Chromium Code Reviews Chromium Code Reviews
Issue 2186623002:
Minimal attestation-based enrollment flow. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_ impl.h" | 5 #include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_ impl.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/location.h" | 8 #include "base/location.h" |
| 9 #include "base/logging.h" | 9 #include "base/logging.h" |
| 10 #include "base/macros.h" | 10 #include "base/macros.h" |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 65 | 65 |
| 66 namespace chromeos { | 66 namespace chromeos { |
| 67 | 67 |
| 68 EnterpriseEnrollmentHelperImpl::EnterpriseEnrollmentHelperImpl( | 68 EnterpriseEnrollmentHelperImpl::EnterpriseEnrollmentHelperImpl( |
| 69 EnrollmentStatusConsumer* status_consumer, | 69 EnrollmentStatusConsumer* status_consumer, |
| 70 const policy::EnrollmentConfig& enrollment_config, | 70 const policy::EnrollmentConfig& enrollment_config, |
| 71 const std::string& enrolling_user_domain) | 71 const std::string& enrolling_user_domain) |
| 72 : EnterpriseEnrollmentHelper(status_consumer), | 72 : EnterpriseEnrollmentHelper(status_consumer), |
| 73 enrollment_config_(enrollment_config), | 73 enrollment_config_(enrollment_config), |
| 74 enrolling_user_domain_(enrolling_user_domain), | 74 enrolling_user_domain_(enrolling_user_domain), |
| 75 started_(false), | 75 oauth_data_cleared_(false), |
|
achuithb
2016/08/23 18:16:44
Initialize in header
The one and only Dr. Crash
2016/08/23 21:24:18
Done.
| |
| 76 finished_(false), | |
| 77 success_(false), | 76 success_(false), |
| 78 auth_data_cleared_(false), | |
| 79 weak_ptr_factory_(this) { | 77 weak_ptr_factory_(this) { |
| 80 // Init the TPM if it has not been done until now (in debug build we might | 78 // Init the TPM if it has not been done until now (in debug build we might |
| 81 // have not done that yet). | 79 // have not done that yet). |
| 82 DBusThreadManager::Get()->GetCryptohomeClient()->TpmCanAttemptOwnership( | 80 DBusThreadManager::Get()->GetCryptohomeClient()->TpmCanAttemptOwnership( |
| 83 EmptyVoidDBusMethodCallback()); | 81 EmptyVoidDBusMethodCallback()); |
| 84 } | 82 } |
| 85 | 83 |
| 86 EnterpriseEnrollmentHelperImpl::~EnterpriseEnrollmentHelperImpl() { | 84 EnterpriseEnrollmentHelperImpl::~EnterpriseEnrollmentHelperImpl() { |
| 87 DCHECK(g_browser_process->IsShuttingDown() || !started_ || | 85 DCHECK( |
| 88 (finished_ && (success_ || auth_data_cleared_))); | 86 g_browser_process->IsShuttingDown() || |
| 87 oauth_status_ == OAUTH_NOT_STARTED || | |
| 88 (oauth_status_ == OAUTH_FINISHED && (success_ || oauth_data_cleared_))); | |
| 89 } | 89 } |
| 90 | 90 |
| 91 void EnterpriseEnrollmentHelperImpl::EnrollUsingAuthCode( | 91 void EnterpriseEnrollmentHelperImpl::EnrollUsingAuthCode( |
| 92 const std::string& auth_code, | 92 const std::string& auth_code, |
| 93 bool fetch_additional_token) { | 93 bool fetch_additional_token) { |
| 94 DCHECK(!started_); | 94 DCHECK(oauth_status_ == OAUTH_NOT_STARTED); |
| 95 started_ = true; | 95 oauth_status_ = OAUTH_STARTED_WITH_AUTH_CODE; |
| 96 oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance()); | 96 oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance()); |
| 97 oauth_fetcher_->StartWithAuthCode( | 97 oauth_fetcher_->StartWithAuthCode( |
| 98 auth_code, g_browser_process->system_request_context(), | 98 auth_code, g_browser_process->system_request_context(), |
| 99 base::Bind(&EnterpriseEnrollmentHelperImpl::OnTokenFetched, | 99 base::Bind(&EnterpriseEnrollmentHelperImpl::OnTokenFetched, |
| 100 weak_ptr_factory_.GetWeakPtr(), | 100 weak_ptr_factory_.GetWeakPtr(), |
| 101 fetch_additional_token /* is_additional_token */)); | 101 fetch_additional_token /* is_additional_token */)); |
| 102 } | 102 } |
| 103 | 103 |
| 104 void EnterpriseEnrollmentHelperImpl::EnrollUsingToken( | 104 void EnterpriseEnrollmentHelperImpl::EnrollUsingToken( |
| 105 const std::string& token) { | 105 const std::string& token) { |
| 106 DCHECK(!started_); | 106 DCHECK(oauth_status_ != OAUTH_STARTED_WITH_TOKEN); |
|
achuithb
2016/08/23 18:16:44
Can we have a positive check here instead?
DCHECK(
The one and only Dr. Crash
2016/08/23 21:24:18
That's more fragile if the enum gets extended than
| |
| 107 started_ = true; | 107 if (oauth_status_ == OAUTH_NOT_STARTED) { |
|
achuithb
2016/08/23 18:16:44
Drop {}
| |
| 108 DoEnrollUsingToken(token); | 108 oauth_status_ = OAUTH_STARTED_WITH_TOKEN; |
| 109 } | |
| 110 DoEnroll(token); | |
| 111 } | |
| 112 | |
| 113 void EnterpriseEnrollmentHelperImpl::EnrollUsingAttestation() { | |
| 114 CHECK(enrollment_config_.mode == policy::EnrollmentConfig::MODE_ATTESTATION || | |
| 115 enrollment_config_.mode == | |
| 116 policy::EnrollmentConfig::MODE_ATTESTATION_FORCED); | |
|
achuithb
2016/08/23 18:16:44
DCHECK for oauth_status_ here?
The one and only Dr. Crash
2016/08/23 21:24:18
No. The attestation enrollment is independent and
| |
| 117 DoEnroll(""); | |
| 109 } | 118 } |
| 110 | 119 |
| 111 void EnterpriseEnrollmentHelperImpl::ClearAuth(const base::Closure& callback) { | 120 void EnterpriseEnrollmentHelperImpl::ClearAuth(const base::Closure& callback) { |
| 112 // Do not revoke the additional token if enrollment has finished | 121 if (oauth_status_ != OAUTH_NOT_STARTED) { |
| 113 // successfully. | 122 // Do not revoke the additional token if enrollment has finished |
| 114 if (!success_ && additional_token_.length()) | 123 // successfully. |
| 115 (new TokenRevoker())->Start(additional_token_); | 124 if (!success_ && additional_token_.length()) |
| 125 (new TokenRevoker())->Start(additional_token_); | |
| 116 | 126 |
| 117 if (oauth_fetcher_) { | 127 if (oauth_fetcher_) { |
| 118 if (!oauth_fetcher_->OAuth2AccessToken().empty()) | 128 if (!oauth_fetcher_->OAuth2AccessToken().empty()) |
| 119 (new TokenRevoker())->Start(oauth_fetcher_->OAuth2AccessToken()); | 129 (new TokenRevoker())->Start(oauth_fetcher_->OAuth2AccessToken()); |
| 120 | 130 |
| 121 if (!oauth_fetcher_->OAuth2RefreshToken().empty()) | 131 if (!oauth_fetcher_->OAuth2RefreshToken().empty()) |
| 122 (new TokenRevoker())->Start(oauth_fetcher_->OAuth2RefreshToken()); | 132 (new TokenRevoker())->Start(oauth_fetcher_->OAuth2RefreshToken()); |
| 123 | 133 |
| 124 oauth_fetcher_.reset(); | 134 oauth_fetcher_.reset(); |
| 125 } else if (oauth_token_.length()) { | 135 } else if (oauth_token_.length()) { |
| 126 // EnrollUsingToken was called. | 136 // EnrollUsingToken was called. |
| 127 (new TokenRevoker())->Start(oauth_token_); | 137 (new TokenRevoker())->Start(oauth_token_); |
| 138 } | |
| 128 } | 139 } |
| 129 | 140 |
| 130 chromeos::ProfileHelper::Get()->ClearSigninProfile( | 141 chromeos::ProfileHelper::Get()->ClearSigninProfile( |
| 131 base::Bind(&EnterpriseEnrollmentHelperImpl::OnSigninProfileCleared, | 142 base::Bind(&EnterpriseEnrollmentHelperImpl::OnSigninProfileCleared, |
| 132 weak_ptr_factory_.GetWeakPtr(), callback)); | 143 weak_ptr_factory_.GetWeakPtr(), callback)); |
| 133 } | 144 } |
| 134 | 145 |
| 135 void EnterpriseEnrollmentHelperImpl::DoEnrollUsingToken( | 146 void EnterpriseEnrollmentHelperImpl::DoEnroll(const std::string& token) { |
| 136 const std::string& token) { | |
| 137 DCHECK(token == oauth_token_ || oauth_token_.empty()); | 147 DCHECK(token == oauth_token_ || oauth_token_.empty()); |
|
achuithb
2016/08/23 18:16:44
Do we need a DCHECK for oauth_status_?
The one and only Dr. Crash
2016/08/23 21:24:19
Added one.
| |
| 138 oauth_token_ = token; | 148 oauth_token_ = token; |
| 139 policy::BrowserPolicyConnectorChromeOS* connector = | 149 policy::BrowserPolicyConnectorChromeOS* connector = |
| 140 g_browser_process->platform_part()->browser_policy_connector_chromeos(); | 150 g_browser_process->platform_part()->browser_policy_connector_chromeos(); |
| 141 if (connector->IsEnterpriseManaged() && | 151 if (connector->IsEnterpriseManaged() && |
| 142 connector->GetEnterpriseDomain() != enrolling_user_domain_) { | 152 connector->GetEnterpriseDomain() != enrolling_user_domain_) { |
| 143 LOG(ERROR) << "Trying to re-enroll to a different domain than " | 153 LOG(ERROR) << "Trying to re-enroll to a different domain than " |
| 144 << connector->GetEnterpriseDomain(); | 154 << connector->GetEnterpriseDomain(); |
| 145 UMA(policy::kMetricEnrollmentPrecheckDomainMismatch); | 155 UMA(policy::kMetricEnrollmentPrecheckDomainMismatch); |
| 146 finished_ = true; | 156 if (oauth_status_ != OAUTH_NOT_STARTED) { |
|
achuithb
2016/08/23 18:16:44
drop {}
The one and only Dr. Crash
2016/08/23 21:24:18
Done.
| |
| 157 oauth_status_ = OAUTH_FINISHED; | |
| 158 } | |
| 147 status_consumer()->OnOtherError(OTHER_ERROR_DOMAIN_MISMATCH); | 159 status_consumer()->OnOtherError(OTHER_ERROR_DOMAIN_MISMATCH); |
| 148 return; | 160 return; |
| 149 } | 161 } |
| 150 | 162 |
| 151 policy::DeviceCloudPolicyInitializer::AllowedDeviceModes device_modes; | 163 policy::DeviceCloudPolicyInitializer::AllowedDeviceModes device_modes; |
| 152 device_modes[policy::DEVICE_MODE_ENTERPRISE] = true; | 164 device_modes[policy::DEVICE_MODE_ENTERPRISE] = true; |
| 153 connector->ScheduleServiceInitialization(0); | 165 connector->ScheduleServiceInitialization(0); |
| 154 | 166 |
| 155 policy::DeviceCloudPolicyInitializer* dcp_initializer = | 167 policy::DeviceCloudPolicyInitializer* dcp_initializer = |
| 156 connector->GetDeviceCloudPolicyInitializer(); | 168 connector->GetDeviceCloudPolicyInitializer(); |
| (...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 193 &EnterpriseEnrollmentHelperImpl::OnDeviceAttributeUploadCompleted, | 205 &EnterpriseEnrollmentHelperImpl::OnDeviceAttributeUploadCompleted, |
| 194 weak_ptr_factory_.GetWeakPtr())); | 206 weak_ptr_factory_.GetWeakPtr())); |
| 195 } | 207 } |
| 196 | 208 |
| 197 void EnterpriseEnrollmentHelperImpl::OnTokenFetched( | 209 void EnterpriseEnrollmentHelperImpl::OnTokenFetched( |
| 198 bool is_additional_token, | 210 bool is_additional_token, |
| 199 const std::string& token, | 211 const std::string& token, |
| 200 const GoogleServiceAuthError& error) { | 212 const GoogleServiceAuthError& error) { |
| 201 if (error.state() != GoogleServiceAuthError::NONE) { | 213 if (error.state() != GoogleServiceAuthError::NONE) { |
| 202 ReportAuthStatus(error); | 214 ReportAuthStatus(error); |
| 203 finished_ = true; | 215 oauth_status_ = OAUTH_FINISHED; |
| 204 status_consumer()->OnAuthError(error); | 216 status_consumer()->OnAuthError(error); |
| 205 return; | 217 return; |
| 206 } | 218 } |
| 207 | 219 |
| 208 if (!is_additional_token) { | 220 if (!is_additional_token) { |
| 209 DoEnrollUsingToken(token); | 221 EnrollUsingToken(token); |
| 210 return; | 222 return; |
| 211 } | 223 } |
| 212 | 224 |
| 213 additional_token_ = token; | 225 additional_token_ = token; |
| 214 std::string refresh_token = oauth_fetcher_->OAuth2RefreshToken(); | 226 std::string refresh_token = oauth_fetcher_->OAuth2RefreshToken(); |
| 215 oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance()); | 227 oauth_fetcher_.reset(policy::PolicyOAuth2TokenFetcher::CreateInstance()); |
| 216 oauth_fetcher_->StartWithRefreshToken( | 228 oauth_fetcher_->StartWithRefreshToken( |
| 217 refresh_token, g_browser_process->system_request_context(), | 229 refresh_token, g_browser_process->system_request_context(), |
| 218 base::Bind(&EnterpriseEnrollmentHelperImpl::OnTokenFetched, | 230 base::Bind(&EnterpriseEnrollmentHelperImpl::OnTokenFetched, |
| 219 weak_ptr_factory_.GetWeakPtr(), | 231 weak_ptr_factory_.GetWeakPtr(), |
| 220 false /* is_additional_token */)); | 232 false /* is_additional_token */)); |
| 221 } | 233 } |
| 222 | 234 |
| 223 void EnterpriseEnrollmentHelperImpl::OnEnrollmentFinished( | 235 void EnterpriseEnrollmentHelperImpl::OnEnrollmentFinished( |
| 224 policy::EnrollmentStatus status) { | 236 policy::EnrollmentStatus status) { |
| 225 // TODO(pbond): remove this LOG once http://crbug.com/586961 is fixed. | 237 // TODO(pbond): remove this LOG once http://crbug.com/586961 is fixed. |
| 226 LOG(WARNING) << "Enrollment finished"; | 238 LOG(WARNING) << "Enrollment finished"; |
| 227 ReportEnrollmentStatus(status); | 239 ReportEnrollmentStatus(status); |
| 228 finished_ = true; | 240 if (oauth_status_ != OAUTH_NOT_STARTED) { |
|
achuithb
2016/08/23 18:16:44
Drop {}
The one and only Dr. Crash
2016/08/23 21:24:18
Done.
| |
| 241 oauth_status_ = OAUTH_FINISHED; | |
| 242 } | |
| 229 if (status.status() == policy::EnrollmentStatus::STATUS_SUCCESS) { | 243 if (status.status() == policy::EnrollmentStatus::STATUS_SUCCESS) { |
| 230 success_ = true; | 244 success_ = true; |
| 231 StartupUtils::MarkOobeCompleted(); | 245 StartupUtils::MarkOobeCompleted(); |
| 232 status_consumer()->OnDeviceEnrolled(additional_token_); | 246 status_consumer()->OnDeviceEnrolled(additional_token_); |
| 233 } else { | 247 } else { |
| 234 status_consumer()->OnEnrollmentError(status); | 248 status_consumer()->OnEnrollmentError(status); |
| 235 } | 249 } |
| 236 } | 250 } |
| 237 | 251 |
| 238 void EnterpriseEnrollmentHelperImpl::OnDeviceAttributeUpdatePermission( | 252 void EnterpriseEnrollmentHelperImpl::OnDeviceAttributeUpdatePermission( |
| (...skipping 172 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 411 break; | 425 break; |
| 412 } | 426 } |
| 413 } | 427 } |
| 414 | 428 |
| 415 void EnterpriseEnrollmentHelperImpl::UMA(policy::MetricEnrollment sample) { | 429 void EnterpriseEnrollmentHelperImpl::UMA(policy::MetricEnrollment sample) { |
| 416 EnrollmentUMA(sample, enrollment_config_.mode); | 430 EnrollmentUMA(sample, enrollment_config_.mode); |
| 417 } | 431 } |
| 418 | 432 |
| 419 void EnterpriseEnrollmentHelperImpl::OnSigninProfileCleared( | 433 void EnterpriseEnrollmentHelperImpl::OnSigninProfileCleared( |
| 420 const base::Closure& callback) { | 434 const base::Closure& callback) { |
| 421 auth_data_cleared_ = true; | 435 oauth_data_cleared_ = true; |
| 422 callback.Run(); | 436 callback.Run(); |
| 423 } | 437 } |
| 424 | 438 |
| 425 } // namespace chromeos | 439 } // namespace chromeos |
| OLD | NEW |
