1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/compiler_specific.h" 12 #include "base/memory/ref_counted.h" 13 #include "base/memory/scoped_ptr.h" 14 #include "base/memory/weak_ptr.h" 15 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h" 16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h" 17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 18 #include "components/policy/core/common/cloud/cloud_policy_client.h" 19 #include "components/policy/core/common/cloud/cloud_policy_store.h" 20 #include "google_apis/gaia/gaia_oauth_client.h" 21 #include "policy/proto/device_management_backend.pb.h" 22 23 namespace base { 24 class SequencedTaskRunner; 25 } 26 27 namespace chromeos { 28 class DeviceSettingsService; 29 } 30 31 namespace policy { 32 33 class DeviceCloudPolicyStoreChromeOS; 34 class ServerBackedStateKeysBroker; 35 36 // Implements the logic that establishes enterprise enrollment for Chromium OS 37 // devices. The process is as follows: 38 // 1. Given an auth token, register with the policy service. 39 // 2. Download the initial policy blob from the service. 40 // 3. Verify the policy blob. Everything up to this point doesn't touch device 41 // state. 42 // 4. Download the OAuth2 authorization code for device-level API access. 43 // 5. Download the OAuth2 refresh token for device-level API access and store 44 // it. 45 // 6. Establish the device lock in installation-time attributes. 46 // 7. Store the policy blob and API refresh token. 47 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer, 48 public CloudPolicyStore::Observer, 49 public gaia::GaiaOAuthClient::Delegate { 50 public: 51 typedef DeviceCloudPolicyInitializer::AllowedDeviceModes 52 AllowedDeviceModes; 53 typedef DeviceCloudPolicyInitializer::EnrollmentCallback 54 EnrollmentCallback; 55 56 // |store| and |install_attributes| must remain valid for the life time of the 57 // enrollment handler. |allowed_device_modes| determines what device modes 58 // are acceptable. If the mode specified by the server is not acceptable, 59 // enrollment will fail with an EnrollmentStatus indicating 60 // STATUS_REGISTRATION_BAD_MODE. 61 // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED. 62 EnrollmentHandlerChromeOS( 63 DeviceCloudPolicyStoreChromeOS* store, 64 EnterpriseInstallAttributes* install_attributes, 65 ServerBackedStateKeysBroker* state_keys_broker, 66 chromeos::DeviceSettingsService* device_settings_service, 67 scoped_ptr<CloudPolicyClient> client, 68 scoped_refptr<base::SequencedTaskRunner> background_task_runner, 69 const std::string& auth_token, 70 const std::string& client_id, 71 bool is_auto_enrollment, 72 const std::string& requisition, 73 const AllowedDeviceModes& allowed_device_modes, 74 enterprise_management::PolicyData::ManagementMode management_mode, 75 const EnrollmentCallback& completion_callback); 76 virtual ~EnrollmentHandlerChromeOS(); 77 78 // Starts the enrollment process and reports the result to 79 // |completion_callback_|. 80 void StartEnrollment(); 81 82 // Releases the client. 83 scoped_ptr<CloudPolicyClient> ReleaseClient(); 84 85 // CloudPolicyClient::Observer: 86 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE; 87 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE; 88 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE; 89 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE; 90 91 // CloudPolicyStore::Observer: 92 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 93 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 94 95 // GaiaOAuthClient::Delegate: 96 virtual void OnGetTokensResponse(const std::string& refresh_token, 97 const std::string& access_token, 98 int expires_in_seconds) OVERRIDE; 99 virtual void OnRefreshTokenResponse(const std::string& access_token, 100 int expires_in_seconds) OVERRIDE; 101 virtual void OnOAuthError() OVERRIDE; 102 virtual void OnNetworkError(int response_code) OVERRIDE; 103 104 private: 105 // Indicates what step of the process is currently pending. These steps need 106 // to be listed in the order they are traversed in. 107 enum EnrollmentStep { 108 STEP_PENDING, // Not started yet. 109 STEP_STATE_KEYS, // Waiting for state keys to become available. 110 STEP_LOADING_STORE, // Waiting for |store_| to initialize. 111 STEP_REGISTRATION, // Currently registering the client. 112 STEP_POLICY_FETCH, // Fetching policy. 113 STEP_VALIDATION, // Policy validation. 114 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code. 115 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token. 116 STEP_LOCK_DEVICE, // Writing installation-time attributes. 117 STEP_STORE_TOKEN_AND_ID, // Storing DM token and virtual device ID. 118 STEP_STORE_ROBOT_AUTH, // Encrypting & writing robot refresh token. 119 STEP_STORE_POLICY, // Storing policy and API refresh token. 120 STEP_FINISHED, // Enrollment process finished, no further action. 121 }; 122 123 // Handles the response to a request for server-backed state keys. 124 void HandleStateKeysResult(const std::vector<std::string>& state_keys, 125 bool first_boot); 126 127 // Starts registration if the store is initialized. 128 void StartRegistration(); 129 130 // Handles the policy validation result, proceeding with device lock if 131 // successful. 132 void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator); 133 134 // Calls InstallAttributes::LockDevice() for enterprise enrollment and 135 // DeviceSettingsService::SetManagementSettings() for consumer 136 // enrollment. 137 void StartLockDevice(); 138 139 // Checks the status after SetManagementSettings() is done. Proceeds to 140 // robot auth code storing if successful. 141 void HandleSetManagementSettingsDone(); 142 143 // Handle callback from InstallAttributes::LockDevice() and retry on failure. 144 void HandleLockDeviceResult( 145 EnterpriseInstallAttributes::LockResult lock_result); 146 147 // Initiates storing of robot auth token. 148 void StartStoreRobotAuth(); 149 150 // Handles completion of the robot token store operation. 151 void HandleStoreRobotAuthTokenResult(bool result); 152 153 // Drops any ongoing actions. 154 void Stop(); 155 156 // Reports the result of the enrollment process to the initiator. 157 void ReportResult(EnrollmentStatus status); 158 159 DeviceCloudPolicyStoreChromeOS* store_; 160 EnterpriseInstallAttributes* install_attributes_; 161 ServerBackedStateKeysBroker* state_keys_broker_; 162 chromeos::DeviceSettingsService* device_settings_service_; 163 scoped_ptr<CloudPolicyClient> client_; 164 scoped_refptr<base::SequencedTaskRunner> background_task_runner_; 165 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_; 166 167 std::string auth_token_; 168 std::string client_id_; 169 bool is_auto_enrollment_; 170 std::string requisition_; 171 std::string current_state_key_; 172 std::string refresh_token_; 173 AllowedDeviceModes allowed_device_modes_; 174 enterprise_management::PolicyData::ManagementMode management_mode_; 175 EnrollmentCallback completion_callback_; 176 177 // The device mode as received in the registration request. 178 DeviceMode device_mode_; 179 180 // The validated policy response info to be installed in the store. 181 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 182 std::string username_; 183 std::string device_id_; 184 std::string request_token_; 185 186 // Current enrollment step. 187 EnrollmentStep enrollment_step_; 188 189 // Total amount of time in milliseconds spent waiting for lockbox 190 // initialization. 191 int lockbox_init_duration_; 192 193 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_; 194 195 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS); 196 }; 197 198 } // namespace policy 199 200 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 201