enrollment_handler_chromeos.h revision 90dce4d38c5ff5333bea97d859d4e484e27edf0c 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "base/compiler_specific.h"
12#include "base/memory/scoped_ptr.h"
13#include "base/memory/weak_ptr.h"
14#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
15#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
16#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
17#include "chrome/browser/policy/cloud/cloud_policy_client.h"
18#include "chrome/browser/policy/cloud/cloud_policy_store.h"
19#include "google_apis/gaia/gaia_oauth_client.h"
20
21namespace enterprise_management {
22class PolicyFetchResponse;
23}
24
25namespace policy {
26
27// Implements the logic that establishes enterprise enrollment for Chromium OS
28// devices. The process is as follows:
29//   1. Given an auth token, register with the policy service.
30//   2. Download the initial policy blob from the service.
31//   3. Verify the policy blob. Everything up to this point doesn't touch device
32//      state.
33//   4. Download the OAuth2 authorization code for device-level API access.
34//   5. Download the OAuth2 refresh token for device-level API access and store
35//      it.
36//   6. Establish the device lock in installation-time attributes.
37//   7. Store the policy blob and API refresh token.
38class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
39                                  public CloudPolicyStore::Observer,
40                                  public gaia::GaiaOAuthClient::Delegate {
41 public:
42  typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
43      AllowedDeviceModes;
44  typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
45      EnrollmentCallback;
46
47  // |store| and |install_attributes| must remain valid for the life time of the
48  // enrollment handler. |allowed_device_modes| determines what device modes
49  // are acceptable. If the mode specified by the server is not acceptable,
50  // enrollment will fail with an EnrollmentStatus indicating
51  // STATUS_REGISTRATION_BAD_MODE.
52  EnrollmentHandlerChromeOS(DeviceCloudPolicyStoreChromeOS* store,
53                            EnterpriseInstallAttributes* install_attributes,
54                            scoped_ptr<CloudPolicyClient> client,
55                            const std::string& auth_token,
56                            const std::string& client_id,
57                            bool is_auto_enrollment,
58                            const std::string& requisition,
59                            const AllowedDeviceModes& allowed_device_modes,
60                            const EnrollmentCallback& completion_callback);
61  virtual ~EnrollmentHandlerChromeOS();
62
63  // Starts the enrollment process and reports the result to
64  // |completion_callback_|.
65  void StartEnrollment();
66
67  // Releases the client.
68  scoped_ptr<CloudPolicyClient> ReleaseClient();
69
70  // CloudPolicyClient::Observer:
71  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
72  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
73  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
74  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
75
76  // CloudPolicyStore::Observer:
77  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
78  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
79
80  // GaiaOAuthClient::Delegate:
81  virtual void OnGetTokensResponse(const std::string& refresh_token,
82                                   const std::string& access_token,
83                                   int expires_in_seconds) OVERRIDE;
84  virtual void OnRefreshTokenResponse(const std::string& access_token,
85                                      int expires_in_seconds) OVERRIDE;
86  virtual void OnOAuthError() OVERRIDE;
87  virtual void OnNetworkError(int response_code) OVERRIDE;
88
89 private:
90  // Indicates what step of the process is currently pending. These steps need
91  // to be listed in the order they are traversed in.
92  enum EnrollmentStep {
93    STEP_PENDING,             // Not started yet.
94    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
95    STEP_REGISTRATION,        // Currently registering the client.
96    STEP_POLICY_FETCH,        // Fetching policy.
97    STEP_VALIDATION,          // Policy validation.
98    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
99    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
100    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
101    STEP_STORE_POLICY,        // Storing policy and API refresh token.
102    STEP_FINISHED,            // Enrollment process finished, no further action.
103  };
104
105  // Starts registration if the store is initialized.
106  void AttemptRegistration();
107
108  // Handles the policy validation result, proceeding with installation-time
109  // attributes locking if successful.
110  void PolicyValidated(DeviceCloudPolicyValidator* validator);
111
112  // Method called to initiate the STEP_LOCK_DEVICE step.  Usually called after
113  // the STEP_ROBOT_AUTH_REFRESH, but may be called directly after a failed
114  // STEP_ROBOT_AUTH_FETCH, since robot tokens are currently optional.
115  void DoLockDeviceStep();
116
117  // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
118  // reports the result. Actual installation or error report will be done in
119  // HandleLockDeviceResult().
120  void StartLockDevice(const std::string& user,
121                       DeviceMode device_mode,
122                       const std::string& device_id);
123
124  // Helper for StartLockDevice(). It performs the actual action based on
125  // the result of LockDevice.
126  void HandleLockDeviceResult(
127      const std::string& user,
128      DeviceMode device_mode,
129      const std::string& device_id,
130      EnterpriseInstallAttributes::LockResult lock_result);
131
132  // Drops any ongoing actions.
133  void Stop();
134
135  // Reports the result of the enrollment process to the initiator.
136  void ReportResult(EnrollmentStatus status);
137
138  DeviceCloudPolicyStoreChromeOS* store_;
139  EnterpriseInstallAttributes* install_attributes_;
140  scoped_ptr<CloudPolicyClient> client_;
141  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
142
143  std::string auth_token_;
144  std::string client_id_;
145  std::string robot_refresh_token_;
146  bool is_auto_enrollment_;
147  std::string requisition_;
148  AllowedDeviceModes allowed_device_modes_;
149  EnrollmentCallback completion_callback_;
150
151  // The device mode as received in the registration request.
152  DeviceMode device_mode_;
153
154  // The validated policy response info to be installed in the store.
155  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
156  std::string username_;
157  std::string device_id_;
158
159  // Current enrollment step.
160  EnrollmentStep enrollment_step_;
161
162  // Total amount of time in milliseconds spent waiting for lockbox
163  // initialization.
164  int lockbox_init_duration_;
165
166  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_factory_;
167
168  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
169};
170
171}  // namespace policy
172
173#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
174