Chromium Code Reviews Chromium Code Reviews
Issue 10928036:
Implement Chrome OS device enrollment on the new cloud policy stack. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| (Empty) | |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/policy/enrollment_handler_chromeos.h" | |
| 6 | |
| 7 #include "base/bind.h" | |
| 8 #include "base/logging.h" | |
| 9 #include "base/message_loop.h" | |
| 10 #include "chrome/browser/policy/cloud_policy_constants.h" | |
| 11 #include "chrome/browser/policy/cloud_policy_validator.h" | |
|
Joao da Silva
2012/09/07 14:01:42
nit: already in .h
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Done.
| |
| 12 #include "chrome/browser/policy/device_cloud_policy_store_chromeos.h" | |
| 13 #include "chrome/browser/policy/enterprise_install_attributes.h" | |
| 14 #include "chrome/browser/policy/proto/device_management_backend.pb.h" | |
| 15 | |
| 16 namespace em = enterprise_management; | |
| 17 | |
| 18 namespace policy { | |
| 19 | |
| 20 namespace { | |
| 21 | |
| 22 // Retry for InstallAttrs initialization every 500ms. | |
| 23 const int kLockRetryIntervalMs = 500; | |
| 24 // Maximum time to retry InstallAttrs initialization before we give up. | |
| 25 const int kLockRetryTimeoutMs = 10 * 60 * 1000; // 10 minutes. | |
| 26 | |
| 27 } // namespace | |
| 28 | |
| 29 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( | |
| 30 DeviceCloudPolicyStoreChromeOS* store, | |
| 31 EnterpriseInstallAttributes* install_attributes, | |
| 32 scoped_ptr<CloudPolicyClient> client, | |
| 33 const std::string& auth_token, | |
| 34 const CompletionCallback& completion_callback) | |
| 35 : store_(store), | |
| 36 install_attributes_(install_attributes), | |
| 37 client_(client.Pass()), | |
| 38 auth_token_(auth_token), | |
| 39 completion_callback_(completion_callback), | |
| 40 device_mode_(DEVICE_MODE_NOT_SET), | |
| 41 enrollment_step_(STEP_IDLE), | |
| 42 lockbox_init_duration_(0), | |
| 43 ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)) { | |
| 44 CHECK(!client_->is_registered()); | |
| 45 CHECK_EQ(DM_STATUS_SUCCESS, client_->status()); | |
| 46 store_->AddObserver(this); | |
| 47 client_->AddObserver(this); | |
| 48 } | |
| 49 | |
| 50 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() { | |
| 51 Reset(); | |
| 52 store_->RemoveObserver(this); | |
| 53 } | |
| 54 | |
| 55 void EnrollmentHandlerChromeOS::StartEnrollment() { | |
| 56 CHECK_EQ(STEP_IDLE, enrollment_step_); | |
| 57 AttemptRegistration(); | |
| 58 } | |
| 59 | |
| 60 scoped_ptr<CloudPolicyClient> EnrollmentHandlerChromeOS::ReleaseClient() { | |
| 61 Reset(); | |
| 62 return client_.Pass(); | |
| 63 } | |
| 64 | |
| 65 void EnrollmentHandlerChromeOS::OnPolicyFetched(CloudPolicyClient* client) { | |
| 66 DCHECK_EQ(client_.get(), client); | |
| 67 CHECK_EQ(STEP_POLICY_FETCH, enrollment_step_); | |
| 68 | |
| 69 enrollment_step_ = STEP_VALIDATION; | |
| 70 | |
| 71 // Validate the policy. | |
| 72 scoped_ptr<DeviceCloudPolicyValidator> validator( | |
| 73 DeviceCloudPolicyValidator::Create( | |
| 74 scoped_ptr<em::PolicyFetchResponse>( | |
| 75 new em::PolicyFetchResponse(*client_->policy())), | |
| 76 base::Bind(&EnrollmentHandlerChromeOS::PolicyValidated, | |
| 77 weak_factory_.GetWeakPtr()))); | |
| 78 | |
| 79 if (install_attributes_->IsEnterpriseDevice()) | |
| 80 validator->ValidateDomain(install_attributes_->GetDomain()); | |
| 81 validator->ValidatePolicyType(dm_protocol::kChromeDevicePolicyType); | |
| 82 validator->ValidatePayload(); | |
| 83 validator->ValidateInitialKey(); | |
| 84 validator.release()->StartValidation(); | |
|
pastarmovj
2012/09/07 12:16:27
Apparently the validator is self destructing why n
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
This is the pattern used for user policy (and else
| |
| 85 } | |
| 86 | |
| 87 void EnrollmentHandlerChromeOS::OnRegistrationStateChanged( | |
| 88 CloudPolicyClient* client) { | |
| 89 DCHECK_EQ(client_.get(), client); | |
| 90 | |
| 91 if (enrollment_step_ != STEP_REGISTRATION) | |
| 92 return; | |
| 93 | |
| 94 if (client_->is_registered()) { | |
| 95 enrollment_step_ = STEP_POLICY_FETCH, | |
| 96 device_mode_ = client_->device_mode(); | |
| 97 if (device_mode_ != DEVICE_MODE_ENTERPRISE && | |
| 98 device_mode_ != DEVICE_MODE_KIOSK) { | |
| 99 LOG(ERROR) << "Bad device mode " << device_mode_; | |
| 100 ReportResult(ENROLLMENT_STATUS_REGISTRATION_FAILED, | |
| 101 DM_STATUS_RESPONSE_DECODING_ERROR, | |
| 102 CloudPolicyValidatorBase::VALIDATION_OK, | |
| 103 CloudPolicyStore::STATUS_OK); | |
| 104 } | |
|
Joao da Silva
2012/09/07 14:01:42
else { ?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Ah, yes :)
| |
| 105 client_->FetchPolicy(); | |
| 106 } else { | |
| 107 NOTREACHED() << "Registration state changed to " << client_->is_registered() | |
| 108 << " in step " << enrollment_step_; | |
|
Joao da Silva
2012/09/07 14:01:42
Shouldn't this report an error result, to avoid a
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Since the handler owns |client_|, this is not poss
| |
| 109 } | |
| 110 } | |
| 111 | |
| 112 void EnrollmentHandlerChromeOS::OnClientError(CloudPolicyClient* client) { | |
| 113 DCHECK_EQ(client_.get(), client); | |
| 114 | |
| 115 if (enrollment_step_ == STEP_REGISTRATION) { | |
| 116 ReportResult(ENROLLMENT_STATUS_REGISTRATION_FAILED, client_->status(), | |
| 117 CloudPolicyValidatorBase::VALIDATION_OK, | |
| 118 CloudPolicyStore::STATUS_OK); | |
| 119 } else if (enrollment_step_ == STEP_POLICY_FETCH) { | |
| 120 ReportResult(ENROLLMENT_STATUS_POLICY_FETCH_FAILED, client_->status(), | |
| 121 CloudPolicyValidatorBase::VALIDATION_OK, | |
| 122 CloudPolicyStore::STATUS_OK); | |
| 123 } else { | |
| 124 NOTREACHED() << "Client error " << client_->status() | |
| 125 << " in step " << enrollment_step_; | |
|
Joao da Silva
2012/09/07 14:01:42
Report an error result?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Not sure. If something else is screwing the client
| |
| 126 return; | |
| 127 } | |
| 128 } | |
| 129 | |
| 130 void EnrollmentHandlerChromeOS::OnStoreLoaded(CloudPolicyStore* store) { | |
| 131 DCHECK_EQ(store_, store); | |
| 132 | |
| 133 if (enrollment_step_ == STEP_IDLE) { | |
| 134 AttemptRegistration(); | |
| 135 return; | |
| 136 } | |
| 137 | |
| 138 if (enrollment_step_ != STEP_STORE_POLICY) | |
| 139 return; | |
| 140 | |
| 141 ReportResult(ENROLLMENT_STATUS_SUCCESS, DM_STATUS_SUCCESS, | |
| 142 CloudPolicyValidatorBase::VALIDATION_OK, | |
| 143 CloudPolicyStore::STATUS_OK); | |
| 144 } | |
| 145 | |
| 146 void EnrollmentHandlerChromeOS::OnStoreError(CloudPolicyStore* store) { | |
| 147 DCHECK_EQ(store_, store); | |
| 148 | |
| 149 if (enrollment_step_ == STEP_IDLE) { | |
| 150 // A fresh device is in STATUS_BAD_STATE. | |
| 151 if (store_->status() == CloudPolicyStore::STATUS_BAD_STATE) | |
| 152 return; | |
| 153 } else if (enrollment_step_ != STEP_STORE_POLICY) { | |
| 154 return; | |
| 155 } | |
| 156 | |
| 157 ReportResult(ENROLLMENT_STATUS_STORE_ERROR, DM_STATUS_SUCCESS, | |
| 158 store_->validation_status(), store_->status()); | |
| 159 } | |
| 160 | |
| 161 void EnrollmentHandlerChromeOS::AttemptRegistration() { | |
| 162 if (store_->is_initialized()) { | |
| 163 enrollment_step_ = STEP_REGISTRATION; | |
| 164 client_->Register(auth_token_); | |
| 165 } | |
| 166 } | |
| 167 | |
| 168 void EnrollmentHandlerChromeOS::PolicyValidated( | |
| 169 DeviceCloudPolicyValidator* validator) { | |
|
Joao da Silva
2012/09/07 14:01:42
CHECK_EQ(STEP_VALIDATION, enrollment_step_)?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Done.
| |
| 170 if (validator->success()) { | |
| 171 policy_ = validator->policy().Pass(); | |
|
Joao da Silva
2012/09/07 14:01:42
enrollment_step_ = STEP_LOCK_DEVICE?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Yes!
| |
| 172 WriteInstallAttributes(validator->policy_data()->username(), device_mode_, | |
| 173 validator->policy_data()->device_id()); | |
| 174 } else { | |
| 175 ReportResult(ENROLLMENT_STATUS_VALIDATION_FAILED, DM_STATUS_SUCCESS, | |
| 176 validator->status(), CloudPolicyStore::STATUS_OK); | |
| 177 } | |
| 178 } | |
| 179 | |
| 180 void EnrollmentHandlerChromeOS::WriteInstallAttributes( | |
| 181 const std::string& user, | |
| 182 DeviceMode device_mode, | |
| 183 const std::string& device_id) { | |
| 184 // Since this method is also called directly. | |
|
Joao da Silva
2012/09/07 14:01:42
CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_)?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Done.
| |
| 185 weak_factory_.InvalidateWeakPtrs(); | |
| 186 | |
| 187 switch (install_attributes_->LockDevice(user, device_mode, device_id)) { | |
| 188 case EnterpriseInstallAttributes::LOCK_SUCCESS: | |
| 189 enrollment_step_ = STEP_STORE_POLICY; | |
| 190 store_->InstallInitialPolicy(*policy_); | |
| 191 return; | |
| 192 case EnterpriseInstallAttributes::LOCK_NOT_READY: | |
| 193 // We wait up to |kLockRetryTimeoutMs| milliseconds and if it hasn't | |
| 194 // succeeded by then show an error to the user and stop the enrollment. | |
| 195 if (lockbox_init_duration_ < kLockRetryTimeoutMs) { | |
| 196 // InstallAttributes not ready yet, retry later. | |
| 197 LOG(WARNING) << "Install Attributes not ready yet will retry in " | |
| 198 << kLockRetryIntervalMs << "ms."; | |
| 199 MessageLoop::current()->PostDelayedTask( | |
| 200 FROM_HERE, | |
| 201 base::Bind(&EnrollmentHandlerChromeOS::WriteInstallAttributes, | |
| 202 weak_factory_.GetWeakPtr(), | |
| 203 user, device_mode, device_id), | |
| 204 base::TimeDelta::FromMilliseconds(kLockRetryIntervalMs)); | |
| 205 lockbox_init_duration_ += kLockRetryIntervalMs; | |
| 206 return; | |
| 207 } | |
| 208 // Fall through. | |
|
Joao da Silva
2012/09/07 14:01:42
Also log that it timed out?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Line 197 will have flooded the log already, which
| |
| 209 case EnterpriseInstallAttributes::LOCK_BACKEND_ERROR: | |
| 210 ReportResult(ENROLLMENT_STATUS_LOCK_ERROR, DM_STATUS_SUCCESS, | |
| 211 CloudPolicyValidatorBase::VALIDATION_OK, | |
| 212 CloudPolicyStore::STATUS_OK); | |
| 213 return; | |
| 214 case EnterpriseInstallAttributes::LOCK_WRONG_USER: | |
| 215 LOG(ERROR) << "Enrollment cannot proceed because the InstallAttrs " | |
| 216 << "has been locked already!"; | |
| 217 ReportResult(ENROLLMENT_STATUS_LOCK_WRONG_USER, DM_STATUS_SUCCESS, | |
| 218 CloudPolicyValidatorBase::VALIDATION_OK, | |
| 219 CloudPolicyStore::STATUS_OK); | |
| 220 return; | |
| 221 } | |
| 222 | |
| 223 NOTREACHED(); | |
| 224 } | |
| 225 | |
| 226 void EnrollmentHandlerChromeOS::Reset() { | |
| 227 if (client_.get()) | |
| 228 client_->RemoveObserver(this); | |
| 229 enrollment_step_ = STEP_DONE; | |
|
pastarmovj
2012/09/07 12:16:27
Why not STEP_IDLE?
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Because this is only to happen once we're done. I'
| |
| 230 weak_factory_.InvalidateWeakPtrs(); | |
| 231 completion_callback_.Reset(); | |
| 232 } | |
| 233 | |
| 234 void EnrollmentHandlerChromeOS::ReportResult( | |
| 235 EnrollmentStatus status, | |
| 236 DeviceManagementStatus dm_status, | |
| 237 CloudPolicyValidatorBase::Status validator_status, | |
| 238 CloudPolicyStore::Status store_status) { | |
| 239 CompletionCallback callback = completion_callback_; | |
| 240 Reset(); | |
| 241 | |
| 242 if (status != ENROLLMENT_STATUS_SUCCESS) { | |
| 243 LOG(WARNING) << "Enrollment failed: " << status << " " << dm_status << " " | |
| 244 << validator_status << " " << store_status; | |
| 245 } | |
| 246 | |
| 247 if (!callback.is_null()) | |
| 248 callback.Run(status, dm_status, validator_status, store_status); | |
| 249 } | |
| 250 | |
| 251 } // namespace | |
|
Joao da Silva
2012/09/07 14:01:42
namespace policy
Mattias Nissler (ping if slow)
2012/10/23 15:30:41
Done.
| |
| OLD | NEW |
