components/policy/core/common/cloud/cloud_policy_client.cc - Issue 2261763002: Device enterprise registration with a certificate.

Side by Side Diff: components/policy/core/common/cloud/cloud_policy_client.cc

Issue 2261763002: Device enterprise registration with a certificate. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Addressed more feedback. Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« components/policy/core/common/cloud/cloud_policy_client.h ('K') | « components/policy/core/common/cloud/cloud_policy_client.h ('k') | components/policy/core/common/cloud/cloud_policy_client_unittest.cc » ('j') | components/policy/core/common/cloud/cloud_policy_client_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "components/policy/core/common/cloud/cloud_policy_client.h"	5 #include "components/policy/core/common/cloud/cloud_policy_client.h"

6	6

7 #include <utility>	7 #include <utility>

8	8

9 #include "base/bind.h"	9 #include "base/bind.h"

10 #include "base/bind_helpers.h"	10 #include "base/bind_helpers.h"

(...skipping 35 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
46 CloudPolicyClient::Observer::~Observer() {}	46 CloudPolicyClient::Observer::~Observer() {}

47	47

48 void CloudPolicyClient::Observer::OnRobotAuthCodesFetched(	48 void CloudPolicyClient::Observer::OnRobotAuthCodesFetched(

49 CloudPolicyClient* client) {}	49 CloudPolicyClient* client) {}

50	50

51 CloudPolicyClient::CloudPolicyClient(	51 CloudPolicyClient::CloudPolicyClient(

52 const std::string& machine_id,	52 const std::string& machine_id,

53 const std::string& machine_model,	53 const std::string& machine_model,

54 const std::string& verification_key_hash,	54 const std::string& verification_key_hash,

55 DeviceManagementService* service,	55 DeviceManagementService* service,

56 scoped_refptr<net::URLRequestContextGetter> request_context)	56 scoped_refptr<net::URLRequestContextGetter> request_context,

	57 SigningService* signing_service)

57 : machine_id_(machine_id),	58 : machine_id_(machine_id),

58 machine_model_(machine_model),	59 machine_model_(machine_model),

59 verification_key_hash_(verification_key_hash),	60 verification_key_hash_(verification_key_hash),

60 device_mode_(DEVICE_MODE_NOT_SET),	61 device_mode_(DEVICE_MODE_NOT_SET),
	achuithb 2016/08/23 18:40:28 Move this to header Move this to header The one and only Dr. Crash 2016/08/24 05:53:44 Done. Show quoted text On 2016/08/23 18:40:28, achuithb wrote: > Move this to header Done.
61 submit_machine_id_(false),	62 submit_machine_id_(false),

62 public_key_version_(-1),	63 public_key_version_(-1),

63 public_key_version_valid_(false),	64 public_key_version_valid_(false),

64 invalidation_version_(0),	65 invalidation_version_(0),

65 fetched_invalidation_version_(0),	66 fetched_invalidation_version_(0),

66 service_(service), // Can be null for unit tests.	67 service_(service), // Can be null for unit tests.

	68 signing_service_(signing_service),

67 status_(DM_STATUS_SUCCESS),	69 status_(DM_STATUS_SUCCESS),

68 request_context_(request_context) {	70 request_context_(request_context) {

69 }	71 }

70	72

	73 CloudPolicyClient::CloudPolicyClient(
	achuithb 2016/08/23 18:40:28 Get rid of this Get rid of this The one and only Dr. Crash 2016/08/24 05:53:44 Done. Show quoted text On 2016/08/23 18:40:28, achuithb wrote: > Get rid of this Done.
	74 const std::string& machine_id,

	75 const std::string& machine_model,

	76 const std::string& verification_key_hash,

	77 DeviceManagementService* service,

	78 scoped_refptr<net::URLRequestContextGetter> request_context) :

	79 CloudPolicyClient(machine_id,

	80 machine_model,

	81 verification_key_hash,

	82 service,

	83 request_context,

	84 nullptr /* signing_service */) {

	85 }

	86

71 CloudPolicyClient::~CloudPolicyClient() {	87 CloudPolicyClient::~CloudPolicyClient() {

72 base::STLDeleteValues(&responses_);	88 base::STLDeleteValues(&responses_);

73 }	89 }

74	90

75 void CloudPolicyClient::SetupRegistration(const std::string& dm_token,	91 void CloudPolicyClient::SetupRegistration(const std::string& dm_token,

76 const std::string& client_id) {	92 const std::string& client_id) {

77 DCHECK(!dm_token.empty());	93 DCHECK(!dm_token.empty());

78 DCHECK(!client_id.empty());	94 DCHECK(!client_id.empty());

79 DCHECK(!is_registered());	95 DCHECK(!is_registered());

80	96

81 dm_token_ = dm_token;	97 dm_token_ = dm_token;

82 client_id_ = client_id;	98 client_id_ = client_id;

83 request_jobs_.clear();	99 request_jobs_.clear();

84 policy_fetch_request_job_.reset();	100 policy_fetch_request_job_.reset();

85 base::STLDeleteValues(&responses_);	101 base::STLDeleteValues(&responses_);

86	102

87 NotifyRegistrationStateChanged();	103 NotifyRegistrationStateChanged();

88 }	104 }

89	105

	106 void CloudPolicyClient::SetClientId(const std::string& client_id) {

	107 if (client_id.empty()) {
	achuithb 2016/08/23 18:40:28 use ternary operator instead use ternary operator instead The one and only Dr. Crash 2016/08/24 05:53:44 Done. Show quoted text On 2016/08/23 18:40:28, achuithb wrote: > use ternary operator instead Done.
	108 // Generate a new client ID. This is intentionally done on each new

	109 // registration request in order to preserve privacy. Reusing IDs would

	110 // mean the server could track clients by their registration attempts.

	111 client_id_ = base::GenerateGUID();

	112 } else {

	113 client_id_ = client_id;

	114 }

	115 }

	116

90 void CloudPolicyClient::Register(em::DeviceRegisterRequest::Type type,	117 void CloudPolicyClient::Register(em::DeviceRegisterRequest::Type type,

91 em::DeviceRegisterRequest::Flavor flavor,	118 em::DeviceRegisterRequest::Flavor flavor,

92 const std::string& auth_token,	119 const std::string& auth_token,

93 const std::string& client_id,	120 const std::string& client_id,

94 const std::string& requisition,	121 const std::string& requisition,

95 const std::string& current_state_key) {	122 const std::string& current_state_key) {

96 DCHECK(service_);	123 DCHECK(service_);

97 DCHECK(!auth_token.empty());	124 DCHECK(!auth_token.empty());

98 DCHECK(!is_registered());	125 DCHECK(!is_registered());

99	126

100 if (client_id.empty()) {	127 SetClientId(client_id);

101 // Generate a new client ID. This is intentionally done on each new

102 // registration request in order to preserve privacy. Reusing IDs would mean

103 // the server could track clients by their registration attempts.

104 client_id_ = base::GenerateGUID();

105 } else {

106 client_id_ = client_id;

107 }

108	128

109 policy_fetch_request_job_.reset(	129 policy_fetch_request_job_.reset(

110 service_->CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION,	130 service_->CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION,

111 GetRequestContext()));	131 GetRequestContext()));

112 policy_fetch_request_job_->SetOAuthToken(auth_token);	132 policy_fetch_request_job_->SetOAuthToken(auth_token);

113 policy_fetch_request_job_->SetClientID(client_id_);	133 policy_fetch_request_job_->SetClientID(client_id_);

114	134

115 em::DeviceRegisterRequest* request =	135 em::DeviceRegisterRequest* request =

116 policy_fetch_request_job_->GetRequest()->mutable_register_request();	136 policy_fetch_request_job_->GetRequest()->mutable_register_request();

117 if (!client_id.empty())	137 if (!client_id.empty())

(...skipping 10 matching lines...) Expand all Loading...
128 request->set_flavor(flavor);	148 request->set_flavor(flavor);

129	149

130 policy_fetch_request_job_->SetRetryCallback(	150 policy_fetch_request_job_->SetRetryCallback(

131 base::Bind(&CloudPolicyClient::OnRetryRegister, base::Unretained(this)));	151 base::Bind(&CloudPolicyClient::OnRetryRegister, base::Unretained(this)));

132	152

133 policy_fetch_request_job_->Start(	153 policy_fetch_request_job_->Start(

134 base::Bind(&CloudPolicyClient::OnRegisterCompleted,	154 base::Bind(&CloudPolicyClient::OnRegisterCompleted,

135 base::Unretained(this)));	155 base::Unretained(this)));

136 }	156 }

137	157

	158 void CloudPolicyClient::RegisterWithCertificate(

	159 em::DeviceRegisterRequest::Type type,

	160 em::DeviceRegisterRequest::Flavor flavor,

	161 const std::string& pem_certificate_chain,

	162 const std::string& client_id,

	163 const std::string& requisition,

	164 const std::string& current_state_key) {

	165 DCHECK(signing_service_);

	166 DCHECK(service_);

	167 DCHECK(!pem_certificate_chain.empty());

	168 DCHECK(!is_registered());

	169

	170 SetClientId(client_id);

	171

	172 em::CertificateBasedDeviceRegistrationData data;

	173 data.set_certificate_type(em::CertificateBasedDeviceRegistrationData::

	174 ENTERPRISE_ENROLLMENT_CERTIFICATE);

	175 data.set_device_certificate(pem_certificate_chain);

	176

	177 em::DeviceRegisterRequest* request = data.mutable_device_register_request();

	178 if (!client_id.empty())

	179 request->set_reregister(true);

	180 request->set_type(type);

	181 if (!machine_id_.empty())

	182 request->set_machine_id(machine_id_);

	183 if (!machine_model_.empty())

	184 request->set_machine_model(machine_model_);

	185 if (!requisition.empty())

	186 request->set_requisition(requisition);

	187 if (!current_state_key.empty())

	188 request->set_server_backed_state_key(current_state_key);

	189 request->set_flavor(flavor);

	190

	191 signing_service_->SignData(data.SerializeAsString(),

	192 base::Bind(&CloudPolicyClient::OnRegisterWithCertificateRequestSigned,

	193 base::Unretained(this)));
	achuithb 2016/08/23 18:40:28 Why base::Unretained? Couldn't you use a weak ptr Why base::Unretained? Couldn't you use a weak ptr instead? Here and elsewhere The one and only Dr. Crash 2016/08/24 05:53:44 Again, that's me matching the style of the file. Show quoted text On 2016/08/23 18:40:28, achuithb wrote: > Why base::Unretained? Couldn't you use a weak ptr instead? Here and elsewhere Again, that's me matching the style of the file. achuithb 2016/08/24 06:05:36 Could you please switch to using weak_ptr_factory? Show quoted text On 2016/08/24 05:53:44, The one and only Dr. Crash wrote: > On 2016/08/23 18:40:28, achuithb wrote: > > Why base::Unretained? Couldn't you use a weak ptr instead? Here and elsewhere > > Again, that's me matching the style of the file. Could you please switch to using weak_ptr_factory? base::Unretained can cause access to freed memory during shutdown which is a security problem. The one and only Dr. Crash 2016/08/24 08:19:16 Sure. Show quoted text On 2016/08/24 06:05:36, achuithb wrote: > On 2016/08/24 05:53:44, The one and only Dr. Crash wrote: > > On 2016/08/23 18:40:28, achuithb wrote: > > > Why base::Unretained? Couldn't you use a weak ptr instead? Here and > elsewhere > > > > Again, that's me matching the style of the file. > > Could you please switch to using weak_ptr_factory? base::Unretained can cause > access to freed memory during shutdown which is a security problem. Sure.
	194 }

	195

	196 void CloudPolicyClient::OnRegisterWithCertificateRequestSigned(bool success,

	197 em::SignedData signed_data) {

	198 if (!success) {

	199 em::DeviceManagementResponse response;
	achuithb 2016/08/23 18:40:28 const const The one and only Dr. Crash 2016/08/24 05:53:44 Done. Show quoted text On 2016/08/23 18:40:28, achuithb wrote: > const Done.
	200 OnRegisterCompleted(DM_STATUS_CANNOT_SIGN_REQUEST, 0, response);

	201 return;

	202 }

	203 policy_fetch_request_job_.reset(
	achuithb 2016/08/23 18:40:28 newline before this newline before this The one and only Dr. Crash 2016/08/24 05:53:44 Done. Show quoted text On 2016/08/23 18:40:28, achuithb wrote: > newline before this Done.
	204 service_->CreateJob(

	205 DeviceManagementRequestJob::TYPE_CERT_BASED_REGISTRATION,

	206 GetRequestContext()));

	207 policy_fetch_request_job_->SetClientID(client_id_);

	208 em::SignedData* signed_request = policy_fetch_request_job_->GetRequest()->

	209 mutable_cert_based_register_request()->mutable_signed_request();

	210 signed_request->set_data(signed_data.data());

	211 signed_request->set_signature(signed_data.signature());

	212 signed_request->set_extra_data_bytes(signed_data.extra_data_bytes());

	213 policy_fetch_request_job_->SetRetryCallback(

	214 base::Bind(&CloudPolicyClient::OnRetryRegister,

	215 base::Unretained(this)));

	216 policy_fetch_request_job_->Start(

	217 base::Bind(&CloudPolicyClient::OnRegisterCompleted,

	218 base::Unretained(this)));

	219 }

	220

138 void CloudPolicyClient::SetInvalidationInfo(int64_t version,	221 void CloudPolicyClient::SetInvalidationInfo(int64_t version,

139 const std::string& payload) {	222 const std::string& payload) {

140 invalidation_version_ = version;	223 invalidation_version_ = version;

141 invalidation_payload_ = payload;	224 invalidation_payload_ = payload;

142 }	225 }

143	226

144 void CloudPolicyClient::FetchPolicy() {	227 void CloudPolicyClient::FetchPolicy() {

145 CHECK(is_registered());	228 CHECK(is_registered());

146 CHECK(!types_to_fetch_.empty());	229 CHECK(!types_to_fetch_.empty());

147	230

(...skipping 569 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
717	800

718 void CloudPolicyClient::NotifyRobotAuthCodesFetched() {	801 void CloudPolicyClient::NotifyRobotAuthCodesFetched() {

719 FOR_EACH_OBSERVER(Observer, observers_, OnRobotAuthCodesFetched(this));	802 FOR_EACH_OBSERVER(Observer, observers_, OnRobotAuthCodesFetched(this));

720 }	803 }

721	804

722 void CloudPolicyClient::NotifyClientError() {	805 void CloudPolicyClient::NotifyClientError() {

723 FOR_EACH_OBSERVER(Observer, observers_, OnClientError(this));	806 FOR_EACH_OBSERVER(Observer, observers_, OnClientError(this));

724 }	807 }

725	808

726 } // namespace policy	809 } // namespace policy

OLD	NEW