Implement ephemeral users

chrome/browser/chromeos/login/user_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/user_manager.h"
 
 #include <vector>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 18 matching lines @@
 #include "chrome/browser/chromeos/cryptohome/async_method_caller.h"
 #include "chrome/browser/chromeos/dbus/cryptohome_client.h"
 #include "chrome/browser/chromeos/dbus/dbus_thread_manager.h"
 #include "chrome/browser/chromeos/input_method/input_method_manager.h"
 #include "chrome/browser/chromeos/login/default_user_images.h"
 #include "chrome/browser/chromeos/login/helper.h"
 #include "chrome/browser/chromeos/login/login_display.h"
 #include "chrome/browser/chromeos/login/ownership_service.h"
 #include "chrome/browser/chromeos/login/remove_user_delegate.h"
 #include "chrome/browser/chromeos/system/runtime_environment.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
 #include "chrome/browser/prefs/pref_service.h"
 #include "chrome/browser/prefs/scoped_user_pref_update.h"
 #include "chrome/browser/profiles/profile_downloader.h"
 #include "chrome/browser/profiles/profile_manager.h"
 #include "chrome/browser/sync/profile_sync_service.h"
 #include "chrome/browser/sync/profile_sync_service_factory.h"
 #include "chrome/browser/ui/webui/web_ui_util.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
@@ skipping 266 matching lines @@
   const_cast<UserManager*>(this)->EnsureUsersLoaded();
   return users_;
 }
 
 void UserManager::UserLoggedIn(const std::string& email) {
   DCHECK(!user_is_logged_in_);
 
   user_is_logged_in_ = true;
 
   if (email == kGuestUser) {
+    current_user_is_ephemeral_ = true;
     GuestUserLoggedIn();
     return;
   }
 
   if (email == kDemoUser) {
+    current_user_is_ephemeral_ = true;

[Ivan Korotkov, 2012/03/01 20:16:30]

What's the point of making guest/demo user ephemeral btw?

[use bartfab instead, 2012/03/05 18:07:32]

It is logically consistent. The guest user's recent visits are not recorded and
the guest cryptohome uses tmpfs. This also simplifies the check for whether
persistent information (such as a user image) is permitted for the current user
from (current_user_is_guest_ || current_user_is_ephemeral_) to just
(current_user_is_ephemeral_).

     DemoUserLoggedIn();
     return;
   }
 
+  if (IsEphemeralUser(email)) {
+    current_user_is_ephemeral_ = true;
+    logged_in_user_ = CreateUser(email);
+    NotifyOnLogin();
+    return;
+  }
+
   EnsureUsersLoaded();
 
   // Clear the prefs view of the users.
   PrefService* prefs = g_browser_process->local_state();
   ListPrefUpdate prefs_users_update(prefs, kLoggedInUsers);
   prefs_users_update->Clear();
 
   // Make sure this user is first.
   prefs_users_update->Append(Value::CreateStringValue(email));
   UserList::iterator logged_in_user = users_.end();
@@ skipping 129 matching lines @@
                    base::Unretained(this),
                    image_path));
   }
 }
 
 bool UserManager::IsKnownUser(const std::string& email) const {
   return FindUser(email) != NULL;
 }
 
 const User* UserManager::FindUser(const std::string& email) const {
-  // Speed up search by checking the logged-in user first.
   if (logged_in_user_ && logged_in_user_->email() == email)
     return logged_in_user_;
-  const UserList& users = GetUsers();
-  for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
-    if ((*it)->email() == email)
-      return *it;
-  }
-  return NULL;
+  return FindUserInList(email);
 }
 
 bool UserManager::IsDisplayNameUnique(const std::string& display_name) const {
   return display_name_count_[display_name] < 2;
 }
 
 void UserManager::SaveUserOAuthStatus(
     const std::string& username,
     User::OAuthTokenStatus oauth_token_status) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
-  PrefService* local_state = g_browser_process->local_state();
-  DictionaryPrefUpdate oauth_status_update(local_state, kUserOAuthTokenStatus);
-  oauth_status_update->SetWithoutPathExpansion(username,
-      new base::FundamentalValue(static_cast<int>(oauth_token_status)));
+
   DVLOG(1) << "Saving user OAuth token status in Local State";
   User* user = const_cast<User*>(FindUser(username));
   if (user)
     user->set_oauth_token_status(oauth_token_status);
+
+  // Do not update local store if the user is ephemeral.
+  if (IsEphemeralUser(username))
+    return;
+
+  PrefService* local_state = g_browser_process->local_state();
+
+  DictionaryPrefUpdate oauth_status_update(local_state, kUserOAuthTokenStatus);
+  oauth_status_update->SetWithoutPathExpansion(username,
+      new base::FundamentalValue(static_cast<int>(oauth_token_status)));
 }
 
 User::OAuthTokenStatus UserManager::LoadUserOAuthStatus(
     const std::string& username) const {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   if (CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kSkipOAuthLogin)) {
     // Use OAUTH_TOKEN_STATUS_VALID flag if kSkipOAuthLogin is present.
     return User::OAUTH_TOKEN_STATUS_VALID;
@@ skipping 16 matching lines @@
 void UserManager::SaveUserDisplayEmail(const std::string& username,
                                        const std::string& display_email) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   User* user = const_cast<User*>(FindUser(username));
   if (!user)
     return;  // Ignore if there is no such user.
 
   user->set_display_email(display_email);
 
+  // Do not update local store if the user is ephemeral.
+  if (IsEphemeralUser(username))
+    return;
+
   PrefService* local_state = g_browser_process->local_state();
 
   DictionaryPrefUpdate display_email_update(local_state, kUserDisplayEmail);
   display_email_update->SetWithoutPathExpansion(
       username,
       base::Value::CreateStringValue(display_email));
 }
 
 std::string UserManager::GetUserDisplayEmail(
     const std::string& username) const {
@@ skipping 51 matching lines @@
 }
 
 void UserManager::Observe(int type,
                           const content::NotificationSource& source,
                           const content::NotificationDetails& details) {
   switch (type) {
     case chrome::NOTIFICATION_OWNER_KEY_FETCH_ATTEMPT_SUCCEEDED:
       BrowserThread::PostTask(BrowserThread::FILE, FROM_HERE,
                               base::Bind(&UserManager::CheckOwnership,
                                          base::Unretained(this)));
+      BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+          base::Bind(&UserManager::RetrieveTrustedDevicePolicies,
+          base::Unretained(this)));
       break;
     case chrome::NOTIFICATION_PROFILE_ADDED:
       if (user_is_logged_in() && !IsLoggedInAsGuest()) {
         Profile* profile = content::Source<Profile>(source).ptr();
         if (!profile->IsOffTheRecord() &&
             profile == ProfileManager::GetDefaultProfile()) {
           DCHECK(NULL == observed_sync_service_);
           observed_sync_service_ =
               ProfileSyncServiceFactory::GetForProfile(profile);
           if (observed_sync_service_)
@@ skipping 54 matching lines @@
 
 // Protected constructor and destructor.
 UserManager::UserManager()
     : ALLOW_THIS_IN_INITIALIZER_LIST(image_loader_(new UserImageLoader)),
       demo_user_(kDemoUser, false),
       guest_user_(kGuestUser, true),
       stub_user_(kStubUser, false),
       logged_in_user_(NULL),
       current_user_is_owner_(false),
       current_user_is_new_(false),
+      current_user_is_ephemeral_(false),
       user_is_logged_in_(false),
       observed_sync_service_(NULL),
       last_image_set_async_(false),
       downloaded_profile_image_data_url_(chrome::kAboutBlankURL) {
   // Use stub as the logged-in user for test paths without login.
   if (!system::runtime_environment::IsRunningOnChromeOS())
     StubUserLoggedIn();
   registrar_.Add(this, chrome::NOTIFICATION_OWNER_KEY_FETCH_ATTEMPT_SUCCEEDED,
       content::NotificationService::AllSources());
   registrar_.Add(this, chrome::NOTIFICATION_PROFILE_ADDED,
       content::NotificationService::AllSources());
+  RetrieveTrustedDevicePolicies();
 }
 
 UserManager::~UserManager() {
 }
 
 FilePath UserManager::GetImagePathForUser(const std::string& username) {
   std::string filename = username + ".png";
   FilePath user_data_dir;
   PathService::Get(chrome::DIR_USER_DATA, &user_data_dir);
   return user_data_dir.AppendASCII(filename);
@@ skipping 75 matching lines @@
         if (prefs_display_emails &&
             prefs_display_emails->GetStringWithoutPathExpansion(
                 email, &display_email)) {
           user->set_display_email(display_email);
         }
       }
     }
   }
 }
 
+void UserManager::RetrieveTrustedDevicePolicies() {
+  ephemeral_users_enabled_.reset();
+  owner_.reset();
+
+  CrosSettings* cros_settings = CrosSettings::Get();
+  // Schedule a callback if device policy has not yet been verified.
+  if (!cros_settings->GetTrusted(
+      kAccountsPrefEphemeralUsersEnabled,
+      base::Bind(&UserManager::RetrieveTrustedDevicePolicies,
+                 base::Unretained(this)))) {
+    return;
+  }
+  bool* ephemeral_users_enabled = new bool;
+  cros_settings->GetBoolean(kAccountsPrefEphemeralUsersEnabled,
+                            ephemeral_users_enabled);
+  ephemeral_users_enabled_.reset(ephemeral_users_enabled);
+
+  if (g_browser_process->browser_policy_connector()->IsEnterpriseManaged()) {
+    owner_.reset(new std::string);
+  } else {
+    std::string* owner = new std::string;
+    cros_settings->GetString(kDeviceOwner, owner);
+    owner_.reset(owner);
+  }
+
+  if (*ephemeral_users_enabled_)
+    RemoveAllExceptOwnerFromList();

[Ivan Korotkov, 2012/03/02 12:39:38]

Discussed this with Nikita:
Please consider delaying user login until these trusted settings are fetched.
Otherwise, a user can login before the trusted settings are verified and will
become persistent.
For example, see LoginPerformer::CompleteLogin waiting for "allow new user"
before completing login.

[use bartfab instead, 2012/03/05 18:07:32]

I discussed this with the folks here at the office. It turns out that trusted
policy will always be available before login already. Without it, features such
as the user whitelist would not work. Thus, no additional check and potential
login delay is necessary.

+}
+
+bool UserManager::AreEphemeralUsersEnabled() const {
+  return ephemeral_users_enabled_.get() &&
+      *ephemeral_users_enabled_ &&
+      owner_.get();
+}
+
+bool UserManager::IsEphemeralUser(const std::string& email) const {
+  // The guest user always is ephemeral.
+  if (email == guest_user_.email())
+    return true;
+
+  // The currently logged-in user is ephemeral iff logged in as ephemeral.
+  if (logged_in_user_ && (email == logged_in_user_->email()))
+    return current_user_is_ephemeral_;
+
+  // Any other user is ephemeral iff ephemeral users are enabled, the user is
+  // not the owner and is not in the persistent list.
+  return AreEphemeralUsersEnabled() &&
+      (email != *owner_) &&
+      !FindUserInList(email);
+}
+
+const User* UserManager::FindUserInList(const std::string& email) const {
+  const UserList& users = GetUsers();
+  for (UserList::const_iterator it = users.begin(); it != users.end(); ++it) {
+    if ((*it)->email() == email)
+      return *it;
+  }
+  return NULL;
+}
+
 void UserManager::StubUserLoggedIn() {
   logged_in_user_ = &stub_user_;
   stub_user_.SetImage(GetDefaultImage(kStubDefaultImageIndex),
                       kStubDefaultImageIndex);
 }
 
 void UserManager::NotifyOnLogin() {
   CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_LOGIN_USER_CHANGED,
@@ skipping 108 matching lines @@
                  base::Unretained(this),
                  username, image_path.value(), image_index, true));
 }
 
 void UserManager::SaveImageToLocalState(const std::string& username,
                                         const std::string& image_path,
                                         int image_index,
                                         bool is_async) {
   DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
+  // Ignore for ephemeral users.
+  if (IsEphemeralUser(username))
+    return;
+
   // TODO(ivankr): use unique filenames for user images each time
   // a new image is set so that only the last image update is saved
   // to Local State and notified.
   if (is_async && !last_image_set_async_) {
     DVLOG(1) << "Ignoring saved image because it has changed";
     return;
   } else if (!is_async) {
     // Reset the async image save flag if called directly from the UI thread.
     last_image_set_async_ = false;
   }
@@ skipping 131 matching lines @@
 }
 
 User* UserManager::CreateUser(const std::string& email) const {
   User* user = new User(email, email == kGuestUser);
   user->set_oauth_token_status(LoadUserOAuthStatus(email));
   // Used to determine whether user's display name is unique.
   ++display_name_count_[user->GetDisplayName()];
   return user;
 }
 
+void UserManager::RemoveAllExceptOwnerFromList() {
+  const std::string owner_email = *owner_;
+  // If a user is currently logged in and the login occurred before ephemeral
+  // users were enabled, this user should not be deleted yet either.

[Ivan Korotkov, 2012/03/02 12:39:38]

Are we sure about that decision? As far as I understand, enabling ephemeral
users means that ALL users except the owner should not be preserved after
logging out.

[Nikita (slow), 2012/03/02 12:51:42]

And this only makes sense when we want "Enable ephemeral users" as a setting for
non-enterprise owned devices (i.e. having an actual user-owner). 

If that's not the case, your change should be simplified as in enterprise
scenario all users are not owner and may be deleted.

Simplifying this change means removing flag "is_ephemeral_user_" and such users
would not be different from any other user.
Policy would be applied only at sign out / boot i.e. cleanup list of users.

[use bartfab instead, 2012/03/05 18:07:32]

Even with ephemeral users exposed as a consumer setting, this code should never
run while a user is logged in, except for very rare corner cases. The check is
mostly a safety net.

That said, I agree with Ivan that it is actually safe to delete a logged-in
user. In *cryptohomed*, a logged-in user's home directory cannot immediately be
removed. In the user manager, it is (mostly) safe. The only risk I can see is
that if a custom image download is currently in progress for the user, this
image will not be deleted. This is such an extremely rare corner case that I
guess it is OK to ignore it and just do away with the check for the logged-in
user altogether.

+  std::string logged_in_user_email;
+  if (user_is_logged_in_ && !current_user_is_ephemeral_)
+    logged_in_user_email = logged_in_user_->email();
+
+  PrefService* prefs = g_browser_process->local_state();
+  ListPrefUpdate prefs_users_update(prefs, kLoggedInUsers);
+  DictionaryPrefUpdate prefs_images_update(prefs, kUserImages);
+  DictionaryPrefUpdate prefs_oauth_update(prefs, kUserOAuthTokenStatus);
+  DictionaryPrefUpdate prefs_display_email_update(prefs, kUserDisplayEmail);
+
+  scoped_ptr<base::ListValue> users(prefs_users_update->DeepCopy());
+  prefs_users_update->Clear();
+  for (base::ListValue::const_iterator user = users->begin();
+      user != users->end(); ++user) {
+    std::string user_email;
+    (*user)->GetAsString(&user_email);
+    if (user_email == owner_email || user_email == logged_in_user_email) {
+      prefs_users_update->Append(Value::CreateStringValue(user_email));
+      continue;
+    }
+    std::string image_path_string;
+    prefs_images_update->GetStringWithoutPathExpansion(user_email,
+                                                       &image_path_string);
+    prefs_images_update->RemoveWithoutPathExpansion(user_email, NULL);
+    prefs_oauth_update->RemoveWithoutPathExpansion(user_email, NULL);
+    prefs_display_email_update->RemoveWithoutPathExpansion(user_email, NULL);
+
+    int default_image_id = User::kInvalidImageIndex;
+    if (!image_path_string.empty() &&
+        !IsDefaultImagePath(image_path_string, &default_image_id)) {
+      FilePath image_path(image_path_string);
+      BrowserThread::PostTask(
+          BrowserThread::FILE,
+          FROM_HERE,
+          base::Bind(&UserManager::DeleteUserImage,
+                     base::Unretained(this),
+                     image_path));
+    }
+  }
+
+  if (!users_.empty()) {
+    UserList users_update;
+    for (UserList::iterator user = users_.begin(); user != users_.end();
+        ++user) {
+      if ((*user)->email() ==  owner_email || *user == logged_in_user_) {
+        users_update.push_back(*user);
+      } else {
+        --display_name_count_[(*user)->GetDisplayName()];
+        delete *user;
+      }
+    }
+    users_ = users_update;
+    // Trigger a redraw of the login window.
+    content::NotificationService::current()->Notify(
+        chrome::NOTIFICATION_SYSTEM_SETTING_CHANGED,
+        content::Source<UserManager>(this),
+        content::NotificationService::NoDetails());
+  }
+}
+
 }  // namespace chromeos