[CrOS Multidevice] Integrate SecureChannel API into ProximityAuthSystem.

Inject a SecureChannelClient and RemoteDeviceRef (representing the
local device) into ProximityAuthSystem, which are required by
RemoteDeviceLifeCycle in order to establish a secure connection to
a remote device.

R=jhawkins@chromium.org, khorimoto@chromium.org

Bug: 824568, 752273
Change-Id: Iab717e9b9a9d1e992da661406d4d8ddd233c2d6d
Reviewed-on: https://chromium-review.googlesource.com/1109505
Commit-Queue: Ryan Hansberry <hansberry@chromium.org>
Reviewed-by: James Hawkins <jhawkins@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569841}

chrome/browser/chromeos/login/easy_unlock/easy_unlock_service.cc

@@ -670,7 +670,8 @@ EasyUnlockAuthEvent EasyUnlockService::GetPasswordAuthEvent() const {
 
 void EasyUnlockService::SetProximityAuthDevices(
     const AccountId& account_id,
-    const cryptauth::RemoteDeviceRefList& remote_devices) {
+    const cryptauth::RemoteDeviceRefList& remote_devices,
+    base::Optional<cryptauth::RemoteDeviceRef> local_device) {
   UMA_HISTOGRAM_COUNTS_100("SmartLock.EnabledDevicesCount",
                            remote_devices.size());
 
@@ -681,14 +682,16 @@ void EasyUnlockService::SetProximityAuthDevices(
 
   if (!proximity_auth_system_) {
     PA_LOG(INFO) << "Creating ProximityAuthSystem.";
+    // TODO(crbug.com/752273): Inject a real secure_channel_client.
     proximity_auth_system_.reset(new proximity_auth::ProximityAuthSystem(
         GetType() == TYPE_SIGNIN
             ? proximity_auth::ProximityAuthSystem::SIGN_IN
             : proximity_auth::ProximityAuthSystem::SESSION_LOCK,
-        proximity_auth_client()));
+        proximity_auth_client(), nullptr /* secure_channel_client */));
   }
 
-  proximity_auth_system_->SetRemoteDevicesForUser(account_id, remote_devices);
+  proximity_auth_system_->SetRemoteDevicesForUser(account_id, remote_devices,
+                                                  local_device);
   proximity_auth_system_->Start();
 }
 

chrome/browser/chromeos/login/easy_unlock/easy_unlock_service.h

@@ -268,7 +268,8 @@ class EasyUnlockService : public KeyedService {
   // are loaded for |account_id|.
   void SetProximityAuthDevices(
       const AccountId& account_id,
-      const cryptauth::RemoteDeviceRefList& remote_devices);
+      const cryptauth::RemoteDeviceRefList& remote_devices,
+      base::Optional<cryptauth::RemoteDeviceRef> local_device);
 
  private:
   // A class to detect whether a bluetooth adapter is present.

chrome/browser/chromeos/login/easy_unlock/easy_unlock_service_regular.cc

@@ -173,7 +173,8 @@ void EasyUnlockServiceRegular::LoadRemoteDevices() {
     pref_manager_->SetEasyUnlockEnabledStateSet();
     LogSmartLockEnabledState(SmartLockEnabledState::ENABLED);
   } else {
-    SetProximityAuthDevices(GetAccountId(), cryptauth::RemoteDeviceRefList());
+    SetProximityAuthDevices(GetAccountId(), cryptauth::RemoteDeviceRefList(),
+                            base::nullopt /* local_device */);
 
     if (pref_manager_->IsEasyUnlockEnabledStateSet()) {
       LogSmartLockEnabledState(SmartLockEnabledState::DISABLED);
@@ -224,7 +225,11 @@ void EasyUnlockServiceRegular::OnRemoteDevicesLoaded(
 
 void EasyUnlockServiceRegular::UseLoadedRemoteDevices(
     const cryptauth::RemoteDeviceRefList& remote_devices) {
-  SetProximityAuthDevices(GetAccountId(), remote_devices);
+  SetProximityAuthDevices(
+      GetAccountId(), remote_devices,
+      base::FeatureList::IsEnabled(chromeos::features::kMultiDeviceApi)
+          ? device_sync_client_->GetLocalDeviceMetadata()
+          : base::nullopt);
 
   // We need to store a copy of |remote devices_| in the TPM, so it can be
   // retrieved on the sign-in screen when a user session has not been started
@@ -739,7 +744,8 @@ void EasyUnlockServiceRegular::OnTurnOffEasyUnlockSuccess() {
 
   EasyUnlockService::ResetLocalStateForUser(GetAccountId());
   SetRemoteDevices(base::ListValue());
-  SetProximityAuthDevices(GetAccountId(), cryptauth::RemoteDeviceRefList());
+  SetProximityAuthDevices(GetAccountId(), cryptauth::RemoteDeviceRefList(),
+                          base::nullopt /* local_device */);
   pref_manager_->SetIsEasyUnlockEnabled(false);
   SetTurnOffFlowStatus(IDLE);
   ResetScreenlockState();

chrome/browser/chromeos/login/easy_unlock/easy_unlock_service_signin_chromeos.cc

@@ -404,7 +404,8 @@ void EasyUnlockServiceSignin::OnFocusedUserChanged(
   account_id_ = account_id;
   pref_manager_->SetActiveUser(account_id);
   user_pod_last_focused_timestamp_ = base::TimeTicks::Now();
-  SetProximityAuthDevices(account_id_, cryptauth::RemoteDeviceRefList());
+  SetProximityAuthDevices(account_id_, cryptauth::RemoteDeviceRefList(),
+                          base::nullopt /* local_device */);
   ResetScreenlockState();
 
   pref_manager_->SetActiveUser(account_id);
@@ -538,7 +539,9 @@ void EasyUnlockServiceSignin::OnUserDataLoaded(
 
   remote_device_cache_->SetRemoteDevices(remote_devices);
 
-  SetProximityAuthDevices(account_id, remote_device_cache_->GetRemoteDevices());
+  // TODO(crbug.com/752273): Inject a real local device.
+  SetProximityAuthDevices(account_id, remote_device_cache_->GetRemoteDevices(),
+                          base::nullopt /* local_device */);
 }
 
 const EasyUnlockServiceSignin::UserData*

chromeos/components/proximity_auth/fake_remote_device_life_cycle.cc

@@ -7,8 +7,10 @@
 namespace proximity_auth {
 
 FakeRemoteDeviceLifeCycle::FakeRemoteDeviceLifeCycle(
-    cryptauth::RemoteDeviceRef remote_device)
+    cryptauth::RemoteDeviceRef remote_device,
+    base::Optional<cryptauth::RemoteDeviceRef> local_device)
     : remote_device_(remote_device),
+      local_device_(local_device),
       started_(false),
       state_(RemoteDeviceLifeCycle::State::STOPPED) {}
 

chromeos/components/proximity_auth/fake_remote_device_life_cycle.h

@@ -16,7 +16,9 @@ namespace proximity_auth {
 
 class FakeRemoteDeviceLifeCycle : public RemoteDeviceLifeCycle {
  public:
-  explicit FakeRemoteDeviceLifeCycle(cryptauth::RemoteDeviceRef remote_device);
+  explicit FakeRemoteDeviceLifeCycle(
+      cryptauth::RemoteDeviceRef remote_device,
+      base::Optional<cryptauth::RemoteDeviceRef> local_device);
   ~FakeRemoteDeviceLifeCycle() override;
 
   // RemoteDeviceLifeCycle:
@@ -44,10 +46,13 @@ class FakeRemoteDeviceLifeCycle : public RemoteDeviceLifeCycle {
 
   bool started() { return started_; }
 
+  cryptauth::RemoteDeviceRef local_device() { return *local_device_; }
+
   base::ObserverList<Observer>& observers() { return observers_; }
 
  private:
   cryptauth::RemoteDeviceRef remote_device_;
+  base::Optional<cryptauth::RemoteDeviceRef> local_device_;
   base::ObserverList<Observer> observers_;
   bool started_;
   State state_;

chromeos/components/proximity_auth/proximity_auth_system.cc

@@ -6,20 +6,24 @@
 
 #include "base/command_line.h"
 #include "base/threading/thread_task_runner_handle.h"
+#include "chromeos/chromeos_features.h"
 #include "chromeos/components/proximity_auth/logging/logging.h"
 #include "chromeos/components/proximity_auth/proximity_auth_client.h"
 #include "chromeos/components/proximity_auth/proximity_auth_profile_pref_manager.h"
 #include "chromeos/components/proximity_auth/remote_device_life_cycle_impl.h"
 #include "chromeos/components/proximity_auth/switches.h"
 #include "chromeos/components/proximity_auth/unlock_manager_impl.h"
+#include "chromeos/services/secure_channel/public/cpp/client/secure_channel_client.h"
 
 namespace proximity_auth {
 
 ProximityAuthSystem::ProximityAuthSystem(
     ScreenlockType screenlock_type,
-    ProximityAuthClient* proximity_auth_client)
+    ProximityAuthClient* proximity_auth_client,
+    chromeos::secure_channel::SecureChannelClient* secure_channel_client)
     : screenlock_type_(screenlock_type),
       proximity_auth_client_(proximity_auth_client),
+      secure_channel_client_(secure_channel_client),
       pref_manager_(proximity_auth_client->GetPrefManager()),
       unlock_manager_(new UnlockManagerImpl(screenlock_type,
                                             proximity_auth_client_,
@@ -31,10 +35,12 @@ ProximityAuthSystem::ProximityAuthSystem(
 ProximityAuthSystem::ProximityAuthSystem(
     ScreenlockType screenlock_type,
     ProximityAuthClient* proximity_auth_client,
+    chromeos::secure_channel::SecureChannelClient* secure_channel_client,
     std::unique_ptr<UnlockManager> unlock_manager,
     ProximityAuthPrefManager* pref_manager)
     : screenlock_type_(screenlock_type),
       proximity_auth_client_(proximity_auth_client),
+      secure_channel_client_(secure_channel_client),
       pref_manager_(pref_manager),
       unlock_manager_(std::move(unlock_manager)),
       suspended_(false),
@@ -67,8 +73,12 @@ void ProximityAuthSystem::Stop() {
 
 void ProximityAuthSystem::SetRemoteDevicesForUser(
     const AccountId& account_id,
-    const cryptauth::RemoteDeviceRefList& remote_devices) {
+    const cryptauth::RemoteDeviceRefList& remote_devices,
+    base::Optional<cryptauth::RemoteDeviceRef> local_device) {
   remote_devices_map_[account_id] = remote_devices;
+  if (base::FeatureList::IsEnabled(chromeos::features::kMultiDeviceApi))
+    local_device_map_.emplace(account_id, *local_device);
+
   if (started_) {
     const AccountId& focused_account_id =
         ScreenlockBridge::Get()->focused_account_id();
@@ -113,11 +123,10 @@ void ProximityAuthSystem::OnSuspendDone() {
 
 std::unique_ptr<RemoteDeviceLifeCycle>
 ProximityAuthSystem::CreateRemoteDeviceLifeCycle(
-    cryptauth::RemoteDeviceRef remote_device) {
-  // TODO(crbug.com/752273): Inject a real local device and SecureChannelClient.
+    cryptauth::RemoteDeviceRef remote_device,
+    base::Optional<cryptauth::RemoteDeviceRef> local_device) {
   return std::make_unique<RemoteDeviceLifeCycleImpl>(
-      remote_device, base::nullopt /* local_device */,
-      nullptr /* secure_channel_client */);
+      remote_device, local_device, secure_channel_client_);
 }
 
 void ProximityAuthSystem::OnLifeCycleStateChanged(
@@ -158,17 +167,29 @@ void ProximityAuthSystem::OnFocusedUserChanged(const AccountId& account_id) {
   if (remote_devices_map_.find(account_id) == remote_devices_map_.end() ||
       remote_devices_map_[account_id].size() == 0) {
     PA_LOG(INFO) << "User " << account_id.Serialize()
-                 << " does not have a RemoteDevice.";
+                 << " does not have a Smart Lock host device.";
+    return;
+  }
+  if (base::FeatureList::IsEnabled(chromeos::features::kMultiDeviceApi) &&
+      local_device_map_.find(account_id) == local_device_map_.end()) {
+    PA_LOG(INFO) << "User " << account_id.Serialize()
+                 << " does not have a local device.";
     return;
   }
 
   // TODO(tengs): We currently assume each user has only one RemoteDevice, so we
   // can simply take the first item in the list.
   cryptauth::RemoteDeviceRef remote_device = remote_devices_map_[account_id][0];
+
+  base::Optional<cryptauth::RemoteDeviceRef> local_device;
+  if (base::FeatureList::IsEnabled(chromeos::features::kMultiDeviceApi))
+    local_device = local_device_map_.at(account_id);
+
   if (!suspended_) {
     PA_LOG(INFO) << "Creating RemoteDeviceLifeCycle for focused user: "
                  << account_id.Serialize();
-    remote_device_life_cycle_ = CreateRemoteDeviceLifeCycle(remote_device);
+    remote_device_life_cycle_ =
+        CreateRemoteDeviceLifeCycle(remote_device, local_device);
     unlock_manager_->SetRemoteDeviceLifeCycle(remote_device_life_cycle_.get());
     remote_device_life_cycle_->AddObserver(this);
     remote_device_life_cycle_->Start();

chromeos/components/proximity_auth/proximity_auth_system.h

@@ -16,6 +16,12 @@
 #include "components/account_id/account_id.h"
 #include "components/cryptauth/remote_device_ref.h"
 
+namespace chromeos {
+namespace secure_channel {
+class SecureChannelClient;
+}  // namespace secure_channel
+}  // namespace chromeos
+
 namespace proximity_auth {
 
 class ProximityAuthClient;
@@ -33,8 +39,10 @@ class ProximityAuthSystem : public RemoteDeviceLifeCycle::Observer,
  public:
   enum ScreenlockType { SESSION_LOCK, SIGN_IN };
 
-  ProximityAuthSystem(ScreenlockType screenlock_type,
-                      ProximityAuthClient* proximity_auth_client);
+  ProximityAuthSystem(
+      ScreenlockType screenlock_type,
+      ProximityAuthClient* proximity_auth_client,
+      chromeos::secure_channel::SecureChannelClient* secure_channel_client);
   ~ProximityAuthSystem() override;
 
   // Starts the system to connect and authenticate when a registered user is
@@ -45,11 +53,13 @@ class ProximityAuthSystem : public RemoteDeviceLifeCycle::Observer,
   void Stop();
 
   // Registers a list of |remote_devices| for |account_id| that can be used for
-  // sign-in/unlock. If devices were previously registered for the user, then
-  // they will be replaced.
+  // sign-in/unlock. |local_device| represents this device (i.e. this Chrome OS
+  // device) for this particular user profile context. If devices were
+  // previously registered for the user, then they will be replaced.
   void SetRemoteDevicesForUser(
       const AccountId& account_id,
-      const cryptauth::RemoteDeviceRefList& remote_devices);
+      const cryptauth::RemoteDeviceRefList& remote_devices,
+      base::Optional<cryptauth::RemoteDeviceRef> local_device);
 
   // Returns the RemoteDevices registered for |account_id|. Returns an empty
   // list
@@ -69,15 +79,21 @@ class ProximityAuthSystem : public RemoteDeviceLifeCycle::Observer,
  protected:
   // Constructor which allows passing in a custom |unlock_manager_|.
   // Exposed for testing.
-  ProximityAuthSystem(ScreenlockType screenlock_type,
-                      ProximityAuthClient* proximity_auth_client,
-                      std::unique_ptr<UnlockManager> unlock_manager,
-                      ProximityAuthPrefManager* pref_manager);
-
-  // Creates the RemoteDeviceLifeCycle for |remote_device|.
+  ProximityAuthSystem(
+      ScreenlockType screenlock_type,
+      ProximityAuthClient* proximity_auth_client,
+      chromeos::secure_channel::SecureChannelClient* secure_channel_client,
+      std::unique_ptr<UnlockManager> unlock_manager,
+      ProximityAuthPrefManager* pref_manager);
+
+  // Creates the RemoteDeviceLifeCycle for |remote_device| and |local_device|.
+  // |remote_device| is the host intended to be connected to, and |local_device|
+  // represents this device (i.e. this Chrome OS device) for this particular
+  // user profile context.
   // Exposed for testing.
   virtual std::unique_ptr<RemoteDeviceLifeCycle> CreateRemoteDeviceLifeCycle(
-      cryptauth::RemoteDeviceRef remote_device);
+      cryptauth::RemoteDeviceRef remote_device,
+      base::Optional<cryptauth::RemoteDeviceRef> local_device);
 
   // RemoteDeviceLifeCycle::Observer:
   void OnLifeCycleStateChanged(RemoteDeviceLifeCycle::State old_state,
@@ -101,9 +117,17 @@ class ProximityAuthSystem : public RemoteDeviceLifeCycle::Observer,
   // Lists of remote devices, keyed by user account id.
   std::map<AccountId, cryptauth::RemoteDeviceRefList> remote_devices_map_;
 
+  // A mapping from each profile's account ID to the profile-specific
+  // representation of this device (i.e. this Chrome OS device) for that
+  // particular user profile.
+  std::map<AccountId, cryptauth::RemoteDeviceRef> local_device_map_;
+
   // Delegate for Chrome dependent functionality.
   ProximityAuthClient* proximity_auth_client_;
 
+  // Entry point to the SecureChannel API.
+  chromeos::secure_channel::SecureChannelClient* secure_channel_client_;
+
   // Responsible for the life cycle of connecting and authenticating to
   // the RemoteDevice of the currently focused user.
   std::unique_ptr<RemoteDeviceLifeCycle> remote_device_life_cycle_;

chromeos/components/proximity_auth/proximity_auth_system_unittest.cc

@@ -5,8 +5,10 @@
 #include "chromeos/components/proximity_auth/proximity_auth_system.h"
 
 #include "base/command_line.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/test_simple_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
+#include "chromeos/chromeos_features.h"
 #include "chromeos/components/proximity_auth/fake_lock_handler.h"
 #include "chromeos/components/proximity_auth/fake_remote_device_life_cycle.h"
 #include "chromeos/components/proximity_auth/logging/logging.h"
@@ -14,6 +16,7 @@
 #include "chromeos/components/proximity_auth/proximity_auth_profile_pref_manager.h"
 #include "chromeos/components/proximity_auth/switches.h"
 #include "chromeos/components/proximity_auth/unlock_manager.h"
+#include "chromeos/services/secure_channel/public/cpp/client/fake_secure_channel_client.h"
 #include "components/cryptauth/remote_device_ref.h"
 #include "components/cryptauth/remote_device_test_util.h"
 #include "components/cryptauth/software_feature_state.h"
@@ -85,12 +88,15 @@ class MockProximityAuthPrefManager : public ProximityAuthProfilePrefManager {
 // Harness for ProximityAuthSystem to make it testable.
 class TestableProximityAuthSystem : public ProximityAuthSystem {
  public:
-  TestableProximityAuthSystem(ScreenlockType screenlock_type,
-                              ProximityAuthClient* proximity_auth_client,
-                              std::unique_ptr<UnlockManager> unlock_manager,
-                              ProximityAuthPrefManager* pref_manager)
+  TestableProximityAuthSystem(
+      ScreenlockType screenlock_type,
+      ProximityAuthClient* proximity_auth_client,
+      chromeos::secure_channel::SecureChannelClient* secure_channel_client,
+      std::unique_ptr<UnlockManager> unlock_manager,
+      ProximityAuthPrefManager* pref_manager)
       : ProximityAuthSystem(screenlock_type,
                             proximity_auth_client,
+                            secure_channel_client,
                             std::move(unlock_manager),
                             pref_manager),
         life_cycle_(nullptr) {}
@@ -100,9 +106,10 @@ class TestableProximityAuthSystem : public ProximityAuthSystem {
 
  private:
   std::unique_ptr<RemoteDeviceLifeCycle> CreateRemoteDeviceLifeCycle(
-      cryptauth::RemoteDeviceRef remote_device) override {
+      cryptauth::RemoteDeviceRef remote_device,
+      base::Optional<cryptauth::RemoteDeviceRef> local_device) override {
     std::unique_ptr<FakeRemoteDeviceLifeCycle> life_cycle(
-        new FakeRemoteDeviceLifeCycle(remote_device));
+        new FakeRemoteDeviceLifeCycle(remote_device, local_device));
     life_cycle_ = life_cycle.get();
     return std::move(life_cycle);
   }
@@ -118,6 +125,8 @@ class ProximityAuthSystemTest : public testing::Test {
  protected:
   ProximityAuthSystemTest()
       : pref_manager_(new NiceMock<MockProximityAuthPrefManager>()),
+        user1_local_device_(CreateRemoteDevice(kUser1, "user1_local_device")),
+        user2_local_device_(CreateRemoteDevice(kUser2, "user2_local_device")),
         task_runner_(new base::TestSimpleTaskRunner()),
         thread_task_runner_handle_(task_runner_) {}
 
@@ -136,21 +145,30 @@ class ProximityAuthSystemTest : public testing::Test {
 
     InitProximityAuthSystem(ProximityAuthSystem::SESSION_LOCK);
     proximity_auth_system_->SetRemoteDevicesForUser(
-        AccountId::FromUserEmail(kUser1), user1_remote_devices_);
+        AccountId::FromUserEmail(kUser1), user1_remote_devices_,
+        user1_local_device_);
     proximity_auth_system_->Start();
     LockScreen();
   }
 
   void TearDown() override { UnlockScreen(); }
 
+  void SetMultiDeviceApiEnabled() {
+    scoped_feature_list_.InitAndEnableFeature(
+        chromeos::features::kMultiDeviceApi);
+  }
+
   void InitProximityAuthSystem(ProximityAuthSystem::ScreenlockType type) {
     std::unique_ptr<MockUnlockManager> unlock_manager(
         new NiceMock<MockUnlockManager>());
     unlock_manager_ = unlock_manager.get();
 
+    fake_secure_channel_client_ =
+        std::make_unique<chromeos::secure_channel::FakeSecureChannelClient>();
+
     proximity_auth_system_.reset(new TestableProximityAuthSystem(
-        type, &proximity_auth_client_, std::move(unlock_manager),
-        pref_manager_.get()));
+        type, &proximity_auth_client_, fake_secure_channel_client_.get(),
+        std::move(unlock_manager), pref_manager_.get()));
   }
 
   void LockScreen() {
@@ -176,18 +194,24 @@ class ProximityAuthSystemTest : public testing::Test {
 
   FakeLockHandler lock_handler_;
   NiceMock<MockProximityAuthClient> proximity_auth_client_;
+  std::unique_ptr<chromeos::secure_channel::FakeSecureChannelClient>
+      fake_secure_channel_client_;
   std::unique_ptr<TestableProximityAuthSystem> proximity_auth_system_;
   MockUnlockManager* unlock_manager_;
   std::unique_ptr<MockProximityAuthPrefManager> pref_manager_;
 
-  RemoteDeviceRefList user1_remote_devices_;
-  RemoteDeviceRefList user2_remote_devices_;
+  cryptauth::RemoteDeviceRef user1_local_device_;
+  cryptauth::RemoteDeviceRef user2_local_device_;
+
+  cryptauth::RemoteDeviceRefList user1_remote_devices_;
+  cryptauth::RemoteDeviceRefList user2_remote_devices_;
 
   scoped_refptr<base::TestSimpleTaskRunner> task_runner_;
   base::ThreadTaskRunnerHandle thread_task_runner_handle_;
 
  private:
   ScopedDisableLoggingForTesting disable_logging_;
+  base::test::ScopedFeatureList scoped_feature_list_;
 
   DISALLOW_COPY_AND_ASSIGN(ProximityAuthSystemTest);
 };
@@ -197,10 +221,10 @@ TEST_F(ProximityAuthSystemTest, SetRemoteDevicesForUser_NotStarted) {
 
   AccountId account1 = AccountId::FromUserEmail(kUser1);
   AccountId account2 = AccountId::FromUserEmail(kUser2);
-  proximity_auth_system_->SetRemoteDevicesForUser(account1,
-                                                  user1_remote_devices_);
-  proximity_auth_system_->SetRemoteDevicesForUser(account2,
-                                                  user2_remote_devices_);
+  proximity_auth_system_->SetRemoteDevicesForUser(
+      account1, user1_remote_devices_, user1_local_device_);
+  proximity_auth_system_->SetRemoteDevicesForUser(
+      account2, user2_remote_devices_, user1_local_device_);
 
   CompareRemoteDeviceRefLists(
       user1_remote_devices_,
@@ -220,11 +244,11 @@ TEST_F(ProximityAuthSystemTest, SetRemoteDevicesForUser_Started) {
   InitProximityAuthSystem(ProximityAuthSystem::SESSION_LOCK);
   AccountId account1 = AccountId::FromUserEmail(kUser1);
   AccountId account2 = AccountId::FromUserEmail(kUser2);
-  proximity_auth_system_->SetRemoteDevicesForUser(account1,
-                                                  user1_remote_devices_);
+  proximity_auth_system_->SetRemoteDevicesForUser(
+      account1, user1_remote_devices_, user1_local_device_);
   proximity_auth_system_->Start();
-  proximity_auth_system_->SetRemoteDevicesForUser(account2,
-                                                  user2_remote_devices_);
+  proximity_auth_system_->SetRemoteDevicesForUser(
+      account2, user2_remote_devices_, user2_local_device_);
 
   CompareRemoteDeviceRefLists(
       user1_remote_devices_,
@@ -266,13 +290,47 @@ TEST_F(ProximityAuthSystemTest, FocusUnregisteredUser) {
 
 TEST_F(ProximityAuthSystemTest, ToggleFocus_RegisteredUsers) {
   proximity_auth_system_->SetRemoteDevicesForUser(
-      AccountId::FromUserEmail(kUser2), user2_remote_devices_);
+      AccountId::FromUserEmail(kUser2), user2_remote_devices_,
+      user2_local_device_);
+
+  RemoteDeviceLifeCycle* life_cycle1 = nullptr;
+  EXPECT_CALL(*unlock_manager_, SetRemoteDeviceLifeCycle(_))
+      .WillOnce(SaveArg<0>(&life_cycle1));
+  FocusUser(kUser1);
+  EXPECT_EQ(kUser1, life_cycle1->GetRemoteDevice().user_id());
+
+  RemoteDeviceLifeCycle* life_cycle2 = nullptr;
+  {
+    InSequence sequence;
+    EXPECT_CALL(*unlock_manager_, SetRemoteDeviceLifeCycle(nullptr))
+        .Times(AtLeast(1));
+    EXPECT_CALL(*unlock_manager_, SetRemoteDeviceLifeCycle(_))
+        .WillOnce(SaveArg<0>(&life_cycle2));
+  }
+  FocusUser(kUser2);
+  EXPECT_EQ(kUser2, life_cycle2->GetRemoteDevice().user_id());
+
+  EXPECT_CALL(*unlock_manager_, SetRemoteDeviceLifeCycle(nullptr))
+      .Times(AtLeast(1));
+}
+
+TEST_F(ProximityAuthSystemTest,
+       ToggleFocus_RegisteredUsers_MultiDeviceApiEnabled) {
+  SetMultiDeviceApiEnabled();
+
+  proximity_auth_system_->SetRemoteDevicesForUser(
+      AccountId::FromUserEmail(kUser1), user1_remote_devices_,
+      user1_local_device_);
+  proximity_auth_system_->SetRemoteDevicesForUser(
+      AccountId::FromUserEmail(kUser2), user2_remote_devices_,
+      user2_local_device_);
 
   RemoteDeviceLifeCycle* life_cycle1 = nullptr;
   EXPECT_CALL(*unlock_manager_, SetRemoteDeviceLifeCycle(_))
       .WillOnce(SaveArg<0>(&life_cycle1));
   FocusUser(kUser1);
   EXPECT_EQ(kUser1, life_cycle1->GetRemoteDevice().user_id());
+  EXPECT_EQ(user1_local_device_, life_cycle()->local_device());
 
   RemoteDeviceLifeCycle* life_cycle2 = nullptr;
   {
@@ -284,6 +342,7 @@ TEST_F(ProximityAuthSystemTest, ToggleFocus_RegisteredUsers) {
   }
   FocusUser(kUser2);
   EXPECT_EQ(kUser2, life_cycle2->GetRemoteDevice().user_id());
+  EXPECT_EQ(user2_local_device_, life_cycle()->local_device());
 
   EXPECT_CALL(*unlock_manager_, SetRemoteDeviceLifeCycle(nullptr))
       .Times(AtLeast(1));

chromeos/components/proximity_auth/unlock_manager_impl_unittest.cc

@@ -153,7 +153,8 @@ class ProximityAuthUnlockManagerImplTest : public testing::Test {
  public:
   ProximityAuthUnlockManagerImplTest()
       : remote_device_(cryptauth::CreateRemoteDeviceRefForTest()),
-        life_cycle_(remote_device_),
+        local_device_(cryptauth::CreateRemoteDeviceRefForTest()),
+        life_cycle_(remote_device_, local_device_),
         connection_(remote_device_),
         bluetooth_adapter_(CreateAndRegisterMockBluetoothAdapter()),
         task_runner_(new base::TestSimpleTaskRunner()),
@@ -210,6 +211,7 @@ class ProximityAuthUnlockManagerImplTest : public testing::Test {
 
  protected:
   cryptauth::RemoteDeviceRef remote_device_;
+  cryptauth::RemoteDeviceRef local_device_;
   FakeRemoteDeviceLifeCycle life_cycle_;
   cryptauth::FakeConnection connection_;