Chromium Code Reviews| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/port.h" | |
| 10 #include "base/prefs/pref_registry_simple.h" | 11 #include "base/prefs/pref_registry_simple.h" |
| 11 #include "base/prefs/pref_service.h" | 12 #include "base/prefs/pref_service.h" |
| 13 #include "base/strings/string_number_conversions.h" | |
| 14 #include "base/time/time.h" | |
| 12 #include "chrome/browser/browser_process.h" | 15 #include "chrome/browser/browser_process.h" |
| 13 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" | 16 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h" |
| 14 #include "chrome/browser/chromeos/login/startup_utils.h" | 17 #include "chrome/browser/chromeos/login/startup_utils.h" |
| 15 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" | 18 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" |
| 16 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" | 19 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" |
| 17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" | 20 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" |
| 18 #include "chrome/browser/chromeos/policy/server_backed_device_state.h" | 21 #include "chrome/browser/chromeos/policy/server_backed_device_state.h" |
| 19 #include "chrome/common/chrome_content_client.h" | 22 #include "chrome/common/chrome_content_client.h" |
| 20 #include "chrome/common/pref_names.h" | 23 #include "chrome/common/pref_names.h" |
| 21 #include "chromeos/chromeos_constants.h" | 24 #include "chromeos/chromeos_constants.h" |
| (...skipping 15 matching lines...) Expand all Loading... | |
| 37 namespace policy { | 40 namespace policy { |
| 38 | 41 |
| 39 namespace { | 42 namespace { |
| 40 | 43 |
| 41 // Overridden no requisition value. | 44 // Overridden no requisition value. |
| 42 const char kNoRequisition[] = "none"; | 45 const char kNoRequisition[] = "none"; |
| 43 | 46 |
| 44 // Overridden no requisition value. | 47 // Overridden no requisition value. |
| 45 const char kRemoraRequisition[] = "remora"; | 48 const char kRemoraRequisition[] = "remora"; |
| 46 | 49 |
| 47 // MachineInfo key names. | |
| 48 const char kMachineInfoSystemHwqual[] = "hardware_class"; | |
| 49 | |
| 50 // These are the machine serial number keys that we check in order until we | 50 // These are the machine serial number keys that we check in order until we |
| 51 // find a non-empty serial number. The VPD spec says the serial number should be | 51 // find a non-empty serial number. The VPD spec says the serial number should be |
| 52 // in the "serial_number" key for v2+ VPDs. However, legacy devices used a | 52 // in the "serial_number" key for v2+ VPDs. However, legacy devices used a |
| 53 // different keys to report their serial number, which we fall back to if | 53 // different key to report their serial number, which we fall back to if |
| 54 // "serial_number" is not present. | 54 // "serial_number" is not present. |
| 55 // | 55 // |
| 56 // Product_S/N is still special-cased due to inconsistencies with serial | 56 // Product_S/N is still special-cased due to inconsistencies with serial |
| 57 // numbers on Lumpy devices: On these devices, serial_number is identical to | 57 // numbers on Lumpy devices: On these devices, serial_number is identical to |
| 58 // Product_S/N with an appended checksum. Unfortunately, the sticker on the | 58 // Product_S/N with an appended checksum. Unfortunately, the sticker on the |
| 59 // packaging doesn't include that checksum either (the sticker on the device | 59 // packaging doesn't include that checksum either (the sticker on the device |
| 60 // does though!). The former sticker is the source of the serial number used by | 60 // does though!). The former sticker is the source of the serial number used by |
| 61 // device management service, so we prefer Product_S/N over serial number to | 61 // device management service, so we prefer Product_S/N over serial number to |
| 62 // match the server. | 62 // match the server. |
| 63 // | 63 // |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 89 chromeos::system::StatisticsProvider* provider = | 89 chromeos::system::StatisticsProvider* provider = |
| 90 chromeos::system::StatisticsProvider::GetInstance(); | 90 chromeos::system::StatisticsProvider::GetInstance(); |
| 91 if (!provider->GetMachineFlag(key, &value)) | 91 if (!provider->GetMachineFlag(key, &value)) |
| 92 return default_value; | 92 return default_value; |
| 93 | 93 |
| 94 return value; | 94 return value; |
| 95 } | 95 } |
| 96 | 96 |
| 97 } // namespace | 97 } // namespace |
| 98 | 98 |
| 99 const int | |
| 100 DeviceCloudPolicyManagerChromeOS::kDeviceStateKeyTimeQuantumPower; | |
| 101 | |
| 102 const int | |
| 103 DeviceCloudPolicyManagerChromeOS::kDeviceStateKeyFutureQuanta; | |
|
Joao da Silva
2014/03/27 15:45:40
IIRC this is not necessary for static const ints (
Mattias Nissler (ping if slow)
2014/03/27 16:12:41
I got link errors and checked the net, which point
| |
| 104 | |
| 99 DeviceCloudPolicyManagerChromeOS::DeviceCloudPolicyManagerChromeOS( | 105 DeviceCloudPolicyManagerChromeOS::DeviceCloudPolicyManagerChromeOS( |
| 100 scoped_ptr<DeviceCloudPolicyStoreChromeOS> store, | 106 scoped_ptr<DeviceCloudPolicyStoreChromeOS> store, |
| 101 const scoped_refptr<base::SequencedTaskRunner>& task_runner, | 107 const scoped_refptr<base::SequencedTaskRunner>& task_runner, |
| 102 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, | 108 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, |
| 103 EnterpriseInstallAttributes* install_attributes) | 109 EnterpriseInstallAttributes* install_attributes) |
| 104 : CloudPolicyManager( | 110 : CloudPolicyManager( |
| 105 PolicyNamespaceKey(dm_protocol::kChromeDevicePolicyType, | 111 PolicyNamespaceKey(dm_protocol::kChromeDevicePolicyType, |
| 106 std::string()), | 112 std::string()), |
| 107 store.get(), | 113 store.get(), |
| 108 task_runner, | 114 task_runner, |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 138 const AllowedDeviceModes& allowed_device_modes, | 144 const AllowedDeviceModes& allowed_device_modes, |
| 139 const EnrollmentCallback& callback) { | 145 const EnrollmentCallback& callback) { |
| 140 CHECK(device_management_service_); | 146 CHECK(device_management_service_); |
| 141 core()->Disconnect(); | 147 core()->Disconnect(); |
| 142 | 148 |
| 143 enrollment_handler_.reset( | 149 enrollment_handler_.reset( |
| 144 new EnrollmentHandlerChromeOS( | 150 new EnrollmentHandlerChromeOS( |
| 145 device_store_.get(), install_attributes_, CreateClient(), | 151 device_store_.get(), install_attributes_, CreateClient(), |
| 146 background_task_runner_, auth_token, | 152 background_task_runner_, auth_token, |
| 147 install_attributes_->GetDeviceId(), is_auto_enrollment, | 153 install_attributes_->GetDeviceId(), is_auto_enrollment, |
| 148 GetDeviceRequisition(), GetDeviceStateKey(), allowed_device_modes, | 154 GetDeviceRequisition(), GetCurrentDeviceStateKey(), |
| 155 allowed_device_modes, | |
| 149 base::Bind(&DeviceCloudPolicyManagerChromeOS::EnrollmentCompleted, | 156 base::Bind(&DeviceCloudPolicyManagerChromeOS::EnrollmentCompleted, |
| 150 base::Unretained(this), callback))); | 157 base::Unretained(this), callback))); |
| 151 enrollment_handler_->StartEnrollment(); | 158 enrollment_handler_->StartEnrollment(); |
| 152 } | 159 } |
| 153 | 160 |
| 154 void DeviceCloudPolicyManagerChromeOS::CancelEnrollment() { | 161 void DeviceCloudPolicyManagerChromeOS::CancelEnrollment() { |
| 155 if (enrollment_handler_.get()) { | 162 if (enrollment_handler_.get()) { |
| 156 enrollment_handler_.reset(); | 163 enrollment_handler_.reset(); |
| 157 StartIfManaged(); | 164 StartIfManaged(); |
| 158 } | 165 } |
| (...skipping 102 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 261 } | 268 } |
| 262 | 269 |
| 263 if (machine_id.empty()) | 270 if (machine_id.empty()) |
| 264 LOG(WARNING) << "Failed to get machine id."; | 271 LOG(WARNING) << "Failed to get machine id."; |
| 265 | 272 |
| 266 return machine_id; | 273 return machine_id; |
| 267 } | 274 } |
| 268 | 275 |
| 269 // static | 276 // static |
| 270 std::string DeviceCloudPolicyManagerChromeOS::GetMachineModel() { | 277 std::string DeviceCloudPolicyManagerChromeOS::GetMachineModel() { |
| 271 return GetMachineStatistic(kMachineInfoSystemHwqual); | 278 return GetMachineStatistic(chromeos::system::kHardwareClassKey); |
| 272 } | 279 } |
| 273 | 280 |
| 274 // static | 281 // static |
| 275 std::string DeviceCloudPolicyManagerChromeOS::GetDeviceStateKey() { | 282 std::string DeviceCloudPolicyManagerChromeOS::GetCurrentDeviceStateKey() { |
| 276 // TODO(mnissler): Figure out which stable device identifiers should be used | 283 std::vector<std::string> state_keys; |
| 277 // here and update the code. See http://crbug.com/352599. | 284 if (GetDeviceStateKeys(base::Time::Now(), &state_keys) && |
| 278 std::string group_code_key = | 285 !state_keys.empty()) { |
| 279 GetMachineStatistic(chromeos::system::kOffersGroupCodeKey); | 286 // The key for the current time is always the first one. |
| 280 return crypto::SHA256HashString(group_code_key + GetMachineID()); | 287 return state_keys[0]; |
| 288 } | |
| 289 | |
| 290 return std::string(); | |
| 281 } | 291 } |
| 282 | 292 |
| 283 scoped_ptr<CloudPolicyClient> DeviceCloudPolicyManagerChromeOS::CreateClient() { | 293 scoped_ptr<CloudPolicyClient> DeviceCloudPolicyManagerChromeOS::CreateClient() { |
| 284 scoped_refptr<net::URLRequestContextGetter> request_context = | 294 scoped_refptr<net::URLRequestContextGetter> request_context = |
| 285 new SystemPolicyRequestContext( | 295 new SystemPolicyRequestContext( |
| 286 g_browser_process->system_request_context(), GetUserAgent()); | 296 g_browser_process->system_request_context(), GetUserAgent()); |
| 287 | 297 |
| 288 scoped_ptr<CloudPolicyClient> client( | 298 scoped_ptr<CloudPolicyClient> client( |
| 289 new CloudPolicyClient(GetMachineID(), GetMachineModel(), | 299 new CloudPolicyClient(GetMachineID(), GetMachineModel(), |
| 290 kPolicyVerificationKeyHash, | 300 kPolicyVerificationKeyHash, |
| 291 USER_AFFILIATION_NONE, | 301 USER_AFFILIATION_NONE, |
| 292 device_status_provider_.get(), | 302 device_status_provider_.get(), |
| 293 device_management_service_, | 303 device_management_service_, |
| 294 request_context)); | 304 request_context)); |
| 295 | 305 |
| 296 // Set state keys to upload immediately after creation so the first policy | 306 // Set state keys to upload immediately after creation so the first policy |
| 297 // fetch submits them to the server. | 307 // fetch submits them to the server. |
| 298 if (CommandLine::ForCurrentProcess()->HasSwitch( | 308 if (CommandLine::ForCurrentProcess()->HasSwitch( |
| 299 chromeos::switches::kEnterpriseEnableForcedReEnrollment)) { | 309 chromeos::switches::kEnterpriseEnableForcedReEnrollment)) { |
| 300 std::vector<std::string> state_keys; | 310 std::vector<std::string> state_keys; |
| 301 state_keys.push_back(GetDeviceStateKey()); | 311 if (GetDeviceStateKeys(base::Time::Now(), &state_keys)) |
| 302 client->SetStateKeysToUpload(state_keys); | 312 client->SetStateKeysToUpload(state_keys); |
| 303 } | 313 } |
| 304 | 314 |
| 305 return client.Pass(); | 315 return client.Pass(); |
| 306 } | 316 } |
| 307 | 317 |
| 308 void DeviceCloudPolicyManagerChromeOS::EnrollmentCompleted( | 318 void DeviceCloudPolicyManagerChromeOS::EnrollmentCompleted( |
| 309 const EnrollmentCallback& callback, | 319 const EnrollmentCallback& callback, |
| 310 EnrollmentStatus status) { | 320 EnrollmentStatus status) { |
| 311 if (status.status() == EnrollmentStatus::STATUS_SUCCESS) | 321 if (status.status() == EnrollmentStatus::STATUS_SUCCESS) |
| 312 StartConnection(enrollment_handler_->ReleaseClient()); | 322 StartConnection(enrollment_handler_->ReleaseClient()); |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 370 } | 380 } |
| 371 | 381 |
| 372 std::string DeviceCloudPolicyManagerChromeOS::GetRestoreMode() const { | 382 std::string DeviceCloudPolicyManagerChromeOS::GetRestoreMode() const { |
| 373 const base::DictionaryValue* device_state_dict = | 383 const base::DictionaryValue* device_state_dict = |
| 374 local_state_->GetDictionary(prefs::kServerBackedDeviceState); | 384 local_state_->GetDictionary(prefs::kServerBackedDeviceState); |
| 375 std::string restore_mode; | 385 std::string restore_mode; |
| 376 device_state_dict->GetString(kDeviceStateRestoreMode, &restore_mode); | 386 device_state_dict->GetString(kDeviceStateRestoreMode, &restore_mode); |
| 377 return restore_mode; | 387 return restore_mode; |
| 378 } | 388 } |
| 379 | 389 |
| 390 // static | |
| 391 bool DeviceCloudPolicyManagerChromeOS::GetDeviceStateKeys( | |
| 392 const base::Time& timestamp, | |
| 393 std::vector<std::string>* state_keys) { | |
| 394 std::string disk_serial_number = | |
| 395 GetMachineStatistic(chromeos::system::kDiskSerialNumber); | |
| 396 if (disk_serial_number.empty()) { | |
| 397 LOG(ERROR) << "Missing disk serial number"; | |
| 398 return false; | |
| 399 } | |
| 400 | |
| 401 std::string machine_id = GetMachineID(); | |
| 402 if (machine_id.empty()) | |
| 403 return false; | |
| 404 | |
| 405 // Tolerate missing group code keys, some old devices may not have it. | |
| 406 std::string group_code_key = | |
| 407 GetMachineStatistic(chromeos::system::kOffersGroupCodeKey); | |
| 408 | |
| 409 // Get the current time in quantized form. | |
| 410 int64 quantum_size = GG_INT64_C(1) << kDeviceStateKeyTimeQuantumPower; | |
| 411 int64 quantized_time = | |
| 412 (timestamp - base::Time::UnixEpoch()).InSeconds() & ~(quantum_size - 1); | |
|
Joao da Silva
2014/03/27 15:45:40
So quantum_size is 97 days, and quantized_time is
Mattias Nissler (ping if slow)
2014/03/27 16:12:41
Correct.
| |
| 413 for (int i = 0; i < kDeviceStateKeyFutureQuanta; ++i) { | |
| 414 state_keys->push_back(crypto::SHA256HashString( | |
| 415 crypto::SHA256HashString(group_code_key) + | |
| 416 crypto::SHA256HashString(disk_serial_number) + | |
| 417 crypto::SHA256HashString(machine_id) + | |
| 418 crypto::SHA256HashString(base::Int64ToString(quantized_time)))); | |
| 419 quantized_time += quantum_size; | |
|
Joao da Silva
2014/03/27 15:45:40
... and this is producing the hashes that will be
Mattias Nissler (ping if slow)
2014/03/27 16:12:41
Correct.
| |
| 420 } | |
| 421 | |
| 422 return true; | |
| 423 } | |
| 424 | |
| 380 } // namespace policy | 425 } // namespace policy |
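Review bot: A failure to derive the state keys is swallowed at both call sites: `GetCurrentDeviceStateKey()` falls through to `return std::string();`, which `StartEnrollment` passes to `EnrollmentHandlerChromeOS` unchanged, and `CreateClient` skips `SetStateKeysToUpload` when `GetDeviceStateKeys` returns false. A device with no disk serial number or machine id would then apparently enroll and fetch policy with no state key registered, so forced re-enrollment would presumably never apply to it, and neither call site records that. At minimum, add `else LOG(ERROR) << "Failed to derive device state keys; none uploaded";` after the `SetStateKeysToUpload` call in `CreateClient`, and decide whether enrollment should proceed with an empty key when `kEnterpriseEnableForcedReEnrollment` is set. `GetDeviceStateKeys` also deserves a comment saying that it appends to `*state_keys` without clearing it, and that the keys depend on the local clock passed as `timestamp`, so a wrong clock would presumably produce keys that do not match those uploaded earlier. `StartEnrollment`'s signature is in the skipped lines above its hunk.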