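--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
@@ -1,23 +1,27 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/enrollment_handler_chromeos.h"
 
 #include "base/bind.h"
 #include "base/logging.h"
 #include "base/message_loop.h"
+#include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/policy/cloud/cloud_policy_constants.h"
 #include "chrome/browser/policy/proto/chromeos/chrome_device_policy.pb.h"
 #include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
+#include "google_apis/gaia/gaia_urls.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
 
 // Retry for InstallAttrs initialization every 500ms.
 const int kLockRetryIntervalMs = 500;
 // Maximum time to retry InstallAttrs initialization before we give up.
@@ -122,101 +126,184 @@
     client_->FetchPolicy();
   } else {
     LOG(FATAL) << "Registration state changed to " << client_->is_registered()
               << " in step " << enrollment_step_;
   }
 }
 
 void EnrollmentHandlerChromeOS::OnClientError(CloudPolicyClient* client) {
   DCHECK_EQ(client_.get(), client);
 
-  if (enrollment_step_ < STEP_POLICY_FETCH)
+  if (enrollment_step_ == STEP_ROBOT_AUTH_FETCH) {
+    LOG(WARNING) << "API authentication code fetch failed: "
+                 << client_->status();
+    // Robot auth tokens are currently optional. Skip fetching the refresh
+    // token and jump directly to the lock device step.
+    robot_refresh_token_.clear();
+    DoLockDeviceStep();
+  } else if (enrollment_step_ < STEP_POLICY_FETCH) {
     ReportResult(EnrollmentStatus::ForRegistrationError(client_->status()));
-  else
+  } else {
     ReportResult(EnrollmentStatus::ForFetchError(client_->status()));
+  }
 }
 
 void EnrollmentHandlerChromeOS::OnStoreLoaded(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
 
   if (enrollment_step_ == STEP_LOADING_STORE) {
+    // If the |store_| wasn't initialized when StartEnrollment() was
+    // called, then AttemptRegistration() bails silently. This gets
+    // registration rolling again after the store finishes loading.
     AttemptRegistration();
   } else if (enrollment_step_ == STEP_STORE_POLICY) {
+    // Store the robot API auth refresh token.
+    // Currently optional, so always return success.
+    chromeos::DeviceOAuth2TokenService* token_service =
+        chromeos::DeviceOAuth2TokenServiceFactory::Get();
+    if (token_service && !robot_refresh_token_.empty()) {
+      token_service->SetAndSaveRefreshToken(robot_refresh_token_);
+
+    }
     ReportResult(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS));
   }
 }
 
 void EnrollmentHandlerChromeOS::OnStoreError(CloudPolicyStore* store) {
   DCHECK_EQ(store_, store);
   ReportResult(EnrollmentStatus::ForStoreError(store_->status(),
                                                store_->validation_status()));
 }
 
 void EnrollmentHandlerChromeOS::AttemptRegistration() {
   CHECK_EQ(STEP_LOADING_STORE, enrollment_step_);
   if (store_->is_initialized()) {
     enrollment_step_ = STEP_REGISTRATION;
     client_->Register(em::DeviceRegisterRequest::DEVICE,
                       auth_token_, client_id_, is_auto_enrollment_);
   }
 }
 
 void EnrollmentHandlerChromeOS::PolicyValidated(
     DeviceCloudPolicyValidator* validator) {
   CHECK_EQ(STEP_VALIDATION, enrollment_step_);
   if (validator->success()) {
     policy_ = validator->policy().Pass();
-    enrollment_step_ = STEP_LOCK_DEVICE;
-    WriteInstallAttributes(validator->policy_data()->username(), device_mode_,
-                           validator->policy_data()->device_id());
+    username_ = validator->policy_data()->username();
+    device_id_ = validator->policy_data()->device_id();
+
+    enrollment_step_ = STEP_ROBOT_AUTH_FETCH;
+    client_->FetchRobotAuthCodes(auth_token_);
   } else {
     ReportResult(EnrollmentStatus::ForValidationError(validator->status()));
   }
 }
 
-void EnrollmentHandlerChromeOS::WriteInstallAttributes(
+void EnrollmentHandlerChromeOS::OnRobotAuthCodesFetched(
+    CloudPolicyClient* client) {
+  DCHECK_EQ(client_.get(), client);
+  CHECK_EQ(STEP_ROBOT_AUTH_FETCH, enrollment_step_);
+
+  enrollment_step_ = STEP_ROBOT_AUTH_REFRESH;
+
+  gaia::OAuthClientInfo client_info;
+  client_info.client_id = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+  client_info.client_secret =
+      GaiaUrls::GetInstance()->oauth2_chrome_client_secret();
+
+  // Use the system request context to avoid sending user cookies.
+  gaia_oauth_client_.reset(new gaia::GaiaOAuthClient(
+      GaiaUrls::GetInstance()->oauth2_token_url(),
+      g_browser_process->system_request_context()));
+  gaia_oauth_client_->GetTokensFromAuthCode(client_info,
+                                            client->robot_api_auth_code(),
+                                            0 /* max_retries */,
+                                            this);
+}
+
+// GaiaOAuthClient::Delegate callback for OAuth2 refresh token fetched.
+void EnrollmentHandlerChromeOS::OnGetTokensResponse(
+    const std::string& refresh_token,
+    const std::string& access_token,
+    int expires_in_seconds) {
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+
+  robot_refresh_token_ = refresh_token;
+
+  DoLockDeviceStep();
+}
+
+void EnrollmentHandlerChromeOS::DoLockDeviceStep() {
+  enrollment_step_ = STEP_LOCK_DEVICE,
+  StartLockDevice(username_, device_mode_, device_id_);
+}
+
+// GaiaOAuthClient::Delegate
+void EnrollmentHandlerChromeOS::OnRefreshTokenResponse(
+    const std::string& access_token,
+    int expires_in_seconds) {
+  // We never use the code that should trigger this callback.
+  LOG(FATAL) << "Unexpected callback invoked";
+}
+
+// GaiaOAuthClient::Delegate OAuth2 error when fetching refresh token request.
+void EnrollmentHandlerChromeOS::OnOAuthError() {
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+  DoLockDeviceStep();
+}
+
+// GaiaOAuthClient::Delegate network error when fetching refresh token.
+void EnrollmentHandlerChromeOS::OnNetworkError(int response_code) {
+  LOG(ERROR) << "Network error while fetching API refresh token: "
+             << response_code;
+  CHECK_EQ(STEP_ROBOT_AUTH_REFRESH, enrollment_step_);
+  DoLockDeviceStep();
+}
+
+void EnrollmentHandlerChromeOS::StartLockDevice(
     const std::string& user,
     DeviceMode device_mode,
     const std::string& device_id) {
   CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   // Since this method is also called directly.
   weak_factory_.InvalidateWeakPtrs();
 
   install_attributes_->LockDevice(
       user, device_mode, device_id,
       base::Bind(&EnrollmentHandlerChromeOS::HandleLockDeviceResult,
                  weak_factory_.GetWeakPtr(),
                  user,
                  device_mode,
                  device_id));
 }
 
 void EnrollmentHandlerChromeOS::HandleLockDeviceResult(
     const std::string& user,
     DeviceMode device_mode,
     const std::string& device_id,
     EnterpriseInstallAttributes::LockResult lock_result) {
+  CHECK_EQ(STEP_LOCK_DEVICE, enrollment_step_);
   switch (lock_result) {
     case EnterpriseInstallAttributes::LOCK_SUCCESS:
       enrollment_step_ = STEP_STORE_POLICY;
       store_->InstallInitialPolicy(*policy_);
       return;
     case EnterpriseInstallAttributes::LOCK_NOT_READY:
       // We wait up to |kLockRetryTimeoutMs| milliseconds and if it hasn't
       // succeeded by then show an error to the user and stop the enrollment.
       if (lockbox_init_duration_ < kLockRetryTimeoutMs) {
         // InstallAttributes not ready yet, retry later.
         LOG(WARNING) << "Install Attributes not ready yet will retry in "
                      << kLockRetryIntervalMs << "ms.";
         MessageLoop::current()->PostDelayedTask(
             FROM_HERE,
-            base::Bind(&EnrollmentHandlerChromeOS::WriteInstallAttributes,
+            base::Bind(&EnrollmentHandlerChromeOS::StartLockDevice,
                        weak_factory_.GetWeakPtr(),
                        user, device_mode, device_id),
             base::TimeDelta::FromMilliseconds(kLockRetryIntervalMs));
         lockbox_init_duration_ += kLockRetryIntervalMs;
       } else {
         ReportResult(EnrollmentStatus::ForStatus(
             EnrollmentStatus::STATUS_LOCK_TIMEOUT));
       }
       return;
     case EnterpriseInstallAttributes::LOCK_BACKEND_ERROR:
@@ -253,10 +340,10 @@
                  << " " << status.client_status()
                  << " " << status.validation_status()
                  << " " << status.store_status();
   }
 
   if (!callback.is_null())
     callback.Run(status);
 }
 
 } // namespace policy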
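Review bot: `DoLockDeviceStep()` (new lines 235-238) joins its two statements with a comma operator, `enrollment_step_ = STEP_LOCK_DEVICE,` — the sequence still executes as intended, but it reads as a typo and should end in `;`. In `OnStoreLoaded()`, the `STEP_STORE_POLICY` branch passes `robot_refresh_token_` to `SetAndSaveRefreshToken()` and then keeps the handler's own copy of this long-lived credential for the rest of its lifetime; adding `robot_refresh_token_.clear();` in place of the stray blank line inside that `if` block bounds how long the refresh token sits in the handler's memory. The `robot_refresh_token_`, `username_` and `device_id_` members and the new `STEP_ROBOT_AUTH_*` values are presumably declared in the header, which is outside this diff.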