1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218
|
// Copyright 2017 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/ash/attestation/enrollment_id_upload_manager.h"
#include <optional>
#include <utility>
#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/location.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/time/time.h"
#include "chrome/browser/ash/attestation/attestation_ca_client.h"
#include "chrome/browser/ash/attestation/attestation_key_payload.pb.h"
#include "chromeos/ash/components/cryptohome/cryptohome_parameters.h"
#include "chromeos/ash/components/dbus/attestation/attestation_client.h"
#include "chromeos/ash/components/dbus/attestation/interface.pb.h"
#include "chromeos/ash/components/dbus/dbus_thread_manager.h"
#include "chromeos/dbus/common/dbus_callback.h"
#include "components/account_id/account_id.h"
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/cloud/cloud_policy_manager.h"
#include "components/user_manager/known_user.h"
#include "content/public/browser/browser_task_traits.h"
#include "content/public/browser/browser_thread.h"
#include "net/cert/x509_certificate.h"
namespace {
const int kRetryDelay = 5; // Seconds.
const int kRetryLimit = 100;
} // namespace
namespace ash {
namespace attestation {
EnrollmentIdUploadManager::EnrollmentIdUploadManager(
policy::CloudPolicyClient* policy_client,
EnrollmentCertificateUploader* certificate_uploader)
: EnrollmentIdUploadManager(policy_client,
DeviceSettingsService::Get(),
certificate_uploader) {}
EnrollmentIdUploadManager::EnrollmentIdUploadManager(
policy::CloudPolicyClient* policy_client,
DeviceSettingsService* device_settings_service,
EnrollmentCertificateUploader* certificate_uploader)
: device_settings_service_(device_settings_service),
policy_client_(policy_client),
certificate_uploader_(certificate_uploader),
num_retries_(0),
retry_limit_(kRetryLimit),
retry_delay_(kRetryDelay) {
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
device_settings_service_->AddObserver(this);
Start();
}
EnrollmentIdUploadManager::~EnrollmentIdUploadManager() {
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
DCHECK(device_settings_service_);
device_settings_service_->RemoveObserver(this);
}
void EnrollmentIdUploadManager::DeviceSettingsUpdated() {
DCHECK_CURRENTLY_ON(content::BrowserThread::UI);
num_retries_ = 0;
Start();
}
void EnrollmentIdUploadManager::Start() {
// If identification for enrollment isn't needed, there is nothing to do.
const enterprise_management::PolicyData* policy_data =
device_settings_service_->policy_data();
if (!policy_data || !policy_data->enrollment_id_needed())
return;
// Do not check the result of the upload request, because DMServer will
// inform us if the enrollment ID is needed the next time device policies
// are fetched.
ObtainAndUploadEnrollmentId(base::DoNothing());
}
void EnrollmentIdUploadManager::ObtainAndUploadEnrollmentId(
UploadManagerCallback callback) {
DCHECK(!callback.is_null());
bool start = upload_manager_callbacks_.empty();
upload_manager_callbacks_.push(std::move(callback));
// Do not allow multiple concurrent requests.
if (start) {
certificate_uploader_->ObtainAndUploadCertificate(base::BindOnce(
&EnrollmentIdUploadManager::OnEnrollmentCertificateUploaded,
weak_factory_.GetWeakPtr()));
}
}
void EnrollmentIdUploadManager::OnEnrollmentCertificateUploaded(
EnrollmentCertificateUploader::Status status) {
switch (status) {
case EnrollmentCertificateUploader::Status::kSuccess:
// Enrollment certificate uploaded successfully. No need to compute EID.
RunCallbacks(/*status=*/true);
break;
case EnrollmentCertificateUploader::Status::kFailedToFetch:
LOG(WARNING) << "EnrollmentIdUploadManager: Failed to fetch certificate. "
"Trying to compute and upload enrollment ID.";
GetEnrollmentId();
break;
case EnrollmentCertificateUploader::Status::kFailedToUpload:
// Enrollment certificate was fetched but not uploaded. It can be uploaded
// later so we will not proceed with computed EID.
RunCallbacks(/*status=*/false);
break;
case EnrollmentCertificateUploader::Status::kInvalidClient:
// Enrollment certificate was not uploaded due to invalid
// `CloudPolicyClient`. The certificate can be uploaded later when the
// client is working again. The manager is also not able to upload EID
// with invalid `CloudPolicyClient` so there is no reason to fall back to
// EID computation.
RunCallbacks(/*status=*/false);
break;
}
}
void EnrollmentIdUploadManager::GetEnrollmentId() {
// If we already uploaded an empty identification, we are done, because
// we asked to compute and upload it only if the PCA refused to give
// us an enrollment certificate, an error that will happen again (the
// AIK certificate sent to request an enrollment certificate does not
// contain an EID).
if (did_upload_empty_eid_) {
RunCallbacks(/*status=*/false);
return;
}
// We expect a registered CloudPolicyClient.
if (!policy_client_->is_registered()) {
LOG(ERROR) << "EnrollmentIdUploadManager: Invalid CloudPolicyClient.";
RunCallbacks(/*status=*/false);
return;
}
::attestation::GetEnrollmentIdRequest request;
request.set_ignore_cache(true);
AttestationClient::Get()->GetEnrollmentId(
request, base::BindOnce(&EnrollmentIdUploadManager::OnGetEnrollmentId,
weak_factory_.GetWeakPtr()));
}
void EnrollmentIdUploadManager::OnGetEnrollmentId(
const ::attestation::GetEnrollmentIdReply& reply) {
if (reply.status() != ::attestation::STATUS_SUCCESS) {
LOG(WARNING) << "Failed to get enrollment ID: " << reply.status();
RescheduleGetEnrollmentId();
return;
}
if (reply.enrollment_id().empty()) {
LOG(WARNING) << "EnrollmentIdUploadManager: The enrollment identifier "
"obtained is empty.";
}
policy_client_->UploadEnterpriseEnrollmentId(
reply.enrollment_id(),
base::BindOnce(&EnrollmentIdUploadManager::OnUploadComplete,
weak_factory_.GetWeakPtr(), reply.enrollment_id()));
}
void EnrollmentIdUploadManager::RescheduleGetEnrollmentId() {
if (++num_retries_ < retry_limit_) {
content::GetUIThreadTaskRunner({})->PostDelayedTask(
FROM_HERE,
base::BindOnce(&EnrollmentIdUploadManager::GetEnrollmentId,
weak_factory_.GetWeakPtr()),
base::Seconds(retry_delay_));
} else {
LOG(WARNING) << "EnrollmentIdUploadManager: Retry limit exceeded.";
RunCallbacks(/*status=*/false);
}
}
void EnrollmentIdUploadManager::OnUploadComplete(
const std::string& enrollment_id,
policy::CloudPolicyClient::Result result) {
const std::string printable_enrollment_id =
base::ToLowerASCII(base::HexEncode(enrollment_id));
if (!result.IsSuccess()) {
LOG(ERROR) << "Failed to upload Enrollment Identifier \""
<< printable_enrollment_id << "\" to DMServer.";
RunCallbacks(/*status=*/false);
return;
}
if (enrollment_id.empty())
did_upload_empty_eid_ = true;
VLOG(1) << "Enrollment Identifier \"" << printable_enrollment_id
<< "\" uploaded to DMServer.";
RunCallbacks(/*status=*/true);
}
void EnrollmentIdUploadManager::RunCallbacks(bool status) {
std::queue<UploadManagerCallback> callbacks;
callbacks.swap(upload_manager_callbacks_);
while (!callbacks.empty()) {
std::move(callbacks.front()).Run(status);
callbacks.pop();
}
}
} // namespace attestation
} // namespace ash
|