1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
10 #include "base/basictypes.h"
11 #include "base/compiler_specific.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/memory/weak_ptr.h"
15 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
17 #include "chrome/browser/chromeos/policy/enrollment_config.h"
18 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
19 #include "components/policy/core/common/cloud/cloud_policy_client.h"
20 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
21 #include "components/policy/core/common/cloud/cloud_policy_store.h"
22 #include "google_apis/gaia/gaia_oauth_client.h"
23 #include "policy/proto/device_management_backend.pb.h"
26 class SequencedTaskRunner
;
30 class OwnerSettingsServiceChromeOS
;
35 class DeviceCloudPolicyStoreChromeOS
;
36 class ServerBackedStateKeysBroker
;
38 // Implements the logic that establishes enterprise enrollment for Chromium OS
39 // devices. The process is as follows:
40 // 1. Given an auth token, register with the policy service.
41 // 2. Download the initial policy blob from the service.
42 // 3. Verify the policy blob. Everything up to this point doesn't touch device
44 // 4. Download the OAuth2 authorization code for device-level API access.
45 // 5. Download the OAuth2 refresh token for device-level API access and store
47 // 6. Establish the device lock in installation-time attributes.
48 // 7. Store the policy blob and API refresh token.
49 class EnrollmentHandlerChromeOS
: public CloudPolicyClient::Observer
,
50 public CloudPolicyStore::Observer
,
51 public gaia::GaiaOAuthClient::Delegate
{
53 typedef DeviceCloudPolicyInitializer::AllowedDeviceModes
55 typedef DeviceCloudPolicyInitializer::EnrollmentCallback
58 // |store| and |install_attributes| must remain valid for the life time of the
59 // enrollment handler. |allowed_device_modes| determines what device modes
60 // are acceptable. If the mode specified by the server is not acceptable,
61 // enrollment will fail with an EnrollmentStatus indicating
62 // STATUS_REGISTRATION_BAD_MODE.
63 // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED.
64 EnrollmentHandlerChromeOS(
65 DeviceCloudPolicyStoreChromeOS
* store
,
66 EnterpriseInstallAttributes
* install_attributes
,
67 ServerBackedStateKeysBroker
* state_keys_broker
,
68 chromeos::OwnerSettingsServiceChromeOS
* owner_settings_service
,
69 scoped_ptr
<CloudPolicyClient
> client
,
70 scoped_refptr
<base::SequencedTaskRunner
> background_task_runner
,
71 const EnrollmentConfig
& enrollment_config
,
72 const std::string
& auth_token
,
73 const std::string
& client_id
,
74 const std::string
& requisition
,
75 const AllowedDeviceModes
& allowed_device_modes
,
76 ManagementMode management_mode
,
77 const EnrollmentCallback
& completion_callback
);
78 ~EnrollmentHandlerChromeOS() override
;
80 // Starts the enrollment process and reports the result to
81 // |completion_callback_|.
82 void StartEnrollment();
84 // Releases the client.
85 scoped_ptr
<CloudPolicyClient
> ReleaseClient();
87 // CloudPolicyClient::Observer:
88 void OnPolicyFetched(CloudPolicyClient
* client
) override
;
89 void OnRegistrationStateChanged(CloudPolicyClient
* client
) override
;
90 void OnRobotAuthCodesFetched(CloudPolicyClient
* client
) override
;
91 void OnClientError(CloudPolicyClient
* client
) override
;
93 // CloudPolicyStore::Observer:
94 void OnStoreLoaded(CloudPolicyStore
* store
) override
;
95 void OnStoreError(CloudPolicyStore
* store
) override
;
97 // GaiaOAuthClient::Delegate:
98 void OnGetTokensResponse(const std::string
& refresh_token
,
99 const std::string
& access_token
,
100 int expires_in_seconds
) override
;
101 void OnRefreshTokenResponse(const std::string
& access_token
,
102 int expires_in_seconds
) override
;
103 void OnOAuthError() override
;
104 void OnNetworkError(int response_code
) override
;
107 // Indicates what step of the process is currently pending. These steps need
108 // to be listed in the order they are traversed in.
109 enum EnrollmentStep
{
110 STEP_PENDING
, // Not started yet.
111 STEP_STATE_KEYS
, // Waiting for state keys to become available.
112 STEP_LOADING_STORE
, // Waiting for |store_| to initialize.
113 STEP_REGISTRATION
, // Currently registering the client.
114 STEP_POLICY_FETCH
, // Fetching policy.
115 STEP_VALIDATION
, // Policy validation.
116 STEP_ROBOT_AUTH_FETCH
, // Fetching device API auth code.
117 STEP_ROBOT_AUTH_REFRESH
, // Fetching device API refresh token.
118 STEP_LOCK_DEVICE
, // Writing installation-time attributes.
119 STEP_STORE_TOKEN_AND_ID
, // Storing DM token and virtual device ID.
120 STEP_STORE_ROBOT_AUTH
, // Encrypting & writing robot refresh token.
121 STEP_STORE_POLICY
, // Storing policy and API refresh token.
122 STEP_FINISHED
, // Enrollment process finished, no further action.
125 // Handles the response to a request for server-backed state keys.
126 void HandleStateKeysResult(const std::vector
<std::string
>& state_keys
);
128 // Starts registration if the store is initialized.
129 void StartRegistration();
131 // Handles the policy validation result, proceeding with device lock if
133 void HandlePolicyValidationResult(DeviceCloudPolicyValidator
* validator
);
135 // Calls InstallAttributes::LockDevice() for enterprise enrollment and
136 // DeviceSettingsService::SetManagementSettings() for consumer
138 void StartLockDevice();
140 // Called after SetManagementSettings() is done. Proceeds to robot
141 // auth code storing if successful.
142 void HandleSetManagementSettingsDone(bool success
);
144 // Handle callback from InstallAttributes::LockDevice() and retry on failure.
145 void HandleLockDeviceResult(
146 EnterpriseInstallAttributes::LockResult lock_result
);
148 // Initiates storing of robot auth token.
149 void StartStoreRobotAuth();
151 // Handles completion of the robot token store operation.
152 void HandleStoreRobotAuthTokenResult(bool result
);
154 // Drops any ongoing actions.
157 // Reports the result of the enrollment process to the initiator.
158 void ReportResult(EnrollmentStatus status
);
160 DeviceCloudPolicyStoreChromeOS
* store_
;
161 EnterpriseInstallAttributes
* install_attributes_
;
162 ServerBackedStateKeysBroker
* state_keys_broker_
;
163 chromeos::OwnerSettingsServiceChromeOS
* owner_settings_service_
;
164 scoped_ptr
<CloudPolicyClient
> client_
;
165 scoped_refptr
<base::SequencedTaskRunner
> background_task_runner_
;
166 scoped_ptr
<gaia::GaiaOAuthClient
> gaia_oauth_client_
;
168 EnrollmentConfig enrollment_config_
;
169 std::string auth_token_
;
170 std::string client_id_
;
171 std::string requisition_
;
172 std::string current_state_key_
;
173 std::string refresh_token_
;
174 AllowedDeviceModes allowed_device_modes_
;
175 ManagementMode management_mode_
;
176 EnrollmentCallback completion_callback_
;
178 // The device mode as received in the registration request.
179 DeviceMode device_mode_
;
181 // The validated policy response info to be installed in the store.
182 scoped_ptr
<enterprise_management::PolicyFetchResponse
> policy_
;
183 std::string username_
;
184 std::string device_id_
;
185 std::string request_token_
;
187 // Current enrollment step.
188 EnrollmentStep enrollment_step_
;
190 // Total amount of time in milliseconds spent waiting for lockbox
192 int lockbox_init_duration_
;
194 base::WeakPtrFactory
<EnrollmentHandlerChromeOS
> weak_ptr_factory_
;
196 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS
);
199 } // namespace policy
201 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_