| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_SETTINGS_INSTALL_ATTRIBUTES_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_SETTINGS_INSTALL_ATTRIBUTES_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_SETTINGS_INSTALL_ATTRIBUTES_H_ | 6 #define CHROME_BROWSER_CHROMEOS_SETTINGS_INSTALL_ATTRIBUTES_H_ |
| 7 | 7 |
| 8 #include <map> | 8 #include <map> |
| 9 #include <string> | 9 #include <string> |
| 10 | 10 |
| (...skipping 17 matching lines...) |
| 28 // logfiles. | 28 // logfiles. |
| 29 enum LockResult { | 29 enum LockResult { |
| 30 LOCK_SUCCESS = 0, // Success. | 30 LOCK_SUCCESS = 0, // Success. |
| 31 LOCK_NOT_READY = 1, // Backend/TPM still initializing. | 31 LOCK_NOT_READY = 1, // Backend/TPM still initializing. |
| 32 LOCK_TIMEOUT = 2, // Backend/TPM timed out. | 32 LOCK_TIMEOUT = 2, // Backend/TPM timed out. |
| 33 LOCK_BACKEND_INVALID = 3, // Backend failed to initialize. | 33 LOCK_BACKEND_INVALID = 3, // Backend failed to initialize. |
| 34 LOCK_ALREADY_LOCKED = 4, // TPM has already been locked. | 34 LOCK_ALREADY_LOCKED = 4, // TPM has already been locked. |
| 35 LOCK_SET_ERROR = 5, // Failed to set attributes. | 35 LOCK_SET_ERROR = 5, // Failed to set attributes. |
| 36 LOCK_FINALIZE_ERROR = 6, // Backend failed to lock. | 36 LOCK_FINALIZE_ERROR = 6, // Backend failed to lock. |
| 37 LOCK_READBACK_ERROR = 7, // Inconsistency reading back registration data. | 37 LOCK_READBACK_ERROR = 7, // Inconsistency reading back registration data. |
| 38 LOCK_WRONG_DOMAIN = 8, // Device already registered to another domain. | 38 LOCK_WRONG_DOMAIN = 8, // Device already registered to another domain or |
| 39 // other mismatch of other attributes. |
| 39 LOCK_WRONG_MODE = 9, // Device already locked to a different mode. | 40 LOCK_WRONG_MODE = 9, // Device already locked to a different mode. |
| 40 }; | 41 }; |
| 41 | 42 |
| 42 // A callback to handle responses of methods returning a LockResult value. | 43 // A callback to handle responses of methods returning a LockResult value. |
| 43 typedef base::Callback<void(LockResult lock_result)> LockResultCallback; | 44 typedef base::Callback<void(LockResult lock_result)> LockResultCallback; |
| 44 | 45 |
| 45 // Return serialized InstallAttributes of an enterprise-owned configuration. | 46 // Return serialized InstallAttributes of an enterprise-owned configuration. |
| 46 static std::string GetEnterpriseOwnedInstallAttributesBlobForTesting( | 47 static std::string GetEnterpriseOwnedInstallAttributesBlobForTesting( |
| 47 const std::string& user_name); | 48 const std::string& user_name); |
| 48 | 49 |
| 49 explicit InstallAttributes(CryptohomeClient* cryptohome_client); | 50 explicit InstallAttributes(CryptohomeClient* cryptohome_client); |
| 50 ~InstallAttributes(); | 51 ~InstallAttributes(); |
| 51 | 52 |
| 52 // Tries to read install attributes from the cache file which is created early | 53 // Tries to read install attributes from the cache file which is created early |
| 53 // during the boot process. The cache file is used to work around slow | 54 // during the boot process. The cache file is used to work around slow |
| 54 // cryptohome startup, which takes a while to register its DBus interface. | 55 // cryptohome startup, which takes a while to register its D-Bus interface. |
| 55 // (See http://crosbug.com/37367 for background on this.) | 56 // (See http://crosbug.com/37367 for background on this.) |
| 56 void Init(const base::FilePath& cache_file); | 57 void Init(const base::FilePath& cache_file); |
| 57 | 58 |
| 58 // Makes sure the local caches for enterprise-related install attributes are | 59 // Makes sure the local caches for enterprise-related install attributes are |
| 59 // up to date with what cryptohome has. This method checks the readiness of | 60 // up to date with what cryptohome has. This method checks the readiness of |
| 60 // attributes and read them if ready. Actual read will be performed in | 61 // attributes and read them if ready. Actual read will be performed in |
| 61 // ReadAttributesIfReady(). | 62 // ReadAttributesIfReady(). |
| 62 void ReadImmutableAttributes(const base::Closure& callback); | 63 void ReadImmutableAttributes(const base::Closure& callback); |
| 63 | 64 |
| 64 // Locks the device to be an enterprise device registered by the given user. | 65 // Locks the device into |device_mode|. Depending on |device_mode|, a |
| 65 // This can also be called after the lock has already been taken, in which | 66 // specific subset of |domain|, |realm| and |device_id| must be set. Can also |
| 66 // case it checks that the passed user agrees with the locked attribute. | 67 // be called after the lock has already been taken, in which case it checks |
| 68 // that the passed parameters fully agree with the locked attributes. |
| 67 // |callback| must not be null and is called with the result. Must not be | 69 // |callback| must not be null and is called with the result. Must not be |
| 68 // called while a previous LockDevice() invocation is still pending. | 70 // called while a previous LockDevice() invocation is still pending. |
| 69 void LockDevice(const std::string& user, | 71 void LockDevice(policy::DeviceMode device_mode, |
| 70 policy::DeviceMode device_mode, | 72 const std::string& domain, |
| 73 const std::string& realm, |
| 71 const std::string& device_id, | 74 const std::string& device_id, |
| 72 const LockResultCallback& callback); | 75 const LockResultCallback& callback); |
| 73 | 76 |
| 74 // Checks whether this is an enterprise device. | 77 // Checks whether this is an enterprise device. |
| 75 bool IsEnterpriseDevice() const; | 78 bool IsEnterpriseDevice() const; |
| 76 | 79 |
| 77 // Checks whether this is a consumer kiosk enabled device. | 80 // Checks whether this is a consumer kiosk enabled device. |
| 78 bool IsConsumerKioskDeviceWithAutoLaunch(); | 81 bool IsConsumerKioskDeviceWithAutoLaunch(); |
| 79 | 82 |
| 80 // Gets the domain this device belongs to or an empty string if the device is | 83 // Return the mode the device was enrolled to. The return value for devices |
| 81 // not an enterprise device. | 84 // that are not locked yet is DEVICE_MODE_UNKNOWN. |
| 82 std::string GetDomain() const; | 85 policy::DeviceMode GetMode() const { return registration_mode_; } |
| 83 | 86 |
| 84 // Gets the device id that was generated when the device was registered. | 87 // Return the domain this device belongs to or an empty string if the device |
| 88 // is not a cloud-managed enterprise device. |
| 89 std::string GetDomain() const { return registration_domain_; } |
| 90 |
| 91 // Return the realm this device belongs to or an empty string if the device is |
| 92 // not an AD enterprise device. |
| 93 std::string GetRealm() const { return registration_realm_; } |
| 94 |
| 95 // Return the device id that was generated when the device was registered. |
| 85 // Returns an empty string if the device is not an enterprise device or the | 96 // Returns an empty string if the device is not an enterprise device or the |
| 86 // device id was not stored in the lockbox (prior to R19). | 97 // device id was not stored in the lockbox (prior to R19). |
| 87 std::string GetDeviceId(); | 98 std::string GetDeviceId() const { return registration_device_id_; } |
| 88 | |
| 89 // Gets the mode the device was enrolled to. The return value for devices that | |
| 90 // are not locked yet will be DEVICE_MODE_UNKNOWN. | |
| 91 policy::DeviceMode GetMode(); | |
| 92 | 99 |
| 93 protected: | 100 protected: |
| 94 // True if install attributes have been read successfully. False if read | 101 // True if install attributes have been read successfully. False if read |
| 95 // failed or no read attempt was made. | 102 // failed or no read attempt was made. |
| 96 bool device_locked_; | 103 bool device_locked_ = false; |
| 97 | 104 |
| 98 // Whether the TPM / install attributes consistency check is running. | 105 // Whether the TPM / install attributes consistency check is running. |
| 99 bool consistency_check_running_; | 106 bool consistency_check_running_ = false; |
| 100 | 107 |
| 101 // To be run after the consistency check has finished. | 108 // To be run after the consistency check has finished. |
| 102 base::Closure post_check_action_; | 109 base::Closure post_check_action_; |
| 103 | 110 |
| 104 // Wether the LockDevice() initiated TPM calls are running. | 111 // Wether the LockDevice() initiated TPM calls are running. |
| 105 bool device_lock_running_; | 112 bool device_lock_running_ = false; |
| 106 | 113 |
| 107 std::string registration_user_; | 114 // The actual install attributes. Populated by DecodeInstallAttributes() |
| 115 // exclusively. |
| 116 policy::DeviceMode registration_mode_ = policy::DEVICE_MODE_PENDING; |
| 108 std::string registration_domain_; | 117 std::string registration_domain_; |
| 118 std::string registration_realm_; |
| 109 std::string registration_device_id_; | 119 std::string registration_device_id_; |
| 110 policy::DeviceMode registration_mode_; | |
| 111 | 120 |
| 112 private: | 121 private: |
| 113 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, DeviceLockedFromOlderVersion); | 122 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, DeviceLockedFromOlderVersion); |
| 114 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, GetRegistrationUser); | |
| 115 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, Init); | 123 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, Init); |
| 116 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, InitForConsumerKiosk); | 124 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, InitForConsumerKiosk); |
| 117 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, LockCanonicalize); | 125 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, LockCanonicalize); |
| 118 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, | 126 FRIEND_TEST_ALL_PREFIXES(InstallAttributesTest, |
| 119 VerifyFakeInstallAttributesCache); | 127 VerifyFakeInstallAttributesCache); |
| 120 | 128 |
| 121 // Constants for the possible device modes that can be stored in the lockbox. | 129 // Constants for the possible device modes that can be stored in the lockbox. |
| 122 static const char kConsumerDeviceMode[]; | 130 static const char kConsumerDeviceMode[]; |
| 123 static const char kEnterpriseDeviceMode[]; | 131 static const char kEnterpriseDeviceMode[]; |
| 132 static const char kEnterpriseADDeviceMode[]; |
| 124 static const char kLegacyRetailDeviceMode[]; | 133 static const char kLegacyRetailDeviceMode[]; |
| 125 static const char kConsumerKioskDeviceMode[]; | 134 static const char kConsumerKioskDeviceMode[]; |
| 126 static const char kUnknownDeviceMode[]; | |
| 127 | 135 |
| 128 // Field names in the lockbox. | 136 // Field names in the lockbox. |
| 129 static const char kAttrEnterpriseDeviceId[]; | 137 static const char kAttrEnterpriseDeviceId[]; |
| 130 static const char kAttrEnterpriseDomain[]; | 138 static const char kAttrEnterpriseDomain[]; |
| 139 static const char kAttrEnterpriseRealm[]; |
| 131 static const char kAttrEnterpriseMode[]; | 140 static const char kAttrEnterpriseMode[]; |
| 132 static const char kAttrEnterpriseOwned[]; | 141 static const char kAttrEnterpriseOwned[]; |
| 133 static const char kAttrEnterpriseUser[]; | 142 static const char kAttrEnterpriseUser[]; |
| 134 static const char kAttrConsumerKioskEnabled[]; | 143 static const char kAttrConsumerKioskEnabled[]; |
| 135 | 144 |
| 136 // Called by |cryptohome_client_| when the cryptohome service becomes | 145 // Called by |cryptohome_client_| when the cryptohome service becomes |
| 137 // initially available over D-Bus. | 146 // initially available over D-Bus. |
| 138 void OnCryptohomeServiceInitiallyAvailable(bool service_is_ready); | 147 void OnCryptohomeServiceInitiallyAvailable(bool service_is_ready); |
| 139 | 148 |
| 140 // Translates DeviceMode constants to strings used in the lockbox. | 149 // Translates DeviceMode constants to strings used in the lockbox. |
| 141 std::string GetDeviceModeString(policy::DeviceMode mode); | 150 std::string GetDeviceModeString(policy::DeviceMode mode); |
| 142 | 151 |
| 143 // Translates strings used in the lockbox to DeviceMode values. | 152 // Translates strings used in the lockbox to DeviceMode values. |
| 144 policy::DeviceMode GetDeviceModeFromString(const std::string& mode); | 153 policy::DeviceMode GetDeviceModeFromString(const std::string& mode); |
| 145 | 154 |
| 146 // Decodes the install attributes provided in |attr_map|. | 155 // Decode the install attributes provided in |attr_map| (including some |
| 156 // normalization and processing for backward compatibility) and guarantee that |
| 157 // |registration_*| members are set self-consistently. |
| 147 void DecodeInstallAttributes( | 158 void DecodeInstallAttributes( |
| 148 const std::map<std::string, std::string>& attr_map); | 159 const std::map<std::string, std::string>& attr_map); |
| 149 | 160 |
| 150 // Helper for ReadImmutableAttributes. | 161 // Helper for ReadImmutableAttributes. |
| 151 void ReadAttributesIfReady(const base::Closure& callback, | 162 void ReadAttributesIfReady(const base::Closure& callback, |
| 152 DBusMethodCallStatus call_status, | 163 DBusMethodCallStatus call_status, |
| 153 bool result); | 164 bool result); |
| 154 | 165 |
| 155 // Helper for LockDevice(). Handles the result of InstallAttributesIsReady() | 166 // Helper for LockDevice(). Handles the result of InstallAttributesIsReady() |
| 156 // and continue processing LockDevice if the result is true. | 167 // and continue processing LockDevice if the result is true. |
| 157 void LockDeviceIfAttributesIsReady(const std::string& user, | 168 void LockDeviceIfAttributesIsReady(policy::DeviceMode device_mode, |
| 158 policy::DeviceMode device_mode, | 169 const std::string& domain, |
| 170 const std::string& realm, |
| 159 const std::string& device_id, | 171 const std::string& device_id, |
| 160 const LockResultCallback& callback, | 172 const LockResultCallback& callback, |
| 161 DBusMethodCallStatus call_status, | 173 DBusMethodCallStatus call_status, |
| 162 bool result); | 174 bool result); |
| 163 | 175 |
| 164 // Confirms the registered user and invoke the callback. | 176 // Confirms the registered user and invoke the callback. |
| 165 void OnReadImmutableAttributes(const std::string& user, | 177 void OnReadImmutableAttributes(policy::DeviceMode mode, |
| 178 const std::string& domain, |
| 179 const std::string& realm, |
| 180 const std::string& device_id, |
| 166 const LockResultCallback& callback); | 181 const LockResultCallback& callback); |
| 167 | 182 |
| 168 // Check state of install attributes against TPM lock state and generate UMA | 183 // Check state of install attributes against TPM lock state and generate UMA |
| 169 // for the result. Asynchronously retry |dbus_retries| times in case of DBUS | 184 // for the result. Asynchronously retry |dbus_retries| times in case of DBUS |
| 170 // errors (cryptohomed startup is slow). | 185 // errors (cryptohomed startup is slow). |
| 171 void TriggerConsistencyCheck(int dbus_retries); | 186 void TriggerConsistencyCheck(int dbus_retries); |
| 172 | 187 |
| 173 // Callback for TpmIsOwned() DBUS call. Generates UMA or schedules retry in | 188 // Callback for TpmIsOwned() DBUS call. Generates UMA or schedules retry in |
| 174 // case of DBUS error. | 189 // case of DBUS error. |
| 175 void OnTpmOwnerCheckCompleted(int dbus_retries_remaining, | 190 void OnTpmOwnerCheckCompleted(int dbus_retries_remaining, |
| 176 DBusMethodCallStatus call_status, | 191 DBusMethodCallStatus call_status, |
| 177 bool result); | 192 bool result); |
| 178 | 193 |
| 179 // Gets the user that registered the device. Returns an empty string if the | |
| 180 // device is not an enterprise device. | |
| 181 std::string GetRegistrationUser() const; | |
| 182 | |
| 183 CryptohomeClient* cryptohome_client_; | 194 CryptohomeClient* cryptohome_client_; |
| 184 | 195 |
| 185 base::WeakPtrFactory<InstallAttributes> weak_ptr_factory_; | 196 base::WeakPtrFactory<InstallAttributes> weak_ptr_factory_; |
| 186 | 197 |
| 187 DISALLOW_COPY_AND_ASSIGN(InstallAttributes); | 198 DISALLOW_COPY_AND_ASSIGN(InstallAttributes); |
| 188 }; | 199 }; |
| 189 | 200 |
| 190 } // namespace chromeos | 201 } // namespace chromeos |
| 191 | 202 |
| 192 #endif // CHROME_BROWSER_CHROMEOS_SETTINGS_INSTALL_ATTRIBUTES_H_ | 203 #endif // CHROME_BROWSER_CHROMEOS_SETTINGS_INSTALL_ATTRIBUTES_H_ |
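Review bot: The new comment on `GetMode()` says devices that are not locked yet report DEVICE_MODE_UNKNOWN, but `registration_mode_` is now default-initialized to `policy::DEVICE_MODE_PENDING` and the inline getter returns it without consulting `device_locked_`, so a caller that runs before the attributes are decoded gets a value the comment does not mention. Enrollment and management decisions presumably depend on this value, so the comment should name the pre-read state, e.g. `// Returns DEVICE_MODE_PENDING until the install attributes have been read.`, and say what DecodeInstallAttributes() leaves in place for a device that is not locked (its body is not in this header, and the `kUnknownDeviceMode` constant is removed here). Separately, the comment on `OnReadImmutableAttributes()` still reads "Confirms the registered user" although the `user` parameter is gone; `// Confirms that the locked attributes agree with the requested ones and invokes the callback.` would match the new signature.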