Chromium Code Reviews| Index: chrome/browser/chromeos/login/enterprise_enrollment_screen.cc |
| diff --git a/chrome/browser/chromeos/login/enterprise_enrollment_screen.cc b/chrome/browser/chromeos/login/enterprise_enrollment_screen.cc |
| index ec775dc7b4b8bfbb170becf21c8cabac17b4ec08..731acd38ce2dc79dfa29d2161305ddfc444223da 100644 |
| --- a/chrome/browser/chromeos/login/enterprise_enrollment_screen.cc |
| +++ b/chrome/browser/chromeos/login/enterprise_enrollment_screen.cc |
| @@ -6,15 +6,33 @@ |
| #include "base/logging.h" |
| #include "chrome/browser/browser_process.h" |
| +#include "chrome/browser/chromeos/cros/cros_library.h" |
| +#include "chrome/browser/chromeos/cros/cryptohome_library.h" |
| #include "chrome/browser/chromeos/login/screen_observer.h" |
| #include "chrome/browser/policy/browser_policy_connector.h" |
| #include "chrome/common/net/gaia/gaia_constants.h" |
| namespace chromeos { |
| +// Retry for lockbox initialization every 500ms. |
| +const int kLockboxRetryIntervalMs = 500; |
| + |
| EnterpriseEnrollmentScreen::EnterpriseEnrollmentScreen( |
| WizardScreenDelegate* delegate) |
| - : ViewScreen<EnterpriseEnrollmentView>(delegate) {} |
| + : ViewScreen<EnterpriseEnrollmentView>(delegate), |
| + ALLOW_THIS_IN_INITIALIZER_LIST(runnable_method_factory_(this)) { |
| + // Init lockbox if it has not been done until now (in debug build we might |
| + // have not done that yet). |
| + chromeos::CryptohomeLibrary* cryptohome = |
| + chromeos::CrosLibrary::Get()->GetCryptohomeLibrary(); |
| + if (cryptohome) { |
| + if (cryptohome->TpmIsEnabled() && |
| + !cryptohome->TpmIsBeingOwned() && |
| + !cryptohome->TpmIsOwned()) { |
| + cryptohome->TpmCanAttemptOwnership(); |
| + } |
| + } |
| +} |
| EnterpriseEnrollmentScreen::~EnterpriseEnrollmentScreen() {} |
| @@ -55,10 +73,34 @@ void EnterpriseEnrollmentScreen::CloseConfirmation() { |
| observer->OnExit(ScreenObserver::ENTERPRISE_ENROLLMENT_COMPLETED); |
| } |
| +bool EnterpriseEnrollmentScreen::GetInitialUser(std::string* user) { |
| + chromeos::CryptohomeLibrary* cryptohome = |
| + chromeos::CrosLibrary::Get()->GetCryptohomeLibrary(); |
| + if (cryptohome && |
| + cryptohome->InstallAttributesIsReady() && |
| + !cryptohome->InstallAttributesIsFirstInstall()) { |
| + std::string value; |
| + if (cryptohome->InstallAttributesGet("enterprise.owned", &value) && |
| + value == "true") { |
| + if (cryptohome->InstallAttributesGet("enterprise.user", &value)) { |
| + // If we landed in the enrollment dialogue with a locked lockbox this |
| + // would mean we might only want to reenroll with the DMServer so lock |
| + // the username to what has been stored in the lockbox already. |
| + *user = value; |
| + if (view()) |
| + view()->set_editable_user(false); |
| + return true; |
| + } |
| + } |
| + LOG(ERROR) << "Enrollment will not finish because the lockbox has been " |
| + << "locked already but does not contain valid data."; |
| + } |
| + return false; |
| +} |
| + |
| void EnterpriseEnrollmentScreen::OnClientLoginSuccess( |
| const ClientLoginResult& result) { |
| - auth_fetcher_->StartIssueAuthToken(result.sid, result.lsid, |
| - GaiaConstants::kDeviceManagementService); |
| + WriteInstallAttributesData(result); |
| } |
| void EnterpriseEnrollmentScreen::OnClientLoginFailure( |
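Review bot: In `GetInitialUser`, the branch that logs "Enrollment will not finish because the lockbox has been locked already…" still falls through to `return false`, the same result the caller gets when the lockbox is not ready or is still in first-install state, so a known-fatal state is indistinguishable from a normal one. As written the screen would presumably still collect and submit the user's credentials before `WriteInstallAttributesData` rejects the enrollment. Consider surfacing the failure here, e.g. `if (view()) view()->ShowFatalEnrollmentError();` right after the log line, or returning a distinct status to the caller. The function also writes through `user` unchecked; a `DCHECK(user);` at the top would document the non-null contract.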
| @@ -177,4 +219,86 @@ void EnterpriseEnrollmentScreen::HandleAuthError( |
| NOTREACHED() << error.state(); |
| } |
| +void EnterpriseEnrollmentScreen::WriteInstallAttributesData( |
| + const ClientLoginResult& result) { |
| + // Since this method is also called directly. |
| + runnable_method_factory_.RevokeAll(); |
| + |
| + if (!view()) |
| + return; |
| + |
| + chromeos::CryptohomeLibrary* cryptohome = |
| + chromeos::CrosLibrary::Get()->GetCryptohomeLibrary(); |
| + if (!cryptohome) { |
| + LOG(ERROR) << "Enrollment can not proceed because the lockbox can not " |
| + << "be accessed."; |
| + view()->ShowFatalEnrollmentError(); |
| + return; |
| + } |
| + |
| + if (!cryptohome->InstallAttributesIsReady()) { |
| + // Lockbox is not ready yet, reschedule pulling. |
|
Mattias Nissler (ping if slow)
2011/04/15 18:48:03
nit: pulling?
pastarmovj
2011/04/15 19:19:12
Done.
|
| + LOG(WARNING) << "Lockbox is not ready yet will retry in " |
| + << kLockboxRetryIntervalMs << "ms."; |
| + MessageLoop::current()->PostDelayedTask( |
| + FROM_HERE, |
| + runnable_method_factory_.NewRunnableMethod( |
| + &EnterpriseEnrollmentScreen::WriteInstallAttributesData, result), |
| + kLockboxRetryIntervalMs); |
| + return; |
| + } |
| + |
| + // Clearing the TPM password seems to be always a good deal. |
| + if (cryptohome->TpmIsEnabled() && |
| + !cryptohome->TpmIsBeingOwned() && |
| + cryptohome->TpmIsOwned()) { |
| + cryptohome->TpmClearStoredPassword(); |
| + } |
| + |
| + // Make sure we really have a working lockbox. |
| + if (cryptohome->InstallAttributesIsInvalid()) { |
| + LOG(ERROR) << "Enrollment can not proceed because the lockbox " |
| + << "is corrupt or failed to initialize!"; |
| + view()->ShowFatalEnrollmentError(); |
| + return; |
| + } |
| + if (!cryptohome->InstallAttributesIsFirstInstall()) { |
| + std::string value; |
| + if (cryptohome->InstallAttributesGet("enterprise.owned", &value) && |
| + value == "true") { |
| + if (cryptohome->InstallAttributesGet("enterprise.user", &value)) { |
| + if (value == user_) { |
| + // If we landed here with a locked lockbox this would mean we might |
| + // only want to reenroll with the DMServer so lock just continue. |
| + auth_fetcher_->StartIssueAuthToken( |
| + result.sid, result.lsid, |
| + GaiaConstants::kDeviceManagementService); |
| + return; |
| + } |
| + } |
| + } |
| + |
| + LOG(ERROR) << "Enrollment can not proceed because the lockbox " |
| + << "has been locked already!"; |
| + view()->ShowFatalEnrollmentError(); |
| + return; |
| + } |
| + |
| + // Set values in the lockbox and lock it. |
| + DCHECK(cryptohome->InstallAttributesIsFirstInstall()); |
| + cryptohome->InstallAttributesSet("enterprise.owned", "true"); |
| + cryptohome->InstallAttributesSet("enterprise.user", user_); |
| + DCHECK(cryptohome->InstallAttributesCount() == 2); |
| + cryptohome->InstallAttributesFinalize(); |
| + if (cryptohome->InstallAttributesIsFirstInstall()) { |
| + LOG(ERROR) << "Enrollment can not proceed because the lockbox " |
| + << "can not be sealed!"; |
| + view()->ShowFatalEnrollmentError(); |
| + return; |
| + } |
|
Mattias Nissler (ping if slow)
2011/04/15 18:48:03
nit: newline
pastarmovj
2011/04/15 19:19:12
Done.
|
| + // Proceed with register and policy fetch. |
| + auth_fetcher_->StartIssueAuthToken( |
| + result.sid, result.lsid, GaiaConstants::kDeviceManagementService); |
| +} |
| + |
| } // namespace chromeos |
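Review bot: In `WriteInstallAttributesData`, the only verification between the two `InstallAttributesSet` calls and `InstallAttributesFinalize()` is `DCHECK(cryptohome->InstallAttributesCount() == 2);`, which is compiled out of release builds, so a failed or partial write would still be sealed into the lockbox. Since locking appears to be one-way, the check should run in every build before the finalize call, e.g. `if (cryptohome->InstallAttributesCount() != 2) { view()->ShowFatalEnrollmentError(); return; }` together with an error log. If `InstallAttributesSet` and `InstallAttributesFinalize` report failure through their return values (their signatures are not visible here), those should be checked as well. Separately, the not-ready branch re-posts itself every `kLockboxRetryIntervalMs` with no retry limit, and each pending task presumably holds a copy of `result` with its `sid`/`lsid` values. A bounded retry count that ends in `ShowFatalEnrollmentError()` would keep a lockbox that never becomes ready from stalling the screen indefinitely.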