      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_MANAGED_SUPERVISED_USER_AUTHENTICATION_H_
      5 #define CHROME_BROWSER_CHROMEOS_LOGIN_MANAGED_SUPERVISED_USER_AUTHENTICATION_H_
      6 
      7 #include "base/basictypes.h"
      8 #include "base/compiler_specific.h"
      9 #include "base/memory/weak_ptr.h"
     10 #include "base/strings/string16.h"
     11 #include "base/values.h"
     12 #include "chrome/browser/chromeos/login/auth/user_context.h"
     13 #include "chrome/browser/chromeos/login/managed/supervised_user_login_flow.h"
     14 
     15 namespace chromeos {
     16 
     17 class SupervisedUserManager;
     18 
     19 // This is a class that encapsulates all details of password handling for
     20 // supervised users.
     21 // Main property is the schema used to handle password. For now it can be either
     22 // plain password schema, when plain text password is passed to standard
     23 // cryptohome authentication algorithm without modification, or hashed password
     24 // schema, when password is additionally hashed with
     25 // user-specific salt.
     26 // Second schema is required to allow password syncing across devices for
     27 // supervised users.
     28 class SupervisedUserAuthentication {
        // This header only declares the interface; no method bodies are visible
        // here. Comments marked NOTE(review) are assumptions to confirm against
        // the implementation.
     29  public:
          // Password handling scheme. Per the class comment: the plain scheme passes
          // the plain-text password to cryptohome unmodified, the hashed scheme
          // additionally hashes it with a user-specific salt.
          // NOTE(review): GetPasswordSchema() reads a per-user value from Local
          // State, so these numbers are presumably persisted -- do not renumber.
     30   enum Schema {
     31     SCHEMA_PLAIN = 1,
     32     SCHEMA_SALT_HASHED = 2
     33   };
     34 
          // Outcome of a supervised-user password change. By their names, the first
          // two values record where a change succeeded and the
          // PASSWORD_CHANGE_FAILED_* values record which step failed.
          // NOTE(review): the explicit numbering plus
          // PASSWORD_CHANGE_RESULT_MAX_VALUE looks like a reported (histogram-style)
          // enum; if so, only append new values and never reuse one -- confirm.
     35   enum SupervisedUserPasswordChangeResult {
     36     PASSWORD_CHANGED_IN_MANAGER_SESSION = 0,
     37     PASSWORD_CHANGED_IN_USER_SESSION = 1,
     38     PASSWORD_CHANGE_FAILED_NO_MASTER_KEY = 2,
     39     PASSWORD_CHANGE_FAILED_NO_SIGNATURE_KEY = 3,
     40     PASSWORD_CHANGE_FAILED_NO_PASSWORD_DATA = 4,
     41     PASSWORD_CHANGE_FAILED_MASTER_KEY_FAILURE = 5,
     42     PASSWORD_CHANGE_FAILED_LOADING_DATA = 6,
     43     PASSWORD_CHANGE_FAILED_INCOMPLETE_DATA = 7,
     44     PASSWORD_CHANGE_FAILED_AUTHENTICATION_FAILURE = 8,
     45     PASSWORD_CHANGE_FAILED_STORE_DATA = 9,
     46     PASSWORD_CHANGE_RESULT_MAX_VALUE = 10
     47   };
     48 
          // Success callback type used by LoadPasswordUpdateData().
          // NOTE(review): ownership and lifetime of |password_data| are not visible
          // here; presumably valid only for the duration of the call -- confirm.
          // NOTE(review): base::Callback / base::Closure and std::string are used in
          // this header, but neither base/callback.h nor <string> is among the
          // visible includes; presumably pulled in transitively.
     49   typedef base::Callback<void(const base::DictionaryValue* password_data)>
     50       PasswordDataCallback;
     51 
          // |owner| is passed as a raw pointer.
          // NOTE(review): presumably kept in |owner_| and required to outlive this
          // object -- confirm.
     52   explicit SupervisedUserAuthentication(SupervisedUserManager* owner);
     53   virtual ~SupervisedUserAuthentication();
     54 
     55   // Returns current schema for whole ChromeOS. It defines if users with older
     56   // schema should be migrated somehow.
     57   Schema GetStableSchema();
     58 
     59   // Transforms key according to schema specified in Local State.
          // Takes |context| by const reference and returns a UserContext by value.
     60   UserContext TransformKey(const UserContext& context);
     61 
     62   // Fills |password_data| with |password|-specific data for |user_id|,
     63   // depending on target schema. Does not affect Local State.
          // NOTE(review): the meaning of the bool result and of |extra_data| is not
          // documented here; presumably true on success, with |extra_data| receiving
          // the parts that must not be stored publicly -- confirm.
     64   bool FillDataForNewUser(const std::string& user_id,
     65                           const std::string& password,
     66                           base::DictionaryValue* password_data,
     67                           base::DictionaryValue* extra_data);
     68 
     69   // Stores |password_data| for |user_id| in Local State. Only public parts
     70   // of |password_data| will be stored.
          // NOTE(review): which keys count as "public" is decided in the
          // implementation; confirm that no salted password or key material is
          // among the values written to Local State.
     71   void StorePasswordData(const std::string& user_id,
     72                          const base::DictionaryValue& password_data);
     73 
          // NOTE(review): undocumented in this header. By name, reports whether the
          // state stored for |user_id| is out of date relative to |password_data|
          // -- confirm. |password_data| is a pointer; whether null is accepted is
          // not visible here.
     74   bool NeedPasswordChange(const std::string& user_id,
     75                           const base::DictionaryValue* password_data);
     76 
     77   // Checks if given user should update password upon signin.
     78   bool HasScheduledPasswordUpdate(const std::string& user_id);
          // NOTE(review): by name, clears the state that
          // HasScheduledPasswordUpdate() reports -- confirm.
     79   void ClearScheduledPasswordUpdate(const std::string& user_id);
     80 
     81   // Checks if password was migrated to new schema by supervised user.
     82   // In this case it does not have encryption key, and should be updated by
     83   // manager even if password versions match.
     84   bool HasIncompleteKey(const std::string& user_id);
          // NOTE(review): presumably sets or clears the state that
          // HasIncompleteKey() reports for |user_id| -- confirm.
     85   void MarkKeyIncomplete(const std::string& user_id, bool incomplete);
     86 
     87   // Loads password data stored by ScheduleSupervisedPasswordChange.
          // The result is delivered through one of the two callbacks rather than a
          // return value; NOTE(review): whether they run synchronously or on which
          // thread is not visible here.
     88   void LoadPasswordUpdateData(const std::string& user_id,
     89                               const PasswordDataCallback& success_callback,
     90                               const base::Closure& failure_callback);
     91 
     92   // Creates a random string that can be used as a master key for managed
     93   // user's homedir.
          // NOTE(review): the randomness source and key length are not visible in
          // this header. A homedir master key needs a cryptographically secure
          // generator; confirm the implementation does not use a general-purpose
          // PRNG.
     94   std::string GenerateMasterKey();
     95 
     96   // Called by supervised user to store password data for migration upon signin.
          // NOTE(review): where |password_data| is kept until the next sign-in, and
          // how that storage is protected, is not visible here -- confirm.
     97   void ScheduleSupervisedPasswordChange(
     98       const std::string& supervised_user_id,
     99       const base::DictionaryValue* password_data);
    100 
    101   // Utility method that gets schema version for |user_id| from Local State.
    102   Schema GetPasswordSchema(const std::string& user_id);
    103 
          // NOTE(review): undocumented in this header. By its parameters, derives a
          // signature from |password| and |revision| using |base64_signature_key|
          // (base64-encoded, per the name); the algorithm and output encoding are
          // not visible here. If callers compare the result against a stored
          // signature, that comparison should be constant-time -- confirm.
    104   static std::string BuildPasswordSignature(
    105       const std::string& password,
    106       int revision,
    107       const std::string& base64_signature_key);
    108 
    109  private:
          // NOTE(review): presumably the constructor's |owner|, held without
          // ownership -- confirm.
    110   SupervisedUserManager* owner_;
    111 
    112   // Controls if migration is enabled.
    113   bool migration_enabled_;
    114 
    115   // Target schema version. Affects migration process and new user creation.
    116   Schema stable_schema_;
    117 
    118 
          // Makes the class non-copyable and non-assignable.
    119   DISALLOW_COPY_AND_ASSIGN(SupervisedUserAuthentication);
    120 };
    121 
    122 } // namespace chromeos
    123 
    124 #endif  // CHROME_BROWSER_CHROMEOS_LOGIN_MANAGED_SUPERVISED_USER_AUTHENTICATION_H_
    125