File: cert_provisioning_client.h

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (246 lines) | stat: -rw-r--r-- 9,933 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
 
// Copyright 2023 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_ASH_CERT_PROVISIONING_CERT_PROVISIONING_CLIENT_H_
#define CHROME_BROWSER_ASH_CERT_PROVISIONING_CERT_PROVISIONING_CLIENT_H_

#include <stdint.h>

#include <optional>
#include <string>
#include <vector>

#include "base/functional/callback.h"
#include "base/memory/raw_ref.h"
#include "base/memory/weak_ptr.h"
#include "base/types/expected.h"
#include "chrome/browser/ash/cert_provisioning/cert_provisioning_common.h"
#include "components/policy/core/common/cloud/cloud_policy_constants.h"
#include "components/policy/proto/device_management_backend.pb.h"

namespace policy {
class CloudPolicyClient;
}  // namespace policy

namespace ash::cert_provisioning {

// Client for Certificate Provisioning requests interfacing with the device
// management server.
class CertProvisioningClient {
 public:
  virtual ~CertProvisioningClient() = default;

  // Information identifying a Certificate Provisioning Process.
  struct ProvisioningProcess {
    ProvisioningProcess(std::string process_id,
                        CertScope cert_scope,
                        std::string cert_profile_id,
                        std::string policy_version,
                        std::vector<uint8_t> public_key);
    ~ProvisioningProcess();

    ProvisioningProcess& operator=(const ProvisioningProcess& other) = delete;
    ProvisioningProcess(const ProvisioningProcess& other) = delete;

    ProvisioningProcess(ProvisioningProcess&& other);
    ProvisioningProcess& operator=(ProvisioningProcess&& other);

    bool operator==(const ProvisioningProcess& other) const;

    // If you add/remove fields, don't forget to adapt kFieldCount!
    std::string process_id;
    CertScope cert_scope;
    std::string cert_profile_id;
    std::string policy_version;
    std::vector<uint8_t> public_key;

    // This must match the number of fields this struct has.
    // Used as a change detector to remind you to take a look e.g. at
    // operator==.
    static constexpr int kFieldCount = 5;
  };

  struct Error {
    policy::DeviceManagementStatus device_management_status;
    enterprise_management::CertProvBackendError backend_error;
  };

  using CertProvGetNextInstructionResponse =
      enterprise_management::CertProvGetNextInstructionResponse;

  using StartCsrCallback = base::OnceCallback<void(
      policy::DeviceManagementStatus status,
      std::optional<enterprise_management::
                        ClientCertificateProvisioningResponse::Error> error,
      std::optional<int64_t> try_later,
      const std::string& invalidation_topic,
      const std::string& va_challenge,
      enterprise_management::HashingAlgorithm hash_algorithm,
      std::vector<uint8_t> data_to_sign)>;

  using FinishCsrCallback = base::OnceCallback<void(
      policy::DeviceManagementStatus status,
      std::optional<enterprise_management::
                        ClientCertificateProvisioningResponse::Error> error,
      std::optional<int64_t> try_later)>;

  using DownloadCertCallback = base::OnceCallback<void(
      policy::DeviceManagementStatus status,
      std::optional<enterprise_management::
                        ClientCertificateProvisioningResponse::Error> error,
      std::optional<int64_t> try_later,
      const std::string& pem_encoded_certificate)>;

  using StartCallback = base::OnceCallback<void(
      base::expected<enterprise_management::CertProvStartResponse, Error>
          result)>;

  using NextInstructionCallback = base::OnceCallback<void(
      base::expected<CertProvGetNextInstructionResponse, Error> result)>;

  using AuthorizeCallback =
      base::OnceCallback<void(base::expected<void, Error> result)>;

  using UploadProofOfPossessionCallback =
      base::OnceCallback<void(base::expected<void, Error> result)>;

  virtual void Start(ProvisioningProcess provisioning_process,
                     StartCallback callback) = 0;

  virtual void GetNextInstruction(ProvisioningProcess provisioning_process,
                                  NextInstructionCallback callback) = 0;

  virtual void Authorize(ProvisioningProcess provisioning_process,
                         std::string va_challenge_response,
                         AuthorizeCallback callback) = 0;

  virtual void UploadProofOfPossession(
      ProvisioningProcess provisioning_process,
      std::string signature,
      UploadProofOfPossessionCallback callback) = 0;

  // Sends certificate provisioning start csr request. It is Step 1 in the
  // certificate provisioning flow. |cert_scope| defines if it is a user- or
  // device-level request, |cert_profile_id| defines for which profile from
  // policies the request applies, |public_key| is used to build the CSR.
  // |callback| will be called when the operation completes. It is expected to
  // receive the CSR and VA challenge.
  virtual void StartCsr(ProvisioningProcess provisioning_process,
                        StartCsrCallback callback) = 0;

  // Sends certificate provisioning finish csr request. It is Step 2 in the
  // certificate provisioning flow. |cert_scope| defines if it is a user- or
  // device-level request, |cert_profile_id| and |public_key| define the
  // provisioning flow that should be continued. |va_challenge_response| is a
  // challenge response to the challenge from the previous step. |signature| is
  // cryptographic signature of the CSR from the previous step, the algorithm
  // for it is defined in a corresponding certificate profile. |callback| will
  // be called when the operation completes. It is expected to receive a
  // confirmation that the request is accepted.
  virtual void FinishCsr(ProvisioningProcess provisioning_process,
                         std::string va_challenge_response,
                         std::string signature,
                         FinishCsrCallback callback) = 0;

  // Sends certificate provisioning download certificate request. It is Step 3
  // (final) in the certificate provisioning flow. |cert_scope|,
  // |cert_profile_id|, |public_key| are the same as for finish csr request.
  // |callback| will be called when the operation completes. It is expected to
  // receive a certificate that was issued according to the CSR that was
  // generated during previous steps.
  virtual void DownloadCert(ProvisioningProcess provisioning_process,
                            DownloadCertCallback callback) = 0;
};

class CertProvisioningClientImpl : public CertProvisioningClient {
 public:
  // The caller must ensure that `cloud_policy_client` remains valid as long as
  // this instance exists.
  explicit CertProvisioningClientImpl(
      policy::CloudPolicyClient& cloud_policy_client);
  CertProvisioningClientImpl(const CertProvisioningClientImpl&) = delete;
  CertProvisioningClientImpl& operator=(const CertProvisioningClientImpl&) =
      delete;
  ~CertProvisioningClientImpl() override;

  void Start(ProvisioningProcess provisioning_process,
             StartCallback callback) override;

  void GetNextInstruction(ProvisioningProcess provisioning_process,
                          NextInstructionCallback callback) override;

  void Authorize(ProvisioningProcess provisioning_process,
                 std::string va_challenge_response,
                 AuthorizeCallback callback) override;

  void UploadProofOfPossession(
      ProvisioningProcess provisioning_process,
      std::string signature,
      UploadProofOfPossessionCallback callback) override;

  void StartCsr(ProvisioningProcess provisioning_process,
                StartCsrCallback callback) override;

  void FinishCsr(ProvisioningProcess provisioning_process,
                 std::string va_challenge_response,
                 std::string signature,
                 FinishCsrCallback callback) override;

  void DownloadCert(ProvisioningProcess provisioning_process,
                    DownloadCertCallback callback) override;

 private:
  void FillCommonRequestData(
      ProvisioningProcess provisioning_process,
      enterprise_management::ClientCertificateProvisioningRequest& out_request);

  void OnStartResponse(
      StartCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);

  void OnGetNextInstructionResponse(
      NextInstructionCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);

  void OnAuthorizeResponse(
      AuthorizeCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);

  void OnUploadProofOfPossessionResponse(
      UploadProofOfPossessionCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);

  void OnStartCsrResponse(
      StartCsrCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);
  void OnFinishCsrResponse(
      FinishCsrCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);
  void OnDownloadCertResponse(
      DownloadCertCallback callback,
      policy::DeviceManagementStatus status,
      const enterprise_management::ClientCertificateProvisioningResponse&
          response);

  // Unowned.
  const raw_ref<policy::CloudPolicyClient> cloud_policy_client_;

  base::WeakPtrFactory<CertProvisioningClientImpl> weak_ptr_factory_{this};
};

}  // namespace ash::cert_provisioning

#endif  // CHROME_BROWSER_ASH_CERT_PROVISIONING_CERT_PROVISIONING_CLIENT_H_