#include "base/time/time.h"
#include "chrome/browser/chrome_notification_types.h"
#include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
-#include "chrome/browser/chromeos/settings/owner_key_util.h"
#include "chrome/browser/chromeos/settings/session_manager_operation.h"
+#include "components/ownership/owner_key_util.h"
#include "components/policy/core/common/cloud/cloud_policy_constants.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/notification_service.h"
namespace em = enterprise_management;
+using ownership::OwnerKeyUtil;
+using ownership::PublicKey;
+
namespace {
// Delay between load retries when there was a validation error.
// of retry time.
int kMaxLoadRetries = (1000 * 60 * 10) / kLoadRetryDelayMs;
+// Assembles PolicyData based on |settings|, |policy_data| and
+// |user_id|.
+scoped_ptr<em::PolicyData> AssemblePolicy(
+ const std::string& user_id,
+ const em::PolicyData* policy_data,
+ const em::ChromeDeviceSettingsProto* settings) {
+ scoped_ptr<em::PolicyData> policy(new em::PolicyData());
+ if (policy_data) {
+ // Preserve management settings.
+ if (policy_data->has_management_mode())
+ policy->set_management_mode(policy_data->management_mode());
+ if (policy_data->has_request_token())
+ policy->set_request_token(policy_data->request_token());
+ if (policy_data->has_device_id())
+ policy->set_device_id(policy_data->device_id());
+ } else {
+ // If there's no previous policy data, this is the first time the device
+ // setting is set. We set the management mode to NOT_MANAGED initially.
+ policy->set_management_mode(em::PolicyData::NOT_MANAGED);
+ }
+ policy->set_policy_type(policy::dm_protocol::kChromeDevicePolicyType);
+ policy->set_timestamp(
+ (base::Time::Now() - base::Time::UnixEpoch()).InMilliseconds());
+ policy->set_username(user_id);
+ if (!settings->SerializeToString(policy->mutable_policy_value()))
+ return scoped_ptr<em::PolicyData>();
+
+ return policy.Pass();
+}
+
+// Returns true if it is okay to transfer from the current mode to the new
+// mode. This function should be called in SetManagementMode().
+bool CheckManagementModeTransition(em::PolicyData::ManagementMode current_mode,
+ em::PolicyData::ManagementMode new_mode) {
+ // Mode is not changed.
+ if (current_mode == new_mode)
+ return true;
+
+ switch (current_mode) {
+ case em::PolicyData::NOT_MANAGED:
+ // For consumer management enrollment.
+ return new_mode == em::PolicyData::CONSUMER_MANAGED;
+
+ case em::PolicyData::ENTERPRISE_MANAGED:
+ // Management mode cannot be set when it is currently ENTERPRISE_MANAGED.
+ return false;
+
+ case em::PolicyData::CONSUMER_MANAGED:
+ // For consumer management unenrollment.
+ return new_mode == em::PolicyData::NOT_MANAGED;
+ }
+
+ NOTREACHED();
+ return false;
+}
+
} // namespace
namespace chromeos {
void DeviceSettingsService::SignAndStore(
scoped_ptr<em::ChromeDeviceSettingsProto> new_settings,
const base::Closure& callback) {
- if (!delegate_)
+ if (!owner_settings_service_) {
HandleError(STORE_KEY_UNAVAILABLE, callback);
- else
- delegate_->SignAndStoreAsync(new_settings.Pass(), callback);
+ return;
+ }
+ scoped_ptr<em::PolicyData> policy =
+ AssemblePolicy(GetUsername(), policy_data(), new_settings.get());
+ if (!policy) {
+ HandleError(STORE_POLICY_ERROR, callback);
+ return;
+ }
+
+ owner_settings_service_->SignAndStorePolicyAsync(policy.Pass(), callback);
}
void DeviceSettingsService::SetManagementSettings(
const std::string& request_token,
const std::string& device_id,
const base::Closure& callback) {
- if (!delegate_) {
+ if (!owner_settings_service_) {
HandleError(STORE_KEY_UNAVAILABLE, callback);
- } else {
- delegate_->SetManagementSettingsAsync(
- management_mode, request_token, device_id, callback);
+ return;
+ }
+
+ em::PolicyData::ManagementMode current_mode = em::PolicyData::NOT_MANAGED;
+ if (policy_data() && policy_data()->has_management_mode())
+ current_mode = policy_data()->management_mode();
+
+ if (!CheckManagementModeTransition(current_mode, management_mode)) {
+ LOG(ERROR) << "Invalid management mode transition: current mode = "
+ << current_mode << ", new mode = " << management_mode;
+ HandleError(DeviceSettingsService::STORE_POLICY_ERROR, callback);
+ return;
+ }
+
+ scoped_ptr<em::PolicyData> policy =
+ AssemblePolicy(GetUsername(), policy_data(), device_settings());
+ if (!policy) {
+ HandleError(DeviceSettingsService::STORE_POLICY_ERROR, callback);
+ return;
}
+
+ policy->set_management_mode(management_mode);
+ policy->set_request_token(request_token);
+ policy->set_device_id(device_id);
+
+ owner_settings_service_->SignAndStorePolicyAsync(policy.Pass(), callback);
}
void DeviceSettingsService::Store(scoped_ptr<em::PolicyFetchResponse> policy,
DeviceSettingsService::OwnershipStatus
DeviceSettingsService::GetOwnershipStatus() {
- if (public_key_)
+ if (public_key_.get())
return public_key_->is_loaded() ? OWNERSHIP_TAKEN : OWNERSHIP_NONE;
return OWNERSHIP_UNKNOWN;
}
void DeviceSettingsService::GetOwnershipStatusAsync(
const OwnershipStatusCallback& callback) {
- if (public_key_) {
+ if (public_key_.get()) {
// If there is a key, report status immediately.
base::MessageLoop::current()->PostTask(
FROM_HERE, base::Bind(callback, GetOwnershipStatus()));
}
bool DeviceSettingsService::HasPrivateOwnerKey() {
- return delegate_ && delegate_->IsOwner();
+ return owner_settings_service_ && owner_settings_service_->IsOwner();
}
void DeviceSettingsService::InitOwner(
const std::string& username,
- const base::WeakPtr<PrivateKeyDelegate>& delegate) {
+ const base::WeakPtr<ownership::OwnerSettingsService>&
+ owner_settings_service) {
// When InitOwner() is called twice with the same |username| it's
// worth to reload settings since owner key may become available.
if (!username_.empty() && username_ != username)
return;
username_ = username;
- delegate_ = delegate;
+ owner_settings_service_ = owner_settings_service;
EnsureReload(true);
}
base::Closure()));
operation->set_force_key_load(force_key_load);
operation->set_username(username_);
- operation->set_delegate(delegate_);
+ operation->set_owner_settings_service(owner_settings_service_);
Enqueue(operation);
}
void DeviceSettingsService::EnsureReload(bool force_key_load) {
if (!pending_operations_.empty()) {
pending_operations_.front()->set_username(username_);
- pending_operations_.front()->set_delegate(delegate_);
+ pending_operations_.front()->set_owner_settings_service(
+ owner_settings_service_);
pending_operations_.front()->RestartLoad(force_key_load);
} else {
EnqueueLoad(force_key_load);