1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/location.h" | 10 #include "base/location.h" |
11 #include "base/logging.h" | 11 #include "base/logging.h" |
12 #include "base/single_thread_task_runner.h" | 12 #include "base/single_thread_task_runner.h" |
13 #include "base/threading/thread_task_runner_handle.h" | 13 #include "base/threading/thread_task_runner_handle.h" |
14 #include "chrome/browser/browser_process.h" | 14 #include "chrome/browser/browser_process.h" |
15 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" | 15 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" |
16 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h" | 16 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h" |
17 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h" | 17 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h" |
18 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" | 18 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" |
19 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h" | 19 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h" |
20 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" | 20 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" |
21 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" | 21 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" |
22 #include "chrome/browser/chromeos/profiles/profile_helper.h" | 22 #include "chrome/browser/chromeos/profiles/profile_helper.h" |
23 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" | 23 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" |
24 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h " | 24 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h " |
25 #include "chrome/browser/profiles/profile.h" | 25 #include "chrome/browser/profiles/profile.h" |
26 #include "chromeos/attestation/attestation_constants.h" | |
27 #include "chromeos/attestation/attestation_flow.h" | 26 #include "chromeos/attestation/attestation_flow.h" |
28 #include "chromeos/cryptohome/async_method_caller.h" | |
29 #include "chromeos/dbus/cryptohome_client.h" | |
30 #include "components/signin/core/account_id/account_id.h" | |
31 #include "google_apis/gaia/gaia_urls.h" | 27 #include "google_apis/gaia/gaia_urls.h" |
32 #include "net/http/http_status_code.h" | 28 #include "net/http/http_status_code.h" |
33 | 29 |
34 namespace em = enterprise_management; | 30 namespace em = enterprise_management; |
35 | 31 |
36 namespace policy { | 32 namespace policy { |
37 | 33 |
38 namespace { | 34 namespace { |
39 | 35 |
40 // Retry for InstallAttrs initialization every 500ms. | 36 // Retry for InstallAttrs initialization every 500ms. |
54 case policy::EnrollmentConfig::MODE_LOCAL_FORCED: | 50 case policy::EnrollmentConfig::MODE_LOCAL_FORCED: |
55 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_FORCED; | 51 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_FORCED; |
56 case policy::EnrollmentConfig::MODE_LOCAL_ADVERTISED: | 52 case policy::EnrollmentConfig::MODE_LOCAL_ADVERTISED: |
57 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_ADVERTISED; | 53 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_ADVERTISED; |
58 case policy::EnrollmentConfig::MODE_SERVER_FORCED: | 54 case policy::EnrollmentConfig::MODE_SERVER_FORCED: |
59 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_FORCED; | 55 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_FORCED; |
60 case policy::EnrollmentConfig::MODE_SERVER_ADVERTISED: | 56 case policy::EnrollmentConfig::MODE_SERVER_ADVERTISED: |
61 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_ADVERTISED; | 57 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_ADVERTISED; |
62 case policy::EnrollmentConfig::MODE_RECOVERY: | 58 case policy::EnrollmentConfig::MODE_RECOVERY: |
63 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_RECOVERY; | 59 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_RECOVERY; |
60 case policy::EnrollmentConfig::MODE_ATTESTATION: | |
61 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION; | |
62 case policy::EnrollmentConfig::MODE_ATTESTATION_FORCED: | |
63 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED; | |
64 } | 64 } |
65 | 65 |
66 NOTREACHED() << "Bad enrollment mode: " << mode; | 66 NOTREACHED() << "Bad enrollment mode: " << mode; |
67 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; | 67 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; |
68 } | 68 } |
69 | 69 |
70 } // namespace | 70 } // namespace |
71 | 71 |
72 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( | 72 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( |
73 DeviceCloudPolicyStoreChromeOS* store, | 73 DeviceCloudPolicyStoreChromeOS* store, |
96 requisition_(requisition), | 96 requisition_(requisition), |
97 allowed_device_modes_(allowed_device_modes), | 97 allowed_device_modes_(allowed_device_modes), |
98 completion_callback_(completion_callback), | 98 completion_callback_(completion_callback), |
99 device_mode_(DEVICE_MODE_NOT_SET), | 99 device_mode_(DEVICE_MODE_NOT_SET), |
100 skip_robot_auth_(false), | 100 skip_robot_auth_(false), |
101 enrollment_step_(STEP_PENDING), | 101 enrollment_step_(STEP_PENDING), |
102 lockbox_init_duration_(0), | 102 lockbox_init_duration_(0), |
103 weak_ptr_factory_(this) { | 103 weak_ptr_factory_(this) { |
104 CHECK(!client_->is_registered()); | 104 CHECK(!client_->is_registered()); |
105 CHECK_EQ(DM_STATUS_SUCCESS, client_->status()); | 105 CHECK_EQ(DM_STATUS_SUCCESS, client_->status()); |
106 CHECK_NE(enrollment_config_.auth_mechanism, | 106 CHECK((enrollment_config_.mode == EnrollmentConfig::MODE_ATTESTATION || |
107 EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE); | 107 enrollment_config_.mode == |
108 CHECK((enrollment_config_.auth_mechanism == | 108 EnrollmentConfig::MODE_ATTESTATION_FORCED) == auth_token_.empty()); |
109 EnrollmentConfig::AUTH_MECHANISM_ATTESTATION && | |
110 auth_token_.empty()) || | |
111 (enrollment_config_.auth_mechanism == | |
112 EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE && | |
113 !auth_token_.empty())); | |
114 CHECK(enrollment_config_.auth_mechanism != | 109 CHECK(enrollment_config_.auth_mechanism != |
115 EnrollmentConfig::AUTH_MECHANISM_ATTESTATION || | 110 EnrollmentConfig::AUTH_MECHANISM_ATTESTATION || |
116 (async_method_caller_ != nullptr && cryptohome_client_ != nullptr)); | 111 (async_method_caller_ != nullptr && cryptohome_client_ != nullptr)); |
117 store_->AddObserver(this); | 112 store_->AddObserver(this); |
118 client_->AddObserver(this); | 113 client_->AddObserver(this); |
119 client_->AddPolicyTypeToFetch(dm_protocol::kChromeDevicePolicyType, | 114 client_->AddPolicyTypeToFetch(dm_protocol::kChromeDevicePolicyType, |
120 std::string()); | 115 std::string()); |
121 } | 116 } |
122 | 117 |
123 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() { | 118 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() { |
269 } | 264 } |
270 | 265 |
271 void EnrollmentHandlerChromeOS::StartRegistration() { | 266 void EnrollmentHandlerChromeOS::StartRegistration() { |
272 CHECK_EQ(STEP_LOADING_STORE, enrollment_step_); | 267 CHECK_EQ(STEP_LOADING_STORE, enrollment_step_); |
273 if (!store_->is_initialized()) { | 268 if (!store_->is_initialized()) { |
274 // Do nothing. StartRegistration() will be called again from OnStoreLoaded() | 269 // Do nothing. StartRegistration() will be called again from OnStoreLoaded() |
275 // after the CloudPolicyStore has initialized. | 270 // after the CloudPolicyStore has initialized. |
276 return; | 271 return; |
277 } | 272 } |
278 enrollment_step_ = STEP_REGISTRATION; | 273 enrollment_step_ = STEP_REGISTRATION; |
279 if (enrollment_config_.auth_mechanism == | 274 if (enrollment_config_.should_enroll_with_attestation()) { |
280 EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE) { | 275 StartAttestationBasedEnrollmentFlow(); |
276 } else { | |
281 client_->Register( | 277 client_->Register( |
282 em::DeviceRegisterRequest::DEVICE, | 278 em::DeviceRegisterRequest::DEVICE, |
283 EnrollmentModeToRegistrationFlavor(enrollment_config_.mode), | 279 EnrollmentModeToRegistrationFlavor(enrollment_config_.mode), |
284 auth_token_, client_id_, requisition_, current_state_key_); | 280 auth_token_, client_id_, requisition_, current_state_key_); |
285 } else { | 281 } |
282 } | |
283 | |
284 void EnrollmentHandlerChromeOS::StartAttestationBasedEnrollmentFlow() { | |
285 if (!attestation_flow_) { | |
286 std::unique_ptr<chromeos::attestation::ServerProxy> attestation_ca_client( | 286 std::unique_ptr<chromeos::attestation::ServerProxy> attestation_ca_client( |
287 new chromeos::attestation::AttestationCAClient()); | 287 new chromeos::attestation::AttestationCAClient()); |
288 chromeos::attestation::AttestationFlow flow( | 288 attestation_flow_.reset(new chromeos::attestation::AttestationFlow( |
289 async_method_caller_, cryptohome_client_, | 289 async_method_caller_, cryptohome_client_, |
290 std::move(attestation_ca_client)); | 290 std::move(attestation_ca_client))); |
291 chromeos::attestation::AttestationFlow::CertificateCallback callback = | |
292 base::Bind( | |
293 &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult, | |
294 weak_ptr_factory_.GetWeakPtr()); | |
295 flow.GetCertificate( | |
296 chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE, | |
297 EmptyAccountId(), "" /* request_origin */, false /* force_new_key */, | |
298 callback); | |
299 } | 291 } |
292 chromeos::attestation::AttestationFlow::CertificateCallback callback = | |
achuithb
2016/08/23 18:16:45
const
The one and only Dr. Crash
2016/08/23 21:24:19
Done.
| |
293 base::Bind( | |
294 &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult, | |
295 weak_ptr_factory_.GetWeakPtr()); | |
296 attestation_flow_->GetCertificate( | |
297 chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE, | |
298 EmptyAccountId(), "" /* request_origin */, false /* force_new_key */, | |
299 callback); | |
300 } | 300 } |
301 | 301 |
302 void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult( | 302 void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult( |
303 bool success, | 303 bool success, |
304 const std::string& pem_certificate_chain) { | 304 const std::string& pem_certificate_chain) { |
305 LOG(ERROR) << "Attestation enrollment not implemented."; | 305 LOG(WARNING) << "Enrolling with a registration certificate" |
306 " is not supported yet."; | |
306 // TODO(drcrash): Invert success/fail tests, mocking as always failed now. | 307 // TODO(drcrash): Invert success/fail tests, mocking as always failed now. |
307 if (success) { | 308 if (success) { |
308 // TODO(drcrash): Implement new call in client_ to register with cert. | 309 // TODO(drcrash): Implement new call in client_ to register with cert. |
309 } | 310 } |
310 // TODO(drcrash): Use STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED. | |
311 ReportResult(EnrollmentStatus::ForStatus( | 311 ReportResult(EnrollmentStatus::ForStatus( |
312 EnrollmentStatus::STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED)); | 312 EnrollmentStatus::STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED)); |
313 } | 313 } |
314 | 314 |
315 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult( | 315 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult( |
316 DeviceCloudPolicyValidator* validator) { | 316 DeviceCloudPolicyValidator* validator) { |
317 CHECK_EQ(STEP_VALIDATION, enrollment_step_); | 317 CHECK_EQ(STEP_VALIDATION, enrollment_step_); |
318 if (validator->success()) { | 318 if (validator->success()) { |
319 policy_ = std::move(validator->policy()); | 319 policy_ = std::move(validator->policy()); |
320 username_ = validator->policy_data()->username(); | 320 username_ = validator->policy_data()->username(); |
504 << ", validation: " << status.validation_status() | 504 << ", validation: " << status.validation_status() |
505 << ", store: " << status.store_status() | 505 << ", store: " << status.store_status() |
506 << ", lock: " << status.lock_status(); | 506 << ", lock: " << status.lock_status(); |
507 } | 507 } |
508 | 508 |
509 if (!callback.is_null()) | 509 if (!callback.is_null()) |
510 callback.Run(status); | 510 callback.Run(status); |
511 } | 511 } |
512 | 512 |
513 } // namespace policy | 513 } // namespace policy |
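Review bot: The null-pointer CHECK at new lines 109-111 is still keyed on `auth_mechanism == AUTH_MECHANISM_ATTESTATION`, but StartRegistration (new line 274) now dispatches on `enrollment_config_.should_enroll_with_attestation()` and the constructor's other CHECK (new 106-108) was re-keyed to `mode`, so if should_enroll_with_attestation() can be true for a config whose auth_mechanism is not AUTH_MECHANISM_ATTESTATION (its definition is not on this page), StartAttestationBasedEnrollmentFlow would construct AttestationFlow at new 288-290 from a null `async_method_caller_` or `cryptohome_client_`. I would key the guard on the same predicate the dispatch uses: `CHECK(!enrollment_config_.should_enroll_with_attestation() || (async_method_caller_ != nullptr && cryptohome_client_ != nullptr));`. Separately, HandleRegistrationCertificateResult (new 305-313) reports STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED even when `success` is true, so a successfully fetched enrollment certificate surfaces in the enrollment status as a fetch failure; until registration with the certificate is implemented, a comment such as `// Fetch may have succeeded; reported as FETCH_FAILED only until cert-based registration lands.` next to the ReportResult call would keep the diagnostics honest. The constructor's initializer list and parts of the surrounding functions are elided from this view.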