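// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_

#include <string>
#include <vector>

#include "base/basictypes.h"
#include "base/compiler_specific.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/cloud/cloud_policy_store.h"
#include "google_apis/gaia/gaia_oauth_client.h"

namespace base {
class SequencedTaskRunner;
}

namespace enterprise_management {
class PolicyFetchResponse;
}

namespace policy {

class ServerBackedStateKeysBroker;

// Implements the logic that establishes enterprise enrollment for Chromium OS
// devices. The process is as follows:
// 1. Given an auth token, register with the policy service.
// 2. Download the initial policy blob from the service.
// 3. Verify the policy blob. Everything up to this point doesn't touch device
//    state.
// 4. Download the OAuth2 authorization code for device-level API access.
// 5. Download the OAuth2 refresh token for device-level API access and store
//    it.
// 6. Establish the device lock in installation-time attributes.
// 7. Store the policy blob and API refresh token.
//
// The handler drives the sequence through the EnrollmentStep values below and
// reports a single EnrollmentStatus to the completion callback when it is
// done. Steps 1-3 are reversible (no device state is written), so a failure
// in registration, fetch or validation leaves the device unenrolled.
class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
                                  public CloudPolicyStore::Observer,
                                  public gaia::GaiaOAuthClient::Delegate {
 public:
  // Set of device modes this handler accepts from the server; a mode outside
  // the set fails enrollment (see the constructor comment).
  typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
      AllowedDeviceModes;
  // Callback invoked once with the final EnrollmentStatus.
  typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
      EnrollmentCallback;

  // |store| and |install_attributes| must remain valid for the life time of the
  // enrollment handler. |allowed_device_modes| determines what device modes
  // are acceptable. If the mode specified by the server is not acceptable,
  // enrollment will fail with an EnrollmentStatus indicating
  // STATUS_REGISTRATION_BAD_MODE.
  //
  // Ownership of |client| is taken; it can be handed back via ReleaseClient().
  // |auth_token| is credential material used for registration (step 1).
  EnrollmentHandlerChromeOS(
      DeviceCloudPolicyStoreChromeOS* store,
      EnterpriseInstallAttributes* install_attributes,
      ServerBackedStateKeysBroker* state_keys_broker,
      scoped_ptr<CloudPolicyClient> client,
      scoped_refptr<base::SequencedTaskRunner> background_task_runner,
      const std::string& auth_token,
      const std::string& client_id,
      bool is_auto_enrollment,
      const std::string& requisition,
      const AllowedDeviceModes& allowed_device_modes,
      const EnrollmentCallback& completion_callback);
  virtual ~EnrollmentHandlerChromeOS();

  // Starts the enrollment process and reports the result to
  // |completion_callback_|.
  void StartEnrollment();

  // Releases the client, transferring ownership of |client_| to the caller.
  scoped_ptr<CloudPolicyClient> ReleaseClient();

  // CloudPolicyClient::Observer:
  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;

  // CloudPolicyStore::Observer:
  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;

  // GaiaOAuthClient::Delegate:
  virtual void OnGetTokensResponse(const std::string& refresh_token,
                                   const std::string& access_token,
                                   int expires_in_seconds) OVERRIDE;
  virtual void OnRefreshTokenResponse(const std::string& access_token,
                                      int expires_in_seconds) OVERRIDE;
  virtual void OnOAuthError() OVERRIDE;
  virtual void OnNetworkError(int response_code) OVERRIDE;

 private:
  // Indicates what step of the process is currently pending. These steps need
  // to be listed in the order they are traversed in.
  enum EnrollmentStep {
    STEP_PENDING,             // Not started yet.
    STEP_STATE_KEYS,          // Waiting for state keys to become available.
    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
    STEP_REGISTRATION,        // Currently registering the client.
    STEP_POLICY_FETCH,        // Fetching policy.
    STEP_VALIDATION,          // Policy validation.
    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
    STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
    STEP_STORE_POLICY,        // Storing policy and API refresh token.
    STEP_FINISHED,            // Enrollment process finished, no further action.
  };

  // Handles the response to a request for server-backed state keys.
  void CheckStateKeys(const std::vector<std::string>& state_keys);

  // Starts registration if the store is initialized.
  void AttemptRegistration();

  // Handles the policy validation result, proceeding with installation-time
  // attributes locking if successful.
  void PolicyValidated(DeviceCloudPolicyValidator* validator);

  // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
  // reports the result. Actual installation or error report will be done in
  // HandleLockDeviceResult().
  void StartLockDevice(const std::string& user,
                       DeviceMode device_mode,
                       const std::string& device_id);

  // Helper for StartLockDevice(). It performs the actual action based on
  // the result of LockDevice.
  void HandleLockDeviceResult(
      const std::string& user,
      DeviceMode device_mode,
      const std::string& device_id,
      EnterpriseInstallAttributes::LockResult lock_result);

  // Handles completion of the robot token store operation. |result| is the
  // success flag of that operation.
  void HandleRobotAuthTokenStored(bool result);

  // Drops any ongoing actions.
  void Stop();

  // Reports the result of the enrollment process to the initiator.
  void ReportResult(EnrollmentStatus status);

  // Not owned; must outlive this handler (see constructor comment).
  DeviceCloudPolicyStoreChromeOS* store_;
  // Not owned; must outlive this handler (see constructor comment).
  EnterpriseInstallAttributes* install_attributes_;
  // Not owned (passed as a raw pointer to the constructor); presumably must
  // also outlive this handler — confirm against callers.
  ServerBackedStateKeysBroker* state_keys_broker_;
  // Owned until ReleaseClient() hands it back to the caller.
  scoped_ptr<CloudPolicyClient> client_;
  scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
  // Owned. Results arrive through the GaiaOAuthClient::Delegate methods above.
  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;

  // Credential used to register with the policy service (step 1).
  std::string auth_token_;
  std::string client_id_;
  bool is_auto_enrollment_;
  std::string requisition_;
  // State key chosen from the set handed to CheckStateKeys(); presumably used
  // during registration — confirm in the implementation.
  std::string current_state_key_;
  // Device API refresh token obtained in step 5, held in memory until it is
  // encrypted and written in STEP_STORE_ROBOT_AUTH.
  std::string refresh_token_;
  AllowedDeviceModes allowed_device_modes_;
  EnrollmentCallback completion_callback_;

  // The device mode as received in the registration request.
  DeviceMode device_mode_;

  // The validated policy response info to be installed in the store.
  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
  std::string username_;
  std::string device_id_;

  // Current enrollment step.
  EnrollmentStep enrollment_step_;

  // Total amount of time in milliseconds spent waiting for lockbox
  // initialization.
  int lockbox_init_duration_;

  // Declared last so outstanding weak pointers are invalidated before the
  // members above are destroyed.
  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;

  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
};

}  // namespace policy

#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_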