[Chrome OS] Plumb sync vault keys received during signin to SyncService

In this patch, GaiaScreenHandler adds support to deal with the received
sync trusted vault keys.

This information is wrapped in a new class (SyncTrustedVaultKeys) and
propagated via UserContext to UserSessionManager, where during profile
preparation is propagated to SyncService and consumed.

Browser tests are introduced to exercise the whole integration, from
the server (FakeGaia) to the final storage (TrustedVaultClient).

Change-Id: I3cdc16086b2eec2b2a603255ed644c7b1f53192e
Bug: 1081651
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2590035
Commit-Queue: Mikel Astiz <mastiz@chromium.org>
Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#846285}

chrome/browser/chromeos/login/session/user_session_manager.cc

@@ -138,6 +138,7 @@
 #include "components/signin/public/identity_manager/consent_level.h"
 #include "components/signin/public/identity_manager/identity_manager.h"
 #include "components/signin/public/identity_manager/primary_account_mutator.h"
+#include "components/sync/driver/sync_service.h"
 #include "components/user_manager/known_user.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
@@ -379,6 +380,29 @@ void OnPrepareTpmDeviceFinished() {
   BootTimesRecorder::Get()->AddLoginTimeMarker("TPMOwn-End", false);
 }
 
+void SaveSyncTrustedVaultKeysToProfile(
+    const std::string& gaia_id,
+    const SyncTrustedVaultKeys& trusted_vault_keys,
+    Profile* profile) {
+  syncer::SyncService* sync_service =
+      ProfileSyncServiceFactory::GetForProfile(profile);
+  if (!sync_service) {
+    return;
+  }
+
+  if (!trusted_vault_keys.encryption_keys().empty()) {
+    sync_service->AddTrustedVaultDecryptionKeysFromWeb(
+        gaia_id, trusted_vault_keys.encryption_keys(),
+        trusted_vault_keys.last_encryption_key_version());
+  }
+
+  for (const std::vector<uint8_t>& trusted_public_key :
+       trusted_vault_keys.trusted_public_keys()) {
+    sync_service->AddTrustedVaultRecoveryMethodFromWeb(
+        gaia_id, trusted_public_key, base::DoNothing());
+  }
+}
+
 }  // namespace
 
 UserSessionManagerDelegate::~UserSessionManagerDelegate() {}
@@ -1533,6 +1557,12 @@ void UserSessionManager::FinalizePrepareProfile(Profile* profile) {
   if (!user_context_.GetChallengeResponseKeys().empty())
     PersistChallengeResponseKeys(user_context_);
 
+  if (user_context_.GetSyncTrustedVaultKeys().has_value()) {
+    SaveSyncTrustedVaultKeysToProfile(user_context_.GetGaiaID(),
+                                      *user_context_.GetSyncTrustedVaultKeys(),
+                                      profile);
+  }
+
   VLOG(1) << "Clearing all secrets";
   user_context_.ClearSecrets();
   if (user->GetType() == user_manager::USER_TYPE_CHILD) {

chrome/browser/chromeos/login/webview_login_browsertest.cc

@@ -51,6 +51,8 @@
 #include "chrome/browser/chromeos/scoped_test_system_nss_key_slot_mixin.h"
 #include "chrome/browser/chromeos/settings/scoped_testing_cros_settings.h"
 #include "chrome/browser/chromeos/settings/stub_cros_settings_provider.h"
+#include "chrome/browser/sync/profile_sync_service_factory.h"
+#include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/login/login_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/error_screen_handler.h"
 #include "chrome/browser/ui/webui/chromeos/login/eula_screen_handler.h"
@@ -75,6 +77,9 @@
 #include "components/policy/policy_constants.h"
 #include "components/policy/proto/chrome_device_policy.pb.h"
 #include "components/prefs/pref_change_registrar.h"
+#include "components/sync/driver/profile_sync_service.h"
+#include "components/sync/driver/sync_driver_switches.h"
+#include "components/sync/driver/trusted_vault_client.h"
 #include "content/public/browser/browser_task_traits.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/notification_service.h"
@@ -102,6 +107,7 @@
 #include "net/test/spawned_test_server/spawned_test_server.h"
 #include "net/test/test_data_directory.h"
 #include "services/network/public/mojom/cookie_manager.mojom.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "third_party/boringssl/src/include/openssl/pool.h"
 
 namespace em = enterprise_management;
@@ -456,6 +462,68 @@ IN_PROC_BROWSER_TEST_F(WebviewLoginTest, BackButton) {
   test::WaitForPrimaryUserSessionStart();
 }
 
+class WebviewLoginTestWithSyncTrustedVaultEnabled : public WebviewLoginTest {
+ public:
+  WebviewLoginTestWithSyncTrustedVaultEnabled() {
+    scoped_feature_list_.Reset();
+    scoped_feature_list_.InitAndEnableFeature(
+        ::switches::kSyncSupportTrustedVaultPassphraseRecovery);
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(WebviewLoginTestWithSyncTrustedVaultEnabled,
+                       BasicWithKeys) {
+  // Set up some fake keys in the server.
+  FakeGaia::SyncTrustedVaultKeys fake_gaia_keys;
+  // Create an arbitrary encryption key, the precisely value is not relevant,
+  // but used as test expectation later down.
+  fake_gaia_keys.encryption_key.resize(16, 123);
+  fake_gaia_keys.encryption_key_version = 91;
+  fake_gaia_keys.trusted_public_keys.emplace_back();
+  // Create an arbitrary public key, the precisely value is not relevant.
+  fake_gaia_keys.trusted_public_keys.back().resize(16, 124);
+  fake_gaia_.fake_gaia()->SetSyncTrustedVaultKeys(FakeGaiaMixin::kFakeUserEmail,
+                                                  fake_gaia_keys);
+
+  WaitForGaiaPageLoadAndPropertyUpdate();
+
+  ExpectIdentifierPage();
+
+  SigninFrameJS().TypeIntoPath(FakeGaiaMixin::kFakeUserEmail, {"identifier"});
+  SigninFrameJS().TapOn("nextButton");
+  WaitForGaiaPageBackButtonUpdate();
+  ExpectPasswordPage();
+
+  ASSERT_TRUE(LoginDisplayHost::default_host());
+
+  SigninFrameJS().TypeIntoPath("[]", {"services"});
+  SigninFrameJS().TypeIntoPath(FakeGaiaMixin::kFakeUserPassword, {"password"});
+  SigninFrameJS().TapOn("nextButton");
+
+  Browser* browser = ui_test_utils::WaitForBrowserToOpen();
+  test::WaitForPrimaryUserSessionStart();
+
+  syncer::ProfileSyncService* sync_service =
+      ProfileSyncServiceFactory::GetAsProfileSyncServiceForProfile(
+          browser->profile());
+  syncer::TrustedVaultClient* trusted_vault_client =
+      sync_service->GetSyncClientForTest()->GetTrustedVaultClient();
+
+  // Verify that the sync trusted vault keys have been received and stored.
+  base::RunLoop loop;
+  std::vector<std::vector<uint8_t>> actual_keys;
+  trusted_vault_client->FetchKeys(
+      sync_service->GetAuthenticatedAccountInfo(),
+      base::BindLambdaForTesting(
+          [&](const std::vector<std::vector<uint8_t>>& keys) {
+            actual_keys = keys;
+            loop.Quit();
+          }));
+  loop.Run();
+
+  EXPECT_THAT(actual_keys, testing::ElementsAre(fake_gaia_keys.encryption_key));
+}
+
 class WebviewLoginTestWithChildSigninEnabled : public WebviewLoginTest {
  public:
   WebviewLoginTestWithChildSigninEnabled() {

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc

@@ -75,6 +75,7 @@
 #include "chromeos/login/auth/challenge_response/cert_utils.h"
 #include "chromeos/login/auth/cryptohome_key_constants.h"
 #include "chromeos/login/auth/saml_password_attributes.h"
+#include "chromeos/login/auth/sync_trusted_vault_keys.h"
 #include "chromeos/login/auth/user_context.h"
 #include "chromeos/network/onc/certificate_scope.h"
 #include "chromeos/settings/cros_settings_names.h"
@@ -780,8 +781,6 @@ void GaiaScreenHandler::HandleCompleteAuthentication(
       base::BindOnce(&LoginDisplayHost::CompleteLogin,
                      base::Unretained(LoginDisplayHost::default_host())));
 
-  // TODO(crbug.com/1081651): Propagate |sync_trusted_vault_keys| into
-  // UserContext.
   pending_user_context_ = std::make_unique<UserContext>();
   std::string error_message;
   if (!login::BuildUserContextForGaiaSignIn(
@@ -789,6 +788,10 @@ void GaiaScreenHandler::HandleCompleteAuthentication(
           GetAccountId(email, gaia_id, AccountType::GOOGLE), using_saml,
           using_saml_api_, password,
           SamlPasswordAttributes::FromJs(*password_attributes),
+          IsSyncTrustedVaultKeysEnabled()
+              ? base::make_optional(
+                    SyncTrustedVaultKeys::FromJs(*sync_trusted_vault_keys))
+              : base::nullopt,
           *extension_provided_client_cert_usage_observer_,
           pending_user_context_.get(), &error_message)) {
     core_oobe_view_->ShowSignInError(0, error_message, std::string(),
@@ -822,8 +825,7 @@ void GaiaScreenHandler::HandleCompleteLogin(const std::string& gaia_id,
                                             const std::string& password,
                                             bool using_saml) {
   VLOG(1) << "HandleCompleteLogin";
-  DoCompleteLogin(gaia_id, typed_email, password, using_saml,
-                  SamlPasswordAttributes());
+  DoCompleteLogin(gaia_id, typed_email, password, using_saml);
 }
 
 void GaiaScreenHandler::HandleUsingSAMLAPI(bool is_third_party_idp) {
@@ -988,12 +990,10 @@ void GaiaScreenHandler::OnShowAddUser() {
   LoginDisplayHost::default_host()->ShowGaiaDialog(populated_account_id_);
 }
 
-void GaiaScreenHandler::DoCompleteLogin(
-    const std::string& gaia_id,
-    const std::string& typed_email,
-    const std::string& password,
-    bool using_saml,
-    const SamlPasswordAttributes& password_attributes) {
+void GaiaScreenHandler::DoCompleteLogin(const std::string& gaia_id,
+                                        const std::string& typed_email,
+                                        const std::string& password,
+                                        bool using_saml) {
   if (using_saml && !using_saml_api_)
     RecordSAMLScrapingVerificationResultInHistogram(true);
 
@@ -1011,7 +1011,8 @@ void GaiaScreenHandler::DoCompleteLogin(
   if (!login::BuildUserContextForGaiaSignIn(
           user ? user->GetType() : CalculateUserType(account_id),
           GetAccountId(typed_email, gaia_id, AccountType::GOOGLE), using_saml,
-          using_saml_api_, password, password_attributes,
+          using_saml_api_, password, SamlPasswordAttributes(),
+          /*sync_trusted_vault_keys=*/base::nullopt,
           *extension_provided_client_cert_usage_observer_, &user_context,
           &error_message)) {
     core_oobe_view_->ShowSignInError(0, error_message, std::string(),

chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h

@@ -36,7 +36,6 @@ class NSSTempCertsCacheChromeOS;
 
 namespace chromeos {
 
-class SamlPasswordAttributes;
 class SigninScreenHandler;
 class PublicSamlUrlFetcher;
 class GaiaScreen;
@@ -241,8 +240,7 @@ class GaiaScreenHandler : public BaseScreenHandler,
   void DoCompleteLogin(const std::string& gaia_id,
                        const std::string& typed_email,
                        const std::string& password,
-                       bool using_saml,
-                       const SamlPasswordAttributes& password_attributes);
+                       bool using_saml);
 
   // Kick off cookie / local storage cleanup.
   void StartClearingCookies(base::OnceClosure on_clear_callback);

chrome/browser/ui/webui/chromeos/login/online_login_helper.cc

@@ -15,6 +15,7 @@
 #include "chromeos/dbus/util/version_loader.h"
 #include "chromeos/login/auth/challenge_response/cert_utils.h"
 #include "chromeos/login/auth/cryptohome_key_constants.h"
+#include "components/sync/driver/sync_driver_switches.h"
 #include "content/public/browser/storage_partition.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "ui/base/l10n/l10n_util.h"
@@ -109,6 +110,7 @@ bool BuildUserContextForGaiaSignIn(
     bool using_saml_api,
     const std::string& password,
     const SamlPasswordAttributes& password_attributes,
+    const base::Optional<SyncTrustedVaultKeys>& sync_trusted_vault_keys,
     const LoginClientCertUsageObserver&
         extension_provided_client_cert_usage_observer,
     UserContext* user_context,
@@ -150,6 +152,11 @@ bool BuildUserContextForGaiaSignIn(
       user_context->SetSamlPasswordAttributes(password_attributes);
     }
   }
+
+  if (sync_trusted_vault_keys.has_value()) {
+    user_context->SetSyncTrustedVaultKeys(*sync_trusted_vault_keys);
+  }
+
   return true;
 }
 

chrome/browser/ui/webui/chromeos/login/online_login_helper.h

@@ -7,6 +7,7 @@
 
 #include <string>
 
+#include "base/optional.h"
 #include "chrome/browser/chromeos/login/login_client_cert_usage_observer.h"
 #include "chrome/browser/chromeos/login/signin_partition_manager.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
@@ -20,6 +21,10 @@
 #include "services/network/public/mojom/cookie_manager.mojom.h"
 
 namespace chromeos {
+
+class SyncTrustedVaultKeys;
+class UserContext;
+
 namespace login {
 
 // A class that's used to specify the way how Gaia should be loaded.
@@ -70,6 +75,7 @@ bool BuildUserContextForGaiaSignIn(
     bool using_saml_api,
     const std::string& password,
     const SamlPasswordAttributes& password_attributes,
+    const base::Optional<SyncTrustedVaultKeys>& sync_trusted_vault_keys,
     const LoginClientCertUsageObserver&
         extension_provided_client_cert_usage_observer,
     UserContext* user_context,

chromeos/login/auth/BUILD.gn

@@ -72,6 +72,8 @@ component("auth") {
     "stub_authenticator.h",
     "stub_authenticator_builder.cc",
     "stub_authenticator_builder.h",
+    "sync_trusted_vault_keys.cc",
+    "sync_trusted_vault_keys.h",
     "test_attempt_state.cc",
     "test_attempt_state.h",
     "user_context.cc",
@@ -134,5 +136,6 @@ source_set("unit_tests") {
     "challenge_response/cert_utils_unittest.cc",
     "key_unittest.cc",
     "saml_password_attributes_unittest.cc",
+    "sync_trusted_vault_keys_unittest.cc",
   ]
 }

chromeos/login/auth/sync_trusted_vault_keys.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/login/auth/sync_trusted_vault_keys.h"
+
+#include "base/optional.h"
+#include "base/values.h"
+
+namespace chromeos {
+
+namespace {
+
+// Keys in base::Value dictionaries.
+const char kEncryptionKeysDictKey[] = "encryptionKeys";
+const char kTrustedPublicKeysDictKey[] = "trustedPublicKeys";
+const char kKeyMaterialDictKey[] = "keyMaterial";
+const char kVersionDictKey[] = "version";
+
+struct KeyMaterialAndVersion {
+  std::vector<uint8_t> key_material;
+  int version = 0;
+};
+
+base::Optional<KeyMaterialAndVersion> ParseSingleKey(
+    const base::Value& js_object) {
+  const base::Value::BlobStorage* key_material =
+      js_object.FindBlobKey(kKeyMaterialDictKey);
+  if (key_material == nullptr) {
+    return base::nullopt;
+  }
+
+  return KeyMaterialAndVersion{
+      *key_material, js_object.FindIntKey(kVersionDictKey).value_or(0)};
+}
+
+std::vector<KeyMaterialAndVersion> ParseKeyList(const base::Value* key_list) {
+  if (key_list == nullptr || !key_list->is_list()) {
+    return {};
+  }
+
+  std::vector<KeyMaterialAndVersion> parsed_keys;
+  for (const base::Value& key : key_list->GetList()) {
+    base::Optional<KeyMaterialAndVersion> parsed_key = ParseSingleKey(key);
+    if (parsed_key.has_value()) {
+      parsed_keys.push_back(std::move(*parsed_key));
+    }
+  }
+  return parsed_keys;
+}
+
+}  // namespace
+
+SyncTrustedVaultKeys::SyncTrustedVaultKeys() = default;
+
+SyncTrustedVaultKeys::SyncTrustedVaultKeys(const SyncTrustedVaultKeys&) =
+    default;
+
+SyncTrustedVaultKeys::SyncTrustedVaultKeys(SyncTrustedVaultKeys&&) = default;
+
+SyncTrustedVaultKeys& SyncTrustedVaultKeys::operator=(
+    const SyncTrustedVaultKeys&) = default;
+
+SyncTrustedVaultKeys& SyncTrustedVaultKeys::operator=(SyncTrustedVaultKeys&&) =
+    default;
+
+SyncTrustedVaultKeys::~SyncTrustedVaultKeys() = default;
+
+// static
+SyncTrustedVaultKeys SyncTrustedVaultKeys::FromJs(
+    const base::DictionaryValue& js_object) {
+  const std::vector<KeyMaterialAndVersion> encryption_keys =
+      ParseKeyList(js_object.FindListKey(kEncryptionKeysDictKey));
+  const std::vector<KeyMaterialAndVersion> trusted_public_keys =
+      ParseKeyList(js_object.FindListKey(kTrustedPublicKeysDictKey));
+
+  SyncTrustedVaultKeys result;
+  for (const KeyMaterialAndVersion& key : encryption_keys) {
+    if (key.version != 0) {
+      result.encryption_keys_.push_back(key.key_material);
+      result.last_encryption_key_version_ = key.version;
+    }
+  }
+
+  for (const KeyMaterialAndVersion& key : trusted_public_keys) {
+    result.trusted_public_keys_.push_back(key.key_material);
+  }
+
+  return result;
+}
+
+const std::vector<std::vector<uint8_t>>& SyncTrustedVaultKeys::encryption_keys()
+    const {
+  return encryption_keys_;
+}
+
+int SyncTrustedVaultKeys::last_encryption_key_version() const {
+  return last_encryption_key_version_;
+}
+
+const std::vector<std::vector<uint8_t>>&
+SyncTrustedVaultKeys::trusted_public_keys() const {
+  return trusted_public_keys_;
+}
+
+}  // namespace chromeos

chromeos/login/auth/sync_trusted_vault_keys.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_LOGIN_AUTH_SYNC_TRUSTED_VAULT_KEYS_H_
+#define CHROMEOS_LOGIN_AUTH_SYNC_TRUSTED_VAULT_KEYS_H_
+
+#include <string>
+#include <vector>
+
+#include "base/component_export.h"
+
+namespace base {
+class DictionaryValue;
+}
+
+namespace chromeos {
+
+// Struct which holds keys about a user's encryption keys during signin flow.
+class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) SyncTrustedVaultKeys {
+ public:
+  SyncTrustedVaultKeys();
+  SyncTrustedVaultKeys(const SyncTrustedVaultKeys&);
+  SyncTrustedVaultKeys(SyncTrustedVaultKeys&&);
+  SyncTrustedVaultKeys& operator=(const SyncTrustedVaultKeys&);
+  SyncTrustedVaultKeys& operator=(SyncTrustedVaultKeys&&);
+  ~SyncTrustedVaultKeys();
+
+  // Initialize an instance of this class with data received from javascript.
+  // The input data must be of type SyncTrustedVaultKeys as defined in
+  // authenticator.js.
+  static SyncTrustedVaultKeys FromJs(const base::DictionaryValue& js_object);
+
+  const std::vector<std::vector<uint8_t>>& encryption_keys() const;
+  int last_encryption_key_version() const;
+  const std::vector<std::vector<uint8_t>>& trusted_public_keys() const;
+
+ private:
+  std::vector<std::vector<uint8_t>> encryption_keys_;
+  int last_encryption_key_version_ = 0;
+  std::vector<std::vector<uint8_t>> trusted_public_keys_;
+};
+
+}  // namespace chromeos
+
+#endif  // CHROMEOS_LOGIN_AUTH_SYNC_TRUSTED_VAULT_KEYS_H_

chromeos/login/auth/sync_trusted_vault_keys_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/login/auth/sync_trusted_vault_keys.h"
+
+#include "base/optional.h"
+#include "base/values.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace chromeos {
+namespace {
+
+using testing::ElementsAre;
+using testing::Eq;
+using testing::IsEmpty;
+using testing::NotNull;
+
+MATCHER(HasEmptyValue, "") {
+  return arg.encryption_keys().empty() &&
+         arg.last_encryption_key_version() == 0 &&
+         arg.trusted_public_keys().empty();
+}
+
+base::DictionaryValue MakeKeyValueWithoutVersion(
+    const std::vector<uint8_t>& key_material) {
+  base::DictionaryValue key_value;
+  key_value.SetKey("keyMaterial", base::Value(key_material));
+  return key_value;
+}
+
+base::DictionaryValue MakeKeyValue(const std::vector<uint8_t>& key_material,
+                                   int version) {
+  base::DictionaryValue key_value = MakeKeyValueWithoutVersion(key_material);
+  key_value.SetIntKey("version", version);
+  return key_value;
+}
+
+}  // namespace
+
+TEST(SyncTrustedVaultKeysTest, DefaultConstructor) {
+  EXPECT_THAT(SyncTrustedVaultKeys(), HasEmptyValue());
+}
+
+TEST(SyncTrustedVaultKeysTest, FromJsWithEmptyDictionary) {
+  EXPECT_THAT(SyncTrustedVaultKeys::FromJs(base::DictionaryValue()),
+              HasEmptyValue());
+}
+
+TEST(SyncTrustedVaultKeysTest, FromJsWithInvalidDictionary) {
+  base::DictionaryValue value;
+  value.SetStringKey("foo", "bar");
+  EXPECT_THAT(SyncTrustedVaultKeys::FromJs(value), HasEmptyValue());
+}
+
+TEST(SyncTrustedVaultKeysTest, FromJsWithEncryptionKeys) {
+  const std::vector<uint8_t> kEncryptionKeyMaterial1 = {1, 2, 3, 4};
+  const std::vector<uint8_t> kEncryptionKeyMaterial2 = {5, 6, 7, 8};
+  const int kEncryptionKeyVersion1 = 17;
+  const int kEncryptionKeyVersion2 = 15;
+
+  std::vector<base::Value> key_values;
+  key_values.push_back(
+      MakeKeyValue(kEncryptionKeyMaterial1, kEncryptionKeyVersion1));
+  key_values.push_back(
+      MakeKeyValue(kEncryptionKeyMaterial2, kEncryptionKeyVersion2));
+
+  base::DictionaryValue root_value;
+  root_value.SetKey("encryptionKeys", base::Value(std::move(key_values)));
+
+  const SyncTrustedVaultKeys actual_converted_keys =
+      SyncTrustedVaultKeys::FromJs(root_value);
+  EXPECT_THAT(actual_converted_keys.last_encryption_key_version(),
+              Eq(kEncryptionKeyVersion2));
+  EXPECT_THAT(actual_converted_keys.encryption_keys(),
+              ElementsAre(kEncryptionKeyMaterial1, kEncryptionKeyMaterial2));
+  EXPECT_THAT(actual_converted_keys.trusted_public_keys(), IsEmpty());
+}
+
+TEST(SyncTrustedVaultKeysTest, FromJsWithEncryptionKeysWithMissingVersion) {
+  const std::vector<uint8_t> kEncryptionKeyMaterial1 = {1, 2, 3, 4};
+  const std::vector<uint8_t> kEncryptionKeyMaterial2 = {5, 6, 7, 8};
+  const int kEncryptionKeyVersion1 = 17;
+
+  std::vector<base::Value> key_values;
+  key_values.push_back(
+      MakeKeyValue(kEncryptionKeyMaterial1, kEncryptionKeyVersion1));
+  key_values.push_back(MakeKeyValueWithoutVersion(kEncryptionKeyMaterial2));
+
+  base::DictionaryValue root_value;
+  root_value.SetKey("encryptionKeys", base::Value(std::move(key_values)));
+
+  const SyncTrustedVaultKeys actual_converted_keys =
+      SyncTrustedVaultKeys::FromJs(root_value);
+  EXPECT_THAT(actual_converted_keys.last_encryption_key_version(),
+              Eq(kEncryptionKeyVersion1));
+  EXPECT_THAT(actual_converted_keys.encryption_keys(),
+              ElementsAre(kEncryptionKeyMaterial1));
+  EXPECT_THAT(actual_converted_keys.trusted_public_keys(), IsEmpty());
+}
+
+TEST(SyncTrustedVaultKeysTest, FromJsWithTrustedPublicKeys) {
+  const std::vector<uint8_t> kPublicKeyMaterial1 = {1, 2, 3, 4};
+  const std::vector<uint8_t> kPublicKeyMaterial2 = {5, 6, 7, 8};
+
+  std::vector<base::Value> key_values;
+  key_values.push_back(MakeKeyValueWithoutVersion(kPublicKeyMaterial1));
+  key_values.push_back(MakeKeyValueWithoutVersion(kPublicKeyMaterial2));
+
+  base::DictionaryValue root_value;
+  root_value.SetKey("trustedPublicKeys", base::Value(std::move(key_values)));
+
+  const SyncTrustedVaultKeys actual_converted_keys =
+      SyncTrustedVaultKeys::FromJs(root_value);
+  EXPECT_THAT(actual_converted_keys.last_encryption_key_version(), Eq(0));
+  EXPECT_THAT(actual_converted_keys.encryption_keys(), IsEmpty());
+  EXPECT_THAT(actual_converted_keys.trusted_public_keys(),
+              ElementsAre(kPublicKeyMaterial1, kPublicKeyMaterial2));
+}
+
+}  // namespace chromeos

chromeos/login/auth/user_context.cc

@@ -148,6 +148,11 @@ UserContext::GetSamlPasswordAttributes() const {
   return saml_password_attributes_;
 }
 
+const base::Optional<SyncTrustedVaultKeys>&
+UserContext::GetSyncTrustedVaultKeys() const {
+  return sync_trusted_vault_keys_;
+}
+
 bool UserContext::IsLockableManagedGuestSession() const {
   return !managed_guest_session_launch_extension_id_.empty();
 }
@@ -240,6 +245,11 @@ void UserContext::SetSamlPasswordAttributes(
   saml_password_attributes_ = saml_password_attributes;
 }
 
+void UserContext::SetSyncTrustedVaultKeys(
+    const SyncTrustedVaultKeys& sync_trusted_vault_keys) {
+  sync_trusted_vault_keys_ = sync_trusted_vault_keys;
+}
+
 void UserContext::SetIsUnderAdvancedProtection(
     bool is_under_advanced_protection) {
   is_under_advanced_protection_ = is_under_advanced_protection;
@@ -265,6 +275,7 @@ void UserContext::ClearSecrets() {
   password_key_.ClearSecret();
   auth_code_.clear();
   refresh_token_.clear();
+  sync_trusted_vault_keys_.reset();
 }
 
 }  // namespace chromeos

chromeos/login/auth/user_context.h

@@ -12,6 +12,7 @@
 #include "chromeos/login/auth/challenge_response_key.h"
 #include "chromeos/login/auth/key.h"
 #include "chromeos/login/auth/saml_password_attributes.h"
+#include "chromeos/login/auth/sync_trusted_vault_keys.h"
 #include "components/account_id/account_id.h"
 #include "components/password_manager/core/browser/password_hash_data.h"
 #include "components/user_manager/user_type.h"
@@ -88,6 +89,7 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) UserContext {
   GetSyncPasswordData() const;
   const base::Optional<SamlPasswordAttributes>& GetSamlPasswordAttributes()
       const;
+  const base::Optional<SyncTrustedVaultKeys>& GetSyncTrustedVaultKeys() const;
   // True if |managed_guest_session_launch_extension_id_| is non-empty.
   bool IsLockableManagedGuestSession() const;
   std::string GetManagedGuestSessionLaunchExtensionId() const;
@@ -131,6 +133,8 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) UserContext {
       const password_manager::PasswordHashData& sync_password_data);
   void SetSamlPasswordAttributes(
       const SamlPasswordAttributes& saml_password_attributes);
+  void SetSyncTrustedVaultKeys(
+      const SyncTrustedVaultKeys& sync_trusted_vault_keys);
   void SetIsUnderAdvancedProtection(bool is_under_advanced_protection);
   // Sets |managed_guest_session_launch_extension_id_| which is used to set the
   // |kLoginExtensionApiLaunchExtensionId| pref when the user's profile is
@@ -175,6 +179,9 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) UserContext {
 
   // Info about the user's SAML password, such as when it will expire.
   base::Optional<SamlPasswordAttributes> saml_password_attributes_;
+
+  // Info about the user's sync encryption keys.
+  base::Optional<SyncTrustedVaultKeys> sync_trusted_vault_keys_;
 };
 
 }  // namespace chromeos