blob: f8e018dfc05b8354ed38e897a36774d00f983e88 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/chromeos/login/users/supervised_user_manager_impl.h"
#include <memory>
#include "base/files/file_path.h"
#include "base/files/file_util.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "base/strings/utf_string_conversions.h"
#include "base/task_scheduler/post_task.h"
#include "base/values.h"
#include "chrome/browser/browser_process.h"
#include "chrome/browser/chromeos/login/supervised/supervised_user_authentication.h"
#include "chrome/browser/chromeos/login/supervised/supervised_user_constants.h"
#include "chrome/browser/chromeos/login/users/chrome_user_manager_impl.h"
#include "chrome/browser/chromeos/profiles/profile_helper.h"
#include "chrome/browser/supervised_user/supervised_user_service.h"
#include "chrome/browser/supervised_user/supervised_user_service_factory.h"
#include "chromeos/settings/cros_settings_names.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
#include "components/prefs/scoped_user_pref_update.h"
#include "components/user_manager/user_names.h"
#include "components/user_manager/user_type.h"
#include "content/public/browser/browser_thread.h"
#include "google_apis/gaia/gaia_auth_util.h"
using content::BrowserThread;
namespace {
// Names for pref keys in Local State.
// A map from supervised user local user id to sync user id.
const char kSupervisedUserSyncId[] = "ManagedUserSyncId";
// A map from supervised user id to manager user id.
const char kSupervisedUserManagers[] = "ManagedUserManagers";
// A map from supervised user id to manager display name.
const char kSupervisedUserManagerNames[] = "ManagedUserManagerNames";
// A map from supervised user id to manager display e-mail.
const char kSupervisedUserManagerDisplayEmails[] =
"ManagedUserManagerDisplayEmails";
// A vector pref of the supervised accounts defined on this device, that had
// not logged in yet.
const char kSupervisedUsersFirstRun[] = "LocallyManagedUsersFirstRun";
// A pref of the next id for supervised users generation.
const char kSupervisedUsersNextId[] = "LocallyManagedUsersNextId";
// A pref of the next id for supervised users generation.
const char kSupervisedUserCreationTransactionDisplayName[] =
"LocallyManagedUserCreationTransactionDisplayName";
// A pref of the next id for supervised users generation.
const char kSupervisedUserCreationTransactionUserId[] =
"LocallyManagedUserCreationTransactionUserId";
// A map from user id to password schema id.
const char kSupervisedUserPasswordSchema[] = "SupervisedUserPasswordSchema";
// A map from user id to password salt.
const char kSupervisedUserPasswordSalt[] = "SupervisedUserPasswordSalt";
// A map from user id to password revision.
const char kSupervisedUserPasswordRevision[] = "SupervisedUserPasswordRevision";
// A map from user id to flag indicating if password should be updated upon
// signin.
const char kSupervisedUserNeedPasswordUpdate[] =
"SupervisedUserNeedPasswordUpdate";
// A map from user id to flag indicating if cryptohome does not have signature
// key.
const char kSupervisedUserIncompleteKey[] = "SupervisedUserHasIncompleteKey";
std::string LoadSyncToken(base::FilePath profile_dir) {
std::string token;
base::FilePath token_file =
profile_dir.Append(chromeos::kSupervisedUserTokenFilename);
VLOG(1) << "Loading" << token_file.value();
if (!base::ReadFileToString(token_file, &token))
return std::string();
return token;
}
} // namespace
namespace chromeos {
const char kSchemaVersion[] = "SchemaVersion";
const char kPasswordRevision[] = "PasswordRevision";
const char kSalt[] = "PasswordSalt";
const char kPasswordSignature[] = "PasswordSignature";
const char kEncryptedPassword[] = "EncryptedPassword";
const char kRequirePasswordUpdate[] = "RequirePasswordUpdate";
const char kHasIncompleteKey[] = "HasIncompleteKey";
const char kPasswordEncryptionKey[] = "password.hmac.encryption";
const char kPasswordSignatureKey[] = "password.hmac.signature";
const char kPasswordUpdateFile[] = "password.update";
const int kMinPasswordRevision = 1;
// static
void SupervisedUserManager::RegisterPrefs(PrefRegistrySimple* registry) {
registry->RegisterListPref(kSupervisedUsersFirstRun);
registry->RegisterIntegerPref(kSupervisedUsersNextId, 0);
registry->RegisterStringPref(kSupervisedUserCreationTransactionDisplayName,
"");
registry->RegisterStringPref(kSupervisedUserCreationTransactionUserId, "");
registry->RegisterDictionaryPref(kSupervisedUserSyncId);
registry->RegisterDictionaryPref(kSupervisedUserManagers);
registry->RegisterDictionaryPref(kSupervisedUserManagerNames);
registry->RegisterDictionaryPref(kSupervisedUserManagerDisplayEmails);
registry->RegisterDictionaryPref(kSupervisedUserPasswordSchema);
registry->RegisterDictionaryPref(kSupervisedUserPasswordSalt);
registry->RegisterDictionaryPref(kSupervisedUserPasswordRevision);
registry->RegisterDictionaryPref(kSupervisedUserNeedPasswordUpdate);
registry->RegisterDictionaryPref(kSupervisedUserIncompleteKey);
}
SupervisedUserManagerImpl::SupervisedUserManagerImpl(
ChromeUserManagerImpl* owner)
: owner_(owner), cros_settings_(CrosSettings::Get()) {
// SupervisedUserManager instance should be used only on UI thread.
// (or in unit_tests)
if (base::ThreadTaskRunnerHandle::IsSet())
DCHECK_CURRENTLY_ON(BrowserThread::UI);
authentication_.reset(new SupervisedUserAuthentication(this));
}
SupervisedUserManagerImpl::~SupervisedUserManagerImpl() {}
std::string SupervisedUserManagerImpl::GenerateUserId() {
int counter =
g_browser_process->local_state()->GetInteger(kSupervisedUsersNextId);
std::string id;
bool user_exists;
do {
id = base::StringPrintf("%d@%s", counter,
user_manager::kSupervisedUserDomain);
counter++;
user_exists = (nullptr != owner_->FindUser(AccountId::FromUserEmail(id)));
DCHECK(!user_exists);
if (user_exists) {
LOG(ERROR) << "Supervised user with id " << id << " already exists.";
}
} while (user_exists);
g_browser_process->local_state()->SetInteger(kSupervisedUsersNextId, counter);
g_browser_process->local_state()->CommitPendingWrite();
return id;
}
bool SupervisedUserManagerImpl::HasSupervisedUsers(
const std::string& manager_id) const {
const user_manager::UserList& users = owner_->GetUsers();
for (user_manager::UserList::const_iterator it = users.begin();
it != users.end(); ++it) {
if ((*it)->GetType() == user_manager::USER_TYPE_SUPERVISED) {
if (manager_id == GetManagerUserId((*it)->GetAccountId().GetUserEmail()))
return true;
}
}
return false;
}
const user_manager::User* SupervisedUserManagerImpl::CreateUserRecord(
const std::string& manager_id,
const std::string& local_user_id,
const std::string& sync_user_id,
const base::string16& display_name) {
const user_manager::User* user = FindByDisplayName(display_name);
DCHECK(!user);
if (user)
return user;
const user_manager::User* manager =
owner_->FindUser(AccountId::FromUserEmail(manager_id));
CHECK(manager);
PrefService* local_state = g_browser_process->local_state();
user_manager::User* new_user = user_manager::User::CreateSupervisedUser(
AccountId::FromUserEmail(local_user_id));
owner_->AddUserRecord(new_user);
ListPrefUpdate prefs_new_users_update(local_state, kSupervisedUsersFirstRun);
DictionaryPrefUpdate sync_id_update(local_state, kSupervisedUserSyncId);
DictionaryPrefUpdate manager_update(local_state, kSupervisedUserManagers);
DictionaryPrefUpdate manager_name_update(local_state,
kSupervisedUserManagerNames);
DictionaryPrefUpdate manager_email_update(
local_state, kSupervisedUserManagerDisplayEmails);
prefs_new_users_update->Insert(0,
std::make_unique<base::Value>(local_user_id));
sync_id_update->SetWithoutPathExpansion(
local_user_id, std::make_unique<base::Value>(sync_user_id));
manager_update->SetWithoutPathExpansion(
local_user_id,
std::make_unique<base::Value>(manager->GetAccountId().GetUserEmail()));
manager_name_update->SetWithoutPathExpansion(
local_user_id, std::make_unique<base::Value>(manager->GetDisplayName()));
manager_email_update->SetWithoutPathExpansion(
local_user_id, std::make_unique<base::Value>(manager->display_email()));
owner_->SaveUserDisplayName(AccountId::FromUserEmail(local_user_id),
display_name);
g_browser_process->local_state()->CommitPendingWrite();
return new_user;
}
std::string SupervisedUserManagerImpl::GetUserSyncId(
const std::string& user_id) const {
std::string result;
GetUserStringValue(user_id, kSupervisedUserSyncId, &result);
return result;
}
base::string16 SupervisedUserManagerImpl::GetManagerDisplayName(
const std::string& user_id) const {
PrefService* local_state = g_browser_process->local_state();
const base::DictionaryValue* manager_names =
local_state->GetDictionary(kSupervisedUserManagerNames);
base::string16 result;
if (manager_names->GetStringWithoutPathExpansion(user_id, &result) &&
!result.empty())
return result;
return base::UTF8ToUTF16(GetManagerDisplayEmail(user_id));
}
std::string SupervisedUserManagerImpl::GetManagerUserId(
const std::string& user_id) const {
std::string result;
GetUserStringValue(user_id, kSupervisedUserManagers, &result);
return result;
}
std::string SupervisedUserManagerImpl::GetManagerDisplayEmail(
const std::string& user_id) const {
std::string result;
if (GetUserStringValue(user_id, kSupervisedUserManagerDisplayEmails,
&result) &&
!result.empty())
return result;
return GetManagerUserId(user_id);
}
void SupervisedUserManagerImpl::GetPasswordInformation(
const std::string& user_id,
base::DictionaryValue* result) {
int value;
if (GetUserIntegerValue(user_id, kSupervisedUserPasswordSchema, &value))
result->SetKey(kSchemaVersion, base::Value(value));
if (GetUserIntegerValue(user_id, kSupervisedUserPasswordRevision, &value))
result->SetKey(kPasswordRevision, base::Value(value));
bool flag;
if (GetUserBooleanValue(user_id, kSupervisedUserNeedPasswordUpdate, &flag))
result->SetKey(kRequirePasswordUpdate, base::Value(flag));
if (GetUserBooleanValue(user_id, kSupervisedUserIncompleteKey, &flag))
result->SetKey(kHasIncompleteKey, base::Value(flag));
std::string salt;
if (GetUserStringValue(user_id, kSupervisedUserPasswordSalt, &salt))
result->SetKey(kSalt, base::Value(salt));
}
void SupervisedUserManagerImpl::SetPasswordInformation(
const std::string& user_id,
const base::DictionaryValue* password_info) {
int value;
if (password_info->GetIntegerWithoutPathExpansion(kSchemaVersion, &value))
SetUserIntegerValue(user_id, kSupervisedUserPasswordSchema, value);
if (password_info->GetIntegerWithoutPathExpansion(kPasswordRevision, &value))
SetUserIntegerValue(user_id, kSupervisedUserPasswordRevision, value);
bool flag;
if (password_info->GetBooleanWithoutPathExpansion(kRequirePasswordUpdate,
&flag)) {
SetUserBooleanValue(user_id, kSupervisedUserNeedPasswordUpdate, flag);
}
if (password_info->GetBooleanWithoutPathExpansion(kHasIncompleteKey, &flag))
SetUserBooleanValue(user_id, kSupervisedUserIncompleteKey, flag);
std::string salt;
if (password_info->GetStringWithoutPathExpansion(kSalt, &salt))
SetUserStringValue(user_id, kSupervisedUserPasswordSalt, salt);
g_browser_process->local_state()->CommitPendingWrite();
}
bool SupervisedUserManagerImpl::GetUserStringValue(
const std::string& user_id,
const char* key,
std::string* out_value) const {
PrefService* local_state = g_browser_process->local_state();
const base::DictionaryValue* dictionary = local_state->GetDictionary(key);
return dictionary->GetStringWithoutPathExpansion(user_id, out_value);
}
bool SupervisedUserManagerImpl::GetUserIntegerValue(const std::string& user_id,
const char* key,
int* out_value) const {
PrefService* local_state = g_browser_process->local_state();
const base::DictionaryValue* dictionary = local_state->GetDictionary(key);
return dictionary->GetIntegerWithoutPathExpansion(user_id, out_value);
}
bool SupervisedUserManagerImpl::GetUserBooleanValue(const std::string& user_id,
const char* key,
bool* out_value) const {
PrefService* local_state = g_browser_process->local_state();
const base::DictionaryValue* dictionary = local_state->GetDictionary(key);
return dictionary->GetBooleanWithoutPathExpansion(user_id, out_value);
}
void SupervisedUserManagerImpl::SetUserStringValue(const std::string& user_id,
const char* key,
const std::string& value) {
PrefService* local_state = g_browser_process->local_state();
DictionaryPrefUpdate update(local_state, key);
update->SetKey(user_id, base::Value(value));
}
void SupervisedUserManagerImpl::SetUserIntegerValue(const std::string& user_id,
const char* key,
const int value) {
PrefService* local_state = g_browser_process->local_state();
DictionaryPrefUpdate update(local_state, key);
update->SetKey(user_id, base::Value(value));
}
void SupervisedUserManagerImpl::SetUserBooleanValue(const std::string& user_id,
const char* key,
const bool value) {
PrefService* local_state = g_browser_process->local_state();
DictionaryPrefUpdate update(local_state, key);
update->SetKey(user_id, base::Value(value));
}
const user_manager::User* SupervisedUserManagerImpl::FindByDisplayName(
const base::string16& display_name) const {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
const user_manager::UserList& users = owner_->GetUsers();
for (user_manager::UserList::const_iterator it = users.begin();
it != users.end(); ++it) {
if (((*it)->GetType() == user_manager::USER_TYPE_SUPERVISED) &&
((*it)->display_name() == display_name)) {
return *it;
}
}
return NULL;
}
const user_manager::User* SupervisedUserManagerImpl::FindBySyncId(
const std::string& sync_id) const {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
const user_manager::UserList& users = owner_->GetUsers();
for (user_manager::UserList::const_iterator it = users.begin();
it != users.end(); ++it) {
if (((*it)->GetType() == user_manager::USER_TYPE_SUPERVISED) &&
(GetUserSyncId((*it)->GetAccountId().GetUserEmail()) == sync_id)) {
return *it;
}
}
return NULL;
}
void SupervisedUserManagerImpl::StartCreationTransaction(
const base::string16& display_name) {
g_browser_process->local_state()->SetString(
kSupervisedUserCreationTransactionDisplayName,
base::UTF16ToASCII(display_name));
g_browser_process->local_state()->CommitPendingWrite();
}
void SupervisedUserManagerImpl::SetCreationTransactionUserId(
const std::string& email) {
g_browser_process->local_state()->SetString(
kSupervisedUserCreationTransactionUserId, email);
g_browser_process->local_state()->CommitPendingWrite();
}
void SupervisedUserManagerImpl::CommitCreationTransaction() {
g_browser_process->local_state()->ClearPref(
kSupervisedUserCreationTransactionDisplayName);
g_browser_process->local_state()->ClearPref(
kSupervisedUserCreationTransactionUserId);
g_browser_process->local_state()->CommitPendingWrite();
}
bool SupervisedUserManagerImpl::HasFailedUserCreationTransaction() {
return !(g_browser_process->local_state()
->GetString(kSupervisedUserCreationTransactionDisplayName)
.empty());
}
void SupervisedUserManagerImpl::RollbackUserCreationTransaction() {
PrefService* prefs = g_browser_process->local_state();
std::string display_name =
prefs->GetString(kSupervisedUserCreationTransactionDisplayName);
std::string user_id =
prefs->GetString(kSupervisedUserCreationTransactionUserId);
LOG(WARNING) << "Cleaning up transaction for " << display_name << "/"
<< user_id;
if (user_id.empty()) {
// Not much to do - just remove transaction.
prefs->ClearPref(kSupervisedUserCreationTransactionDisplayName);
prefs->CommitPendingWrite();
return;
}
if (!owner_->IsSupervisedAccountId(AccountId::FromUserEmail(user_id))) {
LOG(WARNING) << "Clean up transaction for non-supervised user found:"
<< user_id << ", will not remove data";
prefs->ClearPref(kSupervisedUserCreationTransactionDisplayName);
prefs->ClearPref(kSupervisedUserCreationTransactionUserId);
prefs->CommitPendingWrite();
return;
}
owner_->RemoveNonOwnerUserInternal(AccountId::FromUserEmail(user_id),
nullptr);
prefs->ClearPref(kSupervisedUserCreationTransactionDisplayName);
prefs->ClearPref(kSupervisedUserCreationTransactionUserId);
prefs->CommitPendingWrite();
}
void SupervisedUserManagerImpl::RemoveNonCryptohomeData(
const std::string& user_id) {
PrefService* prefs = g_browser_process->local_state();
ListPrefUpdate prefs_new_users_update(prefs, kSupervisedUsersFirstRun);
prefs_new_users_update->Remove(base::Value(user_id), NULL);
CleanPref(user_id, kSupervisedUserSyncId);
CleanPref(user_id, kSupervisedUserManagers);
CleanPref(user_id, kSupervisedUserManagerNames);
CleanPref(user_id, kSupervisedUserManagerDisplayEmails);
CleanPref(user_id, kSupervisedUserPasswordSalt);
CleanPref(user_id, kSupervisedUserPasswordSchema);
CleanPref(user_id, kSupervisedUserPasswordRevision);
CleanPref(user_id, kSupervisedUserNeedPasswordUpdate);
CleanPref(user_id, kSupervisedUserIncompleteKey);
}
void SupervisedUserManagerImpl::CleanPref(const std::string& user_id,
const char* key) {
PrefService* prefs = g_browser_process->local_state();
DictionaryPrefUpdate dict_update(prefs, key);
dict_update->RemoveWithoutPathExpansion(user_id, NULL);
}
bool SupervisedUserManagerImpl::CheckForFirstRun(const std::string& user_id) {
ListPrefUpdate prefs_new_users_update(g_browser_process->local_state(),
kSupervisedUsersFirstRun);
return prefs_new_users_update->Remove(base::Value(user_id), NULL);
}
void SupervisedUserManagerImpl::UpdateManagerName(
const std::string& manager_id,
const base::string16& new_display_name) {
PrefService* local_state = g_browser_process->local_state();
const base::DictionaryValue* manager_ids =
local_state->GetDictionary(kSupervisedUserManagers);
DictionaryPrefUpdate manager_name_update(local_state,
kSupervisedUserManagerNames);
for (base::DictionaryValue::Iterator it(*manager_ids); !it.IsAtEnd();
it.Advance()) {
std::string user_id;
bool has_manager_id = it.value().GetAsString(&user_id);
DCHECK(has_manager_id);
if (user_id == manager_id) {
manager_name_update->SetWithoutPathExpansion(
it.key(), std::make_unique<base::Value>(new_display_name));
}
}
}
SupervisedUserAuthentication* SupervisedUserManagerImpl::GetAuthentication() {
return authentication_.get();
}
void SupervisedUserManagerImpl::LoadSupervisedUserToken(
Profile* profile,
const LoadTokenCallback& callback) {
// TODO(antrim): use profile->GetPath() once we sure it is safe.
base::FilePath profile_dir = ProfileHelper::GetProfilePathByUserIdHash(
ProfileHelper::Get()->GetUserByProfile(profile)->username_hash());
PostTaskAndReplyWithResult(
base::CreateTaskRunnerWithTraits(
{base::MayBlock(), base::TaskPriority::BACKGROUND,
base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN})
.get(),
FROM_HERE, base::Bind(&LoadSyncToken, profile_dir), callback);
}
void SupervisedUserManagerImpl::ConfigureSyncWithToken(
Profile* profile,
const std::string& token) {
if (!token.empty())
SupervisedUserServiceFactory::GetForProfile(profile)->InitSync(token);
}
} // namespace chromeos