// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_

#include <string>

#include "base/basictypes.h"
#include "base/compiler_specific.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/cloud/cloud_policy_store.h"
#include "google_apis/gaia/gaia_oauth_client.h"

namespace base {
class SequencedTaskRunner;
}

namespace enterprise_management {
class PolicyFetchResponse;
}

namespace policy {

// Implements the logic that establishes enterprise enrollment for Chromium OS
// devices. The process is as follows:
//   1. Given an auth token, register with the policy service.
//   2. Download the initial policy blob from the service.
//   3. Verify the policy blob. Everything up to this point doesn't touch
//      device state, so a failure in steps 1-3 leaves the device unchanged.
//   4. Download the OAuth2 authorization code for device-level API access.
//   5. Download the OAuth2 refresh token for device-level API access and
//      store it.
//   6. Establish the device lock in installation-time attributes.
//   7. Store the policy blob and API refresh token.
//
// The steps are tracked by |enrollment_step_| (see EnrollmentStep below); the
// callbacks inherited from the three observer/delegate interfaces drive the
// transitions. The outcome is delivered once, via |completion_callback_|.
class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
                                  public CloudPolicyStore::Observer,
                                  public gaia::GaiaOAuthClient::Delegate {
 public:
  typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
      AllowedDeviceModes;
  typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
      EnrollmentCallback;

  // |store| and |install_attributes| must remain valid for the life time of the
  // enrollment handler. |allowed_device_modes| determines what device modes
  // are acceptable. If the mode specified by the server is not acceptable,
  // enrollment will fail with an EnrollmentStatus indicating
  // STATUS_REGISTRATION_BAD_MODE.
  //
  // Ownership of |client| is transferred to the handler (it can be taken back
  // with ReleaseClient()). |background_task_runner| is kept as
  // |background_task_runner_|; what is posted to it is not visible in this
  // header -- presumably blocking work such as the robot token store, confirm
  // in the .cc. |auth_token|, |client_id|, |is_auto_enrollment| and
  // |requisition| are copied into the corresponding members and used for
  // registration (step 1). |completion_callback| receives the final
  // EnrollmentStatus (see ReportResult()).
  EnrollmentHandlerChromeOS(
      DeviceCloudPolicyStoreChromeOS* store,
      EnterpriseInstallAttributes* install_attributes,
      scoped_ptr<CloudPolicyClient> client,
      scoped_refptr<base::SequencedTaskRunner> background_task_runner,
      const std::string& auth_token,
      const std::string& client_id,
      bool is_auto_enrollment,
      const std::string& requisition,
      const AllowedDeviceModes& allowed_device_modes,
      const EnrollmentCallback& completion_callback);
  virtual ~EnrollmentHandlerChromeOS();

  // Starts the enrollment process and reports the result to
  // |completion_callback_|.
  void StartEnrollment();

  // Releases the client. Ownership of |client_| passes to the caller; the
  // handler no longer owns a client afterwards.
  scoped_ptr<CloudPolicyClient> ReleaseClient();

  // CloudPolicyClient::Observer:
  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;

  // CloudPolicyStore::Observer:
  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;

  // GaiaOAuthClient::Delegate:
  // OnGetTokensResponse() delivers the device API refresh token requested in
  // STEP_ROBOT_AUTH_REFRESH; the other three are the error/auxiliary paths of
  // the same exchange.
  virtual void OnGetTokensResponse(const std::string& refresh_token,
                                   const std::string& access_token,
                                   int expires_in_seconds) OVERRIDE;
  virtual void OnRefreshTokenResponse(const std::string& access_token,
                                      int expires_in_seconds) OVERRIDE;
  virtual void OnOAuthError() OVERRIDE;
  virtual void OnNetworkError(int response_code) OVERRIDE;

 private:
  // Indicates what step of the process is currently pending. These steps need
  // to be listed in the order they are traversed in.
  enum EnrollmentStep {
    STEP_PENDING,             // Not started yet.
    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
    STEP_REGISTRATION,        // Currently registering the client.
    STEP_POLICY_FETCH,        // Fetching policy.
    STEP_VALIDATION,          // Policy validation.
    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
    STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
    STEP_STORE_POLICY,        // Storing policy and API refresh token.
    STEP_FINISHED,            // Enrollment process finished, no further action.
  };

  // Starts registration if the store is initialized.
  void AttemptRegistration();

  // Handles the policy validation result, proceeding with installation-time
  // attributes locking if successful.
  void PolicyValidated(DeviceCloudPolicyValidator* validator);

  // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
  // reports the result. Actual installation or error report will be done in
  // HandleLockDeviceResult().
  void StartLockDevice(const std::string& user,
                       DeviceMode device_mode,
                       const std::string& device_id);

  // Helper for StartLockDevice(). It performs the actual action based on
  // the result of LockDevice.
  void HandleLockDeviceResult(
      const std::string& user,
      DeviceMode device_mode,
      const std::string& device_id,
      EnterpriseInstallAttributes::LockResult lock_result);

  // Handles completion of the robot token store operation. |result| is the
  // success flag of that operation.
  void HandleRobotAuthTokenStored(bool result);

  // Drops any ongoing actions.
  void Stop();

  // Reports the result of the enrollment process to the initiator.
  void ReportResult(EnrollmentStatus status);

  // Not owned; see the constructor comment for lifetime requirements.
  DeviceCloudPolicyStoreChromeOS* store_;
  EnterpriseInstallAttributes* install_attributes_;
  // Owned until ReleaseClient() hands it back.
  scoped_ptr<CloudPolicyClient> client_;
  scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;

  // Registration inputs supplied by the constructor. |auth_token_| is the
  // credential used for step 1 and is held in memory for the handler's
  // lifetime.
  std::string auth_token_;
  std::string client_id_;
  bool is_auto_enrollment_;
  std::string requisition_;
  // Device API refresh token; presumably the value received via
  // OnGetTokensResponse() and persisted in STEP_STORE_ROBOT_AUTH -- confirm
  // in the .cc.
  std::string refresh_token_;
  AllowedDeviceModes allowed_device_modes_;
  EnrollmentCallback completion_callback_;

  // The device mode as received in the registration request.
  DeviceMode device_mode_;

  // The validated policy response info to be installed in the store.
  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
  std::string username_;
  std::string device_id_;

  // Current enrollment step.
  EnrollmentStep enrollment_step_;

  // Total amount of time in milliseconds spent waiting for lockbox
  // initialization.
  int lockbox_init_duration_;

  // Used for locking the device (and, by the look of
  // HandleRobotAuthTokenStored(), presumably the robot token store reply as
  // well -- confirm in the .cc). Declared last so it is destroyed first, which
  // invalidates outstanding weak pointers before the other members go away.
  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;

  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
};

}  // namespace policy

#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_