Minimal attestation-based enrollment flow.

chrome/browser/chromeos/login/enrollment/enrollment_screen.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/enrollment/enrollment_screen.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/timer/elapsed_timer.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/login/enrollment/enrollment_uma.h"
 #include "chrome/browser/chromeos/login/screen_manager.h"
 #include "chrome/browser/chromeos/login/screens/base_screen_delegate.h"
 #include "chrome/browser/chromeos/login/startup_utils.h"
 #include "chrome/browser/chromeos/login/wizard_controller.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_method_call_status.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "components/pairing/controller_pairing_controller.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 
 using namespace pairing_chromeos;
+using policy::EnrollmentConfig;
 
 // Do not change the UMA histogram parameters without renaming the histograms!
 #define UMA_ENROLLMENT_TIME(histogram_name, elapsed_timer) \
   do {                                                     \
     UMA_HISTOGRAM_CUSTOM_TIMES(                            \
       (histogram_name),                                    \
       (elapsed_timer)->Elapsed(),                          \
       base::TimeDelta::FromMilliseconds(100) /* min */,    \
       base::TimeDelta::FromMinutes(15) /* max */,          \
       100 /* bucket_count */);                             \
@@ skipping 16 matching lines @@
 EnrollmentScreen* EnrollmentScreen::Get(ScreenManager* manager) {
   return static_cast<EnrollmentScreen*>(
       manager->GetScreen(WizardController::kEnrollmentScreenName));
 }
 
 EnrollmentScreen::EnrollmentScreen(BaseScreenDelegate* base_screen_delegate,
                                    EnrollmentScreenActor* actor)
     : BaseScreen(base_screen_delegate),
       shark_controller_(NULL),
       actor_(actor),
+      current_auth_(AUTH_OAUTH),
+      last_auth_(AUTH_OAUTH),
       enrollment_failed_once_(false),
-      weak_ptr_factory_(this) {
-}
+      weak_ptr_factory_(this) {}
 
 EnrollmentScreen::~EnrollmentScreen() {
   DCHECK(!enrollment_helper_ || g_browser_process->IsShuttingDown());
 }
 
 void EnrollmentScreen::SetParameters(
     const policy::EnrollmentConfig& enrollment_config,
     pairing_chromeos::ControllerPairingController* shark_controller) {
   enrollment_config_ = enrollment_config;
+  switch (enrollment_config_.auth_mechanism) {
+    case EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE:
+      current_auth_ = AUTH_OAUTH;
+      last_auth_ = AUTH_OAUTH;
+      break;
+    case EnrollmentConfig::AUTH_MECHANISM_ATTESTATION:
+      current_auth_ = AUTH_ATTESTATION;
+      last_auth_ = AUTH_ATTESTATION;
+      break;
+    case EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE:
+      current_auth_ = AUTH_ATTESTATION;
+      last_auth_ = AUTH_OAUTH;
+      break;
+  }
   shark_controller_ = shark_controller;
-  actor_->SetParameters(this, enrollment_config_);
+  SetConfig();
+}
+
+void EnrollmentScreen::SetConfig() {
+  config_ = enrollment_config_;
+  if (current_auth_ == AUTH_ATTESTATION) {
+    if (last_auth_ == current_auth_) {
+      config_.mode = policy::EnrollmentConfig::MODE_ATTESTATION;
+    } else {
+      config_.mode = policy::EnrollmentConfig::MODE_ATTESTATION_FORCED;
+    }
+  }
+  actor_->SetParameters(this, config_);
+  enrollment_helper_ = nullptr;
+}
+
+bool EnrollmentScreen::AdvanceToNextAuth() {
+  if (current_auth_ == last_auth_) {

[pastarmovj, 2016/08/19 10:29:18]

This looks like too much of a boilerplate for juggling only 2 cases. Are you
expecting this to grow more in the near future? If not I would embed the
knowledge of that in the logic directly for now. E.g.:

if (current_auth_ != last_auth_ && current_auth_ == AUTH_ATTESTATION) {
  current_auth_ = AUTH_OAUTH;
  if (enrollment_config_.should_enroll_interactively()) {
    SetConfig();
    return true;
  }
}
return false;

And if you plan for more then maybe having an array of the options would be a
better idea in that case.

[The one and only Dr. Crash, 2016/08/19 17:49:29]

I like that.

+    return false;
+  }
+  switch (current_auth_) {
+    case AUTH_ATTESTATION:
+      current_auth_ = AUTH_OAUTH;
+      if (enrollment_config_.should_enroll_interactively()) {
+        SetConfig();
+        return true;
+      } else {
+        return false;
+      }
+    case AUTH_OAUTH:
+      return false;
+  }
+  return false;
 }
 
 void EnrollmentScreen::CreateEnrollmentHelper() {
-  DCHECK(!enrollment_helper_);
-  enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
-      this, enrollment_config_, enrolling_user_domain_);
+  if (!enrollment_helper_) {
+    enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
+        this, config_, enrolling_user_domain_);
+  }
 }
 
 void EnrollmentScreen::ClearAuth(const base::Closure& callback) {
   if (!enrollment_helper_) {
     callback.Run();
     return;
   }
   enrollment_helper_->ClearAuth(base::Bind(&EnrollmentScreen::OnAuthCleared,
                                            weak_ptr_factory_.GetWeakPtr(),
                                            callback));
 }
 
 void EnrollmentScreen::OnAuthCleared(const base::Closure& callback) {
-  enrollment_helper_.reset();
+  enrollment_helper_ = nullptr;
   callback.Run();
 }
 
 void EnrollmentScreen::PrepareToShow() {
   actor_->PrepareToShow();
 }
 
 void EnrollmentScreen::Show() {
   UMA(policy::kMetricEnrollmentTriggered);
+  switch (current_auth_) {
+    case AUTH_OAUTH:
+      ShowInteractiveScreen();
+      break;
+    case AUTH_ATTESTATION:
+      AuthenticateUsingAttestation();
+      break;
+  }
+}
+
+void EnrollmentScreen::ShowInteractiveScreen() {
   ClearAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
                        weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnrollmentScreen::Hide() {
   actor_->Hide();
   weak_ptr_factory_.InvalidateWeakPtrs();
 }
 
 std::string EnrollmentScreen::GetName() const {
   return WizardController::kEnrollmentScreenName;
 }
 
+void EnrollmentScreen::AuthenticateUsingAttestation() {
+  VLOG(1) << "Authenticating using attestation.";
+  elapsed_timer_.reset(new base::ElapsedTimer());
+  actor_->Show();
+  actor_->ShowEnrollmentSpinnerScreen();
+  CreateEnrollmentHelper();
+  enrollment_helper_->EnrollUsingAttestation();
+}
+
 void EnrollmentScreen::OnLoginDone(const std::string& user,
                                    const std::string& auth_code) {
   LOG_IF(ERROR, auth_code.empty()) << "Auth code is empty.";
   elapsed_timer_.reset(new base::ElapsedTimer());
   enrolling_user_domain_ = gaia::ExtractDomainName(user);
 
   UMA(enrollment_failed_once_ ? policy::kMetricEnrollmentRestarted
                               : policy::kMetricEnrollmentStarted);
 
   actor_->ShowEnrollmentSpinnerScreen();
   CreateEnrollmentHelper();
   enrollment_helper_->EnrollUsingAuthCode(
       auth_code, shark_controller_ != NULL /* fetch_additional_token */);
 }
 
 void EnrollmentScreen::OnRetry() {
-  ClearAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
-                       weak_ptr_factory_.GetWeakPtr()));
+  Show();
 }
 
 void EnrollmentScreen::OnCancel() {
+  if (AdvanceToNextAuth()) {
+    Show();
+    return;
+  }
+
   UMA(policy::kMetricEnrollmentCancelled);
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeCancel, elapsed_timer_);
 
   const BaseScreenDelegate::ExitCodes exit_code =
-      enrollment_config_.is_forced()
-          ? BaseScreenDelegate::ENTERPRISE_ENROLLMENT_BACK
-          : BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED;
+      config_.is_forced() ? BaseScreenDelegate::ENTERPRISE_ENROLLMENT_BACK
+                          : BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED;
   ClearAuth(
       base::Bind(&EnrollmentScreen::Finish, base::Unretained(this), exit_code));
 }
 
 void EnrollmentScreen::OnConfirmationClosed() {
   ClearAuth(base::Bind(&EnrollmentScreen::Finish, base::Unretained(this),
                        BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED));
 }
 
 void EnrollmentScreen::OnAuthError(const GoogleServiceAuthError& error) {
@@ skipping 84 matching lines @@
 }
 
 void EnrollmentScreen::ShowEnrollmentStatusOnSuccess() {
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeSuccess, elapsed_timer_);
   actor_->ShowEnrollmentStatus(policy::EnrollmentStatus::ForStatus(
       policy::EnrollmentStatus::STATUS_SUCCESS));
 }
 
 void EnrollmentScreen::UMA(policy::MetricEnrollment sample) {
-  EnrollmentUMA(sample, enrollment_config_.mode);
+  EnrollmentUMA(sample, config_.mode);
 }
 
 void EnrollmentScreen::ShowSigninScreen() {
   actor_->Show();
   actor_->ShowSigninScreen();
 }
 
 void EnrollmentScreen::OnAnyEnrollmentError() {
   enrollment_failed_once_ = true;
+  //  TODO(drcrash): Maybe create multiple metrics for attestation vs oauth?
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeFailure, elapsed_timer_);
 }
 
 }  // namespace chromeos