1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 7 8 #include <string> 9 10 #include "base/basictypes.h" 11 #include "base/compiler_specific.h" 12 #include "base/memory/ref_counted.h" 13 #include "base/memory/scoped_ptr.h" 14 #include "base/memory/weak_ptr.h" 15 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" 16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h" 17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 18 #include "components/policy/core/common/cloud/cloud_policy_client.h" 19 #include "components/policy/core/common/cloud/cloud_policy_store.h" 20 #include "google_apis/gaia/gaia_oauth_client.h" 21 22 namespace base { 23 class SequencedTaskRunner; 24 } 25 26 namespace enterprise_management { 27 class PolicyFetchResponse; 28 } 29 30 namespace policy { 31 32 class ServerBackedStateKeysBroker; 33 34 // Implements the logic that establishes enterprise enrollment for Chromium OS 35 // devices. The process is as follows: 36 // 1. Given an auth token, register with the policy service. 37 // 2. Download the initial policy blob from the service. 38 // 3. Verify the policy blob. Everything up to this point doesn't touch device 39 // state. 40 // 4. Download the OAuth2 authorization code for device-level API access. 41 // 5. Download the OAuth2 refresh token for device-level API access and store 42 // it. 43 // 6. Establish the device lock in installation-time attributes. 44 // 7. Store the policy blob and API refresh token. 45 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer, 46 public CloudPolicyStore::Observer, 47 public gaia::GaiaOAuthClient::Delegate { 48 public: 49 typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes 50 AllowedDeviceModes; 51 typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback 52 EnrollmentCallback; 53 54 // |store| and |install_attributes| must remain valid for the life time of the 55 // enrollment handler. |allowed_device_modes| determines what device modes 56 // are acceptable. If the mode specified by the server is not acceptable, 57 // enrollment will fail with an EnrollmentStatus indicating 58 // STATUS_REGISTRATION_BAD_MODE. 59 EnrollmentHandlerChromeOS( 60 DeviceCloudPolicyStoreChromeOS* store, 61 EnterpriseInstallAttributes* install_attributes, 62 ServerBackedStateKeysBroker* state_keys_broker, 63 scoped_ptr<CloudPolicyClient> client, 64 scoped_refptr<base::SequencedTaskRunner> background_task_runner, 65 const std::string& auth_token, 66 const std::string& client_id, 67 bool is_auto_enrollment, 68 const std::string& requisition, 69 const AllowedDeviceModes& allowed_device_modes, 70 const EnrollmentCallback& completion_callback); 71 virtual ~EnrollmentHandlerChromeOS(); 72 73 // Starts the enrollment process and reports the result to 74 // |completion_callback_|. 75 void StartEnrollment(); 76 77 // Releases the client. 78 scoped_ptr<CloudPolicyClient> ReleaseClient(); 79 80 // CloudPolicyClient::Observer: 81 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE; 82 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE; 83 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE; 84 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE; 85 86 // CloudPolicyStore::Observer: 87 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 88 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 89 90 // GaiaOAuthClient::Delegate: 91 virtual void OnGetTokensResponse(const std::string& refresh_token, 92 const std::string& access_token, 93 int expires_in_seconds) OVERRIDE; 94 virtual void OnRefreshTokenResponse(const std::string& access_token, 95 int expires_in_seconds) OVERRIDE; 96 virtual void OnOAuthError() OVERRIDE; 97 virtual void OnNetworkError(int response_code) OVERRIDE; 98 99 private: 100 // Indicates what step of the process is currently pending. These steps need 101 // to be listed in the order they are traversed in. 102 enum EnrollmentStep { 103 STEP_PENDING, // Not started yet. 104 STEP_STATE_KEYS, // Waiting for state keys to become available. 105 STEP_LOADING_STORE, // Waiting for |store_| to initialize. 106 STEP_REGISTRATION, // Currently registering the client. 107 STEP_POLICY_FETCH, // Fetching policy. 108 STEP_VALIDATION, // Policy validation. 109 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code. 110 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token. 111 STEP_LOCK_DEVICE, // Writing installation-time attributes. 112 STEP_STORE_ROBOT_AUTH, // Encrypting & writing robot refresh token. 113 STEP_STORE_POLICY, // Storing policy and API refresh token. 114 STEP_FINISHED, // Enrollment process finished, no further action. 115 }; 116 117 // Handles the response to a request for server-backed state keys. 118 void CheckStateKeys(const std::vector<std::string>& state_keys); 119 120 // Starts registration if the store is initialized. 121 void AttemptRegistration(); 122 123 // Handles the policy validation result, proceeding with installation-time 124 // attributes locking if successful. 125 void PolicyValidated(DeviceCloudPolicyValidator* validator); 126 127 // Calls LockDevice() and proceeds to policy installation. If unsuccessful, 128 // reports the result. Actual installation or error report will be done in 129 // HandleLockDeviceResult(). 130 void StartLockDevice(const std::string& user, 131 DeviceMode device_mode, 132 const std::string& device_id); 133 134 // Helper for StartLockDevice(). It performs the actual action based on 135 // the result of LockDevice. 136 void HandleLockDeviceResult( 137 const std::string& user, 138 DeviceMode device_mode, 139 const std::string& device_id, 140 EnterpriseInstallAttributes::LockResult lock_result); 141 142 // Handles completion of the robot token store operation. 143 void HandleRobotAuthTokenStored(bool result); 144 145 // Drops any ongoing actions. 146 void Stop(); 147 148 // Reports the result of the enrollment process to the initiator. 149 void ReportResult(EnrollmentStatus status); 150 151 DeviceCloudPolicyStoreChromeOS* store_; 152 EnterpriseInstallAttributes* install_attributes_; 153 ServerBackedStateKeysBroker* state_keys_broker_; 154 scoped_ptr<CloudPolicyClient> client_; 155 scoped_refptr<base::SequencedTaskRunner> background_task_runner_; 156 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_; 157 158 std::string auth_token_; 159 std::string client_id_; 160 bool is_auto_enrollment_; 161 std::string requisition_; 162 std::string current_state_key_; 163 std::string refresh_token_; 164 AllowedDeviceModes allowed_device_modes_; 165 EnrollmentCallback completion_callback_; 166 167 // The device mode as received in the registration request. 168 DeviceMode device_mode_; 169 170 // The validated policy response info to be installed in the store. 171 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 172 std::string username_; 173 std::string device_id_; 174 175 // Current enrollment step. 176 EnrollmentStep enrollment_step_; 177 178 // Total amount of time in milliseconds spent waiting for lockbox 179 // initialization. 180 int lockbox_init_duration_; 181 182 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_; 183 184 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS); 185 }; 186 187 } // namespace policy 188 189 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_ 190