blob: 6d897228622f529fd412a8a5ebf7dea2a9477eaa (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
|
// Copyright (c) 2011 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/policy/enterprise_install_attributes.h"
#include "base/logging.h"
#include "chrome/browser/chromeos/cros/cryptohome_library.h"
namespace {
const char kAttrEnterpriseOwned[] = "enterprise.owned";
const char kAttrEnterpriseUser[] = "enterprise.user";
} // namespace
namespace policy {
EnterpriseInstallAttributes::EnterpriseInstallAttributes(
chromeos::CryptohomeLibrary* cryptohome)
: cryptohome_(cryptohome),
device_locked_(false) {}
EnterpriseInstallAttributes::LockResult EnterpriseInstallAttributes::LockDevice(
const std::string& user) {
// Check for existing lock first.
if (device_locked_) {
return !registration_user_.empty() && user == registration_user_ ?
LOCK_SUCCESS : LOCK_WRONG_USER;
}
if (!cryptohome_ || !cryptohome_->InstallAttributesIsReady())
return LOCK_NOT_READY;
// Clearing the TPM password seems to be always a good deal.
if (cryptohome_->TpmIsEnabled() &&
!cryptohome_->TpmIsBeingOwned() &&
cryptohome_->TpmIsOwned()) {
cryptohome_->TpmClearStoredPassword();
}
// Make sure we really have a working InstallAttrs.
if (cryptohome_->InstallAttributesIsInvalid()) {
LOG(ERROR) << "Install attributes invalid.";
return LOCK_BACKEND_ERROR;
}
if (!cryptohome_->InstallAttributesIsFirstInstall())
return LOCK_WRONG_USER;
// Set values in the InstallAttrs and lock it.
if (!cryptohome_->InstallAttributesSet(kAttrEnterpriseOwned, "true") ||
!cryptohome_->InstallAttributesSet(kAttrEnterpriseUser, user)) {
LOG(ERROR) << "Failed writing attributes";
return LOCK_BACKEND_ERROR;
}
if (!cryptohome_->InstallAttributesFinalize() ||
cryptohome_->InstallAttributesIsFirstInstall() ||
GetRegistrationUser() != user) {
LOG(ERROR) << "Failed locking.";
return LOCK_BACKEND_ERROR;
}
return LOCK_SUCCESS;
}
bool EnterpriseInstallAttributes::IsEnterpriseDevice() {
ReadImmutableAttributes();
return device_locked_ && !registration_user_.empty();
}
std::string EnterpriseInstallAttributes::GetRegistrationUser() {
ReadImmutableAttributes();
if (!device_locked_)
return std::string();
return registration_user_;
}
std::string EnterpriseInstallAttributes::GetDomain() {
if (!IsEnterpriseDevice())
return std::string();
std::string domain;
size_t pos = registration_user_.find('@');
if (pos != std::string::npos)
domain = registration_user_.substr(pos + 1);
return domain;
}
void EnterpriseInstallAttributes::ReadImmutableAttributes() {
if (device_locked_)
return;
if (cryptohome_ &&
cryptohome_->InstallAttributesIsReady() &&
!cryptohome_->InstallAttributesIsInvalid() &&
!cryptohome_->InstallAttributesIsFirstInstall()) {
device_locked_ = true;
std::string enterprise_owned;
std::string enterprise_user;
if (cryptohome_->InstallAttributesGet(kAttrEnterpriseOwned,
&enterprise_owned) &&
cryptohome_->InstallAttributesGet(kAttrEnterpriseUser,
&enterprise_user) &&
enterprise_owned == "true" &&
!enterprise_user.empty()) {
registration_user_ = enterprise_user;
}
}
}
} // namespace policy
|
