// Copyright 2015 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "components/user_manager/known_user.h" #include #include #include #include "base/logging.h" #include "base/metrics/histogram_macros.h" #include "base/time/time.h" #include "base/util/values/values_util.h" #include "base/values.h" #include "components/account_id/account_id.h" #include "components/prefs/pref_registry_simple.h" #include "components/prefs/scoped_user_pref_update.h" #include "components/user_manager/user_manager.h" #include "google_apis/gaia/gaia_auth_util.h" namespace user_manager { namespace known_user { namespace { // A vector pref of preferences of known users. All new preferences should be // placed in this list. const char kKnownUsers[] = "KnownUsers"; // Known user preferences keys (stored in Local State). All keys should be // listed in kReservedKeys below. // Key of canonical e-mail value. const char kCanonicalEmail[] = "email"; // Key of obfuscated GAIA id value. const char kGAIAIdKey[] = "gaia_id"; // Key of obfuscated object guid value for Active Directory accounts. const char kObjGuidKey[] = "obj_guid"; // Key of account type. const char kAccountTypeKey[] = "account_type"; // Key of whether this user ID refers to a SAML user. const char kUsingSAMLKey[] = "using_saml"; // Key of whether this user authenticated via SAML using the principals API. const char kIsUsingSAMLPrincipalsAPI[] = "using_saml_principals_api"; // Key of Device Id. const char kDeviceId[] = "device_id"; // Key of GAPS cookie. const char kGAPSCookie[] = "gaps_cookie"; // Key of the reason for re-auth. const char kReauthReasonKey[] = "reauth_reason"; // Key for the GaiaId migration status. const char kGaiaIdMigration[] = "gaia_id_migration"; // Key of the boolean flag telling if a minimal user home migration has been // attempted. const char kMinimalMigrationAttempted[] = "minimal_migration_attempted"; // Key of the boolean flag telling if user session requires policy. const char kProfileRequiresPolicy[] = "profile_requires_policy"; // Key of the boolean flag telling if user is ephemeral and should be removed // from the local state on logout. const char kIsEphemeral[] = "is_ephemeral"; // Key of the list value that stores challenge-response authentication keys. const char kChallengeResponseKeys[] = "challenge_response_keys"; const char kLastOnlineSignin[] = "last_online_singin"; const char kOfflineSigninLimit[] = "offline_signin_limit"; // Key of the boolean flag telling if user is enterprise managed. const char kIsEnterpriseManaged[] = "is_enterprise_managed"; // Key of the name of the entity (either a domain or email address) that manages // the policies for this account. const char kAccountManager[] = "enterprise_account_manager"; // Key of the last input method user used which is suitable for login/lock // screen. const char kLastInputMethod[] = "last_input_method"; // Key of the PIN auto submit length. const char kPinAutosubmitLength[] = "pin_autosubmit_length"; // Key for the PIN auto submit backfill needed indicator. const char kPinAutosubmitBackfillNeeded[] = "pin_autosubmit_backfill_needed"; // Sync token for SAML password multi-device sync const char kPasswordSyncToken[] = "password_sync_token"; // List containing all the known user preferences keys. const char* kReservedKeys[] = {kCanonicalEmail, kGAIAIdKey, kObjGuidKey, kAccountTypeKey, kUsingSAMLKey, kIsUsingSAMLPrincipalsAPI, kDeviceId, kGAPSCookie, kReauthReasonKey, kGaiaIdMigration, kMinimalMigrationAttempted, kProfileRequiresPolicy, kIsEphemeral, kChallengeResponseKeys, kLastOnlineSignin, kOfflineSigninLimit, kIsEnterpriseManaged, kAccountManager, kLastInputMethod, kPinAutosubmitLength, kPinAutosubmitBackfillNeeded, kPasswordSyncToken}; PrefService* GetLocalState() { if (!UserManager::IsInitialized()) return nullptr; return UserManager::Get()->GetLocalState(); } // Checks if values in |dict| correspond with |account_id| identity. bool UserMatches(const AccountId& account_id, const base::DictionaryValue& dict) { std::string value; if (account_id.GetAccountType() != AccountType::UNKNOWN && dict.GetString(kAccountTypeKey, &value) && account_id.GetAccountType() != AccountId::StringToAccountType(value)) { return false; } // TODO(alemate): update code once user id is really a struct. switch (account_id.GetAccountType()) { case AccountType::GOOGLE: { bool has_gaia_id = dict.GetString(kGAIAIdKey, &value); if (has_gaia_id && account_id.GetGaiaId() == value) return true; break; } case AccountType::ACTIVE_DIRECTORY: { bool has_obj_guid = dict.GetString(kObjGuidKey, &value); if (has_obj_guid && account_id.GetObjGuid() == value) return true; break; } case AccountType::UNKNOWN: { } } bool has_email = dict.GetString(kCanonicalEmail, &value); if (has_email && account_id.GetUserEmail() == value) return true; return false; } // Fills relevant |dict| values based on |account_id|. void UpdateIdentity(const AccountId& account_id, base::DictionaryValue& dict) { if (!account_id.GetUserEmail().empty()) dict.SetString(kCanonicalEmail, account_id.GetUserEmail()); switch (account_id.GetAccountType()) { case AccountType::GOOGLE: if (!account_id.GetGaiaId().empty()) dict.SetString(kGAIAIdKey, account_id.GetGaiaId()); break; case AccountType::ACTIVE_DIRECTORY: if (!account_id.GetObjGuid().empty()) dict.SetString(kObjGuidKey, account_id.GetObjGuid()); break; case AccountType::UNKNOWN: return; } dict.SetString(kAccountTypeKey, AccountId::AccountTypeToString(account_id.GetAccountType())); } void ClearPref(const AccountId& account_id, const std::string& path) { const base::DictionaryValue* user_pref_dict = nullptr; if (!FindPrefs(account_id, &user_pref_dict)) return; base::Value updated_user_pref = user_pref_dict->Clone(); base::DictionaryValue* updated_user_pref_dict; updated_user_pref.GetAsDictionary(&updated_user_pref_dict); updated_user_pref_dict->RemovePath(path); UpdatePrefs(account_id, *updated_user_pref_dict, true); } } // namespace bool FindPrefs(const AccountId& account_id, const base::DictionaryValue** out_value) { PrefService* local_state = GetLocalState(); // Local State may not be initialized in tests. if (!local_state) return false; // UserManager is usually NULL in unit tests. if (account_id.GetAccountType() != AccountType::ACTIVE_DIRECTORY && UserManager::IsInitialized() && UserManager::Get()->IsUserNonCryptohomeDataEphemeral(account_id)) { return false; } if (!account_id.is_valid()) return false; const base::ListValue* known_users = local_state->GetList(kKnownUsers); for (size_t i = 0; i < known_users->GetSize(); ++i) { const base::DictionaryValue* element = nullptr; if (known_users->GetDictionary(i, &element)) { if (UserMatches(account_id, *element)) { known_users->GetDictionary(i, out_value); return true; } } } return false; } void UpdatePrefs(const AccountId& account_id, const base::DictionaryValue& values, bool clear) { PrefService* local_state = GetLocalState(); // Local State may not be initialized in tests. if (!local_state) return; // UserManager is usually NULL in unit tests. if (account_id.GetAccountType() != AccountType::ACTIVE_DIRECTORY && UserManager::IsInitialized() && UserManager::Get()->IsUserNonCryptohomeDataEphemeral(account_id)) { return; } if (!account_id.is_valid()) return; ListPrefUpdate update(local_state, kKnownUsers); for (size_t i = 0; i < update->GetSize(); ++i) { base::DictionaryValue* element = nullptr; if (update->GetDictionary(i, &element)) { if (UserMatches(account_id, *element)) { if (clear) element->Clear(); element->MergeDictionary(&values); UpdateIdentity(account_id, *element); return; } } } std::unique_ptr new_value(new base::DictionaryValue()); new_value->MergeDictionary(&values); UpdateIdentity(account_id, *new_value); update->Append(std::move(new_value)); } bool GetStringPref(const AccountId& account_id, const std::string& path, std::string* out_value) { const base::DictionaryValue* user_pref_dict = nullptr; if (!FindPrefs(account_id, &user_pref_dict)) return false; return user_pref_dict->GetString(path, out_value); } void SetStringPref(const AccountId& account_id, const std::string& path, const std::string& in_value) { base::DictionaryValue dict; dict.SetString(path, in_value); UpdatePrefs(account_id, dict, false); } bool GetBooleanPref(const AccountId& account_id, const std::string& path, bool* out_value) { const base::DictionaryValue* user_pref_dict = nullptr; if (!FindPrefs(account_id, &user_pref_dict)) return false; return user_pref_dict->GetBoolean(path, out_value); } void SetBooleanPref(const AccountId& account_id, const std::string& path, const bool in_value) { base::DictionaryValue dict; dict.SetBoolean(path, in_value); UpdatePrefs(account_id, dict, false); } bool GetIntegerPref(const AccountId& account_id, const std::string& path, int* out_value) { const base::DictionaryValue* user_pref_dict = nullptr; if (!FindPrefs(account_id, &user_pref_dict)) return false; return user_pref_dict->GetInteger(path, out_value); } void SetIntegerPref(const AccountId& account_id, const std::string& path, const int in_value) { base::DictionaryValue dict; dict.SetInteger(path, in_value); UpdatePrefs(account_id, dict, false); } bool GetPref(const AccountId& account_id, const std::string& path, const base::Value** out_value) { const base::DictionaryValue* user_pref_dict = nullptr; if (!FindPrefs(account_id, &user_pref_dict)) return false; *out_value = user_pref_dict->FindPath(path); return *out_value != nullptr; } void SetPref(const AccountId& account_id, const std::string& path, base::Value in_value) { base::DictionaryValue dict; dict.SetPath(path, std::move(in_value)); UpdatePrefs(account_id, dict, false); } void RemovePref(const AccountId& account_id, const std::string& path) { // Prevent removing keys that are used internally. for (const std::string& key : kReservedKeys) CHECK_NE(path, key); ClearPref(account_id, path); } AccountId GetAccountId(const std::string& user_email, const std::string& id, const AccountType& account_type) { DCHECK((id.empty() && account_type == AccountType::UNKNOWN) || (!id.empty() && account_type != AccountType::UNKNOWN)); // In tests empty accounts are possible. if (user_email.empty() && id.empty() && account_type == AccountType::UNKNOWN) { return EmptyAccountId(); } AccountId result(EmptyAccountId()); // UserManager is usually NULL in unit tests. if (account_type == AccountType::UNKNOWN && UserManager::IsInitialized() && UserManager::Get()->GetPlatformKnownUserId(user_email, id, &result)) { return result; } std::string stored_gaia_id; std::string stored_obj_guid; const std::string sanitized_email = user_email.empty() ? std::string() : gaia::CanonicalizeEmail(gaia::SanitizeEmail(user_email)); if (!sanitized_email.empty()) { if (GetStringPref(AccountId::FromUserEmail(sanitized_email), kGAIAIdKey, &stored_gaia_id)) { if (!id.empty()) { DCHECK(account_type == AccountType::GOOGLE); if (id != stored_gaia_id) LOG(ERROR) << "User gaia id has changed. Sync will not work."; } // gaia_id is associated with cryptohome. return AccountId::FromUserEmailGaiaId(sanitized_email, stored_gaia_id); } if (GetStringPref(AccountId::FromUserEmail(sanitized_email), kObjGuidKey, &stored_obj_guid)) { if (!id.empty()) { DCHECK(account_type == AccountType::ACTIVE_DIRECTORY); if (id != stored_obj_guid) LOG(ERROR) << "User object guid has changed. Sync will not work."; } // obj_guid is associated with cryptohome. return AccountId::AdFromUserEmailObjGuid(sanitized_email, stored_obj_guid); } } std::string stored_email; switch (account_type) { case AccountType::GOOGLE: if (GetStringPref(AccountId::FromGaiaId(id), kCanonicalEmail, &stored_email)) { return AccountId::FromUserEmailGaiaId(stored_email, id); } return AccountId::FromUserEmailGaiaId(sanitized_email, id); case AccountType::ACTIVE_DIRECTORY: if (GetStringPref(AccountId::AdFromObjGuid(id), kCanonicalEmail, &stored_email)) { return AccountId::AdFromUserEmailObjGuid(stored_email, id); } return AccountId::AdFromUserEmailObjGuid(sanitized_email, id); case AccountType::UNKNOWN: return AccountId::FromUserEmail(sanitized_email); } NOTREACHED(); return EmptyAccountId(); } std::vector GetKnownAccountIds() { std::vector result; PrefService* local_state = GetLocalState(); // Local State may not be initialized in tests. if (!local_state) return result; const base::ListValue* known_users = local_state->GetList(kKnownUsers); for (size_t i = 0; i < known_users->GetSize(); ++i) { const base::DictionaryValue* element = nullptr; if (known_users->GetDictionary(i, &element)) { std::string email; std::string gaia_id; std::string obj_guid; const bool has_email = element->GetString(kCanonicalEmail, &email); const bool has_gaia_id = element->GetString(kGAIAIdKey, &gaia_id); const bool has_obj_guid = element->GetString(kObjGuidKey, &obj_guid); AccountType account_type = AccountType::GOOGLE; std::string account_type_string; if (element->GetString(kAccountTypeKey, &account_type_string)) { account_type = AccountId::StringToAccountType(account_type_string); } switch (account_type) { case AccountType::GOOGLE: if (has_email || has_gaia_id) { result.push_back(AccountId::FromUserEmailGaiaId(email, gaia_id)); } break; case AccountType::ACTIVE_DIRECTORY: if (has_email && has_obj_guid) { result.push_back( AccountId::AdFromUserEmailObjGuid(email, obj_guid)); } break; default: NOTREACHED() << "Unknown account type"; } } } return result; } bool GetGaiaIdMigrationStatus(const AccountId& account_id, const std::string& subsystem) { bool migrated = false; if (GetBooleanPref(account_id, std::string(kGaiaIdMigration) + "." + subsystem, &migrated)) { return migrated; } return false; } void SetGaiaIdMigrationStatusDone(const AccountId& account_id, const std::string& subsystem) { SetBooleanPref(account_id, std::string(kGaiaIdMigration) + "." + subsystem, true); } void SaveKnownUser(const AccountId& account_id) { const bool is_ephemeral = UserManager::IsInitialized() && UserManager::Get()->IsUserNonCryptohomeDataEphemeral(account_id); if (is_ephemeral && account_id.GetAccountType() != AccountType::ACTIVE_DIRECTORY) { return; } UpdateId(account_id); GetLocalState()->CommitPendingWrite(); } void SetIsEphemeralUser(const AccountId& account_id, bool is_ephemeral) { if (account_id.GetAccountType() != AccountType::ACTIVE_DIRECTORY) return; SetBooleanPref(account_id, kIsEphemeral, is_ephemeral); } void UpdateGaiaID(const AccountId& account_id, const std::string& gaia_id) { SetStringPref(account_id, kGAIAIdKey, gaia_id); SetStringPref(account_id, kAccountTypeKey, AccountId::AccountTypeToString(AccountType::GOOGLE)); } void UpdateId(const AccountId& account_id) { switch (account_id.GetAccountType()) { case AccountType::GOOGLE: SetStringPref(account_id, kGAIAIdKey, account_id.GetGaiaId()); break; case AccountType::ACTIVE_DIRECTORY: SetStringPref(account_id, kObjGuidKey, account_id.GetObjGuid()); break; case AccountType::UNKNOWN: return; } SetStringPref(account_id, kAccountTypeKey, AccountId::AccountTypeToString(account_id.GetAccountType())); } bool FindGaiaID(const AccountId& account_id, std::string* out_value) { return GetStringPref(account_id, kGAIAIdKey, out_value); } void SetDeviceId(const AccountId& account_id, const std::string& device_id) { const std::string known_device_id = GetDeviceId(account_id); if (!known_device_id.empty() && device_id != known_device_id) { NOTREACHED() << "Trying to change device ID for known user."; } SetStringPref(account_id, kDeviceId, device_id); } std::string GetDeviceId(const AccountId& account_id) { std::string device_id; if (GetStringPref(account_id, kDeviceId, &device_id)) { return device_id; } return std::string(); } void SetGAPSCookie(const AccountId& account_id, const std::string& gaps_cookie) { SetStringPref(account_id, kGAPSCookie, gaps_cookie); } std::string GetGAPSCookie(const AccountId& account_id) { std::string gaps_cookie; if (GetStringPref(account_id, kGAPSCookie, &gaps_cookie)) { return gaps_cookie; } return std::string(); } void UpdateUsingSAML(const AccountId& account_id, const bool using_saml) { SetBooleanPref(account_id, kUsingSAMLKey, using_saml); } bool IsUsingSAML(const AccountId& account_id) { bool using_saml; if (GetBooleanPref(account_id, kUsingSAMLKey, &using_saml)) return using_saml; return false; } void USER_MANAGER_EXPORT UpdateIsUsingSAMLPrincipalsAPI(const AccountId& account_id, bool is_using_saml_principals_api) { SetBooleanPref(account_id, kIsUsingSAMLPrincipalsAPI, is_using_saml_principals_api); } bool USER_MANAGER_EXPORT GetIsUsingSAMLPrincipalsAPI(const AccountId& account_id) { bool is_using_saml_principals_api; if (GetBooleanPref(account_id, kIsUsingSAMLPrincipalsAPI, &is_using_saml_principals_api)) { return is_using_saml_principals_api; } return false; } void SetProfileRequiresPolicy(const AccountId& account_id, ProfileRequiresPolicy required) { DCHECK_NE(required, ProfileRequiresPolicy::kUnknown); SetBooleanPref(account_id, kProfileRequiresPolicy, required == ProfileRequiresPolicy::kPolicyRequired); } ProfileRequiresPolicy GetProfileRequiresPolicy(const AccountId& account_id) { bool requires_policy; if (GetBooleanPref(account_id, kProfileRequiresPolicy, &requires_policy)) { return requires_policy ? ProfileRequiresPolicy::kPolicyRequired : ProfileRequiresPolicy::kNoPolicyRequired; } return ProfileRequiresPolicy::kUnknown; } void ClearProfileRequiresPolicy(const AccountId& account_id) { ClearPref(account_id, kProfileRequiresPolicy); } void UpdateReauthReason(const AccountId& account_id, const int reauth_reason) { SetIntegerPref(account_id, kReauthReasonKey, reauth_reason); } bool FindReauthReason(const AccountId& account_id, int* out_value) { return GetIntegerPref(account_id, kReauthReasonKey, out_value); } bool WasUserHomeMinimalMigrationAttempted(const AccountId& account_id) { bool minimal_migration_attempted; const bool pref_set = GetBooleanPref(account_id, kMinimalMigrationAttempted, &minimal_migration_attempted); if (pref_set) return minimal_migration_attempted; // If we haven't recorded that a minimal migration has been attempted, assume // no. return false; } void SetUserHomeMinimalMigrationAttempted(const AccountId& account_id, bool minimal_migration_attempted) { SetBooleanPref(account_id, kMinimalMigrationAttempted, minimal_migration_attempted); } void SetChallengeResponseKeys(const AccountId& account_id, base::Value value) { DCHECK(value.is_list()); SetPref(account_id, kChallengeResponseKeys, std::move(value)); } base::Value GetChallengeResponseKeys(const AccountId& account_id) { const base::Value* value = nullptr; if (!GetPref(account_id, kChallengeResponseKeys, &value) || !value->is_list()) return base::Value(); return value->Clone(); } void SetLastOnlineSignin(const AccountId& account_id, base::Time time) { SetPref(account_id, kLastOnlineSignin, util::TimeToValue(time)); } base::Time GetLastOnlineSignin(const AccountId& account_id) { const base::Value* value = nullptr; if (!GetPref(account_id, kLastOnlineSignin, &value)) return base::Time(); base::Optional time = util::ValueToTime(value); if (!time) return base::Time(); return *time; } void SetOfflineSigninLimit(const AccountId& account_id, base::TimeDelta time_delta) { SetPref(account_id, kOfflineSigninLimit, util::TimeDeltaToValue(time_delta)); } base::TimeDelta GetOfflineSigninLimit(const AccountId& account_id) { const base::Value* value = nullptr; if (!GetPref(account_id, kOfflineSigninLimit, &value)) return base::TimeDelta(); base::Optional time_delta = util::ValueToTimeDelta(value); if (!time_delta) return base::TimeDelta(); return *time_delta; } void SetIsEnterpriseManaged(const AccountId& account_id, bool is_enterprise_managed) { SetBooleanPref(account_id, kIsEnterpriseManaged, is_enterprise_managed); } bool GetIsEnterpriseManaged(const AccountId& account_id) { bool is_enterprise_managed; if (GetBooleanPref(account_id, kIsEnterpriseManaged, &is_enterprise_managed)) return is_enterprise_managed; return false; } void SetAccountManager(const AccountId& account_id, const std::string& manager) { SetStringPref(account_id, kAccountManager, manager); } bool GetAccountManager(const AccountId& account_id, std::string* manager) { return GetStringPref(account_id, kAccountManager, manager); } void SetUserLastLoginInputMethod(const AccountId& account_id, const std::string& input_method) { SetStringPref(account_id, kLastInputMethod, input_method); } bool GetUserLastInputMethod(const AccountId& account_id, std::string* input_method) { return GetStringPref(account_id, kLastInputMethod, input_method); } void SetUserPinLength(const AccountId& account_id, int pin_length) { SetIntegerPref(account_id, kPinAutosubmitLength, pin_length); } int GetUserPinLength(const AccountId& account_id) { int pin_length = 0; if (GetIntegerPref(account_id, kPinAutosubmitLength, &pin_length)) return pin_length; return 0; } bool PinAutosubmitIsBackfillNeeded(const AccountId& account_id) { bool backfill_needed; if (GetBooleanPref(account_id, kPinAutosubmitBackfillNeeded, &backfill_needed)) return backfill_needed; // If the pref is not set, the pref needs to be backfilled. return true; } void PinAutosubmitSetBackfillNotNeeded(const AccountId& account_id) { SetBooleanPref(account_id, kPinAutosubmitBackfillNeeded, false); } void PinAutosubmitSetBackfillNeededForTests(const AccountId& account_id) { SetBooleanPref(account_id, kPinAutosubmitBackfillNeeded, true); } void SetPasswordSyncToken(const AccountId& account_id, const std::string& token) { SetStringPref(account_id, kPasswordSyncToken, token); } std::string GetPasswordSyncToken(const AccountId& account_id) { std::string token; if (GetStringPref(account_id, kPasswordSyncToken, &token)) return token; // Return empty string if sync token was not set for the account yet. return std::string(); } void RemovePrefs(const AccountId& account_id) { PrefService* local_state = GetLocalState(); // Local State may not be initialized in tests. if (!local_state) return; if (!account_id.is_valid()) return; ListPrefUpdate update(local_state, kKnownUsers); for (size_t i = 0; i < update->GetSize(); ++i) { base::DictionaryValue* element = nullptr; if (update->GetDictionary(i, &element)) { if (UserMatches(account_id, *element)) { update->Remove(i, nullptr); break; } } } } void CleanEphemeralUsers() { PrefService* local_state = GetLocalState(); // Local State may not be initialized in tests. if (!local_state) return; ListPrefUpdate update(local_state, kKnownUsers); update->EraseListValueIf([](const auto& value) { if (!value.is_dict()) return false; base::Optional is_ephemeral = value.FindBoolKey(kIsEphemeral); return is_ephemeral && *is_ephemeral; }); } void RegisterPrefs(PrefRegistrySimple* registry) { registry->RegisterListPref(kKnownUsers); } } // namespace known_user } // namespace user_manager