ash: Start/end fingerprint auth session in in-session auth dialog

If fingerprint auth is supported, the in-session auth dialog needs
to explicitly start fingerprint auth session (so that biometrics
daemon can get prepared for the upcoming fingerprint scans), and
explicitly end fingerprint auth session when no more retries are
expected.

Bug: b:156258540, b:144861739
Change-Id: I7534594a696bd42f6f29fdc85fe8548b5cf8caae
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2369336
Commit-Queue: Yicheng Li <yichengli@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#801153}

ash/in_session_auth/auth_dialog_contents_view.h

@@ -42,6 +42,8 @@ class AuthDialogContentsView : public views::View,
   // views::ButtonListener:
   void ButtonPressed(views::Button* sender, const ui::Event& event) override;
 
+  uint32_t auth_methods() const { return auth_methods_; }
+
  private:
   class FingerprintView;
 

ash/in_session_auth/in_session_auth_dialog.cc

@@ -57,11 +57,11 @@ std::unique_ptr<views::Widget> CreateAuthDialogWidget(aura::Window* parent) {
 
 InSessionAuthDialog::InSessionAuthDialog(uint32_t auth_methods) {
   widget_ = CreateAuthDialogWidget(nullptr);
-  auto* contents_view = widget_->SetContentsView(
+  contents_view_ = widget_->SetContentsView(
       std::make_unique<AuthDialogContentsView>(auth_methods));
   gfx::Rect bound = widget_->GetWindowBoundsInScreen();
   // Calculate initial height based on which child views are shown.
-  bound.set_height(contents_view->GetPreferredSize().height());
+  bound.set_height(contents_view_->GetPreferredSize().height());
   widget_->SetBounds(bound);
 
   widget_->Show();
@@ -69,4 +69,9 @@ InSessionAuthDialog::InSessionAuthDialog(uint32_t auth_methods) {
 
 InSessionAuthDialog::~InSessionAuthDialog() = default;
 
+uint32_t InSessionAuthDialog::GetAuthMethods() const {
+  DCHECK(contents_view_);
+  return contents_view_->auth_methods();
+}
+
 }  // namespace ash

ash/in_session_auth/in_session_auth_dialog.h

@@ -15,6 +15,8 @@ class Widget;
 
 namespace ash {
 
+class AuthDialogContentsView;
+
 // InSessionAuthDialog gets instantiated on every request to show
 // an authentication dialog, and gets destroyed when the request is
 // completed.
@@ -29,10 +31,16 @@ class InSessionAuthDialog {
 
   bool is_shown() const { return !!widget_; }
 
+  uint32_t GetAuthMethods() const;
+
  private:
   // The dialog widget. Owned by this class so that we can close the widget
   // when auth completes.
   std::unique_ptr<views::Widget> widget_;
+
+  // Pointer to the contents view. Used to query and update the set of available
+  // auth methods.
+  AuthDialogContentsView* contents_view_ = nullptr;
 };
 
 }  // namespace ash

ash/in_session_auth/in_session_auth_dialog_controller_impl.cc

@@ -38,7 +38,27 @@ void InSessionAuthDialogControllerImpl::ShowAuthenticationDialog(
   // Password should always be available.
   uint32_t auth_methods = AuthDialogContentsView::kAuthPassword;
 
-  if (client_->IsFingerprintAuthAvailable(account_id))
+  if (client_->IsFingerprintAuthAvailable(account_id)) {
+    client_->StartFingerprintAuthSession(
+        account_id,
+        base::BindOnce(
+            &InSessionAuthDialogControllerImpl::OnStartFingerprintAuthSession,
+            weak_factory_.GetWeakPtr(), account_id, auth_methods));
+    // OnStartFingerprintAuthSession checks PIN availability.
+    return;
+  }
+
+  client_->CheckPinAuthAvailability(
+      account_id,
+      base::BindOnce(&InSessionAuthDialogControllerImpl::OnPinCanAuthenticate,
+                     weak_factory_.GetWeakPtr(), auth_methods));
+}
+
+void InSessionAuthDialogControllerImpl::OnStartFingerprintAuthSession(
+    AccountId account_id,
+    uint32_t auth_methods,
+    bool success) {
+  if (success)
     auth_methods |= AuthDialogContentsView::kAuthFingerprint;
 
   client_->CheckPinAuthAvailability(
@@ -57,6 +77,13 @@ void InSessionAuthDialogControllerImpl::OnPinCanAuthenticate(
 }
 
 void InSessionAuthDialogControllerImpl::DestroyAuthenticationDialog() {
+  DCHECK(client_);
+  if (!dialog_)
+    return;
+
+  if (dialog_->GetAuthMethods() & AuthDialogContentsView::kAuthFingerprint)
+    client_->EndFingerprintAuthSession();
+
   dialog_.reset();
 }
 

ash/in_session_auth/in_session_auth_dialog_controller_impl.h

@@ -40,6 +40,9 @@ class InSessionAuthDialogControllerImpl : public InSessionAuthDialogController {
 
  private:
   bool IsFingerprintAvailable(const AccountId& account_id);
+  void OnStartFingerprintAuthSession(AccountId account_id,
+                                     uint32_t auth_methods,
+                                     bool success);
   void OnPinCanAuthenticate(uint32_t auth_methods, bool pin_auth_available);
 
   // Callback to execute when auth on ChromeOS side completes.

ash/in_session_auth/mock_in_session_auth_dialog_client.h

@@ -32,6 +32,14 @@ class MockInSessionAuthDialogClient : public InSessionAuthDialogClient {
               (const AccountId& account_id),
               (override));
 
+  MOCK_METHOD(void,
+              StartFingerprintAuthSession,
+              (const AccountId& account_id,
+               base::OnceCallback<void(bool)> callback),
+              (override));
+
+  MOCK_METHOD(void, EndFingerprintAuthSession, (), (override));
+
   MOCK_METHOD(void,
               CheckPinAuthAvailability,
               (const AccountId& account_id,

ash/public/cpp/in_session_auth_dialog_client.h

@@ -29,6 +29,14 @@ class ASH_PUBLIC_EXPORT InSessionAuthDialogClient {
   // Check whether fingerprint auth is available for |account_id|.
   virtual bool IsFingerprintAuthAvailable(const AccountId& account_id) = 0;
 
+  // Switch biometrics daemon to auth mode.
+  virtual void StartFingerprintAuthSession(
+      const AccountId& account_id,
+      base::OnceCallback<void(bool)> callback) = 0;
+
+  // Switch biometrics daemon to normal mode. Used when closing the dialog.
+  virtual void EndFingerprintAuthSession() = 0;
+
   // Check whether PIN auth is available for |account_id|.
   virtual void CheckPinAuthAvailability(
       const AccountId& account_id,

chrome/browser/ui/ash/in_session_auth_dialog_client.cc

@@ -60,6 +60,26 @@ bool InSessionAuthDialogClient::IsFingerprintAuthAvailable(
          quick_unlock_storage->fingerprint_storage()->IsFingerprintAvailable();
 }
 
+ExtendedAuthenticator* InSessionAuthDialogClient::GetExtendedAuthenticator() {
+  // Lazily allocate |extended_authenticator_| so that tests can inject a fake.
+  if (!extended_authenticator_)
+    extended_authenticator_ = ExtendedAuthenticator::Create(this);
+
+  return extended_authenticator_.get();
+}
+
+void InSessionAuthDialogClient::StartFingerprintAuthSession(
+    const AccountId& account_id,
+    base::OnceCallback<void(bool)> callback) {
+  GetExtendedAuthenticator()->StartFingerprintAuthSession(account_id,
+                                                          std::move(callback));
+}
+
+void InSessionAuthDialogClient::EndFingerprintAuthSession() {
+  DCHECK(extended_authenticator_);
+  extended_authenticator_->EndFingerprintAuthSession();
+}
+
 void InSessionAuthDialogClient::CheckPinAuthAvailability(
     const AccountId& account_id,
     base::OnceCallback<void(bool)> callback) {
@@ -90,10 +110,6 @@ void InSessionAuthDialogClient::AuthenticateUserWithPasswordOrPin(
                << user_context.GetUserType();
   }
 
-  // Lazily allocate |extended_authenticator_| so that tests can inject a fake.
-  if (!extended_authenticator_)
-    extended_authenticator_ = ExtendedAuthenticator::Create(this);
-
   DCHECK(!pending_auth_state_);
   pending_auth_state_.emplace(std::move(callback));
 
@@ -139,7 +155,7 @@ void InSessionAuthDialogClient::AuthenticateWithPassword(
       FROM_HERE,
       base::BindOnce(
           &ExtendedAuthenticator::AuthenticateToCheck,
-          extended_authenticator_.get(), user_context,
+          GetExtendedAuthenticator(), user_context,
           base::Bind(&InSessionAuthDialogClient::OnPasswordAuthSuccess,
                      weak_factory_.GetWeakPtr(), user_context)));
 }

chrome/browser/ui/ash/in_session_auth_dialog_client.h

@@ -37,6 +37,10 @@ class InSessionAuthDialogClient : public ash::InSessionAuthDialogClient,
       bool authenticated_by_pin,
       AuthenticateCallback callback) override;
   bool IsFingerprintAuthAvailable(const AccountId& account_id) override;
+  void StartFingerprintAuthSession(
+      const AccountId& account_id,
+      base::OnceCallback<void(bool)> callback) override;
+  void EndFingerprintAuthSession() override;
   void CheckPinAuthAvailability(
       const AccountId& account_id,
       base::OnceCallback<void(bool)> callback) override;
@@ -61,6 +65,10 @@ class InSessionAuthDialogClient : public ash::InSessionAuthDialogClient,
     base::OnceCallback<void(bool)> callback;
   };
 
+  // Returns a pointer to the ExtendedAuthenticator instance if there is one.
+  // Otherwise creates one.
+  chromeos::ExtendedAuthenticator* GetExtendedAuthenticator();
+
   void AuthenticateWithPassword(const chromeos::UserContext& user_context);
 
   void OnPinAttemptDone(const chromeos::UserContext& user_context,