Move to new attestation dbus methods.

The new attestation methods support selection of an alternate Privacy CA
which has been configured by enterprise policy.  This CL does not add
support for alternate PCAs, just support for the new methods.

BUG=chromium:243605
TEST=unit, manual

Review URL: https://codereview.chromium.org/177373006

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@256760 0039d316-1c4b-4281-b951-d872f2087c98

6 files changed, 90 insertions, 19 deletions

diff --git a/chromeos/attestation/attestation_constants.h b/chromeos/attestation/attestation_constants.h
index 1429004..de55998 100644
--- a/chromeos/attestation/attestation_constants.h
+++ b/chromeos/attestation/attestation_constants.h
@@ -41,6 +41,11 @@ enum AttestationCertificateProfile {
   PROFILE_CONTENT_PROTECTION_CERTIFICATE,
 };
 
+enum PrivacyCAType {
+  DEFAULT_PCA,    // The Google-operated Privacy CA.
+  ALTERNATE_PCA,  // An alternate Privacy CA specified by enterprise policy.
+};
+
 // A key name for the Enterprise Machine Key.  This key should always be stored
 // as a DEVICE_KEY.
 CHROMEOS_EXPORT extern const char kEnterpriseMachineKey[];
diff --git a/chromeos/attestation/attestation_flow.cc b/chromeos/attestation/attestation_flow.cc
index 5021ddf..7cfdc87 100644
--- a/chromeos/attestation/attestation_flow.cc
+++ b/chromeos/attestation/attestation_flow.cc
@@ -125,11 +125,12 @@ void AttestationFlow::GetCertificate(
 void AttestationFlow::StartEnroll(const base::Closure& on_failure,
                                   const base::Closure& next_task) {
   // Get the attestation service to create a Privacy CA enrollment request.
-  async_caller_->AsyncTpmAttestationCreateEnrollRequest(base::Bind(
-      &AttestationFlow::SendEnrollRequestToPCA,
-      weak_factory_.GetWeakPtr(),
-      on_failure,
-      next_task));
+  async_caller_->AsyncTpmAttestationCreateEnrollRequest(
+      server_proxy_->GetType(),
+      base::Bind(&AttestationFlow::SendEnrollRequestToPCA,
+                 weak_factory_.GetWeakPtr(),
+                 on_failure,
+                 next_task));
 }
 
 void AttestationFlow::SendEnrollRequestToPCA(const base::Closure& on_failure,
@@ -166,6 +167,7 @@ void AttestationFlow::SendEnrollResponseToDaemon(
 
   // Forward the response to the attestation service to complete enrollment.
   async_caller_->AsyncTpmAttestationEnroll(
+      server_proxy_->GetType(),
       data,
       base::Bind(&AttestationFlow::OnEnrollComplete,
                  weak_factory_.GetWeakPtr(),
@@ -201,6 +203,7 @@ void AttestationFlow::StartCertificateRequest(
   if (generate_new_key) {
     // Get the attestation service to create a Privacy CA certificate request.
     async_caller_->AsyncTpmAttestationCreateCertRequest(
+        server_proxy_->GetType(),
         certificate_profile,
         user_id,
         request_origin,
@@ -299,5 +302,11 @@ void AttestationFlow::GetExistingCertificate(
       base::Bind(&DBusDataMethodCallback, callback));
 }
 
+ServerProxy::~ServerProxy() {}
+
+PrivacyCAType ServerProxy::GetType() {
+  return DEFAULT_PCA;
+}
+
 }  // namespace attestation
 }  // namespace chromeos
diff --git a/chromeos/attestation/attestation_flow.h b/chromeos/attestation/attestation_flow.h
index 3c846db..a6c6cd2 100644
--- a/chromeos/attestation/attestation_flow.h
+++ b/chromeos/attestation/attestation_flow.h
@@ -33,11 +33,12 @@ class CHROMEOS_EXPORT ServerProxy {
  public:
   typedef base::Callback<void(bool success,
                               const std::string& data)> DataCallback;
-  virtual ~ServerProxy() {}
+  virtual ~ServerProxy();
   virtual void SendEnrollRequest(const std::string& request,
                                  const DataCallback& on_response) = 0;
   virtual void SendCertificateRequest(const std::string& request,
                                       const DataCallback& on_response) = 0;
+  virtual PrivacyCAType GetType();
 };
 
 // Implements the message flow for Chrome OS attestation tasks.  Generally this
diff --git a/chromeos/attestation/attestation_flow_unittest.cc b/chromeos/attestation/attestation_flow_unittest.cc
index 3597517..578393b 100644
--- a/chromeos/attestation/attestation_flow_unittest.cc
+++ b/chromeos/attestation/attestation_flow_unittest.cc
@@ -12,7 +12,11 @@
 #include "testing/gtest/include/gtest/gtest.h"
 
 using testing::_;
+using testing::AtLeast;
+using testing::DoDefault;
 using testing::Invoke;
+using testing::NiceMock;
+using testing::Return;
 using testing::Sequence;
 using testing::StrictMock;
 using testing::WithArgs;
@@ -79,12 +83,13 @@ TEST_F(AttestationFlowTest, GetCertificate) {
   // Use StrictMock when we want to verify invocation frequency.
   StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
   async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
-  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
       .Times(1)
       .InSequence(flow_order);
 
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
   proxy->DeferToFake(true);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
   EXPECT_CALL(*proxy, SendEnrollRequest(
       cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest,
       _)).Times(1)
@@ -93,13 +98,15 @@ TEST_F(AttestationFlowTest, GetCertificate) {
   std::string fake_enroll_response =
       cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest;
   fake_enroll_response += "_response";
-  EXPECT_CALL(async_caller, AsyncTpmAttestationEnroll(fake_enroll_response, _))
+  EXPECT_CALL(async_caller,
+              AsyncTpmAttestationEnroll(_, fake_enroll_response, _))
       .Times(1)
       .InSequence(flow_order);
 
   EXPECT_CALL(
       async_caller,
-      AsyncTpmAttestationCreateCertRequest(PROFILE_ENTERPRISE_USER_CERTIFICATE,
+      AsyncTpmAttestationCreateCertRequest(_,
+                                           PROFILE_ENTERPRISE_USER_CERTIFICATE,
                                            "fake@test.com", "fake_origin", _))
           .Times(1)
           .InSequence(flow_order);
@@ -141,7 +148,7 @@ TEST_F(AttestationFlowTest, GetCertificate) {
 TEST_F(AttestationFlowTest, GetCertificate_NoEK) {
   StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
   async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE);
-  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
       .Times(1);
 
   chromeos::MockCryptohomeClient client;
@@ -150,6 +157,7 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) {
 
   // We're not expecting any server calls in this case; StrictMock will verify.
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
 
   StrictMock<MockObserver> observer;
   EXPECT_CALL(observer, MockCertificateCallback(false, ""))
@@ -168,7 +176,7 @@ TEST_F(AttestationFlowTest, GetCertificate_NoEK) {
 TEST_F(AttestationFlowTest, GetCertificate_EKRejected) {
   StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
   async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
-  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
       .Times(1);
 
   chromeos::MockCryptohomeClient client;
@@ -177,6 +185,7 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) {
 
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
   proxy->DeferToFake(false);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
   EXPECT_CALL(*proxy, SendEnrollRequest(
       cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest,
       _)).Times(1);
@@ -198,13 +207,14 @@ TEST_F(AttestationFlowTest, GetCertificate_EKRejected) {
 TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) {
   StrictMock<cryptohome::MockAsyncMethodCaller> async_caller;
   async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
-  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_))
+  EXPECT_CALL(async_caller, AsyncTpmAttestationCreateEnrollRequest(_, _))
       .Times(1);
   std::string fake_enroll_response =
       cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest;
   fake_enroll_response += "_response";
-  EXPECT_CALL(async_caller, AsyncTpmAttestationEnroll(fake_enroll_response, _))
-      .WillOnce(WithArgs<1>(Invoke(AsyncCallbackFalse)));
+  EXPECT_CALL(async_caller,
+              AsyncTpmAttestationEnroll(_, fake_enroll_response, _))
+      .WillOnce(WithArgs<2>(Invoke(AsyncCallbackFalse)));
 
   chromeos::MockCryptohomeClient client;
   EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
@@ -212,6 +222,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailEnroll) {
 
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
   proxy->DeferToFake(true);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
   EXPECT_CALL(*proxy, SendEnrollRequest(
       cryptohome::MockAsyncMethodCaller::kFakeAttestationEnrollRequest,
       _)).Times(1);
@@ -234,7 +245,7 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) {
   async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
   EXPECT_CALL(async_caller,
               AsyncTpmAttestationCreateCertRequest(
-                  PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", _))
+                  _, PROFILE_ENTERPRISE_MACHINE_CERTIFICATE, "", "", _))
       .Times(1);
   std::string fake_cert_response =
       cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest;
@@ -253,6 +264,7 @@ TEST_F(AttestationFlowTest, GetMachineCertificateAlreadyEnrolled) {
 
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
   proxy->DeferToFake(true);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
   EXPECT_CALL(*proxy, SendCertificateRequest(
       cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest,
       _)).Times(1);
@@ -277,7 +289,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) {
   async_caller.SetUp(false, cryptohome::MOUNT_ERROR_NONE);
   EXPECT_CALL(async_caller,
               AsyncTpmAttestationCreateCertRequest(
-                  PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
+                  _, PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
       .Times(1);
 
   chromeos::MockCryptohomeClient client;
@@ -286,6 +298,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailCreateCertRequest) {
 
   // We're not expecting any server calls in this case; StrictMock will verify.
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
 
   StrictMock<MockObserver> observer;
   EXPECT_CALL(observer, MockCertificateCallback(false, "")).Times(1);
@@ -305,7 +318,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) {
   async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
   EXPECT_CALL(async_caller,
               AsyncTpmAttestationCreateCertRequest(
-                  PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
+                  _, PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
       .Times(1);
 
   chromeos::MockCryptohomeClient client;
@@ -314,6 +327,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CertRequestRejected) {
 
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
   proxy->DeferToFake(false);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
   EXPECT_CALL(*proxy, SendCertificateRequest(
       cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest,
       _)).Times(1);
@@ -341,6 +355,7 @@ TEST_F(AttestationFlowTest, GetCertificate_FailIsEnrolled) {
 
   // We're not expecting any server calls in this case; StrictMock will verify.
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
 
   StrictMock<MockObserver> observer;
   EXPECT_CALL(observer, MockCertificateCallback(false, "")).Times(1);
@@ -360,7 +375,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
   async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
   EXPECT_CALL(async_caller,
               AsyncTpmAttestationCreateCertRequest(
-                  PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
+                  _, PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", _))
       .Times(1);
   std::string fake_cert_response =
       cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest;
@@ -382,6 +397,7 @@ TEST_F(AttestationFlowTest, GetCertificate_CheckExisting) {
 
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
   proxy->DeferToFake(true);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
   EXPECT_CALL(*proxy, SendCertificateRequest(
       cryptohome::MockAsyncMethodCaller::kFakeAttestationCertRequest,
       _)).Times(1);
@@ -417,6 +433,7 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) {
 
   // We're not expecting any server calls in this case; StrictMock will verify.
   scoped_ptr<MockServerProxy> proxy(new StrictMock<MockServerProxy>());
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(DoDefault());
 
   StrictMock<MockObserver> observer;
   EXPECT_CALL(observer, MockCertificateCallback(true, "fake_cert")).Times(1);
@@ -431,5 +448,40 @@ TEST_F(AttestationFlowTest, GetCertificate_AlreadyExists) {
   Run();
 }
 
+TEST_F(AttestationFlowTest, AlternatePCA) {
+  // Strategy: Create a ServerProxy mock which reports ALTERNATE_PCA and check
+  // that all calls to the AsyncMethodCaller reflect this PCA type.
+  scoped_ptr<MockServerProxy> proxy(new NiceMock<MockServerProxy>());
+  proxy->DeferToFake(true);
+  EXPECT_CALL(*proxy, GetType()).WillRepeatedly(Return(ALTERNATE_PCA));
+
+  chromeos::MockCryptohomeClient client;
+  EXPECT_CALL(client, TpmAttestationIsEnrolled(_))
+      .WillRepeatedly(Invoke(DBusCallbackFalse));
+
+  NiceMock<cryptohome::MockAsyncMethodCaller> async_caller;
+  async_caller.SetUp(true, cryptohome::MOUNT_ERROR_NONE);
+  EXPECT_CALL(async_caller,
+              AsyncTpmAttestationCreateEnrollRequest(ALTERNATE_PCA, _))
+      .Times(AtLeast(1));
+  EXPECT_CALL(async_caller,
+              AsyncTpmAttestationEnroll(ALTERNATE_PCA, _, _))
+      .Times(AtLeast(1));
+  EXPECT_CALL(async_caller,
+              AsyncTpmAttestationCreateCertRequest(ALTERNATE_PCA, _, _, _, _))
+      .Times(AtLeast(1));
+
+  NiceMock<MockObserver> observer;
+  AttestationFlow::CertificateCallback mock_callback = base::Bind(
+      &MockObserver::MockCertificateCallback,
+      base::Unretained(&observer));
+
+  scoped_ptr<ServerProxy> proxy_interface(proxy.release());
+  AttestationFlow flow(&async_caller, &client, proxy_interface.Pass());
+  flow.GetCertificate(PROFILE_ENTERPRISE_USER_CERTIFICATE, "", "", true,
+                      mock_callback);
+  Run();
+}
+
 }  // namespace attestation
 }  // namespace chromeos
diff --git a/chromeos/attestation/mock_attestation_flow.cc b/chromeos/attestation/mock_attestation_flow.cc
index b776899..b6eda5b3 100644
--- a/chromeos/attestation/mock_attestation_flow.cc
+++ b/chromeos/attestation/mock_attestation_flow.cc
@@ -8,6 +8,7 @@
 #include "testing/gmock/include/gmock/gmock.h"
 
 using testing::_;
+using testing::DefaultValue;
 using testing::Invoke;
 
 namespace chromeos {
@@ -27,7 +28,9 @@ void FakeServerProxy::SendCertificateRequest(const std::string& request,
   callback.Run(result_, request + "_response");
 }
 
-MockServerProxy::MockServerProxy() {}
+MockServerProxy::MockServerProxy() {
+  DefaultValue<PrivacyCAType>::Set(DEFAULT_PCA);
+}
 
 MockServerProxy::~MockServerProxy() {}
 
diff --git a/chromeos/attestation/mock_attestation_flow.h b/chromeos/attestation/mock_attestation_flow.h
index 1950246..1774964 100644
--- a/chromeos/attestation/mock_attestation_flow.h
+++ b/chromeos/attestation/mock_attestation_flow.h
@@ -46,6 +46,7 @@ class MockServerProxy : public ServerProxy {
                void(const std::string&, const DataCallback&));
   MOCK_METHOD2(SendCertificateRequest,
                void(const std::string&, const DataCallback&));
+  MOCK_METHOD0(GetType, PrivacyCAType());
 
  private:
   FakeServerProxy fake_;