Make sure the device recovers from policy loss in the consumer case.

chrome/browser/chromeos/login/parallel_authenticator.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_PARALLEL_AUTHENTICATOR_H_
 #define CHROME_BROWSER_CHROMEOS_LOGIN_PARALLEL_AUTHENTICATOR_H_
 #pragma once
 
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "base/gtest_prod_util.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/synchronization/lock.h"
 #include "chrome/browser/chromeos/login/authenticator.h"
 #include "chrome/browser/chromeos/login/auth_attempt_state.h"
 #include "chrome/browser/chromeos/login/auth_attempt_state_resolver.h"
 #include "chrome/browser/chromeos/login/test_attempt_state.h"
 #include "chrome/browser/chromeos/login/online_attempt.h"
 #include "chrome/common/net/gaia/gaia_auth_consumer.h"
 
 class LoginFailure;
 class Profile;
 
 namespace chromeos {
 
 class LoginStatusConsumer;
-class ResolveChecker;
 
 // Authenticates a Chromium OS user against the Google Accounts ClientLogin API.
 //
 // Simultaneously attempts authentication both offline and online.
 //
 // At a high, level, here's what happens:
 // AuthenticateToLogin() creates an OnlineAttempt and calls a Cryptohome's
 // method to perform online and offline login simultaneously.  When one of
 // these completes, it will store results in a AuthAttemptState owned by
 // ParallelAuthenticator and then call Resolve().  Resolve() will attempt to
@@ skipping 16 matching lines @@
     POSSIBLE_PW_CHANGE,  // Offline login failed, user may have changed pw.
     NEED_NEW_PW,     // User changed pw, and we have the old one.
     NEED_OLD_PW,     // User changed pw, and we have the new one.
     HAVE_NEW_PW,     // We have verified new pw, time to migrate key.
     OFFLINE_LOGIN,   // Login succeeded offline.
     DEMO_LOGIN,      // Logged in as the demo user.
     ONLINE_LOGIN,    // Offline and online login succeeded.
     UNLOCK,          // Screen unlock succeeded.
     ONLINE_FAILED,   // Online login disallowed, but offline succeeded.
     GUEST_LOGIN,     // Logged in guest mode.
-    LOGIN_FAILED     // Login denied.
+    LOGIN_FAILED,    // Login denied.
+    OWNER_REQUIRED   // Login is restricted to the owner only.
   };
 
   explicit ParallelAuthenticator(LoginStatusConsumer* consumer);
   virtual ~ParallelAuthenticator();
 
   // Authenticator overrides.
   virtual void CompleteLogin(Profile* profile,
                              const std::string& username,
                              const std::string& password) OVERRIDE;
 
@@ skipping 115 matching lines @@
   // Used for testing.
   void set_attempt_state(TestAttemptState* new_state) {  // takes ownership.
     current_state_.reset(new_state);
   }
 
   // Sets an online attemp for testing.
   void set_online_attempt(OnlineAttempt* attempt) {
     current_online_.reset(attempt);
   }
 
+  // Used for testing to set the expected state of an owner check.
+  void SetOwnerState(bool owner_check_finished, bool check_result);
+
   // If we don't have the system salt yet, loads it from the CryptohomeLibrary.
   void LoadSystemSalt();
   // If we don't have supplemental_user_key_ yet, loads it from the NSS DB.
   // Returns false if the key can not be loaded/created.
   bool LoadSupplementalUserKey();
 
+  // checks if the current mounted home contains the owner case and either
+  // continues or fails the log-in. Used for policy lost mitigation "safe-mode".
+  // Returns true if the owner check has been successful or if it is not needed.
+  bool VerifyOwner();
+
+  // checks if the current mounted home contains the owner case and either
+  // continues or fails the log-in. Used for policy lost mitigation "safe-mode".
+  void FinishVerifyOwnerOnFileThread();
+
   // Records OAuth1 access token verification failure for |user_account|.
   void RecordOAuthCheckFailure(const std::string& user_account);
 
   // Signal login completion status for cases when a new user is added via
   // an external authentication provider (i.e. GAIA extension).
   void ResolveLoginCompletionStatus();
 
   // Used when we need to try online authentication again, after successful
   // mount, but failed online login.
   scoped_ptr<AuthAttemptState> reauth_state_;
 
   scoped_ptr<AuthAttemptState> current_state_;
   scoped_ptr<OnlineAttempt> current_online_;
   bool migrate_attempted_;
   bool remove_attempted_;
   bool mount_guest_attempted_;
   bool check_key_attempted_;
 
   // When the user has changed her password, but gives us the old one, we will
   // be able to mount her cryptohome, but online authentication will fail.
   // This allows us to present the same behavior to the caller, regardless
   // of the order in which we receive these results.
   bool already_reported_success_;
-  base::Lock success_lock_;  // A lock around already_reported_success_.
+  base::Lock success_lock_;  // A lock around |already_reported_success_|.
+
+  // Flags signaling whether the owner verification has been done and the result
+  // of it.
+  bool owner_is_verified_;
+  bool user_can_login_;
+  // A lock for |owner_is_verified_| and |user_can_login_|.
+  base::Lock owner_verified_lock_;
 
   // True if we use OAuth-based authentication flow.
   bool using_oauth_;
 
+  FRIEND_TEST_ALL_PREFIXES(ParallelAuthenticatorTest,
+                           ResolveOwnerNeededDirectFailedMount);
+  FRIEND_TEST_ALL_PREFIXES(ParallelAuthenticatorTest, ResolveOwnerNeededMount);
+  FRIEND_TEST_ALL_PREFIXES(ParallelAuthenticatorTest,
+                           ResolveOwnerNeededFailedMount);
   DISALLOW_COPY_AND_ASSIGN(ParallelAuthenticator);
 };
 
 }  // namespace chromeos
 
 #endif  // CHROME_BROWSER_CHROMEOS_LOGIN_PARALLEL_AUTHENTICATOR_H_