OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/policy/enterprise_install_attributes.h" | 5 #include "chrome/browser/policy/enterprise_install_attributes.h" |
6 | 6 |
7 #include <utility> | |
8 | |
9 #include "base/file_util.h" | |
7 #include "base/logging.h" | 10 #include "base/logging.h" |
8 #include "chrome/browser/chromeos/cros/cryptohome_library.h" | 11 #include "chrome/browser/chromeos/cros/cryptohome_library.h" |
12 #include "chrome/browser/policy/proto/install_attributes.pb.h" | |
9 #include "google_apis/gaia/gaia_auth_util.h" | 13 #include "google_apis/gaia/gaia_auth_util.h" |
10 | 14 |
11 namespace policy { | 15 namespace policy { |
12 | 16 |
13 namespace { | 17 namespace { |
14 // Constants for the possible device modes that can be stored in the lockbox. | 18 // Constants for the possible device modes that can be stored in the lockbox. |
15 const char kConsumerDeviceMode[] = "consumer"; | 19 const char kConsumerDeviceMode[] = "consumer"; |
16 const char kEnterpiseDeviceMode[] = "enterprise"; | 20 const char kEnterpiseDeviceMode[] = "enterprise"; |
17 const char kKioskDeviceMode[] = "kiosk"; | 21 const char kKioskDeviceMode[] = "kiosk"; |
18 const char kUnknownDeviceMode[] = "unknown"; | 22 const char kUnknownDeviceMode[] = "unknown"; |
(...skipping 28 matching lines...) Expand all Loading... | |
47 if (mode == kConsumerDeviceMode) | 51 if (mode == kConsumerDeviceMode) |
48 return DEVICE_MODE_CONSUMER; | 52 return DEVICE_MODE_CONSUMER; |
49 else if (mode == kEnterpiseDeviceMode) | 53 else if (mode == kEnterpiseDeviceMode) |
50 return DEVICE_MODE_ENTERPRISE; | 54 return DEVICE_MODE_ENTERPRISE; |
51 else if (mode == kKioskDeviceMode) | 55 else if (mode == kKioskDeviceMode) |
52 return DEVICE_MODE_KIOSK; | 56 return DEVICE_MODE_KIOSK; |
53 NOTREACHED() << "Unknown device mode string: " << mode; | 57 NOTREACHED() << "Unknown device mode string: " << mode; |
54 return DEVICE_MODE_NOT_SET; | 58 return DEVICE_MODE_NOT_SET; |
55 } | 59 } |
56 | 60 |
61 bool ReadMapKey(const std::map<std::string, std::string>& map, | |
62 const std::string& key, | |
63 std::string* value) { | |
64 std::map<std::string, std::string>::const_iterator entry = map.find(key); | |
65 if (entry == map.end()) | |
66 return false; | |
67 | |
68 *value = entry->second; | |
69 return true; | |
70 } | |
71 | |
57 } // namespace | 72 } // namespace |
58 | 73 |
74 // Cache file name. | |
75 const FilePath::CharType EnterpriseInstallAttributes::kCacheFilePath[] = | |
76 FILE_PATH_LITERAL("/var/run/lockbox/install_attributes.pb"); | |
77 | |
59 EnterpriseInstallAttributes::EnterpriseInstallAttributes( | 78 EnterpriseInstallAttributes::EnterpriseInstallAttributes( |
60 chromeos::CryptohomeLibrary* cryptohome) | 79 chromeos::CryptohomeLibrary* cryptohome) |
61 : cryptohome_(cryptohome), | 80 : cryptohome_(cryptohome), |
62 device_locked_(false), | 81 device_locked_(false), |
63 registration_mode_(DEVICE_MODE_PENDING) {} | 82 registration_mode_(DEVICE_MODE_PENDING) {} |
64 | 83 |
84 void EnterpriseInstallAttributes::ReadCacheFile(const FilePath& cache_file) { | |
85 if (device_locked_ || !file_util::PathExists(cache_file)) | |
86 return; | |
87 | |
88 device_locked_ = true; | |
89 | |
90 char buf[16384]; | |
Will Drewry
2013/01/17 21:17:44
Hrm it worries me that this assumes an install att
Mattias Nissler (ping if slow)
2013/01/17 23:08:51
The reason I didn't use ReadFileToString was exact
| |
91 int len = file_util::ReadFile(cache_file, buf, sizeof(buf)); | |
92 if (len == -1 || len >= static_cast<int>(sizeof(buf))) { | |
93 PLOG(ERROR) << "Failed to read " << cache_file.value(); | |
94 return; | |
95 } | |
96 | |
97 cryptohome::SerializedInstallAttributes install_attrs_proto; | |
98 if (!install_attrs_proto.ParseFromArray(buf, len)) { | |
99 LOG(ERROR) << "Failed to parse install attributes cache"; | |
100 return; | |
101 } | |
102 | |
103 google::protobuf::RepeatedPtrField< | |
104 const cryptohome::SerializedInstallAttributes::Attribute>::iterator entry; | |
105 std::map<std::string, std::string> attr_map; | |
106 for (entry = install_attrs_proto.attributes().begin(); | |
107 entry != install_attrs_proto.attributes().end(); | |
108 ++entry) { | |
109 // The protobuf values unfortunately contain terminating null characters, so | |
110 // we have to sanitize the value here. | |
111 attr_map.insert(std::make_pair(entry->name(), | |
112 std::string(entry->value().c_str()))); | |
113 } | |
114 | |
115 DecodeInstallAttributes(attr_map); | |
116 } | |
117 | |
118 void EnterpriseInstallAttributes::ReadImmutableAttributes() { | |
119 if (device_locked_) | |
120 return; | |
121 | |
122 if (cryptohome_ && cryptohome_->InstallAttributesIsReady()) { | |
123 registration_mode_ = DEVICE_MODE_NOT_SET; | |
124 if (!cryptohome_->InstallAttributesIsInvalid() && | |
125 !cryptohome_->InstallAttributesIsFirstInstall()) { | |
126 device_locked_ = true; | |
127 | |
128 static const char* kEnterpriseAttributes[] = { | |
129 kAttrEnterpriseDeviceId, | |
130 kAttrEnterpriseDomain, | |
131 kAttrEnterpriseMode, | |
132 kAttrEnterpriseOwned, | |
133 kAttrEnterpriseUser, | |
134 }; | |
135 std::map<std::string, std::string> attr_map; | |
136 for (size_t i = 0; i < arraysize(kEnterpriseAttributes); ++i) { | |
137 std::string value; | |
138 if (cryptohome_->InstallAttributesGet(kEnterpriseAttributes[i], &value)) | |
139 attr_map[kEnterpriseAttributes[i]] = value; | |
140 } | |
141 | |
142 DecodeInstallAttributes(attr_map); | |
143 } | |
144 } | |
145 } | |
146 | |
65 EnterpriseInstallAttributes::LockResult EnterpriseInstallAttributes::LockDevice( | 147 EnterpriseInstallAttributes::LockResult EnterpriseInstallAttributes::LockDevice( |
66 const std::string& user, | 148 const std::string& user, |
67 DeviceMode device_mode, | 149 DeviceMode device_mode, |
68 const std::string& device_id) { | 150 const std::string& device_id) { |
69 CHECK_NE(device_mode, DEVICE_MODE_PENDING); | 151 CHECK_NE(device_mode, DEVICE_MODE_PENDING); |
70 CHECK_NE(device_mode, DEVICE_MODE_NOT_SET); | 152 CHECK_NE(device_mode, DEVICE_MODE_NOT_SET); |
71 | 153 |
72 std::string domain = gaia::ExtractDomainName(user); | 154 std::string domain = gaia::ExtractDomainName(user); |
73 | 155 |
74 // Check for existing lock first. | 156 // Check for existing lock first. |
(...skipping 27 matching lines...) Expand all Loading... | |
102 if (!cryptohome_->InstallAttributesSet(kAttrEnterpriseOwned, "true") || | 184 if (!cryptohome_->InstallAttributesSet(kAttrEnterpriseOwned, "true") || |
103 !cryptohome_->InstallAttributesSet(kAttrEnterpriseUser, user) || | 185 !cryptohome_->InstallAttributesSet(kAttrEnterpriseUser, user) || |
104 !cryptohome_->InstallAttributesSet(kAttrEnterpriseDomain, domain) || | 186 !cryptohome_->InstallAttributesSet(kAttrEnterpriseDomain, domain) || |
105 !cryptohome_->InstallAttributesSet(kAttrEnterpriseMode, mode) || | 187 !cryptohome_->InstallAttributesSet(kAttrEnterpriseMode, mode) || |
106 !cryptohome_->InstallAttributesSet(kAttrEnterpriseDeviceId, device_id)) { | 188 !cryptohome_->InstallAttributesSet(kAttrEnterpriseDeviceId, device_id)) { |
107 LOG(ERROR) << "Failed writing attributes"; | 189 LOG(ERROR) << "Failed writing attributes"; |
108 return LOCK_BACKEND_ERROR; | 190 return LOCK_BACKEND_ERROR; |
109 } | 191 } |
110 | 192 |
111 if (!cryptohome_->InstallAttributesFinalize() || | 193 if (!cryptohome_->InstallAttributesFinalize() || |
112 cryptohome_->InstallAttributesIsFirstInstall() || | 194 cryptohome_->InstallAttributesIsFirstInstall()) { |
113 GetRegistrationUser() != user) { | |
114 LOG(ERROR) << "Failed locking."; | 195 LOG(ERROR) << "Failed locking."; |
115 return LOCK_BACKEND_ERROR; | 196 return LOCK_BACKEND_ERROR; |
116 } | 197 } |
117 | 198 |
199 ReadImmutableAttributes(); | |
200 if (GetRegistrationUser() != user) { | |
201 LOG(ERROR) << "Locked data doesn't match"; | |
202 return LOCK_BACKEND_ERROR; | |
203 } | |
204 | |
118 return LOCK_SUCCESS; | 205 return LOCK_SUCCESS; |
119 } | 206 } |
120 | 207 |
121 bool EnterpriseInstallAttributes::IsEnterpriseDevice() { | 208 bool EnterpriseInstallAttributes::IsEnterpriseDevice() { |
122 ReadImmutableAttributes(); | |
123 return device_locked_ && !registration_user_.empty(); | 209 return device_locked_ && !registration_user_.empty(); |
124 } | 210 } |
125 | 211 |
126 std::string EnterpriseInstallAttributes::GetRegistrationUser() { | 212 std::string EnterpriseInstallAttributes::GetRegistrationUser() { |
127 ReadImmutableAttributes(); | |
128 | |
129 if (!device_locked_) | 213 if (!device_locked_) |
130 return std::string(); | 214 return std::string(); |
131 | 215 |
132 return registration_user_; | 216 return registration_user_; |
133 } | 217 } |
134 | 218 |
135 std::string EnterpriseInstallAttributes::GetDomain() { | 219 std::string EnterpriseInstallAttributes::GetDomain() { |
136 if (!IsEnterpriseDevice()) | 220 if (!IsEnterpriseDevice()) |
137 return std::string(); | 221 return std::string(); |
138 | 222 |
139 return registration_domain_; | 223 return registration_domain_; |
140 } | 224 } |
141 | 225 |
142 std::string EnterpriseInstallAttributes::GetDeviceId() { | 226 std::string EnterpriseInstallAttributes::GetDeviceId() { |
143 if (!IsEnterpriseDevice()) | 227 if (!IsEnterpriseDevice()) |
144 return std::string(); | 228 return std::string(); |
145 | 229 |
146 return registration_device_id_; | 230 return registration_device_id_; |
147 } | 231 } |
148 | 232 |
149 DeviceMode EnterpriseInstallAttributes::GetMode() { | 233 DeviceMode EnterpriseInstallAttributes::GetMode() { |
150 ReadImmutableAttributes(); | |
151 return registration_mode_; | 234 return registration_mode_; |
152 } | 235 } |
153 | 236 |
154 void EnterpriseInstallAttributes::ReadImmutableAttributes() { | 237 void EnterpriseInstallAttributes::DecodeInstallAttributes( |
155 if (device_locked_) | 238 const std::map<std::string, std::string>& attr_map) { |
156 return; | 239 std::string enterprise_owned; |
240 std::string enterprise_user; | |
241 if (ReadMapKey(attr_map, kAttrEnterpriseOwned, &enterprise_owned) && | |
242 ReadMapKey(attr_map, kAttrEnterpriseUser, &enterprise_user) && | |
243 enterprise_owned == "true" && | |
244 !enterprise_user.empty()) { | |
245 registration_user_ = gaia::CanonicalizeEmail(enterprise_user); | |
157 | 246 |
158 if (cryptohome_ && cryptohome_->InstallAttributesIsReady()) { | 247 // Initialize the mode to the legacy enterprise mode here and update |
159 registration_mode_ = DEVICE_MODE_NOT_SET; | 248 // below if more information is present. |
160 if (!cryptohome_->InstallAttributesIsInvalid() && | 249 registration_mode_ = DEVICE_MODE_ENTERPRISE; |
161 !cryptohome_->InstallAttributesIsFirstInstall()) { | |
162 device_locked_ = true; | |
163 std::string enterprise_owned; | |
164 std::string enterprise_user; | |
165 if (cryptohome_->InstallAttributesGet(kAttrEnterpriseOwned, | |
166 &enterprise_owned) && | |
167 cryptohome_->InstallAttributesGet(kAttrEnterpriseUser, | |
168 &enterprise_user) && | |
169 enterprise_owned == "true" && | |
170 !enterprise_user.empty()) { | |
171 registration_user_ = gaia::CanonicalizeEmail(enterprise_user); | |
172 | 250 |
173 // Initialize the mode to the legacy enterprise mode here and update | 251 // If we could extract basic setting we should try to extract the |
174 // below if more information is present. | 252 // extended ones too. We try to set these to defaults as good as |
175 registration_mode_ = DEVICE_MODE_ENTERPRISE; | 253 // as possible if present, which could happen for device enrolled in |
254 // pre 19 revisions of the code, before these new attributes were added. | |
255 if (ReadMapKey(attr_map, kAttrEnterpriseDomain, ®istration_domain_)) | |
256 registration_domain_ = gaia::CanonicalizeDomain(registration_domain_); | |
257 else | |
258 registration_domain_ = gaia::ExtractDomainName(registration_user_); | |
176 | 259 |
177 // If we could extract basic setting we should try to extract the | 260 ReadMapKey(attr_map, kAttrEnterpriseDeviceId, ®istration_device_id_); |
178 // extended ones too. We try to set these to defaults as good as | 261 |
179 // as possible if present, which could happen for device enrolled in | 262 std::string mode; |
180 // pre 19 revisions of the code, before these new attributes were added. | 263 if (ReadMapKey(attr_map, kAttrEnterpriseMode, &mode)) |
181 if (cryptohome_->InstallAttributesGet(kAttrEnterpriseDomain, | 264 registration_mode_ = GetDeviceModeFromString(mode); |
182 ®istration_domain_)) { | 265 } else if (enterprise_user.empty() && enterprise_owned != "true") { |
183 registration_domain_ = gaia::CanonicalizeDomain(registration_domain_); | 266 // |registration_user_| is empty on consumer devices. |
184 } else { | 267 registration_mode_ = DEVICE_MODE_CONSUMER; |
185 registration_domain_ = gaia::ExtractDomainName(registration_user_); | |
186 } | |
187 if (!cryptohome_->InstallAttributesGet(kAttrEnterpriseDeviceId, | |
188 ®istration_device_id_)) { | |
189 registration_device_id_.clear(); | |
190 } | |
191 std::string mode; | |
192 if (cryptohome_->InstallAttributesGet(kAttrEnterpriseMode, &mode)) | |
193 registration_mode_ = GetDeviceModeFromString(mode); | |
194 } else if (enterprise_user.empty() && enterprise_owned != "true") { | |
195 // |registration_user_| is empty on consumer devices. | |
196 registration_mode_ = DEVICE_MODE_CONSUMER; | |
197 } | |
198 } | |
199 } | 268 } |
200 } | 269 } |
201 | 270 |
202 } // namespace policy | 271 } // namespace policy |
OLD | NEW |