1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "components/policy/core/common/cloud/device_management_service.h"
10 #include "base/compiler_specific.h"
11 #include "base/location.h"
12 #include "base/single_thread_task_runner.h"
13 #include "base/thread_task_runner_handle.h"
14 #include "net/base/escape.h"
15 #include "net/base/load_flags.h"
16 #include "net/base/net_errors.h"
17 #include "net/http/http_response_headers.h"
18 #include "net/url_request/url_fetcher.h"
19 #include "net/url_request/url_request_context_getter.h"
20 #include "net/url_request/url_request_status.h"
23 namespace em
= enterprise_management
;
29 const char kPostContentType
[] = "application/protobuf";
31 const char kServiceTokenAuthHeader
[] = "Authorization: GoogleLogin auth=";
32 const char kDMTokenAuthHeader
[] = "Authorization: GoogleDMToken token=";
34 // Number of times to retry on ERR_NETWORK_CHANGED errors.
35 const int kMaxNetworkChangedRetries
= 3;
37 // HTTP Error Codes of the DM Server with their concrete meanings in the context
38 // of the DM Server communication.
39 const int kSuccess
= 200;
40 const int kInvalidArgument
= 400;
41 const int kInvalidAuthCookieOrDMToken
= 401;
42 const int kMissingLicenses
= 402;
43 const int kDeviceManagementNotAllowed
= 403;
44 const int kInvalidURL
= 404; // This error is not coming from the GFE.
45 const int kInvalidSerialNumber
= 405;
46 const int kDomainMismatch
= 406;
47 const int kDeviceIdConflict
= 409;
48 const int kDeviceNotFound
= 410;
49 const int kPendingApproval
= 412;
50 const int kInternalServerError
= 500;
51 const int kServiceUnavailable
= 503;
52 const int kPolicyNotFound
= 902;
53 const int kDeprovisioned
= 903;
55 bool IsProxyError(const net::URLRequestStatus status
) {
56 switch (status
.error()) {
57 case net::ERR_PROXY_CONNECTION_FAILED
:
58 case net::ERR_TUNNEL_CONNECTION_FAILED
:
59 case net::ERR_PROXY_AUTH_UNSUPPORTED
:
60 case net::ERR_HTTPS_PROXY_TUNNEL_RESPONSE
:
61 case net::ERR_MANDATORY_PROXY_CONFIGURATION_FAILED
:
62 case net::ERR_PROXY_CERTIFICATE_INVALID
:
63 case net::ERR_SOCKS_CONNECTION_FAILED
:
64 case net::ERR_SOCKS_CONNECTION_HOST_UNREACHABLE
:
70 bool IsProtobufMimeType(const net::URLFetcher
* fetcher
) {
71 return fetcher
->GetResponseHeaders()->HasHeaderValue(
72 "content-type", "application/x-protobuffer");
75 bool FailedWithProxy(const net::URLFetcher
* fetcher
) {
76 if ((fetcher
->GetLoadFlags() & net::LOAD_BYPASS_PROXY
) != 0) {
77 // The request didn't use a proxy.
81 if (!fetcher
->GetStatus().is_success() &&
82 IsProxyError(fetcher
->GetStatus())) {
83 LOG(WARNING
) << "Proxy failed while contacting dmserver.";
87 if (fetcher
->GetStatus().is_success() &&
88 fetcher
->GetResponseCode() == kSuccess
&&
89 fetcher
->WasFetchedViaProxy() &&
90 !IsProtobufMimeType(fetcher
)) {
91 // The proxy server can be misconfigured but pointing to an existing
92 // server that replies to requests. Try to recover if a successful
93 // request that went through a proxy returns an unexpected mime type.
94 LOG(WARNING
) << "Got bad mime-type in response from dmserver that was "
95 << "fetched via a proxy.";
102 const char* JobTypeToRequestType(DeviceManagementRequestJob::JobType type
) {
104 case DeviceManagementRequestJob::TYPE_AUTO_ENROLLMENT
:
105 return dm_protocol::kValueRequestAutoEnrollment
;
106 case DeviceManagementRequestJob::TYPE_REGISTRATION
:
107 return dm_protocol::kValueRequestRegister
;
108 case DeviceManagementRequestJob::TYPE_POLICY_FETCH
:
109 return dm_protocol::kValueRequestPolicy
;
110 case DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH
:
111 return dm_protocol::kValueRequestApiAuthorization
;
112 case DeviceManagementRequestJob::TYPE_UNREGISTRATION
:
113 return dm_protocol::kValueRequestUnregister
;
114 case DeviceManagementRequestJob::TYPE_UPLOAD_CERTIFICATE
:
115 return dm_protocol::kValueRequestUploadCertificate
;
116 case DeviceManagementRequestJob::TYPE_DEVICE_STATE_RETRIEVAL
:
117 return dm_protocol::kValueRequestDeviceStateRetrieval
;
118 case DeviceManagementRequestJob::TYPE_UPLOAD_STATUS
:
119 return dm_protocol::kValueRequestUploadStatus
;
120 case DeviceManagementRequestJob::TYPE_REMOTE_COMMANDS
:
121 return dm_protocol::kValueRequestRemoteCommands
;
122 case DeviceManagementRequestJob::TYPE_ATTRIBUTE_UPDATE_PERMISSION
:
123 return dm_protocol::kValueRequestDeviceAttributeUpdatePermission
;
124 case DeviceManagementRequestJob::TYPE_ATTRIBUTE_UPDATE
:
125 return dm_protocol::kValueRequestDeviceAttributeUpdate
;
126 case DeviceManagementRequestJob::TYPE_GCM_ID_UPDATE
:
127 return dm_protocol::kValueRequestGcmIdUpdate
;
129 NOTREACHED() << "Invalid job type " << type
;
135 // Request job implementation used with DeviceManagementService.
136 class DeviceManagementRequestJobImpl
: public DeviceManagementRequestJob
{
138 DeviceManagementRequestJobImpl(
140 const std::string
& agent_parameter
,
141 const std::string
& platform_parameter
,
142 DeviceManagementService
* service
,
143 const scoped_refptr
<net::URLRequestContextGetter
>& request_context
);
144 ~DeviceManagementRequestJobImpl() override
;
146 // Handles the URL request response.
147 void HandleResponse(const net::URLRequestStatus
& status
,
149 const net::ResponseCookies
& cookies
,
150 const std::string
& data
);
152 // Gets the URL to contact.
153 GURL
GetURL(const std::string
& server_url
);
155 // Configures the fetcher, setting up payload and headers.
156 void ConfigureRequest(net::URLFetcher
* fetcher
);
158 // Returns true if this job should be retried. |fetcher| has just completed,
159 // and can be inspected to determine if the request failed and should be
161 bool ShouldRetry(const net::URLFetcher
* fetcher
);
163 // Invoked right before retrying this job.
167 // DeviceManagementRequestJob:
171 // Invokes the callback with the given error code.
172 void ReportError(DeviceManagementStatus code
);
174 // Pointer to the service this job is associated with.
175 DeviceManagementService
* service_
;
177 // Whether the BYPASS_PROXY flag should be set by ConfigureRequest().
180 // Number of times that this job has been retried due to ERR_NETWORK_CHANGED.
183 // The request context to use for this job.
184 scoped_refptr
<net::URLRequestContextGetter
> request_context_
;
186 DISALLOW_COPY_AND_ASSIGN(DeviceManagementRequestJobImpl
);
189 DeviceManagementRequestJobImpl::DeviceManagementRequestJobImpl(
191 const std::string
& agent_parameter
,
192 const std::string
& platform_parameter
,
193 DeviceManagementService
* service
,
194 const scoped_refptr
<net::URLRequestContextGetter
>& request_context
)
195 : DeviceManagementRequestJob(type
, agent_parameter
, platform_parameter
),
197 bypass_proxy_(false),
199 request_context_(request_context
) {
202 DeviceManagementRequestJobImpl::~DeviceManagementRequestJobImpl() {
203 service_
->RemoveJob(this);
206 void DeviceManagementRequestJobImpl::Run() {
207 service_
->AddJob(this);
210 void DeviceManagementRequestJobImpl::HandleResponse(
211 const net::URLRequestStatus
& status
,
213 const net::ResponseCookies
& cookies
,
214 const std::string
& data
) {
215 if (status
.status() != net::URLRequestStatus::SUCCESS
) {
216 LOG(WARNING
) << "DMServer request failed, status: " << status
.status()
217 << ", error: " << status
.error();
218 em::DeviceManagementResponse dummy_response
;
219 callback_
.Run(DM_STATUS_REQUEST_FAILED
, status
.error(), dummy_response
);
223 if (response_code
!= kSuccess
)
224 LOG(WARNING
) << "DMServer sent an error response: " << response_code
;
226 switch (response_code
) {
228 em::DeviceManagementResponse response
;
229 if (!response
.ParseFromString(data
)) {
230 ReportError(DM_STATUS_RESPONSE_DECODING_ERROR
);
233 callback_
.Run(DM_STATUS_SUCCESS
, net::OK
, response
);
236 case kInvalidArgument
:
237 ReportError(DM_STATUS_REQUEST_INVALID
);
239 case kInvalidAuthCookieOrDMToken
:
240 ReportError(DM_STATUS_SERVICE_MANAGEMENT_TOKEN_INVALID
);
242 case kMissingLicenses
:
243 ReportError(DM_STATUS_SERVICE_MISSING_LICENSES
);
245 case kDeviceManagementNotAllowed
:
246 ReportError(DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED
);
248 case kPendingApproval
:
249 ReportError(DM_STATUS_SERVICE_ACTIVATION_PENDING
);
252 case kInternalServerError
:
253 case kServiceUnavailable
:
254 ReportError(DM_STATUS_TEMPORARY_UNAVAILABLE
);
256 case kDeviceNotFound
:
257 ReportError(DM_STATUS_SERVICE_DEVICE_NOT_FOUND
);
259 case kPolicyNotFound
:
260 ReportError(DM_STATUS_SERVICE_POLICY_NOT_FOUND
);
262 case kInvalidSerialNumber
:
263 ReportError(DM_STATUS_SERVICE_INVALID_SERIAL_NUMBER
);
265 case kDomainMismatch
:
266 ReportError(DM_STATUS_SERVICE_DOMAIN_MISMATCH
);
269 ReportError(DM_STATUS_SERVICE_DEPROVISIONED
);
271 case kDeviceIdConflict
:
272 ReportError(DM_STATUS_SERVICE_DEVICE_ID_CONFLICT
);
275 // Handle all unknown 5xx HTTP error codes as temporary and any other
276 // unknown error as one that needs more time to recover.
277 if (response_code
>= 500 && response_code
<= 599)
278 ReportError(DM_STATUS_TEMPORARY_UNAVAILABLE
);
280 ReportError(DM_STATUS_HTTP_STATUS_ERROR
);
285 GURL
DeviceManagementRequestJobImpl::GetURL(
286 const std::string
& server_url
) {
287 std::string
result(server_url
);
289 for (ParameterMap::const_iterator
entry(query_params_
.begin());
290 entry
!= query_params_
.end();
292 if (entry
!= query_params_
.begin())
294 result
+= net::EscapeQueryParamValue(entry
->first
, true);
296 result
+= net::EscapeQueryParamValue(entry
->second
, true);
301 void DeviceManagementRequestJobImpl::ConfigureRequest(
302 net::URLFetcher
* fetcher
) {
303 // TODO(dcheng): It might make sense to make this take a const
304 // scoped_refptr<T>& too eventually.
305 fetcher
->SetRequestContext(request_context_
.get());
306 fetcher
->SetLoadFlags(net::LOAD_DO_NOT_SEND_COOKIES
|
307 net::LOAD_DO_NOT_SAVE_COOKIES
|
308 net::LOAD_DISABLE_CACHE
|
309 (bypass_proxy_
? net::LOAD_BYPASS_PROXY
: 0));
311 CHECK(request_
.SerializeToString(&payload
));
312 fetcher
->SetUploadData(kPostContentType
, payload
);
313 std::string extra_headers
;
314 if (!gaia_token_
.empty())
315 extra_headers
+= kServiceTokenAuthHeader
+ gaia_token_
+ "\n";
316 if (!dm_token_
.empty())
317 extra_headers
+= kDMTokenAuthHeader
+ dm_token_
+ "\n";
318 fetcher
->SetExtraRequestHeaders(extra_headers
);
321 bool DeviceManagementRequestJobImpl::ShouldRetry(
322 const net::URLFetcher
* fetcher
) {
323 if (FailedWithProxy(fetcher
) && !bypass_proxy_
) {
324 // Retry the job if it failed due to a broken proxy, by bypassing the
325 // proxy on the next try.
326 bypass_proxy_
= true;
330 // Early device policy fetches on ChromeOS and Auto-Enrollment checks are
331 // often interrupted during ChromeOS startup when network change notifications
332 // are sent. Allowing the fetcher to retry once after that is enough to
333 // recover; allow it to retry up to 3 times just in case.
334 if (fetcher
->GetStatus().error() == net::ERR_NETWORK_CHANGED
&&
335 retries_count_
< kMaxNetworkChangedRetries
) {
340 // The request didn't fail, or the limit of retry attempts has been reached;
341 // forward the result to the job owner.
345 void DeviceManagementRequestJobImpl::PrepareRetry() {
346 if (!retry_callback_
.is_null())
347 retry_callback_
.Run(this);
350 void DeviceManagementRequestJobImpl::ReportError(DeviceManagementStatus code
) {
351 em::DeviceManagementResponse dummy_response
;
352 callback_
.Run(code
, net::OK
, dummy_response
);
355 DeviceManagementRequestJob::~DeviceManagementRequestJob() {}
357 void DeviceManagementRequestJob::SetGaiaToken(const std::string
& gaia_token
) {
358 gaia_token_
= gaia_token
;
361 void DeviceManagementRequestJob::SetOAuthToken(const std::string
& oauth_token
) {
362 AddParameter(dm_protocol::kParamOAuthToken
, oauth_token
);
365 void DeviceManagementRequestJob::SetDMToken(const std::string
& dm_token
) {
366 dm_token_
= dm_token
;
369 void DeviceManagementRequestJob::SetClientID(const std::string
& client_id
) {
370 AddParameter(dm_protocol::kParamDeviceID
, client_id
);
373 em::DeviceManagementRequest
* DeviceManagementRequestJob::GetRequest() {
377 DeviceManagementRequestJob::DeviceManagementRequestJob(
379 const std::string
& agent_parameter
,
380 const std::string
& platform_parameter
) {
381 AddParameter(dm_protocol::kParamRequest
, JobTypeToRequestType(type
));
382 AddParameter(dm_protocol::kParamDeviceType
, dm_protocol::kValueDeviceType
);
383 AddParameter(dm_protocol::kParamAppType
, dm_protocol::kValueAppType
);
384 AddParameter(dm_protocol::kParamAgent
, agent_parameter
);
385 AddParameter(dm_protocol::kParamPlatform
, platform_parameter
);
388 void DeviceManagementRequestJob::SetRetryCallback(
389 const RetryCallback
& retry_callback
) {
390 retry_callback_
= retry_callback
;
393 void DeviceManagementRequestJob::Start(const Callback
& callback
) {
394 callback_
= callback
;
398 void DeviceManagementRequestJob::AddParameter(const std::string
& name
,
399 const std::string
& value
) {
400 query_params_
.push_back(std::make_pair(name
, value
));
403 // A random value that other fetchers won't likely use.
404 const int DeviceManagementService::kURLFetcherID
= 0xde71ce1d;
406 DeviceManagementService::~DeviceManagementService() {
407 // All running jobs should have been cancelled by now.
408 DCHECK(pending_jobs_
.empty());
409 DCHECK(queued_jobs_
.empty());
412 DeviceManagementRequestJob
* DeviceManagementService::CreateJob(
413 DeviceManagementRequestJob::JobType type
,
414 const scoped_refptr
<net::URLRequestContextGetter
>& request_context
) {
415 return new DeviceManagementRequestJobImpl(
417 configuration_
->GetAgentParameter(),
418 configuration_
->GetPlatformParameter(),
423 void DeviceManagementService::ScheduleInitialization(int64 delay_milliseconds
) {
426 base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
427 FROM_HERE
, base::Bind(&DeviceManagementService::Initialize
,
428 weak_ptr_factory_
.GetWeakPtr()),
429 base::TimeDelta::FromMilliseconds(delay_milliseconds
));
432 void DeviceManagementService::Initialize() {
437 while (!queued_jobs_
.empty()) {
438 StartJob(queued_jobs_
.front());
439 queued_jobs_
.pop_front();
443 void DeviceManagementService::Shutdown() {
444 for (JobFetcherMap::iterator
job(pending_jobs_
.begin());
445 job
!= pending_jobs_
.end();
448 queued_jobs_
.push_back(job
->second
);
450 pending_jobs_
.clear();
453 DeviceManagementService::DeviceManagementService(
454 scoped_ptr
<Configuration
> configuration
)
455 : configuration_(configuration
.Pass()),
457 weak_ptr_factory_(this) {
458 DCHECK(configuration_
);
461 void DeviceManagementService::StartJob(DeviceManagementRequestJobImpl
* job
) {
462 std::string server_url
= GetServerUrl();
463 net::URLFetcher
* fetcher
=
464 net::URLFetcher::Create(kURLFetcherID
, job
->GetURL(server_url
),
465 net::URLFetcher::POST
, this).release();
466 job
->ConfigureRequest(fetcher
);
467 pending_jobs_
[fetcher
] = job
;
471 std::string
DeviceManagementService::GetServerUrl() {
472 return configuration_
->GetServerUrl();
475 void DeviceManagementService::OnURLFetchComplete(
476 const net::URLFetcher
* source
) {
477 JobFetcherMap::iterator
entry(pending_jobs_
.find(source
));
478 if (entry
== pending_jobs_
.end()) {
479 NOTREACHED() << "Callback from foreign URL fetcher";
483 DeviceManagementRequestJobImpl
* job
= entry
->second
;
484 pending_jobs_
.erase(entry
);
486 if (job
->ShouldRetry(source
)) {
487 VLOG(1) << "Retrying dmserver request.";
492 source
->GetResponseAsString(&data
);
493 job
->HandleResponse(source
->GetStatus(), source
->GetResponseCode(),
494 source
->GetCookies(), data
);
499 void DeviceManagementService::AddJob(DeviceManagementRequestJobImpl
* job
) {
503 queued_jobs_
.push_back(job
);
506 void DeviceManagementService::RemoveJob(DeviceManagementRequestJobImpl
* job
) {
507 for (JobFetcherMap::iterator
entry(pending_jobs_
.begin());
508 entry
!= pending_jobs_
.end();
510 if (entry
->second
== job
) {
512 pending_jobs_
.erase(entry
);
517 const JobQueue::iterator elem
=
518 std::find(queued_jobs_
.begin(), queued_jobs_
.end(), job
);
519 if (elem
!= queued_jobs_
.end())
520 queued_jobs_
.erase(elem
);
523 } // namespace policy