1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
|
// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef COMPONENTS_ENTERPRISE_BROWSER_CONTROLLER_CHROME_BROWSER_CLOUD_MANAGEMENT_CONTROLLER_H_
#define COMPONENTS_ENTERPRISE_BROWSER_CONTROLLER_CHROME_BROWSER_CLOUD_MANAGEMENT_CONTROLLER_H_
#include <memory>
#include <string>
#include "base/files/file_path.h"
#include "base/functional/callback_forward.h"
#include "base/memory/ref_counted.h"
#include "base/memory/weak_ptr.h"
#include "base/observer_list.h"
#include "base/task/single_thread_task_runner.h"
#include "base/time/time.h"
#include "build/build_config.h"
#include "components/enterprise/browser/device_trust/device_trust_key_manager.h"
#include "components/enterprise/browser/reporting/reporting_delegate_factory.h"
#include "components/enterprise/client_certificates/core/certificate_provisioning_service.h"
#include "components/policy/core/common/cloud/chrome_browser_cloud_management_metrics.h"
#include "components/policy/core/common/cloud/cloud_policy_client.h"
#include "components/policy/core/common/policy_service.h"
class PrefService;
namespace network {
class NetworkConnectionTracker;
class SharedURLLoaderFactory;
} // namespace network
namespace enterprise_reporting {
class ReportScheduler;
} // namespace enterprise_reporting
namespace client_certificates {
class CertificateProvisioningService;
} // namespace client_certificates
namespace policy {
class ChromeBrowserCloudManagementRegistrar;
class ClientDataDelegate;
class ConfigurationPolicyProvider;
class MachineLevelUserCloudPolicyManager;
class MachineLevelUserCloudPolicyFetcher;
// A class that setups and manages all CBCM related features.
// Notes on threading and lifetime: This object lives on the UI thread and is
// owned by |g_browser_process|.
class ChromeBrowserCloudManagementController
: public CloudPolicyClient::Observer {
public:
// Chrome browser cloud management enrollment result.
enum class RegisterResult {
kNoEnrollmentNeeded, // The device won't be enrolled without an enrollment
// token.
kEnrollmentSuccessBeforeDialogDisplayed, // The enrollment process is
// finished before dialog
// displayed.
kEnrollmentSuccess, // The device has been enrolled successfully
kQuitDueToFailure, // The enrollment has failed or aborted, user choose to
// quit Chrome.
kRestartDueToFailure, // The enrollment has failed, user choose to restart
kEnrollmentFailedSilently, // The enrollment has failed, admin choose to
// ignore the error message.
kEnrollmentFailedSilentlyBeforeDialogDisplayed, // The enrollment has
// failed before dialog
// displayed, admin choose
// to ignore the error
// message.
};
class Delegate {
public:
using NetworkConnectionTrackerGetter =
base::RepeatingCallback<network::NetworkConnectionTracker*()>;
Delegate() = default;
Delegate(const Delegate&) = delete;
Delegate& operator=(const Delegate&) = delete;
virtual ~Delegate() = default;
// Sets the platform-specific DM token storage delegate;
virtual void SetDMTokenStorageDelegate() = 0;
// Returns the platform-specific DIR_USER_DATA value to pass to the
// PathService.
virtual int GetUserDataDirKey() = 0;
// Returns the platform-specific file path, if any, of the browser policy
// cache file that is fetched by external binaries. For example, on Windows,
// the external policy cache is fetched by Google Update.
virtual base::FilePath GetExternalPolicyDir() = 0;
// Returns a RepeatingCallback to get the platform-specific
// NetworkConnectionTracker.
virtual NetworkConnectionTrackerGetter
CreateNetworkConnectionTrackerGetter() = 0;
// Initializes the OAuth2 token service factory for policy invalidations.
virtual void InitializeOAuthTokenFactory(
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory,
PrefService* local_state) = 0;
// Creates the RegisterWatcher. Only needed on desktop for now.
virtual void StartWatchingRegistration(
ChromeBrowserCloudManagementController* controller) = 0;
// Returns true if enrollment was successful.
virtual bool WaitUntilPolicyEnrollmentFinished() = 0;
// Returns true if the startup dialog is showing.
virtual bool IsEnterpriseStartupDialogShowing() = 0;
// Starts the policy invalidation service.
virtual void OnServiceAccountSet(CloudPolicyClient* client,
const std::string& account_email) = 0;
// Performs clean-up during shutdown.
virtual void ShutDown() = 0;
// Gets the platform-specific machine-level policy manager.
virtual MachineLevelUserCloudPolicyManager*
GetMachineLevelUserCloudPolicyManager() = 0;
// Gets the platform-specific device management service.
virtual DeviceManagementService* GetDeviceManagementService() = 0;
// Gets the platform-specific URL loader factory.
virtual scoped_refptr<network::SharedURLLoaderFactory>
GetSharedURLLoaderFactory() = 0;
// Returns a BestEffort Task Runner, bound to the UI thread like the rest of
// this class, that is meant to be used to schedule asynchronous tasks
// during startup.
virtual scoped_refptr<base::SingleThreadTaskRunner>
GetBestEffortTaskRunner() = 0;
// Gets the platform-specific reporting delegate factory.
virtual std::unique_ptr<enterprise_reporting::ReportingDelegateFactory>
GetReportingDelegateFactory() = 0;
// Creates a platform-specific DeviceTrustKeyManager instance.
virtual std::unique_ptr<enterprise_connectors::DeviceTrustKeyManager>
CreateDeviceTrustKeyManager();
// Creates a platform-specific client certificate provisioning service
// instance.
virtual std::unique_ptr<client_certificates::CertificateProvisioningService>
CreateCertificateProvisioningService();
// Sets the SharedURLLoaderFactory that this object will use to make
// requests to GAIA.
virtual void SetGaiaURLLoaderFactory(
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory) = 0;
// Returns true if the cloud policy manager can be created rightaway of if
// it should be deferred for some reason depending on the platform (e.g. on
// Android it should wait for PolicyService initialization).
virtual bool ReadyToCreatePolicyManager() = 0;
// Returns true if controller initialization can proceed, and false it it
// needs to be deferred. On platforms where controller initialization isn't
// blocked, this method should return true.
virtual bool ReadyToInit() = 0;
// Returns the platform-specific client data delegate.
virtual std::unique_ptr<ClientDataDelegate> CreateClientDataDelegate() = 0;
// Postpones controller initialization until |ReadyToInit()| is true.
// Implemented in the delegate because the reason why initialization needs
// to be deferred may vary across platforms.
virtual void DeferInitialization(base::OnceClosure init_callback);
};
class Observer {
public:
virtual ~Observer() = default;
// Called when policy enrollment is finished.
// |succeeded| is true if |dm_token| is returned from the server.
virtual void OnPolicyRegisterFinished(bool succeeded) {}
// Called when the browser has been unenrolled.
virtual void OnBrowserUnenrolled(bool succeeded) {}
// Called when the cloud reporting is launched.
virtual void OnCloudReportingLaunched(
enterprise_reporting::ReportScheduler* report_scheduler) {}
// Called when enrollment result is recorded.
virtual void OnEnrollmentResultRecorded() {}
// Called when shutting down.
virtual void OnShutdown() {}
};
// Directory name under the user-data-dir where the policy data is stored.
static const base::FilePath::CharType kPolicyDir[];
explicit ChromeBrowserCloudManagementController(
std::unique_ptr<ChromeBrowserCloudManagementController::Delegate>
delegate);
ChromeBrowserCloudManagementController(
const ChromeBrowserCloudManagementController&) = delete;
ChromeBrowserCloudManagementController& operator=(
const ChromeBrowserCloudManagementController&) = delete;
~ChromeBrowserCloudManagementController() override;
// The Chrome browser cloud management is only enabled on Chrome by default.
// However, it can be enabled on Chromium by command line switch for test and
// development purpose.
static bool IsEnabled();
// Returns a MachineLevelUserCloudPolicyManager instance if cloud management
// is enabled, or nullptr otherwise.
// TODO(http://crbug.com/1221173): Consider deprecating this method (still
// used on iOS) in favor of DeferrableCreatePolicyManager.
std::unique_ptr<MachineLevelUserCloudPolicyManager> CreatePolicyManager(
ConfigurationPolicyProvider* platform_provider);
// Invokes |callback| with a MachineLevelUserCloudPolicyManager instance if
// cloud management is enabled, or with nullptr otherwise. Callback invocation
// may be deferred if it can't be determined rightaway if cloud management
// is enabled (e.g. on Android).
void DeferrableCreatePolicyManager(
ConfigurationPolicyProvider* platform_provider,
base::OnceCallback<
void(std::unique_ptr<MachineLevelUserCloudPolicyManager>)> callback);
void Init(PrefService* local_state,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory);
void MaybeInit(
PrefService* local_state,
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory);
bool WaitUntilPolicyEnrollmentFinished();
void AddObserver(Observer* observer);
void RemoveObserver(Observer* observer);
// Returns whether the enterprise startup dialog is being diaplayed.
bool IsEnterpriseStartupDialogShowing();
// Unenrolls the browser from cloud management by either invalidating or
// deleting the stored DMToken.
void UnenrollBrowser(bool delete_dm_token);
// CloudPolicyClient::Observer implementation:
void OnClientError(CloudPolicyClient* client) override;
void OnServiceAccountSet(CloudPolicyClient* client,
const std::string& account_email) override;
// Early cleanup during browser shutdown process
void ShutDown();
// Returns the device trust key manager. Returns nullptr if the Device Trust
// feature flag isn't enabled.
enterprise_connectors::DeviceTrustKeyManager* GetDeviceTrustKeyManager();
// Returns a client certificate provisioning service.
client_certificates::CertificateProvisioningService*
GetCertificateProvisioningService();
// Sets the SharedURLLoaderFactory that this will be used to make requests to
// GAIA.
void SetGaiaURLLoaderFactory(
scoped_refptr<network::SharedURLLoaderFactory> url_loader_factory);
enterprise_reporting::ReportScheduler* report_scheduler() {
return report_scheduler_.get();
}
protected:
void NotifyPolicyRegisterFinished(bool succeeded);
void NotifyBrowserUnenrolled(bool succeeded);
void NotifyCloudReportingLaunched();
void NotifyShutdown();
private:
bool GetEnrollmentTokenAndClientId(std::string* enrollment_token,
std::string* client_id);
void RegisterForCloudManagementWithEnrollmentTokenCallback(
const std::string& dm_token,
const std::string& client_id);
void InvalidatePolicies();
void UnenrollCallback(const std::string& metric_name, bool success);
void CreateReportScheduler();
// Implementation of |DeferrableCreatePolicyManager| that can be invoked right
// away or bound to a callback to be executed later.
void DeferrableCreatePolicyManagerImpl(
ConfigurationPolicyProvider* platform_provider,
base::OnceCallback<
void(std::unique_ptr<MachineLevelUserCloudPolicyManager>)> callback);
// Logs enrollment result to histogram
// `Enterprise.MachineLevelUserCloudPolicyEnrollment.Result`.
void RecordEnrollmentResult(
ChromeBrowserCloudManagementEnrollmentResult result);
base::ObserverList<Observer, true>::Unchecked observers_;
std::unique_ptr<Delegate> delegate_;
std::unique_ptr<ChromeBrowserCloudManagementRegistrar>
cloud_management_registrar_;
std::unique_ptr<MachineLevelUserCloudPolicyFetcher> policy_fetcher_;
// Time at which the enrollment process was started. Used to log UMA metric.
base::Time enrollment_start_time_;
std::unique_ptr<enterprise_reporting::ReportScheduler> report_scheduler_;
std::unique_ptr<CloudPolicyClient> cloud_policy_client_;
std::unique_ptr<ClientDataDelegate> client_data_delegate_;
// Holds a callback to the function that will consume the
// MachineLevelUserCloudPolicyManager object once it's created.
// This allows creation to be deferred on platforms in which the enrollment
// token may not be immediately available (e.g. Android).
base::OnceClosure create_cloud_policy_manager_callback_;
std::unique_ptr<enterprise_connectors::DeviceTrustKeyManager>
device_trust_key_manager_;
std::unique_ptr<client_certificates::CertificateProvisioningService>
certificate_provisioning_service_;
base::WeakPtrFactory<ChromeBrowserCloudManagementController> weak_factory_{
this};
};
} // namespace policy
#endif // COMPONENTS_ENTERPRISE_BROWSER_CONTROLLER_CHROME_BROWSER_CLOUD_MANAGEMENT_CONTROLLER_H_
|
