| OLD | NEW |
|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" | 5 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/callback.h" | 10 #include "base/callback.h" |
| 11 #include "base/location.h" | 11 #include "base/location.h" |
| 12 #include "base/time/time.h" | 12 #include "base/time/time.h" |
| 13 #include "chrome/browser/chrome_notification_types.h" | 13 #include "chrome/browser/chrome_notification_types.h" |
| 14 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" | 14 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" |
| 15 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h" | 15 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h" |
| 16 #include "chrome/browser/chromeos/settings/cros_settings.h" | 16 #include "chrome/browser/chromeos/settings/cros_settings.h" |
| 17 #include "chromeos/attestation/attestation_flow.h" | 17 #include "chromeos/attestation/attestation_flow.h" |
| 18 #include "chromeos/cryptohome/async_method_caller.h" | 18 #include "chromeos/cryptohome/async_method_caller.h" |
| 19 #include "chromeos/dbus/cryptohome_client.h" | 19 #include "chromeos/dbus/cryptohome_client.h" |
| 20 #include "chromeos/dbus/dbus_method_call_status.h" | 20 #include "chromeos/dbus/dbus_method_call_status.h" |
| 21 #include "chromeos/dbus/dbus_thread_manager.h" | 21 #include "chromeos/dbus/dbus_thread_manager.h" |
| 22 #include "components/policy/core/common/cloud/cloud_policy_client.h" | 22 #include "components/policy/core/common/cloud/cloud_policy_client.h" |
| 23 #include "components/policy/core/common/cloud/cloud_policy_manager.h" | 23 #include "components/policy/core/common/cloud/cloud_policy_manager.h" |
| 24 #include "components/user_manager/user_id.h" |
| 24 #include "content/public/browser/browser_thread.h" | 25 #include "content/public/browser/browser_thread.h" |
| 25 #include "content/public/browser/notification_details.h" | 26 #include "content/public/browser/notification_details.h" |
| 26 #include "net/cert/x509_certificate.h" | 27 #include "net/cert/x509_certificate.h" |
| 27 | 28 |
| 28 namespace { | 29 namespace { |
| 29 | 30 |
| 30 // The number of days before a certificate expires during which it is | 31 // The number of days before a certificate expires during which it is |
| 31 // considered 'expiring soon' and replacement is initiated. The Chrome OS CA | 32 // considered 'expiring soon' and replacement is initiated. The Chrome OS CA |
| 32 // issues certificates with an expiry of at least two years. This value has | 33 // issues certificates with an expiry of at least two years. This value has |
| 33 // been set large enough so that the majority of users will have gone through | 34 // been set large enough so that the majority of users will have gone through |
| (...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 163 | 164 |
| 164 // Start a dbus call to check if an Enterprise Machine Key already exists. | 165 // Start a dbus call to check if an Enterprise Machine Key already exists. |
| 165 base::Closure on_does_exist = | 166 base::Closure on_does_exist = |
| 166 base::Bind(&AttestationPolicyObserver::GetExistingCertificate, | 167 base::Bind(&AttestationPolicyObserver::GetExistingCertificate, |
| 167 weak_factory_.GetWeakPtr()); | 168 weak_factory_.GetWeakPtr()); |
| 168 base::Closure on_does_not_exist = | 169 base::Closure on_does_not_exist = |
| 169 base::Bind(&AttestationPolicyObserver::GetNewCertificate, | 170 base::Bind(&AttestationPolicyObserver::GetNewCertificate, |
| 170 weak_factory_.GetWeakPtr()); | 171 weak_factory_.GetWeakPtr()); |
| 171 cryptohome_client_->TpmAttestationDoesKeyExist( | 172 cryptohome_client_->TpmAttestationDoesKeyExist( |
| 172 KEY_DEVICE, | 173 KEY_DEVICE, |
| 173 std::string(), // Not used. | 174 user_manager::EmptyUserID(), // Not used. |
| 174 kEnterpriseMachineKey, | 175 kEnterpriseMachineKey, |
| 175 base::Bind(DBusBoolRedirectCallback, | 176 base::Bind(DBusBoolRedirectCallback, |
| 176 on_does_exist, | 177 on_does_exist, |
| 177 on_does_not_exist, | 178 on_does_not_exist, |
| 178 base::Bind(&AttestationPolicyObserver::Reschedule, | 179 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 179 weak_factory_.GetWeakPtr()), | 180 weak_factory_.GetWeakPtr()), |
| 180 FROM_HERE)); | 181 FROM_HERE)); |
| 181 } | 182 } |
| 182 | 183 |
| 183 void AttestationPolicyObserver::GetNewCertificate() { | 184 void AttestationPolicyObserver::GetNewCertificate() { |
| 184 // We can reuse the dbus callback handler logic. | 185 // We can reuse the dbus callback handler logic. |
| 185 attestation_flow_->GetCertificate( | 186 attestation_flow_->GetCertificate( |
| 186 PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, | 187 PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, |
| 187 std::string(), // Not used. | 188 user_manager::EmptyUserID(), // Not used. |
| 188 std::string(), // Not used. | 189 std::string(), // Not used. |
| 189 true, // Force a new key to be generated. | 190 true, // Force a new key to be generated. |
| 190 base::Bind(DBusStringCallback, | 191 base::Bind(DBusStringCallback, |
| 191 base::Bind(&AttestationPolicyObserver::UploadCertificate, | 192 base::Bind(&AttestationPolicyObserver::UploadCertificate, |
| 192 weak_factory_.GetWeakPtr()), | 193 weak_factory_.GetWeakPtr()), |
| 193 base::Bind(&AttestationPolicyObserver::Reschedule, | 194 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 194 weak_factory_.GetWeakPtr()), | 195 weak_factory_.GetWeakPtr()), |
| 195 FROM_HERE, | 196 FROM_HERE, |
| 196 DBUS_METHOD_CALL_SUCCESS)); | 197 DBUS_METHOD_CALL_SUCCESS)); |
| 197 } | 198 } |
| 198 | 199 |
| 199 void AttestationPolicyObserver::GetExistingCertificate() { | 200 void AttestationPolicyObserver::GetExistingCertificate() { |
| 200 cryptohome_client_->TpmAttestationGetCertificate( | 201 cryptohome_client_->TpmAttestationGetCertificate( |
| 201 KEY_DEVICE, | 202 KEY_DEVICE, |
| 202 std::string(), // Not used. | 203 user_manager::EmptyUserID(), // Not used. |
| 203 kEnterpriseMachineKey, | 204 kEnterpriseMachineKey, |
| 204 base::Bind(DBusStringCallback, | 205 base::Bind(DBusStringCallback, |
| 205 base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, | 206 base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, |
| 206 weak_factory_.GetWeakPtr()), | 207 weak_factory_.GetWeakPtr()), |
| 207 base::Bind(&AttestationPolicyObserver::Reschedule, | 208 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 208 weak_factory_.GetWeakPtr()), | 209 weak_factory_.GetWeakPtr()), |
| 209 FROM_HERE)); | 210 FROM_HERE)); |
| 210 } | 211 } |
| 211 | 212 |
| 212 void AttestationPolicyObserver::CheckCertificateExpiry( | 213 void AttestationPolicyObserver::CheckCertificateExpiry( |
| (...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 250 // Already uploaded... nothing more to do. | 251 // Already uploaded... nothing more to do. |
| 251 return; | 252 return; |
| 252 } | 253 } |
| 253 UploadCertificate(certificate); | 254 UploadCertificate(certificate); |
| 254 } | 255 } |
| 255 | 256 |
| 256 void AttestationPolicyObserver::GetKeyPayload( | 257 void AttestationPolicyObserver::GetKeyPayload( |
| 257 base::Callback<void(const std::string&)> callback) { | 258 base::Callback<void(const std::string&)> callback) { |
| 258 cryptohome_client_->TpmAttestationGetKeyPayload( | 259 cryptohome_client_->TpmAttestationGetKeyPayload( |
| 259 KEY_DEVICE, | 260 KEY_DEVICE, |
| 260 std::string(), // Not used. | 261 user_manager::EmptyUserID(), // Not used. |
| 261 kEnterpriseMachineKey, | 262 kEnterpriseMachineKey, |
| 262 base::Bind(DBusStringCallback, | 263 base::Bind(DBusStringCallback, |
| 263 callback, | 264 callback, |
| 264 base::Bind(&AttestationPolicyObserver::Reschedule, | 265 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 265 weak_factory_.GetWeakPtr()), | 266 weak_factory_.GetWeakPtr()), |
| 266 FROM_HERE)); | 267 FROM_HERE)); |
| 267 } | 268 } |
| 268 | 269 |
| 269 void AttestationPolicyObserver::OnUploadComplete(bool status) { | 270 void AttestationPolicyObserver::OnUploadComplete(bool status) { |
| 270 if (!status) | 271 if (!status) |
| 271 return; | 272 return; |
| 272 VLOG(1) << "Enterprise Machine Certificate uploaded to DMServer."; | 273 VLOG(1) << "Enterprise Machine Certificate uploaded to DMServer."; |
| 273 GetKeyPayload(base::Bind(&AttestationPolicyObserver::MarkAsUploaded, | 274 GetKeyPayload(base::Bind(&AttestationPolicyObserver::MarkAsUploaded, |
| 274 weak_factory_.GetWeakPtr())); | 275 weak_factory_.GetWeakPtr())); |
| 275 } | 276 } |
| 276 | 277 |
| 277 void AttestationPolicyObserver::MarkAsUploaded(const std::string& key_payload) { | 278 void AttestationPolicyObserver::MarkAsUploaded(const std::string& key_payload) { |
| 278 AttestationKeyPayload payload_pb; | 279 AttestationKeyPayload payload_pb; |
| 279 if (!key_payload.empty()) | 280 if (!key_payload.empty()) |
| 280 payload_pb.ParseFromString(key_payload); | 281 payload_pb.ParseFromString(key_payload); |
| 281 payload_pb.set_is_certificate_uploaded(true); | 282 payload_pb.set_is_certificate_uploaded(true); |
| 282 std::string new_payload; | 283 std::string new_payload; |
| 283 if (!payload_pb.SerializeToString(&new_payload)) { | 284 if (!payload_pb.SerializeToString(&new_payload)) { |
| 284 LOG(WARNING) << "Failed to serialize key payload."; | 285 LOG(WARNING) << "Failed to serialize key payload."; |
| 285 return; | 286 return; |
| 286 } | 287 } |
| 287 cryptohome_client_->TpmAttestationSetKeyPayload( | 288 cryptohome_client_->TpmAttestationSetKeyPayload( |
| 288 KEY_DEVICE, | 289 KEY_DEVICE, |
| 289 std::string(), // Not used. | 290 user_manager::EmptyUserID(), // Not used. |
| 290 kEnterpriseMachineKey, | 291 kEnterpriseMachineKey, |
| 291 new_payload, | 292 new_payload, |
| 292 base::Bind(DBusBoolRedirectCallback, | 293 base::Bind(DBusBoolRedirectCallback, |
| 293 base::Closure(), | 294 base::Closure(), |
| 294 base::Closure(), | 295 base::Closure(), |
| 295 base::Closure(), | 296 base::Closure(), |
| 296 FROM_HERE)); | 297 FROM_HERE)); |
| 297 } | 298 } |
| 298 | 299 |
| 299 void AttestationPolicyObserver::Reschedule() { | 300 void AttestationPolicyObserver::Reschedule() { |
| 300 if (++num_retries_ < kRetryLimit) { | 301 if (++num_retries_ < kRetryLimit) { |
| 301 content::BrowserThread::PostDelayedTask( | 302 content::BrowserThread::PostDelayedTask( |
| 302 content::BrowserThread::UI, FROM_HERE, | 303 content::BrowserThread::UI, FROM_HERE, |
| 303 base::Bind(&AttestationPolicyObserver::Start, | 304 base::Bind(&AttestationPolicyObserver::Start, |
| 304 weak_factory_.GetWeakPtr()), | 305 weak_factory_.GetWeakPtr()), |
| 305 base::TimeDelta::FromSeconds(retry_delay_)); | 306 base::TimeDelta::FromSeconds(retry_delay_)); |
| 306 } else { | 307 } else { |
| 307 LOG(WARNING) << "AttestationPolicyObserver: Retry limit exceeded."; | 308 LOG(WARNING) << "AttestationPolicyObserver: Retry limit exceeded."; |
| 308 } | 309 } |
| 309 } | 310 } |
| 310 | 311 |
| 311 } // namespace attestation | 312 } // namespace attestation |
| 312 } // namespace chromeos | 313 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1165323004:
We should use UserID object to identify users instead of username.
Base URL: https://chromium.googlesource.com/chromium/src.git@master