[Chrome OS] Extend authenticator APIs with sync trusted vault keys

This patch allows the signin web page in the webview to post a message (method 'syncTrustedVaultKeys') that allows propagating the sync trusted vault encryption keys to the login-related code in the browser (GaiaScreenHandler), as part of the user authentication procedure. Messages are ignored if the client is not actually interested in these keys, which is controlled via feature toggle (disabled by default). A URL parameter is used to let the server know whether this API is enabled. The actual logic to implement this API is not included in this patch and instead a TODO is added for follow-up patches. Change-Id: I388f163e945551b1689f4d1ced3486a40511d22b Bug: 1081651 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2589854 Commit-Queue: Mikel Astiz <mastiz@chromium.org> Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Cr-Commit-Position: refs/heads/master@{#838203}

[Chrome OS] Extend authenticator APIs with sync trusted vault keys
This patch allows the signin web page in the webview to post a message (method 'syncTrustedVaultKeys') that allows propagating the sync trusted vault encryption keys to the login-related code in the browser (GaiaScreenHandler), as part of the user authentication procedure. Messages are ignored if the client is not actually interested in these keys, which is controlled via feature toggle (disabled by default). A URL parameter is used to let the server know whether this API is enabled. The actual logic to implement this API is not included in this patch and instead a TODO is added for follow-up patches. Change-Id: I388f163e945551b1689f4d1ced3486a40511d22b Bug: 1081651 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2589854 Commit-Queue: Mikel Astiz <mastiz@chromium.org> Reviewed-by: Roman Sorokin [CET] <rsorokin@chromium.org> Cr-Commit-Position: refs/heads/master@{#838203}
9a0531e6 · Mikel Astiz · Chromium LUCI CQ · f134853f · 9a0531e6 · 9a0531e6
Commit 9a0531e6 authored Dec 17, 2020 by Mikel Astiz Committed by Chromium LUCI CQ Dec 17, 2020
4 changed files
--- a/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
+++ b/chrome/browser/resources/chromeos/login/screen_gaia_signin.js
@@ -1068,7 +1068,7 @@ Polymer({
      chrome.send('completeAuthentication', [
        credentials.gaiaId, credentials.email, credentials.password,
        credentials.usingSAML, credentials.services,
-        credentials.passwordAttributes
+        credentials.passwordAttributes, credentials.syncTrustedVaultKeys || {}
      ]);
    }


--- a/chrome/browser/resources/gaia_auth_host/authenticator.js
+++ b/chrome/browser/resources/gaia_auth_host/authenticator.js
@@ -28,6 +28,25 @@
 cr.define('cr.login', function() {
  /* #ignore */ 'use strict';

+  /**
+   * Individual sync trusted vault key.
+   * @typedef {{
+   *   keyMaterial: ArrayBuffer,
+   *   version: number,
+   * }}
+   */
+  /* #export */ let SyncTrustedVaultKey;
+
+  /**
+   * Sync trusted vault encryption keys optionally passed with 'authCompleted'
+   * message.
+   * @typedef {{
+   *   encryptionKeys: Array<SyncTrustedVaultKey>,
+   *   trustedPublicKeys: Array<SyncTrustedVaultKey>
+   * }}
+   */
+  /* #export */ let SyncTrustedVaultKeys;
+
  /**
   * Credentials passed with 'authCompleted' message.
   * @typedef {{
@@ -41,7 +60,8 @@ cr.define('cr.login', function() {
   *   sessionIndex: string,
   *   trusted: boolean,
   *   services: Array,
-   *   passwordAttributes: !PasswordAttributes
+   *   passwordAttributes: !PasswordAttributes,
+   *   syncTrustedVaultKeys: !SyncTrustedVaultKeys
   * }}
   */
  /* #export */ let AuthCompletedCredentials;
@@ -67,6 +87,7 @@ cr.define('cr.login', function() {
   *   flow: string,
   *   ignoreCrOSIdpSetting: boolean,
   *   enableGaiaActionButtons: boolean,
+   *   enableSyncTrustedVaultKeys: boolean,
   *   enterpriseEnrollmentDomain: string,
   *   samlAclUrl: string,
   *   isSupervisedUser: boolean,
@@ -126,7 +147,11 @@ cr.define('cr.login', function() {
                     // If this set to |false|, |confirmPasswordCallback| is
                     // not called before dispatching |authCopleted|.
                     // Default is |true|.
-    'flow',          // One of 'default', 'enterprise', or 'theftprotection'.
+    'enableSyncTrustedVaultKeys',  // Whether the host is interested in getting
+                                   // sync trusted vault keys.
+                                   // Default is |false|.
+    'flow',                        // One of 'default', 'enterprise', or
+                                   // 'theftprotection'.
    'enterpriseDisplayDomain',     // Current domain name to be displayed.
    'enterpriseDomainManager',     // Manager of the current domain. Can be
                                   // either a domain name (foo.com) or an email
@@ -280,6 +305,12 @@ cr.define('cr.login', function() {
    },
    'exit'(msg) {
      this.dispatchEvent(new CustomEvent('exit'));
+    },
+    'syncTrustedVaultKeys'(msg) {
+      if (!this.enableSyncTrustedVaultKeys_) {
+        return;
+      }
+      this.syncTrustedVaultKeys_ = msg.value;
    }
  };

@@ -356,6 +387,7 @@ cr.define('cr.login', function() {
       */
      this.getIsSamlUserPasswordlessCallback = null;
      this.needPassword = true;
+      this.enableSyncTrustedVaultKeys_ = false;
      this.services_ = null;
      /**
       * Caches the result of |getIsSamlUserPasswordlessCallback| invocation for
@@ -367,6 +399,8 @@ cr.define('cr.login', function() {
      /** @private {boolean} */
      this.isConstrainedWindow_ = false;
      this.samlAclUrl_ = null;
+      /** @private {?SyncTrustedVaultKeys} */
+      this.syncTrustedVaultKeys_ = null;

      window.addEventListener(
          'message', this.onMessageFromWebview_.bind(this), false);
@@ -405,6 +439,7 @@ cr.define('cr.login', function() {
      this.videoEnabled = false;
      this.services_ = null;
      this.isSamlUserPasswordless_ = null;
+      this.syncTrustedVaultKeys_ = null;
    }

    /**
@@ -569,6 +604,7 @@ cr.define('cr.login', function() {
      this.clientId_ = data.clientId;
      this.dontResizeNonEmbeddedPages = data.dontResizeNonEmbeddedPages;
      this.enableGaiaActionButtons_ = data.enableGaiaActionButtons;
+      this.enableSyncTrustedVaultKeys_ = !!data.enableSyncTrustedVaultKeys;

      this.initialFrameUrl_ = this.constructInitialFrameUrl_(data);
      this.reloadUrl_ = data.frameUrl || this.initialFrameUrl_;
@@ -717,6 +753,9 @@ cr.define('cr.login', function() {
      if (data.isDeviceOwner) {
        url = appendParam(url, 'is_device_owner', '1');
      }
+      if (data.enableSyncTrustedVaultKeys) {
+        url = appendParam(url, 'szkr', '1');
+      }

      return url;
    }
@@ -1141,7 +1180,8 @@ cr.define('cr.login', function() {
              sessionIndex: this.sessionIndex_ || '',
              trusted: this.trusted_,
              services: this.services_ || [],
-              passwordAttributes: passwordAttributes
+              passwordAttributes: passwordAttributes,
+              syncTrustedVaultKeys: this.syncTrustedVaultKeys_ || {}
            }
          }));
      this.resetStates();

--- a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.cc
@@ -80,6 +80,7 @@
 #include "components/policy/proto/chrome_device_policy.pb.h"
 #include "components/prefs/pref_service.h"
 #include "components/strings/grit/components_strings.h"
+#include "components/sync/driver/sync_driver_switches.h"
 #include "components/user_manager/known_user.h"
 #include "components/user_manager/user_manager.h"
 #include "components/version_info/version_info.h"
@@ -107,6 +108,11 @@ const char kAuthIframeParentName[] = "signin-frame";

 const char kEndpointGen[] = "1.0";

+bool IsSyncTrustedVaultKeysEnabled() {
+  return base::FeatureList::IsEnabled(
+      ::switches::kSyncSupportTrustedVaultPassphraseRecovery);
+}
+
 // Must be kept consistent with ChromeOSSamlApiUsed in enums.xml
 // These values are persisted to logs. Entries should not be renumbered and
 // numeric values should never be reused
@@ -469,6 +475,8 @@ void GaiaScreenHandler::LoadGaiaWithPartitionAndVersionAndConsent(
  params.SetBoolean("extractSamlPasswordAttributes",
                    login::ExtractSamlPasswordAttributesEnabled());
  params.SetBoolean("enableGaiaActionButtons", true);
+  params.SetBoolean("enableSyncTrustedVaultKeys",
+                    IsSyncTrustedVaultKeysEnabled());

  if (public_saml_url_fetcher_) {
    params.SetBoolean("startsOnSamlPage", true);
@@ -727,7 +735,8 @@ void GaiaScreenHandler::HandleCompleteAuthentication(
    const std::string& password,
    bool using_saml,
    const ::login::StringList& services,
-    const base::DictionaryValue* password_attributes) {
+    const base::DictionaryValue* password_attributes,
+    const base::DictionaryValue* sync_trusted_vault_keys) {
  if (!LoginDisplayHost::default_host())
    return;

@@ -757,6 +766,8 @@ void GaiaScreenHandler::HandleCompleteAuthentication(
      base::BindOnce(&LoginDisplayHost::CompleteLogin,
                     base::Unretained(LoginDisplayHost::default_host())));

+  // TODO(crbug.com/1081651): Propagate |sync_trusted_vault_keys| into
+  // UserContext.
  pending_user_context_ = std::make_unique<UserContext>();
  std::string error_message;
  if (!login::BuildUserContextForGaiaSignIn(

--- a/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
+++ b/chrome/browser/ui/webui/chromeos/login/gaia_screen_handler.h
@@ -194,7 +194,8 @@ class GaiaScreenHandler : public BaseScreenHandler,
      const std::string& password,
      bool using_saml,
      const ::login::StringList& services,
-      const base::DictionaryValue* password_attributes);
+      const base::DictionaryValue* password_attributes,
+      const base::DictionaryValue* sync_trusted_vault_keys);
  void HandleCompleteLogin(const std::string& gaia_id,
                           const std::string& typed_email,
                           const std::string& password,