| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/command_line.h" | 10 #include "base/command_line.h" |
| (...skipping 11 matching lines...) Expand all Loading... |
| 22 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" | 22 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" |
| 23 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" | 23 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h" |
| 24 #include "chrome/browser/chromeos/profiles/profile_helper.h" | 24 #include "chrome/browser/chromeos/profiles/profile_helper.h" |
| 25 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" | 25 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" |
| 26 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h
" | 26 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h
" |
| 27 #include "chrome/browser/profiles/profile.h" | 27 #include "chrome/browser/profiles/profile.h" |
| 28 #include "chrome/common/channel_info.h" | 28 #include "chrome/common/channel_info.h" |
| 29 #include "chromeos/attestation/attestation_flow.h" | 29 #include "chromeos/attestation/attestation_flow.h" |
| 30 #include "chromeos/chromeos_switches.h" | 30 #include "chromeos/chromeos_switches.h" |
| 31 #include "chromeos/dbus/auth_policy_client.h" | 31 #include "chromeos/dbus/auth_policy_client.h" |
| 32 #include "chromeos/dbus/cryptohome/rpc.pb.h" |
| 32 #include "chromeos/dbus/dbus_thread_manager.h" | 33 #include "chromeos/dbus/dbus_thread_manager.h" |
| 33 #include "chromeos/dbus/upstart_client.h" | 34 #include "chromeos/dbus/upstart_client.h" |
| 34 #include "components/version_info/version_info.h" | 35 #include "components/version_info/version_info.h" |
| 35 #include "google_apis/gaia/gaia_auth_util.h" | 36 #include "google_apis/gaia/gaia_auth_util.h" |
| 36 #include "google_apis/gaia/gaia_urls.h" | 37 #include "google_apis/gaia/gaia_urls.h" |
| 37 #include "net/http/http_status_code.h" | 38 #include "net/http/http_status_code.h" |
| 38 | 39 |
| 39 namespace em = enterprise_management; | 40 namespace em = enterprise_management; |
| 40 | 41 |
| 41 namespace policy { | 42 namespace policy { |
| (...skipping 27 matching lines...) Expand all Loading... |
| 69 case EnrollmentConfig::MODE_ATTESTATION: | 70 case EnrollmentConfig::MODE_ATTESTATION: |
| 70 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION; | 71 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION; |
| 71 case EnrollmentConfig::MODE_ATTESTATION_FORCED: | 72 case EnrollmentConfig::MODE_ATTESTATION_FORCED: |
| 72 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED; | 73 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_ATTESTATION_FORCED; |
| 73 } | 74 } |
| 74 | 75 |
| 75 NOTREACHED() << "Bad enrollment mode: " << mode; | 76 NOTREACHED() << "Bad enrollment mode: " << mode; |
| 76 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; | 77 return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL; |
| 77 } | 78 } |
| 78 | 79 |
| 80 // Returns whether block_devmode is set. |
| 81 bool GetBlockdevmodeFromPolicy( |
| 82 const enterprise_management::PolicyFetchResponse* policy) { |
| 83 DCHECK(policy); |
| 84 em::PolicyData policy_data; |
| 85 if (!policy_data.ParseFromString(policy->policy_data())) { |
| 86 LOG(ERROR) << "Failed to parse policy data"; |
| 87 return false; |
| 88 } |
| 89 |
| 90 em::ChromeDeviceSettingsProto payload; |
| 91 if (!payload.ParseFromString(policy_data.policy_value())) { |
| 92 LOG(ERROR) << "Failed to parse policy value"; |
| 93 return false; |
| 94 } |
| 95 |
| 96 bool block_devmode = false; |
| 97 if (payload.has_system_settings()) { |
| 98 const em::SystemSettingsProto& container = payload.system_settings(); |
| 99 if (container.has_block_devmode()) { |
| 100 block_devmode = container.block_devmode(); |
| 101 } |
| 102 } |
| 103 |
| 104 return block_devmode; |
| 105 } |
| 106 |
| 79 } // namespace | 107 } // namespace |
| 80 | 108 |
| 81 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( | 109 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS( |
| 82 DeviceCloudPolicyStoreChromeOS* store, | 110 DeviceCloudPolicyStoreChromeOS* store, |
| 83 chromeos::InstallAttributes* install_attributes, | 111 chromeos::InstallAttributes* install_attributes, |
| 84 ServerBackedStateKeysBroker* state_keys_broker, | 112 ServerBackedStateKeysBroker* state_keys_broker, |
| 85 chromeos::attestation::AttestationFlow* attestation_flow, | 113 chromeos::attestation::AttestationFlow* attestation_flow, |
| 86 std::unique_ptr<CloudPolicyClient> client, | 114 std::unique_ptr<CloudPolicyClient> client, |
| 87 scoped_refptr<base::SequencedTaskRunner> background_task_runner, | 115 scoped_refptr<base::SequencedTaskRunner> background_task_runner, |
| 88 chromeos::ActiveDirectoryJoinDelegate* ad_join_delegate, | 116 chromeos::ActiveDirectoryJoinDelegate* ad_join_delegate, |
| (...skipping 301 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 390 const std::string& access_token, | 418 const std::string& access_token, |
| 391 int expires_in_seconds) { | 419 int expires_in_seconds) { |
| 392 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); | 420 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); |
| 393 | 421 |
| 394 robot_refresh_token_ = refresh_token; | 422 robot_refresh_token_ = refresh_token; |
| 395 | 423 |
| 396 SetStep(STEP_AD_DOMAIN_JOIN); | 424 SetStep(STEP_AD_DOMAIN_JOIN); |
| 397 StartJoinAdDomain(); | 425 StartJoinAdDomain(); |
| 398 } | 426 } |
| 399 | 427 |
| 428 void EnrollmentHandlerChromeOS::SetFirmwareManagementParametersData() { |
| 429 DCHECK_EQ(STEP_SET_FWMP_DATA, enrollment_step_); |
| 430 |
| 431 // In case of reenrollment, the device has the TPM locked and nothing has to |
| 432 // change in install attributes. No need to update firmware parameters in this |
| 433 // case. |
| 434 if (install_attributes_->IsDeviceLocked()) { |
| 435 SetStep(STEP_LOCK_DEVICE); |
| 436 StartLockDevice(); |
| 437 return; |
| 438 } |
| 439 |
| 440 install_attributes_->SetBlockDevmodeInTpm( |
| 441 GetBlockdevmodeFromPolicy(policy_.get()), |
| 442 base::Bind( |
| 443 &EnrollmentHandlerChromeOS::OnFirmwareManagementParametersDataSet, |
| 444 weak_ptr_factory_.GetWeakPtr())); |
| 445 } |
| 446 |
| 447 void EnrollmentHandlerChromeOS::OnFirmwareManagementParametersDataSet( |
| 448 chromeos::DBusMethodCallStatus call_status, |
| 449 bool result, |
| 450 const cryptohome::BaseReply& reply) { |
| 451 DCHECK_EQ(STEP_SET_FWMP_DATA, enrollment_step_); |
| 452 if (!result) { |
| 453 LOG(ERROR) |
| 454 << "Failed to update firmware management parameters in TPM, error: " |
| 455 << reply.error(); |
| 456 } |
| 457 |
| 458 SetStep(STEP_LOCK_DEVICE); |
| 459 StartLockDevice(); |
| 460 } |
| 461 |
| 400 // GaiaOAuthClient::Delegate | 462 // GaiaOAuthClient::Delegate |
| 401 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse( | 463 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse( |
| 402 const std::string& access_token, | 464 const std::string& access_token, |
| 403 int expires_in_seconds) { | 465 int expires_in_seconds) { |
| 404 // We never use the code that should trigger this callback. | 466 // We never use the code that should trigger this callback. |
| 405 LOG(FATAL) << "Unexpected callback invoked."; | 467 LOG(FATAL) << "Unexpected callback invoked."; |
| 406 } | 468 } |
| 407 | 469 |
| 408 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request. | 470 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request. |
| 409 void EnrollmentHandlerChromeOS::OnOAuthError() { | 471 void EnrollmentHandlerChromeOS::OnOAuthError() { |
| (...skipping 10 matching lines...) Expand all Loading... |
| 420 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); | 482 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_); |
| 421 LOG(ERROR) << "Network error while fetching API refresh token: " | 483 LOG(ERROR) << "Network error while fetching API refresh token: " |
| 422 << response_code; | 484 << response_code; |
| 423 ReportResult( | 485 ReportResult( |
| 424 EnrollmentStatus::ForRobotRefreshFetchError(response_code)); | 486 EnrollmentStatus::ForRobotRefreshFetchError(response_code)); |
| 425 } | 487 } |
| 426 | 488 |
| 427 void EnrollmentHandlerChromeOS::StartJoinAdDomain() { | 489 void EnrollmentHandlerChromeOS::StartJoinAdDomain() { |
| 428 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); | 490 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); |
| 429 if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) { | 491 if (device_mode_ != DEVICE_MODE_ENTERPRISE_AD) { |
| 430 SetStep(STEP_LOCK_DEVICE); | 492 SetStep(STEP_SET_FWMP_DATA); |
| 431 StartLockDevice(); | 493 SetFirmwareManagementParametersData(); |
| 432 return; | 494 return; |
| 433 } | 495 } |
| 434 DCHECK(ad_join_delegate_); | 496 DCHECK(ad_join_delegate_); |
| 435 ad_join_delegate_->JoinDomain( | 497 ad_join_delegate_->JoinDomain( |
| 436 base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined, | 498 base::BindOnce(&EnrollmentHandlerChromeOS::OnAdDomainJoined, |
| 437 weak_ptr_factory_.GetWeakPtr())); | 499 weak_ptr_factory_.GetWeakPtr())); |
| 438 } | 500 } |
| 439 | 501 |
| 440 void EnrollmentHandlerChromeOS::OnAdDomainJoined(const std::string& realm) { | 502 void EnrollmentHandlerChromeOS::OnAdDomainJoined(const std::string& realm) { |
| 441 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); | 503 DCHECK_EQ(STEP_AD_DOMAIN_JOIN, enrollment_step_); |
| 442 CHECK(!realm.empty()); | 504 CHECK(!realm.empty()); |
| 443 realm_ = realm; | 505 realm_ = realm; |
| 444 SetStep(STEP_LOCK_DEVICE); | 506 SetStep(STEP_SET_FWMP_DATA); |
| 445 StartLockDevice(); | 507 SetFirmwareManagementParametersData(); |
| 446 } | 508 } |
| 447 | 509 |
| 448 void EnrollmentHandlerChromeOS::StartLockDevice() { | 510 void EnrollmentHandlerChromeOS::StartLockDevice() { |
| 449 DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_); | 511 DCHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_); |
| 450 // Since this method is also called directly. | 512 // Since this method is also called directly. |
| 451 weak_ptr_factory_.InvalidateWeakPtrs(); | 513 weak_ptr_factory_.InvalidateWeakPtrs(); |
| 452 | 514 |
| 453 install_attributes_->LockDevice( | 515 install_attributes_->LockDevice( |
| 454 device_mode_, domain_, realm_, device_id_, | 516 device_mode_, domain_, realm_, device_id_, |
| 455 base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult, | 517 base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult, |
| (...skipping 143 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 599 callback.Run(status); | 661 callback.Run(status); |
| 600 } | 662 } |
| 601 | 663 |
| 602 void EnrollmentHandlerChromeOS::SetStep(EnrollmentStep step) { | 664 void EnrollmentHandlerChromeOS::SetStep(EnrollmentStep step) { |
| 603 DCHECK_LE(enrollment_step_, step); | 665 DCHECK_LE(enrollment_step_, step); |
| 604 VLOG(1) << "Step: " << step; | 666 VLOG(1) << "Step: " << step; |
| 605 enrollment_step_ = step; | 667 enrollment_step_ = step; |
| 606 } | 668 } |
| 607 | 669 |
| 608 } // namespace policy | 670 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2727713003:
Update FWMP in TPM (Closed)
