Chromium Code Reviews Chromium Code Reviews
Issue 2261763002:
Device enterprise registration with a certificate. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/policy/core/common/cloud/cloud_policy_client.h" | 5 #include "components/policy/core/common/cloud/cloud_policy_client.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 46 CloudPolicyClient::Observer::~Observer() {} | 46 CloudPolicyClient::Observer::~Observer() {} |
| 47 | 47 |
| 48 void CloudPolicyClient::Observer::OnRobotAuthCodesFetched( | 48 void CloudPolicyClient::Observer::OnRobotAuthCodesFetched( |
| 49 CloudPolicyClient* client) {} | 49 CloudPolicyClient* client) {} |
| 50 | 50 |
| 51 CloudPolicyClient::CloudPolicyClient( | 51 CloudPolicyClient::CloudPolicyClient( |
| 52 const std::string& machine_id, | 52 const std::string& machine_id, |
| 53 const std::string& machine_model, | 53 const std::string& machine_model, |
| 54 const std::string& verification_key_hash, | 54 const std::string& verification_key_hash, |
| 55 DeviceManagementService* service, | 55 DeviceManagementService* service, |
| 56 scoped_refptr<net::URLRequestContextGetter> request_context) | 56 scoped_refptr<net::URLRequestContextGetter> request_context, |
| 57 SigningService* signing_service) | |
| 57 : machine_id_(machine_id), | 58 : machine_id_(machine_id), |
| 58 machine_model_(machine_model), | 59 machine_model_(machine_model), |
| 59 verification_key_hash_(verification_key_hash), | 60 verification_key_hash_(verification_key_hash), |
| 60 device_mode_(DEVICE_MODE_NOT_SET), | 61 device_mode_(DEVICE_MODE_NOT_SET), |
| 61 submit_machine_id_(false), | 62 submit_machine_id_(false), |
| 62 public_key_version_(-1), | 63 public_key_version_(-1), |
| 63 public_key_version_valid_(false), | 64 public_key_version_valid_(false), |
| 64 invalidation_version_(0), | 65 invalidation_version_(0), |
| 65 fetched_invalidation_version_(0), | 66 fetched_invalidation_version_(0), |
| 66 service_(service), // Can be null for unit tests. | 67 service_(service), // Can be null for unit tests. |
| 68 signing_service_(signing_service), | |
| 67 status_(DM_STATUS_SUCCESS), | 69 status_(DM_STATUS_SUCCESS), |
| 68 request_context_(request_context) { | 70 request_context_(request_context) { |
| 69 } | 71 } |
| 70 | 72 |
| 73 CloudPolicyClient::CloudPolicyClient( | |
| 74 const std::string& machine_id, | |
| 75 const std::string& machine_model, | |
| 76 const std::string& verification_key_hash, | |
| 77 DeviceManagementService* service, | |
| 78 scoped_refptr<net::URLRequestContextGetter> request_context) : | |
| 79 CloudPolicyClient(machine_id, | |
| 80 machine_model, | |
| 81 verification_key_hash, | |
| 82 service, | |
| 83 request_context, | |
| 84 nullptr /* signing_service */) { | |
| 85 } | |
| 86 | |
| 71 CloudPolicyClient::~CloudPolicyClient() { | 87 CloudPolicyClient::~CloudPolicyClient() { |
| 72 base::STLDeleteValues(&responses_); | 88 base::STLDeleteValues(&responses_); |
| 73 } | 89 } |
| 74 | 90 |
| 75 void CloudPolicyClient::SetupRegistration(const std::string& dm_token, | 91 void CloudPolicyClient::SetupRegistration(const std::string& dm_token, |
| 76 const std::string& client_id) { | 92 const std::string& client_id) { |
| 77 DCHECK(!dm_token.empty()); | 93 DCHECK(!dm_token.empty()); |
| 78 DCHECK(!client_id.empty()); | 94 DCHECK(!client_id.empty()); |
| 79 DCHECK(!is_registered()); | 95 DCHECK(!is_registered()); |
| 80 | 96 |
| 81 dm_token_ = dm_token; | 97 dm_token_ = dm_token; |
| 82 client_id_ = client_id; | 98 client_id_ = client_id; |
| 83 request_jobs_.clear(); | 99 request_jobs_.clear(); |
| 84 policy_fetch_request_job_.reset(); | 100 policy_fetch_request_job_.reset(); |
| 85 base::STLDeleteValues(&responses_); | 101 base::STLDeleteValues(&responses_); |
| 86 | 102 |
| 87 NotifyRegistrationStateChanged(); | 103 NotifyRegistrationStateChanged(); |
| 88 } | 104 } |
| 89 | 105 |
| 106 void CloudPolicyClient::SetClientId(const std::string& client_id) { | |
| 107 if (client_id.empty()) { | |
| 108 // Generate a new client ID. This is intentionally done on each new | |
| 109 // registration request in order to preserve privacy. Reusing IDs would | |
| 110 // mean the server could track clients by their registration attempts. | |
| 111 client_id_ = base::GenerateGUID(); | |
| 112 } else { | |
| 113 client_id_ = client_id; | |
| 114 } | |
| 115 } | |
| 116 | |
| 90 void CloudPolicyClient::Register(em::DeviceRegisterRequest::Type type, | 117 void CloudPolicyClient::Register(em::DeviceRegisterRequest::Type type, |
| 91 em::DeviceRegisterRequest::Flavor flavor, | 118 em::DeviceRegisterRequest::Flavor flavor, |
| 92 const std::string& auth_token, | 119 const std::string& auth_token, |
| 93 const std::string& client_id, | 120 const std::string& client_id, |
| 94 const std::string& requisition, | 121 const std::string& requisition, |
| 95 const std::string& current_state_key) { | 122 const std::string& current_state_key) { |
| 96 DCHECK(service_); | 123 DCHECK(service_); |
| 97 DCHECK(!auth_token.empty()); | 124 DCHECK(!auth_token.empty()); |
| 98 DCHECK(!is_registered()); | 125 DCHECK(!is_registered()); |
| 99 | 126 |
| 100 if (client_id.empty()) { | 127 SetClientId(client_id); |
| 101 // Generate a new client ID. This is intentionally done on each new | |
| 102 // registration request in order to preserve privacy. Reusing IDs would mean | |
| 103 // the server could track clients by their registration attempts. | |
| 104 client_id_ = base::GenerateGUID(); | |
| 105 } else { | |
| 106 client_id_ = client_id; | |
| 107 } | |
| 108 | 128 |
| 109 policy_fetch_request_job_.reset( | 129 policy_fetch_request_job_.reset( |
| 110 service_->CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION, | 130 service_->CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION, |
| 111 GetRequestContext())); | 131 GetRequestContext())); |
| 112 policy_fetch_request_job_->SetOAuthToken(auth_token); | 132 policy_fetch_request_job_->SetOAuthToken(auth_token); |
| 113 policy_fetch_request_job_->SetClientID(client_id_); | 133 policy_fetch_request_job_->SetClientID(client_id_); |
| 114 | 134 |
| 115 em::DeviceRegisterRequest* request = | 135 em::DeviceRegisterRequest* request = |
| 116 policy_fetch_request_job_->GetRequest()->mutable_register_request(); | 136 policy_fetch_request_job_->GetRequest()->mutable_register_request(); |
| 117 if (!client_id.empty()) | 137 if (!client_id.empty()) |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 128 request->set_flavor(flavor); | 148 request->set_flavor(flavor); |
| 129 | 149 |
| 130 policy_fetch_request_job_->SetRetryCallback( | 150 policy_fetch_request_job_->SetRetryCallback( |
| 131 base::Bind(&CloudPolicyClient::OnRetryRegister, base::Unretained(this))); | 151 base::Bind(&CloudPolicyClient::OnRetryRegister, base::Unretained(this))); |
| 132 | 152 |
| 133 policy_fetch_request_job_->Start( | 153 policy_fetch_request_job_->Start( |
| 134 base::Bind(&CloudPolicyClient::OnRegisterCompleted, | 154 base::Bind(&CloudPolicyClient::OnRegisterCompleted, |
| 135 base::Unretained(this))); | 155 base::Unretained(this))); |
| 136 } | 156 } |
| 137 | 157 |
| 158 void CloudPolicyClient::RegisterWithCertificate( | |
| 159 em::DeviceRegisterRequest::Type type, | |
| 160 em::DeviceRegisterRequest::Flavor flavor, | |
| 161 const std::string& pem_certificate_chain, | |
| 162 const std::string& client_id, | |
| 163 const std::string& requisition, | |
| 164 const std::string& current_state_key) { | |
| 165 DCHECK(service_); | |
| 166 DCHECK(!pem_certificate_chain.empty()); | |
| 167 DCHECK(!is_registered()); | |
| 168 | |
| 169 if (!signing_service_) { | |
|
pastarmovj
2016/08/22 15:09:43
Can you explain why is this not a DCHECK or CHECK
The one and only Dr. Crash
2016/08/22 16:00:01
I started with a DCHECK, but thought that since th
pastarmovj
2016/08/23 08:46:02
+Daren, what do you think?
| |
| 170 LOG(ERROR) << "Cryptographic misconfiguration. Cannot sign request."; | |
| 171 em::DeviceManagementResponse response; | |
| 172 OnRegisterCompleted(DM_STATUS_CANNOT_SIGN_REQUEST, 0, response); | |
| 173 return; | |
| 174 } | |
| 175 | |
| 176 SetClientId(client_id); | |
| 177 | |
| 178 em::CertificateBasedDeviceRegistrationData data; | |
| 179 data.set_certificate_type(em::CertificateBasedDeviceRegistrationData:: | |
| 180 ENTERPRISE_ENROLLMENT_CERTIFICATE); | |
| 181 data.set_device_certificate(pem_certificate_chain); | |
| 182 | |
| 183 em::DeviceRegisterRequest* request = data.mutable_device_register_request(); | |
| 184 if (!client_id.empty()) | |
| 185 request->set_reregister(true); | |
| 186 request->set_type(type); | |
| 187 if (!machine_id_.empty()) | |
| 188 request->set_machine_id(machine_id_); | |
| 189 if (!machine_model_.empty()) | |
| 190 request->set_machine_model(machine_model_); | |
| 191 if (!requisition.empty()) | |
| 192 request->set_requisition(requisition); | |
| 193 if (!current_state_key.empty()) | |
| 194 request->set_server_backed_state_key(current_state_key); | |
| 195 request->set_flavor(flavor); | |
| 196 | |
| 197 signing_service_->SignData(data.SerializeAsString(), | |
| 198 base::Bind(&CloudPolicyClient::OnRegisterWithCertificateRequestSigned, | |
| 199 base::Unretained(this))); | |
| 200 } | |
| 201 | |
| 202 void CloudPolicyClient::OnRegisterWithCertificateRequestSigned(bool success, | |
| 203 em::SignedData signed_data) { | |
| 204 if (success) { | |
|
pastarmovj
2016/08/22 15:09:43
nit: maybe reverse this like if (!success) { error
The one and only Dr. Crash
2016/08/22 16:00:01
Done.
| |
| 205 policy_fetch_request_job_.reset( | |
| 206 service_->CreateJob( | |
| 207 DeviceManagementRequestJob::TYPE_CERT_BASED_REGISTRATION, | |
| 208 GetRequestContext())); | |
| 209 policy_fetch_request_job_->SetClientID(client_id_); | |
| 210 em::SignedData* signed_request = policy_fetch_request_job_->GetRequest()-> | |
| 211 mutable_cert_based_register_request()->mutable_signed_request(); | |
| 212 signed_request->set_data(signed_data.data()); | |
| 213 signed_request->set_signature(signed_data.signature()); | |
| 214 signed_request->set_extra_data_bytes(signed_data.extra_data_bytes()); | |
| 215 policy_fetch_request_job_->SetRetryCallback( | |
| 216 base::Bind(&CloudPolicyClient::OnRetryRegister, | |
| 217 base::Unretained(this))); | |
| 218 policy_fetch_request_job_->Start( | |
| 219 base::Bind(&CloudPolicyClient::OnRegisterCompleted, | |
| 220 base::Unretained(this))); | |
| 221 return; | |
| 222 } | |
| 223 em::DeviceManagementResponse response; | |
| 224 OnRegisterCompleted(DM_STATUS_CANNOT_SIGN_REQUEST, 0, response); | |
| 225 } | |
| 226 | |
| 138 void CloudPolicyClient::SetInvalidationInfo(int64_t version, | 227 void CloudPolicyClient::SetInvalidationInfo(int64_t version, |
| 139 const std::string& payload) { | 228 const std::string& payload) { |
| 140 invalidation_version_ = version; | 229 invalidation_version_ = version; |
| 141 invalidation_payload_ = payload; | 230 invalidation_payload_ = payload; |
| 142 } | 231 } |
| 143 | 232 |
| 144 void CloudPolicyClient::FetchPolicy() { | 233 void CloudPolicyClient::FetchPolicy() { |
| 145 CHECK(is_registered()); | 234 CHECK(is_registered()); |
| 146 CHECK(!types_to_fetch_.empty()); | 235 CHECK(!types_to_fetch_.empty()); |
| 147 | 236 |
| (...skipping 569 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 717 | 806 |
| 718 void CloudPolicyClient::NotifyRobotAuthCodesFetched() { | 807 void CloudPolicyClient::NotifyRobotAuthCodesFetched() { |
| 719 FOR_EACH_OBSERVER(Observer, observers_, OnRobotAuthCodesFetched(this)); | 808 FOR_EACH_OBSERVER(Observer, observers_, OnRobotAuthCodesFetched(this)); |
| 720 } | 809 } |
| 721 | 810 |
| 722 void CloudPolicyClient::NotifyClientError() { | 811 void CloudPolicyClient::NotifyClientError() { |
| 723 FOR_EACH_OBSERVER(Observer, observers_, OnClientError(this)); | 812 FOR_EACH_OBSERVER(Observer, observers_, OnClientError(this)); |
| 724 } | 813 } |
| 725 | 814 |
| 726 } // namespace policy | 815 } // namespace policy |
| OLD | NEW |
