1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
10 #include "base/basictypes.h"
11 #include "base/compiler_specific.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/memory/weak_ptr.h"
15 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
17 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
18 #include "components/policy/core/common/cloud/cloud_policy_client.h"
19 #include "components/policy/core/common/cloud/cloud_policy_store.h"
20 #include "google_apis/gaia/gaia_oauth_client.h"
23 class SequencedTaskRunner;
26 namespace enterprise_management {
27 class PolicyFetchResponse;
32 class ServerBackedStateKeysBroker;
34 // Implements the logic that establishes enterprise enrollment for Chromium OS
35 // devices. The process is as follows:
36 // 1. Given an auth token, register with the policy service.
37 // 2. Download the initial policy blob from the service.
38 // 3. Verify the policy blob. Everything up to this point doesn't touch device
40 // 4. Download the OAuth2 authorization code for device-level API access.
41 // 5. Download the OAuth2 refresh token for device-level API access and store
43 // 6. Establish the device lock in installation-time attributes.
44 // 7. Store the policy blob and API refresh token.
45 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
46 public CloudPolicyStore::Observer,
47 public gaia::GaiaOAuthClient::Delegate {
49 typedef DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes
51 typedef DeviceCloudPolicyManagerChromeOS::EnrollmentCallback
54 // |store| and |install_attributes| must remain valid for the life time of the
55 // enrollment handler. |allowed_device_modes| determines what device modes
56 // are acceptable. If the mode specified by the server is not acceptable,
57 // enrollment will fail with an EnrollmentStatus indicating
58 // STATUS_REGISTRATION_BAD_MODE.
59 EnrollmentHandlerChromeOS(
60 DeviceCloudPolicyStoreChromeOS* store,
61 EnterpriseInstallAttributes* install_attributes,
62 ServerBackedStateKeysBroker* state_keys_broker,
63 scoped_ptr<CloudPolicyClient> client,
64 scoped_refptr<base::SequencedTaskRunner> background_task_runner,
65 const std::string& auth_token,
66 const std::string& client_id,
67 bool is_auto_enrollment,
68 const std::string& requisition,
69 const AllowedDeviceModes& allowed_device_modes,
70 const EnrollmentCallback& completion_callback);
71 virtual ~EnrollmentHandlerChromeOS();
73 // Starts the enrollment process and reports the result to
74 // |completion_callback_|.
75 void StartEnrollment();
77 // Releases the client.
78 scoped_ptr<CloudPolicyClient> ReleaseClient();
80 // CloudPolicyClient::Observer:
81 virtual void OnPolicyFetched(CloudPolicyClient* client) OVERRIDE;
82 virtual void OnRegistrationStateChanged(CloudPolicyClient* client) OVERRIDE;
83 virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client) OVERRIDE;
84 virtual void OnClientError(CloudPolicyClient* client) OVERRIDE;
86 // CloudPolicyStore::Observer:
87 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE;
88 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE;
90 // GaiaOAuthClient::Delegate:
91 virtual void OnGetTokensResponse(const std::string& refresh_token,
92 const std::string& access_token,
93 int expires_in_seconds) OVERRIDE;
94 virtual void OnRefreshTokenResponse(const std::string& access_token,
95 int expires_in_seconds) OVERRIDE;
96 virtual void OnOAuthError() OVERRIDE;
97 virtual void OnNetworkError(int response_code) OVERRIDE;
100 // Indicates what step of the process is currently pending. These steps need
101 // to be listed in the order they are traversed in.
102 enum EnrollmentStep {
103 STEP_PENDING, // Not started yet.
104 STEP_STATE_KEYS, // Waiting for state keys to become available.
105 STEP_LOADING_STORE, // Waiting for |store_| to initialize.
106 STEP_REGISTRATION, // Currently registering the client.
107 STEP_POLICY_FETCH, // Fetching policy.
108 STEP_VALIDATION, // Policy validation.
109 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code.
110 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token.
111 STEP_LOCK_DEVICE, // Writing installation-time attributes.
112 STEP_STORE_ROBOT_AUTH, // Encrypting & writing robot refresh token.
113 STEP_STORE_POLICY, // Storing policy and API refresh token.
114 STEP_FINISHED, // Enrollment process finished, no further action.
117 // Handles the response to a request for server-backed state keys.
118 void CheckStateKeys(const std::vector<std::string>& state_keys);
120 // Starts registration if the store is initialized.
121 void AttemptRegistration();
123 // Handles the policy validation result, proceeding with installation-time
124 // attributes locking if successful.
125 void PolicyValidated(DeviceCloudPolicyValidator* validator);
127 // Calls LockDevice() and proceeds to policy installation. If unsuccessful,
128 // reports the result. Actual installation or error report will be done in
129 // HandleLockDeviceResult().
130 void StartLockDevice(const std::string& user,
131 DeviceMode device_mode,
132 const std::string& device_id);
134 // Helper for StartLockDevice(). It performs the actual action based on
135 // the result of LockDevice.
136 void HandleLockDeviceResult(
137 const std::string& user,
138 DeviceMode device_mode,
139 const std::string& device_id,
140 EnterpriseInstallAttributes::LockResult lock_result);
142 // Handles completion of the robot token store operation.
143 void HandleRobotAuthTokenStored(bool result);
145 // Drops any ongoing actions.
148 // Reports the result of the enrollment process to the initiator.
149 void ReportResult(EnrollmentStatus status);
151 DeviceCloudPolicyStoreChromeOS* store_;
152 EnterpriseInstallAttributes* install_attributes_;
153 ServerBackedStateKeysBroker* state_keys_broker_;
154 scoped_ptr<CloudPolicyClient> client_;
155 scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
156 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
158 std::string auth_token_;
159 std::string client_id_;
160 bool is_auto_enrollment_;
161 std::string requisition_;
162 std::string current_state_key_;
163 std::string refresh_token_;
164 AllowedDeviceModes allowed_device_modes_;
165 EnrollmentCallback completion_callback_;
167 // The device mode as received in the registration request.
168 DeviceMode device_mode_;
170 // The validated policy response info to be installed in the store.
171 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
172 std::string username_;
173 std::string device_id_;
175 // Current enrollment step.
176 EnrollmentStep enrollment_step_;
178 // Total amount of time in milliseconds spent waiting for lockbox
180 int lockbox_init_duration_;
182 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
184 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
187 } // namespace policy
189 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_