enrollment_handler_chromeos.h revision 8bcbed890bc3ce4d7a057a8f32cab53fa534672e
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 6#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 7 8#include <string> 9 10#include "base/basictypes.h" 11#include "base/compiler_specific.h" 12#include "base/memory/ref_counted.h" 13#include "base/memory/scoped_ptr.h" 14#include "base/memory/weak_ptr.h" 15#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" 16#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h" 17#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 18#include "chrome/browser/policy/cloud/cloud_policy_client.h" 19#include "chrome/browser/policy/cloud/cloud_policy_store.h" 20#include "google_apis/gaia/gaia_oauth_client.h" 21 22namespace base { 23class SequencedTaskRunner; 24} 25 26namespace enterprise_management { 27class PolicyFetchResponse; 28} 29 30namespace policy { 31 32// Implements the logic that establishes enterprise enrollment for Chromium OS 33// devices. The process is as follows: 34// 1. Given an auth token, register with the policy service. 35// 2. Download the initial policy blob from the service. 36// 3. Verify the policy blob. Everything up to this point doesn't touch device 37// state. 38// 4. Download the OAuth2 authorization code for device-level API access. 39// 5. Download the OAuth2 refresh token for device-level API access and store 40// it. 41// 6. Establish the device lock in installation-time attributes. 42// 7. Store the policy blob and API refresh token. 43class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer, 44 public CloudPolicyStore::Observer, 45 public gaia::GaiaOAuthClient::Delegate { 46 public: 47 typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes 48 AllowedDeviceModes; 49 typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback 50 EnrollmentCallback; 51 52 // |store| and |install_attributes| must remain valid for the life time of the 53 // enrollment handler. |allowed_device_modes| determines what device modes 54 // are acceptable. If the mode specified by the server is not acceptable, 55 // enrollment will fail with an EnrollmentStatus indicating 56 // STATUS_REGISTRATION_BAD_MODE. 57 EnrollmentHandlerChromeOS( 58 DeviceCloudPolicyStoreChromeOS* store, 59 EnterpriseInstallAttributes* install_attributes, 60 scoped_ptr<CloudPolicyClient> client, 61 scoped_refptr<base::SequencedTaskRunner> background_task_runner, 62 const std::string& auth_token, 63 const std::string& client_id, 64 bool is_auto_enrollment, 65 const std::string& requisition, 66 const AllowedDeviceModes& allowed_device_modes, 67 const EnrollmentCallback& completion_callback); 68 virtual ~EnrollmentHandlerChromeOS(); 69 70 // Starts the enrollment process and reports the result to 71 // |completion_callback_|. 72 void StartEnrollment(); 73 74 // Releases the client. 75 scoped_ptr<CloudPolicyClient> ReleaseClient(); 76 77 // CloudPolicyClient::Observer: 78 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE; 79 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE; 80 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE; 81 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE; 82 83 // CloudPolicyStore::Observer: 84 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 85 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 86 87 // GaiaOAuthClient::Delegate: 88 virtual void OnGetTokensResponse(const std::string& refresh_token, 89 const std::string& access_token, 90 int expires_in_seconds) OVERRIDE; 91 virtual void OnRefreshTokenResponse(const std::string& access_token, 92 int expires_in_seconds) OVERRIDE; 93 virtual void OnOAuthError() OVERRIDE; 94 virtual void OnNetworkError(int response_code) OVERRIDE; 95 96 private: 97 // Indicates what step of the process is currently pending. These steps need 98 // to be listed in the order they are traversed in. 99 enum EnrollmentStep { 100 STEP_PENDING, // Not started yet. 101 STEP_LOADING_STORE, // Waiting for |store_| to initialize. 102 STEP_REGISTRATION, // Currently registering the client. 103 STEP_POLICY_FETCH, // Fetching policy. 104 STEP_VALIDATION, // Policy validation. 105 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code. 106 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token. 107 STEP_LOCK_DEVICE, // Writing installation-time attributes. 108 STEP_STORE_POLICY, // Storing policy and API refresh token. 109 STEP_FINISHED, // Enrollment process finished, no further action. 110 }; 111 112 // Starts registration if the store is initialized. 113 void AttemptRegistration(); 114 115 // Handles the policy validation result, proceeding with installation-time 116 // attributes locking if successful. 117 void PolicyValidated(DeviceCloudPolicyValidator* validator); 118 119 // Method called to initiate the STEP_LOCK_DEVICE step. Usually called after 120 // the STEP_ROBOT_AUTH_REFRESH, but may be called directly after a failed 121 // STEP_ROBOT_AUTH_FETCH, since robot tokens are currently optional. 122 void DoLockDeviceStep(); 123 124 // Calls LockDevice() and proceeds to policy installation. If unsuccessful, 125 // reports the result. Actual installation or error report will be done in 126 // HandleLockDeviceResult(). 127 void StartLockDevice(const std::string& user, 128 DeviceMode device_mode, 129 const std::string& device_id); 130 131 // Helper for StartLockDevice(). It performs the actual action based on 132 // the result of LockDevice. 133 void HandleLockDeviceResult( 134 const std::string& user, 135 DeviceMode device_mode, 136 const std::string& device_id, 137 EnterpriseInstallAttributes::LockResult lock_result); 138 139 // Drops any ongoing actions. 140 void Stop(); 141 142 // Reports the result of the enrollment process to the initiator. 143 void ReportResult(EnrollmentStatus status); 144 145 DeviceCloudPolicyStoreChromeOS* store_; 146 EnterpriseInstallAttributes* install_attributes_; 147 scoped_ptr<CloudPolicyClient> client_; 148 scoped_refptr<base::SequencedTaskRunner> background_task_runner_; 149 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_; 150 151 std::string auth_token_; 152 std::string client_id_; 153 std::string robot_refresh_token_; 154 bool is_auto_enrollment_; 155 std::string requisition_; 156 AllowedDeviceModes allowed_device_modes_; 157 EnrollmentCallback completion_callback_; 158 159 // The device mode as received in the registration request. 160 DeviceMode device_mode_; 161 162 // The validated policy response info to be installed in the store. 163 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 164 std::string username_; 165 std::string device_id_; 166 167 // Current enrollment step. 168 EnrollmentStep enrollment_step_; 169 170 // Total amount of time in milliseconds spent waiting for lockbox 171 // initialization. 172 int lockbox_init_duration_; 173 174 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_factory_; 175 176 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS); 177}; 178 179} // namespace policy 180 181#endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 182