Chromium Code Reviews Chromium Code Reviews
Issue 2403053003:
Remove unused email from install attributes and add support for AD. (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/settings/install_attributes.h" | 5 #include "chrome/browser/chromeos/settings/install_attributes.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include <utility> | 9 #include <utility> |
| 10 | 10 |
| 11 #include "base/bind.h" | 11 #include "base/bind.h" |
| 12 #include "base/files/file_util.h" | 12 #include "base/files/file_util.h" |
| 13 #include "base/location.h" | 13 #include "base/location.h" |
| 14 #include "base/logging.h" | 14 #include "base/logging.h" |
| 15 #include "base/macros.h" | 15 #include "base/macros.h" |
| 16 #include "base/metrics/histogram_base.h" | 16 #include "base/metrics/histogram_base.h" |
| 17 #include "base/metrics/histogram_macros.h" | 17 #include "base/metrics/histogram_macros.h" |
| 18 #include "base/single_thread_task_runner.h" | 18 #include "base/single_thread_task_runner.h" |
| 19 #include "base/threading/thread_task_runner_handle.h" | 19 #include "base/threading/thread_task_runner_handle.h" |
| 20 #include "base/time/time.h" | 20 #include "base/time/time.h" |
| 21 #include "chrome/browser/chromeos/policy/proto/install_attributes.pb.h" | 21 #include "chrome/browser/chromeos/policy/proto/install_attributes.pb.h" |
| 22 #include "chromeos/cryptohome/cryptohome_util.h" | 22 #include "chromeos/cryptohome/cryptohome_util.h" |
| 23 #include "chromeos/dbus/dbus_thread_manager.h" | 23 #include "chromeos/dbus/dbus_thread_manager.h" |
| 24 #include "google_apis/gaia/gaia_auth_util.h" | 24 #include "google_apis/gaia/gaia_auth_util.h" |
| 25 | 25 |
| 26 namespace chromeos { | 26 namespace chromeos { |
| 27 | 27 |
| 28 namespace cu = cryptohome_util; | |
| 29 | |
| 28 namespace { | 30 namespace { |
| 29 | 31 |
| 30 // Number of TPM lock state query retries during consistency check. | 32 // Number of TPM lock state query retries during consistency check. |
| 31 int kDbusRetryCount = 12; | 33 int kDbusRetryCount = 12; |
| 32 | 34 |
| 33 // Interval of TPM lock state query retries during consistency check. | 35 // Interval of TPM lock state query retries during consistency check. |
| 34 int kDbusRetryIntervalInSeconds = 5; | 36 int kDbusRetryIntervalInSeconds = 5; |
| 35 | 37 |
| 36 bool ReadMapKey(const std::map<std::string, std::string>& map, | 38 std::string ReadMapKey(const std::map<std::string, std::string>& map, |
| 37 const std::string& key, | 39 const std::string& key) { |
| 38 std::string* value) { | |
| 39 std::map<std::string, std::string>::const_iterator entry = map.find(key); | 40 std::map<std::string, std::string>::const_iterator entry = map.find(key); |
| 40 if (entry == map.end()) | 41 if (entry != map.end()) { |
| 41 return false; | 42 return entry->second; |
| 43 } | |
| 44 return std::string(); | |
| 45 } | |
| 42 | 46 |
| 43 *value = entry->second; | 47 void WarnIfNonempty(const std::map<std::string, std::string>& map, |
| 44 return true; | 48 const std::string& key) { |
| 49 if (!ReadMapKey(map, key).empty()) { | |
| 50 LOG(WARNING) << key << " expected to be empty."; | |
| 51 } | |
| 45 } | 52 } |
| 46 | 53 |
| 47 } // namespace | 54 } // namespace |
| 48 | 55 |
| 49 // static | 56 // static |
| 50 std::string | 57 std::string |
| 51 InstallAttributes::GetEnterpriseOwnedInstallAttributesBlobForTesting( | 58 InstallAttributes::GetEnterpriseOwnedInstallAttributesBlobForTesting( |
| 52 const std::string& user_name) { | 59 const std::string& user_name) { |
| 53 cryptohome::SerializedInstallAttributes install_attrs_proto; | 60 cryptohome::SerializedInstallAttributes install_attrs_proto; |
| 54 cryptohome::SerializedInstallAttributes::Attribute* attribute = nullptr; | 61 cryptohome::SerializedInstallAttributes::Attribute* attribute = nullptr; |
| 55 | 62 |
| 56 attribute = install_attrs_proto.add_attributes(); | 63 attribute = install_attrs_proto.add_attributes(); |
| 57 attribute->set_name(InstallAttributes::kAttrEnterpriseOwned); | 64 attribute->set_name(InstallAttributes::kAttrEnterpriseOwned); |
| 58 attribute->set_value("true"); | 65 attribute->set_value("true"); |
| 59 | 66 |
| 60 attribute = install_attrs_proto.add_attributes(); | 67 attribute = install_attrs_proto.add_attributes(); |
| 61 attribute->set_name(InstallAttributes::kAttrEnterpriseUser); | 68 attribute->set_name(InstallAttributes::kAttrEnterpriseUser); |
| 62 attribute->set_value(user_name); | 69 attribute->set_value(user_name); |
| 63 | 70 |
| 64 return install_attrs_proto.SerializeAsString(); | 71 return install_attrs_proto.SerializeAsString(); |
| 65 } | 72 } |
| 66 | 73 |
| 67 InstallAttributes::InstallAttributes(CryptohomeClient* cryptohome_client) | 74 InstallAttributes::InstallAttributes(CryptohomeClient* cryptohome_client) |
| 68 : device_locked_(false), | 75 : cryptohome_client_(cryptohome_client), |
| 69 consistency_check_running_(false), | |
| 70 device_lock_running_(false), | |
| 71 registration_mode_(policy::DEVICE_MODE_PENDING), | |
| 72 cryptohome_client_(cryptohome_client), | |
| 73 weak_ptr_factory_(this) { | 76 weak_ptr_factory_(this) { |
| 74 } | 77 } |
| 75 | 78 |
| 76 InstallAttributes::~InstallAttributes() {} | 79 InstallAttributes::~InstallAttributes() {} |
| 77 | 80 |
| 78 void InstallAttributes::Init(const base::FilePath& cache_file) { | 81 void InstallAttributes::Init(const base::FilePath& cache_file) { |
| 79 DCHECK(!device_locked_); | 82 DCHECK(!device_locked_); |
| 80 | 83 |
| 81 // Mark the consistency check as running to ensure that LockDevice() is | 84 // Mark the consistency check as running to ensure that LockDevice() is |
| 82 // blocked, but wait for the cryptohome service to be available before | 85 // blocked, but wait for the cryptohome service to be available before |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 103 LOG(ERROR) << "Failed to parse install attributes cache."; | 106 LOG(ERROR) << "Failed to parse install attributes cache."; |
| 104 return; | 107 return; |
| 105 } | 108 } |
| 106 | 109 |
| 107 google::protobuf::RepeatedPtrField< | 110 google::protobuf::RepeatedPtrField< |
| 108 const cryptohome::SerializedInstallAttributes::Attribute>::iterator entry; | 111 const cryptohome::SerializedInstallAttributes::Attribute>::iterator entry; |
| 109 std::map<std::string, std::string> attr_map; | 112 std::map<std::string, std::string> attr_map; |
| 110 for (entry = install_attrs_proto.attributes().begin(); | 113 for (entry = install_attrs_proto.attributes().begin(); |
| 111 entry != install_attrs_proto.attributes().end(); | 114 entry != install_attrs_proto.attributes().end(); |
| 112 ++entry) { | 115 ++entry) { |
| 113 // The protobuf values unfortunately contain terminating null characters, so | 116 // The protobuf values contain terminating null characters, so we have to |
| 114 // we have to sanitize the value here. | 117 // sanitize the value here. |
| 115 attr_map.insert(std::make_pair(entry->name(), | 118 attr_map.insert(std::make_pair(entry->name(), |
| 116 std::string(entry->value().c_str()))); | 119 std::string(entry->value().c_str()))); |
| 117 } | 120 } |
| 118 | 121 |
| 119 DecodeInstallAttributes(attr_map); | 122 DecodeInstallAttributes(attr_map); |
| 120 } | 123 } |
| 121 | 124 |
| 122 void InstallAttributes::ReadImmutableAttributes(const base::Closure& callback) { | 125 void InstallAttributes::ReadImmutableAttributes(const base::Closure& callback) { |
| 123 if (device_locked_) { | 126 if (device_locked_) { |
| 124 callback.Run(); | 127 callback.Run(); |
| 125 return; | 128 return; |
| 126 } | 129 } |
| 127 | 130 |
| 128 cryptohome_client_->InstallAttributesIsReady( | 131 cryptohome_client_->InstallAttributesIsReady( |
| 129 base::Bind(&InstallAttributes::ReadAttributesIfReady, | 132 base::Bind(&InstallAttributes::ReadAttributesIfReady, |
| 130 weak_ptr_factory_.GetWeakPtr(), callback)); | 133 weak_ptr_factory_.GetWeakPtr(), callback)); |
| 131 } | 134 } |
| 132 | 135 |
| 133 void InstallAttributes::ReadAttributesIfReady(const base::Closure& callback, | 136 void InstallAttributes::ReadAttributesIfReady(const base::Closure& callback, |
| 134 DBusMethodCallStatus call_status, | 137 DBusMethodCallStatus call_status, |
| 135 bool result) { | 138 bool result) { |
| 136 if (call_status == DBUS_METHOD_CALL_SUCCESS && result) { | 139 if (call_status == DBUS_METHOD_CALL_SUCCESS && result) { |
| 137 registration_mode_ = policy::DEVICE_MODE_NOT_SET; | 140 registration_mode_ = policy::DEVICE_MODE_NOT_SET; |
| 138 if (!cryptohome_util::InstallAttributesIsInvalid() && | 141 if (!cu::InstallAttributesIsInvalid() && |
| 139 !cryptohome_util::InstallAttributesIsFirstInstall()) { | 142 !cu::InstallAttributesIsFirstInstall()) { |
| 140 device_locked_ = true; | 143 device_locked_ = true; |
| 141 | 144 |
| 142 static const char* const kEnterpriseAttributes[] = { | 145 static const char* const kEnterpriseAttributes[] = { |
| 143 kAttrEnterpriseDeviceId, | 146 kAttrEnterpriseDeviceId, |
| 144 kAttrEnterpriseDomain, | 147 kAttrEnterpriseDomain, |
| 148 kAttrEnterpriseRealm, | |
| 145 kAttrEnterpriseMode, | 149 kAttrEnterpriseMode, |
| 146 kAttrEnterpriseOwned, | 150 kAttrEnterpriseOwned, |
| 147 kAttrEnterpriseUser, | 151 kAttrEnterpriseUser, |
| 148 kAttrConsumerKioskEnabled, | 152 kAttrConsumerKioskEnabled, |
| 149 }; | 153 }; |
| 150 std::map<std::string, std::string> attr_map; | 154 std::map<std::string, std::string> attr_map; |
| 151 for (size_t i = 0; i < arraysize(kEnterpriseAttributes); ++i) { | 155 for (size_t i = 0; i < arraysize(kEnterpriseAttributes); ++i) { |
| 152 std::string value; | 156 std::string value; |
| 153 if (cryptohome_util::InstallAttributesGet(kEnterpriseAttributes[i], | 157 if (cu::InstallAttributesGet(kEnterpriseAttributes[i], &value)) |
| 154 &value)) | |
| 155 attr_map[kEnterpriseAttributes[i]] = value; | 158 attr_map[kEnterpriseAttributes[i]] = value; |
| 156 } | 159 } |
| 157 | 160 |
| 158 DecodeInstallAttributes(attr_map); | 161 DecodeInstallAttributes(attr_map); |
| 159 } | 162 } |
| 160 } | 163 } |
| 161 callback.Run(); | 164 callback.Run(); |
| 162 } | 165 } |
| 163 | 166 |
| 164 void InstallAttributes::LockDevice(const std::string& user, | 167 void InstallAttributes::LockDevice(policy::DeviceMode device_mode, |
| 165 policy::DeviceMode device_mode, | 168 const std::string& domain, |
| 169 const std::string& realm, | |
| 166 const std::string& device_id, | 170 const std::string& device_id, |
| 167 const LockResultCallback& callback) { | 171 const LockResultCallback& callback) { |
| 172 CHECK((device_mode == policy::DEVICE_MODE_ENTERPRISE && | |
| 173 !domain.empty() && realm.empty() && !device_id.empty()) || | |
| 174 (device_mode == policy::DEVICE_MODE_ENTERPRISE_AD && | |
| 175 domain.empty() && !realm.empty() && !device_id.empty()) || | |
| 176 (device_mode == policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH && | |
| 177 domain.empty() && realm.empty() && device_id.empty())); | |
| 168 DCHECK(!callback.is_null()); | 178 DCHECK(!callback.is_null()); |
| 169 CHECK_EQ(device_lock_running_, false); | 179 CHECK_EQ(device_lock_running_, false); |
| 170 CHECK_NE(device_mode, policy::DEVICE_MODE_PENDING); | |
| 171 CHECK_NE(device_mode, policy::DEVICE_MODE_NOT_SET); | |
| 172 | 180 |
| 173 // Check for existing lock first. | 181 // Check for existing lock first. |
| 174 if (device_locked_) { | 182 if (device_locked_) { |
| 175 if (device_mode != registration_mode_) { | 183 if (device_mode != registration_mode_) { |
| 184 LOG(ERROR) << "Trying to re-lock with wrong mode."; | |
| 176 callback.Run(LOCK_WRONG_MODE); | 185 callback.Run(LOCK_WRONG_MODE); |
| 177 return; | 186 return; |
| 178 } | 187 } |
| 179 | 188 |
| 180 switch (registration_mode_) { | 189 if (domain != registration_domain_ || |
| 181 case policy::DEVICE_MODE_ENTERPRISE: | 190 realm != registration_realm_ || |
| 182 case policy::DEVICE_MODE_LEGACY_RETAIL_MODE: { | 191 device_id != registration_device_id_) { |
| 183 // Check domain match for enterprise devices. | 192 LOG(ERROR) << "Trying to re-lock with non-matching parameters."; |
| 184 std::string domain = gaia::ExtractDomainName(user); | 193 callback.Run(LOCK_WRONG_DOMAIN); |
| 185 if (registration_domain_.empty() || domain != registration_domain_) { | 194 return; |
| 186 callback.Run(LOCK_WRONG_DOMAIN); | |
| 187 return; | |
| 188 } | |
| 189 break; | |
| 190 } | |
| 191 case policy::DEVICE_MODE_NOT_SET: | |
| 192 case policy::DEVICE_MODE_PENDING: | |
| 193 // This case can't happen due to the CHECK_NE asserts above. | |
| 194 NOTREACHED(); | |
| 195 break; | |
| 196 case policy::DEVICE_MODE_CONSUMER: | |
| 197 case policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH: | |
| 198 // The user parameter is ignored for consumer devices. | |
| 199 break; | |
| 200 } | 195 } |
| 201 | 196 |
| 202 // Already locked in the right mode, signal success. | 197 // Already locked in the right mode, signal success. |
| 203 callback.Run(LOCK_SUCCESS); | 198 callback.Run(LOCK_SUCCESS); |
| 204 return; | 199 return; |
| 205 } | 200 } |
| 206 | 201 |
| 207 // In case the consistency check is still running, postpone the device locking | 202 // In case the consistency check is still running, postpone the device locking |
| 208 // until it has finished. This should not introduce additional delay since | 203 // until it has finished. This should not introduce additional delay since |
| 209 // device locking must wait for TPM initialization anyways. | 204 // device locking must wait for TPM initialization anyways. |
| 210 if (consistency_check_running_) { | 205 if (consistency_check_running_) { |
| 211 CHECK(post_check_action_.is_null()); | 206 CHECK(post_check_action_.is_null()); |
| 212 post_check_action_ = base::Bind(&InstallAttributes::LockDevice, | 207 post_check_action_ = base::Bind(&InstallAttributes::LockDevice, |
| 213 weak_ptr_factory_.GetWeakPtr(), | 208 weak_ptr_factory_.GetWeakPtr(), |
| 214 user, | |
| 215 device_mode, | 209 device_mode, |
| 210 domain, | |
| 211 realm, | |
| 216 device_id, | 212 device_id, |
| 217 callback); | 213 callback); |
| 218 return; | 214 return; |
| 219 } | 215 } |
| 220 | 216 |
| 221 device_lock_running_ = true; | 217 device_lock_running_ = true; |
| 222 cryptohome_client_->InstallAttributesIsReady( | 218 cryptohome_client_->InstallAttributesIsReady( |
| 223 base::Bind(&InstallAttributes::LockDeviceIfAttributesIsReady, | 219 base::Bind(&InstallAttributes::LockDeviceIfAttributesIsReady, |
| 224 weak_ptr_factory_.GetWeakPtr(), | 220 weak_ptr_factory_.GetWeakPtr(), |
| 225 user, | |
| 226 device_mode, | 221 device_mode, |
| 222 domain, | |
| 223 realm, | |
| 227 device_id, | 224 device_id, |
| 228 callback)); | 225 callback)); |
| 229 } | 226 } |
| 230 | 227 |
| 231 void InstallAttributes::LockDeviceIfAttributesIsReady( | 228 void InstallAttributes::LockDeviceIfAttributesIsReady( |
| 232 const std::string& user, | |
| 233 policy::DeviceMode device_mode, | 229 policy::DeviceMode device_mode, |
| 230 const std::string& domain, | |
| 231 const std::string& realm, | |
| 234 const std::string& device_id, | 232 const std::string& device_id, |
| 235 const LockResultCallback& callback, | 233 const LockResultCallback& callback, |
| 236 DBusMethodCallStatus call_status, | 234 DBusMethodCallStatus call_status, |
| 237 bool result) { | 235 bool result) { |
| 238 if (call_status != DBUS_METHOD_CALL_SUCCESS || !result) { | 236 if (call_status != DBUS_METHOD_CALL_SUCCESS || !result) { |
| 239 device_lock_running_ = false; | 237 device_lock_running_ = false; |
| 240 callback.Run(LOCK_NOT_READY); | 238 callback.Run(LOCK_NOT_READY); |
| 241 return; | 239 return; |
| 242 } | 240 } |
| 243 | 241 |
| 244 // Clearing the TPM password seems to be always a good deal. | 242 // Clearing the TPM password seems to be always a good deal. |
| 245 if (cryptohome_util::TpmIsEnabled() && | 243 if (cu::TpmIsEnabled() && !cu::TpmIsBeingOwned() && cu::TpmIsOwned()) { |
| 246 !cryptohome_util::TpmIsBeingOwned() && | |
| 247 cryptohome_util::TpmIsOwned()) { | |
| 248 cryptohome_client_->CallTpmClearStoredPasswordAndBlock(); | 244 cryptohome_client_->CallTpmClearStoredPasswordAndBlock(); |
| 249 } | 245 } |
| 250 | 246 |
| 251 // Make sure we really have a working InstallAttrs. | 247 // Make sure we really have a working InstallAttrs. |
| 252 if (cryptohome_util::InstallAttributesIsInvalid()) { | 248 if (cu::InstallAttributesIsInvalid()) { |
| 253 LOG(ERROR) << "Install attributes invalid."; | 249 LOG(ERROR) << "Install attributes invalid."; |
| 254 device_lock_running_ = false; | 250 device_lock_running_ = false; |
| 255 callback.Run(LOCK_BACKEND_INVALID); | 251 callback.Run(LOCK_BACKEND_INVALID); |
| 256 return; | 252 return; |
| 257 } | 253 } |
| 258 | 254 |
| 259 if (!cryptohome_util::InstallAttributesIsFirstInstall()) { | 255 if (!cu::InstallAttributesIsFirstInstall()) { |
| 260 LOG(ERROR) << "Install attributes already installed."; | 256 LOG(ERROR) << "Install attributes already installed."; |
| 261 device_lock_running_ = false; | 257 device_lock_running_ = false; |
| 262 callback.Run(LOCK_ALREADY_LOCKED); | 258 callback.Run(LOCK_ALREADY_LOCKED); |
| 263 return; | 259 return; |
| 264 } | 260 } |
| 265 | 261 |
| 262 // Set values in the InstallAttrs. | |
| 263 std::string kiosk_enabled, enterprise_owned; | |
| 264 if (device_mode == policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH) { | |
| 265 kiosk_enabled = "true"; | |
| 266 } else { | |
| 267 enterprise_owned = "true"; | |
| 268 } | |
| 266 std::string mode = GetDeviceModeString(device_mode); | 269 std::string mode = GetDeviceModeString(device_mode); |
| 267 std::string registration_user; | 270 if (!cu::InstallAttributesSet(kAttrConsumerKioskEnabled, kiosk_enabled) || |
| 268 if (!user.empty()) | 271 !cu::InstallAttributesSet(kAttrEnterpriseOwned, enterprise_owned) || |
| 269 registration_user = gaia::CanonicalizeEmail(user); | 272 !cu::InstallAttributesSet(kAttrEnterpriseMode, mode) || |
| 270 | 273 !cu::InstallAttributesSet(kAttrEnterpriseDomain, domain) || |
| 271 if (device_mode == policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH) { | 274 !cu::InstallAttributesSet(kAttrEnterpriseRealm, realm) || |
| 272 // Set values in the InstallAttrs and lock it. | 275 !cu::InstallAttributesSet(kAttrEnterpriseDeviceId, device_id)) { |
| 273 if (!cryptohome_util::InstallAttributesSet(kAttrConsumerKioskEnabled, | 276 LOG(ERROR) << "Failed writing attributes."; |
| 274 "true")) { | 277 device_lock_running_ = false; |
| 275 LOG(ERROR) << "Failed writing attributes."; | 278 callback.Run(LOCK_SET_ERROR); |
| 276 device_lock_running_ = false; | 279 return; |
| 277 callback.Run(LOCK_SET_ERROR); | |
| 278 return; | |
| 279 } | |
| 280 } else { | |
| 281 std::string domain = gaia::ExtractDomainName(registration_user); | |
| 282 // Set values in the InstallAttrs and lock it. | |
| 283 if (!cryptohome_util::InstallAttributesSet(kAttrEnterpriseOwned, "true") || | |
| 284 !cryptohome_util::InstallAttributesSet(kAttrEnterpriseUser, | |
| 285 registration_user) || | |
| 286 !cryptohome_util::InstallAttributesSet(kAttrEnterpriseDomain, domain) || | |
| 287 !cryptohome_util::InstallAttributesSet(kAttrEnterpriseMode, mode) || | |
| 288 !cryptohome_util::InstallAttributesSet(kAttrEnterpriseDeviceId, | |
| 289 device_id)) { | |
| 290 LOG(ERROR) << "Failed writing attributes."; | |
| 291 device_lock_running_ = false; | |
| 292 callback.Run(LOCK_SET_ERROR); | |
| 293 return; | |
| 294 } | |
| 295 } | 280 } |
| 296 | 281 |
| 297 if (!cryptohome_util::InstallAttributesFinalize() || | 282 if (!cu::InstallAttributesFinalize() || |
| 298 cryptohome_util::InstallAttributesIsFirstInstall()) { | 283 cu::InstallAttributesIsFirstInstall()) { |
| 299 LOG(ERROR) << "Failed locking."; | 284 LOG(ERROR) << "Failed locking."; |
| 300 device_lock_running_ = false; | 285 device_lock_running_ = false; |
| 301 callback.Run(LOCK_FINALIZE_ERROR); | 286 callback.Run(LOCK_FINALIZE_ERROR); |
| 302 return; | 287 return; |
| 303 } | 288 } |
| 304 | 289 |
| 305 ReadImmutableAttributes( | 290 ReadImmutableAttributes( |
| 306 base::Bind(&InstallAttributes::OnReadImmutableAttributes, | 291 base::Bind(&InstallAttributes::OnReadImmutableAttributes, |
| 307 weak_ptr_factory_.GetWeakPtr(), | 292 weak_ptr_factory_.GetWeakPtr(), |
| 308 registration_user, | 293 device_mode, |
| 294 domain, | |
| 295 realm, | |
| 296 device_id, | |
| 309 callback)); | 297 callback)); |
| 310 } | 298 } |
| 311 | 299 |
| 312 void InstallAttributes::OnReadImmutableAttributes( | 300 void InstallAttributes::OnReadImmutableAttributes( |
| 313 const std::string& registration_user, | 301 policy::DeviceMode mode, |
| 302 const std::string& domain, | |
| 303 const std::string& realm, | |
| 304 const std::string& device_id, | |
| 314 const LockResultCallback& callback) { | 305 const LockResultCallback& callback) { |
| 306 device_lock_running_ = false; | |
| 315 | 307 |
| 316 if (GetRegistrationUser() != registration_user) { | 308 if (registration_mode_ != mode || |
| 309 registration_domain_ != domain || | |
| 310 registration_realm_ != realm || | |
| 311 registration_device_id_ != device_id) { | |
| 317 LOG(ERROR) << "Locked data doesn't match."; | 312 LOG(ERROR) << "Locked data doesn't match."; |
| 318 device_lock_running_ = false; | |
| 319 callback.Run(LOCK_READBACK_ERROR); | 313 callback.Run(LOCK_READBACK_ERROR); |
| 320 return; | 314 return; |
| 321 } | 315 } |
| 322 | 316 |
| 323 device_lock_running_ = false; | |
| 324 callback.Run(LOCK_SUCCESS); | 317 callback.Run(LOCK_SUCCESS); |
| 325 } | 318 } |
| 326 | 319 |
| 327 bool InstallAttributes::IsEnterpriseDevice() const { | 320 bool InstallAttributes::IsEnterpriseDevice() const { |
| 328 return device_locked_ && !registration_user_.empty(); | 321 if (!device_locked_) { |
| 322 return false; | |
| 323 } | |
| 324 return registration_mode_ == policy::DEVICE_MODE_ENTERPRISE || | |
| 325 registration_mode_ == policy::DEVICE_MODE_ENTERPRISE_AD; | |
| 329 } | 326 } |
| 330 | 327 |
| 331 bool InstallAttributes::IsConsumerKioskDeviceWithAutoLaunch() { | 328 bool InstallAttributes::IsConsumerKioskDeviceWithAutoLaunch() { |
| 332 return device_locked_ && | 329 return device_locked_ && |
| 333 registration_mode_ == policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH; | 330 registration_mode_ == policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH; |
| 334 } | 331 } |
| 335 | 332 |
| 336 std::string InstallAttributes::GetDomain() const { | |
| 337 if (!IsEnterpriseDevice()) | |
| 338 return std::string(); | |
| 339 | |
| 340 return registration_domain_; | |
| 341 } | |
| 342 | |
| 343 std::string InstallAttributes::GetDeviceId() { | |
| 344 if (!IsEnterpriseDevice()) | |
| 345 return std::string(); | |
| 346 | |
| 347 return registration_device_id_; | |
| 348 } | |
| 349 | |
| 350 policy::DeviceMode InstallAttributes::GetMode() { | |
| 351 return registration_mode_; | |
| 352 } | |
| 353 | |
| 354 void InstallAttributes::TriggerConsistencyCheck(int dbus_retries) { | 333 void InstallAttributes::TriggerConsistencyCheck(int dbus_retries) { |
| 355 cryptohome_client_->TpmIsOwned( | 334 cryptohome_client_->TpmIsOwned( |
| 356 base::Bind(&InstallAttributes::OnTpmOwnerCheckCompleted, | 335 base::Bind(&InstallAttributes::OnTpmOwnerCheckCompleted, |
| 357 weak_ptr_factory_.GetWeakPtr(), | 336 weak_ptr_factory_.GetWeakPtr(), |
| 358 dbus_retries)); | 337 dbus_retries)); |
| 359 } | 338 } |
| 360 | 339 |
| 361 void InstallAttributes::OnTpmOwnerCheckCompleted( | 340 void InstallAttributes::OnTpmOwnerCheckCompleted( |
| 362 int dbus_retries_remaining, | 341 int dbus_retries_remaining, |
| 363 DBusMethodCallStatus call_status, | 342 DBusMethodCallStatus call_status, |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 387 post_check_action_.Reset(); | 366 post_check_action_.Reset(); |
| 388 } | 367 } |
| 389 } | 368 } |
| 390 | 369 |
| 391 // Warning: The values for these keys (but not the keys themselves) are stored | 370 // Warning: The values for these keys (but not the keys themselves) are stored |
| 392 // in the protobuf with a trailing zero. Also note that some of these constants | 371 // in the protobuf with a trailing zero. Also note that some of these constants |
| 393 // have been copied to login_manager/device_policy_service.cc. Please make sure | 372 // have been copied to login_manager/device_policy_service.cc. Please make sure |
| 394 // that all changes to the constants are reflected there as well. | 373 // that all changes to the constants are reflected there as well. |
| 395 const char InstallAttributes::kConsumerDeviceMode[] = "consumer"; | 374 const char InstallAttributes::kConsumerDeviceMode[] = "consumer"; |
| 396 const char InstallAttributes::kEnterpriseDeviceMode[] = "enterprise"; | 375 const char InstallAttributes::kEnterpriseDeviceMode[] = "enterprise"; |
| 376 const char InstallAttributes::kEnterpriseADDeviceMode[] = "enterprise_ad"; | |
| 397 const char InstallAttributes::kLegacyRetailDeviceMode[] = "kiosk"; | 377 const char InstallAttributes::kLegacyRetailDeviceMode[] = "kiosk"; |
| 398 const char InstallAttributes::kConsumerKioskDeviceMode[] = "consumer_kiosk"; | 378 const char InstallAttributes::kConsumerKioskDeviceMode[] = "consumer_kiosk"; |
| 399 const char InstallAttributes::kUnknownDeviceMode[] = "unknown"; | |
| 400 | 379 |
| 401 const char InstallAttributes::kAttrEnterpriseDeviceId[] = | 380 const char InstallAttributes::kAttrEnterpriseDeviceId[] = |
| 402 "enterprise.device_id"; | 381 "enterprise.device_id"; |
| 403 const char InstallAttributes::kAttrEnterpriseDomain[] = "enterprise.domain"; | 382 const char InstallAttributes::kAttrEnterpriseDomain[] = "enterprise.domain"; |
| 383 const char InstallAttributes::kAttrEnterpriseRealm[] = "enterprise.realm"; | |
| 404 const char InstallAttributes::kAttrEnterpriseMode[] = "enterprise.mode"; | 384 const char InstallAttributes::kAttrEnterpriseMode[] = "enterprise.mode"; |
| 405 const char InstallAttributes::kAttrEnterpriseOwned[] = "enterprise.owned"; | 385 const char InstallAttributes::kAttrEnterpriseOwned[] = "enterprise.owned"; |
| 406 const char InstallAttributes::kAttrEnterpriseUser[] = "enterprise.user"; | 386 const char InstallAttributes::kAttrEnterpriseUser[] = "enterprise.user"; |
| 407 const char InstallAttributes::kAttrConsumerKioskEnabled[] = | 387 const char InstallAttributes::kAttrConsumerKioskEnabled[] = |
| 408 "consumer.app_kiosk_enabled"; | 388 "consumer.app_kiosk_enabled"; |
| 409 | 389 |
| 410 void InstallAttributes::OnCryptohomeServiceInitiallyAvailable( | 390 void InstallAttributes::OnCryptohomeServiceInitiallyAvailable( |
| 411 bool service_is_ready) { | 391 bool service_is_ready) { |
| 412 if (!service_is_ready) | 392 if (!service_is_ready) |
| 413 LOG(ERROR) << "Failed waiting for cryptohome D-Bus service availability."; | 393 LOG(ERROR) << "Failed waiting for cryptohome D-Bus service availability."; |
| 414 | 394 |
| 415 // Start the consistency check even if we failed to wait for availability; | 395 // Start the consistency check even if we failed to wait for availability; |
| 416 // hopefully the service will become available eventually. | 396 // hopefully the service will become available eventually. |
| 417 TriggerConsistencyCheck(kDbusRetryCount); | 397 TriggerConsistencyCheck(kDbusRetryCount); |
| 418 } | 398 } |
| 419 | 399 |
| 420 std::string InstallAttributes::GetDeviceModeString(policy::DeviceMode mode) { | 400 std::string InstallAttributes::GetDeviceModeString(policy::DeviceMode mode) { |
| 421 switch (mode) { | 401 switch (mode) { |
| 422 case policy::DEVICE_MODE_CONSUMER: | 402 case policy::DEVICE_MODE_CONSUMER: |
| 423 return InstallAttributes::kConsumerDeviceMode; | 403 return InstallAttributes::kConsumerDeviceMode; |
| 424 case policy::DEVICE_MODE_ENTERPRISE: | 404 case policy::DEVICE_MODE_ENTERPRISE: |
| 425 return InstallAttributes::kEnterpriseDeviceMode; | 405 return InstallAttributes::kEnterpriseDeviceMode; |
| 406 case policy::DEVICE_MODE_ENTERPRISE_AD: | |
| 407 return InstallAttributes::kEnterpriseADDeviceMode; | |
| 426 case policy::DEVICE_MODE_LEGACY_RETAIL_MODE: | 408 case policy::DEVICE_MODE_LEGACY_RETAIL_MODE: |
| 427 return InstallAttributes::kLegacyRetailDeviceMode; | 409 return InstallAttributes::kLegacyRetailDeviceMode; |
| 428 case policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH: | 410 case policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH: |
| 429 return InstallAttributes::kConsumerKioskDeviceMode; | 411 return InstallAttributes::kConsumerKioskDeviceMode; |
| 430 case policy::DEVICE_MODE_PENDING: | 412 case policy::DEVICE_MODE_PENDING: |
| 431 case policy::DEVICE_MODE_NOT_SET: | 413 case policy::DEVICE_MODE_NOT_SET: |
| 432 break; | 414 break; |
| 433 } | 415 } |
| 434 NOTREACHED() << "Invalid device mode: " << mode; | 416 NOTREACHED() << "Invalid device mode: " << mode; |
| 435 return InstallAttributes::kUnknownDeviceMode; | 417 return std::string(); |
| 436 } | 418 } |
| 437 | 419 |
| 438 policy::DeviceMode InstallAttributes::GetDeviceModeFromString( | 420 policy::DeviceMode InstallAttributes::GetDeviceModeFromString( |
| 439 const std::string& mode) { | 421 const std::string& mode) { |
| 440 if (mode == InstallAttributes::kConsumerDeviceMode) | 422 if (mode == InstallAttributes::kConsumerDeviceMode) |
| 441 return policy::DEVICE_MODE_CONSUMER; | 423 return policy::DEVICE_MODE_CONSUMER; |
| 442 else if (mode == InstallAttributes::kEnterpriseDeviceMode) | 424 else if (mode == InstallAttributes::kEnterpriseDeviceMode) |
| 443 return policy::DEVICE_MODE_ENTERPRISE; | 425 return policy::DEVICE_MODE_ENTERPRISE; |
| 426 else if (mode == InstallAttributes::kEnterpriseADDeviceMode) | |
| 427 return policy::DEVICE_MODE_ENTERPRISE_AD; | |
| 444 else if (mode == InstallAttributes::kLegacyRetailDeviceMode) | 428 else if (mode == InstallAttributes::kLegacyRetailDeviceMode) |
| 445 return policy::DEVICE_MODE_LEGACY_RETAIL_MODE; | 429 return policy::DEVICE_MODE_LEGACY_RETAIL_MODE; |
| 446 else if (mode == InstallAttributes::kConsumerKioskDeviceMode) | 430 else if (mode == InstallAttributes::kConsumerKioskDeviceMode) |
| 447 return policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH; | 431 return policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH; |
| 448 NOTREACHED() << "Unknown device mode string: " << mode; | |
| 449 return policy::DEVICE_MODE_NOT_SET; | 432 return policy::DEVICE_MODE_NOT_SET; |
| 450 } | 433 } |
| 451 | 434 |
| 452 void InstallAttributes::DecodeInstallAttributes( | 435 void InstallAttributes::DecodeInstallAttributes( |
| 453 const std::map<std::string, std::string>& attr_map) { | 436 const std::map<std::string, std::string>& attr_map) { |
| 454 std::string enterprise_owned; | 437 // Start from a clean slate. |
| 455 std::string enterprise_user; | 438 registration_mode_ = policy::DEVICE_MODE_NOT_SET; |
| 456 std::string consumer_kiosk_enabled; | 439 registration_domain_.clear(); |
| 457 if (ReadMapKey(attr_map, kAttrEnterpriseOwned, &enterprise_owned) && | 440 registration_realm_.clear(); |
| 458 ReadMapKey(attr_map, kAttrEnterpriseUser, &enterprise_user) && | 441 registration_device_id_.clear(); |
| 459 enterprise_owned == "true" && | |
| 460 !enterprise_user.empty()) { | |
| 461 registration_user_ = gaia::CanonicalizeEmail(enterprise_user); | |
| 462 | 442 |
| 463 // Initialize the mode to the legacy enterprise mode here and update | 443 const std::string enterprise_owned = |
| 464 // below if more information is present. | 444 ReadMapKey(attr_map, kAttrEnterpriseOwned); |
| 465 registration_mode_ = policy::DEVICE_MODE_ENTERPRISE; | 445 const std::string consumer_kiosk_enabled = |
| 446 ReadMapKey(attr_map, kAttrConsumerKioskEnabled); | |
| 447 const std::string mode = ReadMapKey(attr_map, kAttrEnterpriseMode); | |
| 448 const std::string domain = ReadMapKey(attr_map, kAttrEnterpriseDomain); | |
| 449 const std::string realm = ReadMapKey(attr_map, kAttrEnterpriseRealm); | |
| 450 const std::string device_id = ReadMapKey(attr_map, kAttrEnterpriseDeviceId); | |
| 451 const std::string user_deprecated = ReadMapKey(attr_map, kAttrEnterpriseUser); | |
| 466 | 452 |
| 467 // If we could extract basic setting we should try to extract the | 453 if (enterprise_owned == "true") { |
| 468 // extended ones too. We try to set these to defaults as good as | 454 WarnIfNonempty(attr_map, kAttrConsumerKioskEnabled); |
| 469 // as possible if present, which could happen for device enrolled in | 455 registration_device_id_ = device_id; |
| 470 // pre 19 revisions of the code, before these new attributes were added. | |
| 471 if (ReadMapKey(attr_map, kAttrEnterpriseDomain, ®istration_domain_)) | |
| 472 registration_domain_ = gaia::CanonicalizeDomain(registration_domain_); | |
| 473 else | |
| 474 registration_domain_ = gaia::ExtractDomainName(registration_user_); | |
| 475 | 456 |
| 476 ReadMapKey(attr_map, kAttrEnterpriseDeviceId, ®istration_device_id_); | 457 // Set registration_mode_. |
| 458 registration_mode_ = GetDeviceModeFromString(mode); | |
| 459 if (registration_mode_ != policy::DEVICE_MODE_ENTERPRISE && | |
| 460 registration_mode_ != policy::DEVICE_MODE_ENTERPRISE_AD) { | |
| 461 if (!mode.empty()) { | |
| 462 LOG(WARNING) << "Bad " << kAttrEnterpriseMode << ": " << mode; | |
| 463 } | |
| 464 registration_mode_ = policy::DEVICE_MODE_ENTERPRISE; | |
| 465 } | |
| 477 | 466 |
| 478 std::string mode; | 467 if (registration_mode_ == policy::DEVICE_MODE_ENTERPRISE) { |
| 479 if (ReadMapKey(attr_map, kAttrEnterpriseMode, &mode)) | 468 // Either set registration_domain_ ... |
| 480 registration_mode_ = GetDeviceModeFromString(mode); | 469 WarnIfNonempty(attr_map, kAttrEnterpriseRealm); |
| 481 } else if (ReadMapKey(attr_map, | 470 if (!domain.empty()) { |
| 482 kAttrConsumerKioskEnabled, | 471 // The canonicalization is for compatibility with earlier versions. |
| 483 &consumer_kiosk_enabled) && | 472 registration_domain_ = gaia::CanonicalizeDomain(domain); |
| 484 consumer_kiosk_enabled == "true") { | 473 } else if (!user_deprecated.empty()) { |
| 474 // Compatibility for pre M19 code. | |
| 475 registration_domain_ = gaia::ExtractDomainName(user_deprecated); | |
| 476 } else { | |
| 477 LOG(WARNING) << "Couldn't read domain."; | |
|
emaxx
2016/10/11 17:26:37
nit: Two spaces instead of one.
Thiemo Nagel
2016/10/11 18:23:30
Thanks. Fixed.
| |
| 478 } | |
| 479 } else { | |
| 480 // ... or set registration_realm_. | |
| 481 WarnIfNonempty(attr_map, kAttrEnterpriseDomain); | |
| 482 if (!realm.empty()) { | |
| 483 registration_realm_ = realm; | |
| 484 } else { | |
| 485 LOG(WARNING) << "Couldn't read realm."; | |
| 486 } | |
| 487 } | |
| 488 | |
| 489 return; | |
| 490 } | |
| 491 | |
| 492 WarnIfNonempty(attr_map, kAttrEnterpriseOwned); | |
| 493 WarnIfNonempty(attr_map, kAttrEnterpriseDomain); | |
| 494 WarnIfNonempty(attr_map, kAttrEnterpriseRealm); | |
| 495 WarnIfNonempty(attr_map, kAttrEnterpriseDeviceId); | |
| 496 WarnIfNonempty(attr_map, kAttrEnterpriseUser); | |
| 497 if (consumer_kiosk_enabled == "true") { | |
| 485 registration_mode_ = policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH; | 498 registration_mode_ = policy::DEVICE_MODE_CONSUMER_KIOSK_AUTOLAUNCH; |
| 486 } else if (enterprise_user.empty() && enterprise_owned != "true") { | 499 return; |
| 487 // |registration_user_| is empty on consumer devices. | 500 } |
| 501 | |
| 502 WarnIfNonempty(attr_map, kAttrConsumerKioskEnabled); | |
| 503 if (user_deprecated.empty()) { | |
| 488 registration_mode_ = policy::DEVICE_MODE_CONSUMER; | 504 registration_mode_ = policy::DEVICE_MODE_CONSUMER; |
| 489 } | 505 } |
| 490 } | 506 } |
| 491 | 507 |
| 492 std::string InstallAttributes::GetRegistrationUser() const { | |
| 493 if (!device_locked_) | |
| 494 return std::string(); | |
| 495 | |
| 496 return registration_user_; | |
| 497 } | |
| 498 | |
| 499 } // namespace chromeos | 508 } // namespace chromeos |
| OLD | NEW |
