authorantrim@chromium.org <antrim@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-06-17 14:36:58 +0000
committerantrim@chromium.org <antrim@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-06-17 14:36:58 +0000
commita96e6fd7c438f27a553e46b94f52019aa4120a30 (patch)
treea3df9b1c05e46ae38405b6094078f21d3a9f2585
parentae4ed0632116839501d86fbf7b389fcd6621bd26 (diff)
Add support for master key upon LMU creation
BUG=243342 R=bauerb@chromium.org, nkostylev@chromium.org TBR=atwilson@chromium.org Review URL: https://chromiumcodereview.appspot.com/17061006 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@206722 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.cc17
-rw-r--r--chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.h1
-rw-r--r--chrome/browser/managed_mode/managed_user_registration_service.cc33
-rw-r--r--chrome/browser/managed_mode/managed_user_registration_service.h19
-rw-r--r--chrome/browser/managed_mode/managed_user_registration_service_unittest.cc12
-rw-r--r--chrome/browser/managed_mode/managed_user_service.cc3
-rw-r--r--sync/protocol/managed_user_specifics.proto2
7 files changed, 68 insertions, 19 deletions
diff --git a/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.cc b/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.cc
index 0b08810..6ce2359 100644
--- a/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.cc
+++ b/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.cc
@@ -8,6 +8,8 @@
#include "base/chromeos/chromeos_version.h"
#include "base/file_util.h"
#include "base/files/file_path.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_util.h"
#include "base/task_runner_util.h"
#include "base/threading/sequenced_worker_pool.h"
#include "base/values.h"
@@ -20,12 +22,14 @@
#include "chromeos/dbus/dbus_thread_manager.h"
#include "chromeos/dbus/session_manager_client.h"
#include "content/public/browser/browser_thread.h"
+#include "crypto/random.h"
#include "google_apis/gaia/google_service_auth_error.h"
namespace chromeos {
namespace {
+const int kMasterKeySize = 32;
const int kUserCreationTimeoutSeconds = 60; // 60 seconds.
bool StoreManagedUserFiles(const std::string& token,
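Review bot: `kMasterKeySize` is added without a comment while the neighbouring `kUserCreationTimeoutSeconds` carries one, and the unit of 32 is not stated even though the value doubles after hex encoding. `const int kMasterKeySize = 32;  // Bytes of raw key material; the stored key is its hex encoding.` makes that explicit for the reader of OnMountSuccess.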
@@ -128,6 +132,15 @@ void LocallyManagedUserCreationController::OnMountSuccess(
const std::string& mount_hash) {
creation_context_->mount_hash = mount_hash;
+ // Generate master password.
+ char master_key_bytes[kMasterKeySize];
+ crypto::RandBytes(&master_key_bytes, sizeof(master_key_bytes));
+ creation_context_->master_key = StringToLowerASCII(base::HexEncode(
+ reinterpret_cast<const void*>(master_key_bytes),
+ sizeof(master_key_bytes)));
+ // TODO(antrim): Add this key as secondary as soon as wad@ adds API in
+ // cryptohome.
+
timeout_timer_.Start(
FROM_HERE, base::TimeDelta::FromSeconds(kUserCreationTimeoutSeconds),
this,
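Review bot: The raw key bytes in `master_key_bytes` stay on the stack after the hex copy is taken into `creation_context_->master_key`; once the encoded string exists, clear the buffer with a clear the compiler cannot elide (a plain `memset` on a dead buffer may be optimized away) so only the intended copy remains. The comment `// Generate master password.` describes a key, not a password; `// Generate the cryptohome master key (stored lower-case hex-encoded).` matches what the code does. Taking the array's address is unnecessary since it decays to a pointer, so `crypto::RandBytes(master_key_bytes, sizeof(master_key_bytes));` reads cleaner. OnMountSuccess begins before this hunk and continues after it.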
@@ -137,8 +150,10 @@ void LocallyManagedUserCreationController::OnMountSuccess(
ManagedUserRegistrationServiceFactory::GetForProfile(
creation_context_->manager_profile);
+ ManagedUserRegistrationInfo info(creation_context_->display_name);
+ info.master_key = creation_context_->master_key;
creation_context_->service->Register(
- creation_context_->display_name,
+ info,
base::Bind(&LocallyManagedUserCreationController::RegistrationCallback,
weak_factory_.GetWeakPtr()));
}
diff --git a/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.h b/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.h
index ecc1b70..cd0fa83 100644
--- a/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.h
+++ b/chrome/browser/chromeos/login/managed/locally_managed_user_creation_controller.h
@@ -82,6 +82,7 @@ class LocallyManagedUserCreationController
std::string user_id;
std::string password;
std::string mount_hash;
+ std::string master_key;
bool token_acquired;
std::string token;
bool token_succesfully_written;
diff --git a/chrome/browser/managed_mode/managed_user_registration_service.cc b/chrome/browser/managed_mode/managed_user_registration_service.cc
index 6094d00..25c5954 100644
--- a/chrome/browser/managed_mode/managed_user_registration_service.cc
+++ b/chrome/browser/managed_mode/managed_user_registration_service.cc
@@ -46,13 +46,17 @@ namespace {
const char kAcknowledged[] = "acknowledged";
const char kName[] = "name";
+const char kMasterKey[] = "masterKey";
SyncData CreateLocalSyncData(const std::string& id,
const std::string& name,
- bool acknowledged) {
+ bool acknowledged,
+ const std::string& master_key) {
::sync_pb::EntitySpecifics specifics;
specifics.mutable_managed_user()->set_id(id);
specifics.mutable_managed_user()->set_name(name);
+ if (!master_key.empty())
+ specifics.mutable_managed_user()->set_master_key(master_key);
if (acknowledged)
specifics.mutable_managed_user()->set_acknowledged(true);
return SyncData::CreateLocalData(id, name, specifics);
@@ -60,6 +64,10 @@ SyncData CreateLocalSyncData(const std::string& id,
} // namespace
+ManagedUserRegistrationInfo::ManagedUserRegistrationInfo(const string16& name)
+ : name(name) {
+}
+
ManagedUserRegistrationService::ManagedUserRegistrationService(
PrefService* prefs,
scoped_ptr<ManagedUserRefreshTokenFetcher> token_fetcher)
@@ -87,7 +95,7 @@ void ManagedUserRegistrationService::RegisterUserPrefs(
}
void ManagedUserRegistrationService::Register(
- const string16& name,
+ const ManagedUserRegistrationInfo& info,
const RegistrationCallback& callback) {
DCHECK(pending_managed_user_id_.empty());
DCHECK(!registration_timer_.IsRunning());
@@ -108,7 +116,8 @@ void ManagedUserRegistrationService::Register(
DictionaryPrefUpdate update(prefs_, prefs::kManagedUsers);
DictionaryValue* dict = update.Get();
DictionaryValue* value = new DictionaryValue;
- value->SetString(kName, name);
+ value->SetString(kName, info.name);
+ value->SetString(kMasterKey, info.master_key);
std::string id_raw = base::RandBytesAsString(8);
bool success = base::Base64Encode(id_raw, &pending_managed_user_id_);
DCHECK(success);
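Review bot: `value->SetString(kMasterKey, info.master_key);` writes the key into the kManagedUsers pref unconditionally, so the RegisterAndInitSync caller in managed_user_service.cc, which never fills `info.master_key`, stores an empty "masterKey" entry, while `CreateLocalSyncData` in this same file only sets the proto field when the string is non-empty; the two should agree, e.g. `if (!info.master_key.empty()) value->SetString(kMasterKey, info.master_key);`. The same unconditional write of `managed_user.master_key()` appears in the MergeDataAndStartSyncing and ProcessSyncChanges hunks below. This line also persists the cryptohome key in plain text in the custodian profile's preferences next to the display name; that looks intended by the commit, but the write site deserves a comment stating that this pref entry holds a secret and who is expected to consume it. Register begins before this hunk and continues after it.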
@@ -121,8 +130,9 @@ void ManagedUserRegistrationService::Register(
change_list.push_back(SyncChange(
FROM_HERE,
SyncChange::ACTION_ADD,
- CreateLocalSyncData(
- pending_managed_user_id_, base::UTF16ToUTF8(name), false)));
+ CreateLocalSyncData(pending_managed_user_id_,
+ base::UTF16ToUTF8(info.name),
+ false, info.master_key)));
SyncError error =
sync_processor_->ProcessSyncChanges(FROM_HERE, change_list);
DCHECK(!error.IsSet()) << error.ToString();
@@ -130,7 +140,7 @@ void ManagedUserRegistrationService::Register(
browser_sync::DeviceInfo::CreateLocalDeviceInfo(
base::Bind(&ManagedUserRegistrationService::FetchToken,
- weak_ptr_factory_.GetWeakPtr(), name));
+ weak_ptr_factory_.GetWeakPtr(), info.name));
}
void ManagedUserRegistrationService::CancelPendingRegistration() {
@@ -172,6 +182,7 @@ SyncMergeResult ManagedUserRegistrationService::MergeDataAndStartSyncing(
value->SetString(kName, managed_user.name());
DCHECK(managed_user.acknowledged());
value->SetBoolean(kAcknowledged, managed_user.acknowledged());
+ value->SetString(kMasterKey, managed_user.master_key());
if (dict->HasKey(managed_user.id()))
num_items_modified++;
else
@@ -191,10 +202,12 @@ SyncMergeResult ManagedUserRegistrationService::MergeDataAndStartSyncing(
dict->GetBoolean(kAcknowledged, &acknowledged);
std::string name;
dict->GetString(kName, &name);
+ std::string master_key;
+ dict->GetString(kMasterKey, &master_key);
DCHECK(!name.empty());
change_list.push_back(
SyncChange(FROM_HERE, SyncChange::ACTION_ADD,
- CreateLocalSyncData(it.key(), name, acknowledged)));
+ CreateLocalSyncData(it.key(), name, acknowledged, master_key)));
}
result.set_error(sync_processor_->ProcessSyncChanges(FROM_HERE, change_list));
@@ -229,9 +242,12 @@ SyncDataList ManagedUserRegistrationService::GetAllSyncData(
DCHECK(success);
std::string name;
dict->GetString(kName, &name);
+ std::string master_key;
+ dict->GetString(kMasterKey, &master_key);
bool acknowledged = false;
dict->GetBoolean(kAcknowledged, &acknowledged);
- data.push_back(CreateLocalSyncData(it.key(), name, acknowledged));
+ data.push_back(
+ CreateLocalSyncData(it.key(), name, acknowledged, master_key));
}
return data;
}
@@ -270,6 +286,7 @@ SyncError ManagedUserRegistrationService::ProcessSyncChanges(
DictionaryValue* value = new DictionaryValue;
value->SetString(kName, managed_user.name());
value->SetBoolean(kAcknowledged, managed_user.acknowledged());
+ value->SetString(kMasterKey, managed_user.master_key());
dict->SetWithoutPathExpansion(managed_user.id(), value);
break;
}
diff --git a/chrome/browser/managed_mode/managed_user_registration_service.h b/chrome/browser/managed_mode/managed_user_registration_service.h
index 00364f6..c2938f4 100644
--- a/chrome/browser/managed_mode/managed_user_registration_service.h
+++ b/chrome/browser/managed_mode/managed_user_registration_service.h
@@ -29,6 +29,13 @@ namespace user_prefs {
class PrefRegistrySyncable;
}
+// Structure to store registration information.
+struct ManagedUserRegistrationInfo {
+ explicit ManagedUserRegistrationInfo(const string16& name);
+ string16 name;
+ std::string master_key;
+};
+
// Holds the state necessary for registering a new managed user with the
// management server and associating it with its custodian. It is owned by the
// custodian's profile.
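Review bot: `// Structure to store registration information.` says nothing about `master_key`, the only member whose meaning is not obvious from its type: it is empty unless the caller sets it, and when set it is written to the kManagedUsers pref and into the synced ManagedUserSpecifics. Document it on the field, e.g. `// Optional. Hex-encoded cryptohome master key; empty when the caller has none. Persisted in prefs and synced.`, so callers outside Chrome OS know they may leave it empty.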
@@ -50,11 +57,13 @@ class ManagedUserRegistrationService : public BrowserContextKeyedService,
static void RegisterUserPrefs(user_prefs::PrefRegistrySyncable* registry);
- // Registers a new managed user with the server. |name| is the display name of
- // the user. |callback| is called with the result of the registration. We use
- // the name here and not the profile, because on Chrome OS the profile of the
- // managed user does not yet exist.
- void Register(const string16& name, const RegistrationCallback& callback);
+ // Registers a new managed user with the server. |info| contains necessary
+ // information like the display name of the the user. |callback| is called
+ // with the result of the registration. We use the info here and not the
+ // profile, because on Chrome OS the profile of the managed user does
+ // not yet exist.
+ void Register(const ManagedUserRegistrationInfo& info,
+ const RegistrationCallback& callback);
// Cancels any registration currently in progress, without calling the
// callback or reporting an error. This should be called when the user
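Review bot: The new comment reads `information like the display name of the the user` — a doubled "the"; `information like the display name of the user` fixes it. It would also help to say here that `info.master_key` may be left empty, since in this change only the Chrome OS creation controller fills it.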
diff --git a/chrome/browser/managed_mode/managed_user_registration_service_unittest.cc b/chrome/browser/managed_mode/managed_user_registration_service_unittest.cc
index ff8b0a8..0edb3085 100644
--- a/chrome/browser/managed_mode/managed_user_registration_service_unittest.cc
+++ b/chrome/browser/managed_mode/managed_user_registration_service_unittest.cc
@@ -339,7 +339,8 @@ TEST_F(ManagedUserRegistrationServiceTest, MergeExisting) {
TEST_F(ManagedUserRegistrationServiceTest, Register) {
StartInitialSync();
- service()->Register(ASCIIToUTF16("Dug"), GetRegistrationCallback());
+ service()->Register(ManagedUserRegistrationInfo(ASCIIToUTF16("Dug")),
+ GetRegistrationCallback());
EXPECT_EQ(1u, prefs()->GetDictionary(prefs::kManagedUsers)->size());
Acknowledge();
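Review bot: None of the updated tests sets `info.master_key`, so the new pref write, the `kMasterKey` round trip through GetAllSyncData and MergeDataAndStartSyncing, and the non-empty branch in `CreateLocalSyncData` have no coverage; the same holds for the other three Register call sites changed in this file. Add at least one case that builds `ManagedUserRegistrationInfo info(ASCIIToUTF16("Dug")); info.master_key = "<constructed hex value>";`, registers with it, and checks that the specifics returned by GetAllSyncData (for MANAGED_USERS) carry that master key, plus one that registers without a key and verifies the field is not set.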
@@ -349,7 +350,8 @@ TEST_F(ManagedUserRegistrationServiceTest, Register) {
}
TEST_F(ManagedUserRegistrationServiceTest, RegisterBeforeInitialSync) {
- service()->Register(ASCIIToUTF16("Nemo"), GetRegistrationCallback());
+ service()->Register(ManagedUserRegistrationInfo(ASCIIToUTF16("Nemo")),
+ GetRegistrationCallback());
EXPECT_EQ(1u, prefs()->GetDictionary(prefs::kManagedUsers)->size());
StartInitialSync();
Acknowledge();
@@ -361,7 +363,8 @@ TEST_F(ManagedUserRegistrationServiceTest, RegisterBeforeInitialSync) {
TEST_F(ManagedUserRegistrationServiceTest, Shutdown) {
StartInitialSync();
- service()->Register(ASCIIToUTF16("Remy"), GetRegistrationCallback());
+ service()->Register(ManagedUserRegistrationInfo(ASCIIToUTF16("Remy")),
+ GetRegistrationCallback());
EXPECT_EQ(1u, prefs()->GetDictionary(prefs::kManagedUsers)->size());
ResetService();
EXPECT_EQ(0u, prefs()->GetDictionary(prefs::kManagedUsers)->size());
@@ -372,7 +375,8 @@ TEST_F(ManagedUserRegistrationServiceTest, Shutdown) {
TEST_F(ManagedUserRegistrationServiceTest, StopSyncing) {
StartInitialSync();
- service()->Register(ASCIIToUTF16("Mike"), GetRegistrationCallback());
+ service()->Register(ManagedUserRegistrationInfo(ASCIIToUTF16("Mike")),
+ GetRegistrationCallback());
EXPECT_EQ(1u, prefs()->GetDictionary(prefs::kManagedUsers)->size());
service()->StopSyncing(MANAGED_USERS);
EXPECT_EQ(0u, prefs()->GetDictionary(prefs::kManagedUsers)->size());
diff --git a/chrome/browser/managed_mode/managed_user_service.cc b/chrome/browser/managed_mode/managed_user_service.cc
index d407d6e..e0fab3d 100644
--- a/chrome/browser/managed_mode/managed_user_service.cc
+++ b/chrome/browser/managed_mode/managed_user_service.cc
@@ -531,8 +531,9 @@ void ManagedUserService::RegisterAndInitSync(
ManagedUserRegistrationServiceFactory::GetForProfile(custodian_profile);
string16 name = UTF8ToUTF16(
profile_->GetPrefs()->GetString(prefs::kProfileName));
+ ManagedUserRegistrationInfo info(name);
registration_service->Register(
- name,
+ info,
base::Bind(&ManagedUserService::OnManagedUserRegistered,
weak_ptr_factory_.GetWeakPtr(), callback, custodian_profile));
}
diff --git a/sync/protocol/managed_user_specifics.proto b/sync/protocol/managed_user_specifics.proto
index c71bb29..2a6f1b3 100644
--- a/sync/protocol/managed_user_specifics.proto
+++ b/sync/protocol/managed_user_specifics.proto
@@ -23,4 +23,6 @@ message ManagedUserSpecifics {
// This flag is set by the server to acknowledge that it has committed a
// newly created managed user.
optional bool acknowledged = 3 [default = false];
+ // Master key for managed user cryptohome.
+ optional string master_key = 4;
}
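Review bot: `// Master key for managed user cryptohome.` does not say what the string contains; the producer in locally_managed_user_creation_controller.cc writes 32 random bytes hex-encoded in lower case, and in this change the field is only set when the user is created on Chrome OS. A comment such as `// Lower-case hex encoding of the managed user's cryptohome master key. Unset when the creating client did not generate one.` gives consumers the format and the optional-ness without reading the client code.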