login_manager/device_policy_service.h - mirrors/cros/chromiumos/platform2 - Git at Google

 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 #ifndef LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
 #define LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_

 #include <stdint.h>

 #include <memory>
 #include <string>
 #include <vector>

 #include <base/files/file_path.h>
 #include <base/gtest_prod_util.h>
 #include <base/macros.h>
 #include <base/memory/ref_counted.h>
 #include <crypto/scoped_nss_types.h>

 #include "login_manager/crossystem.h"
 #include "login_manager/nss_util.h"
 #include "login_manager/owner_key_loss_mitigator.h"
 #include "login_manager/policy_service.h"
 #include "login_manager/vpd_process.h"

 class InstallAttributesReader;

 namespace crypto {
 class RSAPrivateKey;
 }

 namespace enterprise_management {
 class ChromeDeviceSettingsProto;
 class PolicyFetchResponse;
 }  // namespace enterprise_management

 namespace login_manager {
 class KeyGenerator;
 class LoginMetrics;
 class NssUtil;
 class OwnerKeyLossMitigator;

 // A policy service specifically for device policy, adding in a few helpers for
 // generating a new key for the device owner, handling key loss mitigation,
 // storing owner properties etc.
 class DevicePolicyService : public PolicyService {
  public:
   ~DevicePolicyService() override;

   // Instantiates a regular (non-testing) device policy service instance.
   static std::unique_ptr<DevicePolicyService> Create(
       PolicyKey* owner_key,
       LoginMetrics* metrics,
       OwnerKeyLossMitigator* mitigator,
       NssUtil* nss,
       Crossystem* crossystem,
       VpdProcess* vpd_process,
       InstallAttributesReader* install_attributes_reader);

   // Checks whether the given |current_user| is the device owner. The result of
   // the check is returned in |is_owner|. If so, it is validated that the device
   // policy settings are set up appropriately:
   // - If |current_user| has the owner key, put them on the login allowlist.
   // - If policy claims |current_user| is the device owner but they don't appear
   //   to have the owner key, run key mitigation.
   // Returns true on success. Fills in |error| upon encountering an error.
   virtual bool CheckAndHandleOwnerLogin(const std::string& current_user,
                                         PK11SlotDescriptor* module,
                                         bool* is_owner,
                                         brillo::ErrorPtr* error);

   // Ensures that the public key in |pub_key| is legitimately paired with a
   // private key held by the current user, signs and stores some
   // ownership-related metadata, and then stores this key off as the new
   // device owner key. Returns true if successful, false otherwise
   virtual bool ValidateAndStoreOwnerKey(const std::string& current_user,
                                         const std::vector<uint8_t>& pub_key,
                                         PK11SlotDescriptor* module);

   // Checks whether the key is missing.
   virtual bool KeyMissing();

   // Checks whether key loss is being mitigated.
   virtual bool Mitigating();

   // Loads policy key and policy blob from disk. Returns true if at least the
   // key can be loaded (policy may not be present yet, which is OK).
   virtual bool Initialize();

   // Given info about whether we were able to load the Owner key and the
   // device policy, report the state of these files via |metrics_|.
   virtual void ReportPolicyFileMetrics(bool key_success, bool policy_success);

   // Gets extra startup switches specified in device settings to pass to Chrome.
   virtual std::vector<std::string> GetStartUpSwitches();

   // Gets feature flags specified in device settings to pass to Chrome on
   // startup.
   virtual std::vector<std::string> GetFeatureFlags();

   // Returns the currently active device settings.
   const enterprise_management::ChromeDeviceSettingsProto& GetSettings();

   // Returns whether system settings can be updated by checking that PolicyKey
   // is populated and the device is running on Chrome OS firmware.
   virtual bool MayUpdateSystemSettings();

   // Updates the system settings flags in NVRAM and in VPD. A failure in NVRAM
   // update is not considered a fatal error because new functionality relies on
   // VPD when checking the settings. The old code is using NVRAM however, which
   // means we have to update that memory too. Returns whether VPD process
   // started succesfully and is running in a separate process. In this case,
   // |vpd_process_| is responsible for running |completion|; otherwise,
   // OnPolicyPersisted() is.
   virtual bool UpdateSystemSettings(const Completion& completion);

   // Sets the block_devmode and check_enrollment flags in the VPD to 0
   // in the background. Also set block_devmode=0 in system properties.
   // If the update VPD process could be started in the background
   // |vpd_process_| is responsible for running |completion|;
   // otherwise, the completion is run with an error.
   virtual void ClearForcedReEnrollmentFlags(const Completion& completion);

   // Validates the remote device wipe command received from the server.
   virtual bool ValidateRemoteDeviceWipeCommand(
       const std::vector<uint8_t>& in_signed_command);

   // PolicyService:
   bool Store(const PolicyNamespace& ns,
              const std::vector<uint8_t>& policy_blob,
              int key_flags,
              SignatureCheck signature_check,
              const Completion& completion) override;
   void PersistPolicy(const PolicyNamespace& ns,
                      const Completion& completion) override;

   static const char kPolicyDir[];
   static const char kSerialRecoveryFlagFile[];

   // Format of this string is documented in device_management_backend.proto.
   static const char kDevicePolicyType[];
   static const char kExtensionPolicyType[];
   static const char kRemoteCommandPolicyType[];

  private:
   friend class DevicePolicyServiceTest;
   friend class MockDevicePolicyService;
   FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest, GivenUserIsOwner);
   FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest,
                            PersistPolicyMultipleNamespaces);

   // Takes ownership of |policy_store|.
   DevicePolicyService(const base::FilePath& policy_dir,
                       PolicyKey* owner_key,
                       LoginMetrics* metrics,
                       OwnerKeyLossMitigator* mitigator,
                       NssUtil* nss,
                       Crossystem* crossystem,
                       VpdProcess* vpd_process,
                       InstallAttributesReader* install_attributes_reader);
   DevicePolicyService(const DevicePolicyService&) = delete;
   DevicePolicyService& operator=(const DevicePolicyService&) = delete;

   // Returns true if |policy| allows arbitrary new users to sign in.
   // Only exposed for testing.
   static bool PolicyAllowsNewUsers(
       const enterprise_management::PolicyFetchResponse& policy);

   // Returns true if |current_user| is listed in |policy| as the device owner.
   // Returns false if not, or if that cannot be determined.
   static bool GivenUserIsOwner(
       const enterprise_management::PolicyFetchResponse& policy,
       const std::string& current_user);

   // Given the private half of the owner keypair, this call allowlists
   // |current_user| and sets a property indicating
   // |current_user| is the owner in the current policy and schedules a
   // PersistPolicy().
   // Returns false on failure.
   bool StoreOwnerProperties(const std::string& current_user,
                             crypto::RSAPrivateKey* signing_key);

   // Checks the user's NSS database to see if they have the private key.
   // Returns a pointer to it if so.
   // On failure, returns nullptr, with |error| set appropriately.
   // |error| can be nullptr, if caller doesn't need it.
   std::unique_ptr<crypto::RSAPrivateKey> GetOwnerKeyForGivenUser(
       const std::vector<uint8_t>& key,
       PK11SlotDescriptor* module,
       brillo::ErrorPtr* error);

   // Helper to return the policy store for the Chrome domain.
   PolicyStore* GetChromeStore();

   // Returns the device_id from PolicyData.
   std::string GetDeviceId();

   // Returns enterprise mode from |install_attributes_reader_|.
   const std::string& GetEnterpriseMode();

   // Returns whether the store is resilent. To be used for testing only.
   bool IsChromeStoreResilientForTesting();

   OwnerKeyLossMitigator* mitigator_;
   NssUtil* nss_;
   Crossystem* crossystem_;                              // Owned by the caller.
   VpdProcess* vpd_process_;                             // Owned by the caller.
   InstallAttributesReader* install_attributes_reader_;  // Owned by the caller.

   // Cached copy of the decoded device settings. Decoding happens on first
   // access, the cache is cleared whenever a new policy gets installed via
   // Store().
   std::unique_ptr<enterprise_management::ChromeDeviceSettingsProto> settings_;
 };

 }  // namespace login_manager

 #endif  // LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
	// Copyright (c) 2011 The Chromium OS Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	#ifndef LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_
	#define LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_

	#include <stdint.h>

	#include <memory>
	#include <string>
	#include <vector>

	#include <base/files/file_path.h>
	#include <base/gtest_prod_util.h>
	#include <base/macros.h>
	#include <base/memory/ref_counted.h>
	#include <crypto/scoped_nss_types.h>

	#include "login_manager/crossystem.h"
	#include "login_manager/nss_util.h"
	#include "login_manager/owner_key_loss_mitigator.h"
	#include "login_manager/policy_service.h"
	#include "login_manager/vpd_process.h"

	class InstallAttributesReader;

	namespace crypto {
	class RSAPrivateKey;
	}

	namespace enterprise_management {
	class ChromeDeviceSettingsProto;
	class PolicyFetchResponse;
	} // namespace enterprise_management

	namespace login_manager {
	class KeyGenerator;
	class LoginMetrics;
	class NssUtil;
	class OwnerKeyLossMitigator;

	// A policy service specifically for device policy, adding in a few helpers for
	// generating a new key for the device owner, handling key loss mitigation,
	// storing owner properties etc.
	class DevicePolicyService : public PolicyService {
	public:
	~DevicePolicyService() override;

	// Instantiates a regular (non-testing) device policy service instance.
	static std::unique_ptr<DevicePolicyService> Create(
	PolicyKey* owner_key,
	LoginMetrics* metrics,
	OwnerKeyLossMitigator* mitigator,
	NssUtil* nss,
	Crossystem* crossystem,
	VpdProcess* vpd_process,
	InstallAttributesReader* install_attributes_reader);

	// Checks whether the given \|current_user\| is the device owner. The result of
	// the check is returned in \|is_owner\|. If so, it is validated that the device
	// policy settings are set up appropriately:
	// - If \|current_user\| has the owner key, put them on the login allowlist.
	// - If policy claims \|current_user\| is the device owner but they don't appear
	// to have the owner key, run key mitigation.
	// Returns true on success. Fills in \|error\| upon encountering an error.
	virtual bool CheckAndHandleOwnerLogin(const std::string& current_user,
	PK11SlotDescriptor* module,
	bool* is_owner,
	brillo::ErrorPtr* error);

	// Ensures that the public key in \|pub_key\| is legitimately paired with a
	// private key held by the current user, signs and stores some
	// ownership-related metadata, and then stores this key off as the new
	// device owner key. Returns true if successful, false otherwise
	virtual bool ValidateAndStoreOwnerKey(const std::string& current_user,
	const std::vector<uint8_t>& pub_key,
	PK11SlotDescriptor* module);

	// Checks whether the key is missing.
	virtual bool KeyMissing();

	// Checks whether key loss is being mitigated.
	virtual bool Mitigating();

	// Loads policy key and policy blob from disk. Returns true if at least the
	// key can be loaded (policy may not be present yet, which is OK).
	virtual bool Initialize();

	// Given info about whether we were able to load the Owner key and the
	// device policy, report the state of these files via \|metrics_\|.
	virtual void ReportPolicyFileMetrics(bool key_success, bool policy_success);

	// Gets extra startup switches specified in device settings to pass to Chrome.
	virtual std::vector<std::string> GetStartUpSwitches();

	// Gets feature flags specified in device settings to pass to Chrome on
	// startup.
	virtual std::vector<std::string> GetFeatureFlags();

	// Returns the currently active device settings.
	const enterprise_management::ChromeDeviceSettingsProto& GetSettings();

	// Returns whether system settings can be updated by checking that PolicyKey
	// is populated and the device is running on Chrome OS firmware.
	virtual bool MayUpdateSystemSettings();

	// Updates the system settings flags in NVRAM and in VPD. A failure in NVRAM
	// update is not considered a fatal error because new functionality relies on
	// VPD when checking the settings. The old code is using NVRAM however, which
	// means we have to update that memory too. Returns whether VPD process
	// started succesfully and is running in a separate process. In this case,
	// \|vpd_process_\| is responsible for running \|completion\|; otherwise,
	// OnPolicyPersisted() is.
	virtual bool UpdateSystemSettings(const Completion& completion);

	// Sets the block_devmode and check_enrollment flags in the VPD to 0
	// in the background. Also set block_devmode=0 in system properties.
	// If the update VPD process could be started in the background
	// \|vpd_process_\| is responsible for running \|completion\|;
	// otherwise, the completion is run with an error.
	virtual void ClearForcedReEnrollmentFlags(const Completion& completion);

	// Validates the remote device wipe command received from the server.
	virtual bool ValidateRemoteDeviceWipeCommand(
	const std::vector<uint8_t>& in_signed_command);

	// PolicyService:
	bool Store(const PolicyNamespace& ns,
	const std::vector<uint8_t>& policy_blob,
	int key_flags,
	SignatureCheck signature_check,
	const Completion& completion) override;
	void PersistPolicy(const PolicyNamespace& ns,
	const Completion& completion) override;

	static const char kPolicyDir[];
	static const char kSerialRecoveryFlagFile[];

	// Format of this string is documented in device_management_backend.proto.
	static const char kDevicePolicyType[];
	static const char kExtensionPolicyType[];
	static const char kRemoteCommandPolicyType[];

	private:
	friend class DevicePolicyServiceTest;
	friend class MockDevicePolicyService;
	FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest, GivenUserIsOwner);
	FRIEND_TEST_ALL_PREFIXES(DevicePolicyServiceTest,
	PersistPolicyMultipleNamespaces);

	// Takes ownership of \|policy_store\|.
	DevicePolicyService(const base::FilePath& policy_dir,
	PolicyKey* owner_key,
	LoginMetrics* metrics,
	OwnerKeyLossMitigator* mitigator,
	NssUtil* nss,
	Crossystem* crossystem,
	VpdProcess* vpd_process,
	InstallAttributesReader* install_attributes_reader);
	DevicePolicyService(const DevicePolicyService&) = delete;
	DevicePolicyService& operator=(const DevicePolicyService&) = delete;

	// Returns true if \|policy\| allows arbitrary new users to sign in.
	// Only exposed for testing.
	static bool PolicyAllowsNewUsers(
	const enterprise_management::PolicyFetchResponse& policy);

	// Returns true if \|current_user\| is listed in \|policy\| as the device owner.
	// Returns false if not, or if that cannot be determined.
	static bool GivenUserIsOwner(
	const enterprise_management::PolicyFetchResponse& policy,
	const std::string& current_user);

	// Given the private half of the owner keypair, this call allowlists
	// \|current_user\| and sets a property indicating
	// \|current_user\| is the owner in the current policy and schedules a
	// PersistPolicy().
	// Returns false on failure.
	bool StoreOwnerProperties(const std::string& current_user,
	crypto::RSAPrivateKey* signing_key);

	// Checks the user's NSS database to see if they have the private key.
	// Returns a pointer to it if so.
	// On failure, returns nullptr, with \|error\| set appropriately.
	// \|error\| can be nullptr, if caller doesn't need it.
	std::unique_ptr<crypto::RSAPrivateKey> GetOwnerKeyForGivenUser(
	const std::vector<uint8_t>& key,
	PK11SlotDescriptor* module,
	brillo::ErrorPtr* error);

	// Helper to return the policy store for the Chrome domain.
	PolicyStore* GetChromeStore();

	// Returns the device_id from PolicyData.
	std::string GetDeviceId();

	// Returns enterprise mode from \|install_attributes_reader_\|.
	const std::string& GetEnterpriseMode();

	// Returns whether the store is resilent. To be used for testing only.
	bool IsChromeStoreResilientForTesting();

	OwnerKeyLossMitigator* mitigator_;
	NssUtil* nss_;
	Crossystem* crossystem_; // Owned by the caller.
	VpdProcess* vpd_process_; // Owned by the caller.
	InstallAttributesReader* install_attributes_reader_; // Owned by the caller.

	// Cached copy of the decoded device settings. Decoding happens on first
	// access, the cache is cleared whenever a new policy gets installed via
	// Store().
	std::unique_ptr<enterprise_management::ChromeDeviceSettingsProto> settings_;
	};

	} // namespace login_manager

	#endif // LOGIN_MANAGER_DEVICE_POLICY_SERVICE_H_