login_manager/device_policy_service.h - chromiumos/platform2 - Git at Google

 // Copyright 2011 The ChromiumOS Authors
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
 #define LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_

 #include <stdint.h>

 #include <memory>
 #include <string>
 #include <vector>

 #include <base/files/file_path.h>
 #include <base/gtest_prod_util.h>
 #include <base/memory/ref_counted.h>
 #include <crypto/scoped_nss_types.h>
 #include <libcrossystem/crossystem.h>

 #include "bindings/device_management_backend.pb.h"
 #include "login_manager/nss_util.h"
 #include "login_manager/policy_service.h"
 #include "login_manager/vpd_process.h"

 class InstallAttributesReader;

 namespace crypto {
 class RSAPrivateKey;
 }

 namespace enterprise_management {
 class ChromeDeviceSettingsProto;
 class PolicyFetchResponse;
 }  // namespace enterprise_management

 namespace login_manager {
 class KeyGenerator;
 class LoginMetrics;
 class OwnerKeyLossMitigator;
 class SystemUtils;

 // A policy service specifically for device policy, adding in a few helpers for
 // generating a new key for the device owner, handling key loss mitigation,
 // storing owner properties etc.
 class DevicePolicyService : public PolicyService {
  public:
   // Legacy flag file, used prior to M114 to indicate that some OOBE screens
   // should be skipped after the device was powerwashed - during the Chromad
   // migration to cloud management. See comment of the ".cc" file for details
   // about deleting this variable in the future.
   static const char kChromadMigrationSkipOobePreservePath[];

   ~DevicePolicyService() override;

   // Instantiates a regular (non-testing) device policy service instance.
   static std::unique_ptr<DevicePolicyService> Create(
       PolicyKey* owner_key,
       LoginMetrics* metrics,
       OwnerKeyLossMitigator* mitigator,
       NssUtil* nss,
       SystemUtils* system,
       crossystem::Crossystem* crossystem,
       VpdProcess* vpd_process,
       InstallAttributesReader* install_attributes_reader);

   // Must be called only if |current_user| is the device owner. If they don't
   // appear to have the owner key, run key mitigation. Returns true on success.
   // Fills in |error| upon encountering an error.
   virtual bool HandleOwnerLogin(const std::string& current_user,
                                 PK11SlotDescriptor* module,
                                 brillo::ErrorPtr* error);

   // Returns true if |current_user| is listed in device policy as the device
   // owner. Returns false if not, or if that cannot be determined.
   virtual bool UserIsOwner(const std::string& current_user);

   // Ensures that the public key in |pub_key| is legitimately paired with a
   // private key held by the current user, signs and stores some
   // ownership-related metadata, and then stores this key off as the new
   // device owner key. Returns true if successful, false otherwise
   virtual bool ValidateAndStoreOwnerKey(const std::string& current_user,
                                         const std::vector<uint8_t>& pub_key,
                                         PK11SlotDescriptor* module);

   // Checks whether the key is missing.
   virtual bool KeyMissing();

   // Checks whether key loss is being mitigated.
   virtual bool Mitigating();

   // Loads policy key and policy blob from disk. Returns true if at least the
   // key can be loaded (policy may not be present yet, which is OK).
   virtual bool Initialize();

   // Gets feature flags specified in device settings to pass to Chrome on
   // startup.
   virtual std::vector<std::string> GetFeatureFlags();

   // Gets extra command line arguments to pass to Chrome on startup.
   virtual std::vector<std::string> GetExtraCommandLineArguments();

   // Returns the currently active device settings.
   const enterprise_management::ChromeDeviceSettingsProto& GetSettings();

   // Returns whether system settings can be updated by checking that PolicyKey
   // is populated and the device is running on Chrome OS firmware.
   virtual bool MayUpdateSystemSettings();

   // Updates the system settings flags in NVRAM and in VPD. A failure in NVRAM
   // update is not considered a fatal error because new functionality relies on
   // VPD when checking the settings. The old code is using NVRAM however, which
   // means we have to update that memory too. Returns whether VPD process
   // started successfully and is running in a separate process. In this case,
   // |vpd_process_| is responsible for running |completion|; otherwise,
   // OnPolicyPersisted() is.
   virtual bool UpdateSystemSettings(Completion completion);

   // Sets the block_devmode flag in the VPD to 0 in the background. Also set
   // block_devmode=0 in system properties. If the update VPD process could be
   // started in the background |vpd_process_| is responsible for running
   // |completion|; otherwise, the completion is run with an error.
   virtual void ClearBlockDevmode(Completion completion);

   // Validates the remote device wipe command received from the server against
   // |signature_type| algorithm.
   // Does not allow em::PolicyFetchRequest::NONE signature type.
   virtual bool ValidateRemoteDeviceWipeCommand(
       const std::vector<uint8_t>& in_signed_command,
       enterprise_management::PolicyFetchRequest::SignatureType signature_type);

   // PolicyService:
   void Store(const PolicyNamespace& ns,
              const std::vector<uint8_t>& policy_blob,
              int key_flags,
              Completion completion) override;
   void PersistPolicy(const PolicyNamespace& ns, Completion completion) override;

   static const char kPolicyDir[];
   static const char kSerialRecoveryFlagFile[];

   // Format of this string is documented in device_management_backend.proto.
   static const char kDevicePolicyType[];
   static const char kExtensionPolicyType[];
   static const char kRemoteCommandPolicyType[];

  private:
   friend class DevicePolicyServiceTest;
   friend class MockDevicePolicyService;
   FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest, GivenUserIsOwner);
   FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest,
                            PersistPolicyMultipleNamespaces);

   // Takes ownership of |policy_store|.
   DevicePolicyService(const base::FilePath& policy_dir,
                       PolicyKey* owner_key,
                       LoginMetrics* metrics,
                       OwnerKeyLossMitigator* mitigator,
                       NssUtil* nss,
                       SystemUtils* system,
                       crossystem::Crossystem* crossystem,
                       VpdProcess* vpd_process,
                       InstallAttributesReader* install_attributes_reader);
   DevicePolicyService(const DevicePolicyService&) = delete;
   DevicePolicyService& operator=(const DevicePolicyService&) = delete;

   // Returns true if |policy| allows arbitrary new users to sign in.
   // Only exposed for testing.
   static bool PolicyAllowsNewUsers(
       const enterprise_management::PolicyFetchResponse& policy);

   // Returns true if |current_user| is listed in |policy| as the device owner.
   // Returns false if not, or if that cannot be determined.
   static bool GivenUserIsOwner(
       const enterprise_management::PolicyFetchResponse& policy,
       const std::string& current_user);

   // Given the private half of the owner keypair, this call allowlists
   // |current_user| and sets a property indicating
   // |current_user| is the owner in the current policy and schedules a
   // PersistPolicy().
   // Returns false on failure.
   bool StoreOwnerProperties(const std::string& current_user,
                             crypto::RSAPrivateKey* signing_key);

   // Checks the user's NSS database to see if they have the private key.
   // Returns a pointer to it if so.
   // On failure, returns nullptr, with |error| set appropriately.
   // |error| can be nullptr, if caller doesn't need it.
   std::unique_ptr<crypto::RSAPrivateKey> GetOwnerKeyForGivenUser(
       const std::vector<uint8_t>& key,
       PK11SlotDescriptor* module,
       brillo::ErrorPtr* error);

   // Helper to return the policy store for the Chrome domain.
   PolicyStore* GetChromeStore();

   // Returns the device_id from PolicyData.
   std::string GetDeviceId();

   // Returns enterprise mode from |install_attributes_reader_|.
   const std::string& GetEnterpriseMode();

   // Process the input and send the metrics to UMA. |key_success| specifies
   // whether the key loading was successful (true also in case when there's yet
   // no key on disk), |key_populated| - if there's a key file on disk and it has
   // been successfully loaded. Similarly |policy_success| specifies whether the
   // policy loading was successful and |policy_populated| - if there's at least
   // one device policy file on disk that was successfully loaded.
   void ReportDevicePolicyFileMetrics(bool key_success,
                                      bool key_populated,
                                      bool policy_success,
                                      bool policy_populated);

   // Returns whether the store is resilient. To be used for testing only.
   bool IsChromeStoreResilientForTesting();

   OwnerKeyLossMitigator* mitigator_;
   NssUtil* nss_;
   SystemUtils* system_;                                 // Owned by the caller.
   crossystem::Crossystem* crossystem_;                  // Owned by the caller.
   VpdProcess* vpd_process_;                             // Owned by the caller.
   InstallAttributesReader* install_attributes_reader_;  // Owned by the caller.

   // Cached copy of the decoded device settings. Decoding happens on first
   // access, the cache is cleared whenever a new policy gets installed via
   // Store().
   std::unique_ptr<enterprise_management::ChromeDeviceSettingsProto> settings_;
 };

 }  // namespace login_manager

 #endif  // LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
	// Copyright 2011 The ChromiumOS Authors
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
	#define LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_

	#include <stdint.h>

	#include <memory>
	#include <string>
	#include <vector>

	#include <base/files/file_path.h>
	#include <base/gtest_prod_util.h>
	#include <base/memory/ref_counted.h>
	#include <crypto/scoped_nss_types.h>
	#include <libcrossystem/crossystem.h>

	#include "bindings/device_management_backend.pb.h"
	#include "login_manager/nss_util.h"
	#include "login_manager/policy_service.h"
	#include "login_manager/vpd_process.h"

	class InstallAttributesReader;

	namespace crypto {
	class RSAPrivateKey;
	}

	namespace enterprise_management {
	class ChromeDeviceSettingsProto;
	class PolicyFetchResponse;
	} // namespace enterprise_management

	namespace login_manager {
	class KeyGenerator;
	class LoginMetrics;
	class OwnerKeyLossMitigator;
	class SystemUtils;

	// A policy service specifically for device policy, adding in a few helpers for
	// generating a new key for the device owner, handling key loss mitigation,
	// storing owner properties etc.
	class DevicePolicyService : public PolicyService {
	public:
	// Legacy flag file, used prior to M114 to indicate that some OOBE screens
	// should be skipped after the device was powerwashed - during the Chromad
	// migration to cloud management. See comment of the ".cc" file for details
	// about deleting this variable in the future.
	static const char kChromadMigrationSkipOobePreservePath[];

	~DevicePolicyService() override;

	// Instantiates a regular (non-testing) device policy service instance.
	static std::unique_ptr<DevicePolicyService> Create(
	PolicyKey* owner_key,
	LoginMetrics* metrics,
	OwnerKeyLossMitigator* mitigator,
	NssUtil* nss,
	SystemUtils* system,
	crossystem::Crossystem* crossystem,
	VpdProcess* vpd_process,
	InstallAttributesReader* install_attributes_reader);

	// Must be called only if \|current_user\| is the device owner. If they don't
	// appear to have the owner key, run key mitigation. Returns true on success.
	// Fills in \|error\| upon encountering an error.
	virtual bool HandleOwnerLogin(const std::string& current_user,
	PK11SlotDescriptor* module,
	brillo::ErrorPtr* error);

	// Returns true if \|current_user\| is listed in device policy as the device
	// owner. Returns false if not, or if that cannot be determined.
	virtual bool UserIsOwner(const std::string& current_user);

	// Ensures that the public key in \|pub_key\| is legitimately paired with a
	// private key held by the current user, signs and stores some
	// ownership-related metadata, and then stores this key off as the new
	// device owner key. Returns true if successful, false otherwise
	virtual bool ValidateAndStoreOwnerKey(const std::string& current_user,
	const std::vector<uint8_t>& pub_key,
	PK11SlotDescriptor* module);

	// Checks whether the key is missing.
	virtual bool KeyMissing();

	// Checks whether key loss is being mitigated.
	virtual bool Mitigating();

	// Loads policy key and policy blob from disk. Returns true if at least the
	// key can be loaded (policy may not be present yet, which is OK).
	virtual bool Initialize();

	// Gets feature flags specified in device settings to pass to Chrome on
	// startup.
	virtual std::vector<std::string> GetFeatureFlags();

	// Gets extra command line arguments to pass to Chrome on startup.
	virtual std::vector<std::string> GetExtraCommandLineArguments();

	// Returns the currently active device settings.
	const enterprise_management::ChromeDeviceSettingsProto& GetSettings();

	// Returns whether system settings can be updated by checking that PolicyKey
	// is populated and the device is running on Chrome OS firmware.
	virtual bool MayUpdateSystemSettings();

	// Updates the system settings flags in NVRAM and in VPD. A failure in NVRAM
	// update is not considered a fatal error because new functionality relies on
	// VPD when checking the settings. The old code is using NVRAM however, which
	// means we have to update that memory too. Returns whether VPD process
	// started successfully and is running in a separate process. In this case,
	// \|vpd_process_\| is responsible for running \|completion\|; otherwise,
	// OnPolicyPersisted() is.
	virtual bool UpdateSystemSettings(Completion completion);

	// Sets the block_devmode flag in the VPD to 0 in the background. Also set
	// block_devmode=0 in system properties. If the update VPD process could be
	// started in the background \|vpd_process_\| is responsible for running
	// \|completion\|; otherwise, the completion is run with an error.
	virtual void ClearBlockDevmode(Completion completion);

	// Validates the remote device wipe command received from the server against
	// \|signature_type\| algorithm.
	// Does not allow em::PolicyFetchRequest::NONE signature type.
	virtual bool ValidateRemoteDeviceWipeCommand(
	const std::vector<uint8_t>& in_signed_command,
	enterprise_management::PolicyFetchRequest::SignatureType signature_type);

	// PolicyService:
	void Store(const PolicyNamespace& ns,
	const std::vector<uint8_t>& policy_blob,
	int key_flags,
	Completion completion) override;
	void PersistPolicy(const PolicyNamespace& ns, Completion completion) override;

	static const char kPolicyDir[];
	static const char kSerialRecoveryFlagFile[];

	// Format of this string is documented in device_management_backend.proto.
	static const char kDevicePolicyType[];
	static const char kExtensionPolicyType[];
	static const char kRemoteCommandPolicyType[];

	private:
	friend class DevicePolicyServiceTest;
	friend class MockDevicePolicyService;
	FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest, GivenUserIsOwner);
	FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest,
	PersistPolicyMultipleNamespaces);

	// Takes ownership of \|policy_store\|.
	DevicePolicyService(const base::FilePath& policy_dir,
	PolicyKey* owner_key,
	LoginMetrics* metrics,
	OwnerKeyLossMitigator* mitigator,
	NssUtil* nss,
	SystemUtils* system,
	crossystem::Crossystem* crossystem,
	VpdProcess* vpd_process,
	InstallAttributesReader* install_attributes_reader);
	DevicePolicyService(const DevicePolicyService&) = delete;
	DevicePolicyService& operator=(const DevicePolicyService&) = delete;

	// Returns true if \|policy\| allows arbitrary new users to sign in.
	// Only exposed for testing.
	static bool PolicyAllowsNewUsers(
	const enterprise_management::PolicyFetchResponse& policy);

	// Returns true if \|current_user\| is listed in \|policy\| as the device owner.
	// Returns false if not, or if that cannot be determined.
	static bool GivenUserIsOwner(
	const enterprise_management::PolicyFetchResponse& policy,
	const std::string& current_user);

	// Given the private half of the owner keypair, this call allowlists
	// \|current_user\| and sets a property indicating
	// \|current_user\| is the owner in the current policy and schedules a
	// PersistPolicy().
	// Returns false on failure.
	bool StoreOwnerProperties(const std::string& current_user,
	crypto::RSAPrivateKey* signing_key);

	// Checks the user's NSS database to see if they have the private key.
	// Returns a pointer to it if so.
	// On failure, returns nullptr, with \|error\| set appropriately.
	// \|error\| can be nullptr, if caller doesn't need it.
	std::unique_ptr<crypto::RSAPrivateKey> GetOwnerKeyForGivenUser(
	const std::vector<uint8_t>& key,
	PK11SlotDescriptor* module,
	brillo::ErrorPtr* error);

	// Helper to return the policy store for the Chrome domain.
	PolicyStore* GetChromeStore();

	// Returns the device_id from PolicyData.
	std::string GetDeviceId();

	// Returns enterprise mode from \|install_attributes_reader_\|.
	const std::string& GetEnterpriseMode();

	// Process the input and send the metrics to UMA. \|key_success\| specifies
	// whether the key loading was successful (true also in case when there's yet
	// no key on disk), \|key_populated\| - if there's a key file on disk and it has
	// been successfully loaded. Similarly \|policy_success\| specifies whether the
	// policy loading was successful and \|policy_populated\| - if there's at least
	// one device policy file on disk that was successfully loaded.
	void ReportDevicePolicyFileMetrics(bool key_success,
	bool key_populated,
	bool policy_success,
	bool policy_populated);

	// Returns whether the store is resilient. To be used for testing only.
	bool IsChromeStoreResilientForTesting();

	OwnerKeyLossMitigator* mitigator_;
	NssUtil* nss_;
	SystemUtils* system_; // Owned by the caller.
	crossystem::Crossystem* crossystem_; // Owned by the caller.
	VpdProcess* vpd_process_; // Owned by the caller.
	InstallAttributesReader* install_attributes_reader_; // Owned by the caller.

	// Cached copy of the decoded device settings. Decoding happens on first
	// access, the cache is cleared whenever a new policy gets installed via
	// Store().
	std::unique_ptr<enterprise_management::ChromeDeviceSettingsProto> settings_;
	};

	} // namespace login_manager

	#endif // LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_