Expose API to keep authsession alive

Bug: b:238606050 Change-Id: Ied818e4152ca8387e68d0844ed484e2ae22229b7 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4942031 Auto-Submit: Denis Kuznetsov <antrim@chromium.org> Commit-Queue: Anastasiia N <anastasiian@chromium.org> Reviewed-by: Anastasiia N <anastasiian@chromium.org> Cr-Commit-Position: refs/heads/main@{#1210679}
chromium · Oct 17, 2023 · 54a33a0 · 54a33a0
1 parent baae583
commit 54a33a0
Show file tree

Hide file tree

Showing 8 changed files with 115 additions and 32 deletions.
diff --git a/chromeos/ash/components/login/auth/auth_performer.cc b/chromeos/ash/components/login/auth/auth_performer.cc
@@ -15,6 +15,7 @@
 #include "chromeos/ash/components/cryptohome/auth_factor.h"
 #include "chromeos/ash/components/cryptohome/auth_factor_conversions.h"
 #include "chromeos/ash/components/cryptohome/common_types.h"
+#include "chromeos/ash/components/cryptohome/constants.h"
 #include "chromeos/ash/components/cryptohome/cryptohome_util.h"
 #include "chromeos/ash/components/cryptohome/system_salt_getter.h"
 #include "chromeos/ash/components/cryptohome/userdataauth_util.h"
@@ -73,8 +74,11 @@ absl::optional<AuthSessionIntent> DeserializeIntent(
 
 }  // namespace
 
-AuthPerformer::AuthPerformer(UserDataAuthClient* client) : client_(client) {
+AuthPerformer::AuthPerformer(UserDataAuthClient* client,
+                             const base::Clock* clock)
+    : client_(client), clock_(clock) {
   CHECK(client_);
+  CHECK(clock_);
 }
 
 AuthPerformer::~AuthPerformer() = default;
@@ -89,6 +93,7 @@ base::WeakPtr<AuthPerformer> AuthPerformer::AsWeakPtr() {
 
 // static
 void AuthPerformer::FillAuthenticationData(
+    const base::Time& reference_time,
     const user_data_auth::AuthSessionProperties& session_properties,
     UserContext& out_context) {
   DCHECK(session_properties.authorized_for_size() > 0);
@@ -101,7 +106,7 @@ void AuthPerformer::FillAuthenticationData(
     }
   }
   out_context.SetSessionLifetime(
-      base::Time::Now() + base::Seconds(session_properties.seconds_left()));
+      reference_time + base::Seconds(session_properties.seconds_left()));
 }
 
 void AuthPerformer::StartAuthSession(std::unique_ptr<UserContext> context,
@@ -243,20 +248,21 @@ void AuthPerformer::AuthenticateUsingKnowledgeKey(
   client_->AuthenticateAuthFactor(
       request,
       base::BindOnce(&AuthPerformer::MaybeRecordKnowledgeFactorAuthFailure,
-                     weak_factory_.GetWeakPtr(), std::move(context),
-                     std::move(callback)));
+                     weak_factory_.GetWeakPtr(), clock_->Now(),
+                     std::move(context), std::move(callback)));
 }
 
 void AuthPerformer::MaybeRecordKnowledgeFactorAuthFailure(
+    base::Time request_start,
     std::unique_ptr<UserContext> context,
     AuthOperationCallback callback,
     absl::optional<user_data_auth::AuthenticateAuthFactorReply> reply) {
   if (auto error = user_data_auth::ReplyToCryptohomeError(reply);
       error == user_data_auth::CRYPTOHOME_ERROR_KEY_NOT_FOUND) {
     AuthEventsRecorder::Get()->OnKnowledgeFactorAuthFailue();
   }
-  OnAuthenticateAuthFactor(std::move(context), std::move(callback),
-                           std::move(reply));
+  OnAuthenticateAuthFactor(request_start, std::move(context),
+                           std::move(callback), std::move(reply));
 }
 
 void AuthPerformer::HashKeyAndAuthenticate(std::unique_ptr<UserContext> context,
@@ -292,8 +298,8 @@ void AuthPerformer::AuthenticateUsingChallengeResponseKey(
   request.set_auth_factor_label(ref.label().value());
   client_->AuthenticateAuthFactor(
       request, base::BindOnce(&AuthPerformer::OnAuthenticateAuthFactor,
-                              weak_factory_.GetWeakPtr(), std::move(context),
-                              std::move(callback)));
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
 }
 
 void AuthPerformer::AuthenticateWithPassword(
@@ -390,8 +396,8 @@ void AuthPerformer::AuthenticateAsKiosk(std::unique_ptr<UserContext> context,
   request.set_auth_factor_label(existing_factor->ref().label().value());
   client_->AuthenticateAuthFactor(
       request, base::BindOnce(&AuthPerformer::OnAuthenticateAuthFactor,
-                              weak_factory_.GetWeakPtr(), std::move(context),
-                              std::move(callback)));
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
 }
 
 void AuthPerformer::GetAuthSessionStatus(std::unique_ptr<UserContext> context,
@@ -406,8 +412,27 @@ void AuthPerformer::GetAuthSessionStatus(std::unique_ptr<UserContext> context,
 
   client_->GetAuthSessionStatus(
       request, base::BindOnce(&AuthPerformer::OnGetAuthSessionStatus,
-                              weak_factory_.GetWeakPtr(), std::move(context),
-                              std::move(callback)));
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
+}
+
+void AuthPerformer::ExtendAuthSessionLifetime(
+    std::unique_ptr<UserContext> context,
+    AuthOperationCallback callback) {
+  if (context->GetAuthSessionId().empty()) {
+    NOTREACHED() << "Auth session should exist";
+  }
+  LOGIN_LOG(EVENT) << "Requesting authsession lifetime extension";
+  user_data_auth::ExtendAuthSessionRequest request;
+
+  request.set_auth_session_id(context->GetAuthSessionId());
+  request.set_extension_duration(
+      cryptohome::kAuthsessionExtensionPeriod.InSeconds());
+
+  client_->ExtendAuthSession(
+      request, base::BindOnce(&AuthPerformer::OnExtendAuthSession,
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
 }
 
 void AuthPerformer::GetRecoveryRequest(
@@ -478,8 +503,8 @@ void AuthPerformer::AuthenticateWithRecovery(
 
   client_->AuthenticateAuthFactor(
       request, base::BindOnce(&AuthPerformer::OnAuthenticateAuthFactor,
-                              weak_factory_.GetWeakPtr(), std::move(context),
-                              std::move(callback)));
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
 }
 
 /// ---- private callbacks ----
@@ -576,6 +601,7 @@ void AuthPerformer::OnTerminateAuthFactor(
 }
 
 void AuthPerformer::OnAuthenticateAuthFactor(
+    base::Time request_start,
     std::unique_ptr<UserContext> context,
     AuthOperationCallback callback,
     absl::optional<user_data_auth::AuthenticateAuthFactorReply> reply) {
@@ -589,13 +615,14 @@ void AuthPerformer::OnAuthenticateAuthFactor(
   }
   CHECK(reply.has_value());
   CHECK(reply->has_auth_properties());
-  FillAuthenticationData(reply->auth_properties(), *context);
+  FillAuthenticationData(request_start, reply->auth_properties(), *context);
 
   LOGIN_LOG(EVENT) << "Authenticated successfully";
   std::move(callback).Run(std::move(context), absl::nullopt);
 }
 
 void AuthPerformer::OnGetAuthSessionStatus(
+    base::Time request_start,
     std::unique_ptr<UserContext> context,
     AuthSessionStatusCallback callback,
     absl::optional<user_data_auth::GetAuthSessionStatusReply> reply) {
@@ -639,11 +666,29 @@ void AuthPerformer::OnGetAuthSessionStatus(
     default:
       NOTREACHED();
   }
-  FillAuthenticationData(reply->auth_properties(), *context);
+  FillAuthenticationData(request_start, reply->auth_properties(), *context);
   std::move(callback).Run(status, lifetime, std::move(context),
                           /*cryptohome_error=*/absl::nullopt);
 }
 
+void AuthPerformer::OnExtendAuthSession(
+    base::Time request_start,
+    std::unique_ptr<UserContext> context,
+    AuthOperationCallback callback,
+    absl::optional<user_data_auth::ExtendAuthSessionReply> reply) {
+  auto error = user_data_auth::ReplyToCryptohomeError(reply);
+  if (error != user_data_auth::CRYPTOHOME_ERROR_NOT_SET) {
+    LOGIN_LOG(EVENT) << "Failed to extend authsession lifetime " << error;
+    std::move(callback).Run(std::move(context), AuthenticationError{error});
+    return;
+  }
+  CHECK(reply.has_value());
+  context->SetSessionLifetime(request_start +
+                              base::Seconds(reply->seconds_left()));
+  std::move(callback).Run(std::move(context),
+                          /*cryptohome_error=*/absl::nullopt);
+}
+
 void AuthPerformer::OnGetRecoveryRequest(
     RecoveryRequestCallback callback,
     std::unique_ptr<UserContext> context,

diff --git a/chromeos/ash/components/login/auth/auth_performer.h b/chromeos/ash/components/login/auth/auth_performer.h
@@ -11,14 +11,15 @@
 #include "base/functional/callback.h"
 #include "base/memory/raw_ptr.h"
 #include "base/memory/weak_ptr.h"
+#include "base/time/clock.h"
+#include "base/time/default_clock.h"
 #include "chromeos/ash/components/cryptohome/auth_factor.h"
 #include "chromeos/ash/components/dbus/cryptohome/UserDataAuth.pb.h"
 #include "chromeos/ash/components/dbus/userdataauth/userdataauth_client.h"
 #include "chromeos/ash/components/login/auth/public/auth_callbacks.h"
 #include "chromeos/ash/components/login/auth/public/auth_session_intent.h"
 #include "chromeos/ash/components/login/auth/public/auth_session_status.h"
 #include "chromeos/ash/components/login/auth/public/authentication_error.h"
-#include "chromeos/ash/components/login/auth/public/recovery_types.h"
 #include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace ash {
@@ -31,7 +32,8 @@ class UserContext;
 // This implementation is only compatible with AuthSession-based API.
 class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) AuthPerformer {
  public:
-  explicit AuthPerformer(UserDataAuthClient* client);
+  AuthPerformer(UserDataAuthClient* client,
+                const base::Clock* clock = base::DefaultClock::GetInstance());
 
   AuthPerformer(const AuthPerformer&) = delete;
   AuthPerformer& operator=(const AuthPerformer&) = delete;
@@ -62,6 +64,7 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) AuthPerformer {
   // Utility method, copies data relevant for authentidated session
   // into UserContext: authenticated intents, remaining lifetime.
   static void FillAuthenticationData(
+      const base::Time& reference_time,
       const user_data_auth::AuthSessionProperties& session_properties,
       UserContext& out_context);
 
@@ -102,6 +105,7 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) AuthPerformer {
   // After attempting authentication with `AuthenticateUsingKnowledgeKey`, if
   // attempt failed, record it in `AuthEventsRecorder`.
   void MaybeRecordKnowledgeFactorAuthFailure(
+      base::Time request_start,
       std::unique_ptr<UserContext> context,
       AuthOperationCallback callback,
       absl::optional<user_data_auth::AuthenticateAuthFactorReply> reply);
@@ -140,6 +144,9 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) AuthPerformer {
   void GetAuthSessionStatus(std::unique_ptr<UserContext> context,
                             AuthSessionStatusCallback callback);
 
+  void ExtendAuthSessionLifetime(std::unique_ptr<UserContext> context,
+                                 AuthOperationCallback callback);
+
   void GetRecoveryRequest(const std::string& access_token,
                           const CryptohomeRecoveryEpochResponse& epoch,
                           std::unique_ptr<UserContext> context,
@@ -191,11 +198,13 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) AuthPerformer {
                                    const std::string& system_salt);
 
   void OnAuthenticateAuthFactor(
+      base::Time request_start,
       std::unique_ptr<UserContext> context,
       AuthOperationCallback callback,
       absl::optional<user_data_auth::AuthenticateAuthFactorReply> reply);
 
   void OnGetAuthSessionStatus(
+      base::Time request_start,
       std::unique_ptr<UserContext> context,
       AuthSessionStatusCallback callback,
       absl::optional<user_data_auth::GetAuthSessionStatusReply> reply);
@@ -205,7 +214,14 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) AuthPerformer {
       std::unique_ptr<UserContext> context,
       absl::optional<user_data_auth::GetRecoveryRequestReply> reply);
 
+  void OnExtendAuthSession(
+      base::Time request_start,
+      std::unique_ptr<UserContext> context,
+      AuthOperationCallback callback,
+      absl::optional<user_data_auth::ExtendAuthSessionReply> reply);
+
   const raw_ptr<UserDataAuthClient, DanglingUntriaged> client_;
+  const raw_ptr<const base::Clock> clock_;
   base::WeakPtrFactory<AuthPerformer> weak_factory_{this};
 };
 

diff --git a/chromeos/ash/components/login/auth/auth_session_authenticator.cc b/chromeos/ash/components/login/auth/auth_session_authenticator.cc
@@ -13,6 +13,7 @@
 #include "base/functional/callback.h"
 #include "base/functional/callback_helpers.h"
 #include "base/notreached.h"
+#include "base/time/default_clock.h"
 #include "chromeos/ash/components/cryptohome/auth_factor.h"
 #include "chromeos/ash/components/cryptohome/cryptohome_parameters.h"
 #include "chromeos/ash/components/cryptohome/cryptohome_util.h"
@@ -56,7 +57,8 @@ AuthSessionAuthenticator::AuthSessionAuthenticator(
       auth_factor_editor_(
           std::make_unique<AuthFactorEditor>(UserDataAuthClient::Get())),
       auth_performer_(
-          std::make_unique<AuthPerformer>(UserDataAuthClient::Get())),
+          std::make_unique<AuthPerformer>(UserDataAuthClient::Get(),
+                                          base::DefaultClock::GetInstance())),
       mount_performer_(std::make_unique<MountPerformer>()),
       local_state_(local_state) {
   DCHECK(safe_mode_delegate_);

diff --git a/chromeos/ash/components/login/auth/mount_performer.cc b/chromeos/ash/components/login/auth/mount_performer.cc
@@ -8,6 +8,7 @@
 #include "base/command_line.h"
 #include "base/functional/bind.h"
 #include "base/functional/callback.h"
+#include "chromeos/ash/components/cryptohome/constants.h"
 #include "chromeos/ash/components/cryptohome/userdataauth_util.h"
 #include "chromeos/ash/components/dbus/userdataauth/userdataauth_client.h"
 #include "chromeos/ash/components/login/auth/auth_events_recorder.h"
@@ -26,7 +27,7 @@ bool ShouldUseOldEncryptionForTesting() {
 
 }  // namespace
 
-MountPerformer::MountPerformer() = default;
+MountPerformer::MountPerformer(const base::Clock* clock) : clock_(clock) {}
 MountPerformer::~MountPerformer() = default;
 
 void MountPerformer::InvalidateCurrentAttempts() {
@@ -44,8 +45,8 @@ void MountPerformer::CreateNewUser(std::unique_ptr<UserContext> context,
   request.set_auth_session_id(context->GetAuthSessionId());
   UserDataAuthClient::Get()->CreatePersistentUser(
       request, base::BindOnce(&MountPerformer::OnCreatePersistentUser,
-                              weak_factory_.GetWeakPtr(), std::move(context),
-                              std::move(callback)));
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
 }
 
 void MountPerformer::MountPersistentDirectory(
@@ -85,8 +86,8 @@ void MountPerformer::MountEphemeralDirectory(
   request.set_auth_session_id(context->GetAuthSessionId());
   UserDataAuthClient::Get()->PrepareEphemeralVault(
       request, base::BindOnce(&MountPerformer::OnPrepareEphemeralVault,
-                              weak_factory_.GetWeakPtr(), std::move(context),
-                              std::move(callback)));
+                              weak_factory_.GetWeakPtr(), clock_->Now(),
+                              std::move(context), std::move(callback)));
 }
 
 void MountPerformer::MountGuestDirectory(std::unique_ptr<UserContext> context,
@@ -175,6 +176,7 @@ void MountPerformer::MigrateToDircrypto(std::unique_ptr<UserContext> context,
 /// ---- private callbacks ----
 
 void MountPerformer::OnCreatePersistentUser(
+    base::Time request_start,
     std::unique_ptr<UserContext> context,
     AuthOperationCallback callback,
     absl::optional<user_data_auth::CreatePersistentUserReply> reply) {
@@ -186,7 +188,8 @@ void MountPerformer::OnCreatePersistentUser(
   }
   CHECK(reply.has_value());
   CHECK(reply->has_auth_properties());
-  AuthPerformer::FillAuthenticationData(reply->auth_properties(), *context);
+  AuthPerformer::FillAuthenticationData(request_start, reply->auth_properties(),
+                                        *context);
   std::move(callback).Run(std::move(context), absl::nullopt);
 }
 
@@ -209,6 +212,7 @@ void MountPerformer::OnPrepareGuestVault(
 }
 
 void MountPerformer::OnPrepareEphemeralVault(
+    base::Time request_start,
     std::unique_ptr<UserContext> context,
     AuthOperationCallback callback,
     absl::optional<user_data_auth::PrepareEphemeralVaultReply> reply) {
@@ -223,7 +227,8 @@ void MountPerformer::OnPrepareEphemeralVault(
   }
   CHECK(reply.has_value());
   CHECK(reply->has_auth_properties());
-  AuthPerformer::FillAuthenticationData(reply->auth_properties(), *context);
+  AuthPerformer::FillAuthenticationData(request_start, reply->auth_properties(),
+                                        *context);
   context->SetUserIDHash(reply->sanitized_username());
   std::move(callback).Run(std::move(context), absl::nullopt);
 }

diff --git a/chromeos/ash/components/login/auth/mount_performer.h b/chromeos/ash/components/login/auth/mount_performer.h
@@ -10,6 +10,8 @@
 #include "base/component_export.h"
 #include "base/functional/callback.h"
 #include "base/memory/weak_ptr.h"
+#include "base/time/clock.h"
+#include "base/time/default_clock.h"
 #include "chromeos/ash/components/dbus/cryptohome/UserDataAuth.pb.h"
 #include "chromeos/ash/components/login/auth/public/auth_callbacks.h"
 #include "chromeos/ash/components/login/auth/public/authentication_error.h"
@@ -24,7 +26,8 @@ class UserContext;
 // This implementation is only compatible with AuthSession-based API.
 class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) MountPerformer {
  public:
-  MountPerformer();
+  explicit MountPerformer(
+      const base::Clock* clock = base::DefaultClock::GetInstance());
 
   MountPerformer(const MountPerformer&) = delete;
   MountPerformer& operator=(const MountPerformer&) = delete;
@@ -100,6 +103,7 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) MountPerformer {
  private:
   // Callbacks for UserDataAuthClient operations:
   void OnCreatePersistentUser(
+      base::Time request_start,
       std::unique_ptr<UserContext> context,
       AuthOperationCallback callback,
       absl::optional<user_data_auth::CreatePersistentUserReply> reply);
@@ -108,6 +112,7 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) MountPerformer {
       AuthOperationCallback callback,
       absl::optional<user_data_auth::PrepareGuestVaultReply> reply);
   void OnPrepareEphemeralVault(
+      base::Time request_start,
       std::unique_ptr<UserContext> context,
       AuthOperationCallback callback,
       absl::optional<user_data_auth::PrepareEphemeralVaultReply> reply);
@@ -135,6 +140,7 @@ class COMPONENT_EXPORT(CHROMEOS_ASH_COMPONENTS_LOGIN_AUTH) MountPerformer {
       AuthOperationCallback callback,
       absl::optional<user_data_auth::StartMigrateToDircryptoReply> reply);
 
+  const raw_ptr<const base::Clock> clock_;
   base::WeakPtrFactory<MountPerformer> weak_factory_{this};
 };