1 // Copyright 2014 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 // 5 // The signin manager encapsulates some functionality tracking 6 // which user is signed in. See SigninManagerBase for full description of 7 // responsibilities. The class defined in this file provides functionality 8 // required by all platforms except Chrome OS. 9 // 10 // When a user is signed in, a ClientLogin request is run on their behalf. 11 // Auth tokens are fetched from Google and the results are stored in the 12 // TokenService. 13 // TODO(tim): Bug 92948, 226464. ClientLogin is all but gone from use. 14 15 #ifndef COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_ 16 #define COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_ 17 18 #if defined(OS_CHROMEOS) 19 // On Chrome OS, SigninManagerBase is all that exists. 20 #include "components/signin/core/browser/signin_manager_base.h" 21 22 #else 23 24 #include <set> 25 #include <string> 26 27 #include "base/compiler_specific.h" 28 #include "base/gtest_prod_util.h" 29 #include "base/logging.h" 30 #include "base/memory/scoped_ptr.h" 31 #include "base/observer_list.h" 32 #include "base/prefs/pref_change_registrar.h" 33 #include "base/prefs/pref_member.h" 34 #include "components/keyed_service/core/keyed_service.h" 35 #include "components/signin/core/browser/signin_internals_util.h" 36 #include "components/signin/core/browser/signin_manager_base.h" 37 #include "components/signin/core/browser/signin_metrics.h" 38 #include "google_apis/gaia/google_service_auth_error.h" 39 #include "google_apis/gaia/merge_session_helper.h" 40 #include "net/cookies/canonical_cookie.h" 41 42 class PrefService; 43 class ProfileOAuth2TokenService; 44 class SigninAccountIdHelper; 45 class SigninClient; 46 47 class SigninManager : public SigninManagerBase { 48 public: 49 // The callback invoked once the OAuth token has been fetched during signin, 50 // but before the profile transitions to the "signed-in" state. This allows 51 // callers to load policy and prompt the user appropriately before completing 52 // signin. The callback is passed the just-fetched OAuth login refresh token. 53 typedef base::Callback<void(const std::string&)> OAuthTokenFetchedCallback; 54 55 // Returns true if |url| is a web signin URL and should be hosted in an 56 // isolated, privileged signin process. 57 static bool IsWebBasedSigninFlowURL(const GURL& url); 58 59 // This is used to distinguish URLs belonging to the special web signin flow 60 // running in the special signin process from other URLs on the same domain. 61 // We do not grant WebUI privilieges / bindings to this process or to URLs of 62 // this scheme; enforcement of privileges is handled separately by 63 // OneClickSigninHelper. 64 static const char kChromeSigninEffectiveSite[]; 65 66 SigninManager(SigninClient* client, ProfileOAuth2TokenService* token_service); 67 virtual ~SigninManager(); 68 69 // Returns true if the username is allowed based on the policy string. 70 static bool IsUsernameAllowedByPolicy(const std::string& username, 71 const std::string& policy); 72 73 // Attempt to sign in this user with a refresh token. 74 // If non-null, the passed |oauth_fetched_callback| callback is invoked once 75 // signin has been completed. 76 // The callback should invoke SignOut() or CompletePendingSignin() to either 77 // continue or cancel the in-process signin. 78 virtual void StartSignInWithRefreshToken( 79 const std::string& refresh_token, 80 const std::string& username, 81 const std::string& password, 82 const OAuthTokenFetchedCallback& oauth_fetched_callback); 83 84 // Copies auth credentials from one SigninManager to this one. This is used 85 // when creating a new profile during the signin process to transfer the 86 // in-progress credentials to the new profile. 87 virtual void CopyCredentialsFrom(const SigninManager& source); 88 89 // Sign a user out, removing the preference, erasing all keys 90 // associated with the user, and canceling all auth in progress. 91 virtual void SignOut(signin_metrics::ProfileSignout signout_source_metric); 92 93 // On platforms where SigninManager is responsible for dealing with 94 // invalid username policy updates, we need to check this during 95 // initialization and sign the user out. 96 virtual void Initialize(PrefService* local_state) OVERRIDE; 97 virtual void Shutdown() OVERRIDE; 98 99 // Invoked from an OAuthTokenFetchedCallback to complete user signin. 100 virtual void CompletePendingSignin(); 101 102 // Invoked from SigninManagerAndroid to indicate that the sign-in process 103 // has completed for |username|. 104 void OnExternalSigninCompleted(const std::string& username); 105 106 // Returns true if there's a signin in progress. 107 virtual bool AuthInProgress() const OVERRIDE; 108 109 virtual bool IsSigninAllowed() const OVERRIDE; 110 111 // Returns true if the passed username is allowed by policy. Virtual for 112 // mocking in tests. 113 virtual bool IsAllowedUsername(const std::string& username) const; 114 115 // If an authentication is in progress, return the username being 116 // authenticated. Returns an empty string if no auth is in progress. 117 const std::string& GetUsernameForAuthInProgress() const; 118 119 // Set the preference to turn off one-click sign-in so that it won't ever 120 // show it again for the user associated with |prefs| (even if the user tries 121 // a new account). 122 static void DisableOneClickSignIn(PrefService* prefs); 123 124 // Tells the SigninManager whether to prohibit signout for this profile. 125 // If |prohibit_signout| is true, then signout will be prohibited. 126 void ProhibitSignout(bool prohibit_signout); 127 128 // If true, signout is prohibited for this profile (calls to SignOut() are 129 // ignored). 130 bool IsSignoutProhibited() const; 131 132 // Add or remove observers for the merge session notification. 133 void AddMergeSessionObserver(MergeSessionHelper::Observer* observer); 134 void RemoveMergeSessionObserver(MergeSessionHelper::Observer* observer); 135 136 protected: 137 // Flag saying whether signing out is allowed. 138 bool prohibit_signout_; 139 140 private: 141 enum SigninType { SIGNIN_TYPE_NONE, SIGNIN_TYPE_WITH_REFRESH_TOKEN }; 142 143 std::string SigninTypeToString(SigninType type); 144 friend class FakeSigninManager; 145 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ClearTransientSigninData); 146 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorSuccess); 147 FRIEND_TEST_ALL_PREFIXES(SigninManagerTest, ProvideSecondFactorFailure); 148 149 // If user was signed in, load tokens from DB if available. 150 void InitTokenService(); 151 152 // Called to setup the transient signin data during one of the 153 // StartSigninXXX methods. |type| indicates which of the methods is being 154 // used to perform the signin while |username| and |password| identify the 155 // account to be signed in. Returns false and generates an auth error if the 156 // passed |username| is not allowed by policy. 157 bool PrepareForSignin(SigninType type, 158 const std::string& username, 159 const std::string& password); 160 161 // Persists |username| as the currently signed-in account, and triggers 162 // a sign-in success notification. 163 void OnSignedIn(const std::string& username); 164 165 // Called when a new request to re-authenticate a user is in progress. 166 // Will clear in memory data but leaves the db as such so when the browser 167 // restarts we can use the old token(which might throw a password error). 168 void ClearTransientSigninData(); 169 170 // Called to handle an error from a GAIA auth fetch. Sets the last error 171 // to |error|, sends out a notification of login failure and clears the 172 // transient signin data. 173 void HandleAuthError(const GoogleServiceAuthError& error); 174 175 void OnSigninAllowedPrefChanged(); 176 void OnGoogleServicesUsernamePatternChanged(); 177 178 // ClientLogin identity. 179 std::string possibly_invalid_username_; 180 std::string password_; // This is kept empty whenever possible. 181 182 // Fetcher for the obfuscated user id. 183 scoped_ptr<SigninAccountIdHelper> account_id_helper_; 184 185 // The type of sign being performed. This value is valid only between a call 186 // to one of the StartSigninXXX methods and when the sign in is either 187 // successful or not. 188 SigninType type_; 189 190 // Temporarily saves the oauth2 refresh token. It will be passed to the 191 // token service so that it does not need to mint new ones. 192 std::string temp_refresh_token_; 193 194 // The SigninClient object associated with this object. Must outlive this 195 // object. 196 SigninClient* client_; 197 198 // The ProfileOAuth2TokenService instance associated with this object. Must 199 // outlive this object. 200 ProfileOAuth2TokenService* token_service_; 201 202 // Helper object to listen for changes to signin preferences stored in non- 203 // profile-specific local prefs (like kGoogleServicesUsernamePattern). 204 PrefChangeRegistrar local_state_pref_registrar_; 205 206 // Helper object to listen for changes to the signin allowed preference. 207 BooleanPrefMember signin_allowed_; 208 209 // Helper to merge signed in account into the content area. 210 scoped_ptr<MergeSessionHelper> merge_session_helper_; 211 212 base::WeakPtrFactory<SigninManager> weak_pointer_factory_; 213 214 DISALLOW_COPY_AND_ASSIGN(SigninManager); 215 }; 216 217 #endif // !defined(OS_CHROMEOS) 218 219 #endif // COMPONENTS_SIGNIN_CORE_BROWSER_SIGNIN_MANAGER_H_ 220