Chrome OS Login: known_user for SAML API usage

Store in the Local State (as a known_user preference) the boolean flag whether the SAML Credentials Passing API (a.k.a. the principals API) was used during the authentication of this user. Bug: 971795 Test: browser_tests --gtest_filter="SamlTest.*:OobeTest.*" Change-Id: I92a7e2c9c029cb02df8b51e581cb6e0f34e3e6f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1662552 Commit-Queue: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Cr-Commit-Position: refs/heads/master@{#670057}

Chrome OS Login: known_user for SAML API usage
Store in the Local State (as a known_user preference) the boolean flag whether the SAML Credentials Passing API (a.k.a. the principals API) was used during the authentication of this user. Bug: 971795 Test: browser_tests --gtest_filter="SamlTest.*:OobeTest.*" Change-Id: I92a7e2c9c029cb02df8b51e581cb6e0f34e3e6f0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1662552 Commit-Queue: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Cr-Commit-Position: refs/heads/master@{#670057}
8171be71 · Maksim Ivanov · Commit Bot · 79534f5f · 8171be71 · 8171be71
Commit 8171be71 authored Jun 18, 2019 by Maksim Ivanov Committed by Commit Bot Jun 18, 2019
9 changed files
--- a/chrome/browser/chromeos/login/oobe_browsertest.cc
+++ b/chrome/browser/chromeos/login/oobe_browsertest.cc
@@ -20,6 +20,10 @@
 #include "chrome/common/chrome_switches.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chromeos/constants/chromeos_switches.h"
+#include "components/account_id/account_id.h"
+#include "components/user_manager/known_user.h"
+#include "components/user_manager/user.h"
+#include "content/public/browser/notification_details.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/test_utils.h"
 #include "google_apis/gaia/gaia_switches.h"
@@ -85,6 +89,12 @@ IN_PROC_BROWSER_TEST_F(OobeTest, NewUser) {
                                FakeGaiaMixin::kEmptyUserServices);

  session_start_waiter.Wait();
+
+  const AccountId account_id =
+      content::Details<const user_manager::User>(session_start_waiter.details())
+          ->GetAccountId();
+  EXPECT_FALSE(
+      user_manager::known_user::GetIsUsingSAMLPrincipalsAPI(account_id));
 }

 IN_PROC_BROWSER_TEST_F(OobeTest, Accelerator) {

--- a/chrome/browser/chromeos/login/saml/saml_browsertest.cc
+++ b/chrome/browser/chromeos/login/saml/saml_browsertest.cc
@@ -85,6 +85,7 @@
 #include "components/policy/policy_constants.h"
 #include "components/policy/proto/chrome_device_policy.pb.h"
 #include "components/policy/proto/device_management_backend.pb.h"
+#include "components/user_manager/known_user.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "content/public/browser/browser_task_traits.h"
@@ -536,6 +537,10 @@ IN_PROC_BROWSER_TEST_F(SamlTest, CredentialPassingAPI) {
                SystemSaltGetter::ConvertRawSaltToHexString(
                    FakeCryptohomeClient::GetStubSystemSalt()));
  EXPECT_EQ(key.GetSecret(), cryptohome_client_->salted_hashed_secret());
+
+  EXPECT_TRUE(user_manager::known_user::GetIsUsingSAMLPrincipalsAPI(
+      AccountId::FromUserEmailGaiaId(kFirstSAMLUserEmail,
+                                     kFirstSAMLUserGaiaId)));
 }

 // Tests the single password scraped flow.
@@ -568,6 +573,10 @@ IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedSingle) {
  } while (message != "\"fake_password\"");

  session_start_waiter.Wait();
+
+  EXPECT_FALSE(user_manager::known_user::GetIsUsingSAMLPrincipalsAPI(
+      AccountId::FromUserEmailGaiaId(kFirstSAMLUserEmail,
+                                     kFirstSAMLUserGaiaId)));
 }

 // Tests password scraping from a dynamically created password field.
@@ -594,6 +603,10 @@ IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedDynamic) {
      content::NotificationService::AllSources());
  SigninFrameJS().TapOn("Submit");
  session_start_waiter.Wait();
+
+  EXPECT_FALSE(user_manager::known_user::GetIsUsingSAMLPrincipalsAPI(
+      AccountId::FromUserEmailGaiaId(kFirstSAMLUserEmail,
+                                     kFirstSAMLUserGaiaId)));
 }

 // Tests the multiple password scraped flow.
@@ -619,6 +632,10 @@ IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedMultiple) {
      content::NotificationService::AllSources());
  SendConfirmPassword("password1");
  session_start_waiter.Wait();
+
+  EXPECT_FALSE(user_manager::known_user::GetIsUsingSAMLPrincipalsAPI(
+      AccountId::FromUserEmailGaiaId(kFirstSAMLUserEmail,
+                                     kFirstSAMLUserGaiaId)));
 }

 // Tests the no password scraped flow.
@@ -645,6 +662,10 @@ IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedNone) {
      content::NotificationService::AllSources());
  SetManualPasswords("Test1", "Test1");
  session_start_waiter.Wait();
+
+  EXPECT_FALSE(user_manager::known_user::GetIsUsingSAMLPrincipalsAPI(
+      AccountId::FromUserEmailGaiaId(kFirstSAMLUserEmail,
+                                     kFirstSAMLUserGaiaId)));
 }

 // Types |bob@corp.example.com| into the GAIA login form but then authenticates

--- a/chrome/browser/chromeos/login/session/user_session_manager.cc
+++ b/chrome/browser/chromeos/login/session/user_session_manager.cc
@@ -1516,9 +1516,13 @@ void UserSessionManager::FinalizePrepareProfile(Profile* profile) {

  user_manager::UserManager* user_manager = user_manager::UserManager::Get();
  if (user_manager->IsLoggedInAsUserWithGaiaAccount()) {
-    if (user_context_.GetAuthFlow() == UserContext::AUTH_FLOW_GAIA_WITH_SAML)
+    if (user_context_.GetAuthFlow() == UserContext::AUTH_FLOW_GAIA_WITH_SAML) {
      user_manager::known_user::UpdateUsingSAML(user_context_.GetAccountId(),
                                                true);
+      user_manager::known_user::UpdateIsUsingSAMLPrincipalsAPI(
+          user_context_.GetAccountId(),
+          user_context_.IsUsingSamlPrincipalsApi());
+    }
    SAMLOfflineSigninLimiter* saml_offline_signin_limiter =
        SAMLOfflineSigninLimiterFactory::GetForProfile(profile);
    if (saml_offline_signin_limiter)

--- a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
@@ -831,6 +831,8 @@ void GaiaScreenHandler::OnGetCookiesForCompleteAuthentication(
  user_context.SetAuthFlow(using_saml
                               ? UserContext::AUTH_FLOW_GAIA_WITH_SAML
                               : UserContext::AUTH_FLOW_GAIA_WITHOUT_SAML);
+  if (using_saml)
+    user_context.SetIsUsingSamlPrincipalsApi(using_saml_api_);
  user_context.SetGAPSCookie(gaps_cookie);
  if (using_saml && ExtractSamlPasswordAttributesEnabled()) {
    user_context.SetSamlPasswordAttributes(password_attributes);
@@ -983,6 +985,8 @@ void GaiaScreenHandler::DoCompleteLogin(
  user_context.SetAuthFlow(using_saml
                               ? UserContext::AUTH_FLOW_GAIA_WITH_SAML
                               : UserContext::AUTH_FLOW_GAIA_WITHOUT_SAML);
+  if (using_saml)
+    user_context.SetIsUsingSamlPrincipalsApi(using_saml_api_);

  if (using_saml && ExtractSamlPasswordAttributesEnabled()) {
    user_context.SetSamlPasswordAttributes(password_attributes);

--- a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
+++ b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
@@ -334,6 +334,10 @@ class GaiaScreenHandler : public BaseScreenHandler,

  // If the user authenticated via SAML, this indicates whether the principals
  // API was used.
+  // TODO(emaxx): This is also currently set when the user authenticated via
+  // Gaia, since Gaia uses the same API for passing the password to Chrome.
+  // Either fix this behavior, or change the naming and the comments to reflect
+  // it.
  bool using_saml_api_ = false;

  // Test credentials.

--- a/chromeos/login/auth/user_context.cc
+++ b/chromeos/login/auth/user_context.cc
@@ -113,6 +113,10 @@ UserContext::AuthFlow UserContext::GetAuthFlow() const {
  return auth_flow_;
 }

+bool UserContext::IsUsingSamlPrincipalsApi() const {
+  return is_using_saml_principals_api_;
+}
+
 user_manager::UserType UserContext::GetUserType() const {
  return user_type_;
 }
@@ -196,6 +200,11 @@ void UserContext::SetAuthFlow(AuthFlow auth_flow) {
  auth_flow_ = auth_flow;
 }

+void UserContext::SetIsUsingSamlPrincipalsApi(
+    bool is_using_saml_principals_api) {
+  is_using_saml_principals_api_ = is_using_saml_principals_api;
+}
+
 void UserContext::SetPublicSessionLocale(const std::string& locale) {
  public_session_locale_ = locale;
 }

--- a/chromeos/login/auth/user_context.h
+++ b/chromeos/login/auth/user_context.h
@@ -79,6 +79,7 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) UserContext {
  bool IsUsingPin() const;
  bool IsForcingDircrypto() const;
  AuthFlow GetAuthFlow() const;
+  bool IsUsingSamlPrincipalsApi() const;
  user_manager::UserType GetUserType() const;
  const std::string& GetPublicSessionLocale() const;
  const std::string& GetPublicSessionInputMethod() const;
@@ -105,6 +106,7 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) UserContext {
  void SetIsUsingPin(bool is_using_pin);
  void SetIsForcingDircrypto(bool is_forcing_dircrypto);
  void SetAuthFlow(AuthFlow auth_flow);
+  void SetIsUsingSamlPrincipalsApi(bool is_using_saml_principals_api);
  void SetPublicSessionLocale(const std::string& locale);
  void SetPublicSessionInputMethod(const std::string& input_method);
  void SetDeviceId(const std::string& device_id);
@@ -130,6 +132,7 @@ class COMPONENT_EXPORT(CHROMEOS_LOGIN_AUTH) UserContext {
  bool is_using_pin_ = false;
  bool is_forcing_dircrypto_ = false;
  AuthFlow auth_flow_ = AUTH_FLOW_OFFLINE;
+  bool is_using_saml_principals_api_ = false;
  user_manager::UserType user_type_ = user_manager::USER_TYPE_REGULAR;
  std::string public_session_locale_;
  std::string public_session_input_method_;

--- a/components/user_manager/known_user.cc
+++ b/components/user_manager/known_user.cc
@@ -43,6 +43,9 @@ const char kAccountTypeKey[] = "account_type";
 // Key of whether this user ID refers to a SAML user.
 const char kUsingSAMLKey[] = "using_saml";

+// Key of whether this user authenticated via SAML using the principals API.
+const char kIsUsingSAMLPrincipalsAPI[] = "using_saml_principals_api";
+
 // Key of Device Id.
 const char kDeviceId[] = "device_id";

@@ -72,6 +75,7 @@ const char* kReservedKeys[] = {kCanonicalEmail,
                               kObjGuidKey,
                               kAccountTypeKey,
                               kUsingSAMLKey,
+                               kIsUsingSAMLPrincipalsAPI,
                               kDeviceId,
                               kGAPSCookie,
                               kReauthReasonKey,
@@ -519,6 +523,23 @@ bool IsUsingSAML(const AccountId& account_id) {
  return false;
 }

+void USER_MANAGER_EXPORT
+UpdateIsUsingSAMLPrincipalsAPI(const AccountId& account_id,
+                               bool is_using_saml_principals_api) {
+  SetBooleanPref(account_id, kIsUsingSAMLPrincipalsAPI,
+                 is_using_saml_principals_api);
+}
+
+bool USER_MANAGER_EXPORT
+GetIsUsingSAMLPrincipalsAPI(const AccountId& account_id) {
+  bool is_using_saml_principals_api;
+  if (GetBooleanPref(account_id, kIsUsingSAMLPrincipalsAPI,
+                     &is_using_saml_principals_api)) {
+    return is_using_saml_principals_api;
+  }
+  return false;
+}
+
 void SetProfileRequiresPolicy(const AccountId& account_id,
                              ProfileRequiresPolicy required) {
  DCHECK_NE(required, ProfileRequiresPolicy::kUnknown);

--- a/components/user_manager/known_user.h
+++ b/components/user_manager/known_user.h
@@ -152,6 +152,15 @@ void USER_MANAGER_EXPORT UpdateUsingSAML(const AccountId& account_id,
 // returns false.
 bool USER_MANAGER_EXPORT IsUsingSAML(const AccountId& account_id);

+// Setter and getter for the known user preference that stores whether the user
+// authenticated via SAML using the principals API.
+void USER_MANAGER_EXPORT
+UpdateIsUsingSAMLPrincipalsAPI(const AccountId& account_id,
+                               bool is_using_saml_principals_api);
+
+bool USER_MANAGER_EXPORT
+GetIsUsingSAMLPrincipalsAPI(const AccountId& account_id);
+
 // Enum describing whether a user's profile requires policy. If kPolicyRequired,
 // the profile initialization code will ensure that valid policy is loaded
 // before session initialization completes.