Device enterprise registration with a certificate.

components/policy/core/common/cloud/cloud_policy_client.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_CLIENT_H_
 #define COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_CLIENT_H_
 
 #include <stdint.h>
 
 #include <map>
 #include <memory>
 #include <set>
 #include <string>
 #include <utility>
 #include <vector>
 
 #include "base/callback.h"
 #include "base/macros.h"
 #include "base/memory/scoped_vector.h"
 #include "base/observer_list.h"
 #include "base/time/time.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/policy/core/common/remote_commands/remote_command_job.h"
 #include "components/policy/policy_export.h"
 #include "policy/proto/device_management_backend.pb.h"
 
+namespace cryptohome {
+class AsyncMethodCaller;
+}
+
 namespace net {
 class URLRequestContextGetter;
 }
 
 namespace policy {
 
 class DeviceManagementRequestJob;
 class DeviceManagementService;
 
 // Implements the core logic required to talk to the device management service.
@@ skipping 35 matching lines @@
 
     // Called when a request for device robot OAuth2 authorization tokens
     // returns successfully. Only occurs during enrollment. Optional
     // (default implementation is a noop).
     virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client);
 
     // Indicates there's been an error in a previously-issued request.
     virtual void OnClientError(CloudPolicyClient* client) = 0;
   };
 
+  // Data signing interface.
+  class POLICY_EXPORT SigningService {
+   public:
+    typedef base::Callback<void(bool success,
+                                enterprise_management::SignedData signed_data)>
+        SigningCallback;

[pastarmovj, 2016/08/22 15:09:43]

nit: please add a new line between the two.

[The one and only Dr. Crash, 2016/08/22 16:00:02]

Done.

+    virtual void SignData(const std::string& data,

[pastarmovj, 2016/08/22 15:09:43]

Please document this function so that whoever needs to implement it know what to
do.

[The one and only Dr. Crash, 2016/08/22 16:00:02]

Done.

+                          SigningCallback callback) = 0;
+  };
+
   // |provider| and |service| are weak pointers and it's the caller's
   // responsibility to keep them valid for the lifetime of CloudPolicyClient.
   // |verification_key_hash| contains an identifier telling the DMServer which
-  // verification key to use.
+  // verification key to use. The |signing_service| is used to sign sensitive
+  // requests.
   CloudPolicyClient(

[pastarmovj, 2016/08/22 15:09:43]

Just thinking aloud here... could the signing service be specified by a setter
instead of in the constructor? It doesn't seem like it is needed at construction
time and most instantiations doesn't need it it seems?

[The one and only Dr. Crash, 2016/08/22 16:00:01]

I think the constructor patterns fits the code style better (I did consider both
a setter and passing it to the new API), and we expect to authenticate more
methods like this over time.

       const std::string& machine_id,
       const std::string& machine_model,
+      const std::string& verification_key_hash,
+      DeviceManagementService* service,
+      scoped_refptr<net::URLRequestContextGetter> request_context,
+      SigningService* signing_service);
+  // Constructs a client without signing support.
+  CloudPolicyClient(
+      const std::string& machine_id,
+      const std::string& machine_model,
       const std::string& verification_key_hash,
       DeviceManagementService* service,
       scoped_refptr<net::URLRequestContextGetter> request_context);
   virtual ~CloudPolicyClient();
 
   // Sets the DMToken, thereby establishing a registration with the server. A
   // policy fetch is not automatically issued but can be requested by calling
   // FetchPolicy().
   virtual void SetupRegistration(const std::string& dm_token,
                                  const std::string& client_id);
 
   // Attempts to register with the device management service. Results in a
   // registration change or error notification.
   virtual void Register(
       enterprise_management::DeviceRegisterRequest::Type registration_type,
       enterprise_management::DeviceRegisterRequest::Flavor flavor,
       const std::string& auth_token,
       const std::string& client_id,
       const std::string& requisition,
       const std::string& current_state_key);
 
+  // Attempts to register with the device management service using a
+  // registration certificate. Results in a registration change or
+  // error notification.
+  virtual void RegisterWithCertificate(
+      enterprise_management::DeviceRegisterRequest::Type registration_type,
+      enterprise_management::DeviceRegisterRequest::Flavor flavor,
+      const std::string& pem_certificate_chain,
+      const std::string& client_id,
+      const std::string& requisition,
+      const std::string& current_state_key);
+
   // Sets information about a policy invalidation. Subsequent fetch operations
   // will use the given info, and callers can use fetched_invalidation_version
   // to determine which version of policy was fetched.
   void SetInvalidationInfo(int64_t version, const std::string& payload);
 
   // Requests a policy fetch. The client being registered is a prerequisite to
   // this operation and this call will CHECK if the client is not in registered
   // state. FetchPolicy() triggers a policy fetch from the cloud. A policy
   // change notification is reported to the observers and the new policy blob
   // can be retrieved once the policy fetch operation completes. In case of
@@ skipping 142 matching lines @@
   // Returns the number of active requests.
   int GetActiveRequestCountForTest() const;
 
  protected:
   // A set of (policy type, settings entity ID) pairs to fetch.
   typedef std::set<std::pair<std::string, std::string>> PolicyTypeSet;
 
   // Callback for retries of registration requests.
   void OnRetryRegister(DeviceManagementRequestJob* job);
 
+  // Callback for siganture of requests.
+  void OnRegisterWithCertificateRequestSigned(bool success,
+      enterprise_management::SignedData signed_data);
+
   // Callback for registration requests.
   void OnRegisterCompleted(
       DeviceManagementStatus status,
       int net_error,
       const enterprise_management::DeviceManagementResponse& response);
 
   // Callback for policy fetch requests.
   void OnPolicyFetchCompleted(
       DeviceManagementStatus status,
       int net_error,
@@ skipping 87 matching lines @@
   // Information for the latest policy invalidation received.
   int64_t invalidation_version_;
   std::string invalidation_payload_;
 
   // The invalidation version used for the most recent fetch operation.
   int64_t fetched_invalidation_version_;
 
   // Used for issuing requests to the cloud.
   DeviceManagementService* service_;
 
+  // Used for signing requests.
+  SigningService* signing_service_;
+
   // Only one outstanding policy fetch is allowed, so this is tracked in
   // its own member variable.
   std::unique_ptr<DeviceManagementRequestJob> policy_fetch_request_job_;
 
   // All of the outstanding non-policy-fetch request jobs. These jobs are
   // silently cancelled if Unregister() is called.
   ScopedVector<DeviceManagementRequestJob> request_jobs_;
 
   // The policy responses returned by the last policy fetch operation.
   ResponseMap responses_;
   DeviceManagementStatus status_;
 
   base::ObserverList<Observer, true> observers_;
   scoped_refptr<net::URLRequestContextGetter> request_context_;
 
  private:
+  void SetClientId(const std::string& client_id);
+
   DISALLOW_COPY_AND_ASSIGN(CloudPolicyClient);
 };
 
 }  // namespace policy
 
 #endif  // COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_CLIENT_H_