chromeos: Enable fingerprint auth sessions for ExtendedAuthenticator

Cryptohome already supports starting/ending fingerprint auth session
(i.e. preparing biometrics daemon for upcoming fingerprint scan / back
to normal mode).

This change enables ExtendedAuthenticator to start fingerprint auth
session so that ExtendedAuthenticator can be used to do fingerprint
auth.

The reason why fingerprint auth needs starting/ending auth session is
because it is expensive to switch mode of the fingerprint MCU. The
client should only end fingerprint auth session when no more fingerprint
retries are expected.

The reason why we are doing this by calling cryptohome, instead of
calling biometrics daemon, is that we want cryptohome to control all
authentication mechanisms, and there's a generalized "auth session"
project in cryptohome.

Bug: b:156258540, b:144861739
Change-Id: I767b2aff9791c838674d8ace8ab8d4494f69e603
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2364894
Commit-Queue: Yicheng Li <yichengli@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#800758}

chromeos/dbus/cryptohome/cryptohome_client.cc

@@ -945,6 +945,38 @@ class CryptohomeClientImpl : public CryptohomeClient {
                        weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
   }
 
+  void StartFingerprintAuthSession(
+      const cryptohome::AccountIdentifier& id,
+      const cryptohome::StartFingerprintAuthSessionRequest& request,
+      DBusMethodCallback<cryptohome::BaseReply> callback) override {
+    dbus::MethodCall method_call(
+        cryptohome::kCryptohomeInterface,
+        cryptohome::kCryptohomeStartFingerprintAuthSession);
+    dbus::MessageWriter writer(&method_call);
+    writer.AppendProtoAsArrayOfBytes(id);
+    writer.AppendProtoAsArrayOfBytes(request);
+
+    proxy_->CallMethod(
+        &method_call, kTpmDBusTimeoutMs,
+        base::BindOnce(&CryptohomeClientImpl::OnBaseReplyMethod,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+  }
+
+  void EndFingerprintAuthSession(
+      const cryptohome::EndFingerprintAuthSessionRequest& request,
+      DBusMethodCallback<cryptohome::BaseReply> callback) override {
+    dbus::MethodCall method_call(
+        cryptohome::kCryptohomeInterface,
+        cryptohome::kCryptohomeEndFingerprintAuthSession);
+    dbus::MessageWriter writer(&method_call);
+    writer.AppendProtoAsArrayOfBytes(request);
+
+    proxy_->CallMethod(
+        &method_call, kTpmDBusTimeoutMs,
+        base::BindOnce(&CryptohomeClientImpl::OnBaseReplyMethod,
+                       weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
+  }
+
   void GetBootAttribute(
       const cryptohome::GetBootAttributeRequest& request,
       DBusMethodCallback<cryptohome::BaseReply> callback) override {

chromeos/dbus/cryptohome/cryptohome_client.h

@@ -25,6 +25,7 @@ class AuthorizationRequest;
 class BaseReply;
 class CheckHealthRequest;
 class CheckKeyRequest;
+class EndFingerprintAuthSessionRequest;
 class FlushAndSignBootAttributesRequest;
 class GetBootAttributeRequest;
 class GetKeyDataRequest;
@@ -40,6 +41,7 @@ class RemoveFirmwareManagementParametersRequest;
 class RemoveKeyRequest;
 class SetBootAttributeRequest;
 class SetFirmwareManagementParametersRequest;
+class StartFingerprintAuthSessionRequest;
 class UnmountRequest;
 class UpdateKeyRequest;
 
@@ -595,6 +597,23 @@ class COMPONENT_EXPORT(CRYPTOHOME_CLIENT) CryptohomeClient {
       const cryptohome::MassRemoveKeysRequest& request,
       DBusMethodCallback<cryptohome::BaseReply> callback) = 0;
 
+  // Asynchronously calls StartFingerprintAuthSession method. |callback| is
+  // called after method call, and with reply protobuf.
+  // StartFingerprintAuthSession prepares biometrics daemon for upcoming
+  // fingerprint authentication.
+  virtual void StartFingerprintAuthSession(
+      const cryptohome::AccountIdentifier& id,
+      const cryptohome::StartFingerprintAuthSessionRequest& request,
+      DBusMethodCallback<cryptohome::BaseReply> callback) = 0;
+
+  // Asynchronously calls EndFingerprintAuthSession method. |callback| is
+  // called after method call, and with reply protobuf.
+  // EndFingerprintAuthSession sets biometrics daemon back to normal mode.
+  // If there is a reply, it is always an empty reply with no errors.
+  virtual void EndFingerprintAuthSession(
+      const cryptohome::EndFingerprintAuthSessionRequest& request,
+      DBusMethodCallback<cryptohome::BaseReply> callback) = 0;
+
   // Asynchronously calls GetBootAttribute method. |callback| is called after
   // method call, and with reply protobuf.
   // GetBootAttribute gets the value of the specified boot attribute.

chromeos/dbus/cryptohome/fake_cryptohome_client.cc

@@ -790,6 +790,19 @@ void FakeCryptohomeClient::CheckHealth(
   ReturnProtobufMethodCallback(reply, std::move(callback));
 }
 
+void FakeCryptohomeClient::StartFingerprintAuthSession(
+    const cryptohome::AccountIdentifier& id,
+    const cryptohome::StartFingerprintAuthSessionRequest& request,
+    DBusMethodCallback<cryptohome::BaseReply> callback) {
+  ReturnProtobufMethodCallback(cryptohome::BaseReply(), std::move(callback));
+}
+
+void FakeCryptohomeClient::EndFingerprintAuthSession(
+    const cryptohome::EndFingerprintAuthSessionRequest& request,
+    DBusMethodCallback<cryptohome::BaseReply> callback) {
+  ReturnProtobufMethodCallback(cryptohome::BaseReply(), std::move(callback));
+}
+
 void FakeCryptohomeClient::SetServiceIsAvailable(bool is_available) {
   service_is_available_ = is_available;
   if (!is_available)

chromeos/dbus/cryptohome/fake_cryptohome_client.h

@@ -251,6 +251,13 @@ class COMPONENT_EXPORT(CRYPTOHOME_CLIENT) FakeCryptohomeClient
                              DBusMethodCallback<int64_t> callback) override;
   void CheckHealth(const cryptohome::CheckHealthRequest& request,
                    DBusMethodCallback<cryptohome::BaseReply> callback) override;
+  void StartFingerprintAuthSession(
+      const cryptohome::AccountIdentifier& id,
+      const cryptohome::StartFingerprintAuthSessionRequest& request,
+      DBusMethodCallback<cryptohome::BaseReply> callback) override;
+  void EndFingerprintAuthSession(
+      const cryptohome::EndFingerprintAuthSessionRequest& request,
+      DBusMethodCallback<cryptohome::BaseReply> callback) override;
 
   /////////// Test helpers ////////////
 

chromeos/login/auth/extended_authenticator.h

@@ -68,6 +68,18 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) ExtendedAuthenticator
   virtual void AuthenticateToCheck(const UserContext& context,
                                    base::OnceClosure success_callback) = 0;
 
+  // Attempts to start fingerprint auth session (prepare biometrics daemon for
+  // upcoming fingerprint scan) for the user with |account_id|. |callback| will
+  // be invoked with whether the fingerprint auth session is successfully
+  // started.
+  virtual void StartFingerprintAuthSession(
+      const AccountId& account_id,
+      base::OnceCallback<void(bool)> callback) = 0;
+
+  // Attempts to end the current fingerprint auth session. Logs an error if no
+  // response.
+  virtual void EndFingerprintAuthSession() = 0;
+
   // Attempts to add a new |key| for the user identified/authorized by
   // |context|. If a key with the same label already exists, the behavior
   // depends on the |replace_existing| flag. If the flag is set, the old key is

chromeos/login/auth/extended_authenticator_impl.cc

@@ -94,6 +94,34 @@ void ExtendedAuthenticatorImpl::AuthenticateToCheck(
                               this, std::move(success_callback)));
 }
 
+void ExtendedAuthenticatorImpl::StartFingerprintAuthSession(
+    const AccountId& account_id,
+    base::OnceCallback<void(bool)> callback) {
+  CryptohomeClient::Get()->StartFingerprintAuthSession(
+      cryptohome::CreateAccountIdentifierFromAccountId(account_id),
+      cryptohome::StartFingerprintAuthSessionRequest(),
+      base::BindOnce(
+          &ExtendedAuthenticatorImpl::OnStartFingerprintAuthSessionComplete,
+          this, std::move(callback)));
+}
+
+void ExtendedAuthenticatorImpl::OnStartFingerprintAuthSessionComplete(
+    base::OnceCallback<void(bool)> callback,
+    base::Optional<cryptohome::BaseReply> reply) {
+  std::move(callback).Run(reply && !reply->has_error());
+}
+
+void ExtendedAuthenticatorImpl::EndFingerprintAuthSession() {
+  CryptohomeClient::Get()->EndFingerprintAuthSession(
+      cryptohome::EndFingerprintAuthSessionRequest(),
+      base::BindOnce([](base::Optional<cryptohome::BaseReply> reply) {
+        // Only check for existence of the reply, because if there is a reply,
+        // it's always a BaseReply without errors.
+        if (!reply)
+          LOG(ERROR) << "EndFingerprintAuthSession call had no reply.";
+      }));
+}
+
 void ExtendedAuthenticatorImpl::AddKey(const UserContext& context,
                                        const cryptohome::KeyDefinition& key,
                                        bool clobber_if_exists,

chromeos/login/auth/extended_authenticator_impl.h

@@ -37,6 +37,10 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) ExtendedAuthenticatorImpl
                            ResultCallback success_callback) override;
   void AuthenticateToCheck(const UserContext& context,
                            base::OnceClosure success_callback) override;
+  void StartFingerprintAuthSession(
+      const AccountId& account_id,
+      base::OnceCallback<void(bool)> callback) override;
+  void EndFingerprintAuthSession() override;
   void AddKey(const UserContext& context,
               const cryptohome::KeyDefinition& key,
               bool clobber_if_exists,
@@ -86,6 +90,9 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) ExtendedAuthenticatorImpl
                            base::OnceClosure success_callback,
                            bool success,
                            cryptohome::MountError return_code);
+  void OnStartFingerprintAuthSessionComplete(
+      base::OnceCallback<void(bool)> callback,
+      base::Optional<cryptohome::BaseReply> reply);
 
   bool salt_obtained_;
   std::string system_salt_;

chromeos/login/auth/fake_extended_authenticator.cc

@@ -64,6 +64,14 @@ void FakeExtendedAuthenticator::AuthenticateToCheck(
                 AuthFailure(AuthFailure::UNLOCK_FAILED));
 }
 
+void FakeExtendedAuthenticator::StartFingerprintAuthSession(
+    const AccountId& account_id,
+    base::OnceCallback<void(bool)> callback) {
+  std::move(callback).Run(expected_user_context_.GetAccountId() == account_id);
+}
+
+void FakeExtendedAuthenticator::EndFingerprintAuthSession() {}
+
 void FakeExtendedAuthenticator::AddKey(const UserContext& context,
                                        const cryptohome::KeyDefinition& key,
                                        bool replace_existing,

chromeos/login/auth/fake_extended_authenticator.h

@@ -28,6 +28,10 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) FakeExtendedAuthenticator
                            ResultCallback success_callback) override;
   void AuthenticateToCheck(const UserContext& context,
                            base::OnceClosure success_callback) override;
+  void StartFingerprintAuthSession(
+      const AccountId& account_id,
+      base::OnceCallback<void(bool)> callback) override;
+  void EndFingerprintAuthSession() override;
   void AddKey(const UserContext& context,
               const cryptohome::KeyDefinition& key,
               bool replace_existing,