1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_MANAGED_SUPERVISED_USER_AUTHENTICATION_H_ 5 #define CHROME_BROWSER_CHROMEOS_LOGIN_MANAGED_SUPERVISED_USER_AUTHENTICATION_H_ 6 7 #include "base/basictypes.h" 8 #include "base/compiler_specific.h" 9 #include "base/memory/weak_ptr.h" 10 #include "base/strings/string16.h" 11 #include "base/values.h" 12 #include "chrome/browser/chromeos/login/auth/user_context.h" 13 #include "chrome/browser/chromeos/login/managed/supervised_user_login_flow.h" 14 15 namespace chromeos { 16 17 class SupervisedUserManager; 18 19 // This is a class that encapsulates all details of password handling for 20 // supervised users. 21 // Main property is the schema used to handle password. For now it can be either 22 // plain password schema, when plain text password is passed to standard 23 // cryprohome authentication algorithm without modification, or hashed password 24 // schema, when password is additioUpdateContextToChecknally hashed with 25 // user-specific salt. 26 // Second schema is required to allow password syncing across devices for 27 // supervised users. 28 class SupervisedUserAuthentication { 29 public: 30 enum Schema { 31 SCHEMA_PLAIN = 1, 32 SCHEMA_SALT_HASHED = 2 33 }; 34 35 enum SupervisedUserPasswordChangeResult { 36 PASSWORD_CHANGED_IN_MANAGER_SESSION = 0, 37 PASSWORD_CHANGED_IN_USER_SESSION = 1, 38 PASSWORD_CHANGE_FAILED_NO_MASTER_KEY = 2, 39 PASSWORD_CHANGE_FAILED_NO_SIGNATURE_KEY = 3, 40 PASSWORD_CHANGE_FAILED_NO_PASSWORD_DATA = 4, 41 PASSWORD_CHANGE_FAILED_MASTER_KEY_FAILURE = 5, 42 PASSWORD_CHANGE_FAILED_LOADING_DATA = 6, 43 PASSWORD_CHANGE_FAILED_INCOMPLETE_DATA = 7, 44 PASSWORD_CHANGE_FAILED_AUTHENTICATION_FAILURE = 8, 45 PASSWORD_CHANGE_FAILED_STORE_DATA = 9, 46 PASSWORD_CHANGE_RESULT_MAX_VALUE = 10 47 }; 48 49 typedef base::Callback<void(const base::DictionaryValue* password_data)> 50 PasswordDataCallback; 51 52 explicit SupervisedUserAuthentication(SupervisedUserManager* owner); 53 virtual ~SupervisedUserAuthentication(); 54 55 // Returns current schema for whole ChromeOS. It defines if users with older 56 // schema should be migrated somehow. 57 Schema GetStableSchema(); 58 59 // Transforms key according to schema specified in Local State. 60 UserContext TransformKey(const UserContext& context); 61 62 // Fills |password_data| with |password|-specific data for |user_id|, 63 // depending on target schema. Does not affect Local State. 64 bool FillDataForNewUser(const std::string& user_id, 65 const std::string& password, 66 base::DictionaryValue* password_data, 67 base::DictionaryValue* extra_data); 68 69 // Stores |password_data| for |user_id| in Local State. Only public parts 70 // of |password_data| will be stored. 71 void StorePasswordData(const std::string& user_id, 72 const base::DictionaryValue& password_data); 73 74 bool NeedPasswordChange(const std::string& user_id, 75 const base::DictionaryValue* password_data); 76 77 // Checks if given user should update password upon signin. 78 bool HasScheduledPasswordUpdate(const std::string& user_id); 79 void ClearScheduledPasswordUpdate(const std::string& user_id); 80 81 // Checks if password was migrated to new schema by supervised user. 82 // In this case it does not have encryption key, and should be updated by 83 // manager even if password versions match. 84 bool HasIncompleteKey(const std::string& user_id); 85 void MarkKeyIncomplete(const std::string& user_id, bool incomplete); 86 87 // Loads password data stored by ScheduleSupervisedPasswordChange. 88 void LoadPasswordUpdateData(const std::string& user_id, 89 const PasswordDataCallback& success_callback, 90 const base::Closure& failure_callback); 91 92 // Creates a random string that can be used as a master key for managed 93 // user's homedir. 94 std::string GenerateMasterKey(); 95 96 // Called by supervised user to store password data for migration upon signin. 97 void ScheduleSupervisedPasswordChange( 98 const std::string& supervised_user_id, 99 const base::DictionaryValue* password_data); 100 101 // Utility method that gets schema version for |user_id| from Local State. 102 Schema GetPasswordSchema(const std::string& user_id); 103 104 static std::string BuildPasswordSignature( 105 const std::string& password, 106 int revision, 107 const std::string& base64_signature_key); 108 109 private: 110 SupervisedUserManager* owner_; 111 112 // Controls if migration is enabled. 113 bool migration_enabled_; 114 115 // Target schema version. Affects migration process and new user creation. 116 Schema stable_schema_; 117 118 119 DISALLOW_COPY_AND_ASSIGN(SupervisedUserAuthentication); 120 }; 121 122 } // namespace chromeos 123 124 #endif // CHROME_BROWSER_CHROMEOS_LOGIN_MANAGED_SUPERVISED_USER_AUTHENTICATION_H_ 125