[cros] Cleanup login auth stack: remove ClientLogin legacy code

chrome/browser/chromeos/login/parallel_authenticator.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/parallel_authenticator.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/logging.h"
@@ skipping 18 matching lines @@
 #include "crypto/sha2.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 using content::BrowserThread;
 
 namespace chromeos {
 
 namespace {
 
-// Milliseconds until we timeout our attempt to hit ClientLogin.
-const int kClientLoginTimeoutMs = 10000;
-
 // Length of password hashed with SHA-256.
 const int kPasswordHashLength = 32;
 
 // Records status and calls resolver->Resolve().
 void TriggerResolve(AuthAttemptState* attempt,
                     scoped_refptr<ParallelAuthenticator> resolver,
                     bool success,
                     cryptohome::MountError return_code) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   attempt->RecordCryptohomeStatus(success, return_code);
@@ skipping 105 matching lines @@
 // Calls cryptohome's key check method.
 void CheckKey(AuthAttemptState* attempt,
               scoped_refptr<ParallelAuthenticator> resolver) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   cryptohome::AsyncMethodCaller::GetInstance()->AsyncCheckKey(
       attempt->user_context.username,
       attempt->ascii_hash,
       base::Bind(&TriggerResolve, attempt, resolver));
 }
 
-// Returns whether the login failure was connection issue.
-bool WasConnectionIssue(const LoginFailure& online_outcome) {
-  return ((online_outcome.reason() == LoginFailure::LOGIN_TIMED_OUT) ||
-          (online_outcome.error().state() ==
-           GoogleServiceAuthError::CONNECTION_FAILED) ||
-          (online_outcome.error().state() ==
-           GoogleServiceAuthError::REQUEST_CANCELED));
-}
-
 // Returns hash of |password|, salted with the system salt.
 std::string HashPassword(const std::string& password) {
   // Get salt, ascii encode, update sha with that, then update with ascii
   // of password, then end.
   std::string ascii_salt = CryptohomeLibrary::Get()->GetSystemSalt();
   char passhash_buf[kPasswordHashLength];
 
   // Hash salt and password
   crypto::SHA256HashString(ascii_salt + password,
                            &passhash_buf, sizeof(passhash_buf));
@@ skipping 15 matching lines @@
       ephemeral_mount_attempted_(false),
       check_key_attempted_(false),
       already_reported_success_(false),
       owner_is_verified_(false),
       user_can_login_(false),
       using_oauth_(true) {
 }
 
 void ParallelAuthenticator::AuthenticateToLogin(
     Profile* profile,
-    const UserContext& user_context,
-    const std::string& login_token,
-    const std::string& login_captcha) {
+    const UserContext& user_context) {
   std::string canonicalized = gaia::CanonicalizeEmail(user_context.username);
   authentication_profile_ = profile;
   current_state_.reset(
       new AuthAttemptState(
           UserContext(canonicalized,
                       user_context.password,
                       user_context.auth_code),
           HashPassword(user_context.password),
-          login_token,
-          login_captcha,
+          std::string(), // login_token, not used.
+          std::string(), // login_captcha, not used.
           User::USER_TYPE_REGULAR,
           !UserManager::Get()->IsKnownUser(canonicalized)));
   // Reset the verified flag.
   owner_is_verified_ = false;
 
   BrowserThread::PostTask(
       BrowserThread::UI, FROM_HERE,
       base::Bind(&Mount,
                  current_state_.get(),
                  scoped_refptr<ParallelAuthenticator>(this),
@@ skipping 28 matching lines @@
       base::Bind(&Mount,
                  current_state_.get(),
                  scoped_refptr<ParallelAuthenticator>(this),
                  cryptohome::MOUNT_FLAGS_NONE));
 
   if (!using_oauth_) {
     // Test automation needs to disable oauth, but that leads to other
     // services not being able to fetch a token, leading to browser crashes.
     // So initiate ClientLogin-based post authentication.
     // TODO(xiyuan): This should not be required.
+    // Context: http://crbug.com/201374
     current_online_.reset(new OnlineAttempt(current_state_.get(),
                                             this));
     current_online_->Initiate(profile);
   } else {
     // For login completion from extension, we just need to resolve the current
     // auth attempt state, the rest of OAuth related tasks will be done in
     // parallel.
     BrowserThread::PostTask(
         BrowserThread::UI, FROM_HERE,
         base::Bind(&ParallelAuthenticator::ResolveLoginCompletionStatus, this));
@@ skipping 137 matching lines @@
   AuthenticationNotificationDetails details(false);
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_LOGIN_AUTHENTICATION,
       content::NotificationService::AllSources(),
       content::Details<AuthenticationNotificationDetails>(&details));
   LOG(WARNING) << "Login failed: " << error.GetErrorString();
   if (consumer_)
     consumer_->OnLoginFailure(error);
 }
 
-void ParallelAuthenticator::RecordOAuthCheckFailure(
-    const std::string& user_name) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  DCHECK(using_oauth_);
-  // Mark this account's OAuth token state as invalid in the local state.
-  UserManager::Get()->SaveUserOAuthStatus(
-      user_name,
-      User::OAUTH2_TOKEN_STATUS_INVALID);
-}
-
 void ParallelAuthenticator::RecoverEncryptedData(
     const std::string& old_password) {
   std::string old_hash = HashPassword(old_password);
   migrate_attempted_ = true;
   current_state_->ResetCryptohomeStatus();
   BrowserThread::PostTask(
       BrowserThread::UI, FROM_HERE,
       base::Bind(&Migrate,
                  current_state_.get(),
                  scoped_refptr<ParallelAuthenticator>(this),
@@ skipping 33 matching lines @@
 
 void ParallelAuthenticator::OnOwnershipChecked(
     DeviceSettingsService::OwnershipStatus status,
     bool is_owner) {
   // Now we can check if this user is the owner.
   user_can_login_ = is_owner;
   owner_is_verified_ = true;
   Resolve();
 }
 
-void ParallelAuthenticator::RetryAuth(Profile* profile,
-                                      const UserContext& user_context,
-                                      const std::string& login_token,
-                                      const std::string& login_captcha) {
-  reauth_state_.reset(
-      new AuthAttemptState(
-          UserContext(gaia::CanonicalizeEmail(user_context.username),
-                      user_context.password,
-                      user_context.auth_code),
-          HashPassword(user_context.password),
-          login_token,
-          login_captcha,
-          User::USER_TYPE_REGULAR,
-          false /* not a new user */));
-  // Always use ClientLogin regardless of using_oauth flag. This is because
-  // we are unable to renew oauth token on lock screen currently and will
-  // stuck with lock screen if we use OAuthLogin here.
-  // TODO(xiyuan): Revisit this after we support Gaia in lock screen.
-  current_online_.reset(new OnlineAttempt(reauth_state_.get(),
-                                          this));
-  current_online_->Initiate(profile);
-}
-
-
 void ParallelAuthenticator::Resolve() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   bool request_pending = false;
   int mount_flags = cryptohome::MOUNT_FLAGS_NONE;
   ParallelAuthenticator::AuthState state = ResolveState();
   VLOG(1) << "Resolved state to: " << state;
   switch (state) {
     case CONTINUE:
     case POSSIBLE_PW_CHANGE:
     case NO_MOUNT:
@@ skipping 43 matching lines @@
                      current_state_.get(),
                      scoped_refptr<ParallelAuthenticator>(this),
                      mount_flags));
       break;
     case NEED_OLD_PW:
       BrowserThread::PostTask(
           BrowserThread::UI, FROM_HERE,
           base::Bind(&ParallelAuthenticator::OnPasswordChangeDetected, this));
       break;
     case ONLINE_FAILED:
-      // In this case, we know online login was rejected because the account
-      // is disabled or something similarly fatal.  Sending the user through
-      // the same path they get when their password is rejected is cleaner
-      // for now.
-      // TODO(cmasone): optimize this so that we don't send the user through
-      // the 'changed password' path when we know doing so won't succeed.
-    case NEED_NEW_PW: {
-        {
-          base::AutoLock for_this_block(success_lock_);
-          if (!already_reported_success_) {
-            // This allows us to present the same behavior for "online:
-            // fail, offline: ok", regardless of the order in which we
-            // receive the results.  There will be cases in which we get
-            // the online failure some time after the offline success,
-            // so we just force all cases in this category to present like this:
-            // OnLoginSuccess(..., ..., true) -> OnLoginFailure().
-            BrowserThread::PostTask(
-                BrowserThread::UI, FROM_HERE,
-                base::Bind(&ParallelAuthenticator::OnLoginSuccess,
-                           this,
-                           true));
-          }
-        }
-        const LoginFailure& login_failure =
-            reauth_state_.get() ? reauth_state_->online_outcome() :
-                                  current_state_->online_outcome();
-        BrowserThread::PostTask(
-            BrowserThread::UI, FROM_HERE,
-            base::Bind(&ParallelAuthenticator::OnLoginFailure, this,
-                       login_failure));
-        // Check if we couldn't verify OAuth token here.
-        if (using_oauth_ &&
-            login_failure.reason() == LoginFailure::NETWORK_AUTH_FAILED) {
-          BrowserThread::PostTask(
-              BrowserThread::UI, FROM_HERE,
-              base::Bind(&ParallelAuthenticator::RecordOAuthCheckFailure, this,
-                         (reauth_state_.get() ?
-                             reauth_state_->user_context.username :
-                             current_state_->user_context.username)));
-        }
-        break;
-    }
+    case NEED_NEW_PW:
     case HAVE_NEW_PW:
-      migrate_attempted_ = true;
-      BrowserThread::PostTask(
-          BrowserThread::UI, FROM_HERE,
-          base::Bind(&Migrate,
-                     reauth_state_.get(),
-                     scoped_refptr<ParallelAuthenticator>(this),
-                     true,
-                     current_state_->ascii_hash));
+      NOTREACHED() << "Using obsolete ClientLogin code path.";
       break;
     case OFFLINE_LOGIN:
       VLOG(2) << "Offline login";
       // Marking request_pending to false when using OAuth because OAuth related
       // tasks are performed after user profile is mounted and are not performed
       // by ParallelAuthenticator.
       // TODO(xiyuan): Revert this when we support Gaia in lock screen and
       // start to use ParallelAuthenticator's VerifyOAuth1AccessToken again.
       request_pending = using_oauth_ ?
           false :
@@ skipping 72 matching lines @@
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   // If we haven't mounted the user's home dir yet or
   // haven't got sanitized username value, we can't be done.
   // We never get past here if any of these two cryptohome ops is still pending.
   // This is an important invariant.
   if (!current_state_->cryptohome_complete() ||
       !current_state_->username_hash_obtained()) {
     return CONTINUE;
   }
 
-  AuthState state = (reauth_state_.get() ? ResolveReauthState() : CONTINUE);
-  if (state != CONTINUE)
-    return state;
+  AuthState state = CONTINUE;
 
   if (current_state_->cryptohome_outcome())
     state = ResolveCryptohomeSuccessState();
   else
     state = ResolveCryptohomeFailureState();
 
   DCHECK(current_state_->cryptohome_complete());  // Ensure invariant holds.
   migrate_attempted_ = false;
   remove_attempted_ = false;
   ephemeral_mount_attempted_ = false;
   check_key_attempted_ = false;
 
   if (state != POSSIBLE_PW_CHANGE &&
       state != NO_MOUNT &&
       state != OFFLINE_LOGIN)
     return state;
 
   if (current_state_->online_complete()) {
     if (current_state_->online_outcome().reason() == LoginFailure::NONE) {
       // Online attempt succeeded as well, so combine the results.
       return ResolveOnlineSuccessState(state);
     }
-    // Online login attempt was rejected or failed to occur.
-    return ResolveOnlineFailureState(state);
+    NOTREACHED() << "Using obsolete ClientLogin code path.";
   }
   // if online isn't complete yet, just return the offline result.
   return state;
 }
 
 ParallelAuthenticator::AuthState
-ParallelAuthenticator::ResolveReauthState() {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  if (reauth_state_->cryptohome_complete()) {
-    if (!reauth_state_->cryptohome_outcome()) {
-      // If we've tried to migrate and failed, log the error and just wait
-      // til next time the user logs in to migrate their cryptohome key.
-      LOG(ERROR) << "Failed to migrate cryptohome key: "
-                 << reauth_state_->cryptohome_code();
-    }
-    reauth_state_.reset(NULL);
-    return ONLINE_LOGIN;
-  }
-  // Haven't tried the migrate yet, must be processing the online auth attempt.
-  if (!reauth_state_->online_complete()) {
-    NOTREACHED();  // Shouldn't be here at all, if online reauth isn't done!
-    return CONTINUE;
-  }
-  return (reauth_state_->online_outcome().reason() == LoginFailure::NONE) ?
-      HAVE_NEW_PW : NEED_NEW_PW;
-}
-
-ParallelAuthenticator::AuthState
 ParallelAuthenticator::ResolveCryptohomeFailureState() {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   if (remove_attempted_)
     return FAILED_REMOVE;
   if (ephemeral_mount_attempted_)
     return FAILED_TMPFS;
   if (migrate_attempted_)
     return NEED_OLD_PW;
   if (check_key_attempted_)
     return LOGIN_FAILED;
@@ skipping 46 matching lines @@
     return PUBLIC_ACCOUNT_LOGIN;
   if (current_state_->user_type == User::USER_TYPE_LOCALLY_MANAGED)
     return LOCALLY_MANAGED_USER_LOGIN;
 
   if (!VerifyOwner())
     return CONTINUE;
   return user_can_login_ ? OFFLINE_LOGIN : OWNER_REQUIRED;
 }
 
 ParallelAuthenticator::AuthState
-ParallelAuthenticator::ResolveOnlineFailureState(
-    ParallelAuthenticator::AuthState offline_state) {
-  DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  if (offline_state == OFFLINE_LOGIN) {
-    if (WasConnectionIssue(current_state_->online_outcome())) {
-      // Couldn't do an online check, so just go with the offline result.
-      return OFFLINE_LOGIN;
-    }
-    // Otherwise, online login was rejected!
-    if (current_state_->online_outcome().error().state() ==
-        GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS) {
-      return NEED_NEW_PW;
-    }
-    return ONLINE_FAILED;
-  }
-  return LOGIN_FAILED;
-}
-
-ParallelAuthenticator::AuthState
 ParallelAuthenticator::ResolveOnlineSuccessState(
     ParallelAuthenticator::AuthState offline_state) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   switch (offline_state) {
     case POSSIBLE_PW_CHANGE:
       return NEED_OLD_PW;
     case NO_MOUNT:
       return CREATE_NEW;
     case OFFLINE_LOGIN:
       return ONLINE_LOGIN;
     default:
       NOTREACHED();
       return offline_state;
   }
 }
 
 void ParallelAuthenticator::ResolveLoginCompletionStatus() {
   // Shortcut online state resolution process.
   current_state_->RecordOnlineLoginStatus(LoginFailure::LoginFailureNone());
   Resolve();
 }
 
 void ParallelAuthenticator::SetOwnerState(bool owner_check_finished,
                                           bool check_result) {
   owner_is_verified_ = owner_check_finished;
   user_can_login_ = check_result;
 }
 
 }  // namespace chromeos