1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
10 #include "base/basictypes.h"
11 #include "base/compiler_specific.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/memory/weak_ptr.h"
15 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
18 #include "components/policy/core/common/cloud/cloud_policy_client.h"
19 #include "components/policy/core/common/cloud/cloud_policy_store.h"
20 #include "google_apis/gaia/gaia_oauth_client.h"
21 #include "policy/proto/device_management_backend.pb.h"
24 class SequencedTaskRunner;
28 class DeviceSettingsService;
33 class DeviceCloudPolicyStoreChromeOS;
34 class ServerBackedStateKeysBroker;
36 // Implements the logic that establishes enterprise enrollment for Chromium OS
37 // devices. The process is as follows:
38 // 1. Given an auth token, register with the policy service.
39 // 2. Download the initial policy blob from the service.
40 // 3. Verify the policy blob. Everything up to this point doesn't touch device
42 // 4. Download the OAuth2 authorization code for device-level API access.
43 // 5. Download the OAuth2 refresh token for device-level API access and store
45 // 6. Establish the device lock in installation-time attributes.
46 // 7. Store the policy blob and API refresh token.
47 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
48 public CloudPolicyStore::Observer,
49 public gaia::GaiaOAuthClient::Delegate {
51 typedef DeviceCloudPolicyInitializer::AllowedDeviceModes
53 typedef DeviceCloudPolicyInitializer::EnrollmentCallback
56 // |store| and |install_attributes| must remain valid for the life time of the
57 // enrollment handler. |allowed_device_modes| determines what device modes
58 // are acceptable. If the mode specified by the server is not acceptable,
59 // enrollment will fail with an EnrollmentStatus indicating
60 // STATUS_REGISTRATION_BAD_MODE.
61 // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED.
62 EnrollmentHandlerChromeOS(
63 DeviceCloudPolicyStoreChromeOS* store,
64 EnterpriseInstallAttributes* install_attributes,
65 ServerBackedStateKeysBroker* state_keys_broker,
66 chromeos::DeviceSettingsService* device_settings_service,
67 scoped_ptr<CloudPolicyClient> client,
68 scoped_refptr<base::SequencedTaskRunner> background_task_runner,
69 const std::string& auth_token,
70 const std::string& client_id,
71 bool is_auto_enrollment,
72 const std::string& requisition,
73 const AllowedDeviceModes& allowed_device_modes,
74 enterprise_management::PolicyData::ManagementMode management_mode,
75 const EnrollmentCallback& completion_callback);
76 virtual ~EnrollmentHandlerChromeOS();
78 // Starts the enrollment process and reports the result to
79 // |completion_callback_|.
80 void StartEnrollment();
82 // Releases the client.
83 scoped_ptr<CloudPolicyClient> ReleaseClient();
85 // CloudPolicyClient::Observer:
86 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
87 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
88 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
89 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
91 // CloudPolicyStore::Observer:
92 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
93 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
95 // GaiaOAuthClient::Delegate:
96 virtual void OnGetTokensResponse(const std::string& refresh_token,
97 const std::string& access_token,
98 int expires_in_seconds) OVERRIDE;
99 virtual void OnRefreshTokenResponse(const std::string& access_token,
100 int expires_in_seconds) OVERRIDE;
101 virtual void OnOAuthError() OVERRIDE;
102 virtual void OnNetworkError(int response_code) OVERRIDE;
105 // Indicates what step of the process is currently pending. These steps need
106 // to be listed in the order they are traversed in.
107 enum EnrollmentStep {
108 STEP_PENDING, // Not started yet.
109 STEP_STATE_KEYS, // Waiting for state keys to become available.
110 STEP_LOADING_STORE, // Waiting for |store_| to initialize.
111 STEP_REGISTRATION, // Currently registering the client.
112 STEP_POLICY_FETCH, // Fetching policy.
113 STEP_VALIDATION, // Policy validation.
114 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code.
115 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token.
116 STEP_LOCK_DEVICE, // Writing installation-time attributes.
117 STEP_STORE_TOKEN_AND_ID, // Storing DM token and virtual device ID.
118 STEP_STORE_ROBOT_AUTH, // Encrypting & writing robot refresh token.
119 STEP_STORE_POLICY, // Storing policy and API refresh token.
120 STEP_FINISHED, // Enrollment process finished, no further action.
123 // Handles the response to a request for server-backed state keys.
124 void HandleStateKeysResult(const std::vector<std::string>& state_keys,
127 // Starts registration if the store is initialized.
128 void StartRegistration();
130 // Handles the policy validation result, proceeding with device lock if
132 void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator);
134 // Calls InstallAttributes::LockDevice() for enterprise enrollment and
135 // DeviceSettingsService::SetManagementSettings() for consumer
137 void StartLockDevice();
139 // Checks the status after SetManagementSettings() is done. Proceeds to
140 // robot auth code storing if successful.
141 void HandleSetManagementSettingsDone();
143 // Handle callback from InstallAttributes::LockDevice() and retry on failure.
144 void HandleLockDeviceResult(
145 EnterpriseInstallAttributes::LockResult lock_result);
147 // Initiates storing of robot auth token.
148 void StartStoreRobotAuth();
150 // Handles completion of the robot token store operation.
151 void HandleStoreRobotAuthTokenResult(bool result);
153 // Drops any ongoing actions.
156 // Reports the result of the enrollment process to the initiator.
157 void ReportResult(EnrollmentStatus status);
159 DeviceCloudPolicyStoreChromeOS* store_;
160 EnterpriseInstallAttributes* install_attributes_;
161 ServerBackedStateKeysBroker* state_keys_broker_;
162 chromeos::DeviceSettingsService* device_settings_service_;
163 scoped_ptr<CloudPolicyClient> client_;
164 scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
165 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
167 std::string auth_token_;
168 std::string client_id_;
169 bool is_auto_enrollment_;
170 std::string requisition_;
171 std::string current_state_key_;
172 std::string refresh_token_;
173 AllowedDeviceModes allowed_device_modes_;
174 enterprise_management::PolicyData::ManagementMode management_mode_;
175 EnrollmentCallback completion_callback_;
177 // The device mode as received in the registration request.
178 DeviceMode device_mode_;
180 // The validated policy response info to be installed in the store.
181 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
182 std::string username_;
183 std::string device_id_;
184 std::string request_token_;
186 // Current enrollment step.
187 EnrollmentStep enrollment_step_;
189 // Total amount of time in milliseconds spent waiting for lockbox
191 int lockbox_init_duration_;
193 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
195 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
198 } // namespace policy
200 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_