enrollment_handler_chromeos.h revision 1320f92c476a1ad9d19dba2a48c72b75566198e9 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "base/compiler_specific.h"
12#include "base/memory/ref_counted.h"
13#include "base/memory/scoped_ptr.h"
14#include "base/memory/weak_ptr.h"
15#include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
16#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
17#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
18#include "components/policy/core/common/cloud/cloud_policy_client.h"
19#include "components/policy/core/common/cloud/cloud_policy_store.h"
20#include "google_apis/gaia/gaia_oauth_client.h"
21#include "policy/proto/device_management_backend.pb.h"
22
23namespace base {
24class SequencedTaskRunner;
25}
26
27namespace chromeos {
28class DeviceSettingsService;
29}
30
31namespace policy {
32
33class DeviceCloudPolicyStoreChromeOS;
34class ServerBackedStateKeysBroker;
35
36// Implements the logic that establishes enterprise enrollment for Chromium OS
37// devices. The process is as follows:
38//   1. Given an auth token, register with the policy service.
39//   2. Download the initial policy blob from the service.
40//   3. Verify the policy blob. Everything up to this point doesn't touch device
41//      state.
42//   4. Download the OAuth2 authorization code for device-level API access.
43//   5. Download the OAuth2 refresh token for device-level API access and store
44//      it.
45//   6. Establish the device lock in installation-time attributes.
46//   7. Store the policy blob and API refresh token.
47class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
48                                  public CloudPolicyStore::Observer,
49                                  public gaia::GaiaOAuthClient::Delegate {
50 public:
51  typedef DeviceCloudPolicyInitializer::AllowedDeviceModes
52      AllowedDeviceModes;
53  typedef DeviceCloudPolicyInitializer::EnrollmentCallback
54      EnrollmentCallback;
55
56  // |store| and |install_attributes| must remain valid for the life time of the
57  // enrollment handler. |allowed_device_modes| determines what device modes
58  // are acceptable. If the mode specified by the server is not acceptable,
59  // enrollment will fail with an EnrollmentStatus indicating
60  // STATUS_REGISTRATION_BAD_MODE.
61  // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED.
62  EnrollmentHandlerChromeOS(
63      DeviceCloudPolicyStoreChromeOS* store,
64      EnterpriseInstallAttributes* install_attributes,
65      ServerBackedStateKeysBroker* state_keys_broker,
66      chromeos::DeviceSettingsService* device_settings_service,
67      scoped_ptr<CloudPolicyClient> client,
68      scoped_refptr<base::SequencedTaskRunner> background_task_runner,
69      const std::string& auth_token,
70      const std::string& client_id,
71      bool is_auto_enrollment,
72      const std::string& requisition,
73      const AllowedDeviceModes& allowed_device_modes,
74      enterprise_management::PolicyData::ManagementMode management_mode,
75      const EnrollmentCallback& completion_callback);
76  virtual ~EnrollmentHandlerChromeOS();
77
78  // Starts the enrollment process and reports the result to
79  // |completion_callback_|.
80  void StartEnrollment();
81
82  // Releases the client.
83  scoped_ptr<CloudPolicyClient> ReleaseClient();
84
85  // CloudPolicyClient::Observer:
86  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
87  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
88  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
89  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
90
91  // CloudPolicyStore::Observer:
92  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
93  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
94
95  // GaiaOAuthClient::Delegate:
96  virtual void OnGetTokensResponse(const std::string& refresh_token,
97                                   const std::string& access_token,
98                                   int expires_in_seconds) OVERRIDE;
99  virtual void OnRefreshTokenResponse(const std::string& access_token,
100                                      int expires_in_seconds) OVERRIDE;
101  virtual void OnOAuthError() OVERRIDE;
102  virtual void OnNetworkError(int response_code) OVERRIDE;
103
104 private:
105  // Indicates what step of the process is currently pending. These steps need
106  // to be listed in the order they are traversed in.
107  enum EnrollmentStep {
108    STEP_PENDING,             // Not started yet.
109    STEP_STATE_KEYS,          // Waiting for state keys to become available.
110    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
111    STEP_REGISTRATION,        // Currently registering the client.
112    STEP_POLICY_FETCH,        // Fetching policy.
113    STEP_VALIDATION,          // Policy validation.
114    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
115    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
116    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
117    STEP_STORE_TOKEN_AND_ID,  // Storing DM token and virtual device ID.
118    STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
119    STEP_STORE_POLICY,        // Storing policy and API refresh token.
120    STEP_FINISHED,            // Enrollment process finished, no further action.
121  };
122
123  // Handles the response to a request for server-backed state keys.
124  void HandleStateKeysResult(const std::vector<std::string>& state_keys,
125                             bool first_boot);
126
127  // Starts registration if the store is initialized.
128  void StartRegistration();
129
130  // Handles the policy validation result, proceeding with device lock if
131  // successful.
132  void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator);
133
134  // Calls InstallAttributes::LockDevice() for enterprise enrollment and
135  // DeviceSettingsService::SetManagementSettings() for consumer
136  // enrollment.
137  void StartLockDevice();
138
139  // Checks the status after SetManagementSettings() is done. Proceeds to
140  // robot auth code storing if successful.
141  void HandleSetManagementSettingsDone();
142
143  // Handle callback from InstallAttributes::LockDevice() and retry on failure.
144  void HandleLockDeviceResult(
145      EnterpriseInstallAttributes::LockResult lock_result);
146
147  // Initiates storing of robot auth token.
148  void StartStoreRobotAuth();
149
150  // Handles completion of the robot token store operation.
151  void HandleStoreRobotAuthTokenResult(bool result);
152
153  // Drops any ongoing actions.
154  void Stop();
155
156  // Reports the result of the enrollment process to the initiator.
157  void ReportResult(EnrollmentStatus status);
158
159  DeviceCloudPolicyStoreChromeOS* store_;
160  EnterpriseInstallAttributes* install_attributes_;
161  ServerBackedStateKeysBroker* state_keys_broker_;
162  chromeos::DeviceSettingsService* device_settings_service_;
163  scoped_ptr<CloudPolicyClient> client_;
164  scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
165  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
166
167  std::string auth_token_;
168  std::string client_id_;
169  bool is_auto_enrollment_;
170  std::string requisition_;
171  std::string current_state_key_;
172  std::string refresh_token_;
173  AllowedDeviceModes allowed_device_modes_;
174  enterprise_management::PolicyData::ManagementMode management_mode_;
175  EnrollmentCallback completion_callback_;
176
177  // The device mode as received in the registration request.
178  DeviceMode device_mode_;
179
180  // The validated policy response info to be installed in the store.
181  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
182  std::string username_;
183  std::string device_id_;
184  std::string request_token_;
185
186  // Current enrollment step.
187  EnrollmentStep enrollment_step_;
188
189  // Total amount of time in milliseconds spent waiting for lockbox
190  // initialization.
191  int lockbox_init_duration_;
192
193  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
194
195  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
196};
197
198}  // namespace policy
199
200#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
201