Add new certificateProvider extension API.
[chromium-blink-merge.git] / chrome / browser / chromeos / policy / enrollment_handler_chromeos.h
blobc356a8b77815ce04147b70e536f3f8725462cf85
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
6 #define CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_
8 #include <string>
10 #include "base/basictypes.h"
11 #include "base/compiler_specific.h"
12 #include "base/memory/ref_counted.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/memory/weak_ptr.h"
15 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
16 #include "chrome/browser/chromeos/policy/device_cloud_policy_validator.h"
17 #include "chrome/browser/chromeos/policy/enrollment_config.h"
18 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
19 #include "components/policy/core/common/cloud/cloud_policy_client.h"
20 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
21 #include "components/policy/core/common/cloud/cloud_policy_store.h"
22 #include "google_apis/gaia/gaia_oauth_client.h"
23 #include "policy/proto/device_management_backend.pb.h"
25 namespace base {
26 class SequencedTaskRunner;
29 namespace chromeos {
30 class OwnerSettingsServiceChromeOS;
33 namespace policy {
35 class DeviceCloudPolicyStoreChromeOS;
36 class ServerBackedStateKeysBroker;
38 // Implements the logic that establishes enterprise enrollment for Chromium OS
39 // devices. The process is as follows:
40 // 1. Given an auth token, register with the policy service.
41 // 2. Download the initial policy blob from the service.
42 // 3. Verify the policy blob. Everything up to this point doesn't touch device
43 // state.
44 // 4. Download the OAuth2 authorization code for device-level API access.
45 // 5. Download the OAuth2 refresh token for device-level API access and store
46 // it.
47 // 6. Establish the device lock in installation-time attributes.
48 // 7. Store the policy blob and API refresh token.
49 class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
50 public CloudPolicyStore::Observer,
51 public gaia::GaiaOAuthClient::Delegate {
52 public:
53 typedef DeviceCloudPolicyInitializer::AllowedDeviceModes
54 AllowedDeviceModes;
55 typedef DeviceCloudPolicyInitializer::EnrollmentCallback
56 EnrollmentCallback;
58 // |store| and |install_attributes| must remain valid for the life time of the
59 // enrollment handler. |allowed_device_modes| determines what device modes
60 // are acceptable. If the mode specified by the server is not acceptable,
61 // enrollment will fail with an EnrollmentStatus indicating
62 // STATUS_REGISTRATION_BAD_MODE.
63 // |management_mode| should be either ENTERPRISE_MANAGED or CONSUMER_MANAGED.
64 EnrollmentHandlerChromeOS(
65 DeviceCloudPolicyStoreChromeOS* store,
66 EnterpriseInstallAttributes* install_attributes,
67 ServerBackedStateKeysBroker* state_keys_broker,
68 chromeos::OwnerSettingsServiceChromeOS* owner_settings_service,
69 scoped_ptr<CloudPolicyClient> client,
70 scoped_refptr<base::SequencedTaskRunner> background_task_runner,
71 const EnrollmentConfig& enrollment_config,
72 const std::string& auth_token,
73 const std::string& client_id,
74 const std::string& requisition,
75 const AllowedDeviceModes& allowed_device_modes,
76 ManagementMode management_mode,
77 const EnrollmentCallback& completion_callback);
78 ~EnrollmentHandlerChromeOS() override;
80 // Starts the enrollment process and reports the result to
81 // |completion_callback_|.
82 void StartEnrollment();
84 // Releases the client.
85 scoped_ptr<CloudPolicyClient> ReleaseClient();
87 // CloudPolicyClient::Observer:
88 void OnPolicyFetched(CloudPolicyClient* client) override;
89 void OnRegistrationStateChanged(CloudPolicyClient* client) override;
90 void OnRobotAuthCodesFetched(CloudPolicyClient* client) override;
91 void OnClientError(CloudPolicyClient* client) override;
93 // CloudPolicyStore::Observer:
94 void OnStoreLoaded(CloudPolicyStore* store) override;
95 void OnStoreError(CloudPolicyStore* store) override;
97 // GaiaOAuthClient::Delegate:
98 void OnGetTokensResponse(const std::string& refresh_token,
99 const std::string& access_token,
100 int expires_in_seconds) override;
101 void OnRefreshTokenResponse(const std::string& access_token,
102 int expires_in_seconds) override;
103 void OnOAuthError() override;
104 void OnNetworkError(int response_code) override;
106 private:
107 // Indicates what step of the process is currently pending. These steps need
108 // to be listed in the order they are traversed in.
109 enum EnrollmentStep {
110 STEP_PENDING, // Not started yet.
111 STEP_STATE_KEYS, // Waiting for state keys to become available.
112 STEP_LOADING_STORE, // Waiting for |store_| to initialize.
113 STEP_REGISTRATION, // Currently registering the client.
114 STEP_POLICY_FETCH, // Fetching policy.
115 STEP_VALIDATION, // Policy validation.
116 STEP_ROBOT_AUTH_FETCH, // Fetching device API auth code.
117 STEP_ROBOT_AUTH_REFRESH, // Fetching device API refresh token.
118 STEP_LOCK_DEVICE, // Writing installation-time attributes.
119 STEP_STORE_TOKEN_AND_ID, // Storing DM token and virtual device ID.
120 STEP_STORE_ROBOT_AUTH, // Encrypting & writing robot refresh token.
121 STEP_STORE_POLICY, // Storing policy and API refresh token.
122 STEP_FINISHED, // Enrollment process finished, no further action.
125 // Handles the response to a request for server-backed state keys.
126 void HandleStateKeysResult(const std::vector<std::string>& state_keys);
128 // Starts registration if the store is initialized.
129 void StartRegistration();
131 // Handles the policy validation result, proceeding with device lock if
132 // successful.
133 void HandlePolicyValidationResult(DeviceCloudPolicyValidator* validator);
135 // Calls InstallAttributes::LockDevice() for enterprise enrollment and
136 // DeviceSettingsService::SetManagementSettings() for consumer
137 // enrollment.
138 void StartLockDevice();
140 // Called after SetManagementSettings() is done. Proceeds to robot
141 // auth code storing if successful.
142 void HandleSetManagementSettingsDone(bool success);
144 // Handle callback from InstallAttributes::LockDevice() and retry on failure.
145 void HandleLockDeviceResult(
146 EnterpriseInstallAttributes::LockResult lock_result);
148 // Initiates storing of robot auth token.
149 void StartStoreRobotAuth();
151 // Handles completion of the robot token store operation.
152 void HandleStoreRobotAuthTokenResult(bool result);
154 // Drops any ongoing actions.
155 void Stop();
157 // Reports the result of the enrollment process to the initiator.
158 void ReportResult(EnrollmentStatus status);
160 DeviceCloudPolicyStoreChromeOS* store_;
161 EnterpriseInstallAttributes* install_attributes_;
162 ServerBackedStateKeysBroker* state_keys_broker_;
163 chromeos::OwnerSettingsServiceChromeOS* owner_settings_service_;
164 scoped_ptr<CloudPolicyClient> client_;
165 scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
166 scoped_ptr<gaia::GaiaOAuthClient> gaia_oauth_client_;
168 EnrollmentConfig enrollment_config_;
169 std::string auth_token_;
170 std::string client_id_;
171 std::string requisition_;
172 AllowedDeviceModes allowed_device_modes_;
173 ManagementMode management_mode_;
174 EnrollmentCallback completion_callback_;
176 // The current state key provided by |state_keys_broker_|.
177 std::string current_state_key_;
179 // The device mode as received in the registration request.
180 DeviceMode device_mode_;
182 // Whether the server signaled to skip robot auth setup.
183 bool skip_robot_auth_;
185 // The robot account refresh token.
186 std::string robot_refresh_token_;
188 // The validated policy response info to be installed in the store.
189 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
190 std::string username_;
191 std::string device_id_;
192 std::string request_token_;
194 // Current enrollment step.
195 EnrollmentStep enrollment_step_;
197 // Total amount of time in milliseconds spent waiting for lockbox
198 // initialization.
199 int lockbox_init_duration_;
201 base::WeakPtrFactory<EnrollmentHandlerChromeOS> weak_ptr_factory_;
203 DISALLOW_COPY_AND_ASSIGN(EnrollmentHandlerChromeOS);
206 } // namespace policy
208 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ENROLLMENT_HANDLER_CHROMEOS_H_