1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_CLIENT_H_ 6 #define COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_CLIENT_H_ 7 8 #include <map> 9 #include <set> 10 #include <string> 11 #include <vector> 12 13 #include "base/basictypes.h" 14 #include "base/callback.h" 15 #include "base/memory/scoped_ptr.h" 16 #include "base/observer_list.h" 17 #include "base/time/time.h" 18 #include "components/policy/core/common/cloud/cloud_policy_constants.h" 19 #include "components/policy/policy_export.h" 20 #include "policy/proto/device_management_backend.pb.h" 21 22 namespace net { 23 class URLRequestContextGetter; 24 } 25 26 namespace policy { 27 28 class DeviceManagementRequestJob; 29 class DeviceManagementService; 30 31 // Implements the core logic required to talk to the device management service. 32 // Also keeps track of the current state of the association with the service, 33 // such as whether there is a valid registration (DMToken is present in that 34 // case) and whether and what errors occurred in the latest request. 35 // 36 // Note that CloudPolicyClient doesn't do any validation of policy responses 37 // such as signature and time stamp checks. These happen once the policy gets 38 // installed in the cloud policy cache. 39 class POLICY_EXPORT CloudPolicyClient { 40 public: 41 // Maps a PolicyNamespaceKey to its corresponding PolicyFetchResponse. 42 typedef std::map<PolicyNamespaceKey, 43 enterprise_management::PolicyFetchResponse*> ResponseMap; 44 45 // A callback which receives boolean status of an operation. If the operation 46 // succeeded, |status| is true. 47 typedef base::Callback<void(bool status)> StatusCallback; 48 49 // Observer interface for state and policy changes. 50 class POLICY_EXPORT Observer { 51 public: 52 virtual ~Observer(); 53 54 // Called when a policy fetch completes successfully. If a policy fetch 55 // triggers an error, OnClientError() will fire. 56 virtual void OnPolicyFetched(CloudPolicyClient* client) = 0; 57 58 // Called upon registration state changes. This callback is invoked for 59 // successful completion of registration and unregistration requests. 60 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) = 0; 61 62 // Called when a request for device robot OAuth2 authorization tokens 63 // returns successfully. Only occurs during enrollment. Optional 64 // (default implementation is a noop). 65 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client); 66 67 // Indicates there's been an error in a previously-issued request. 68 virtual void OnClientError(CloudPolicyClient* client) = 0; 69 }; 70 71 // Delegate interface for supplying status information to upload to the server 72 // as part of the policy fetch request. 73 class POLICY_EXPORT StatusProvider { 74 public: 75 virtual ~StatusProvider(); 76 77 // Retrieves status information to send with the next policy fetch. 78 // Implementations must return true if status information was filled in. 79 virtual bool GetDeviceStatus( 80 enterprise_management::DeviceStatusReportRequest* status) = 0; 81 virtual bool GetSessionStatus( 82 enterprise_management::SessionStatusReportRequest* status) = 0; 83 84 // Called after the status information has successfully been submitted to 85 // the server. 86 virtual void OnSubmittedSuccessfully() = 0; 87 }; 88 89 // |provider| and |service| are weak pointers and it's the caller's 90 // responsibility to keep them valid for the lifetime of CloudPolicyClient. 91 // |verification_key_hash| contains an identifier telling the DMServer which 92 // verification key to use. 93 CloudPolicyClient( 94 const std::string& machine_id, 95 const std::string& machine_model, 96 const std::string& verification_key_hash, 97 UserAffiliation user_affiliation, 98 StatusProvider* provider, 99 DeviceManagementService* service, 100 scoped_refptr<net::URLRequestContextGetter> request_context); 101 virtual ~CloudPolicyClient(); 102 103 // Sets the DMToken, thereby establishing a registration with the server. A 104 // policy fetch is not automatically issued but can be requested by calling 105 // FetchPolicy(). 106 virtual void SetupRegistration(const std::string& dm_token, 107 const std::string& client_id); 108 109 // Attempts to register with the device management service. Results in a 110 // registration change or error notification. 111 virtual void Register( 112 enterprise_management::DeviceRegisterRequest::Type registration_type, 113 const std::string& auth_token, 114 const std::string& client_id, 115 bool is_auto_enrollment, 116 const std::string& requisition, 117 const std::string& current_state_key); 118 119 // Sets information about a policy invalidation. Subsequent fetch operations 120 // will use the given info, and callers can use fetched_invalidation_version 121 // to determine which version of policy was fetched. 122 void SetInvalidationInfo(int64 version, const std::string& payload); 123 124 // Requests a policy fetch. The client being registered is a prerequisite to 125 // this operation and this call will CHECK if the client is not in registered 126 // state. FetchPolicy() triggers a policy fetch from the cloud. A policy 127 // change notification is reported to the observers and the new policy blob 128 // can be retrieved once the policy fetch operation completes. In case of 129 // multiple requests to fetch policy, new requests will cancel any pending 130 // requests and the latest request will eventually trigger notifications. 131 virtual void FetchPolicy(); 132 133 // Requests OAuth2 auth codes for the device robot account. The client being 134 // registered is a prerequisite to this operation and this call will CHECK if 135 // the client is not in registered state. 136 virtual void FetchRobotAuthCodes(const std::string& auth_token); 137 138 // Sends an unregistration request to the server. 139 virtual void Unregister(); 140 141 // Upload a device certificate to the server. Like FetchPolicy, this method 142 // requires that the client is in a registered state. |certificate_data| must 143 // hold the X.509 certificate data to be sent to the server. The |callback| 144 // will be called when the operation completes. 145 virtual void UploadCertificate(const std::string& certificate_data, 146 const StatusCallback& callback); 147 148 // Adds an observer to be called back upon policy and state changes. 149 void AddObserver(Observer* observer); 150 151 // Removes the specified observer. 152 void RemoveObserver(Observer* observer); 153 set_submit_machine_id(bool submit_machine_id)154 void set_submit_machine_id(bool submit_machine_id) { 155 submit_machine_id_ = submit_machine_id; 156 } 157 set_last_policy_timestamp(const base::Time & timestamp)158 void set_last_policy_timestamp(const base::Time& timestamp) { 159 last_policy_timestamp_ = timestamp; 160 } 161 set_public_key_version(int public_key_version)162 void set_public_key_version(int public_key_version) { 163 public_key_version_ = public_key_version; 164 public_key_version_valid_ = true; 165 } 166 clear_public_key_version()167 void clear_public_key_version() { 168 public_key_version_valid_ = false; 169 } 170 171 // FetchPolicy() calls will request this policy namespace. 172 void AddNamespaceToFetch(const PolicyNamespaceKey& policy_ns_key); 173 174 // FetchPolicy() calls won't request the given policy namespace anymore. 175 void RemoveNamespaceToFetch(const PolicyNamespaceKey& policy_ns_key); 176 177 // Configures a set of device state keys to transfer to the server in the next 178 // policy fetch. If the fetch is successful, the keys will be cleared so they 179 // are only uploaded once. 180 void SetStateKeysToUpload(const std::vector<std::string>& keys); 181 182 // Whether the client is registered with the device management service. is_registered()183 bool is_registered() const { return !dm_token_.empty(); } 184 dm_token()185 const std::string& dm_token() const { return dm_token_; } client_id()186 const std::string& client_id() const { return client_id_; } 187 188 // The device mode as received in the registration request. device_mode()189 DeviceMode device_mode() const { return device_mode_; } 190 191 // The policy responses as obtained by the last request to the cloud. These 192 // policies haven't gone through verification, so their contents cannot be 193 // trusted. Use CloudPolicyStore::policy() and CloudPolicyStore::policy_map() 194 // instead for making policy decisions. responses()195 const ResponseMap& responses() const { 196 return responses_; 197 } 198 199 // Returns the policy response for |policy_ns_key|, if found in |responses()|; 200 // otherwise returns NULL. 201 const enterprise_management::PolicyFetchResponse* GetPolicyFor( 202 const PolicyNamespaceKey& policy_ns_key) const; 203 status()204 DeviceManagementStatus status() const { 205 return status_; 206 } 207 robot_api_auth_code()208 const std::string& robot_api_auth_code() const { 209 return robot_api_auth_code_; 210 } 211 212 // Returns the invalidation version that was used for the last FetchPolicy. 213 // Observers can call this method from their OnPolicyFetched method to 214 // determine which at which invalidation version the policy was fetched. fetched_invalidation_version()215 int64 fetched_invalidation_version() const { 216 return fetched_invalidation_version_; 217 } 218 219 scoped_refptr<net::URLRequestContextGetter> GetRequestContext(); 220 221 protected: 222 // A set of PolicyNamespaceKeys to fetch. 223 typedef std::set<PolicyNamespaceKey> NamespaceSet; 224 225 // Callback for retries of registration requests. 226 void OnRetryRegister(DeviceManagementRequestJob* job); 227 228 // Callback for registration requests. 229 void OnRegisterCompleted( 230 DeviceManagementStatus status, 231 int net_error, 232 const enterprise_management::DeviceManagementResponse& response); 233 234 // Callback for policy fetch requests. 235 void OnPolicyFetchCompleted( 236 DeviceManagementStatus status, 237 int net_error, 238 const enterprise_management::DeviceManagementResponse& response); 239 240 // Callback for robot account api authorization requests. 241 void OnFetchRobotAuthCodesCompleted( 242 DeviceManagementStatus status, 243 int net_error, 244 const enterprise_management::DeviceManagementResponse& response); 245 246 // Callback for unregistration requests. 247 void OnUnregisterCompleted( 248 DeviceManagementStatus status, 249 int net_error, 250 const enterprise_management::DeviceManagementResponse& response); 251 252 // Callback for certificate upload requests. 253 void OnCertificateUploadCompleted( 254 const StatusCallback& callback, 255 DeviceManagementStatus status, 256 int net_error, 257 const enterprise_management::DeviceManagementResponse& response); 258 259 // Observer notification helpers. 260 void NotifyPolicyFetched(); 261 void NotifyRegistrationStateChanged(); 262 void NotifyRobotAuthCodesFetched(); 263 void NotifyClientError(); 264 265 // Data necessary for constructing policy requests. 266 const std::string machine_id_; 267 const std::string machine_model_; 268 const std::string verification_key_hash_; 269 const UserAffiliation user_affiliation_; 270 NamespaceSet namespaces_to_fetch_; 271 std::vector<std::string> state_keys_to_upload_; 272 273 std::string dm_token_; 274 DeviceMode device_mode_; 275 std::string client_id_; 276 bool submit_machine_id_; 277 base::Time last_policy_timestamp_; 278 int public_key_version_; 279 bool public_key_version_valid_; 280 std::string robot_api_auth_code_; 281 282 // Information for the latest policy invalidation received. 283 int64 invalidation_version_; 284 std::string invalidation_payload_; 285 286 // The invalidation version used for the most recent fetch operation. 287 int64 fetched_invalidation_version_; 288 289 // Used for issuing requests to the cloud. 290 DeviceManagementService* service_; 291 scoped_ptr<DeviceManagementRequestJob> request_job_; 292 293 // Status upload data is produced by |status_provider_|. 294 StatusProvider* status_provider_; 295 296 // The policy responses returned by the last policy fetch operation. 297 ResponseMap responses_; 298 DeviceManagementStatus status_; 299 300 ObserverList<Observer, true> observers_; 301 scoped_refptr<net::URLRequestContextGetter> request_context_; 302 303 private: 304 DISALLOW_COPY_AND_ASSIGN(CloudPolicyClient); 305 }; 306 307 } // namespace policy 308 309 #endif // COMPONENTS_POLICY_CORE_COMMON_CLOUD_CLOUD_POLICY_CLIENT_H_ 310