src/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
   6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
   7
   8 #include <string>
   9
  10 #include "base/basictypes.h"
  11 #include "base/compiler_specific.h"
  12 #include "base/memory/ref_counted.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/memory/weak_ptr.h"
  15 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
  16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
  17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
  18 #include "components/policy/core/common/cloud/cloud_policy_client.h"
  19 #include "components/policy/core/common/cloud/cloud_policy_store.h"
  20 #include "google_apis/gaia/gaia_oauth_client.h"
  21 #include "policy/proto/device_management_backend.pb.h"
  22
  23 namespace base {
  24 class SequencedTaskRunner;
  25 }
  26
  27 namespace chromeos {
  28 class DeviceSettingsService;
  29 }
  30
  31 namespace policy {
  32
  33 class DeviceCloudPolicyStoreChromeOS;
  34 class ServerBackedStateKeysBroker;
  35
  36 // Implements the logic that establishes enterprise enrollment for Chromium OS
  37 // devices. The process is as follows:
  38 //   1. Given an auth token, register with the policy service.
  39 //   2. Download the initial policy blob from the service.
  40 //   3. Verify the policy blob. Everything up to this point doesn't touch device
  41 //      state.
  42 //   4. Download the OAuth2 authorization code for device-level API access.
  43 //   5. Download the OAuth2 refresh token for device-level API access and store
  44 //      it.
  45 //   6. Establish the device lock in installation-time attributes.
  46 //   7. Store the policy blob and API refresh token.
  47 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
  48                                   public CloudPolicyStore::Observer,
  49                                   public gaia::GaiaOAuthClient::Delegate {
  50  public:
  51   typedef DeviceCloudPolicyInitializer::AllowedDeviceModes
  52       AllowedDeviceModes;
  53   typedef DeviceCloudPolicyInitializer::EnrollmentCallback
  54       EnrollmentCallback;
  55
  56   // |store| and |install_attributes| must remain valid for the life time of the
  57   // enrollment handler. |allowed_device_modes| determines what device modes
  58   // are acceptable. If the mode specified by the server is not acceptable,
  59   // enrollment will fail with an EnrollmentStatus indicating
  60   // STATUS_REGISTRATION_BAD_MODE.
  61   // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED.
  62   EnrollmentHandlerChromeOS(
  63       DeviceCloudPolicyStoreChromeOS* store,
  64       EnterpriseInstallAttributes* install_attributes,
  65       ServerBackedStateKeysBroker* state_keys_broker,
  66       chromeos::DeviceSettingsService* device_settings_service,
  67       scoped_ptr<CloudPolicyClient> client,
  68       scoped_refptr<base::SequencedTaskRunner> background_task_runner,
  69       const std::string& auth_token,
  70       const std::string& client_id,
  71       bool is_auto_enrollment,
  72       const std::string& requisition,
  73       const AllowedDeviceModes& allowed_device_modes,
  74       enterprise_management::PolicyData::ManagementMode management_mode,
  75       const EnrollmentCallback& completion_callback);
  76   virtual ~EnrollmentHandlerChromeOS();
  77
  78   // Starts the enrollment process and reports the result to
  79   // |completion_callback_|.
  80   void StartEnrollment();
  81
  82   // Releases the client.
  83   scoped_ptr<CloudPolicyClient> ReleaseClient();
  84
  85   // CloudPolicyClient::Observer:
  86   virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
  87   virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
  88   virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
  89   virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
  90
  91   // CloudPolicyStore::Observer:
  92   virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
  93   virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
  94
  95   // GaiaOAuthClient::Delegate:
  96   virtual void OnGetTokensResponse(const std::string& refresh_token,
  97                                    const std::string& access_token,
  98                                    int expires_in_seconds) OVERRIDE;
  99   virtual void OnRefreshTokenResponse(const std::string& access_token,
 100                                       int expires_in_seconds) OVERRIDE;
 101   virtual void OnOAuthError() OVERRIDE;
 102   virtual void OnNetworkError(int response_code) OVERRIDE;
 103
 104  private:
 105   // Indicates what step of the process is currently pending. These steps need
 106   // to be listed in the order they are traversed in.
 107   enum EnrollmentStep {
 108     STEP_PENDING,             // Not started yet.
 109     STEP_STATE_KEYS,          // Waiting for state keys to become available.
 110     STEP_LOADING_STORE,       // Waiting for |store_| to initialize.
 111     STEP_REGISTRATION,        // Currently registering the client.
 112     STEP_POLICY_FETCH,        // Fetching policy.
 113     STEP_VALIDATION,          // Policy validation.
 114     STEP_ROBOT_AUTH_FETCH,    // Fetching device API auth code.
 115     STEP_ROBOT_AUTH_REFRESH,  // Fetching device API refresh token.
 116     STEP_LOCK_DEVICE,         // Writing installation-time attributes.
 117     STEP_STORE_TOKEN_AND_ID,  // Storing DM token and virtual device ID.
 118     STEP_STORE_ROBOT_AUTH,    // Encrypting & writing robot refresh token.
 119     STEP_STORE_POLICY,        // Storing policy and API refresh token.
 120     STEP_FINISHED,            // Enrollment process finished, no further action.
 121   };
 122
 123   // Handles the response to a request for server-backed state keys.
 124   void HandleStateKeysResult(const std::vector<std::string>& state_keys,
 125                              bool first_boot);
 126
 127   // Starts registration if the store is initialized.
 128   void StartRegistration();
 129
 130   // Handles the policy validation result, proceeding with device lock if
 131   // successful.
 132   void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator);
 133
 134   // Calls InstallAttributes::LockDevice() for enterprise enrollment and
 135   // DeviceSettingsService::SetManagementSettings() for consumer
 136   // enrollment.
 137   void StartLockDevice();
 138
 139   // Checks the status after SetManagementSettings() is done. Proceeds to
 140   // robot auth code storing if successful.
 141   void HandleSetManagementSettingsDone();
 142
 143   // Handle callback from InstallAttributes::LockDevice() and retry on failure.
 144   void HandleLockDeviceResult(
 145       EnterpriseInstallAttributes::LockResult lock_result);
 146
 147   // Initiates storing of robot auth token.
 148   void StartStoreRobotAuth();
 149
 150   // Handles completion of the robot token store operation.
 151   void HandleStoreRobotAuthTokenResult(bool result);
 152
 153   // Drops any ongoing actions.
 154   void Stop();
 155
 156   // Reports the result of the enrollment process to the initiator.
 157   void ReportResult(EnrollmentStatus status);
 158
 159   DeviceCloudPolicyStoreChromeOS* store_;
 160   EnterpriseInstallAttributes* install_attributes_;
 161   ServerBackedStateKeysBroker* state_keys_broker_;
 162   chromeos::DeviceSettingsService* device_settings_service_;
 163   scoped_ptr<CloudPolicyClient> client_;
 164   scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
 165   scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
 166
 167   std::string auth_token_;
 168   std::string client_id_;
 169   bool is_auto_enrollment_;
 170   std::string requisition_;
 171   std::string current_state_key_;
 172   std::string refresh_token_;
 173   AllowedDeviceModes allowed_device_modes_;
 174   enterprise_management::PolicyData::ManagementMode management_mode_;
 175   EnrollmentCallback completion_callback_;
 176
 177   // The device mode as received in the registration request.
 178   DeviceMode device_mode_;
 179
 180   // The validated policy response info to be installed in the store.
 181   scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
 182   std::string username_;
 183   std::string device_id_;
 184   std::string request_token_;
 185
 186   // Current enrollment step.
 187   EnrollmentStep enrollment_step_;
 188
 189   // Total amount of time in milliseconds spent waiting for lockbox
 190   // initialization.
 191   int lockbox_init_duration_;
 192
 193   base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
 194
 195   DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
 196 };
 197
 198 }  // namespace policy
 199
 200 #endif  // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_