Minimal attestation-based enrollment flow.

chrome/browser/chromeos/login/enrollment/enrollment_screen.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/enrollment/enrollment_screen.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
 #include "base/timer/elapsed_timer.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/browser_process_platform_part.h"
 #include "chrome/browser/chromeos/login/enrollment/enrollment_uma.h"
 #include "chrome/browser/chromeos/login/screen_manager.h"
 #include "chrome/browser/chromeos/login/screens/base_screen_delegate.h"
 #include "chrome/browser/chromeos/login/startup_utils.h"
 #include "chrome/browser/chromeos/login/wizard_controller.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_method_call_status.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "components/pairing/controller_pairing_controller.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 
 using namespace pairing_chromeos;
+using policy::EnrollmentConfig;
 
 // Do not change the UMA histogram parameters without renaming the histograms!
 #define UMA_ENROLLMENT_TIME(histogram_name, elapsed_timer) \
   do {                                                     \
     UMA_HISTOGRAM_CUSTOM_TIMES(                            \
       (histogram_name),                                    \
       (elapsed_timer)->Elapsed(),                          \
       base::TimeDelta::FromMilliseconds(100) /* min */,    \
       base::TimeDelta::FromMinutes(15) /* max */,          \
       100 /* bucket_count */);                             \
@@ skipping 14 matching lines @@
 
 // static
 EnrollmentScreen* EnrollmentScreen::Get(ScreenManager* manager) {
   return static_cast<EnrollmentScreen*>(
       manager->GetScreen(WizardController::kEnrollmentScreenName));
 }
 
 EnrollmentScreen::EnrollmentScreen(BaseScreenDelegate* base_screen_delegate,
                                    EnrollmentScreenActor* actor)
     : BaseScreen(base_screen_delegate),
       shark_controller_(NULL),

[achuithb, 2016/08/23 18:16:44]

We prefer in-class initialization. Also, change this NULL to nullptr

[The one and only Dr. Crash, 2016/08/23 21:24:18]

Done.

       actor_(actor),
+      current_auth_(AUTH_OAUTH),
+      last_auth_(AUTH_OAUTH),
       enrollment_failed_once_(false),
-      weak_ptr_factory_(this) {
-}
+      weak_ptr_factory_(this) {}
 
 EnrollmentScreen::~EnrollmentScreen() {
   DCHECK(!enrollment_helper_ || g_browser_process->IsShuttingDown());
 }
 
 void EnrollmentScreen::SetParameters(
     const policy::EnrollmentConfig& enrollment_config,
     pairing_chromeos::ControllerPairingController* shark_controller) {
   enrollment_config_ = enrollment_config;
+  switch (enrollment_config_.auth_mechanism) {
+    case EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE:
+      current_auth_ = AUTH_OAUTH;
+      last_auth_ = AUTH_OAUTH;
+      break;
+    case EnrollmentConfig::AUTH_MECHANISM_ATTESTATION:
+      current_auth_ = AUTH_ATTESTATION;
+      last_auth_ = AUTH_ATTESTATION;
+      break;
+    case EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE:
+      current_auth_ = AUTH_ATTESTATION;
+      last_auth_ = enrollment_config_.should_enroll_interactively()
+                       ? AUTH_OAUTH
+                       : AUTH_ATTESTATION;
+      break;
+  }
   shark_controller_ = shark_controller;
-  actor_->SetParameters(this, enrollment_config_);
+  SetConfig();
+}
+
+void EnrollmentScreen::SetConfig() {
+  config_ = enrollment_config_;
+  if (current_auth_ == AUTH_ATTESTATION) {
+    config_.mode = enrollment_config_.is_attestation_forced()
+                       ? policy::EnrollmentConfig::MODE_ATTESTATION_FORCED
+                       : policy::EnrollmentConfig::MODE_ATTESTATION;
+  }
+  actor_->SetParameters(this, config_);
+  enrollment_helper_ = nullptr;
+}
+
+bool EnrollmentScreen::AdvanceToNextAuth() {
+  if (current_auth_ != last_auth_ && current_auth_ == AUTH_ATTESTATION) {

[achuithb, 2016/08/23 18:16:44]

I would reverse this and do an early exit with return false

+    current_auth_ = AUTH_OAUTH;
+    SetConfig();
+    return true;
+  }
+  return false;
 }
 
 void EnrollmentScreen::CreateEnrollmentHelper() {
-  DCHECK(!enrollment_helper_);
-  enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
-      this, enrollment_config_, enrolling_user_domain_);
+  if (!enrollment_helper_) {
+    enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
+        this, config_, enrolling_user_domain_);
+  }
 }
 
 void EnrollmentScreen::ClearAuth(const base::Closure& callback) {
   if (!enrollment_helper_) {
     callback.Run();
     return;
   }
   enrollment_helper_->ClearAuth(base::Bind(&EnrollmentScreen::OnAuthCleared,
                                            weak_ptr_factory_.GetWeakPtr(),
                                            callback));
 }
 
 void EnrollmentScreen::OnAuthCleared(const base::Closure& callback) {
-  enrollment_helper_.reset();
+  enrollment_helper_ = nullptr;
   callback.Run();
 }
 
 void EnrollmentScreen::PrepareToShow() {
   actor_->PrepareToShow();
 }
 
 void EnrollmentScreen::Show() {
   UMA(policy::kMetricEnrollmentTriggered);
+  switch (current_auth_) {
+    case AUTH_OAUTH:
+      ShowInteractiveScreen();
+      break;
+    case AUTH_ATTESTATION:
+      AuthenticateUsingAttestation();
+      break;
+  }

[achuithb, 2016/08/23 18:16:44]

Add default with NOTREACHED() to future proof

[The one and only Dr. Crash, 2016/08/23 21:24:18]

Done.

+}
+
+void EnrollmentScreen::ShowInteractiveScreen() {
   ClearAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
                        weak_ptr_factory_.GetWeakPtr()));
 }
 
 void EnrollmentScreen::Hide() {
   actor_->Hide();
   weak_ptr_factory_.InvalidateWeakPtrs();
 }
 
 std::string EnrollmentScreen::GetName() const {
   return WizardController::kEnrollmentScreenName;
 }
 
+void EnrollmentScreen::AuthenticateUsingAttestation() {
+  VLOG(1) << "Authenticating using attestation.";
+  elapsed_timer_.reset(new base::ElapsedTimer());
+  actor_->Show();
+  actor_->ShowEnrollmentSpinnerScreen();
+  CreateEnrollmentHelper();
+  enrollment_helper_->EnrollUsingAttestation();
+}
+
 void EnrollmentScreen::OnLoginDone(const std::string& user,
                                    const std::string& auth_code) {
   LOG_IF(ERROR, auth_code.empty()) << "Auth code is empty.";
   elapsed_timer_.reset(new base::ElapsedTimer());
   enrolling_user_domain_ = gaia::ExtractDomainName(user);
 
   UMA(enrollment_failed_once_ ? policy::kMetricEnrollmentRestarted
                               : policy::kMetricEnrollmentStarted);
 
   actor_->ShowEnrollmentSpinnerScreen();
   CreateEnrollmentHelper();
   enrollment_helper_->EnrollUsingAuthCode(
       auth_code, shark_controller_ != NULL /* fetch_additional_token */);
 }
 
 void EnrollmentScreen::OnRetry() {
-  ClearAuth(base::Bind(&EnrollmentScreen::ShowSigninScreen,
-                       weak_ptr_factory_.GetWeakPtr()));
+  Show();
 }
 
 void EnrollmentScreen::OnCancel() {
+  if (AdvanceToNextAuth()) {
+    Show();
+    return;
+  }
+
   UMA(policy::kMetricEnrollmentCancelled);
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeCancel, elapsed_timer_);
 
   const BaseScreenDelegate::ExitCodes exit_code =
-      enrollment_config_.is_forced()
-          ? BaseScreenDelegate::ENTERPRISE_ENROLLMENT_BACK
-          : BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED;
+      config_.is_forced() ? BaseScreenDelegate::ENTERPRISE_ENROLLMENT_BACK
+                          : BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED;
   ClearAuth(
       base::Bind(&EnrollmentScreen::Finish, base::Unretained(this), exit_code));
 }
 
 void EnrollmentScreen::OnConfirmationClosed() {
   ClearAuth(base::Bind(&EnrollmentScreen::Finish, base::Unretained(this),
                        BaseScreenDelegate::ENTERPRISE_ENROLLMENT_COMPLETED));
 }
 
 void EnrollmentScreen::OnAuthError(const GoogleServiceAuthError& error) {
@@ skipping 84 matching lines @@
 }
 
 void EnrollmentScreen::ShowEnrollmentStatusOnSuccess() {
   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeSuccess, elapsed_timer_);
   actor_->ShowEnrollmentStatus(policy::EnrollmentStatus::ForStatus(
       policy::EnrollmentStatus::STATUS_SUCCESS));
 }
 
 void EnrollmentScreen::UMA(policy::MetricEnrollment sample) {
-  EnrollmentUMA(sample, enrollment_config_.mode);
+  EnrollmentUMA(sample, config_.mode);
 }
 
 void EnrollmentScreen::ShowSigninScreen() {
   actor_->Show();
   actor_->ShowSigninScreen();
 }
 
 void EnrollmentScreen::OnAnyEnrollmentError() {
   enrollment_failed_once_ = true;
+  //  TODO(drcrash): Maybe create multiple metrics for attestation vs oauth?

[achuithb, 2016/08/23 18:16:44]

File a bug and reference it here. 

[The one and only Dr. Crash, 2016/08/23 21:24:18]

Done.

   if (elapsed_timer_)
     UMA_ENROLLMENT_TIME(kMetricEnrollmentTimeFailure, elapsed_timer_);
 }
 
 }  // namespace chromeos