| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h" | 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| 11 #include "base/callback.h" | 11 #include "base/callback.h" |
| 12 #include "base/logging.h" | 12 #include "base/logging.h" |
| 13 #include "base/memory/ptr_util.h" | 13 #include "base/memory/ptr_util.h" |
| 14 #include "base/sequenced_task_runner.h" | 14 #include "base/sequenced_task_runner.h" |
| 15 #include "base/values.h" | 15 #include "base/values.h" |
| 16 #include "chrome/browser/browser_process.h" | 16 #include "chrome/browser/browser_process.h" |
| 17 #include "chrome/browser/chromeos/attestation/attestation_ca_client.h" |
| 18 #include "chrome/browser/chromeos/attestation/attestation_signed_data.pb.h" |
| 17 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" | 19 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" |
| 18 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" | 20 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" |
| 19 #include "chrome/browser/chromeos/policy/device_status_collector.h" | 21 #include "chrome/browser/chromeos/policy/device_status_collector.h" |
| 20 #include "chrome/browser/chromeos/policy/enrollment_config.h" | 22 #include "chrome/browser/chromeos/policy/enrollment_config.h" |
| 21 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" | 23 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" |
| 22 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h" | 24 #include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h" |
| 23 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" | 25 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" |
| 24 #include "chrome/browser/chromeos/policy/server_backed_device_state.h" | 26 #include "chrome/browser/chromeos/policy/server_backed_device_state.h" |
| 25 #include "chrome/common/chrome_content_client.h" | 27 #include "chrome/common/chrome_content_client.h" |
| 26 #include "chrome/common/pref_names.h" | 28 #include "chrome/common/pref_names.h" |
| 29 #include "chromeos/attestation/attestation_flow.h" |
| 27 #include "chromeos/chromeos_switches.h" | 30 #include "chromeos/chromeos_switches.h" |
| 31 #include "chromeos/cryptohome/async_method_caller.h" |
| 32 #include "chromeos/cryptohome/cryptohome_parameters.h" |
| 33 #include "chromeos/dbus/dbus_thread_manager.h" |
| 28 #include "chromeos/system/statistics_provider.h" | 34 #include "chromeos/system/statistics_provider.h" |
| 29 #include "components/policy/core/common/cloud/cloud_policy_core.h" | 35 #include "components/policy/core/common/cloud/cloud_policy_core.h" |
| 30 #include "components/policy/core/common/cloud/device_management_service.h" | 36 #include "components/policy/core/common/cloud/device_management_service.h" |
| 31 #include "components/prefs/pref_service.h" | 37 #include "components/prefs/pref_service.h" |
| 32 #include "net/url_request/url_request_context_getter.h" | 38 #include "net/url_request/url_request_context_getter.h" |
| 33 | 39 |
| 34 namespace policy { | 40 namespace policy { |
| 35 | 41 |
| 36 namespace { | 42 namespace { |
| 37 | 43 |
| (...skipping 13 matching lines...) Expand all Loading... |
| 51 | 57 |
| 52 DeviceCloudPolicyInitializer::DeviceCloudPolicyInitializer( | 58 DeviceCloudPolicyInitializer::DeviceCloudPolicyInitializer( |
| 53 PrefService* local_state, | 59 PrefService* local_state, |
| 54 DeviceManagementService* enterprise_service, | 60 DeviceManagementService* enterprise_service, |
| 55 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, | 61 const scoped_refptr<base::SequencedTaskRunner>& background_task_runner, |
| 56 EnterpriseInstallAttributes* install_attributes, | 62 EnterpriseInstallAttributes* install_attributes, |
| 57 ServerBackedStateKeysBroker* state_keys_broker, | 63 ServerBackedStateKeysBroker* state_keys_broker, |
| 58 DeviceCloudPolicyStoreChromeOS* device_store, | 64 DeviceCloudPolicyStoreChromeOS* device_store, |
| 59 DeviceCloudPolicyManagerChromeOS* manager, | 65 DeviceCloudPolicyManagerChromeOS* manager, |
| 60 cryptohome::AsyncMethodCaller* async_method_caller, | 66 cryptohome::AsyncMethodCaller* async_method_caller, |
| 61 chromeos::CryptohomeClient* cryptohome_client) | 67 std::unique_ptr<chromeos::attestation::AttestationFlow> attestation_flow) |
| 62 : local_state_(local_state), | 68 : local_state_(local_state), |
| 63 enterprise_service_(enterprise_service), | 69 enterprise_service_(enterprise_service), |
| 64 background_task_runner_(background_task_runner), | 70 background_task_runner_(background_task_runner), |
| 65 install_attributes_(install_attributes), | 71 install_attributes_(install_attributes), |
| 66 state_keys_broker_(state_keys_broker), | 72 state_keys_broker_(state_keys_broker), |
| 67 device_store_(device_store), | 73 device_store_(device_store), |
| 68 manager_(manager), | 74 manager_(manager), |
| 69 async_method_caller_(async_method_caller), | 75 attestation_flow_(std::move(attestation_flow)), |
| 70 cryptohome_client_(cryptohome_client), | 76 signing_service_(async_method_caller) {} |
| 71 is_initialized_(false) {} | |
| 72 | 77 |
| 73 DeviceCloudPolicyInitializer::~DeviceCloudPolicyInitializer() { | 78 DeviceCloudPolicyInitializer::~DeviceCloudPolicyInitializer() { |
| 74 DCHECK(!is_initialized_); | 79 DCHECK(!is_initialized_); |
| 75 } | 80 } |
| 76 | 81 |
| 77 void DeviceCloudPolicyInitializer::Init() { | 82 void DeviceCloudPolicyInitializer::Init() { |
| 78 DCHECK(!is_initialized_); | 83 DCHECK(!is_initialized_); |
| 79 | 84 |
| 80 is_initialized_ = true; | 85 is_initialized_ = true; |
| 81 device_store_->AddObserver(this); | 86 device_store_->AddObserver(this); |
| (...skipping 18 matching lines...) Expand all Loading... |
| 100 const EnrollmentConfig& enrollment_config, | 105 const EnrollmentConfig& enrollment_config, |
| 101 const std::string& auth_token, | 106 const std::string& auth_token, |
| 102 const AllowedDeviceModes& allowed_device_modes, | 107 const AllowedDeviceModes& allowed_device_modes, |
| 103 const EnrollmentCallback& enrollment_callback) { | 108 const EnrollmentCallback& enrollment_callback) { |
| 104 DCHECK(is_initialized_); | 109 DCHECK(is_initialized_); |
| 105 DCHECK(!enrollment_handler_); | 110 DCHECK(!enrollment_handler_); |
| 106 | 111 |
| 107 manager_->core()->Disconnect(); | 112 manager_->core()->Disconnect(); |
| 108 enrollment_handler_.reset(new EnrollmentHandlerChromeOS( | 113 enrollment_handler_.reset(new EnrollmentHandlerChromeOS( |
| 109 device_store_, install_attributes_, state_keys_broker_, | 114 device_store_, install_attributes_, state_keys_broker_, |
| 110 async_method_caller_, cryptohome_client_, | 115 attestation_flow_.get(), CreateClient(device_management_service), |
| 111 CreateClient(device_management_service), background_task_runner_, | 116 background_task_runner_, enrollment_config, auth_token, |
| 112 enrollment_config, auth_token, install_attributes_->GetDeviceId(), | 117 install_attributes_->GetDeviceId(), manager_->GetDeviceRequisition(), |
| 113 manager_->GetDeviceRequisition(), allowed_device_modes, | 118 allowed_device_modes, |
| 114 base::Bind(&DeviceCloudPolicyInitializer::EnrollmentCompleted, | 119 base::Bind(&DeviceCloudPolicyInitializer::EnrollmentCompleted, |
| 115 base::Unretained(this), enrollment_callback))); | 120 base::Unretained(this), enrollment_callback))); |
| 116 enrollment_handler_->StartEnrollment(); | 121 enrollment_handler_->StartEnrollment(); |
| 117 } | 122 } |
| 118 | 123 |
| 119 EnrollmentConfig DeviceCloudPolicyInitializer::GetPrescribedEnrollmentConfig() | 124 EnrollmentConfig DeviceCloudPolicyInitializer::GetPrescribedEnrollmentConfig() |
| 120 const { | 125 const { |
| 121 EnrollmentConfig config; | 126 EnrollmentConfig config; |
| 122 | 127 |
| 123 // Authentication through the attestation mechanism is controlled by a | 128 // Authentication through the attestation mechanism is controlled by a |
| (...skipping 121 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 245 if (!enrollment_callback.is_null()) | 250 if (!enrollment_callback.is_null()) |
| 246 enrollment_callback.Run(status); | 251 enrollment_callback.Run(status); |
| 247 } | 252 } |
| 248 | 253 |
| 249 std::unique_ptr<CloudPolicyClient> DeviceCloudPolicyInitializer::CreateClient( | 254 std::unique_ptr<CloudPolicyClient> DeviceCloudPolicyInitializer::CreateClient( |
| 250 DeviceManagementService* device_management_service) { | 255 DeviceManagementService* device_management_service) { |
| 251 return base::MakeUnique<CloudPolicyClient>( | 256 return base::MakeUnique<CloudPolicyClient>( |
| 252 DeviceCloudPolicyManagerChromeOS::GetMachineID(), | 257 DeviceCloudPolicyManagerChromeOS::GetMachineID(), |
| 253 DeviceCloudPolicyManagerChromeOS::GetMachineModel(), | 258 DeviceCloudPolicyManagerChromeOS::GetMachineModel(), |
| 254 kPolicyVerificationKeyHash, device_management_service, | 259 kPolicyVerificationKeyHash, device_management_service, |
| 255 g_browser_process->system_request_context(), | 260 g_browser_process->system_request_context(), &signing_service_); |
| 256 nullptr /* signing_service */); | |
| 257 } | 261 } |
| 258 | 262 |
| 259 void DeviceCloudPolicyInitializer::TryToCreateClient() { | 263 void DeviceCloudPolicyInitializer::TryToCreateClient() { |
| 260 if (!device_store_->is_initialized() || | 264 if (!device_store_->is_initialized() || |
| 261 !device_store_->has_policy() || | 265 !device_store_->has_policy() || |
| 262 state_keys_broker_->pending() || | 266 state_keys_broker_->pending() || |
| 263 enrollment_handler_) { | 267 enrollment_handler_) { |
| 264 return; | 268 return; |
| 265 } | 269 } |
| 266 StartConnection(CreateClient(enterprise_service_)); | 270 StartConnection(CreateClient(enterprise_service_)); |
| 267 } | 271 } |
| 268 | 272 |
| 269 void DeviceCloudPolicyInitializer::StartConnection( | 273 void DeviceCloudPolicyInitializer::StartConnection( |
| 270 std::unique_ptr<CloudPolicyClient> client) { | 274 std::unique_ptr<CloudPolicyClient> client) { |
| 271 if (!manager_->core()->service()) | 275 if (!manager_->core()->service()) |
| 272 manager_->StartConnection(std::move(client), install_attributes_); | 276 manager_->StartConnection(std::move(client), install_attributes_); |
| 273 } | 277 } |
| 274 | 278 |
| 279 DeviceCloudPolicyInitializer::TpmEnrollmentKeySigningService:: |
| 280 TpmEnrollmentKeySigningService( |
| 281 cryptohome::AsyncMethodCaller* async_method_caller) |
| 282 : async_method_caller_(async_method_caller), weak_ptr_factory_(this) {} |
| 283 |
| 284 DeviceCloudPolicyInitializer::TpmEnrollmentKeySigningService:: |
| 285 ~TpmEnrollmentKeySigningService() {} |
| 286 |
| 287 void DeviceCloudPolicyInitializer::TpmEnrollmentKeySigningService::SignData( |
| 288 const std::string& data, |
| 289 const SigningCallback& callback) { |
| 290 const chromeos::attestation::AttestationCertificateProfile cert_profile = |
| 291 chromeos::attestation::PROFILE_ENTERPRISE_ENROLLMENT_CERTIFICATE; |
| 292 const cryptohome::Identification identification; |
| 293 async_method_caller_->TpmAttestationSignSimpleChallenge( |
| 294 chromeos::attestation::AttestationFlow::GetKeyTypeForProfile( |
| 295 cert_profile), |
| 296 identification, |
| 297 chromeos::attestation::AttestationFlow::GetKeyNameForProfile(cert_profile, |
| 298 ""), |
| 299 data, base::Bind(&DeviceCloudPolicyInitializer:: |
| 300 TpmEnrollmentKeySigningService::OnDataSigned, |
| 301 weak_ptr_factory_.GetWeakPtr(), data, callback)); |
| 302 } |
| 303 |
| 304 void DeviceCloudPolicyInitializer::TpmEnrollmentKeySigningService::OnDataSigned( |
| 305 const std::string& data, |
| 306 const SigningCallback& callback, |
| 307 bool success, |
| 308 const std::string& signed_data) { |
| 309 enterprise_management::SignedData em_signed_data; |
| 310 chromeos::attestation::SignedData att_signed_data; |
| 311 if (success && (success = att_signed_data.ParseFromString(signed_data))) { |
| 312 em_signed_data.set_data(att_signed_data.data()); |
| 313 em_signed_data.set_signature(att_signed_data.signature()); |
| 314 em_signed_data.set_extra_data_bytes(att_signed_data.data().size() - |
| 315 data.size()); |
| 316 } |
| 317 callback.Run(success, em_signed_data); |
| 318 } |
| 319 |
| 275 } // namespace policy | 320 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2276593004:
Device registration using an enrollment certificate from the PCA. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master