Home | History | Annotate | Download | only in policy
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
      6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
      7 
      8 #include <string>
      9 
     10 #include "base/basictypes.h"
     11 #include "base/compiler_specific.h"
     12 #include "base/memory/ref_counted.h"
     13 #include "base/memory/scoped_ptr.h"
     14 #include "base/memory/weak_ptr.h"
     15 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
     16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
     17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
     18 #include "components/policy/core/common/cloud/cloud_policy_client.h"
     19 #include "components/policy/core/common/cloud/cloud_policy_store.h"
     20 #include "google_apis/gaia/gaia_oauth_client.h"
     21 #include "policy/proto/device_management_backend.pb.h"
     22 
     23 namespace base {
     24 class SequencedTaskRunner;
     25 }
     26 
     27 namespace chromeos {
     28 class DeviceSettingsService;
     29 }
     30 
     31 namespace policy {
     32 
     33 class DeviceCloudPolicyStoreChromeOS;
     34 class ServerBackedStateKeysBroker;
     35 
     36 // Implements the logic that establishes enterprise enrollment for Chromium OS
     37 // devices. The process is as follows:
     38 //   1. Given an auth token, register with the policy service.
     39 //   2. Download the initial policy blob from the service.
     40 //   3. Verify the policy blob. Everything up to this point doesn't touch device
     41 //      state.
     42 //   4. Download the OAuth2 authorization code for device-level API access.
     43 //   5. Download the OAuth2 refresh token for device-level API access and store
     44 //      it.
     45 //   6. Establish the device lock in installation-time attributes.
     46 //   7. Store the policy blob and API refresh token.
     47 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
     48                                   public CloudPolicyStore::Observer,
     49                                   public gaia::GaiaOAuthClient::Delegate {
     50  public:
     51   typedef DeviceCloudPolicyInitializer::AllowedDeviceModes
     52       AllowedDeviceModes;
     53   typedef DeviceCloudPolicyInitializer::EnrollmentCallback
     54       EnrollmentCallback;
     55 
     56   // |store| and |install_attributes| must remain valid for the life time of the
     57   // enrollment handler. |allowed_device_modes| determines what device modes
     58   // are acceptable. If the mode specified by the server is not acceptable,
     59   // enrollment will fail with an EnrollmentStatus indicating
     60   // STATUS_REGISTRATION_BAD_MODE.
     61   // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED.
     62   EnrollmentHandlerChromeOS(
     63       DeviceCloudPolicyStoreChromeOS* store,
     64       EnterpriseInstallAttributes* install_attributes,
     65       ServerBackedStateKeysBroker* state_keys_broker,
     66       chromeos::DeviceSettingsService* device_settings_service,
     67       scoped_ptr<CloudPolicyClient> client,
     68       scoped_refptr<base::SequencedTaskRunner> background_task_runner,
     69       const std::string& auth_token,
     70       const std::string& client_id,
     71       bool is_auto_enrollment,
     72       const std::string& requisition,
     73       const AllowedDeviceModes& allowed_device_modes,
     74       enterprise_management::PolicyData::ManagementMode management_mode,
     75       const EnrollmentCallback& completion_callback);
     76   virtual ~EnrollmentHandlerChromeOS();
     77 
     78   // Starts the enrollment process and reports the result to
     79   // |completion_callback_|.
     80   void StartEnrollment();
     81 
     82   // Releases the client.
     83   scoped_ptr<CloudPolicyClient> ReleaseClient();
     84 
     85   // CloudPolicyClient::Observer:
     86   virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
     87   virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
     88   virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
     89   virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
     90 
     91   // CloudPolicyStore::Observer:
     92   virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
     93   virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
     94 
     95   // GaiaOAuthClient::Delegate:
     96   virtual void OnGetTokensResponse(const std::string& refresh_token,
     97                                    const std::string& access_token,
     98                                    int expires_in_seconds) OVERRIDE;
     99   virtual void OnRefreshTokenResponse(const std::string& access_token,
    100                                       int expires_in_seconds) OVERRIDE;
    101   virtual void OnOAuthError() OVERRIDE;
    102   virtual void OnNetworkError(int response_code) OVERRIDE;
    103 
    104  private:
    105   // Indicates what step of the process is currently pending. These steps need
    106   // to be listed in the order they are traversed in.
    107   enum EnrollmentStep {
    108     STEP_PENDING,             // Not started yet.
    109     STEP_STATE_KEYS,          // Waiting for state keys to become available.
    110     STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
    111     STEP_REGISTRATION,        // Currently registering the client.
    112     STEP_POLICY_FETCH,        // Fetching policy.
    113     STEP_VALIDATION,          // Policy validation.
    114     STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
    115     STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
    116     STEP_LOCK_DEVICE,         // Writing installation-time attributes.
    117     STEP_STORE_TOKEN_AND_ID,  // Storing DM token and virtual device ID.
    118     STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
    119     STEP_STORE_POLICY,        // Storing policy and API refresh token.
    120     STEP_FINISHED,            // Enrollment process finished, no further action.
    121   };
    122 
    123   // Handles the response to a request for server-backed state keys.
    124   void HandleStateKeysResult(const std::vector<std::string>& state_keys,
    125                              bool first_boot);
    126 
    127   // Starts registration if the store is initialized.
    128   void StartRegistration();
    129 
    130   // Handles the policy validation result, proceeding with device lock if
    131   // successful.
    132   void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator);
    133 
    134   // Calls InstallAttributes::LockDevice() for enterprise enrollment and
    135   // DeviceSettingsService::SetManagementSettings() for consumer
    136   // enrollment.
    137   void StartLockDevice();
    138 
    139   // Checks the status after SetManagementSettings() is done. Proceeds to
    140   // robot auth code storing if successful.
    141   void HandleSetManagementSettingsDone();
    142 
    143   // Handle callback from InstallAttributes::LockDevice() and retry on failure.
    144   void HandleLockDeviceResult(
    145       EnterpriseInstallAttributes::LockResult lock_result);
    146 
    147   // Initiates storing of robot auth token.
    148   void StartStoreRobotAuth();
    149 
    150   // Handles completion of the robot token store operation.
    151   void HandleStoreRobotAuthTokenResult(bool result);
    152 
    153   // Drops any ongoing actions.
    154   void Stop();
    155 
    156   // Reports the result of the enrollment process to the initiator.
    157   void ReportResult(EnrollmentStatus status);
    158 
    159   DeviceCloudPolicyStoreChromeOS* store_;
    160   EnterpriseInstallAttributes* install_attributes_;
    161   ServerBackedStateKeysBroker* state_keys_broker_;
    162   chromeos::DeviceSettingsService* device_settings_service_;
    163   scoped_ptr<CloudPolicyClient> client_;
    164   scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
    165   scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
    166 
    167   std::string auth_token_;
    168   std::string client_id_;
    169   bool is_auto_enrollment_;
    170   std::string requisition_;
    171   std::string current_state_key_;
    172   std::string refresh_token_;
    173   AllowedDeviceModes allowed_device_modes_;
    174   enterprise_management::PolicyData::ManagementMode management_mode_;
    175   EnrollmentCallback completion_callback_;
    176 
    177   // The device mode as received in the registration request.
    178   DeviceMode device_mode_;
    179 
    180   // The validated policy response info to be installed in the store.
    181   scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
    182   std::string username_;
    183   std::string device_id_;
    184   std::string request_token_;
    185 
    186   // Current enrollment step.
    187   EnrollmentStep enrollment_step_;
    188 
    189   // Total amount of time in milliseconds spent waiting for lockbox
    190   // initialization.
    191   int lockbox_init_duration_;
    192 
    193   base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
    194 
    195   DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
    196 };
    197 
    198 }  // namespace policy
    199 
    200 #endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
    201