Chromium Code Reviews Chromium Code Reviews
Issue 101283003:
Add first implemenation for SU password sync (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: chrome/browser/chromeos/login/managed/supervised_user_authentication.cc |
| diff --git a/chrome/browser/chromeos/login/managed/supervised_user_authentication.cc b/chrome/browser/chromeos/login/managed/supervised_user_authentication.cc |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..6f93737f87281113188e4fd87f477ccf5275a533 |
| --- /dev/null |
| +++ b/chrome/browser/chromeos/login/managed/supervised_user_authentication.cc |
| @@ -0,0 +1,144 @@ |
| +// Copyright (c) 2012 The Chromium Authors. All rights reserved. |
|
Nikita (slow)
2013/12/09 17:51:08
nit: 2013
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| +// Use of this source code is governed by a BSD-style license that can be |
| +// found in the LICENSE file. |
| + |
| +#include "chrome/browser/chromeos/login/managed/supervised_user_authentication.h" |
| + |
| +#include "base/base64.h" |
| +#include "base/command_line.h" |
| +#include "base/strings/string_number_conversions.h" |
| +#include "base/strings/string_util.h" |
| +#include "chrome/browser/chromeos/login/supervised_user_manager.h" |
| +#include "chromeos/chromeos_switches.h" |
| +#include "crypto/random.h" |
| +#include "crypto/symmetric_key.h" |
| + |
| +namespace chromeos { |
| + |
| +namespace { |
| + |
| +const unsigned kNumIterations = 1234; |
|
Nikita (slow)
2013/12/09 16:42:16
nit: Please add short comment about these constant
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| +const unsigned kSaltSize = 32; |
| +const unsigned kKeySizeInBits = 256; |
| + |
| +std::string CreateSalt() { |
| + char result[kSaltSize]; |
| + crypto::RandBytes(&result, sizeof(result)); |
| + return StringToLowerASCII(base::HexEncode( |
| + reinterpret_cast<const void*>(result), |
| + sizeof(result))); |
| +} |
| + |
| +} // namespace |
| + |
| +SupervisedUserAuthentication::SupervisedUserAuthentication( |
| + SupervisedUserManager* owner) |
| + : owner_(owner), |
| + should_migrate_(false), |
| + target_version_(kPlainPasswordSchema) { |
| + CommandLine* command_line = CommandLine::ForCurrentProcess(); |
| + if (command_line->HasSwitch(switches::kEnableSupervisedPasswordSync)) { |
| + should_migrate_ = true; |
| + target_version_ = kPasswordEncryptedWithSaltSchema; |
| + } |
| +} |
| + |
| +SupervisedUserAuthentication::~SupervisedUserAuthentication() {} |
| + |
| +std::string SupervisedUserAuthentication::TransformPassword( |
| + const std::string& user_id, |
| + const std::string& password) { |
| + int user_schema_version = GetPasswordSchemaVersion(user_id); |
| + if (kPlainPasswordSchema == user_schema_version) |
| + return password; |
| + if (kPasswordEncryptedWithSaltSchema == user_schema_version) { |
|
Nikita (slow)
2013/12/09 17:51:08
nit: How about wrapping this into else if
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| + base::DictionaryValue holder; |
| + std::string salt; |
| + owner_->GetPasswordInformation(user_id, &holder); |
| + holder.GetStringWithoutPathExpansion(kSalt, &salt); |
| + DCHECK(!salt.empty()); |
| + return BuildPasswordForSchemaV2(salt, password); |
| + } |
| + NOTREACHED(); |
|
Nikita (slow)
2013/12/09 17:51:08
nit: Put this block into else?
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| + return password; |
| +} |
| + |
| +bool SupervisedUserAuthentication::FillDataForNewUser( |
| + const std::string& user_id, |
| + const std::string& password, |
| + base::DictionaryValue* password_data) { |
| + int schema = target_version_; |
| + if (schema == kPlainPasswordSchema) |
|
Nikita (slow)
2013/12/09 17:51:08
nit: Please keep consistency with previous method:
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| + return false; |
| + if (schema == kPasswordEncryptedWithSaltSchema) { |
|
Nikita (slow)
2013/12/09 17:51:08
nit:
if (v1) {
..
} else if (v2) {
..
} else {
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
Bernhard Bauer
2013/12/14 03:02:30
Um... sorry, but http://dev.chromium.org/developer
Nikita (slow)
2013/12/15 06:55:12
So this should be like
bool result = false;
if (.
Bernhard Bauer
2013/12/15 15:39:56
No, the else should go, not the return :)
So it w
|
| + password_data->SetStringWithoutPathExpansion( |
|
Bernhard Bauer
2013/12/11 14:46:43
You don't need to store everything as a string. Yo
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Yes, but (as I understand) if I at some point set
Bernhard Bauer
2013/12/13 00:30:50
Sync doesn't know about the preferences as they ar
|
| + kSchemaVersion, base::IntToString(schema)); |
|
Nikita (slow)
2013/12/09 17:51:08
nit: Will it fit? First parameter on previous line
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| + std::string salt = CreateSalt(); |
| + password_data->SetStringWithoutPathExpansion( |
| + kSalt, salt); |
|
Nikita (slow)
2013/12/09 17:51:08
nit: Fits on the previous line.
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| + password_data->SetStringWithoutPathExpansion( |
| + kPasswordVersion, std::string("1")); |
|
Nikita (slow)
2013/12/09 17:51:08
nit: first parameter on the previous line, another
Nikita (slow)
2013/12/09 17:51:08
nit: std::string("1") - magic constant?
Denis Kuznetsov (DE-MUC)
2013/12/12 19:45:24
Done.
|
| + password_data->SetStringWithoutPathExpansion( |
| + kEncryptedPassword, BuildPasswordForSchemaV2(salt, password)); |
| + return true; |
| + } |
| + NOTREACHED(); |
| + return false; |
| +} |
| + |
| +void SupervisedUserAuthentication::StorePasswordData( |
| + const std::string& user_id, |
| + const base::DictionaryValue& password_data) { |
| + DictionaryValue holder; |
| + owner_->GetPasswordInformation(user_id, &holder); |
| + const base::Value* value; |
| + if (password_data.GetWithoutPathExpansion(kSchemaVersion, &value)) |
| + holder.SetWithoutPathExpansion(kSchemaVersion, value->DeepCopy()); |
| + if (password_data.GetWithoutPathExpansion(kSalt, &value)) |
| + holder.SetWithoutPathExpansion(kSalt, value->DeepCopy()); |
| + if (password_data.GetWithoutPathExpansion(kPasswordVersion, &value)) |
| + holder.SetWithoutPathExpansion(kPasswordVersion, value->DeepCopy()); |
| + owner_->SetPasswordInformation(user_id, &holder); |
| +} |
| + |
| +std::string SupervisedUserAuthentication::BuildPasswordForSchemaV2( |
| + const std::string& salt, |
| + const std::string& plain_password) { |
| + scoped_ptr<crypto::SymmetricKey> key( |
| + crypto::SymmetricKey::DeriveKeyFromPassword( |
| + crypto::SymmetricKey::AES, |
| + plain_password, salt, |
| + kNumIterations, kKeySizeInBits)); |
| + std::string raw_result, result; |
| + key->GetRawKey(&raw_result); |
| + base::Base64Encode(raw_result, &result); |
| + return result; |
| +} |
| + |
| +bool SupervisedUserAuthentication::PasswordNeedsMigration( |
| + const std::string& user_id) { |
| + return GetPasswordSchemaVersion(user_id) < target_version_; |
| +} |
| + |
| +int SupervisedUserAuthentication::GetPasswordSchemaVersion( |
| + const std::string& user_id) { |
| + base::DictionaryValue holder; |
| + std::string schema_version_string; |
| + owner_->GetPasswordInformation(user_id, &holder); |
| + // Default version. |
| + int schema_version = kPlainPasswordSchema; |
| + if (holder.GetStringWithoutPathExpansion(kSchemaVersion, |
| + &schema_version_string)) { |
| + schema_version = atoi(schema_version_string.c_str()); |
| + } |
| + return schema_version; |
| +} |
| + |
| +void SupervisedUserAuthentication::SchedulePasswordMigration( |
| + const std::string& supervised_user_id, |
| + const std::string& user_password, |
| + SupervisedUserLoginFlow* user_flow) { |
| + // TODO(antrim): Add actual migration code once cryptohome has required API. |
| +} |
| + |
| +} // namespace chromeos |
