
Side by Side Diff: chrome/browser/chromeos/policy/enrollment_config.h

Issue 2186623002: Minimal attestation-based enrollment flow. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressed achuithb's feedback. Created 4 years, 4 months ago
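--- a/chrome/browser/chromeos/policy/enrollment_config.h
+++ b/chrome/browser/chromeos/policy/enrollment_config.h
@@ -1,10 +1,10 @@
 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_CONFIG_H_
 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_CONFIG_H_
 
 #include <string>
 
 namespace policy {
@@ -28,54 +28,84 @@
 MODE_LOCAL_FORCED,
 // Advertised enrollment triggered by local OEM manifest or device
 // requisition, user can skip.
 MODE_LOCAL_ADVERTISED,
 // Server-backed-state-triggered forced enrollment, user can't skip.
 MODE_SERVER_FORCED,
 // Server-backed-state-triggered advertised enrollment, user can skip.
 MODE_SERVER_ADVERTISED,
 // Recover from "spontaneous unenrollment", user can't skip.
 MODE_RECOVERY,
+// Start attestation-based enrollment.
+MODE_ATTESTATION,
+// Start attestation-based enrollment and only uses that.
+MODE_ATTESTATION_FORCED,
 };
 
 // An enumeration of authentication mechanisms that can be used for
 // enrollment.
 enum AuthMechanism {
 // Interactive authentication.
 AUTH_MECHANISM_INTERACTIVE,
 // Automatic authentication relying on the attestation process.
 AUTH_MECHANISM_ATTESTATION,
 // Let the system determine the best mechanism (typically the one
 // that requires the least user interaction).
 AUTH_MECHANISM_BEST_AVAILABLE,
 };
 
 // Whether enrollment should be triggered.
-bool should_enroll() const { return mode != MODE_NONE; }
+bool should_enroll() const {
+return should_enroll_with_attestation() || should_enroll_interactively();
+}
+
+// Whether attestation enrollment should be triggered.
+bool should_enroll_with_attestation() const {
+return auth_mechanism != AUTH_MECHANISM_INTERACTIVE;
+}
+
+// Whether interactive enrollment should be triggered.
+bool should_enroll_interactively() const { return mode != MODE_NONE; }
 
 // Whether enrollment is forced. The user can't skip the enrollment step
 // during OOBE if this returns true.
 bool is_forced() const {
 return mode == MODE_LOCAL_FORCED || mode == MODE_SERVER_FORCED ||
-mode == MODE_RECOVERY;
+mode == MODE_RECOVERY || is_attestation_forced();
+}
+
+// Whether attestation-based enrollment is forced. The user can't skip
+// the enrollment step during OOBE if this returns true.
+bool is_attestation_forced() const {
+return auth_mechanism == AUTH_MECHANISM_ATTESTATION;
+}
+
+// Whether this configuration is in attestation mode.
+bool is_mode_attestation() const {
+return mode == MODE_ATTESTATION || mode == MODE_ATTESTATION_FORCED;
+}
+
+// Whether this configuration is in OAuth mode.
+bool is_mode_oauth() const {
+return mode != MODE_NONE && !is_mode_attestation();
 }
 
 // Indicates the enrollment flow variant to trigger during OOBE.
 Mode mode = MODE_NONE;
 
 // The domain to enroll the device to, if applicable. If this is not set, the
 // device may be enrolled to any domain. Note that for the case where the
 // device is not already locked to a certain domain, this value is used for
 // display purposes only and the server makes the final decision on which
 // domain the device should be enrolled with. If the device is already locked
 // to a domain, policy validation during enrollment will verify the domains
 // match.
 std::string management_domain;
 
 // The authentication mechanism to use.
 // TODO(drcrash): Change to best available once ZTE is everywhere.
 AuthMechanism auth_mechanism = AUTH_MECHANISM_INTERACTIVE;
 };
 
 } // namespace policy
 
 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_CONFIG_H_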
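Review bot: `is_forced()` on the new side never tests `mode == MODE_ATTESTATION_FORCED`; attestation makes it true only through `is_attestation_forced()`, which checks `auth_mechanism == AUTH_MECHANISM_ATTESTATION`. A config that sets `MODE_ATTESTATION_FORCED` but keeps the default `AUTH_MECHANISM_INTERACTIVE` would therefore report as skippable during OOBE, although this predicate is what the header documents as preventing the user from skipping enrollment. If `mode` and `auth_mechanism` are meant to always be set together, that invariant is not stated anywhere in this header and deserves a comment on both fields; otherwise consider `mode == MODE_RECOVERY || mode == MODE_ATTESTATION_FORCED || is_attestation_forced();`. Relatedly, `should_enroll_with_attestation()` is true for `AUTH_MECHANISM_BEST_AVAILABLE` regardless of `mode`, so once the TODO flips the default, `should_enroll()` would return true even with `MODE_NONE`.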