Minimal attestation-based enrollment flow.

chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/single_thread_task_runner.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h"
 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
-#include "chromeos/attestation/attestation_constants.h"
 #include "chromeos/attestation/attestation_flow.h"
-#include "chromeos/cryptohome/async_method_caller.h"
-#include "chromeos/dbus/cryptohome_client.h"
-#include "components/signin/core/account_id/account_id.h"
 #include "google_apis/gaia/gaia_urls.h"
 #include "net/http/http_status_code.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
 // Retry for InstallAttrs initialization every 500ms.
@@ skipping 13 matching lines @@
     case policy::EnrollmentConfig::MODE_LOCAL_FORCED:
       return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_FORCED;
     case policy::EnrollmentConfig::MODE_LOCAL_ADVERTISED:
       return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_ADVERTISED;
     case policy::EnrollmentConfig::MODE_SERVER_FORCED:
       return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_FORCED;
     case policy::EnrollmentConfig::MODE_SERVER_ADVERTISED:
       return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_ADVERTISED;
     case policy::EnrollmentConfig::MODE_RECOVERY:
       return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_RECOVERY;
+    case policy::EnrollmentConfig::MODE_ATTESTATION:
+      return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION;
+    case policy::EnrollmentConfig::MODE_ATTESTATION_FORCED:
+      return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED;
   }
 
   NOTREACHED() << "Bad enrollment mode: " << mode;
   return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL;
 }
 
 }  // namespace
 
 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
     DeviceCloudPolicyStoreChromeOS* store,
@@ skipping 22 matching lines @@
       requisition_(requisition),
       allowed_device_modes_(allowed_device_modes),
       completion_callback_(completion_callback),
       device_mode_(DEVICE_MODE_NOT_SET),
       skip_robot_auth_(false),
       enrollment_step_(STEP_PENDING),
       lockbox_init_duration_(0),
       weak_ptr_factory_(this) {
   CHECK(!client_->is_registered());
   CHECK_EQ(DM_STATUS_SUCCESS, client_->status());
-  CHECK_NE(enrollment_config_.auth_mechanism,
-           EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE);
-  CHECK((enrollment_config_.auth_mechanism ==
-             EnrollmentConfig::AUTH_MECHANISM_ATTESTATION &&
-         auth_token_.empty()) ||
-        (enrollment_config_.auth_mechanism ==
-             EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE &&
-         !auth_token_.empty()));
+  CHECK((enrollment_config_.mode == EnrollmentConfig::MODE_ATTESTATION ||
+         enrollment_config_.mode ==
+             EnrollmentConfig::MODE_ATTESTATION_FORCED) == auth_token_.empty());
   CHECK(enrollment_config_.auth_mechanism !=
             EnrollmentConfig::AUTH_MECHANISM_ATTESTATION ||
         (async_method_caller_ != nullptr && cryptohome_client_ != nullptr));
   store_->AddObserver(this);
   client_->AddObserver(this);
   client_->AddPolicyTypeToFetch(dm_protocol::kChromeDevicePolicyType,
                                 std::string());
 }
 
 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() {
@@ skipping 145 matching lines @@
 }
 
 void EnrollmentHandlerChromeOS::StartRegistration() {
   CHECK_EQ(STEP_LOADING_STORE, enrollment_step_);
   if (!store_->is_initialized()) {
     // Do nothing. StartRegistration() will be called again from OnStoreLoaded()
     // after the CloudPolicyStore has initialized.
     return;
   }
   enrollment_step_ = STEP_REGISTRATION;
-  if (enrollment_config_.auth_mechanism ==
-      EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE) {
+  if (enrollment_config_.should_enroll_with_attestation()) {
+    StartAttestationBasedEnrollmentFlow();
+  } else {
     client_->Register(
         em::DeviceRegisterRequest::DEVICE,
         EnrollmentModeToRegistrationFlavor(enrollment_config_.mode),
         auth_token_, client_id_, requisition_, current_state_key_);
-  } else {
+  }
+}
+
+void EnrollmentHandlerChromeOS::StartAttestationBasedEnrollmentFlow() {
+  if (!attestation_flow_) {
     std::unique_ptr<chromeos::attestation::ServerProxy> attestation_ca_client(
         new chromeos::attestation::AttestationCAClient());
-    chromeos::attestation::AttestationFlow flow(
+    attestation_flow_.reset(new chromeos::attestation::AttestationFlow(
         async_method_caller_, cryptohome_client_,
-        std::move(attestation_ca_client));
-    chromeos::attestation::AttestationFlow::CertificateCallback callback =
-        base::Bind(
-            &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult,
-            weak_ptr_factory_.GetWeakPtr());
-    flow.GetCertificate(
-        chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE,
-        EmptyAccountId(), "" /* request_origin */, false /* force_new_key */,
-        callback);
+        std::move(attestation_ca_client)));
   }
+  chromeos::attestation::AttestationFlow::CertificateCallback callback =
+      base::Bind(
+          &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult,
+          weak_ptr_factory_.GetWeakPtr());
+  attestation_flow_->GetCertificate(
+      chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE,
+      EmptyAccountId(), "" /* request_origin */, false /* force_new_key */,
+      callback);
 }
 
 void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult(
     bool success,
     const std::string& pem_certificate_chain) {
-  LOG(ERROR) << "Attestation enrollment not implemented.";
+  LOG(WARNING) << "Enrolling with a registration certificate"
+                  " is not supported yet.";
   // TODO(drcrash): Invert success/fail tests, mocking as always failed now.
   if (success) {
     // TODO(drcrash): Implement new call in client_ to register with cert.
   }
-  // TODO(drcrash): Use STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED.
   ReportResult(EnrollmentStatus::ForStatus(
       EnrollmentStatus::STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED));
 }
 
 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
     DeviceCloudPolicyValidator* validator) {
   CHECK_EQ(STEP_VALIDATION, enrollment_step_);
   if (validator->success()) {
     policy_ = std::move(validator->policy());
     username_ = validator->policy_data()->username();
@@ skipping 183 matching lines @@
                  << ", validation: " << status.validation_status()
                  << ", store: " << status.store_status()
                  << ", lock: " << status.lock_status();
   }
 
   if (!callback.is_null())
     callback.Run(status);
 }
 
 }  // namespace policy