1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
8 #include "base/command_line.h"
9 #include "base/logging.h"
10 #include "base/message_loop/message_loop.h"
11 #include "chrome/browser/browser_process.h"
12 #include "chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h"
13 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
14 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
15 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
16 #include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
17 #include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
18 #include "chrome/browser/chromeos/settings/device_settings_service.h"
19 #include "chromeos/chromeos_switches.h"
20 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
21 #include "google_apis/gaia/gaia_urls.h"
22 #include "net/http/http_status_code.h"
24 namespace em = enterprise_management;
30 // Retry for InstallAttrs initialization every 500ms.
31 const int kLockRetryIntervalMs = 500;
32 // Maximum time to retry InstallAttrs initialization before we give up.
33 const int kLockRetryTimeoutMs = 10 * 60 * 1000; // 10 minutes.
35 // Testing token used when the enrollment-skip-robot-auth is set to skip talking
36 // to GAIA for an actual token. This is needed to be able to run against the
37 // testing DMServer implementations.
38 const char kTestingRobotToken[] = "test-token";
42 EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
43 DeviceCloudPolicyStoreChromeOS* store,
44 EnterpriseInstallAttributes* install_attributes,
45 ServerBackedStateKeysBroker* state_keys_broker,
46 chromeos::DeviceSettingsService* device_settings_service,
47 scoped_ptr<CloudPolicyClient> client,
48 scoped_refptr<base::SequencedTaskRunner> background_task_runner,
49 const std::string& auth_token,
50 const std::string& client_id,
51 bool is_auto_enrollment,
52 const std::string& requisition,
53 const AllowedDeviceModes& allowed_device_modes,
54 em::PolicyData::ManagementMode management_mode,
55 const EnrollmentCallback& completion_callback)
57 install_attributes_(install_attributes),
58 state_keys_broker_(state_keys_broker),
59 device_settings_service_(device_settings_service),
60 client_(client.Pass()),
61 background_task_runner_(background_task_runner),
62 auth_token_(auth_token),
63 client_id_(client_id),
64 is_auto_enrollment_(is_auto_enrollment),
65 requisition_(requisition),
66 allowed_device_modes_(allowed_device_modes),
67 management_mode_(management_mode),
68 completion_callback_(completion_callback),
69 device_mode_(DEVICE_MODE_NOT_SET),
70 enrollment_step_(STEP_PENDING),
71 lockbox_init_duration_(0),
72 weak_ptr_factory_(this) {
73 CHECK(!client_->is_registered());
74 CHECK_EQ(DM_STATUS_SUCCESS, client_->status());
75 CHECK(management_mode_ == em::PolicyData::ENTERPRISE_MANAGED ||
76 management_mode_ == em::PolicyData::CONSUMER_MANAGED);
77 store_->AddObserver(this);
78 client_->AddObserver(this);
79 client_->AddNamespaceToFetch(PolicyNamespaceKey(
80 dm_protocol::kChromeDevicePolicyType, std::string()));
83 EnrollmentHandlerChromeOS::~EnrollmentHandlerChromeOS() {
85 store_->RemoveObserver(this);
88 void EnrollmentHandlerChromeOS::StartEnrollment() {
89 CHECK_EQ(STEP_PENDING, enrollment_step_);
90 enrollment_step_ = STEP_STATE_KEYS;
91 state_keys_broker_->RequestStateKeys(
92 base::Bind(&EnrollmentHandlerChromeOS::HandleStateKeysResult,
93 weak_ptr_factory_.GetWeakPtr()));
96 scoped_ptr<CloudPolicyClient> EnrollmentHandlerChromeOS::ReleaseClient() {
98 return client_.Pass();
101 void EnrollmentHandlerChromeOS::OnPolicyFetched(CloudPolicyClient* client) {
102 DCHECK_EQ(client_.get(), client);
103 CHECK_EQ(STEP_POLICY_FETCH, enrollment_step_);
105 enrollment_step_ = STEP_VALIDATION;
107 // Validate the policy.
108 const em::PolicyFetchResponse* policy = client_->GetPolicyFor(
109 PolicyNamespaceKey(dm_protocol::kChromeDevicePolicyType, std::string()));
111 ReportResult(EnrollmentStatus::ForFetchError(
112 DM_STATUS_RESPONSE_DECODING_ERROR));
116 scoped_ptr<DeviceCloudPolicyValidator> validator(
117 DeviceCloudPolicyValidator::Create(
118 scoped_ptr<em::PolicyFetchResponse>(
119 new em::PolicyFetchResponse(*policy)),
120 background_task_runner_));
122 validator->ValidateTimestamp(base::Time(), base::Time::NowFromSystemTime(),
123 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
125 // If this is re-enrollment, make sure that the new policy matches the
126 // previously-enrolled domain.
128 if (install_attributes_->IsEnterpriseDevice()) {
129 domain = install_attributes_->GetDomain();
130 validator->ValidateDomain(domain);
132 validator->ValidateDMToken(client->dm_token(),
133 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
134 validator->ValidatePolicyType(dm_protocol::kChromeDevicePolicyType);
135 validator->ValidatePayload();
136 if (management_mode_ == em::PolicyData::CONSUMER_MANAGED) {
137 // For consumer-managed devices, although we don't store the policy, we
138 // still need to verify its integrity since we use the request token in it.
139 // The consumer device management server does not have the verification
140 // key, and we need to skip checking on that by passing an empty key to
141 // ValidateInitialKey(). ValidateInitialKey() still checks that the policy
142 // data is correctly signed by the new public key when the verification key
144 validator->ValidateInitialKey("", "");
146 // If |domain| is empty here, the policy validation code will just use the
147 // domain from the username field in the policy itself to do key validation.
148 // TODO(mnissler): Plumb the enrolling user's username into this object so
149 // we can validate the username on the resulting policy, and use the domain
150 // from that username to validate the key below (http://crbug.com/343074).
151 validator->ValidateInitialKey(GetPolicyVerificationKey(), domain);
153 validator.release()->StartValidation(
154 base::Bind(&EnrollmentHandlerChromeOS::HandlePolicyValidationResult,
155 weak_ptr_factory_.GetWeakPtr()));
158 void EnrollmentHandlerChromeOS::OnRegistrationStateChanged(
159 CloudPolicyClient* client) {
160 DCHECK_EQ(client_.get(), client);
162 if (enrollment_step_ == STEP_REGISTRATION && client_->is_registered()) {
163 enrollment_step_ = STEP_POLICY_FETCH,
164 device_mode_ = client_->device_mode();
165 if (device_mode_ == DEVICE_MODE_NOT_SET)
166 device_mode_ = DEVICE_MODE_ENTERPRISE;
167 if (!allowed_device_modes_.test(device_mode_)) {
168 LOG(ERROR) << "Bad device mode " << device_mode_;
169 ReportResult(EnrollmentStatus::ForStatus(
170 EnrollmentStatus::STATUS_REGISTRATION_BAD_MODE));
173 client_->FetchPolicy();
175 LOG(FATAL) << "Registration state changed to " << client_->is_registered()
176 << " in step " << enrollment_step_ << ".";
180 void EnrollmentHandlerChromeOS::OnClientError(CloudPolicyClient* client) {
181 DCHECK_EQ(client_.get(), client);
183 if (enrollment_step_ == STEP_ROBOT_AUTH_FETCH) {
184 LOG(ERROR) << "API authentication code fetch failed: "
185 << client_->status();
186 ReportResult(EnrollmentStatus::ForRobotAuthFetchError(client_->status()));
187 } else if (enrollment_step_ < STEP_POLICY_FETCH) {
188 ReportResult(EnrollmentStatus::ForRegistrationError(client_->status()));
190 ReportResult(EnrollmentStatus::ForFetchError(client_->status()));
194 void EnrollmentHandlerChromeOS::OnStoreLoaded(CloudPolicyStore* store) {
195 DCHECK_EQ(store_, store);
197 if (enrollment_step_ == STEP_LOADING_STORE) {
198 // If the |store_| wasn't initialized when StartEnrollment() was called,
199 // then StartRegistration() bails silently. This gets registration rolling
200 // again after the store finishes loading.
202 } else if (enrollment_step_ == STEP_STORE_POLICY) {
203 ReportResult(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS));
207 void EnrollmentHandlerChromeOS::OnStoreError(CloudPolicyStore* store) {
208 DCHECK_EQ(store_, store);
209 if (enrollment_step_ == STEP_STORE_TOKEN_AND_ID) {
210 // Calling DeviceSettingsService::SetManagementSettings() on a non-
211 // enterprise-managed device will trigger OnStoreError(), as
212 // DeviceCloudPolicyStore listens to all changes on DeviceSettingsService,
213 // and it calls OnStoreError() when the device is not enterprise-managed.
216 ReportResult(EnrollmentStatus::ForStoreError(store_->status(),
217 store_->validation_status()));
220 void EnrollmentHandlerChromeOS::HandleStateKeysResult(
221 const std::vector<std::string>& state_keys) {
222 CHECK_EQ(STEP_STATE_KEYS, enrollment_step_);
224 // Make sure state keys are available if forced re-enrollment is on.
225 if (chromeos::AutoEnrollmentController::GetMode() ==
226 chromeos::AutoEnrollmentController::MODE_FORCED_RE_ENROLLMENT) {
227 client_->SetStateKeysToUpload(state_keys);
228 current_state_key_ = state_keys_broker_->current_state_key();
229 if (state_keys.empty() || current_state_key_.empty()) {
231 EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_NO_STATE_KEYS));
236 enrollment_step_ = STEP_LOADING_STORE;
240 void EnrollmentHandlerChromeOS::StartRegistration() {
241 CHECK_EQ(STEP_LOADING_STORE, enrollment_step_);
242 if (store_->is_initialized()) {
243 enrollment_step_ = STEP_REGISTRATION;
244 client_->Register(em::DeviceRegisterRequest::DEVICE,
245 auth_token_, client_id_, is_auto_enrollment_,
246 requisition_, current_state_key_);
248 // Do nothing. StartRegistration() will be called again from OnStoreLoaded()
249 // after the CloudPolicyStore has initialized.
253 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
254 DeviceCloudPolicyValidator* validator) {
255 CHECK_EQ(STEP_VALIDATION, enrollment_step_);
256 if (validator->success()) {
257 policy_ = validator->policy().Pass();
258 username_ = validator->policy_data()->username();
259 device_id_ = validator->policy_data()->device_id();
260 request_token_ = validator->policy_data()->request_token();
262 if (CommandLine::ForCurrentProcess()->HasSwitch(
263 chromeos::switches::kEnterpriseEnrollmentSkipRobotAuth)) {
264 // For test purposes we allow enrollment to succeed without proper robot
265 // account and use the provided value as a token.
266 refresh_token_ = kTestingRobotToken;
267 enrollment_step_ = STEP_LOCK_DEVICE;
272 enrollment_step_ = STEP_ROBOT_AUTH_FETCH;
273 client_->FetchRobotAuthCodes(auth_token_);
275 ReportResult(EnrollmentStatus::ForValidationError(validator->status()));
279 void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
280 CloudPolicyClient* client) {
281 DCHECK_EQ(client_.get(), client);
282 CHECK_EQ(STEP_ROBOT_AUTH_FETCH, enrollment_step_);
284 enrollment_step_ = STEP_ROBOT_AUTH_REFRESH;
286 gaia::OAuthClientInfo client_info;
287 client_info.client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
288 client_info.client_secret =
289 GaiaUrls::GetInstance()->oauth2_chrome_client_secret();
290 client_info.redirect_uri = "oob";
292 // Use the system request context to avoid sending user cookies.
293 gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
294 g_browser_process->system_request_context()));
295 gaia_oauth_client_->GetTokensFromAuthCode(client_info,
296 client->robot_api_auth_code(),
301 // GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
302 void EnrollmentHandlerChromeOS::OnGetTokensResponse(
303 const std::string& refresh_token,
304 const std::string& access_token,
305 int expires_in_seconds) {
306 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
308 refresh_token_ = refresh_token;
310 enrollment_step_ = STEP_LOCK_DEVICE;
314 // GaiaOAuthClient::Delegate
315 void EnrollmentHandlerChromeOS::OnRefreshTokenResponse(
316 const std::string& access_token,
317 int expires_in_seconds) {
318 // We never use the code that should trigger this callback.
319 LOG(FATAL) << "Unexpected callback invoked.";
322 // GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request.
323 void EnrollmentHandlerChromeOS::OnOAuthError() {
324 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
325 // OnOAuthError is only called if the request is bad (malformed) or the
326 // response is bad (empty access token returned).
327 LOG(ERROR) << "OAuth protocol error while fetching API refresh token.";
329 EnrollmentStatus::ForRobotRefreshFetchError(net::HTTP_BAD_REQUEST));
332 // GaiaOAuthClient::Delegate network error when fetching refresh token.
333 void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
334 CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
335 LOG(ERROR) << "Network error while fetching API refresh token: "
338 EnrollmentStatus::ForRobotRefreshFetchError(response_code));
341 void EnrollmentHandlerChromeOS::StartLockDevice() {
342 CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
343 // Since this method is also called directly.
344 weak_ptr_factory_.InvalidateWeakPtrs();
346 if (management_mode_ == em::PolicyData::CONSUMER_MANAGED) {
347 // Consumer device enrollment doesn't use install attributes. Instead,
348 // we put the information in the owners settings.
349 enrollment_step_ = STEP_STORE_TOKEN_AND_ID;
350 device_settings_service_->SetManagementSettings(
351 management_mode_, request_token_, device_id_,
352 base::Bind(&EnrollmentHandlerChromeOS::HandleSetManagementSettingsDone,
353 weak_ptr_factory_.GetWeakPtr()));
355 install_attributes_->LockDevice(
356 username_, device_mode_, device_id_,
357 base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult,
358 weak_ptr_factory_.GetWeakPtr()));
362 void EnrollmentHandlerChromeOS::HandleSetManagementSettingsDone() {
363 CHECK_EQ(STEP_STORE_TOKEN_AND_ID, enrollment_step_);
364 if (device_settings_service_->status() !=
365 chromeos::DeviceSettingsService::STORE_SUCCESS) {
366 ReportResult(EnrollmentStatus::ForStatus(
367 EnrollmentStatus::STATUS_STORE_TOKEN_AND_ID_FAILED));
371 StartStoreRobotAuth();
374 void EnrollmentHandlerChromeOS::HandleLockDeviceResult(
375 EnterpriseInstallAttributes::LockResult lock_result) {
376 CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
377 switch (lock_result) {
378 case EnterpriseInstallAttributes::LOCK_SUCCESS:
379 StartStoreRobotAuth();
381 case EnterpriseInstallAttributes::LOCK_NOT_READY:
382 // We wait up to |kLockRetryTimeoutMs| milliseconds and if it hasn't
383 // succeeded by then show an error to the user and stop the enrollment.
384 if (lockbox_init_duration_ < kLockRetryTimeoutMs) {
385 // InstallAttributes not ready yet, retry later.
386 LOG(WARNING) << "Install Attributes not ready yet will retry in "
387 << kLockRetryIntervalMs << "ms.";
388 base::MessageLoop::current()->PostDelayedTask(
390 base::Bind(&EnrollmentHandlerChromeOS::StartLockDevice,
391 weak_ptr_factory_.GetWeakPtr()),
392 base::TimeDelta::FromMilliseconds(kLockRetryIntervalMs));
393 lockbox_init_duration_ += kLockRetryIntervalMs;
395 HandleLockDeviceResult(EnterpriseInstallAttributes::LOCK_TIMEOUT);
398 case EnterpriseInstallAttributes::LOCK_TIMEOUT:
399 case EnterpriseInstallAttributes::LOCK_BACKEND_INVALID:
400 case EnterpriseInstallAttributes::LOCK_ALREADY_LOCKED:
401 case EnterpriseInstallAttributes::LOCK_SET_ERROR:
402 case EnterpriseInstallAttributes::LOCK_FINALIZE_ERROR:
403 case EnterpriseInstallAttributes::LOCK_READBACK_ERROR:
404 case EnterpriseInstallAttributes::LOCK_WRONG_DOMAIN:
405 ReportResult(EnrollmentStatus::ForLockError(lock_result));
410 void EnrollmentHandlerChromeOS::StartStoreRobotAuth() {
411 // Get the token service so we can store our robot refresh token.
412 enrollment_step_ = STEP_STORE_ROBOT_AUTH;
413 chromeos::DeviceOAuth2TokenServiceFactory::Get()->SetAndSaveRefreshToken(
415 base::Bind(&EnrollmentHandlerChromeOS::HandleStoreRobotAuthTokenResult,
416 weak_ptr_factory_.GetWeakPtr()));
419 void EnrollmentHandlerChromeOS::HandleStoreRobotAuthTokenResult(bool result) {
420 CHECK_EQ(STEP_STORE_ROBOT_AUTH, enrollment_step_);
423 LOG(ERROR) << "Failed to store API refresh token.";
424 ReportResult(EnrollmentStatus::ForStatus(
425 EnrollmentStatus::STATUS_ROBOT_REFRESH_STORE_FAILED));
429 if (management_mode_ == em::PolicyData::CONSUMER_MANAGED) {
430 // For consumer management enrollment, we don't store the policy.
431 ReportResult(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS));
435 enrollment_step_ = STEP_STORE_POLICY;
436 store_->InstallInitialPolicy(*policy_);
439 void EnrollmentHandlerChromeOS::Stop() {
441 client_->RemoveObserver(this);
442 enrollment_step_ = STEP_FINISHED;
443 weak_ptr_factory_.InvalidateWeakPtrs();
444 completion_callback_.Reset();
447 void EnrollmentHandlerChromeOS::ReportResult(EnrollmentStatus status) {
448 EnrollmentCallback callback = completion_callback_;
451 if (status.status() != EnrollmentStatus::STATUS_SUCCESS) {
452 LOG(WARNING) << "Enrollment failed: " << status.status()
453 << ", client: " << status.client_status()
454 << ", validation: " << status.validation_status()
455 << ", store: " << status.store_status()
456 << ", lock: " << status.lock_status();
459 if (!callback.is_null())
460 callback.Run(status);
463 } // namespace policy