Minimal attestation-based enrollment flow.

chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.h"
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/macros.h"
@@ skipping 54 matching lines @@
 
 namespace chromeos {
 
 EnterpriseEnrollmentHelperImpl::EnterpriseEnrollmentHelperImpl(
     EnrollmentStatusConsumer* status_consumer,
     const policy::EnrollmentConfig& enrollment_config,
     const std::string& enrolling_user_domain)
     : EnterpriseEnrollmentHelper(status_consumer),
       enrollment_config_(enrollment_config),
       enrolling_user_domain_(enrolling_user_domain),
-      started_(false),
-      finished_(false),
+      started_oauth_(false),
+      finished_oauth_(false),
       success_(false),
       auth_data_cleared_(false),
       weak_ptr_factory_(this) {
   // Init the TPM if it has not been done until now (in debug build we might
   // have not done that yet).
   DBusThreadManager::Get()->GetCryptohomeClient()->TpmCanAttemptOwnership(
       EmptyVoidDBusMethodCallback());
 }
 
 EnterpriseEnrollmentHelperImpl::~EnterpriseEnrollmentHelperImpl() {
-  DCHECK(g_browser_process->IsShuttingDown() || !started_ ||
-         (finished_ && (success_ || auth_data_cleared_)));
+  DCHECK(g_browser_process->IsShuttingDown() || !started_oauth_ ||
+         (finished_oauth_ && (success_ || auth_data_cleared_)));
 }
 
 void EnterpriseEnrollmentHelperImpl::EnrollUsingAuthCode(
     const std::string& auth_code,
     bool fetch_additional_token) {
-  DCHECK(!started_);
-  started_ = true;
+  DCHECK(!started_oauth_);
+  started_oauth_ = true;
   oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance());
   oauth_fetcher_->StartWithAuthCode(
       auth_code, g_browser_process->system_request_context(),
       base::Bind(&EnterpriseEnrollmentHelperImpl::OnTokenFetched,
                  weak_ptr_factory_.GetWeakPtr(),
                  fetch_additional_token /* is_additional_token */));
 }
 
 void EnterpriseEnrollmentHelperImpl::EnrollUsingToken(
     const std::string& token) {
-  DCHECK(!started_);
-  started_ = true;
-  DoEnrollUsingToken(token);
+  DCHECK(!started_oauth_);
+  started_oauth_ = true;
+  DoEnroll(token);
+}
+
+void EnterpriseEnrollmentHelperImpl::EnrollUsingAttestation() {
+  DCHECK(enrollment_config_.mode ==

[pastarmovj, 2016/08/19 10:29:18]

I wonder if this should not even be a CHECK. Could a bug cause this function to
be called with the wrong mode and cause the wrong type of enrollment? I am not
sure how much of an issue this really is but better safe then sorry :)

[The one and only Dr. Crash, 2016/08/19 17:49:29]

Sounds reasonable.

+             policy::EnrollmentConfig::MODE_ATTESTATION ||
+         enrollment_config_.mode ==
+             policy::EnrollmentConfig::MODE_ATTESTATION_FORCED);
+  DoEnroll("");
 }
 
 void EnterpriseEnrollmentHelperImpl::ClearAuth(const base::Closure& callback) {
-  // Do not revoke the additional token if enrollment has finished
-  // successfully.
-  if (!success_ && additional_token_.length())
-    (new TokenRevoker())->Start(additional_token_);
+  if (started_oauth_) {
+    // Do not revoke the additional token if enrollment has finished
+    // successfully.
+    if (!success_ && additional_token_.length())
+      (new TokenRevoker())->Start(additional_token_);
 
-  if (oauth_fetcher_) {
-    if (!oauth_fetcher_->OAuth2AccessToken().empty())
-      (new TokenRevoker())->Start(oauth_fetcher_->OAuth2AccessToken());
+    if (oauth_fetcher_) {
+      if (!oauth_fetcher_->OAuth2AccessToken().empty())
+        (new TokenRevoker())->Start(oauth_fetcher_->OAuth2AccessToken());
 
-    if (!oauth_fetcher_->OAuth2RefreshToken().empty())
-      (new TokenRevoker())->Start(oauth_fetcher_->OAuth2RefreshToken());
+      if (!oauth_fetcher_->OAuth2RefreshToken().empty())
+        (new TokenRevoker())->Start(oauth_fetcher_->OAuth2RefreshToken());
 
-    oauth_fetcher_.reset();
-  } else if (oauth_token_.length()) {
-    // EnrollUsingToken was called.
-    (new TokenRevoker())->Start(oauth_token_);
+      oauth_fetcher_.reset();
+    } else if (oauth_token_.length()) {
+      // EnrollUsingToken was called.
+      (new TokenRevoker())->Start(oauth_token_);
+    }
   }
 
   chromeos::ProfileHelper::Get()->ClearSigninProfile(
       base::Bind(&EnterpriseEnrollmentHelperImpl::OnSigninProfileCleared,
                  weak_ptr_factory_.GetWeakPtr(), callback));
 }
 
-void EnterpriseEnrollmentHelperImpl::DoEnrollUsingToken(
-    const std::string& token) {
+void EnterpriseEnrollmentHelperImpl::DoEnroll(const std::string& token) {
   DCHECK(token == oauth_token_ || oauth_token_.empty());
   oauth_token_ = token;
   policy::BrowserPolicyConnectorChromeOS* connector =
       g_browser_process->platform_part()->browser_policy_connector_chromeos();
   if (connector->IsEnterpriseManaged() &&
       connector->GetEnterpriseDomain() != enrolling_user_domain_) {
     LOG(ERROR) << "Trying to re-enroll to a different domain than "
                << connector->GetEnterpriseDomain();
     UMA(policy::kMetricEnrollmentPrecheckDomainMismatch);
-    finished_ = true;
+    finished_oauth_ = true;
     status_consumer()->OnOtherError(OTHER_ERROR_DOMAIN_MISMATCH);
     return;
   }
 
   policy::DeviceCloudPolicyInitializer::AllowedDeviceModes device_modes;
   device_modes[policy::DEVICE_MODE_ENTERPRISE] = true;
   connector->ScheduleServiceInitialization(0);
 
   policy::DeviceCloudPolicyInitializer* dcp_initializer =
       connector->GetDeviceCloudPolicyInitializer();
@@ skipping 36 matching lines @@
           &EnterpriseEnrollmentHelperImpl::OnDeviceAttributeUploadCompleted,
           weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnterpriseEnrollmentHelperImpl::OnTokenFetched(
     bool is_additional_token,
     const std::string& token,
     const GoogleServiceAuthError& error) {
   if (error.state() != GoogleServiceAuthError::NONE) {
     ReportAuthStatus(error);
-    finished_ = true;
+    finished_oauth_ = true;
     status_consumer()->OnAuthError(error);
     return;
   }
 
   if (!is_additional_token) {
-    DoEnrollUsingToken(token);
+    EnrollUsingToken(token);
     return;
   }
 
   additional_token_ = token;
   std::string refresh_token = oauth_fetcher_->OAuth2RefreshToken();
   oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance());
   oauth_fetcher_->StartWithRefreshToken(
       refresh_token, g_browser_process->system_request_context(),
       base::Bind(&EnterpriseEnrollmentHelperImpl::OnTokenFetched,
                  weak_ptr_factory_.GetWeakPtr(),
                  false /* is_additional_token */));
 }
 
 void EnterpriseEnrollmentHelperImpl::OnEnrollmentFinished(
     policy::EnrollmentStatus status) {
   // TODO(pbond): remove this LOG once http://crbug.com/586961 is fixed.
   LOG(WARNING) << "Enrollment finished";
   ReportEnrollmentStatus(status);
-  finished_ = true;
+  if (started_oauth_) {
+    finished_oauth_ = true;
+  }
   if (status.status() == policy::EnrollmentStatus::STATUS_SUCCESS) {
     success_ = true;
     StartupUtils::MarkOobeCompleted();
     status_consumer()->OnDeviceEnrolled(additional_token_);
   } else {
     status_consumer()->OnEnrollmentError(status);
   }
 }
 
 void EnterpriseEnrollmentHelperImpl::OnDeviceAttributeUpdatePermission(
@@ skipping 177 matching lines @@
   EnrollmentUMA(sample, enrollment_config_.mode);
 }
 
 void EnterpriseEnrollmentHelperImpl::OnSigninProfileCleared(
     const base::Closure& callback) {
   auth_data_cleared_ = true;
   callback.Run();
 }
 
 }  // namespace chromeos