enrollment_handler_chromeos.h revision a3f6a49ab37290eeeb8db0f41ec0f1cb74a68be7 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
7
8#include <string>
9
10#include "base/basictypes.h"
11#include "base/compiler_specific.h"
12#include "base/memory/ref_counted.h"
13#include "base/memory/scoped_ptr.h"
14#include "base/memory/weak_ptr.h"
15#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
16#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
17#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
18#include "components/policy/core/common/cloud/cloud_policy_client.h"
19#include "components/policy/core/common/cloud/cloud_policy_store.h"
20#include "google_apis/gaia/gaia_oauth_client.h"
21
22namespace base {
23class SequencedTaskRunner;
24}
25
26namespace chromeos {
27class DeviceOAuth2TokenService;
28}
29
30namespace enterprise_management {
31class PolicyFetchResponse;
32}
33
34namespace policy {
35
36// Implements the logic that establishes enterprise enrollment for Chromium OS
37// devices. The process is as follows:
38//   1. Given an auth token, register with the policy service.
39//   2. Download the initial policy blob from the service.
40//   3. Verify the policy blob. Everything up to this point doesn't touch device
41//      state.
42//   4. Download the OAuth2 authorization code for device-level API access.
43//   5. Download the OAuth2 refresh token for device-level API access and store
44//      it.
45//   6. Establish the device lock in installation-time attributes.
46//   7. Store the policy blob and API refresh token.
47class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
48                                  public CloudPolicyStore::Observer,
49                                  public gaia::GaiaOAuthClient::Delegate {
50 public:
51  typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
52      AllowedDeviceModes;
53  typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
54      EnrollmentCallback;
55
56  // |store| and |install_attributes| must remain valid for the life time of the
57  // enrollment handler. |allowed_device_modes| determines what device modes
58  // are acceptable. If the mode specified by the server is not acceptable,
59  // enrollment will fail with an EnrollmentStatus indicating
60  // STATUS_REGISTRATION_BAD_MODE.
61  EnrollmentHandlerChromeOS(
62      DeviceCloudPolicyStoreChromeOS* store,
63      EnterpriseInstallAttributes* install_attributes,
64      scoped_ptr<CloudPolicyClient> client,
65      scoped_refptr<base::SequencedTaskRunner> background_task_runner,
66      const std::string& auth_token,
67      const std::string& client_id,
68      bool is_auto_enrollment,
69      const std::string& requisition,
70      const AllowedDeviceModes& allowed_device_modes,
71      const EnrollmentCallback& completion_callback);
72  virtual ~EnrollmentHandlerChromeOS();
73
74  // Starts the enrollment process and reports the result to
75  // |completion_callback_|.
76  void StartEnrollment();
77
78  // Releases the client.
79  scoped_ptr<CloudPolicyClient> ReleaseClient();
80
81  // CloudPolicyClient::Observer:
82  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
83  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
84  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
85  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
86
87  // CloudPolicyStore::Observer:
88  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
89  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
90
91  // GaiaOAuthClient::Delegate:
92  virtual void OnGetTokensResponse(const std::string& refresh_token,
93                                   const std::string& access_token,
94                                   int expires_in_seconds) OVERRIDE;
95  virtual void OnRefreshTokenResponse(const std::string& access_token,
96                                      int expires_in_seconds) OVERRIDE;
97  virtual void OnOAuthError() OVERRIDE;
98  virtual void OnNetworkError(int response_code) OVERRIDE;
99
100 private:
101  // Indicates what step of the process is currently pending. These steps need
102  // to be listed in the order they are traversed in.
103  enum EnrollmentStep {
104    STEP_PENDING,             // Not started yet.
105    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
106    STEP_REGISTRATION,        // Currently registering the client.
107    STEP_POLICY_FETCH,        // Fetching policy.
108    STEP_VALIDATION,          // Policy validation.
109    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
110    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
111    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
112    STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
113    STEP_STORE_POLICY,        // Storing policy and API refresh token.
114    STEP_FINISHED,            // Enrollment process finished, no further action.
115  };
116
117  // Starts registration if the store is initialized.
118  void AttemptRegistration();
119
120  // Handles the policy validation result, proceeding with installation-time
121  // attributes locking if successful.
122  void PolicyValidated(DeviceCloudPolicyValidator* validator);
123
124  // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
125  // reports the result. Actual installation or error report will be done in
126  // HandleLockDeviceResult().
127  void StartLockDevice(const std::string& user,
128                       DeviceMode device_mode,
129                       const std::string& device_id);
130
131  // Helper for StartLockDevice(). It performs the actual action based on
132  // the result of LockDevice.
133  void HandleLockDeviceResult(
134      const std::string& user,
135      DeviceMode device_mode,
136      const std::string& device_id,
137      EnterpriseInstallAttributes::LockResult lock_result);
138
139  // Drops any ongoing actions.
140  void Stop();
141
142  // Reports the result of the enrollment process to the initiator.
143  void ReportResult(EnrollmentStatus status);
144
145  // Continuation of OnStoreLoaded().
146  void DidGetTokenService(chromeos::DeviceOAuth2TokenService* token_service);
147
148  DeviceCloudPolicyStoreChromeOS* store_;
149  EnterpriseInstallAttributes* install_attributes_;
150  scoped_ptr<CloudPolicyClient> client_;
151  scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
152  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
153
154  std::string auth_token_;
155  std::string client_id_;
156  bool is_auto_enrollment_;
157  std::string requisition_;
158  std::string refresh_token_;
159  AllowedDeviceModes allowed_device_modes_;
160  EnrollmentCallback completion_callback_;
161
162  // The device mode as received in the registration request.
163  DeviceMode device_mode_;
164
165  // The validated policy response info to be installed in the store.
166  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
167  std::string username_;
168  std::string device_id_;
169
170  // Current enrollment step.
171  EnrollmentStep enrollment_step_;
172
173  // Total amount of time in milliseconds spent waiting for lockbox
174  // initialization.
175  int lockbox_init_duration_;
176
177  // Used for locking the device and getting the OAuth2 token service.
178  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
179
180  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
181};
182
183}  // namespace policy
184
185#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
186