enrollment_handler_chromeos.h revision 116680a4aac90f2aa7413d9095a592090648e557
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 6#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 7 8#include <string> 9 10#include "base/basictypes.h" 11#include "base/compiler_specific.h" 12#include "base/memory/ref_counted.h" 13#include "base/memory/scoped_ptr.h" 14#include "base/memory/weak_ptr.h" 15#include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h" 16#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h" 17#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 18#include "components/policy/core/common/cloud/cloud_policy_client.h" 19#include "components/policy/core/common/cloud/cloud_policy_store.h" 20#include "google_apis/gaia/gaia_oauth_client.h" 21 22namespace base { 23class SequencedTaskRunner; 24} 25 26namespace enterprise_management { 27class PolicyFetchResponse; 28} 29 30namespace policy { 31 32class DeviceCloudPolicyStoreChromeOS; 33class ServerBackedStateKeysBroker; 34 35// Implements the logic that establishes enterprise enrollment for Chromium OS 36// devices. The process is as follows: 37// 1. Given an auth token, register with the policy service. 38// 2. Download the initial policy blob from the service. 39// 3. Verify the policy blob. Everything up to this point doesn't touch device 40// state. 41// 4. Download the OAuth2 authorization code for device-level API access. 42// 5. Download the OAuth2 refresh token for device-level API access and store 43// it. 44// 6. Establish the device lock in installation-time attributes. 45// 7. Store the policy blob and API refresh token. 46class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer, 47 public CloudPolicyStore::Observer, 48 public gaia::GaiaOAuthClient::Delegate { 49 public: 50 typedef DeviceCloudPolicyInitializer::AllowedDeviceModes 51 AllowedDeviceModes; 52 typedef DeviceCloudPolicyInitializer::EnrollmentCallback 53 EnrollmentCallback; 54 55 // |store| and |install_attributes| must remain valid for the life time of the 56 // enrollment handler. |allowed_device_modes| determines what device modes 57 // are acceptable. If the mode specified by the server is not acceptable, 58 // enrollment will fail with an EnrollmentStatus indicating 59 // STATUS_REGISTRATION_BAD_MODE. 60 EnrollmentHandlerChromeOS( 61 DeviceCloudPolicyStoreChromeOS* store, 62 EnterpriseInstallAttributes* install_attributes, 63 ServerBackedStateKeysBroker* state_keys_broker, 64 scoped_ptr<CloudPolicyClient> client, 65 scoped_refptr<base::SequencedTaskRunner> background_task_runner, 66 const std::string& auth_token, 67 const std::string& client_id, 68 bool is_auto_enrollment, 69 const std::string& requisition, 70 const AllowedDeviceModes& allowed_device_modes, 71 const EnrollmentCallback& completion_callback); 72 virtual ~EnrollmentHandlerChromeOS(); 73 74 // Starts the enrollment process and reports the result to 75 // |completion_callback_|. 76 void StartEnrollment(); 77 78 // Releases the client. 79 scoped_ptr<CloudPolicyClient> ReleaseClient(); 80 81 // CloudPolicyClient::Observer: 82 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE; 83 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE; 84 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE; 85 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE; 86 87 // CloudPolicyStore::Observer: 88 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 89 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 90 91 // GaiaOAuthClient::Delegate: 92 virtual void OnGetTokensResponse(const std::string& refresh_token, 93 const std::string& access_token, 94 int expires_in_seconds) OVERRIDE; 95 virtual void OnRefreshTokenResponse(const std::string& access_token, 96 int expires_in_seconds) OVERRIDE; 97 virtual void OnOAuthError() OVERRIDE; 98 virtual void OnNetworkError(int response_code) OVERRIDE; 99 100 private: 101 // Indicates what step of the process is currently pending. These steps need 102 // to be listed in the order they are traversed in. 103 enum EnrollmentStep { 104 STEP_PENDING, // Not started yet. 105 STEP_STATE_KEYS, // Waiting for state keys to become available. 106 STEP_LOADING_STORE, // Waiting for |store_| to initialize. 107 STEP_REGISTRATION, // Currently registering the client. 108 STEP_POLICY_FETCH, // Fetching policy. 109 STEP_VALIDATION, // Policy validation. 110 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code. 111 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token. 112 STEP_LOCK_DEVICE, // Writing installation-time attributes. 113 STEP_STORE_ROBOT_AUTH, // Encrypting & writing robot refresh token. 114 STEP_STORE_POLICY, // Storing policy and API refresh token. 115 STEP_FINISHED, // Enrollment process finished, no further action. 116 }; 117 118 // Handles the response to a request for server-backed state keys. 119 void CheckStateKeys(const std::vector<std::string>& state_keys); 120 121 // Starts registration if the store is initialized. 122 void AttemptRegistration(); 123 124 // Handles the policy validation result, proceeding with installation-time 125 // attributes locking if successful. 126 void PolicyValidated(DeviceCloudPolicyValidator* validator); 127 128 // Calls LockDevice() and proceeds to policy installation. If unsuccessful, 129 // reports the result. Actual installation or error report will be done in 130 // HandleLockDeviceResult(). 131 void StartLockDevice(const std::string& user, 132 DeviceMode device_mode, 133 const std::string& device_id); 134 135 // Helper for StartLockDevice(). It performs the actual action based on 136 // the result of LockDevice. 137 void HandleLockDeviceResult( 138 const std::string& user, 139 DeviceMode device_mode, 140 const std::string& device_id, 141 EnterpriseInstallAttributes::LockResult lock_result); 142 143 // Handles completion of the robot token store operation. 144 void HandleRobotAuthTokenStored(bool result); 145 146 // Drops any ongoing actions. 147 void Stop(); 148 149 // Reports the result of the enrollment process to the initiator. 150 void ReportResult(EnrollmentStatus status); 151 152 DeviceCloudPolicyStoreChromeOS* store_; 153 EnterpriseInstallAttributes* install_attributes_; 154 ServerBackedStateKeysBroker* state_keys_broker_; 155 scoped_ptr<CloudPolicyClient> client_; 156 scoped_refptr<base::SequencedTaskRunner> background_task_runner_; 157 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_; 158 159 std::string auth_token_; 160 std::string client_id_; 161 bool is_auto_enrollment_; 162 std::string requisition_; 163 std::string current_state_key_; 164 std::string refresh_token_; 165 AllowedDeviceModes allowed_device_modes_; 166 EnrollmentCallback completion_callback_; 167 168 // The device mode as received in the registration request. 169 DeviceMode device_mode_; 170 171 // The validated policy response info to be installed in the store. 172 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 173 std::string username_; 174 std::string device_id_; 175 176 // Current enrollment step. 177 EnrollmentStep enrollment_step_; 178 179 // Total amount of time in milliseconds spent waiting for lockbox 180 // initialization. 181 int lockbox_init_duration_; 182 183 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_; 184 185 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS); 186}; 187 188} // namespace policy 189 190#endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 191