enrollment_handler_chromeos.h revision a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_

#include <string>

#include "base/basictypes.h"
#include "base/compiler_specific.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/cloud/cloud_policy_store.h"
#include "google_apis/gaia/gaia_oauth_client.h"

namespace base {
class SequencedTaskRunner;
}

namespace chromeos {
class DeviceOAuth2TokenService;
}

namespace enterprise_management {
class PolicyFetchResponse;
}

namespace policy {

// Implements the logic that establishes enterprise enrollment for Chromium OS
// devices. The process is as follows:
// 1. Given an auth token, register with the policy service.
// 2. Download the initial policy blob from the service.
// 3. Verify the policy blob. Everything up to this point doesn't touch device
//    state.
// 4. Download the OAuth2 authorization code for device-level API access.
// 5. Download the OAuth2 refresh token for device-level API access and store
//    it.
// 6. Establish the device lock in installation-time attributes.
// 7. Store the policy blob and API refresh token.
//
// Progress through these steps is tracked by the private EnrollmentStep enum
// below, and the outcome is delivered to the completion callback as an
// EnrollmentStatus (see ReportResult()). For the duration of the process the
// handler keeps credential material in memory (the caller-supplied auth token
// and the robot account refresh token); neither should end up in logs or
// error reports.
class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
                                  public CloudPolicyStore::Observer,
                                  public gaia::GaiaOAuthClient::Delegate {
 public:
  typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
      AllowedDeviceModes;
  typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
      EnrollmentCallback;

  // |store| and |install_attributes| must remain valid for the life time of the
  // enrollment handler (they are held as non-owning pointers).
  // |client| is taken over by the handler; see ReleaseClient() for handing it
  // back. |auth_token| is the credential used for the registration in step 1.
  // |allowed_device_modes| determines what device modes are acceptable. If the
  // mode specified by the server is not acceptable, enrollment will fail with
  // an EnrollmentStatus indicating STATUS_REGISTRATION_BAD_MODE.
  // |completion_callback| receives the final result once the process stops.
  EnrollmentHandlerChromeOS(
      DeviceCloudPolicyStoreChromeOS* store,
      EnterpriseInstallAttributes* install_attributes,
      scoped_ptr<CloudPolicyClient> client,
      scoped_refptr<base::SequencedTaskRunner> background_task_runner,
      const std::string& auth_token,
      const std::string& client_id,
      bool is_auto_enrollment,
      const std::string& requisition,
      const AllowedDeviceModes& allowed_device_modes,
      const EnrollmentCallback& completion_callback);
  virtual ~EnrollmentHandlerChromeOS();

  // Starts the enrollment process and reports the result to
  // |completion_callback_|.
  void StartEnrollment();

  // Releases the client, transferring ownership of |client_| back to the
  // caller. The handler no longer owns a client afterwards.
  scoped_ptr<CloudPolicyClient> ReleaseClient();

  // CloudPolicyClient::Observer:
  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;

  // CloudPolicyStore::Observer:
  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;

  // GaiaOAuthClient::Delegate:
  // |refresh_token| delivered to OnGetTokensResponse() is a long-lived
  // credential for the device's robot account; it must be treated as secret.
  virtual void OnGetTokensResponse(const std::string& refresh_token,
                                   const std::string& access_token,
                                   int expires_in_seconds) OVERRIDE;
  virtual void OnRefreshTokenResponse(const std::string& access_token,
                                      int expires_in_seconds) OVERRIDE;
  virtual void OnOAuthError() OVERRIDE;
  virtual void OnNetworkError(int response_code) OVERRIDE;

 private:
  // Indicates what step of the process is currently pending. These steps need
  // to be listed in the order they are traversed in (the enumerator order is
  // relied upon, so do not reorder or insert without checking the .cc).
  enum EnrollmentStep {
    STEP_PENDING,             // Not started yet.
    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
    STEP_REGISTRATION,        // Currently registering the client.
    STEP_POLICY_FETCH,        // Fetching policy.
    STEP_VALIDATION,          // Policy validation.
    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
    STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
    STEP_STORE_POLICY,        // Storing policy and API refresh token.
    STEP_FINISHED,            // Enrollment process finished, no further action.
  };

  // Starts registration if the store is initialized.
  void AttemptRegistration();

  // Handles the policy validation result, proceeding with installation-time
  // attributes locking if successful.
  void PolicyValidated(DeviceCloudPolicyValidator* validator);

  // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
  // reports the result. Actual installation or error report will be done in
  // HandleLockDeviceResult().
  void StartLockDevice(const std::string& user,
                       DeviceMode device_mode,
                       const std::string& device_id);

  // Helper for StartLockDevice(). It performs the actual action based on
  // the result of LockDevice.
  void HandleLockDeviceResult(
      const std::string& user,
      DeviceMode device_mode,
      const std::string& device_id,
      EnterpriseInstallAttributes::LockResult lock_result);

  // Drops any ongoing actions.
  void Stop();

  // Reports the result of the enrollment process to the initiator.
  void ReportResult(EnrollmentStatus status);

  // Continuation of OnStoreLoaded().
  void DidGetTokenService(chromeos::DeviceOAuth2TokenService* token_service);

  // Non-owning; the caller guarantees both outlive this handler (see the
  // constructor comment).
  DeviceCloudPolicyStoreChromeOS* store_;
  EnterpriseInstallAttributes* install_attributes_;
  // Owned. May be handed back to the caller via ReleaseClient().
  scoped_ptr<CloudPolicyClient> client_;
  scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
  // Owned. Used for the OAuth2 exchanges in the robot auth steps.
  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;

  // Credential supplied by the caller for registration (step 1). Secret.
  std::string auth_token_;
  std::string client_id_;
  bool is_auto_enrollment_;
  std::string requisition_;
  // Robot account OAuth2 refresh token (step 5), kept in memory until it is
  // encrypted and written in STEP_STORE_ROBOT_AUTH. Secret; presumably filled
  // in from OnGetTokensResponse() -- confirm in the .cc.
  std::string refresh_token_;
  // Device modes the caller accepts; a server-specified mode outside this set
  // fails enrollment with STATUS_REGISTRATION_BAD_MODE.
  AllowedDeviceModes allowed_device_modes_;
  EnrollmentCallback completion_callback_;

  // The device mode as received in the registration request.
  DeviceMode device_mode_;

  // The validated policy response info to be installed in the store.
  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
  // Enrolling user and device id handed to StartLockDevice(); presumably
  // extracted from the validated policy -- confirm in the .cc.
  std::string username_;
  std::string device_id_;

  // Current enrollment step.
  EnrollmentStep enrollment_step_;

  // Total amount of time in milliseconds spent waiting for lockbox
  // initialization.
  int lockbox_init_duration_;

  // Used for locking the device and getting the OAuth2 token service.
  // Declared last so that outstanding weak pointers are invalidated before
  // the other members are torn down.
  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;

  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
};

}  // namespace policy

#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_