Chromium Code Reviews Chromium Code Reviews
Issue 9466005:
Make sure the device recovers from policy loss in the consumer case. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: chrome/browser/chromeos/login/parallel_authenticator.cc |
| diff --git a/chrome/browser/chromeos/login/parallel_authenticator.cc b/chrome/browser/chromeos/login/parallel_authenticator.cc |
| index 28382a0b92f755e2871e66195779b5c0904e4c5f..3fea20c8b7ab7c6e66213d870ee75cfdf0b84f18 100644 |
| --- a/chrome/browser/chromeos/login/parallel_authenticator.cc |
| +++ b/chrome/browser/chromeos/login/parallel_authenticator.cc |
| @@ -14,7 +14,10 @@ |
| #include "chrome/browser/chromeos/boot_times_loader.h" |
| #include "chrome/browser/chromeos/cros/cros_library.h" |
| #include "chrome/browser/chromeos/cros/cryptohome_library.h" |
| +#include "chrome/browser/chromeos/cros_settings.h" |
| #include "chrome/browser/chromeos/cryptohome/async_method_caller.h" |
| +#include "chrome/browser/chromeos/dbus/cryptohome_client.h" |
| +#include "chrome/browser/chromeos/dbus/dbus_thread_manager.h" |
| #include "chrome/browser/chromeos/login/authentication_notification_details.h" |
| #include "chrome/browser/chromeos/login/login_status_consumer.h" |
| #include "chrome/browser/chromeos/login/ownership_service.h" |
| @@ -176,6 +179,8 @@ ParallelAuthenticator::ParallelAuthenticator(LoginStatusConsumer* consumer) |
| mount_guest_attempted_(false), |
| check_key_attempted_(false), |
| already_reported_success_(false), |
| + owner_is_verified_(false), |
| + user_can_login_(false), |
| using_oauth_( |
| !CommandLine::ForCurrentProcess()->HasSwitch( |
| switches::kSkipOAuthLogin)) { |
| @@ -202,6 +207,13 @@ void ParallelAuthenticator::AuthenticateToLogin( |
| login_token, |
| login_captcha, |
| !UserManager::Get()->IsKnownUser(canonicalized))); |
| + { |
| + LOG(ERROR) << "@@@ Resetting for " << username; |
|
Chris Masone
2012/03/13 16:45:53
why LOG(ERROR)?
pastarmovj
2012/03/22 11:48:01
Debug output and it is gone now :)
|
| + // Reset the verified flag. |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + owner_is_verified_ = false; |
| + } |
| + |
| const bool create_if_missing = false; |
| BrowserThread::PostTask( |
| BrowserThread::UI, FROM_HERE, |
| @@ -209,7 +221,6 @@ void ParallelAuthenticator::AuthenticateToLogin( |
| current_state_.get(), |
| static_cast<AuthAttemptStateResolver*>(this), |
| create_if_missing)); |
| - |
| // ClientLogin authentication check should happen immediately here. |
| // We should not try OAuthLogin check until the profile loads. |
| if (!using_oauth_) { |
| @@ -232,6 +243,13 @@ void ParallelAuthenticator::CompleteLogin(Profile* profile, |
| password, |
| CrosLibrary::Get()->GetCryptohomeLibrary()->HashPassword(password), |
| !UserManager::Get()->IsKnownUser(canonicalized))); |
| + { |
| + LOG(ERROR) << "@@@ Resetting for " << username; |
|
Chris Masone
2012/03/13 16:45:53
Same question as above
pastarmovj
2012/03/22 11:48:01
Debug output and it is gone now :)
|
| + // Reset the verified flag. |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + owner_is_verified_ = false; |
| + } |
| + |
| const bool create_if_missing = false; |
| BrowserThread::PostTask( |
| BrowserThread::UI, FROM_HERE, |
| @@ -386,6 +404,40 @@ void ParallelAuthenticator::ResyncEncryptedData() { |
| static_cast<AuthAttemptStateResolver*>(this)))); |
| } |
| +void ParallelAuthenticator::VerifyOwnerOnUIThread() { |
| + // Check if policy data is fine and continue in safe mode if needed. |
| + bool is_safe_mode = false; |
| + CrosSettings::Get()->GetBoolean(kPolicyMissingMitigationMode, &is_safe_mode); |
| + if (!is_safe_mode) { |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + // Now we can continue reading the private key. |
|
Chris Masone
2012/03/13 16:45:53
but you never read the private key here...
pastarmovj
2012/03/22 11:48:01
Comment was wrong. Fixed.
|
| + user_can_login_ = true; |
| + owner_is_verified_ = true; |
| + BrowserThread::PostTask( |
| + BrowserThread::IO, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::Resolve, this)); |
| + return; |
| + } |
| + // First we have to make sure the current user's cert store is available. |
| + UserManager::Get()->LoadKeyStore(); |
| + // Now we can continue reading the private key. |
| + BrowserThread::PostTask( |
| + BrowserThread::FILE, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::FinishVerifyOwnerOnFileThread, this)); |
| +} |
| + |
| +void ParallelAuthenticator::FinishVerifyOwnerOnFileThread() { |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + // Now we can continue reading the private key. |
|
Chris Masone
2012/03/13 16:45:53
you read it here
pastarmovj
2012/03/22 11:48:01
Done.
|
| + user_can_login_ = |
| + OwnershipService::GetSharedInstance()->IsCurrentUserOwner(); |
| + owner_is_verified_ = true; |
| + BrowserThread::PostTask( |
| + BrowserThread::IO, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::Resolve, this)); |
| + LOG(ERROR) << "@@@ Check finished: " << user_can_login_; |
|
Chris Masone
2012/03/13 16:45:53
ERROR?
pastarmovj
2012/03/22 11:48:01
Debug output. Gone.
|
| +} |
| + |
| void ParallelAuthenticator::RetryAuth(Profile* profile, |
| const std::string& username, |
| const std::string& password, |
| @@ -555,6 +607,22 @@ void ParallelAuthenticator::Resolve() { |
| this, |
| current_state_->online_outcome())); |
| break; |
| + case OWNER_REQUIRED: { |
| + current_state_->ResetCryptohomeStatus(); |
| + bool success = false; |
| + DBusThreadManager::Get()->GetCryptohomeClient()->Unmount(&success); |
| + if (!success) { |
| + // Maybe we should reboot immediately here? |
| + LOG(ERROR) << "Couldn't unmount users home!"; |
| + } |
| + BrowserThread::PostTask(BrowserThread::UI, |
| + FROM_HERE, |
| + base::Bind( |
| + &ParallelAuthenticator::OnLoginFailure, |
| + this, |
| + LoginFailure(LoginFailure::OWNER_REQUIRED))); |
| + break; |
| + } |
| default: |
| NOTREACHED(); |
| break; |
| @@ -674,7 +742,16 @@ ParallelAuthenticator::ResolveCryptohomeSuccessState() { |
| return RECOVER_MOUNT; |
| if (check_key_attempted_) |
| return UNLOCK; |
| - return OFFLINE_LOGIN; |
| + |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + LOG(ERROR) << "@@@ cryptohome state " << owner_is_verified_; |
|
Chris Masone
2012/03/13 16:45:53
ERROR?
pastarmovj
2012/03/22 11:48:01
Ditto.
|
| + if (!owner_is_verified_) { |
| + BrowserThread::PostTask( |
| + BrowserThread::UI, FROM_HERE, |
| + base::Bind(&ParallelAuthenticator::VerifyOwnerOnUIThread, this)); |
| + return CONTINUE; |
| + } |
| + return user_can_login_ ? OFFLINE_LOGIN : OWNER_REQUIRED; |
| } |
| ParallelAuthenticator::AuthState |
| @@ -719,4 +796,11 @@ void ParallelAuthenticator::ResolveLoginCompletionStatus() { |
| Resolve(); |
| } |
| +void ParallelAuthenticator::SetOwnerState(bool owner_check_finished, |
| + bool check_result) { |
| + base::AutoLock for_this_block(owner_verified_lock_); |
| + owner_is_verified_ = owner_check_finished; |
| + user_can_login_ = check_result; |
| +} |
| + |
| } // namespace chromeos |
