Chromium Code Reviews Chromium Code Reviews
Issue 1693383003:
ChromeOS cryptohome should be able to use gaia id as user identifier. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" | 5 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| 11 #include "base/callback.h" | 11 #include "base/callback.h" |
| 12 #include "base/location.h" | 12 #include "base/location.h" |
| 13 #include "base/time/time.h" | 13 #include "base/time/time.h" |
| 14 #include "chrome/browser/chrome_notification_types.h" | 14 #include "chrome/browser/chrome_notification_types.h" |
| 15 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" | 15 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" |
| 16 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h" | 16 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h" |
| 17 #include "chrome/browser/chromeos/settings/cros_settings.h" | 17 #include "chrome/browser/chromeos/settings/cros_settings.h" |
| 18 #include "chromeos/attestation/attestation_flow.h" | 18 #include "chromeos/attestation/attestation_flow.h" |
| 19 #include "chromeos/cryptohome/async_method_caller.h" | 19 #include "chromeos/cryptohome/async_method_caller.h" |
| 20 #include "chromeos/cryptohome/cryptohome_parameters.h" | |
| 20 #include "chromeos/dbus/cryptohome_client.h" | 21 #include "chromeos/dbus/cryptohome_client.h" |
| 21 #include "chromeos/dbus/dbus_method_call_status.h" | 22 #include "chromeos/dbus/dbus_method_call_status.h" |
| 22 #include "chromeos/dbus/dbus_thread_manager.h" | 23 #include "chromeos/dbus/dbus_thread_manager.h" |
| 23 #include "components/policy/core/common/cloud/cloud_policy_client.h" | 24 #include "components/policy/core/common/cloud/cloud_policy_client.h" |
| 24 #include "components/policy/core/common/cloud/cloud_policy_manager.h" | 25 #include "components/policy/core/common/cloud/cloud_policy_manager.h" |
| 26 #include "components/signin/core/account_id/account_id.h" | |
| 27 #include "components/user_manager/known_user.h" | |
| 25 #include "content/public/browser/browser_thread.h" | 28 #include "content/public/browser/browser_thread.h" |
| 26 #include "content/public/browser/notification_details.h" | 29 #include "content/public/browser/notification_details.h" |
| 27 #include "net/cert/pem_tokenizer.h" | 30 #include "net/cert/pem_tokenizer.h" |
| 28 #include "net/cert/x509_certificate.h" | 31 #include "net/cert/x509_certificate.h" |
| 29 | 32 |
| 30 namespace { | 33 namespace { |
| 31 | 34 |
| 32 // The number of days before a certificate expires during which it is | 35 // The number of days before a certificate expires during which it is |
| 33 // considered 'expiring soon' and replacement is initiated. The Chrome OS CA | 36 // considered 'expiring soon' and replacement is initiated. The Chrome OS CA |
| 34 // issues certificates with an expiry of at least two years. This value has | 37 // issues certificates with an expiry of at least two years. This value has |
| (...skipping 129 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 164 | 167 |
| 165 // Start a dbus call to check if an Enterprise Machine Key already exists. | 168 // Start a dbus call to check if an Enterprise Machine Key already exists. |
| 166 base::Closure on_does_exist = | 169 base::Closure on_does_exist = |
| 167 base::Bind(&AttestationPolicyObserver::GetExistingCertificate, | 170 base::Bind(&AttestationPolicyObserver::GetExistingCertificate, |
| 168 weak_factory_.GetWeakPtr()); | 171 weak_factory_.GetWeakPtr()); |
| 169 base::Closure on_does_not_exist = | 172 base::Closure on_does_not_exist = |
| 170 base::Bind(&AttestationPolicyObserver::GetNewCertificate, | 173 base::Bind(&AttestationPolicyObserver::GetNewCertificate, |
| 171 weak_factory_.GetWeakPtr()); | 174 weak_factory_.GetWeakPtr()); |
| 172 cryptohome_client_->TpmAttestationDoesKeyExist( | 175 cryptohome_client_->TpmAttestationDoesKeyExist( |
| 173 KEY_DEVICE, | 176 KEY_DEVICE, |
| 174 std::string(), // Not used. | 177 cryptohome::Identification(EmptyAccountId()).id(), // Not used. |
|
Darren Krahn
2016/02/17 20:48:05
Would a default constructor for cryptohome::Identi
Alexander Alekseev
2016/02/18 13:45:14
Hmm. Actually only tests would benefit from this.
| |
| 175 kEnterpriseMachineKey, | 178 kEnterpriseMachineKey, |
| 176 base::Bind(DBusBoolRedirectCallback, | 179 base::Bind(DBusBoolRedirectCallback, on_does_exist, on_does_not_exist, |
| 177 on_does_exist, | |
| 178 on_does_not_exist, | |
| 179 base::Bind(&AttestationPolicyObserver::Reschedule, | 180 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 180 weak_factory_.GetWeakPtr()), | 181 weak_factory_.GetWeakPtr()), |
| 181 FROM_HERE)); | 182 FROM_HERE)); |
| 182 } | 183 } |
| 183 | 184 |
| 184 void AttestationPolicyObserver::GetNewCertificate() { | 185 void AttestationPolicyObserver::GetNewCertificate() { |
| 185 // We can reuse the dbus callback handler logic. | 186 // We can reuse the dbus callback handler logic. |
| 186 attestation_flow_->GetCertificate( | 187 attestation_flow_->GetCertificate( |
| 187 PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, | 188 PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, |
| 188 std::string(), // Not used. | 189 EmptyAccountId(), // Not used. |
| 189 std::string(), // Not used. | 190 std::string(), // Not used. |
| 190 true, // Force a new key to be generated. | 191 true, // Force a new key to be generated. |
| 191 base::Bind(DBusStringCallback, | 192 base::Bind(DBusStringCallback, |
| 192 base::Bind(&AttestationPolicyObserver::UploadCertificate, | 193 base::Bind(&AttestationPolicyObserver::UploadCertificate, |
| 193 weak_factory_.GetWeakPtr()), | 194 weak_factory_.GetWeakPtr()), |
| 194 base::Bind(&AttestationPolicyObserver::Reschedule, | 195 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 195 weak_factory_.GetWeakPtr()), | 196 weak_factory_.GetWeakPtr()), |
| 196 FROM_HERE, | 197 FROM_HERE, DBUS_METHOD_CALL_SUCCESS)); |
| 197 DBUS_METHOD_CALL_SUCCESS)); | |
| 198 } | 198 } |
| 199 | 199 |
| 200 void AttestationPolicyObserver::GetExistingCertificate() { | 200 void AttestationPolicyObserver::GetExistingCertificate() { |
| 201 cryptohome_client_->TpmAttestationGetCertificate( | 201 cryptohome_client_->TpmAttestationGetCertificate( |
| 202 KEY_DEVICE, | 202 KEY_DEVICE, |
| 203 std::string(), // Not used. | 203 cryptohome::Identification(EmptyAccountId()).id(), // Not used. |
| 204 kEnterpriseMachineKey, | 204 kEnterpriseMachineKey, |
| 205 base::Bind(DBusStringCallback, | 205 base::Bind(DBusStringCallback, |
| 206 base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, | 206 base::Bind(&AttestationPolicyObserver::CheckCertificateExpiry, |
| 207 weak_factory_.GetWeakPtr()), | 207 weak_factory_.GetWeakPtr()), |
| 208 base::Bind(&AttestationPolicyObserver::Reschedule, | 208 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 209 weak_factory_.GetWeakPtr()), | 209 weak_factory_.GetWeakPtr()), |
| 210 FROM_HERE)); | 210 FROM_HERE)); |
| 211 } | 211 } |
| 212 | 212 |
| 213 void AttestationPolicyObserver::CheckCertificateExpiry( | 213 void AttestationPolicyObserver::CheckCertificateExpiry( |
| (...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 265 // Already uploaded... nothing more to do. | 265 // Already uploaded... nothing more to do. |
| 266 return; | 266 return; |
| 267 } | 267 } |
| 268 UploadCertificate(pem_certificate_chain); | 268 UploadCertificate(pem_certificate_chain); |
| 269 } | 269 } |
| 270 | 270 |
| 271 void AttestationPolicyObserver::GetKeyPayload( | 271 void AttestationPolicyObserver::GetKeyPayload( |
| 272 base::Callback<void(const std::string&)> callback) { | 272 base::Callback<void(const std::string&)> callback) { |
| 273 cryptohome_client_->TpmAttestationGetKeyPayload( | 273 cryptohome_client_->TpmAttestationGetKeyPayload( |
| 274 KEY_DEVICE, | 274 KEY_DEVICE, |
| 275 std::string(), // Not used. | 275 cryptohome::Identification(EmptyAccountId()).id(), // Not used. |
| 276 kEnterpriseMachineKey, | 276 kEnterpriseMachineKey, |
| 277 base::Bind(DBusStringCallback, | 277 base::Bind(DBusStringCallback, callback, |
| 278 callback, | |
| 279 base::Bind(&AttestationPolicyObserver::Reschedule, | 278 base::Bind(&AttestationPolicyObserver::Reschedule, |
| 280 weak_factory_.GetWeakPtr()), | 279 weak_factory_.GetWeakPtr()), |
| 281 FROM_HERE)); | 280 FROM_HERE)); |
| 282 } | 281 } |
| 283 | 282 |
| 284 void AttestationPolicyObserver::OnUploadComplete(bool status) { | 283 void AttestationPolicyObserver::OnUploadComplete(bool status) { |
| 285 if (!status) | 284 if (!status) |
| 286 return; | 285 return; |
| 287 VLOG(1) << "Enterprise Machine Certificate uploaded to DMServer."; | 286 VLOG(1) << "Enterprise Machine Certificate uploaded to DMServer."; |
| 288 GetKeyPayload(base::Bind(&AttestationPolicyObserver::MarkAsUploaded, | 287 GetKeyPayload(base::Bind(&AttestationPolicyObserver::MarkAsUploaded, |
| 289 weak_factory_.GetWeakPtr())); | 288 weak_factory_.GetWeakPtr())); |
| 290 } | 289 } |
| 291 | 290 |
| 292 void AttestationPolicyObserver::MarkAsUploaded(const std::string& key_payload) { | 291 void AttestationPolicyObserver::MarkAsUploaded(const std::string& key_payload) { |
| 293 AttestationKeyPayload payload_pb; | 292 AttestationKeyPayload payload_pb; |
| 294 if (!key_payload.empty()) | 293 if (!key_payload.empty()) |
| 295 payload_pb.ParseFromString(key_payload); | 294 payload_pb.ParseFromString(key_payload); |
| 296 payload_pb.set_is_certificate_uploaded(true); | 295 payload_pb.set_is_certificate_uploaded(true); |
| 297 std::string new_payload; | 296 std::string new_payload; |
| 298 if (!payload_pb.SerializeToString(&new_payload)) { | 297 if (!payload_pb.SerializeToString(&new_payload)) { |
| 299 LOG(WARNING) << "Failed to serialize key payload."; | 298 LOG(WARNING) << "Failed to serialize key payload."; |
| 300 return; | 299 return; |
| 301 } | 300 } |
| 302 cryptohome_client_->TpmAttestationSetKeyPayload( | 301 cryptohome_client_->TpmAttestationSetKeyPayload( |
| 303 KEY_DEVICE, | 302 KEY_DEVICE, |
| 304 std::string(), // Not used. | 303 cryptohome::Identification(EmptyAccountId()).id(), // Not used. |
| 305 kEnterpriseMachineKey, | 304 kEnterpriseMachineKey, new_payload, |
| 306 new_payload, | 305 base::Bind(DBusBoolRedirectCallback, base::Closure(), base::Closure(), |
| 307 base::Bind(DBusBoolRedirectCallback, | 306 base::Closure(), FROM_HERE)); |
| 308 base::Closure(), | |
| 309 base::Closure(), | |
| 310 base::Closure(), | |
| 311 FROM_HERE)); | |
| 312 } | 307 } |
| 313 | 308 |
| 314 void AttestationPolicyObserver::Reschedule() { | 309 void AttestationPolicyObserver::Reschedule() { |
| 315 if (++num_retries_ < kRetryLimit) { | 310 if (++num_retries_ < kRetryLimit) { |
| 316 content::BrowserThread::PostDelayedTask( | 311 content::BrowserThread::PostDelayedTask( |
| 317 content::BrowserThread::UI, FROM_HERE, | 312 content::BrowserThread::UI, FROM_HERE, |
| 318 base::Bind(&AttestationPolicyObserver::Start, | 313 base::Bind(&AttestationPolicyObserver::Start, |
| 319 weak_factory_.GetWeakPtr()), | 314 weak_factory_.GetWeakPtr()), |
| 320 base::TimeDelta::FromSeconds(retry_delay_)); | 315 base::TimeDelta::FromSeconds(retry_delay_)); |
| 321 } else { | 316 } else { |
| 322 LOG(WARNING) << "AttestationPolicyObserver: Retry limit exceeded."; | 317 LOG(WARNING) << "AttestationPolicyObserver: Retry limit exceeded."; |
| 323 } | 318 } |
| 324 } | 319 } |
| 325 | 320 |
| 326 } // namespace attestation | 321 } // namespace attestation |
| 327 } // namespace chromeos | 322 } // namespace chromeos |
| OLD | NEW |
