Add first implemenation for SU password sync

chrome/browser/chromeos/login/managed/supervised_user_authentication.cc

+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h"
+
+#include "base/base64.h"
+#include "base/command_line.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
+#include "chrome/browser/chromeos/login/supervised_user_manager.h"
+#include "chromeos/chromeos_switches.h"
+#include "crypto/random.h"
+#include "crypto/symmetric_key.h"
+
+namespace chromeos {
+
+namespace {
+
+// Byte size of hash salt.
+const unsigned kSaltSize = 32;
+
+// Parameters of cryptographic hashing.
+const unsigned kNumIterations = 1234;
+const unsigned kKeySizeInBits = 256;
+
+std::string CreateSalt() {
+    char result[kSaltSize];
+    crypto::RandBytes(&result, sizeof(result));
+    return StringToLowerASCII(base::HexEncode(
+        reinterpret_cast<const void*>(result),
+        sizeof(result)));
+}
+
+std::string BuildPasswordForHashWithSaltSchema(
+  const std::string& salt,
+  const std::string& plain_password) {
+  scoped_ptr<crypto::SymmetricKey> key(
+      crypto::SymmetricKey::DeriveKeyFromPassword(
+          crypto::SymmetricKey::AES,
+          plain_password, salt,
+          kNumIterations, kKeySizeInBits));
+  std::string raw_result, result;
+  key->GetRawKey(&raw_result);
+  base::Base64Encode(raw_result, &result);
+  return result;
+}
+
+
+

[Bernhard Bauer, 2013/12/19 18:09:58]

Nit: remove two empty lines?

+} // namespace

[Bernhard Bauer, 2013/12/19 18:09:58]

Nit: two spaces before //

+
+SupervisedUserAuthentication::SupervisedUserAuthentication(
+    SupervisedUserManager* owner)
+      : owner_(owner),
+        migration_enabled_(false),
+        stable_schema_(SCHEMA_PLAIN) {
+  CommandLine* command_line = CommandLine::ForCurrentProcess();
+  if (command_line->HasSwitch(switches::kEnableSupervisedPasswordSync)) {
+    migration_enabled_ = true;
+    stable_schema_ = SCHEMA_SALT_HASHED;
+  }
+}
+
+SupervisedUserAuthentication::~SupervisedUserAuthentication() {}
+
+std::string SupervisedUserAuthentication::TransformPassword(
+    const std::string& user_id,
+    const std::string& password) {
+  int user_schema = GetPasswordSchema(user_id);
+  if (SCHEMA_PLAIN == user_schema)

[Bernhard Bauer, 2013/12/19 18:09:58]

Nit: Could you swap these? It reads much better that way.

+    return password;
+
+  if (SCHEMA_SALT_HASHED == user_schema) {
+    base::DictionaryValue holder;
+    std::string salt;
+    owner_->GetPasswordInformation(user_id, &holder);
+    holder.GetStringWithoutPathExpansion(kSalt, &salt);
+    DCHECK(!salt.empty());
+    return BuildPasswordForHashWithSaltSchema(salt, password);
+  }
+  NOTREACHED();
+  return password;
+}
+
+bool SupervisedUserAuthentication::FillDataForNewUser(
+    const std::string& user_id,
+    const std::string& password,
+    base::DictionaryValue* password_data) {
+  Schema schema = stable_schema_;
+  if (SCHEMA_PLAIN == schema) {
+    return false;
+  } else if (SCHEMA_SALT_HASHED == schema) {

[Bernhard Bauer, 2013/12/19 18:09:58]

Nit: No else if you return in the previous branch.

+    password_data->SetStringWithoutPathExpansion(kSchemaVersion,
+                                                 base::IntToString(schema));
+    std::string salt = CreateSalt();
+    password_data->SetStringWithoutPathExpansion(kSalt, salt);
+    password_data->SetStringWithoutPathExpansion(kPasswordRevision,
+        base::IntToString(kMinPasswordRevision));
+    password_data->SetStringWithoutPathExpansion(kEncryptedPassword,
+        BuildPasswordForHashWithSaltSchema(salt, password));
+    return true;
+  } else {
+    NOTREACHED();
+    return false;
+  }
+}
+
+void SupervisedUserAuthentication::StorePasswordData(
+    const std::string& user_id,
+    const base::DictionaryValue& password_data) {
+  DictionaryValue holder;
+  owner_->GetPasswordInformation(user_id, &holder);
+  const base::Value* value;
+  if (password_data.GetWithoutPathExpansion(kSchemaVersion, &value))
+      holder.SetWithoutPathExpansion(kSchemaVersion, value->DeepCopy());
+  if (password_data.GetWithoutPathExpansion(kSalt, &value))
+      holder.SetWithoutPathExpansion(kSalt, value->DeepCopy());
+  if (password_data.GetWithoutPathExpansion(kPasswordRevision, &value))
+      holder.SetWithoutPathExpansion(kPasswordRevision, value->DeepCopy());
+  owner_->SetPasswordInformation(user_id, &holder);
+}
+
+bool SupervisedUserAuthentication::PasswordNeedsMigration(
+    const std::string& user_id) {
+  return GetPasswordSchema(user_id) < stable_schema_;
+}
+
+SupervisedUserAuthentication::Schema
+SupervisedUserAuthentication::GetPasswordSchema(
+  const std::string& user_id) {
+  base::DictionaryValue holder;
+  std::string schema_version_string;
+  owner_->GetPasswordInformation(user_id, &holder);
+  // Default version.
+  Schema schema_version = SCHEMA_PLAIN;
+  if (holder.GetStringWithoutPathExpansion(kSchemaVersion,
+                                           &schema_version_string)) {
+    schema_version = static_cast<Schema>(atoi(schema_version_string.c_str()));
+  }
+  return schema_version;
+}
+
+void SupervisedUserAuthentication::SchedulePasswordMigration(
+    const std::string& supervised_user_id,
+    const std::string& user_password,
+    SupervisedUserLoginFlow* user_flow) {
+  // TODO(antrim): Add actual migration code once cryptohome has required API.
+}
+
+}  // namespace chromeos