// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
#define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_

#include <string>

#include "base/basictypes.h"
#include "base/compiler_specific.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
#include "chrome/browser/policy/cloud/cloud_policy_client.h"
#include "chrome/browser/policy/cloud/cloud_policy_store.h"
#include "google_apis/gaia/gaia_oauth_client.h"

namespace enterprise_management {
class PolicyFetchResponse;
}

namespace policy {

// Implements the logic that establishes enterprise enrollment for Chromium OS
// devices. The process is as follows:
//   1. Given an auth token, register with the policy service.
//   2. Download the initial policy blob from the service.
//   3. Verify the policy blob. Everything up to this point doesn't touch device
//      state, so a failure in steps 1-3 leaves the device unmodified.
//   4. Download the OAuth2 authorization code for device-level API access.
//   5. Download the OAuth2 refresh token for device-level API access and store
//      it.
//   6. Establish the device lock in installation-time attributes.
//   7. Store the policy blob and API refresh token.
//
// Steps 6 and 7 are the only ones that change persistent device state; they
// are reached only after the policy blob has been validated in step 3 (see
// PolicyValidated() below). The handler runs exactly one enrollment and
// reports the outcome through the completion callback supplied at
// construction.
class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
                                  public CloudPolicyStore::Observer,
                                  public gaia::GaiaOAuthClient::Delegate {
 public:
  typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
      AllowedDeviceModes;
  typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
      EnrollmentCallback;

  // |store| and |install_attributes| are not owned and must remain valid for
  // the life time of the enrollment handler. |client| is taken over by the
  // handler (see ReleaseClient() for handing it back). |auth_token| is the
  // credential used to register with the policy service in step 1 and
  // |client_id| identifies this client to the service. |allowed_device_modes|
  // determines what device modes are acceptable. If the mode specified by the
  // server is not acceptable, enrollment will fail with an EnrollmentStatus
  // indicating STATUS_REGISTRATION_BAD_MODE. |completion_callback| receives
  // the final result (see ReportResult()).
  EnrollmentHandlerChromeOS(DeviceCloudPolicyStoreChromeOS* store,
                            EnterpriseInstallAttributes* install_attributes,
                            scoped_ptr<CloudPolicyClient> client,
                            const std::string& auth_token,
                            const std::string& client_id,
                            bool is_auto_enrollment,
                            const AllowedDeviceModes& allowed_device_modes,
                            const EnrollmentCallback& completion_callback);
  virtual ~EnrollmentHandlerChromeOS();

  // Starts the enrollment process and reports the result to
  // |completion_callback_|.
  void StartEnrollment();

  // Releases the client: ownership of the CloudPolicyClient passes to the
  // caller and the handler no longer holds it. NOTE(review): intended to be
  // called once enrollment has finished or been stopped — confirm against the
  // .cc before calling it mid-flight.
  scoped_ptr<CloudPolicyClient> ReleaseClient();

  // CloudPolicyClient::Observer (steps 1, 2 and 4):
  virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
  virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
  virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;

  // CloudPolicyStore::Observer (store initialization and step 7):
  virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
  virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;

  // GaiaOAuthClient::Delegate (step 5: exchanging the robot auth code for the
  // device API refresh token). |refresh_token| and |access_token| are
  // credentials and must not be logged.
  virtual void OnGetTokensResponse(const std::string& refresh_token,
                                   const std::string& access_token,
                                   int expires_in_seconds) OVERRIDE;
  virtual void OnRefreshTokenResponse(const std::string& access_token,
                                      int expires_in_seconds) OVERRIDE;
  virtual void OnOAuthError() OVERRIDE;
  virtual void OnNetworkError(int response_code) OVERRIDE;

 private:
  // Indicates what step of the process is currently pending. These steps need
  // to be listed in the order they are traversed in.
  enum EnrollmentStep {
    STEP_PENDING,             // Not started yet.
    STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
    STEP_REGISTRATION,        // Currently registering the client.
    STEP_POLICY_FETCH,        // Fetching policy.
    STEP_VALIDATION,          // Policy validation.
    STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
    STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
    STEP_LOCK_DEVICE,         // Writing installation-time attributes.
    STEP_STORE_POLICY,        // Storing policy and API refresh token.
    STEP_FINISHED,            // Enrollment process finished, no further action.
  };

  // Starts registration if the store is initialized.
  void AttemptRegistration();

  // Handles the policy validation result, proceeding with installation-time
  // attributes locking if successful. A failed validation must not reach the
  // device-state-changing steps (STEP_LOCK_DEVICE, STEP_STORE_POLICY).
  void PolicyValidated(DeviceCloudPolicyValidator* validator);

  // Method called to initiate the STEP_LOCK_DEVICE step. Usually called after
  // the STEP_ROBOT_AUTH_REFRESH, but may be called directly after a failed
  // STEP_ROBOT_AUTH_FETCH, since robot tokens are currently optional. In that
  // case enrollment still completes, but without a device API refresh token.
  void DoLockDeviceStep();

  // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
  // reports the result. Actual installation or error report will be done in
  // HandleLockDeviceResult().
  void StartLockDevice(const std::string& user,
                       DeviceMode device_mode,
                       const std::string& device_id);

  // Helper for StartLockDevice(). It performs the actual action based on
  // the result of LockDevice.
  void HandleLockDeviceResult(
      const std::string& user,
      DeviceMode device_mode,
      const std::string& device_id,
      EnterpriseInstallAttributes::LockResult lock_result);

  // Drops any ongoing actions.
  void Stop();

  // Reports the result of the enrollment process to the initiator.
  void ReportResult(EnrollmentStatus status);

  // Not owned; see the constructor comment for lifetime requirements.
  DeviceCloudPolicyStoreChromeOS* store_;
  EnterpriseInstallAttributes* install_attributes_;
  // Owned until ReleaseClient() hands it back to the caller.
  scoped_ptr<CloudPolicyClient> client_;
  scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;

  // Credentials and identifiers received at construction. |auth_token_| is a
  // secret held for the duration of enrollment.
  std::string auth_token_;
  std::string client_id_;
  // Device API refresh token obtained in STEP_ROBOT_AUTH_REFRESH; a secret
  // that is persisted in STEP_STORE_POLICY.
  std::string robot_refresh_token_;
  bool is_auto_enrollment_;
  AllowedDeviceModes allowed_device_modes_;
  EnrollmentCallback completion_callback_;

  // The device mode as received in the registration request. Checked against
  // |allowed_device_modes_| (see the constructor comment).
  DeviceMode device_mode_;

  // The validated policy response info to be installed in the store.
  scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
  // Identity values passed to StartLockDevice() — presumably taken from the
  // validated policy.
  std::string username_;
  std::string device_id_;

  // Current enrollment step.
  EnrollmentStep enrollment_step_;

  // Total amount of time in milliseconds spent waiting for lockbox
  // initialization.
  int lockbox_init_duration_;

  // Must be the last member so that outstanding WeakPtrs are invalidated
  // before the members above are destroyed.
  base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_factory_;

  DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
};

}  // namespace policy

#endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_