
Side by Side Diff: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

Issue 2186623002: Minimal attestation-based enrollment flow. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Addressed achuithb's feedback. Created 4 years, 4 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" 5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "base/bind.h" 9 #include "base/bind.h"
10 #include "base/location.h" 10 #include "base/location.h"
11 #include "base/logging.h" 11 #include "base/logging.h"
12 #include "base/single_thread_task_runner.h" 12 #include "base/single_thread_task_runner.h"
13 #include "base/threading/thread_task_runner_handle.h" 13 #include "base/threading/thread_task_runner_handle.h"
14 #include "chrome/browser/browser_process.h" 14 #include "chrome/browser/browser_process.h"
15 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" 15 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h"
16 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h" 16 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
17 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h" 17 #include "chrome/browser/chromeos/ownership/owner_settings_service_chromeos.h"
18 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" 18 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
19 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h" 19 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"
20 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" 20 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
21 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" 21 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
22 #include "chrome/browser/chromeos/profiles/profile_helper.h" 22 #include "chrome/browser/chromeos/profiles/profile_helper.h"
23 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" 23 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
24 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h " 24 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h "
25 #include "chrome/browser/profiles/profile.h" 25 #include "chrome/browser/profiles/profile.h"
26 #include "chromeos/attestation/attestation_constants.h"
27 #include "chromeos/attestation/attestation_flow.h" 26 #include "chromeos/attestation/attestation_flow.h"
28 #include "chromeos/cryptohome/async_method_caller.h"
29 #include "chromeos/dbus/cryptohome_client.h"
30 #include "components/signin/core/account_id/account_id.h"
31 #include "google_apis/gaia/gaia_urls.h" 27 #include "google_apis/gaia/gaia_urls.h"
32 #include "net/http/http_status_code.h" 28 #include "net/http/http_status_code.h"
33 29
34 namespace em = enterprise_management; 30 namespace em = enterprise_management;
35 31
36 namespace policy { 32 namespace policy {
37 33
38 namespace { 34 namespace {
39 35
40 // Retry for InstallAttrs initialization every 500ms. 36 // Retry for InstallAttrs initialization every 500ms.
(...skipping 13 matching lines...) Expand all
54 case policy::EnrollmentConfig::MODE_LOCAL_FORCED: 50 case policy::EnrollmentConfig::MODE_LOCAL_FORCED:
55 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_FORCED; 51 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_FORCED;
56 case policy::EnrollmentConfig::MODE_LOCAL_ADVERTISED: 52 case policy::EnrollmentConfig::MODE_LOCAL_ADVERTISED:
57 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_ADVERTISED; 53 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_LOCAL_ADVERTISED;
58 case policy::EnrollmentConfig::MODE_SERVER_FORCED: 54 case policy::EnrollmentConfig::MODE_SERVER_FORCED:
59 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_FORCED; 55 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_FORCED;
60 case policy::EnrollmentConfig::MODE_SERVER_ADVERTISED: 56 case policy::EnrollmentConfig::MODE_SERVER_ADVERTISED:
61 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_ADVERTISED; 57 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_ADVERTISED;
62 case policy::EnrollmentConfig::MODE_RECOVERY: 58 case policy::EnrollmentConfig::MODE_RECOVERY:
63 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_RECOVERY; 59 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_RECOVERY;
60 case policy::EnrollmentConfig::MODE_ATTESTATION:
61 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION;
62 case policy::EnrollmentConfig::MODE_ATTESTATION_FORCED:
63 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED;
64 } 64 }
65 65
66 NOTREACHED() << "Bad enrollment mode: " << mode; 66 NOTREACHED() << "Bad enrollment mode: " << mode;
67 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; 67 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL;
68 } 68 }
69 69
70 } // namespace 70 } // namespace
71 71
72 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( 72 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
73 DeviceCloudPolicyStoreChromeOS* store, 73 DeviceCloudPolicyStoreChromeOS* store,
(...skipping 22 matching lines...) Expand all
96 requisition_(requisition), 96 requisition_(requisition),
97 allowed_device_modes_(allowed_device_modes), 97 allowed_device_modes_(allowed_device_modes),
98 completion_callback_(completion_callback), 98 completion_callback_(completion_callback),
99 device_mode_(DEVICE_MODE_NOT_SET), 99 device_mode_(DEVICE_MODE_NOT_SET),
100 skip_robot_auth_(false), 100 skip_robot_auth_(false),
101 enrollment_step_(STEP_PENDING), 101 enrollment_step_(STEP_PENDING),
102 lockbox_init_duration_(0), 102 lockbox_init_duration_(0),
103 weak_ptr_factory_(this) { 103 weak_ptr_factory_(this) {
104 CHECK(!client_->is_registered()); 104 CHECK(!client_->is_registered());
105 CHECK_EQ(DM_STATUS_SUCCESS, client_->status()); 105 CHECK_EQ(DM_STATUS_SUCCESS, client_->status());
106 CHECK_NE(enrollment_config_.auth_mechanism, 106 CHECK((enrollment_config_.mode == EnrollmentConfig::MODE_ATTESTATION ||
107 EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE); 107 enrollment_config_.mode ==
108 CHECK((enrollment_config_.auth_mechanism == 108 EnrollmentConfig::MODE_ATTESTATION_FORCED) == auth_token_.empty());
109 EnrollmentConfig::AUTH_MECHANISM_ATTESTATION &&
110 auth_token_.empty()) ||
111 (enrollment_config_.auth_mechanism ==
112 EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE &&
113 !auth_token_.empty()));
114 CHECK(enrollment_config_.auth_mechanism != 109 CHECK(enrollment_config_.auth_mechanism !=
115 EnrollmentConfig::AUTH_MECHANISM_ATTESTATION || 110 EnrollmentConfig::AUTH_MECHANISM_ATTESTATION ||
116 (async_method_caller_ != nullptr && cryptohome_client_ != nullptr)); 111 (async_method_caller_ != nullptr && cryptohome_client_ != nullptr));
117 store_->AddObserver(this); 112 store_->AddObserver(this);
118 client_->AddObserver(this); 113 client_->AddObserver(this);
119 client_->AddPolicyTypeToFetch(dm_protocol::kChromeDevicePolicyType, 114 client_->AddPolicyTypeToFetch(dm_protocol::kChromeDevicePolicyType,
120 std::string()); 115 std::string());
121 } 116 }
122 117
123 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() { 118 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() {
(...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after
269 } 264 }
270 265
271 void EnrollmentHandlerChromeOS::StartRegistration() { 266 void EnrollmentHandlerChromeOS::StartRegistration() {
272 CHECK_EQ(STEP_LOADING_STORE, enrollment_step_); 267 CHECK_EQ(STEP_LOADING_STORE, enrollment_step_);
273 if (!store_->is_initialized()) { 268 if (!store_->is_initialized()) {
274 // Do nothing. StartRegistration() will be called again from OnStoreLoaded() 269 // Do nothing. StartRegistration() will be called again from OnStoreLoaded()
275 // after the CloudPolicyStore has initialized. 270 // after the CloudPolicyStore has initialized.
276 return; 271 return;
277 } 272 }
278 enrollment_step_ = STEP_REGISTRATION; 273 enrollment_step_ = STEP_REGISTRATION;
279 if (enrollment_config_.auth_mechanism == 274 if (enrollment_config_.should_enroll_with_attestation()) {
280 EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE) { 275 StartAttestationBasedEnrollmentFlow();
276 } else {
281 client_->Register( 277 client_->Register(
282 em::DeviceRegisterRequest::DEVICE, 278 em::DeviceRegisterRequest::DEVICE,
283 EnrollmentModeToRegistrationFlavor(enrollment_config_.mode), 279 EnrollmentModeToRegistrationFlavor(enrollment_config_.mode),
284 auth_token_, client_id_, requisition_, current_state_key_); 280 auth_token_, client_id_, requisition_, current_state_key_);
285 } else { 281 }
282 }
283
284 void EnrollmentHandlerChromeOS::StartAttestationBasedEnrollmentFlow() {
285 if (!attestation_flow_) {
286 std::unique_ptr<chromeos::attestation::ServerProxy> attestation_ca_client( 286 std::unique_ptr<chromeos::attestation::ServerProxy> attestation_ca_client(
287 new chromeos::attestation::AttestationCAClient()); 287 new chromeos::attestation::AttestationCAClient());
288 chromeos::attestation::AttestationFlow flow( 288 attestation_flow_.reset(new chromeos::attestation::AttestationFlow(
289 async_method_caller_, cryptohome_client_, 289 async_method_caller_, cryptohome_client_,
290 std::move(attestation_ca_client)); 290 std::move(attestation_ca_client)));
291 chromeos::attestation::AttestationFlow::CertificateCallback callback =
292 base::Bind(
293 &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult,
294 weak_ptr_factory_.GetWeakPtr());
295 flow.GetCertificate(
296 chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE,
297 EmptyAccountId(), "" /* request_origin */, false /* force_new_key */,
298 callback);
299 } 291 }
292 const chromeos::attestation::AttestationFlow::CertificateCallback callback =
293 base::Bind(
294 &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult,
295 weak_ptr_factory_.GetWeakPtr());
296 attestation_flow_->GetCertificate(
297 chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE,
298 EmptyAccountId(), "" /* request_origin */, false /* force_new_key */,
299 callback);
300 } 300 }
301 301
302 void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult( 302 void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult(
303 bool success, 303 bool success,
304 const std::string& pem_certificate_chain) { 304 const std::string& pem_certificate_chain) {
305 LOG(ERROR) << "Attestation enrollment not implemented."; 305 LOG(WARNING) << "Enrolling with a registration certificate"
306 " is not supported yet.";
306 // TODO(drcrash): Invert success/fail tests, mocking as always failed now. 307 // TODO(drcrash): Invert success/fail tests, mocking as always failed now.
307 if (success) { 308 if (success) {
308 // TODO(drcrash): Implement new call in client_ to register with cert. 309 // TODO(drcrash): Implement new call in client_ to register with cert.
309 } 310 }
310 // TODO(drcrash): Use STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED.
311 ReportResult(EnrollmentStatus::ForStatus( 311 ReportResult(EnrollmentStatus::ForStatus(
312 EnrollmentStatus::STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED)); 312 EnrollmentStatus::STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED));
313 } 313 }
314 314
315 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult( 315 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
316 DeviceCloudPolicyValidator* validator) { 316 DeviceCloudPolicyValidator* validator) {
317 CHECK_EQ(STEP_VALIDATION, enrollment_step_); 317 CHECK_EQ(STEP_VALIDATION, enrollment_step_);
318 if (validator->success()) { 318 if (validator->success()) {
319 policy_ = std::move(validator->policy()); 319 policy_ = std::move(validator->policy());
320 username_ = validator->policy_data()->username(); 320 username_ = validator->policy_data()->username();
(...skipping 183 matching lines...) Expand 10 before | Expand all | Expand 10 after
504 << ", validation: " << status.validation_status() 504 << ", validation: " << status.validation_status()
505 << ", store: " << status.store_status() 505 << ", store: " << status.store_status()
506 << ", lock: " << status.lock_status(); 506 << ", lock: " << status.lock_status();
507 } 507 }
508 508
509 if (!callback.is_null()) 509 if (!callback.is_null())
510 callback.Run(status); 510 callback.Run(status);
511 } 511 }
512 512
513 } // namespace policy 513 } // namespace policy
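Review bot: The attestation dispatch in StartRegistration (new line 274) is keyed on `enrollment_config_.should_enroll_with_attestation()`, while the constructor's nullptr guard for `async_method_caller_`/`cryptohome_client_` (new lines 109-111) is still keyed on `auth_mechanism == AUTH_MECHANISM_ATTESTATION`, and the new CHECK on lines 106-108 keys on `mode` — three different predicates for one invariant; if should_enroll_with_attestation() (defined outside this file) can be true when auth_mechanism is not ATTESTATION, StartAttestationBasedEnrollmentFlow hands null pointers to the AttestationFlow constructor. I would tie the guard to the same predicate the dispatch uses: `CHECK(!enrollment_config_.should_enroll_with_attestation() || (async_method_caller_ != nullptr && cryptohome_client_ != nullptr));`. Separately, HandleRegistrationCertificateResult does not assert the enrollment step the way HandlePolicyValidationResult does (`CHECK_EQ(STEP_VALIDATION, enrollment_step_);` on line 317); adding `CHECK_EQ(STEP_REGISTRATION, enrollment_step_);` at its top would catch a late certificate callback arriving after the handler has already reported a result. The dropped `CHECK_NE(auth_mechanism, AUTH_MECHANISM_BEST_AVAILABLE)` also means an unresolved auth mechanism is no longer rejected in this constructor, so it is worth confirming the caller always resolves it before constructing the handler.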