Update server-backed state key generation.

chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
+#include "base/port.h"
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/pref_service.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/time/time.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h"
 #include "chrome/browser/chromeos/login/startup_utils.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
 #include "chrome/browser/chromeos/policy/server_backed_device_state.h"
 #include "chrome/common/chrome_content_client.h"
 #include "chrome/common/pref_names.h"
 #include "chromeos/chromeos_constants.h"
@@ skipping 15 matching lines @@
 namespace policy {
 
 namespace {
 
 // Overridden no requisition value.
 const char kNoRequisition[] = "none";
 
 // Overridden no requisition value.
 const char kRemoraRequisition[] = "remora";
 
-// MachineInfo key names.
-const char kMachineInfoSystemHwqual[] = "hardware_class";
-
 // These are the machine serial number keys that we check in order until we
 // find a non-empty serial number. The VPD spec says the serial number should be
 // in the "serial_number" key for v2+ VPDs. However, legacy devices used a
-// different keys to report their serial number, which we fall back to if
+// different key to report their serial number, which we fall back to if
 // "serial_number" is not present.
 //
 // Product_S/N is still special-cased due to inconsistencies with serial
 // numbers on Lumpy devices: On these devices, serial_number is identical to
 // Product_S/N with an appended checksum. Unfortunately, the sticker on the
 // packaging doesn't include that checksum either (the sticker on the device
 // does though!). The former sticker is the source of the serial number used by
 // device management service, so we prefer Product_S/N over serial number to
 // match the server.
 //
@@ skipping 25 matching lines @@
   chromeos::system::StatisticsProvider* provider =
       chromeos::system::StatisticsProvider::GetInstance();
   if (!provider->GetMachineFlag(key, &value))
     return default_value;
 
   return value;
 }
 
 }  // namespace
 
+const int
+DeviceCloudPolicyManagerChromeOS::kDeviceStateKeyTimeQuantumPower;
+
+const int
+DeviceCloudPolicyManagerChromeOS::kDeviceStateKeyFutureQuanta;
+
 DeviceCloudPolicyManagerChromeOS::DeviceCloudPolicyManagerChromeOS(
     scoped_ptr<DeviceCloudPolicyStoreChromeOS> store,
     const scoped_refptr<base::SequencedTaskRunner>& task_runner,
     const scoped_refptr<base::SequencedTaskRunner>& background_task_runner,
     EnterpriseInstallAttributes* install_attributes)
     : CloudPolicyManager(
           PolicyNamespaceKey(dm_protocol::kChromeDevicePolicyType,
                              std::string()),
           store.get(),
           task_runner,
@@ skipping 29 matching lines @@
     const AllowedDeviceModes& allowed_device_modes,
     const EnrollmentCallback& callback) {
   CHECK(device_management_service_);
   core()->Disconnect();
 
   enrollment_handler_.reset(
       new EnrollmentHandlerChromeOS(
           device_store_.get(), install_attributes_, CreateClient(),
           background_task_runner_, auth_token,
           install_attributes_->GetDeviceId(), is_auto_enrollment,
-          GetDeviceRequisition(), GetDeviceStateKey(), allowed_device_modes,
+          GetDeviceRequisition(), GetCurrentDeviceStateKey(),
+          allowed_device_modes,
           base::Bind(&DeviceCloudPolicyManagerChromeOS::EnrollmentCompleted,
                      base::Unretained(this), callback)));
   enrollment_handler_->StartEnrollment();
 }
 
 void DeviceCloudPolicyManagerChromeOS::CancelEnrollment() {
   if (enrollment_handler_.get()) {
     enrollment_handler_.reset();
     StartIfManaged();
   }
@@ skipping 102 matching lines @@
   }
 
   if (machine_id.empty())
     LOG(WARNING) << "Failed to get machine id.";
 
   return machine_id;
 }
 
 // static
 std::string DeviceCloudPolicyManagerChromeOS::GetMachineModel() {
-  return GetMachineStatistic(kMachineInfoSystemHwqual);
+  return GetMachineStatistic(chromeos::system::kHardwareClassKey);
 }
 
 // static
-std::string DeviceCloudPolicyManagerChromeOS::GetDeviceStateKey() {
-  // TODO(mnissler): Figure out which stable device identifiers should be used
-  // here and update the code. See http://crbug.com/352599.
-  std::string group_code_key =
-      GetMachineStatistic(chromeos::system::kOffersGroupCodeKey);
-  return crypto::SHA256HashString(group_code_key + GetMachineID());
+std::string DeviceCloudPolicyManagerChromeOS::GetCurrentDeviceStateKey() {
+  std::vector<std::string> state_keys;
+  if (GetDeviceStateKeys(base::Time::Now(), &state_keys) &&
+      !state_keys.empty()) {
+    // The key for the current time is always the first one.
+    return state_keys[0];
+  }
+
+  return std::string();
 }
 
 scoped_ptr<CloudPolicyClient> DeviceCloudPolicyManagerChromeOS::CreateClient() {
   scoped_refptr<net::URLRequestContextGetter> request_context =
       new SystemPolicyRequestContext(
           g_browser_process->system_request_context(), GetUserAgent());
 
   scoped_ptr<CloudPolicyClient> client(
       new CloudPolicyClient(GetMachineID(), GetMachineModel(),
                             kPolicyVerificationKeyHash,
                             USER_AFFILIATION_NONE,
                             device_status_provider_.get(),
                             device_management_service_,
                             request_context));
 
   // Set state keys to upload immediately after creation so the first policy
   // fetch submits them to the server.
   if (CommandLine::ForCurrentProcess()->HasSwitch(
           chromeos::switches::kEnterpriseEnableForcedReEnrollment)) {
     std::vector<std::string> state_keys;
-    state_keys.push_back(GetDeviceStateKey());
-    client->SetStateKeysToUpload(state_keys);
+    if (GetDeviceStateKeys(base::Time::Now(), &state_keys))
+      client->SetStateKeysToUpload(state_keys);
   }
 
   return client.Pass();
 }
 
 void DeviceCloudPolicyManagerChromeOS::EnrollmentCompleted(
     const EnrollmentCallback& callback,
     EnrollmentStatus status) {
   if (status.status() == EnrollmentStatus::STATUS_SUCCESS)
     StartConnection(enrollment_handler_->ReleaseClient());
@@ skipping 57 matching lines @@
 }
 
 std::string DeviceCloudPolicyManagerChromeOS::GetRestoreMode() const {
   const base::DictionaryValue* device_state_dict =
       local_state_->GetDictionary(prefs::kServerBackedDeviceState);
   std::string restore_mode;
   device_state_dict->GetString(kDeviceStateRestoreMode, &restore_mode);
   return restore_mode;
 }
 
+// static
+bool DeviceCloudPolicyManagerChromeOS::GetDeviceStateKeys(
+    const base::Time& timestamp,
+    std::vector<std::string>* state_keys) {
+  state_keys->clear();
+
+  std::string disk_serial_number =
+      GetMachineStatistic(chromeos::system::kDiskSerialNumber);
+  if (disk_serial_number.empty()) {
+    LOG(ERROR) << "Missing disk serial number";
+    return false;
+  }
+
+  std::string machine_id = GetMachineID();
+  if (machine_id.empty())
+    return false;
+
+  // Tolerate missing group code keys, some old devices may not have it.
+  std::string group_code_key =
+      GetMachineStatistic(chromeos::system::kOffersGroupCodeKey);
+
+  // Get the current time in quantized form.
+  int64 quantum_size = GG_INT64_C(1) << kDeviceStateKeyTimeQuantumPower;
+  int64 quantized_time =
+      (timestamp - base::Time::UnixEpoch()).InSeconds() & ~(quantum_size - 1);
+  for (int i = 0; i < kDeviceStateKeyFutureQuanta; ++i) {
+    state_keys->push_back(crypto::SHA256HashString(
+        crypto::SHA256HashString(group_code_key) +
+        crypto::SHA256HashString(disk_serial_number) +
+        crypto::SHA256HashString(machine_id) +
+        crypto::SHA256HashString(base::Int64ToString(quantized_time))));
+    quantized_time += quantum_size;
+  }
+
+  return true;
+}
+
 }  // namespace policy