Home | History | Annotate | Download | only in enterprise_platform_keys_private 
      1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_PLATFORM_KEYS_PRIVATE_ENTERPRISE_PLATFORM_KEYS_PRIVATE_API_H__
      6 #define CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_PLATFORM_KEYS_PRIVATE_ENTERPRISE_PLATFORM_KEYS_PRIVATE_API_H__
      7 
      8 #include <string>
      9 
     10 #include "base/callback.h"
     11 #include "base/compiler_specific.h"
     12 #include "base/memory/scoped_ptr.h"
     13 #include "chrome/browser/extensions/chrome_extension_function.h"
     14 #include "chrome/common/extensions/api/enterprise_platform_keys_private.h"
     15 #include "chromeos/attestation/attestation_constants.h"
     16 #include "chromeos/attestation/attestation_flow.h"
     17 #include "chromeos/dbus/cryptohome_client.h"
     18 #include "chromeos/dbus/dbus_method_call_status.h"
     19 #include "third_party/cros_system_api/dbus/service_constants.h"
     20 
     21 class PrefService;
     22 
     23 namespace chromeos {
     24 class CryptohomeClient;
     25 }
     26 
     27 namespace cryptohome {
     28 class AsyncMethodCaller;
     29 }
     30 
     31 namespace policy {
     32 class EnterpriseInstallAttributes;
     33 }
     34 
     35 namespace user_prefs {
     36 class PrefRegistrySyncable;
     37 }
     38 
     39 namespace extensions {
     40 
     41 class EPKPChallengeKeyBase : public ChromeAsyncExtensionFunction {
     42  public:
     43   static const char kChallengeBadBase64Error[];
     44   static const char kDevicePolicyDisabledError[];
     45   static const char kExtensionNotWhitelistedError[];
     46   static const char kResponseBadBase64Error[];
     47   static const char kSignChallengeFailedError[];
     48   static const char kUserNotManaged[];
     49 
     50  protected:
     51   enum PrepareKeyResult {
     52     PREPARE_KEY_OK = 0,
     53     PREPARE_KEY_DBUS_ERROR,
     54     PREPARE_KEY_USER_REJECTED,
     55     PREPARE_KEY_GET_CERTIFICATE_FAILED,
     56     PREPARE_KEY_RESET_REQUIRED
     57   };
     58 
     59   EPKPChallengeKeyBase();
     60   EPKPChallengeKeyBase(
     61       chromeos::CryptohomeClient* cryptohome_client,
     62       cryptohome::AsyncMethodCaller* async_caller,
     63       chromeos::attestation::AttestationFlow* attestation_flow,
     64       policy::EnterpriseInstallAttributes* install_attributes);
     65   virtual ~EPKPChallengeKeyBase();
     66 
     67   // Returns a trusted value from CroSettings indicating if the device
     68   // attestation is enabled.
     69   void GetDeviceAttestationEnabled(
     70       const base::Callback<void(bool)>& callback) const;
     71 
     72   // Returns true if the device is enterprise managed.
     73   bool IsEnterpriseDevice() const;
     74 
     75   // Returns true if the extension is white-listed in the user policy.
     76   bool IsExtensionWhitelisted() const;
     77 
     78   // Returns true if the user is enterprise managed.
     79   bool IsUserManaged() const;
     80 
     81   // Returns the enterprise domain the device is enrolled to.
     82   std::string GetEnterpriseDomain() const;
     83 
     84   // Returns the user email.
     85   std::string GetUserEmail() const;
     86 
     87   // Returns the enterprise virtual device ID.
     88   std::string GetDeviceId() const;
     89 
     90   // Prepares the key for signing. It will first check if the key exists. If
     91   // the key does not exist, it will call AttestationFlow::GetCertificate() to
     92   // get a new one. If require_user_consent is true, it will explicitly ask for
     93   // user consent before calling GetCertificate().
     94   void PrepareKey(
     95       chromeos::attestation::AttestationKeyType key_type,
     96       const std::string& user_id,
     97       const std::string& key_name,
     98       chromeos::attestation::AttestationCertificateProfile certificate_profile,
     99       bool require_user_consent,
    100       const base::Callback<void(PrepareKeyResult)>& callback);
    101 
    102   chromeos::CryptohomeClient* cryptohome_client_;
    103   cryptohome::AsyncMethodCaller* async_caller_;
    104   chromeos::attestation::AttestationFlow* attestation_flow_;
    105   scoped_ptr<chromeos::attestation::AttestationFlow> default_attestation_flow_;
    106 
    107  private:
    108   // Holds the context of a PrepareKey() operation.
    109   struct PrepareKeyContext {
    110     PrepareKeyContext(
    111         chromeos::attestation::AttestationKeyType key_type,
    112         const std::string& user_id,
    113         const std::string& key_name,
    114         chromeos::attestation::AttestationCertificateProfile
    115             certificate_profile,
    116         bool require_user_consent,
    117         const base::Callback<void(PrepareKeyResult)>& callback);
    118     ~PrepareKeyContext();
    119 
    120     chromeos::attestation::AttestationKeyType key_type;
    121     const std::string user_id;
    122     const std::string key_name;
    123     chromeos::attestation::AttestationCertificateProfile certificate_profile;
    124     bool require_user_consent;
    125     const base::Callback<void(PrepareKeyResult)> callback;
    126   };
    127 
    128   void IsAttestationPreparedCallback(
    129       const PrepareKeyContext& context,
    130       chromeos::DBusMethodCallStatus status,
    131       bool result);
    132   void DoesKeyExistCallback(
    133       const PrepareKeyContext& context,
    134       chromeos::DBusMethodCallStatus status,
    135       bool result);
    136   void AskForUserConsent(const base::Callback<void(bool)>& callback) const;
    137   void AskForUserConsentCallback(
    138       const PrepareKeyContext& context,
    139       bool result);
    140   void GetCertificateCallback(
    141       const base::Callback<void(PrepareKeyResult)>& callback,
    142       bool success,
    143       const std::string& pem_certificate_chain);
    144 
    145   policy::EnterpriseInstallAttributes* install_attributes_;
    146 };
    147 
    148 class EPKPChallengeMachineKey : public EPKPChallengeKeyBase {
    149  public:
    150   static const char kGetCertificateFailedError[];
    151   static const char kNonEnterpriseDeviceError[];
    152 
    153   EPKPChallengeMachineKey();
    154   EPKPChallengeMachineKey(
    155       chromeos::CryptohomeClient* cryptohome_client,
    156       cryptohome::AsyncMethodCaller* async_caller,
    157       chromeos::attestation::AttestationFlow* attestation_flow,
    158       policy::EnterpriseInstallAttributes* install_attributes);
    159 
    160  protected:
    161   virtual bool RunAsync() OVERRIDE;
    162 
    163  private:
    164   static const char kKeyName[];
    165 
    166   virtual ~EPKPChallengeMachineKey();
    167 
    168   void GetDeviceAttestationEnabledCallback(const std::string& challenge,
    169                                            bool enabled);
    170   void PrepareKeyCallback(const std::string& challenge,
    171                           PrepareKeyResult result);
    172   void SignChallengeCallback(bool success, const std::string& response);
    173 
    174   DECLARE_EXTENSION_FUNCTION(
    175       "enterprise.platformKeysPrivate.challengeMachineKey",
    176       ENTERPRISE_PLATFORMKEYSPRIVATE_CHALLENGEMACHINEKEY);
    177 };
    178 
    179 typedef EPKPChallengeMachineKey
    180     EnterprisePlatformKeysPrivateChallengeMachineKeyFunction;
    181 
    182 class EPKPChallengeUserKey : public EPKPChallengeKeyBase {
    183  public:
    184   static const char kGetCertificateFailedError[];
    185   static const char kKeyRegistrationFailedError[];
    186   static const char kUserPolicyDisabledError[];
    187 
    188   EPKPChallengeUserKey();
    189   EPKPChallengeUserKey(
    190       chromeos::CryptohomeClient* cryptohome_client,
    191       cryptohome::AsyncMethodCaller* async_caller,
    192       chromeos::attestation::AttestationFlow* attestation_flow,
    193       policy::EnterpriseInstallAttributes* install_attributes);
    194 
    195   static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
    196 
    197  protected:
    198   virtual bool RunAsync() OVERRIDE;
    199 
    200  private:
    201   static const char kKeyName[];
    202 
    203   virtual ~EPKPChallengeUserKey();
    204 
    205   void GetDeviceAttestationEnabledCallback(const std::string& challenge,
    206                                            bool register_key,
    207                                            bool require_user_consent,
    208                                            bool enabled);
    209   void PrepareKeyCallback(const std::string& challenge,
    210                           bool register_key,
    211                           PrepareKeyResult result);
    212   void SignChallengeCallback(bool register_key,
    213                              bool success,
    214                              const std::string& response);
    215   void RegisterKeyCallback(const std::string& response,
    216                            bool success,
    217                            cryptohome::MountError return_code);
    218 
    219   bool IsRemoteAttestationEnabledForUser() const;
    220 
    221   DECLARE_EXTENSION_FUNCTION(
    222       "enterprise.platformKeysPrivate.challengeUserKey",
    223       ENTERPRISE_PLATFORMKEYSPRIVATE_CHALLENGEUSERKEY);
    224 };
    225 
    226 typedef EPKPChallengeUserKey
    227     EnterprisePlatformKeysPrivateChallengeUserKeyFunction;
    228 
    229 }  // namespace extensions
    230 
    231 #endif  // CHROME_BROWSER_EXTENSIONS_API_ENTERPRISE_PLATFORM_KEYS_PRIVATE_ENTERPRISE_PLATFORM_KEYS_PRIVATE_API_H__
    232