[signin] Delete Pre-Dice tokens after dice migration

Until this CL, the Dice migration was blocked on the token migration. Now, if there are still pre-dice tokens when the dice migration happens, they are deleted. It has been more than a year since tokens are being migrated. There are still a few token services which were not migrated (most likely because they are corrupted or the encryption key has been lost). Bug: 1006669 Change-Id: Id4bf3e28c8386095ec98cc12cddbacb243f4f77e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1819310Reviewed-by: Monica Basta <msalama@chromium.org> Commit-Queue: David Roger <droger@chromium.org> Cr-Commit-Position: refs/heads/master@{#699256}

[signin] Delete Pre-Dice tokens after dice migration
Until this CL, the Dice migration was blocked on the token migration. Now, if there are still pre-dice tokens when the dice migration happens, they are deleted. It has been more than a year since tokens are being migrated. There are still a few token services which were not migrated (most likely because they are corrupted or the encryption key has been lost). Bug: 1006669 Change-Id: Id4bf3e28c8386095ec98cc12cddbacb243f4f77e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1819310Reviewed-by: Monica Basta <msalama@chromium.org> Commit-Queue: David Roger <droger@chromium.org> Cr-Commit-Position: refs/heads/master@{#699256}
9d8b66a0 · David Roger · Commit Bot · 5fe2e3ac · 9d8b66a0 · 9d8b66a0
Commit 9d8b66a0 authored Sep 24, 2019 by David Roger Committed by Commit Bot Sep 24, 2019
4 changed files
--- a/chrome/browser/signin/account_consistency_mode_manager.cc
+++ b/chrome/browser/signin/account_consistency_mode_manager.cc
@@ -298,12 +298,8 @@ AccountConsistencyModeManager::ComputeAccountConsistencyMethod(
    if (IsDiceMigrationCompleted(profile))
      return AccountConsistencyMethod::kDice;

-    if (!IsReadyForDiceMigration(profile) &&
-        profile->GetPrefs()->GetBoolean(prefs::kTokenServiceDiceCompatible) &&
-        base::FeatureList::IsEnabled(kForceDiceMigration)) {
-      // Force migration to Dice.
+    if (base::FeatureList::IsEnabled(kForceDiceMigration))
      return AccountConsistencyMethod::kDice;
-    }
  }

  return method;

--- a/components/signin/internal/identity_manager/mutable_profile_oauth2_token_service_delegate.cc
+++ b/components/signin/internal/identity_manager/mutable_profile_oauth2_token_service_delegate.cc
@@ -438,6 +438,7 @@ void MutableProfileOAuth2TokenServiceDelegate::LoadCredentials(
    set_load_credentials_state(
        signin::LoadCredentialsState::
            LOAD_CREDENTIALS_FINISHED_WITH_UNKNOWN_ERRORS);
+    MaybeDeletePreDiceTokens();
    FinishLoadingCredentials();
    return;
  }
@@ -476,6 +477,7 @@ void MutableProfileOAuth2TokenServiceDelegate::OnWebDataServiceRequestDone(
    set_load_credentials_state(
        signin::LoadCredentialsState::
            LOAD_CREDENTIALS_FINISHED_WITH_DB_CANNOT_BE_OPENED);
+    MaybeDeletePreDiceTokens();
  }

  // Make sure that we have an entry for |loading_primary_account_id_| in the
@@ -848,6 +850,10 @@ void MutableProfileOAuth2TokenServiceDelegate::AddAccountStatus(
 }

 void MutableProfileOAuth2TokenServiceDelegate::FinishLoadingCredentials() {
+#if !defined(OS_CHROMEOS)
+  if (account_consistency_ == signin::AccountConsistencyMethod::kDice)
+    DCHECK(client_->GetPrefs()->GetBoolean(prefs::kTokenServiceDiceCompatible));
+#endif
  FireRefreshTokensLoaded();
 }

@@ -868,3 +874,18 @@ void MutableProfileOAuth2TokenServiceDelegate::RevokeCredentialsImpl(
    FireRefreshTokenRevoked(account_id);
  }
 }
+
+void MutableProfileOAuth2TokenServiceDelegate::MaybeDeletePreDiceTokens() {
+  DCHECK(load_credentials_state() ==
+             signin::LoadCredentialsState::
+                 LOAD_CREDENTIALS_FINISHED_WITH_UNKNOWN_ERRORS ||
+         load_credentials_state() ==
+             signin::LoadCredentialsState::
+                 LOAD_CREDENTIALS_FINISHED_WITH_DB_CANNOT_BE_OPENED);
+
+  if (account_consistency_ == signin::AccountConsistencyMethod::kDice &&
+      !client_->GetPrefs()->GetBoolean(prefs::kTokenServiceDiceCompatible)) {
+    RevokeAllCredentials();
+    client_->GetPrefs()->SetBoolean(prefs::kTokenServiceDiceCompatible, true);
+  }
+}
--- a/components/signin/internal/identity_manager/mutable_profile_oauth2_token_service_delegate.h
+++ b/components/signin/internal/identity_manager/mutable_profile_oauth2_token_service_delegate.h
@@ -189,6 +189,11 @@ class MutableProfileOAuth2TokenServiceDelegate
  void RevokeCredentialsImpl(const CoreAccountId& account_id,
                             bool revoke_on_server);

+  // If the Dice migration happened before the tokens could be migrated, delete
+  // all the tokens. This is only called if the tokens could not be loaded
+  // successfully.
+  void MaybeDeletePreDiceTokens();
+
  // Maps the |account_id| of accounts known to ProfileOAuth2TokenService
  // to information about the account.
  typedef std::map<CoreAccountId, AccountStatus> AccountStatusMap;

--- a/components/signin/internal/identity_manager/mutable_profile_oauth2_token_service_delegate_unittest.cc
+++ b/components/signin/internal/identity_manager/mutable_profile_oauth2_token_service_delegate_unittest.cc
@@ -708,6 +708,51 @@ TEST_F(MutableProfileOAuth2TokenServiceDelegateTest,
  EXPECT_TRUE(pref_service_.GetBoolean(prefs::kTokenServiceDiceCompatible));
 }

+// Checks that tokens are loaded and prefs::kTokenServiceDiceCompatible is set
+// to true if the tokens are loaded after the Dice migration.
+TEST_F(MutableProfileOAuth2TokenServiceDelegateTest, LoadAfterDiceMigration) {
+  InitializeOAuth2ServiceDelegate(signin::AccountConsistencyMethod::kDice);
+  ASSERT_FALSE(pref_service_.GetBoolean(prefs::kTokenServiceDiceCompatible));
+
+  // Add account info to the account tracker.
+  AccountInfo primary_account = CreateTestAccountInfo(
+      "primary_account", false /* is_hosted_domain*/, true /* is_valid*/);
+  account_tracker_service_.SeedAccountInfo(primary_account);
+  AddAuthTokenManually("AccountId-" + primary_account.account_id.id,
+                       "refresh_token");
+
+  oauth2_service_delegate_->LoadCredentials(std::string());
+  base::RunLoop().RunUntilIdle();
+
+  EXPECT_TRUE(oauth2_service_delegate_->RefreshTokenIsAvailable(
+      primary_account.account_id));
+  EXPECT_EQ(
+      signin::LoadCredentialsState::LOAD_CREDENTIALS_FINISHED_WITH_SUCCESS,
+      oauth2_service_delegate_->load_credentials_state());
+
+  ASSERT_TRUE(pref_service_.GetBoolean(prefs::kTokenServiceDiceCompatible));
+}
+
+// Checks that prefs::kTokenServiceDiceCompatible is set to true if the tokens
+// are loaded after the Dice migration, even if there was a database read error.
+TEST_F(MutableProfileOAuth2TokenServiceDelegateTest,
+       LoadAfterDiceMigrationWithError) {
+  InitializeOAuth2ServiceDelegate(signin::AccountConsistencyMethod::kDice);
+  ASSERT_FALSE(pref_service_.GetBoolean(prefs::kTokenServiceDiceCompatible));
+
+  // Shutdown the database to trigger a database read error.
+  token_web_data_->ShutdownDatabase();
+
+  oauth2_service_delegate_->LoadCredentials(std::string());
+  base::RunLoop().RunUntilIdle();
+
+  EXPECT_EQ(0u, oauth2_service_delegate_->GetAccounts().size());
+  EXPECT_EQ(signin::LoadCredentialsState::
+                LOAD_CREDENTIALS_FINISHED_WITH_DB_CANNOT_BE_OPENED,
+            oauth2_service_delegate_->load_credentials_state());
+
+  ASSERT_TRUE(pref_service_.GetBoolean(prefs::kTokenServiceDiceCompatible));
+}
 #endif  // BUILDFLAG(ENABLE_DICE_SUPPORT)

 #if !defined(OS_CHROMEOS)