Issue 676607

Issue metadata

Status: Archived
Owner:
Closed: Apr 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Feature



Refresh TGTs in long-running user sessions that never lock the screen

Project Member Reported by tnagel@chromium.org, Dec 22 2016

Issue description

I guess as a first step we need to define what the UI is supposed to be.
 
Per email thread, I believe this should happen behind the scenes with the user password that is kept from the login screen.
Labels: Enterprise-Triaged
Labels: M-58
I guess this needs a design doc.

Comment 5 by dskaram@google.com, Jan 9 2017

Cc: dskaram@chromium.org
Owner: ljusten@chromium.org
We should base it on this which has already gotten stamp from security.

go/cros-password-proxy


Lutz, you want to take this on your plate since you're the daemon expert now? :)
Sure, I can do that. Sounds like an interesting task.

Comment 7 by tnagel@chromium.org, Jan 31 2017

Labels: -Type-Bug Type-Feature
Labels: -Pri-3 Pri-1
Comment 9 by bugdroid1@chromium.org, Mar 25 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/system_api/+/79e6768704bc922986e145d0b64a55135bfc8e4b

commit 79e6768704bc922986e145d0b64a55135bfc8e4b
Author: Lutz Justen <ljusten@chromium.org>
Date: Sat Mar 25 02:38:06 2017

authpolicy: Add D-Bus constants

Adds error codes related to klist (listing the contents of a Kerberos
credentials cache). Klist is used in CL:458220 to read the ticket's
validity and renewal lifetimes.

BUG= chromium:676607 
TEST=It compiles. 'nuff said.

Change-Id: Ie81cce52768b3ee157efc8442711e118297281bc
Reviewed-on: https://chromium-review.googlesource.com/458427
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>

[modify] https://crrev.com/79e6768704bc922986e145d0b64a55135bfc8e4b/dbus/authpolicy/dbus-constants.h

Comment 10 by bugdroid1@chromium.org, Mar 28 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e

commit 4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Mar 28 16:30:15 2017

authpolicy: Refactor TGT acquisition mechanism

In preparation to refreshing ticket-granting-tickets (TGTs),
this CL refactors the TGT acquisition mechanism (aka calling
kinit) into a separate class. In addition, user and device TGT
use a separate credential cache now since they would overwrite
each other before.

BUG= chromium:676607 
TEST=Tested auth and policy fetch.

Change-Id: I69d12e2f45610fb289f92d8336f5750aa15e0a7b
Reviewed-on: https://chromium-review.googlesource.com/443124
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>

[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/platform_helper.h
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/authpolicy.gyp
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/samba_interface_internal.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/stub_common.h
[add] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/jail_helper.h
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/authpolicy.h
[add] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/jail_helper.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/samba_interface.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/stub_common.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/samba_interface_internal.h
[add] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/tgt_manager.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/samba_interface.h
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/constants.h
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/stub_kinit_main.cc
[add] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/tgt_manager.h
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/path_service.h
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/path_service.cc
[add] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/constants.cc
[modify] https://crrev.com/4b0f9328e20a628bfe8eee8736ef82b0e3fd4d0e/authpolicy/stub_net_main.cc

Status: Started (was: Assigned)
Comment 12 by bugdroid1@chromium.org, Mar 31 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/b02680a4b3250601713923d0ce649ad2879927b7

commit b02680a4b3250601713923d0ce649ad2879927b7
Author: Lutz Justen <ljusten@chromium.org>
Date: Fri Mar 31 17:40:29 2017

authpolicy: Renew user TGT before it expires

Automatically renews a user ticket-granting-ticket (TGT) before it
expires. This prevents that user policy cannot be fetched anymore
if the user session runs for longer than the TGT validity lifetime
(usually 10 hours). The ticket still expires after the renewal
lifetime (usually 24 hours) or if the machine is offline during all
renewal attempts and logging back in is required. Prompting the user
to relog in Chrome is a future CL. The user TGT will be used for more
services (SAML SSO) in the future.

This CL will become much more important when offline login is
supported. It is then much more likely that the 10 hour limit is
exceeded.

Schedules TGT renewal at 80% of the TGT validity lifetime. If the
renewal fails, another renewal attempt is scheduled at 80% of the
remaining lifetime. This is continued in decreasing intervals no
shorter than 5 minutes to save resources. Automatic renewal is given
up when the TGT expires or the renewal time limit is reached. Renewal
is scheduled on the D-Bus thread on a single-threaded task runner, so
that it won't interfere with D-Bus calls.

BUG= chromium:676607 
TEST=Tested on device with a short TGT lifetime of 5 minutes.

Change-Id: Idde26621a72844030aa67903b5d616b6d06a6a62
Reviewed-on: https://chromium-review.googlesource.com/458220
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Zentaro Kavanagh <zentaro@google.com>

[add] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/stub_klist_main.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/constants.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/authpolicy_metrics.h
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/samba_interface.h
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/authpolicy_unittest.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/samba_interface.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/tgt_manager.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/tgt_manager.h
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/authpolicy_parser_main.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/path_service.h
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/constants.h
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/authpolicy_metrics.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/process_executor.h
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/authpolicy.gyp
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/path_service.cc
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/authpolicy.cc
[add] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/seccomp_filters/klist-seccomp.policy
[modify] https://crrev.com/b02680a4b3250601713923d0ce649ad2879927b7/authpolicy/proto/authpolicy_containers.proto
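
The renewal schedule described in the commit message above, worked through as an added C++ example (not authpolicy's own code). The names `TgtLifetime`, `NextRenewalDelay` and `SimulateRenewals` are hypothetical; applying the 5-minute floor to retries only, and not scheduling an attempt that would land at or after expiry, are assumptions of this example.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

// From the commit message: renew at 80% of the validity lifetime; retries
// after a failure are spaced no closer than 5 minutes.
constexpr int64_t kRenewalPercent = 80;
constexpr int64_t kMinRetryDelaySeconds = 5 * 60;

// Hypothetical view of what klist reports, in seconds from now.
struct TgtLifetime {
  int64_t validity_seconds;  // until the ticket expires
  int64_t renewal_seconds;   // until the renewal time limit
};

// Returns seconds until the next renewal attempt, or -1 to give up.
// Assumptions: the 5-minute floor applies to retries only, and an attempt
// that could only run at or after expiry is not scheduled.
int64_t NextRenewalDelay(const TgtLifetime& tgt, bool after_failure) {
  // Renewing cannot extend a ticket that already runs to the renewal limit.
  if (tgt.validity_seconds <= 0 ||
      tgt.renewal_seconds <= tgt.validity_seconds)
    return -1;
  int64_t delay = tgt.validity_seconds * kRenewalPercent / 100;
  if (after_failure) delay = std::max(delay, kMinRetryDelaySeconds);
  return delay < tgt.validity_seconds ? delay : -1;
}

// Replays a session from login (t = 0). kdc_reachable[i] says whether the
// i-th attempt succeeds. Returns the attempt times in seconds since login.
std::vector<int64_t> SimulateRenewals(int64_t validity, int64_t renew_till,
                                      const std::vector<bool>& kdc_reachable) {
  std::vector<int64_t> attempts;
  int64_t now = 0, expires_at = validity;
  bool failed = false;
  for (bool ok : kdc_reachable) {
    int64_t delay =
        NextRenewalDelay({expires_at - now, renew_till - now}, failed);
    if (delay < 0) break;
    now += delay;
    attempts.push_back(now);
    // A renewed ticket gets a fresh lifetime, capped at the renewal limit.
    if (ok) expires_at = std::min(now + validity, renew_till);
    failed = !ok;
  }
  return attempts;
}
```

With the "usual" 10-hour validity and 24-hour renewal lifetimes, an always-online session renews at 8 h and 16 h and then stops because the ticket already runs to the renewal limit; an always-offline session retries at 8 h, 9 h 36 min and 9 h 55 min 12 s before giving up.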

Status: Fixed (was: Started)
TGTs are refreshed now for up to a week (depending on server config) without requiring a password. We plan that Chrome prompts the user to relog if the TGT is invalid, which should happen extremely rarely now. This should cover our needs. We can still do the password manager if we have to, but I'd rather wait to see if it's actually necessary.
Cc: tnagel@chromium.org
re comment #13, isn't there a set number of retries beyond which we cannot renew automatically and we actually need the user's password for this? When we discussed this initially we agreed to:

1. Refresh TGT at screen unlock (if online) w/ existing valid TGT  or user's pwd
2. Refresh TGT at profile login (if online) w/ existing valid TGT  or user's pwd
3. Refresh TGT in-session w/ existing valid TGT

The combination of all those would make TGT staleness a rare occurrence, but (3) alone would not. Also, for TGT going stale, do we hook into the existing flow for stale GAIA cookies (today it shows a notification that the user needs to sign out and sign back in. We can reuse the exact same flow. You can try it by logging into Chrome, changing your Google pwd on another machine and then playing around a bit on the Chrome device till the notification shows).


Do we have bugs to track (1), (2), and hooking into the stale flow? Or were these included in this change?

Cc: rsorokin@chromium.org
1) is definitely the plan, but not done yet.
2) is what we currently do, in fact, we require online login, but Roman is working on offline login right now.
3) is this CL.

>> do we hook into the existing flow for stale GAIA cookies
That is the plan. It makes a lot of sense to reuse existing flow because it's the equivalent use case.

>> Do we have bugs to track (1), (2), and hooking into the stale flow? Or were these included in this change?
If we have bugs, they should be on Roman's plate.

Since this bug is only about user sessions that never lock the screen, it only handles automatic background refresh, i.e. 3).

Comment 17 by bugdroid1@chromium.org, Apr 13 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7bd88f51679fefff4ce7fca4c44d814b28e0787d

commit 7bd88f51679fefff4ce7fca4c44d814b28e0787d
Author: ljusten <ljusten@chromium.org>
Date: Thu Apr 13 14:44:35 2017

Sync histograms.xml with authpolicy's dbus-constants.h

Codes are used internally only right now. Authpolicy shouldn't
actually send them yet. This might be implemented in a future CL.

BUG= chromium:676607 
TEST=Squinted eyes to make sure XML is valid.

Review-Url: https://codereview.chromium.org/2809413002
Cr-Commit-Position: refs/heads/master@{#464402}

[modify] https://crrev.com/7bd88f51679fefff4ce7fca4c44d814b28e0787d/tools/metrics/histograms/histograms.xml

Comment 18 by dchan@chromium.org, Jan 22 2018

Status: Archived (was: Fixed)