1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/compiler_specific.h" 12 #include "base/memory/scoped_ptr.h" 13 #include "base/memory/weak_ptr.h" 14 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" 15 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h" 16 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 17 #include "chrome/browser/policy/cloud/cloud_policy_client.h" 18 #include "chrome/browser/policy/cloud/cloud_policy_store.h" 19 #include "google_apis/gaia/gaia_oauth_client.h" 20 21 namespace enterprise_management { 22 class PolicyFetchResponse; 23 } 24 25 namespace policy { 26 27 // Implements the logic that establishes enterprise enrollment for Chromium OS 28 // devices. The process is as follows: 29 // 1. Given an auth token, register with the policy service. 30 // 2. Download the initial policy blob from the service. 31 // 3. Verify the policy blob. Everything up to this point doesn't touch device 32 // state. 33 // 4. Download the OAuth2 authorization code for device-level API access. 34 // 5. Download the OAuth2 refresh token for device-level API access and store 35 // it. 36 // 6. Establish the device lock in installation-time attributes. 37 // 7. Store the policy blob and API refresh token. 38 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer, 39 public CloudPolicyStore::Observer, 40 public gaia::GaiaOAuthClient::Delegate { 41 public: 42 typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes 43 AllowedDeviceModes; 44 typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback 45 EnrollmentCallback; 46 47 // |store| and |install_attributes| must remain valid for the life time of the 48 // enrollment handler. |allowed_device_modes| determines what device modes 49 // are acceptable. If the mode specified by the server is not acceptable, 50 // enrollment will fail with an EnrollmentStatus indicating 51 // STATUS_REGISTRATION_BAD_MODE. 52 EnrollmentHandlerChromeOS(DeviceCloudPolicyStoreChromeOS* store, 53 EnterpriseInstallAttributes* install_attributes, 54 scoped_ptr<CloudPolicyClient> client, 55 const std::string& auth_token, 56 const std::string& client_id, 57 bool is_auto_enrollment, 58 const std::string& requisition, 59 const AllowedDeviceModes& allowed_device_modes, 60 const EnrollmentCallback& completion_callback); 61 virtual ~EnrollmentHandlerChromeOS(); 62 63 // Starts the enrollment process and reports the result to 64 // |completion_callback_|. 65 void StartEnrollment(); 66 67 // Releases the client. 68 scoped_ptr<CloudPolicyClient> ReleaseClient(); 69 70 // CloudPolicyClient::Observer: 71 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE; 72 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE; 73 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE; 74 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE; 75 76 // CloudPolicyStore::Observer: 77 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 78 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 79 80 // GaiaOAuthClient::Delegate: 81 virtual void OnGetTokensResponse(const std::string& refresh_token, 82 const std::string& access_token, 83 int expires_in_seconds) OVERRIDE; 84 virtual void OnRefreshTokenResponse(const std::string& access_token, 85 int expires_in_seconds) OVERRIDE; 86 virtual void OnOAuthError() OVERRIDE; 87 virtual void OnNetworkError(int response_code) OVERRIDE; 88 89 private: 90 // Indicates what step of the process is currently pending. These steps need 91 // to be listed in the order they are traversed in. 92 enum EnrollmentStep { 93 STEP_PENDING, // Not started yet. 94 STEP_LOADING_STORE, // Waiting for |store_| to initialize. 95 STEP_REGISTRATION, // Currently registering the client. 96 STEP_POLICY_FETCH, // Fetching policy. 97 STEP_VALIDATION, // Policy validation. 98 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code. 99 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token. 100 STEP_LOCK_DEVICE, // Writing installation-time attributes. 101 STEP_STORE_POLICY, // Storing policy and API refresh token. 102 STEP_FINISHED, // Enrollment process finished, no further action. 103 }; 104 105 // Starts registration if the store is initialized. 106 void AttemptRegistration(); 107 108 // Handles the policy validation result, proceeding with installation-time 109 // attributes locking if successful. 110 void PolicyValidated(DeviceCloudPolicyValidator* validator); 111 112 // Method called to initiate the STEP_LOCK_DEVICE step. Usually called after 113 // the STEP_ROBOT_AUTH_REFRESH, but may be called directly after a failed 114 // STEP_ROBOT_AUTH_FETCH, since robot tokens are currently optional. 115 void DoLockDeviceStep(); 116 117 // Calls LockDevice() and proceeds to policy installation. If unsuccessful, 118 // reports the result. Actual installation or error report will be done in 119 // HandleLockDeviceResult(). 120 void StartLockDevice(const std::string& user, 121 DeviceMode device_mode, 122 const std::string& device_id); 123 124 // Helper for StartLockDevice(). It performs the actual action based on 125 // the result of LockDevice. 126 void HandleLockDeviceResult( 127 const std::string& user, 128 DeviceMode device_mode, 129 const std::string& device_id, 130 EnterpriseInstallAttributes::LockResult lock_result); 131 132 // Drops any ongoing actions. 133 void Stop(); 134 135 // Reports the result of the enrollment process to the initiator. 136 void ReportResult(EnrollmentStatus status); 137 138 DeviceCloudPolicyStoreChromeOS* store_; 139 EnterpriseInstallAttributes* install_attributes_; 140 scoped_ptr<CloudPolicyClient> client_; 141 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_; 142 143 std::string auth_token_; 144 std::string client_id_; 145 std::string robot_refresh_token_; 146 bool is_auto_enrollment_; 147 std::string requisition_; 148 AllowedDeviceModes allowed_device_modes_; 149 EnrollmentCallback completion_callback_; 150 151 // The device mode as received in the registration request. 152 DeviceMode device_mode_; 153 154 // The validated policy response info to be installed in the store. 155 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 156 std::string username_; 157 std::string device_id_; 158 159 // Current enrollment step. 160 EnrollmentStep enrollment_step_; 161 162 // Total amount of time in milliseconds spent waiting for lockbox 163 // initialization. 164 int lockbox_init_duration_; 165 166 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_factory_; 167 168 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS); 169 }; 170 171 } // namespace policy 172 173 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 174