// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
#define LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_

#include <stdint.h>

#include <memory>
#include <string>
#include <vector>

#include <base/files/file_path.h>
#include <base/gtest_prod_util.h>
#include <base/macros.h>
#include <base/memory/ref_counted.h>
#include <crypto/scoped_nss_types.h>

#include "login_manager/crossystem.h"
#include "login_manager/nss_util.h"
#include "login_manager/owner_key_loss_mitigator.h"
#include "login_manager/policy_service.h"
#include "login_manager/vpd_process.h"

class InstallAttributesReader;

namespace crypto {
class RSAPrivateKey;
}

namespace enterprise_management {
class ChromeDeviceSettingsProto;
class PolicyFetchResponse;
}  // namespace enterprise_management

namespace login_manager {
class KeyGenerator;
class LoginMetrics;
class NssUtil;
class OwnerKeyLossMitigator;

// A policy service specifically for device policy, adding in a few helpers for
// generating a new key for the device owner, handling key loss mitigation,
// storing owner properties etc.
class DevicePolicyService : public PolicyService {
 public:
  ~DevicePolicyService() override;

  // Instantiates a regular (non-testing) device policy service instance.
  static std::unique_ptr<DevicePolicyService> Create(
      PolicyKey* owner_key,
      LoginMetrics* metrics,
      OwnerKeyLossMitigator* mitigator,
      NssUtil* nss,
      Crossystem* crossystem,
      VpdProcess* vpd_process,
      InstallAttributesReader* install_attributes_reader);

  // Checks whether the given |current_user| is the device owner. The result of
  // the check is returned in |is_owner|. If so, it is validated that the device
  // policy settings are set up appropriately:
  // - If |current_user| has the owner key, put them on the login white list.
  // - If policy claims |current_user| is the device owner but they don't appear
  //   to have the owner key, run key mitigation.
  // Returns true on success. Fills in |error| upon encountering an error.
  virtual bool CheckAndHandleOwnerLogin(const std::string& current_user,
                                        PK11SlotDescriptor* module,
                                        bool* is_owner,
                                        brillo::ErrorPtr* error);

  // Ensures that the public key in |pub_key| is legitimately paired with a
  // private key held by the current user, signs and stores some
  // ownership-related metadata, and then stores this key off as the new
  // device owner key. Returns true if successful, false otherwise
  virtual bool ValidateAndStoreOwnerKey(const std::string& current_user,
                                        const std::vector<uint8_t>& pub_key,
                                        PK11SlotDescriptor* module);

  // Checks whether the key is missing.
  virtual bool KeyMissing();

  // Checks whether key loss is being mitigated.
  virtual bool Mitigating();

  // Loads policy key and policy blob from disk. Returns true if at least the
  // key can be loaded (policy may not be present yet, which is OK).
  virtual bool Initialize();

  // Given info about whether we were able to load the Owner key and the
  // device policy, report the state of these files via |metrics_|.
  virtual void ReportPolicyFileMetrics(bool key_success, bool policy_success);

  // Gets the value of the StartUpFlags policy as a vector of strings to be
  // supplied to Chrome when it is started.
  virtual std::vector<std::string> GetStartUpFlags();

  // Returns the currently active device settings.
  const enterprise_management::ChromeDeviceSettingsProto& GetSettings();

  // Returns whether system settings can be updated by checking that PolicyKey
  // is populated and the device is running on Chrome OS firmware.
  virtual bool MayUpdateSystemSettings();

  // Updates the system settings flags in NVRAM and in VPD. A failure in NVRAM
  // update is not considered a fatal error because new functionality relies on
  // VPD when checking the settings. The old code is using NVRAM however, which
  // means we have to update that memory too. Returns whether VPD process
  // started succesfully and is running in a separate process. In this case,
  // |vpd_process_| is responsible for running |completion|; otherwise,
  // OnPolicyPersisted() is.
  virtual bool UpdateSystemSettings(const Completion& completion);

  // Sets the block_devmode and check_enrollment flags in the VPD to 0
  // in the background. Also set block_devmode=0 in system properties.
  // If the update VPD process could be started in the background
  // |vpd_process_| is responsible for running |completion|;
  // otherwise, the completion is run with an error.
  virtual void ClearForcedReEnrollmentFlags(const Completion& completion);

  // Validates the remote device wipe command received from the server.
  virtual bool ValidateRemoteDeviceWipeCommand(
      const std::vector<uint8_t>& in_signed_command);

  // PolicyService:
  bool Store(const PolicyNamespace& ns,
             const std::vector<uint8_t>& policy_blob,
             int key_flags,
             SignatureCheck signature_check,
             const Completion& completion) override;
  void PersistPolicy(const PolicyNamespace& ns,
                     const Completion& completion) override;

  static const char kPolicyDir[];
  static const char kSerialRecoveryFlagFile[];

  // Format of this string is documented in device_management_backend.proto.
  static const char kDevicePolicyType[];
  static const char kExtensionPolicyType[];
  static const char kRemoteCommandPolicyType[];

 private:
  friend class DevicePolicyServiceTest;
  friend class MockDevicePolicyService;
  FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest, GivenUserIsOwner);
  FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest,
                           PersistPolicyMultipleNamespaces);

  // Takes ownership of |policy_store|.
  DevicePolicyService(const base::FilePath& policy_dir,
                      PolicyKey* owner_key,
                      LoginMetrics* metrics,
                      OwnerKeyLossMitigator* mitigator,
                      NssUtil* nss,
                      Crossystem* crossystem,
                      VpdProcess* vpd_process,
                      InstallAttributesReader* install_attributes_reader);

  // Returns true if |policy| allows arbitrary new users to sign in.
  // Only exposed for testing.
  static bool PolicyAllowsNewUsers(
      const enterprise_management::PolicyFetchResponse& policy);

  // Returns true if |current_user| is listed in |policy| as the device owner.
  // Returns false if not, or if that cannot be determined.
  static bool GivenUserIsOwner(
      const enterprise_management::PolicyFetchResponse& policy,
      const std::string& current_user);

  // Given the private half of the owner keypair, this call whitelists
  // |current_user| and sets a property indicating
  // |current_user| is the owner in the current policy and schedules a
  // PersistPolicy().
  // Returns false on failure.
  bool StoreOwnerProperties(const std::string& current_user,
                            crypto::RSAPrivateKey* signing_key);

  // Checks the user's NSS database to see if they have the private key.
  // Returns a pointer to it if so.
  // On failure, returns nullptr, with |error| set appropriately.
  // |error| can be nullptr, if caller doesn't need it.
  std::unique_ptr<crypto::RSAPrivateKey> GetOwnerKeyForGivenUser(
      const std::vector<uint8_t>& key,
      PK11SlotDescriptor* module,
      brillo::ErrorPtr* error);

  // Helper to return the policy store for the Chrome domain.
  PolicyStore* GetChromeStore();

  // Returns the device_id from PolicyData.
  std::string GetDeviceId();

  // Returns enterprise mode from |install_attributes_reader_|.
  const std::string& GetEnterpriseMode();

  // Returns whether the store is resilent. To be used for testing only.
  bool IsChromeStoreResilientForTesting();

  OwnerKeyLossMitigator* mitigator_;
  NssUtil* nss_;
  Crossystem* crossystem_;                              // Owned by the caller.
  VpdProcess* vpd_process_;                             // Owned by the caller.
  InstallAttributesReader* install_attributes_reader_;  // Owned by the caller.

  // Cached copy of the decoded device settings. Decoding happens on first
  // access, the cache is cleared whenever a new policy gets installed via
  // Store().
  std::unique_ptr<enterprise_management::ChromeDeviceSettingsProto> settings_;

  DISALLOW_COPY_AND_ASSIGN(DevicePolicyService);
};

}  // namespace login_manager

#endif  // LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_