chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc - Issue 2186623002: Minimal attestation-based enrollment flow.

Unified Diff: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

Issue 2186623002: Minimal attestation-based enrollment flow. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Rebased after 2265163002 so we can pass presubmit. Created 4 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

« chrome/browser/chromeos/policy/enrollment_config.h ('K') | « chrome/browser/chromeos/policy/enrollment_handler_chromeos.h ('k') | chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

diff --git a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

index 2409a2b32b95b01380ae818ba294924dd79df4ee..be5210c9b46ff763e62caba017c8d9b395d8caf9 100644

--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

@@ -23,11 +23,7 @@

#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"

#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"

#include "chrome/browser/profiles/profile.h"

-#include "chromeos/attestation/attestation_constants.h"

#include "chromeos/attestation/attestation_flow.h"

-#include "chromeos/cryptohome/async_method_caller.h"

-#include "chromeos/dbus/cryptohome_client.h"

-#include "components/signin/core/account_id/account_id.h"

#include "google_apis/gaia/gaia_urls.h"

#include "net/http/http_status_code.h"

@@ -61,6 +57,10 @@ em::DeviceRegisterRequest::Flavor EnrollmentModeToRegistrationFlavor(

return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_SERVER_ADVERTISED;

case policy::EnrollmentConfig::MODE_RECOVERY:

return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_RECOVERY;

+ case policy::EnrollmentConfig::MODE_ATTESTATION:

+ return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION;

+ case policy::EnrollmentConfig::MODE_ATTESTATION_FORCED:

+ return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED;

}

NOTREACHED() << "Bad enrollment mode: " << mode;

@@ -103,14 +103,9 @@ EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(

weak_ptr_factory_(this) {

CHECK(!client_->is_registered());

CHECK_EQ(DM_STATUS_SUCCESS, client_->status());

- CHECK_NE(enrollment_config_.auth_mechanism,

- EnrollmentConfig::AUTH_MECHANISM_BEST_AVAILABLE);

- CHECK((enrollment_config_.auth_mechanism ==

- EnrollmentConfig::AUTH_MECHANISM_ATTESTATION &&

- auth_token_.empty()) ||

- (enrollment_config_.auth_mechanism ==

- EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE &&

- !auth_token_.empty()));

+ CHECK((enrollment_config_.mode == EnrollmentConfig::MODE_ATTESTATION ||

+ enrollment_config_.mode ==

+ EnrollmentConfig::MODE_ATTESTATION_FORCED) == auth_token_.empty());

CHECK(enrollment_config_.auth_mechanism !=

EnrollmentConfig::AUTH_MECHANISM_ATTESTATION ||

(async_method_caller_ != nullptr && cryptohome_client_ != nullptr));

@@ -276,38 +271,43 @@ void EnrollmentHandlerChromeOS::StartRegistration() {

return;

}

enrollment_step_ = STEP_REGISTRATION;

- if (enrollment_config_.auth_mechanism ==

- EnrollmentConfig::AUTH_MECHANISM_INTERACTIVE) {

+ if (enrollment_config_.should_enroll_with_attestation()) {

+ StartAttestationBasedEnrollmentFlow();

+ } else {

client_->Register(

em::DeviceRegisterRequest::DEVICE,

EnrollmentModeToRegistrationFlavor(enrollment_config_.mode),

auth_token_, client_id_, requisition_, current_state_key_);

- } else {

+ }

+void EnrollmentHandlerChromeOS::StartAttestationBasedEnrollmentFlow() {

+ if (!attestation_flow_) {

std::unique_ptr<chromeos::attestation::ServerProxy> attestation_ca_client(

new chromeos::attestation::AttestationCAClient());

- chromeos::attestation::AttestationFlow flow(

+ attestation_flow_.reset(new chromeos::attestation::AttestationFlow(

async_method_caller_, cryptohome_client_,

- std::move(attestation_ca_client));

- chromeos::attestation::AttestationFlow::CertificateCallback callback =

- base::Bind(

- &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult,

- weak_ptr_factory_.GetWeakPtr());

- flow.GetCertificate(

- chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE,

- EmptyAccountId(), "" /* request_origin */, false /* force_new_key */,

- callback);

+ std::move(attestation_ca_client)));

}

+ chromeos::attestation::AttestationFlow::CertificateCallback callback =

achuithb 2016/08/23 18:16:45 const

The one and only Dr. Crash 2016/08/23 21:24:19 Done.

+ base::Bind(

+ &EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult,

+ weak_ptr_factory_.GetWeakPtr());

+ attestation_flow_->GetCertificate(

+ chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE,

+ EmptyAccountId(), "" /* request_origin */, false /* force_new_key */,

+ callback);

}

void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult(

bool success,

const std::string& pem_certificate_chain) {

- LOG(ERROR) << "Attestation enrollment not implemented.";

+ LOG(WARNING) << "Enrolling with a registration certificate"

+ " is not supported yet.";

// TODO(drcrash): Invert success/fail tests, mocking as always failed now.

if (success) {

// TODO(drcrash): Implement new call in client_ to register with cert.

}

- // TODO(drcrash): Use STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED.

ReportResult(EnrollmentStatus::ForStatus(

EnrollmentStatus::STATUS_REGISTRATION_CERTIFICATE_FETCH_FAILED));

}