// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include <map>
#include <memory>
#include <string>
#include "base/callback_forward.h"
#include "base/macros.h"
#include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
#include "components/policy/core/common/cloud/cloud_policy_constants.h"
// Forward declarations. GoogleServiceAuthError carries the failure reported by
// EnrollmentStatusConsumer::OnAuthError(); the policy types below are used in
// the Create() signature and in EnrollmentStatusConsumer::OnEnrollmentError().
class GoogleServiceAuthError;
namespace policy {
struct EnrollmentConfig;
class EnrollmentStatus;
} // namespace policy
namespace chromeos {
// Maps a license type to number of available licenses.
// Handed to EnrollmentStatusConsumer::OnMultipleLicensesAvailable() when the
// admin lets the user pick a license type; the consumer answers by calling
// EnterpriseEnrollmentHelper::UseLicenseType() with one of the map's keys.
using EnrollmentLicenseMap = std::map<policy::LicenseType, int>;
// Forward-declared only; this header passes it through Create() as a raw
// pointer and never dereferences it.
class ActiveDirectoryJoinDelegate;
// This class enrolls the device into an enterprise domain, using either a
// profile containing authentication data or an OAuth token (see the
// EnrollUsing* methods below for the supported credential types).
// It can also clear authentication data from the profile and revoke tokens
// that are no longer needed (see ClearAuth()).
class EnterpriseEnrollmentHelper {
// NOTE(review): this listing appears to be missing the class's access
// specifiers, the enumerators of OtherError, the right-hand side of the
// EnrollmentCallback alias, a parameter name in CreateMockEnrollmentHelper,
// the closing braces of the nested declarations and of the class itself, and
// (base/macros.h is included) probably a DISALLOW_COPY_AND_ASSIGN. Confirm the
// structure against the original header before relying on what is shown here.
using EnrollmentCallback =
// Enumeration of the possible errors that can occur during enrollment which
// are not covered by GoogleServiceAuthError or EnrollmentStatus. Reported to
// the consumer through EnrollmentStatusConsumer::OnOtherError().
enum OtherError {
// Existing enrollment domain doesn't match authentication user.
// This is a security check rather than a cosmetic one: a device that is
// already enrolled into one domain is not handed over to a user from another
// domain; the mismatch is surfaced as an error instead of proceeding.
// Unexpected error condition, indicates a bug in the code.
// Observer interface through which the helper reports progress and failures.
// The helper keeps only a raw, non-owning pointer to its consumer, so the
// consumer must outlive the helper (see the constructor comment below).
class EnrollmentStatusConsumer {
virtual ~EnrollmentStatusConsumer() = default;
// Called when an error happens on attempt to receive authentication tokens
// (for example while exchanging the auth code given to EnrollUsingAuthCode()).
virtual void OnAuthError(const GoogleServiceAuthError& error) = 0;
// Called when there are multiple license types available for enrollment,
// and admin allowed user to choose license type to assign.
// Enrollment is paused, and will resume once UseLicenseType() is called.
// |licenses| maps each selectable license type to its available count.
virtual void OnMultipleLicensesAvailable(
const EnrollmentLicenseMap& licenses) = 0;
// Called when an error happens during enrollment (server / policy side).
virtual void OnEnrollmentError(policy::EnrollmentStatus status) = 0;
// Called when some other error happens, i.e. one of the OtherError values
// above (domain mismatch, internal bug).
virtual void OnOtherError(OtherError error) = 0;
// Called when enrollment finishes successfully.
virtual void OnDeviceEnrolled() = 0;
// Called when device attribute update permission granted,
// |granted| indicates whether permission granted or not. Completion of
// GetDeviceAttributeUpdatePermission().
virtual void OnDeviceAttributeUpdatePermission(bool granted) = 0;
// Called when device attribute upload finishes. |success| indicates
// whether it is successful or not. Completion of UpdateDeviceAttributes().
virtual void OnDeviceAttributeUploadCompleted(bool success) = 0;
// Called when steps required to fully restore enrollment steps after
// version rollback are completed. Completion of RestoreAfterRollback().
virtual void OnRestoreAfterRollbackCompleted() = 0;
// Factory method. Caller takes ownership of the returned object.
// |status_consumer| is stored as a non-owning pointer and must outlive the
// returned helper. |ad_join_delegate| is presumably held the same way — confirm
// in the implementation. |enrolling_user_domain| is the domain of the user
// performing enrollment; presumably this is what an existing enrollment domain
// is compared against to detect the domain-mismatch OtherError — confirm.
// If SetupEnrollmentHelperMock() has been called, the installed creator is
// used instead of the production implementation (see
// |create_mock_enrollment_helper_|).
static std::unique_ptr<EnterpriseEnrollmentHelper> Create(
EnrollmentStatusConsumer* status_consumer,
ActiveDirectoryJoinDelegate* ad_join_delegate,
const policy::EnrollmentConfig& enrollment_config,
const std::string& enrolling_user_domain);
// Signature of a test-supplied replacement for the production allocator.
// NOTE(review): as listed, the second parameter has no name and no trailing
// comma, and this creator returns a raw pointer whereas Create() returns a
// std::unique_ptr — presumably Create() wraps the raw pointer; confirm.
using CreateMockEnrollmentHelper =
EnterpriseEnrollmentHelper* (*)(EnrollmentStatusConsumer* status_consumer,
const policy::EnrollmentConfig&
const std::string& enrolling_user_domain);
// Use |creator| instead of the default enrollment helper allocator. This
// allows tests to substitute in a mock enrollment helper. This function will
// only be used once.
// NOTE(review): this is a process-wide override of how every enrollment helper
// is created, and a substituted helper can bypass the real authentication
// flow entirely. It is intended for tests only; confirm that no production
// code path can reach it.
static void SetupEnrollmentHelperMock(CreateMockEnrollmentHelper creator);
virtual ~EnterpriseEnrollmentHelper();
// Starts enterprise enrollment using |auth_code|. First tries to exchange the
// auth code to authentication token, then tries to enroll the device with the
// received token. Failures of the exchange are reported via OnAuthError().
// |auth_code| is a credential: do not log it or keep it around after the
// exchange.
// If |fetch_additional_token| is true, the helper fetches an additional token
// and passes it to the |status_consumer| on successful enrollment.
// EnrollUsingAuthCode can be called only once during this object's lifetime,
// and only if none of the EnrollUsing* methods was called before.
// TODO (alemate): Remove unused |fetch_additional_token| parameter.
// NOTE(review): ClearAuth() below still describes an "additional token"; if
// this parameter really is unused, that comment is stale as well — confirm.
virtual void EnrollUsingAuthCode(const std::string& auth_code,
bool fetch_additional_token) = 0;
// Starts enterprise enrollment using |token|.
// This flow is used when enrollment is controlled by the paired device.
// |token| therefore originates from the paired device; this header does not
// show how it is validated before use — confirm that the pairing channel is
// authenticated. Treat |token| as a credential (do not log it).
// EnrollUsingToken can be called only once during this object's lifetime, and
// only if none of the EnrollUsing* was called before.
virtual void EnrollUsingToken(const std::string& token) = 0;
// Starts enterprise enrollment using enrollment |token| for authentication.
// This flow is used in OOBE configuration flow. Treat |token| as a credential
// (do not log it).
// EnrollUsingEnrollmentToken can be called only once during this object's
// lifetime, and only if none of the EnrollUsing* was called before.
virtual void EnrollUsingEnrollmentToken(const std::string& token) = 0;
// Starts enterprise enrollment using PCA attestation.
// No user credential is passed in: the device identifies itself to the server
// through attestation instead. The attestation flow itself is not visible in
// this header.
// EnrollUsingAttestation can be called only once during the object's
// lifetime, and only if none of the EnrollUsing* was called before.
virtual void EnrollUsingAttestation() = 0;
// Starts enterprise enrollment for offline demo-mode.
// EnrollForOfflineDemo is used offline, no network connections. Thus it goes
// into enrollment without authentication -- and applies policies which are
// stored locally.
// SECURITY: this is the one EnrollUsing* entry point that skips authentication
// entirely. Callers must ensure it is reachable only from the offline
// demo-mode flow, and the locally stored policy it applies must come from a
// trusted source; how that policy is integrity-checked is not visible here —
// confirm in the implementation.
virtual void EnrollForOfflineDemo() = 0;
// When chrome version is rolled back on the device via policy, the enrollment
// information is persisted (install attributes, DM token), but some steps
// should still be taken (e.g. create robot accounts on the device) as the
// stateful partition is reset. Completion is reported through
// OnRestoreAfterRollbackCompleted(). Note that the persisted DM token is a
// credential that survives the rollback.
virtual void RestoreAfterRollback() = 0;
// Continue enrollment using license |type|. Only meaningful after
// OnMultipleLicensesAvailable() has paused the flow; |type| should be one of
// the keys the consumer was offered there.
virtual void UseLicenseType(policy::LicenseType type) = 0;
// Starts device attribute update process. First tries to get
// permission to update device attributes for current user
// using the OAuth token stored during enrollment. The outcome is reported
// through OnDeviceAttributeUpdatePermission().
virtual void GetDeviceAttributeUpdatePermission() = 0;
// Uploads device attributes on DM server. |asset_id| - Asset Identifier
// and |location| - Assigned Location, these attributes were typed by
// current user on the device attribute prompt screen after successful
// enrollment. Completion is reported through
// OnDeviceAttributeUploadCompleted().
// Both values are free-form user input; this header shows no length or
// content validation before they are sent to the server — confirm it happens
// elsewhere. Presumably only called after OnDeviceAttributeUpdatePermission()
// reported |granted| == true — confirm.
virtual void UpdateDeviceAttributes(const std::string& asset_id,
const std::string& location) = 0;
// Clears authentication data from the profile (if EnrollUsingProfile was
// used) and revokes fetched tokens.
// Does not revoke the additional token if enrollment finished successfully.
// Calls |callback| on completion.
// NOTE(review): no EnrollUsingProfile() exists in this class as listed; this
// reference (and the one in the constructor comment) looks stale.
// Token revocation is the caller's responsibility (see the constructor
// comment), so make sure this is invoked on failure paths as well as on
// success — confirm the exact cases in the implementation.
virtual void ClearAuth(const base::Closure& callback) = 0;
// |status_consumer| must outlive |this|. Moreover, the user of this class
// is responsible for clearing auth data in some cases (see comment for
// EnrollUsingProfile()).
// The pointer is stored as-is (non-owning); see |status_consumer_|.
explicit EnterpriseEnrollmentHelper(
EnrollmentStatusConsumer* status_consumer);
// Non-owning accessor for subclasses.
EnrollmentStatusConsumer* status_consumer() { return status_consumer_; }
// Non-owning; the consumer's lifetime is the caller's responsibility.
EnrollmentStatusConsumer* status_consumer_;
// If this is not nullptr, then it will be used to create the enrollment
// helper. |create_mock_enrollment_helper_| needs to outlive this class.
// Test-only hook installed by SetupEnrollmentHelperMock(); see the security
// note there.
static CreateMockEnrollmentHelper create_mock_enrollment_helper_;
} // namespace chromeos