Extract LoginPerformer to chromeos/auth

BUG=387613
R=nkostylev@chromium.org

Review URL: https://codereview.chromium.org/614973002

Cr-Commit-Position: refs/heads/master@{#300489}

8 files changed, 570 insertions, 20 deletions

diff --git a/chromeos/login/auth/authenticator.cc b/chromeos/login/auth/authenticator.cc
index fb642fa..bf8d626 100644
--- a/chromeos/login/auth/authenticator.cc
+++ b/chromeos/login/auth/authenticator.cc
@@ -9,7 +9,7 @@ namespace chromeos {
 class AuthStatusConsumer;
 
 Authenticator::Authenticator(AuthStatusConsumer* consumer)
-    : consumer_(consumer), authentication_profile_(NULL) {
+    : consumer_(consumer), authentication_context_(NULL) {
 }
 
 Authenticator::~Authenticator() {
diff --git a/chromeos/login/auth/authenticator.h b/chromeos/login/auth/authenticator.h
index d3fd584..7ae29b0 100644
--- a/chromeos/login/auth/authenticator.h
+++ b/chromeos/login/auth/authenticator.h
@@ -13,7 +13,9 @@
 #include "chromeos/login/auth/auth_status_consumer.h"
 #include "google_apis/gaia/gaia_auth_consumer.h"
 
-class Profile;
+namespace content {
+class BrowserContext;
+}
 
 namespace chromeos {
 
@@ -31,13 +33,13 @@ class CHROMEOS_EXPORT Authenticator
 
   // Given externally authenticated username and password (part of
   // |user_context|), this method attempts to complete authentication process.
-  virtual void CompleteLogin(Profile* profile,
+  virtual void CompleteLogin(content::BrowserContext* browser_context,
                              const UserContext& user_context) = 0;
 
   // Given a user credentials in |user_context|,
   // this method attempts to authenticate to login.
   // Must be called on the UI thread.
-  virtual void AuthenticateToLogin(Profile* profile,
+  virtual void AuthenticateToLogin(content::BrowserContext* browser_context,
                                    const UserContext& user_context) = 0;
 
   // Given a user credentials in |user_context|, this method attempts to
@@ -86,9 +88,11 @@ class CHROMEOS_EXPORT Authenticator
   // and create a new cryptohome.
   virtual void ResyncEncryptedData() = 0;
 
-  // Profile (usually off the record ) that was used to perform the last
+  // BrowserContext (usually off the record) that was used to perform the last
   // authentication process.
-  Profile* authentication_profile() { return authentication_profile_; }
+  content::BrowserContext* authentication_context() {
+    return authentication_context_;
+  }
 
   // Sets consumer explicitly.
   void SetConsumer(AuthStatusConsumer* consumer);
@@ -97,7 +101,7 @@ class CHROMEOS_EXPORT Authenticator
   virtual ~Authenticator();
 
   AuthStatusConsumer* consumer_;
-  Profile* authentication_profile_;
+  content::BrowserContext* authentication_context_;
 
  private:
   friend class base::RefCountedThreadSafe<Authenticator>;
diff --git a/chromeos/login/auth/cryptohome_authenticator.cc b/chromeos/login/auth/cryptohome_authenticator.cc
index 0c3c162..970f6f1d 100644
--- a/chromeos/login/auth/cryptohome_authenticator.cc
+++ b/chromeos/login/auth/cryptohome_authenticator.cc
@@ -384,9 +384,9 @@ CryptohomeAuthenticator::CryptohomeAuthenticator(
 }
 
 void CryptohomeAuthenticator::AuthenticateToLogin(
-    Profile* profile,
+    content::BrowserContext* context,
     const UserContext& user_context) {
-  authentication_profile_ = profile;
+  authentication_context_ = context;
   current_state_.reset(new AuthAttemptState(user_context,
                                             user_manager::USER_TYPE_REGULAR,
                                             false,  // unlock
@@ -401,9 +401,9 @@ void CryptohomeAuthenticator::AuthenticateToLogin(
              false /* create_if_nonexistent */);
 }
 
-void CryptohomeAuthenticator::CompleteLogin(Profile* profile,
+void CryptohomeAuthenticator::CompleteLogin(content::BrowserContext* context,
                                             const UserContext& user_context) {
-  authentication_profile_ = profile;
+  authentication_context_ = context;
   current_state_.reset(new AuthAttemptState(user_context,
                                             user_manager::USER_TYPE_REGULAR,
                                             true,   // unlock
diff --git a/chromeos/login/auth/cryptohome_authenticator.h b/chromeos/login/auth/cryptohome_authenticator.h
index 980dc0f..fac0d06 100644
--- a/chromeos/login/auth/cryptohome_authenticator.h
+++ b/chromeos/login/auth/cryptohome_authenticator.h
@@ -21,7 +21,10 @@
 #include "google_apis/gaia/gaia_auth_consumer.h"
 
 class AuthFailure;
-class Profile;
+
+namespace content {
+class BrowserContext;
+}
 
 namespace chromeos {
 
@@ -93,7 +96,7 @@ class CHROMEOS_EXPORT CryptohomeAuthenticator
                           AuthStatusConsumer* consumer);
 
   // Authenticator overrides.
-  virtual void CompleteLogin(Profile* profile,
+  virtual void CompleteLogin(content::BrowserContext* context,
                              const UserContext& user_context) override;
 
   // Given |user_context|, this method attempts to authenticate to your
@@ -103,8 +106,8 @@ class CHROMEOS_EXPORT CryptohomeAuthenticator
   // Upon failure to login consumer_->OnAuthFailure() is called
   // with an error message.
   //
-  // Uses |profile| when doing URL fetches.
-  virtual void AuthenticateToLogin(Profile* profile,
+  // Uses |context| when doing URL fetches.
+  virtual void AuthenticateToLogin(content::BrowserContext* context,
                                    const UserContext& user_context) override;
 
   // Given |user_context|, this method attempts to authenticate to the cached
diff --git a/chromeos/login/auth/login_performer.cc b/chromeos/login/auth/login_performer.cc
new file mode 100644
index 0000000..823036f
--- /dev/null
+++ b/chromeos/login/auth/login_performer.cc
@@ -0,0 +1,309 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/login/auth/login_performer.h"
+
+#include "base/bind.h"
+#include "base/logging.h"
+#include "base/message_loop/message_loop.h"
+#include "base/metrics/histogram.h"
+#include "base/metrics/user_metrics.h"
+#include "base/metrics/user_metrics_action.h"
+#include "base/prefs/pref_service.h"
+#include "base/strings/utf_string_conversions.h"
+#include "base/threading/thread_restrictions.h"
+#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/session_manager_client.h"
+#include "chromeos/login/user_names.h"
+#include "chromeos/login_event_recorder.h"
+#include "chromeos/settings/cros_settings_names.h"
+#include "google_apis/gaia/gaia_auth_util.h"
+#include "net/cookies/cookie_monster.h"
+#include "net/cookies/cookie_store.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_getter.h"
+
+using base::UserMetricsAction;
+
+namespace chromeos {
+
+LoginPerformer::LoginPerformer(scoped_refptr<base::TaskRunner> task_runner,
+                               Delegate* delegate)
+    : delegate_(delegate),
+      task_runner_(task_runner),
+      online_attempt_host_(this),
+      last_login_failure_(AuthFailure::AuthFailureNone()),
+      password_changed_(false),
+      password_changed_callback_count_(0),
+      auth_mode_(AUTH_MODE_INTERNAL),
+      weak_factory_(this) {
+}
+
+LoginPerformer::~LoginPerformer() {
+  DVLOG(1) << "Deleting LoginPerformer";
+  if (authenticator_.get())
+    authenticator_->SetConsumer(NULL);
+  if (extended_authenticator_.get())
+    extended_authenticator_->SetConsumer(NULL);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// LoginPerformer, AuthStatusConsumer implementation:
+
+void LoginPerformer::OnAuthFailure(const AuthFailure& failure) {
+  DCHECK(task_runner_->RunsTasksOnCurrentThread());
+  base::RecordAction(UserMetricsAction("Login_Failure"));
+
+  UMA_HISTOGRAM_ENUMERATION("Login.FailureReason",
+                            failure.reason(),
+                            AuthFailure::NUM_FAILURE_REASONS);
+
+  DVLOG(1) << "failure.reason " << failure.reason();
+  DVLOG(1) << "failure.error.state " << failure.error().state();
+
+  last_login_failure_ = failure;
+  if (delegate_) {
+    delegate_->OnAuthFailure(failure);
+    return;
+  } else {
+    // COULD_NOT_MOUNT_CRYPTOHOME, COULD_NOT_MOUNT_TMPFS:
+    // happens during offline auth only.
+    NOTREACHED();
+  }
+}
+
+void LoginPerformer::OnRetailModeAuthSuccess(const UserContext& user_context) {
+  DCHECK(task_runner_->RunsTasksOnCurrentThread());
+  base::RecordAction(UserMetricsAction("Login_DemoUserLoginSuccess"));
+  AuthStatusConsumer::OnRetailModeAuthSuccess(user_context);
+}
+
+void LoginPerformer::OnAuthSuccess(const UserContext& user_context) {
+  DCHECK(task_runner_->RunsTasksOnCurrentThread());
+  base::RecordAction(UserMetricsAction("Login_Success"));
+  VLOG(1) << "LoginSuccess hash: " << user_context.GetUserIDHash();
+  DCHECK(delegate_);
+  // After delegate_->OnAuthSuccess(...) is called, delegate_ releases
+  // LoginPerformer ownership. LP now manages it's lifetime on its own.
+  base::MessageLoop::current()->DeleteSoon(FROM_HERE, this);
+  delegate_->OnAuthSuccess(user_context);
+}
+
+void LoginPerformer::OnOffTheRecordAuthSuccess() {
+  DCHECK(task_runner_->RunsTasksOnCurrentThread());
+  base::RecordAction(UserMetricsAction("Login_GuestLoginSuccess"));
+
+  if (delegate_)
+    delegate_->OnOffTheRecordAuthSuccess();
+  else
+    NOTREACHED();
+}
+
+void LoginPerformer::OnPasswordChangeDetected() {
+  password_changed_ = true;
+  password_changed_callback_count_++;
+  if (delegate_) {
+    delegate_->OnPasswordChangeDetected();
+  } else {
+    NOTREACHED();
+  }
+}
+
+void LoginPerformer::OnChecked(const std::string& user_id, bool success) {
+  if (!delegate_) {
+    // Delegate is reset in case of successful offline login.
+    // See ExistingUserConstoller::OnAuthSuccess().
+    // Case when user has changed password and enters old password
+    // does not block user from sign in yet.
+    return;
+  }
+  delegate_->OnOnlineChecked(user_id, success);
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// LoginPerformer, public:
+
+void LoginPerformer::NotifyWhitelistCheckFailure() {
+  if (delegate_)
+    delegate_->WhiteListCheckFailed(user_context_.GetUserID());
+  else
+    NOTREACHED();
+}
+
+void LoginPerformer::PerformLogin(const UserContext& user_context,
+                                  AuthorizationMode auth_mode) {
+  auth_mode_ = auth_mode;
+  user_context_ = user_context;
+
+  if (RunTrustedCheck(base::Bind(&LoginPerformer::DoPerformLogin,
+                                 weak_factory_.GetWeakPtr(),
+                                 user_context_,
+                                 auth_mode))) {
+    return;
+  }
+  DoPerformLogin(user_context, auth_mode);
+}
+
+void LoginPerformer::DoPerformLogin(const UserContext& user_context,
+                                    AuthorizationMode auth_mode) {
+  std::string email = gaia::CanonicalizeEmail(user_context.GetUserID());
+  bool wildcard_match = false;
+  if (!IsUserWhitelisted(email, &wildcard_match)) {
+    NotifyWhitelistCheckFailure();
+    return;
+  }
+  switch (auth_mode_) {
+    case AUTH_MODE_EXTENSION: {
+      RunOnlineWhitelistCheck(
+          email,
+          wildcard_match,
+          base::Bind(&LoginPerformer::StartLoginCompletion,
+                     weak_factory_.GetWeakPtr()),
+          base::Bind(&LoginPerformer::NotifyWhitelistCheckFailure,
+                     weak_factory_.GetWeakPtr()));
+      break;
+    }
+    case AUTH_MODE_INTERNAL:
+      StartAuthentication();
+      break;
+  }
+}
+
+void LoginPerformer::LoginAsSupervisedUser(const UserContext& user_context) {
+  DCHECK_EQ(chromeos::login::kSupervisedUserDomain,
+            gaia::ExtractDomainName(user_context.GetUserID()));
+
+  if (RunTrustedCheck(base::Bind(&LoginPerformer::LoginAsSupervisedUser,
+                                 weak_factory_.GetWeakPtr(),
+                                 user_context_))) {
+    return;
+  }
+
+  if (!AreSupervisedUsersAllowed()) {
+    LOG(ERROR) << "Login attempt of supervised user detected.";
+    delegate_->WhiteListCheckFailed(user_context.GetUserID());
+    return;
+  }
+
+  SetupSupervisedUserFlow(user_context.GetUserID());
+  UserContext user_context_copy = TransformSupervisedKey(user_context);
+
+  if (UseExtendedAuthenticatorForSupervisedUser(user_context)) {
+    EnsureExtendedAuthenticator();
+    // TODO(antrim) : Replace empty callback with explicit method.
+    // http://crbug.com/351268
+    task_runner_->PostTask(
+        FROM_HERE,
+        base::Bind(&ExtendedAuthenticator::AuthenticateToMount,
+                   extended_authenticator_.get(),
+                   user_context_copy,
+                   ExtendedAuthenticator::ResultCallback()));
+
+  } else {
+    EnsureAuthenticator();
+    task_runner_->PostTask(FROM_HERE,
+                           base::Bind(&Authenticator::LoginAsSupervisedUser,
+                                      authenticator_.get(),
+                                      user_context_copy));
+  }
+}
+
+void LoginPerformer::LoginAsPublicSession(const UserContext& user_context) {
+  if (!CheckPolicyForUser(user_context.GetUserID())) {
+    DCHECK(delegate_);
+    if (delegate_)
+      delegate_->PolicyLoadFailed();
+    return;
+  }
+
+  EnsureAuthenticator();
+  task_runner_->PostTask(FROM_HERE,
+                         base::Bind(&Authenticator::LoginAsPublicSession,
+                                    authenticator_.get(),
+                                    user_context));
+}
+
+void LoginPerformer::LoginRetailMode() {
+  EnsureAuthenticator();
+  task_runner_->PostTask(
+      FROM_HERE,
+      base::Bind(&Authenticator::LoginRetailMode, authenticator_.get()));
+}
+
+void LoginPerformer::LoginOffTheRecord() {
+  EnsureAuthenticator();
+  task_runner_->PostTask(
+      FROM_HERE,
+      base::Bind(&Authenticator::LoginOffTheRecord, authenticator_.get()));
+}
+
+void LoginPerformer::LoginAsKioskAccount(const std::string& app_user_id,
+                                         bool use_guest_mount) {
+  EnsureAuthenticator();
+  task_runner_->PostTask(FROM_HERE,
+                         base::Bind(&Authenticator::LoginAsKioskAccount,
+                                    authenticator_.get(),
+                                    app_user_id,
+                                    use_guest_mount));
+}
+
+void LoginPerformer::RecoverEncryptedData(const std::string& old_password) {
+  task_runner_->PostTask(FROM_HERE,
+                         base::Bind(&Authenticator::RecoverEncryptedData,
+                                    authenticator_.get(),
+                                    old_password));
+}
+
+void LoginPerformer::ResyncEncryptedData() {
+  task_runner_->PostTask(
+      FROM_HERE,
+      base::Bind(&Authenticator::ResyncEncryptedData, authenticator_.get()));
+}
+
+////////////////////////////////////////////////////////////////////////////////
+// LoginPerformer, private:
+
+void LoginPerformer::EnsureExtendedAuthenticator() {
+  if (extended_authenticator_.get())
+    extended_authenticator_->SetConsumer(NULL);
+  extended_authenticator_ = ExtendedAuthenticator::Create(this);
+}
+
+void LoginPerformer::StartLoginCompletion() {
+  DVLOG(1) << "Login completion started";
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker("AuthStarted", false);
+  content::BrowserContext* browser_context = GetSigninContext();
+  EnsureAuthenticator();
+  task_runner_->PostTask(FROM_HERE,
+                         base::Bind(&chromeos::Authenticator::CompleteLogin,
+                                    authenticator_.get(),
+                                    browser_context,
+                                    user_context_));
+  user_context_.ClearSecrets();
+}
+
+void LoginPerformer::StartAuthentication() {
+  DVLOG(1) << "Auth started";
+  chromeos::LoginEventRecorder::Get()->AddLoginTimeMarker("AuthStarted", false);
+  if (delegate_) {
+    EnsureAuthenticator();
+    content::BrowserContext* browser_context = GetSigninContext();
+    task_runner_->PostTask(FROM_HERE,
+                           base::Bind(&Authenticator::AuthenticateToLogin,
+                                      authenticator_.get(),
+                                      base::Unretained(browser_context),
+                                      user_context_));
+    // Make unobtrusive online check. It helps to determine password change
+    // state in the case when offline login fails.
+    online_attempt_host_.Check(GetSigninRequestContext(), user_context_);
+  } else {
+    NOTREACHED();
+  }
+  user_context_.ClearSecrets();
+}
+
+void LoginPerformer::EnsureAuthenticator() {
+  authenticator_ = CreateAuthenticator();
+}
+}  // namespace chromeos
diff --git a/chromeos/login/auth/login_performer.h b/chromeos/login/auth/login_performer.h
new file mode 100644
index 0000000..318fc4a
--- /dev/null
+++ b/chromeos/login/auth/login_performer.h
@@ -0,0 +1,232 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_LOGIN_AUTH_LOGIN_PERFORMER_H_
+#define CHROMEOS_LOGIN_AUTH_LOGIN_PERFORMER_H_
+
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/callback.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/memory/weak_ptr.h"
+#include "chromeos/chromeos_export.h"
+#include "chromeos/login/auth/auth_status_consumer.h"
+#include "chromeos/login/auth/authenticator.h"
+#include "chromeos/login/auth/extended_authenticator.h"
+#include "chromeos/login/auth/online_attempt_host.h"
+#include "chromeos/login/auth/user_context.h"
+#include "google_apis/gaia/google_service_auth_error.h"
+
+namespace net {
+class URLRequestContextGetter;
+}
+
+namespace policy {
+class WildcardLoginChecker;
+}
+
+namespace content {
+class BrowserContext;
+}
+
+namespace chromeos {
+
+// This class encapsulates sign in operations.
+// Sign in is performed in a way that offline auth is executed first.
+// Once offline auth is OK - user homedir is mounted, UI is launched.
+// At this point LoginPerformer |delegate_| is destroyed and it releases
+// LP instance ownership. LP waits for online login result.
+// If auth is succeeded, cookie fetcher is executed, LP instance deletes itself.
+//
+// If |delegate_| is not NULL it will handle error messages, password input.
+class CHROMEOS_EXPORT LoginPerformer : public AuthStatusConsumer,
+                                       public OnlineAttemptHost::Delegate {
+ public:
+  typedef enum AuthorizationMode {
+    // Authorization performed internally by Chrome.
+    AUTH_MODE_INTERNAL,
+    // Authorization performed by an extension.
+    AUTH_MODE_EXTENSION
+  } AuthorizationMode;
+
+  // Delegate class to get notifications from the LoginPerformer.
+  class Delegate : public AuthStatusConsumer {
+   public:
+    virtual ~Delegate() {}
+    virtual void WhiteListCheckFailed(const std::string& email) = 0;
+    virtual void PolicyLoadFailed() = 0;
+    virtual void OnOnlineChecked(const std::string& email, bool success) = 0;
+  };
+
+  LoginPerformer(scoped_refptr<base::TaskRunner> task_runner,
+                 Delegate* delegate);
+  virtual ~LoginPerformer();
+
+  // Performs a login for |user_context|.
+  // If auth_mode is AUTH_MODE_EXTENSION, there are no further auth checks,
+  // AUTH_MODE_INTERNAL will perform auth checks.
+  void PerformLogin(const UserContext& user_context,
+                    AuthorizationMode auth_mode);
+
+  // Performs supervised user login with a given |user_context|.
+  void LoginAsSupervisedUser(const UserContext& user_context);
+
+  // Performs retail mode login.
+  void LoginRetailMode();
+
+  // Performs actions to prepare guest mode login.
+  void LoginOffTheRecord();
+
+  // Performs public session login with a given |user_context|.
+  void LoginAsPublicSession(const UserContext& user_context);
+
+  // Performs a login into the kiosk mode account with |app_user_id|.
+  void LoginAsKioskAccount(const std::string& app_user_id,
+                           bool use_guest_mount);
+
+  // AuthStatusConsumer implementation:
+  virtual void OnAuthFailure(const AuthFailure& error) override;
+  virtual void OnRetailModeAuthSuccess(
+      const UserContext& user_context) override;
+  virtual void OnAuthSuccess(const UserContext& user_context) override;
+  virtual void OnOffTheRecordAuthSuccess() override;
+  virtual void OnPasswordChangeDetected() override;
+
+  // Migrates cryptohome using |old_password| specified.
+  void RecoverEncryptedData(const std::string& old_password);
+
+  // Reinitializes cryptohome with the new password.
+  void ResyncEncryptedData();
+
+  // Returns latest auth error.
+  const GoogleServiceAuthError& error() const {
+    return last_login_failure_.error();
+  }
+
+  // True if password change has been detected.
+  bool password_changed() { return password_changed_; }
+
+  // Number of times we've been called with OnPasswordChangeDetected().
+  // If user enters incorrect old password, same LoginPerformer instance will
+  // be called so callback count makes it possible to distinguish initial
+  // "password changed detected" event from further attempts to enter old
+  // password for cryptohome migration (when > 1).
+  int password_changed_callback_count() {
+    return password_changed_callback_count_;
+  }
+
+  void set_delegate(Delegate* delegate) { delegate_ = delegate; }
+
+  AuthorizationMode auth_mode() const { return auth_mode_; }
+
+ protected:
+  // Implements OnlineAttemptHost::Delegate.
+  virtual void OnChecked(const std::string& user_id, bool success) override;
+
+  // Platform-dependant methods to be implemented by concrete class.
+
+  // Run trusted check for a platform. If trusted check have to be performed
+  // asynchronously, |false| will be returned, and either delegate's
+  // PolicyLoadFailed() or |callback| will be called upon actual check.
+  virtual bool RunTrustedCheck(const base::Closure& callback) = 0;
+
+  // Check if user is allowed to sign in on device. |wildcard_match| will
+  // contain additional information whether this user is explicitly listed or
+  // not (may be relevant for extension-based sign-in).
+  virtual bool IsUserWhitelisted(const std::string& user_id,
+                                 bool* wildcard_match) = 0;
+
+  // This method should run addional online check if user can sign in on device.
+  // Either |success_callback| or |failure_callback| should be called upon this
+  // check.
+  virtual void RunOnlineWhitelistCheck(
+      const std::string& user_id,
+      bool wildcard_match,
+      const base::Closure& success_callback,
+      const base::Closure& failure_callback) = 0;
+
+  // Supervised users-related methods.
+
+  // Check if supervised users are allowed on this device.
+  virtual bool AreSupervisedUsersAllowed() = 0;
+
+  // Check which authenticator should be used for supervised user.
+  virtual bool UseExtendedAuthenticatorForSupervisedUser(
+      const UserContext& user_context) = 0;
+
+  // Probably transform supervised user's authentication key.
+  virtual UserContext TransformSupervisedKey(const UserContext& context) = 0;
+
+  // Set up sign-in flow for supervised user.
+  virtual void SetupSupervisedUserFlow(const std::string& user_id) = 0;
+
+  // Run policy check for |user_id|. If something is wrong, delegate's
+  // PolicyLoadFailed is called.
+  virtual bool CheckPolicyForUser(const std::string& user_id) = 0;
+
+  // Look up browser context to use during signin.
+  virtual content::BrowserContext* GetSigninContext() = 0;
+
+  // Get RequestContext used for sign in.
+  virtual net::URLRequestContextGetter* GetSigninRequestContext() = 0;
+
+  // Create authenticator implementation.
+  virtual scoped_refptr<Authenticator> CreateAuthenticator() = 0;
+
+  void set_authenticator(scoped_refptr<Authenticator> authenticator);
+
+  // Notifications receiver.
+  Delegate* delegate_;
+
+ private:
+  // Starts login completion of externally authenticated user.
+  void StartLoginCompletion();
+
+  // Starts authentication.
+  void StartAuthentication();
+  void NotifyWhitelistCheckFailure();
+
+  // Makes sure that authenticator is created.
+  void EnsureAuthenticator();
+  void EnsureExtendedAuthenticator();
+
+  // Actual implementantion of PeformLogin that is run after trusted values
+  // check.
+  void DoPerformLogin(const UserContext& user_context,
+                      AuthorizationMode auth_mode);
+
+  scoped_refptr<base::TaskRunner> task_runner_;
+
+  // Used for logging in.
+  scoped_refptr<Authenticator> authenticator_;
+
+  // Used for logging in.
+  scoped_refptr<ExtendedAuthenticator> extended_authenticator_;
+
+  // Used to make auxiliary online check.
+  OnlineAttemptHost online_attempt_host_;
+
+  // Represents last login failure that was encountered when communicating to
+  // sign-in server. AuthFailure.LoginFailureNone() by default.
+  AuthFailure last_login_failure_;
+
+  // User credentials for the current login attempt.
+  UserContext user_context_;
+
+  // True if password change has been detected.
+  // Once correct password is entered homedir migration is executed.
+  bool password_changed_;
+  int password_changed_callback_count_;
+
+  // Authorization mode type.
+  AuthorizationMode auth_mode_;
+
+  base::WeakPtrFactory<LoginPerformer> weak_factory_;
+  DISALLOW_COPY_AND_ASSIGN(LoginPerformer);
+};
+
+}  // namespace chromeos
+
+#endif  // CHROMEOS_LOGIN_AUTH_LOGIN_PERFORMER_H_
diff --git a/chromeos/login/auth/mock_authenticator.cc b/chromeos/login/auth/mock_authenticator.cc
index e457f9f..0665156 100644
--- a/chromeos/login/auth/mock_authenticator.cc
+++ b/chromeos/login/auth/mock_authenticator.cc
@@ -17,14 +17,14 @@ MockAuthenticator::MockAuthenticator(AuthStatusConsumer* consumer,
       message_loop_(base::MessageLoopProxy::current()) {
 }
 
-void MockAuthenticator::CompleteLogin(Profile* profile,
+void MockAuthenticator::CompleteLogin(content::BrowserContext* ignored,
                                       const UserContext& user_context) {
   if (expected_user_context_ != user_context)
     NOTREACHED();
   OnAuthSuccess();
 }
 
-void MockAuthenticator::AuthenticateToLogin(Profile* profile,
+void MockAuthenticator::AuthenticateToLogin(content::BrowserContext* ignored,
                                             const UserContext& user_context) {
   if (user_context == expected_user_context_) {
     message_loop_->PostTask(
diff --git a/chromeos/login/auth/mock_authenticator.h b/chromeos/login/auth/mock_authenticator.h
index d887e59..d4c5e86 100644
--- a/chromeos/login/auth/mock_authenticator.h
+++ b/chromeos/login/auth/mock_authenticator.h
@@ -13,7 +13,9 @@
 #include "chromeos/login/auth/user_context.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-class Profile;
+namespace content {
+class BrowserContext;
+}
 
 namespace chromeos {
 
@@ -25,9 +27,9 @@ class CHROMEOS_EXPORT MockAuthenticator : public Authenticator {
                     const UserContext& expected_user_context);
 
   // Authenticator:
-  virtual void CompleteLogin(Profile* profile,
+  virtual void CompleteLogin(content::BrowserContext* context,
                              const UserContext& user_context) override;
-  virtual void AuthenticateToLogin(Profile* profile,
+  virtual void AuthenticateToLogin(content::BrowserContext* context,
                                    const UserContext& user_context) override;
   virtual void AuthenticateToUnlock(const UserContext& user_context) override;
   virtual void LoginAsSupervisedUser(const UserContext& user_context) override;