1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
|
// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_CLIENT_H_
#define CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_CLIENT_H_
#include <map>
#include <set>
#include <string>
#include "base/basictypes.h"
#include "base/callback.h"
#include "base/memory/scoped_ptr.h"
#include "base/observer_list.h"
#include "base/time/time.h"
#include "chrome/browser/policy/cloud/cloud_policy_constants.h"
#include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
namespace net {
class URLRequestContextGetter;
}
namespace policy {
class DeviceManagementRequestJob;
class DeviceManagementService;
// Implements the core logic required to talk to the device management service.
// Also keeps track of the current state of the association with the service,
// such as whether there is a valid registration (DMToken is present in that
// case) and whether and what errors occurred in the latest request.
//
// Note that CloudPolicyClient doesn't do any validation of policy responses
// such as signature and time stamp checks. These happen once the policy gets
// installed in the cloud policy cache.
class CloudPolicyClient {
public:
// Maps a PolicyNamespaceKey to its corresponding PolicyFetchResponse.
typedef std::map<PolicyNamespaceKey,
enterprise_management::PolicyFetchResponse*> ResponseMap;
// A callback which receives boolean status of an operation. If the operation
// succeeded, |status| is true.
typedef base::Callback<void(bool status)> StatusCallback;
// Observer interface for state and policy changes.
class Observer {
public:
virtual ~Observer();
// Called when a policy fetch completes successfully. If a policy fetch
// triggers an error, OnClientError() will fire.
virtual void OnPolicyFetched(CloudPolicyClient* client) = 0;
// Called upon registration state changes. This callback is invoked for
// successful completion of registration and unregistration requests.
virtual void OnRegistrationStateChanged(CloudPolicyClient* client) = 0;
// Called when a request for device robot OAuth2 authorization tokens
// returns successfully. Only occurs during enrollment. Optional
// (default implementation is a noop).
virtual void OnRobotAuthCodesFetched(CloudPolicyClient* client);
// Indicates there's been an error in a previously-issued request.
virtual void OnClientError(CloudPolicyClient* client) = 0;
};
// Delegate interface for supplying status information to upload to the server
// as part of the policy fetch request.
class StatusProvider {
public:
virtual ~StatusProvider();
// Retrieves status information to send with the next policy fetch.
// Implementations must return true if status information was filled in.
virtual bool GetDeviceStatus(
enterprise_management::DeviceStatusReportRequest* status) = 0;
virtual bool GetSessionStatus(
enterprise_management::SessionStatusReportRequest* status) = 0;
// Called after the status information has successfully been submitted to
// the server.
virtual void OnSubmittedSuccessfully() = 0;
};
// |provider| and |service| are weak pointers and it's the caller's
// responsibility to keep them valid for the lifetime of CloudPolicyClient.
CloudPolicyClient(
const std::string& machine_id,
const std::string& machine_model,
UserAffiliation user_affiliation,
StatusProvider* provider,
DeviceManagementService* service,
scoped_refptr<net::URLRequestContextGetter> request_context);
virtual ~CloudPolicyClient();
// Sets the DMToken, thereby establishing a registration with the server. A
// policy fetch is not automatically issued but can be requested by calling
// FetchPolicy().
virtual void SetupRegistration(const std::string& dm_token,
const std::string& client_id);
// Attempts to register with the device management service. Results in a
// registration change or error notification.
virtual void Register(
enterprise_management::DeviceRegisterRequest::Type registration_type,
const std::string& auth_token,
const std::string& client_id,
bool is_auto_enrollment,
const std::string& requisition);
// Sets information about a policy invalidation. Subsequent fetch operations
// will use the given info, and callers can use fetched_invalidation_version
// to determine which version of policy was fetched.
void SetInvalidationInfo(int64 version, const std::string& payload);
// Requests a policy fetch. The client being registered is a prerequisite to
// this operation and this call will CHECK if the client is not in registered
// state. FetchPolicy() triggers a policy fetch from the cloud. A policy
// change notification is reported to the observers and the new policy blob
// can be retrieved once the policy fetch operation completes. In case of
// multiple requests to fetch policy, new requests will cancel any pending
// requests and the latest request will eventually trigger notifications.
virtual void FetchPolicy();
// Requests OAuth2 auth codes for the device robot account. The client being
// registered is a prerequisite to this operation and this call will CHECK if
// the client is not in registered state.
virtual void FetchRobotAuthCodes(const std::string& auth_token);
// Sends an unregistration request to the server.
virtual void Unregister();
// Upload a device certificate to the server. Like FetchPolicy, this method
// requires that the client is in a registered state. |certificate_data| must
// hold the X.509 certificate data to be sent to the server. The |callback|
// will be called when the operation completes.
virtual void UploadCertificate(const std::string& certificate_data,
const StatusCallback& callback);
// Adds an observer to be called back upon policy and state changes.
void AddObserver(Observer* observer);
// Removes the specified observer.
void RemoveObserver(Observer* observer);
void set_submit_machine_id(bool submit_machine_id) {
submit_machine_id_ = submit_machine_id;
}
void set_last_policy_timestamp(const base::Time& timestamp) {
last_policy_timestamp_ = timestamp;
}
void set_public_key_version(int public_key_version) {
public_key_version_ = public_key_version;
public_key_version_valid_ = true;
}
void clear_public_key_version() {
public_key_version_valid_ = false;
}
// FetchPolicy() calls will request this policy namespace.
void AddNamespaceToFetch(const PolicyNamespaceKey& policy_ns_key);
// FetchPolicy() calls won't request the given policy namespace anymore.
void RemoveNamespaceToFetch(const PolicyNamespaceKey& policy_ns_key);
// Whether the client is registered with the device management service.
bool is_registered() const { return !dm_token_.empty(); }
const std::string& dm_token() const { return dm_token_; }
const std::string& client_id() const { return client_id_; }
// The device mode as received in the registration request.
DeviceMode device_mode() const { return device_mode_; }
// The policy responses as obtained by the last request to the cloud. These
// policies haven't gone through verification, so their contents cannot be
// trusted. Use CloudPolicyStore::policy() and CloudPolicyStore::policy_map()
// instead for making policy decisions.
const ResponseMap& responses() const {
return responses_;
}
// Returns the policy response for |policy_ns_key|, if found in |responses()|;
// otherwise returns NULL.
const enterprise_management::PolicyFetchResponse* GetPolicyFor(
const PolicyNamespaceKey& policy_ns_key) const;
DeviceManagementStatus status() const {
return status_;
}
const std::string& robot_api_auth_code() const {
return robot_api_auth_code_;
}
// Returns the invalidation version that was used for the last FetchPolicy.
// Observers can call this method from their OnPolicyFetched method to
// determine which at which invalidation version the policy was fetched.
int64 fetched_invalidation_version() const {
return fetched_invalidation_version_;
}
scoped_refptr<net::URLRequestContextGetter> GetRequestContext();
protected:
// A set of PolicyNamespaceKeys to fetch.
typedef std::set<PolicyNamespaceKey> NamespaceSet;
// Callback for retries of registration requests.
void OnRetryRegister(DeviceManagementRequestJob* job);
// Callback for registration requests.
void OnRegisterCompleted(
DeviceManagementStatus status,
int net_error,
const enterprise_management::DeviceManagementResponse& response);
// Callback for policy fetch requests.
void OnPolicyFetchCompleted(
DeviceManagementStatus status,
int net_error,
const enterprise_management::DeviceManagementResponse& response);
// Callback for robot account api authorization requests.
void OnFetchRobotAuthCodesCompleted(
DeviceManagementStatus status,
int net_error,
const enterprise_management::DeviceManagementResponse& response);
// Callback for unregistration requests.
void OnUnregisterCompleted(
DeviceManagementStatus status,
int net_error,
const enterprise_management::DeviceManagementResponse& response);
// Callback for certificate upload requests.
void OnCertificateUploadCompleted(
const StatusCallback& callback,
DeviceManagementStatus status,
int net_error,
const enterprise_management::DeviceManagementResponse& response);
// Observer notification helpers.
void NotifyPolicyFetched();
void NotifyRegistrationStateChanged();
void NotifyRobotAuthCodesFetched();
void NotifyClientError();
// Data necessary for constructing policy requests.
const std::string machine_id_;
const std::string machine_model_;
const UserAffiliation user_affiliation_;
NamespaceSet namespaces_to_fetch_;
std::string dm_token_;
DeviceMode device_mode_;
std::string client_id_;
bool submit_machine_id_;
base::Time last_policy_timestamp_;
int public_key_version_;
bool public_key_version_valid_;
std::string robot_api_auth_code_;
// Information for the latest policy invalidation received.
int64 invalidation_version_;
std::string invalidation_payload_;
// The invalidation version used for the most recent fetch operation.
int64 fetched_invalidation_version_;
// Used for issuing requests to the cloud.
DeviceManagementService* service_;
scoped_ptr<DeviceManagementRequestJob> request_job_;
// Status upload data is produced by |status_provider_|.
StatusProvider* status_provider_;
// The policy responses returned by the last policy fetch operation.
ResponseMap responses_;
DeviceManagementStatus status_;
ObserverList<Observer, true> observers_;
scoped_refptr<net::URLRequestContextGetter> request_context_;
private:
DISALLOW_COPY_AND_ASSIGN(CloudPolicyClient);
};
} // namespace policy
#endif // CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_CLIENT_H_
|
