Allow Profile-independent TpmChallengeKeySubtle

Allow TpmChallengeKeySubtle to be instantiated with a nullptr Profile*.
Such an instance can only be used to work with machine keys (device-wide
keys).
This is useful to decouple the device-wide CertProvisioningScheduler
from the sign-in Profile.

Bug: 1045895
Change-Id: I42382d3be03aa371d4ba31aaebb2891326e24599
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2189650
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Michael Ershov <miersh@google.com>
Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Cr-Commit-Position: refs/heads/master@{#790540}

chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.cc

@@ -133,6 +133,10 @@ void TpmChallengeKeySubtleImpl::RestorePreparedKeyState(
     const std::string& key_name,
     Profile* profile) {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+
+  // For user keys, a |profile| is strictly necessary.
+  DCHECK(key_type != KEY_USER || profile);
+
   key_type_ = key_type;
   will_register_key_ = will_register_key;
   key_name_ = GetKeyNameWithDefault(key_type, key_name);
@@ -152,6 +156,9 @@ void TpmChallengeKeySubtleImpl::StartPrepareKeyStep(
   DCHECK((key_type != KEY_DEVICE) || (will_register_key == !key_name.empty()))
       << "Invalid arguments: " << will_register_key << " " << !key_name.empty();
 
+  // For user keys, a |profile| is strictly necessary.
+  DCHECK(key_type != KEY_USER || profile);
+
   key_type_ = key_type;
   will_register_key_ = will_register_key;
   key_name_ = GetKeyNameWithDefault(key_type, key_name);
@@ -179,7 +186,7 @@ void TpmChallengeKeySubtleImpl::PrepareMachineKey() {
     return;
   }
 
-  // Check whether the user is managed unless the signin profile is used.
+  // Check whether the user is managed unless this is a device-wide instance.
   if (GetUser() && !IsUserAffiliated()) {
     std::move(callback_).Run(
         Result::MakeError(ResultCode::kUserNotManagedError));
@@ -236,6 +243,7 @@ bool TpmChallengeKeySubtleImpl::IsUserAffiliated() const {
 
 bool TpmChallengeKeySubtleImpl::IsRemoteAttestationEnabledForUser() const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  DCHECK(profile_);
 
   PrefService* prefs = profile_->GetPrefs();
   // TODO(crbug.com/1000589): Check it's mandatory after fixing corp policy.
@@ -272,6 +280,8 @@ AttestationCertificateProfile TpmChallengeKeySubtleImpl::GetCertificateProfile()
 
 const user_manager::User* TpmChallengeKeySubtleImpl::GetUser() const {
   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+  if (!profile_)
+    return nullptr;
   return ProfileHelper::Get()->GetUserByProfile(profile_);
 }
 

chrome/browser/chromeos/attestation/tpm_challenge_key_subtle.h

@@ -38,6 +38,8 @@ class TpmChallengeKeySubtleFactory final {
   // has successfully finished before and that only one call of
   // |StartSignChallengeStep| and/or |StartRegisterKeyStep| for a prepared key
   // pair will ever happen.
+  // |profile| may be nullptr - then it is assumed that this is a device-wide
+  // instance that is only intended to be used with machine keys.
   static std::unique_ptr<TpmChallengeKeySubtle> CreateForPreparedKey(
       AttestationKeyType key_type,
       bool will_register_key,
@@ -149,6 +151,8 @@ class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle {
 
   // Returns true if the user is managed and is affiliated with the domain the
   // device is enrolled to.
+  // If this is a device-wide instance without a user-associated |profile_|,
+  // returns false.
   bool IsUserAffiliated() const;
   // Returns true if remote attestation is allowed and the setting is managed.
   bool IsRemoteAttestationEnabledForUser() const;
@@ -156,7 +160,11 @@ class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle {
   // Returns the enterprise domain the device is enrolled to or user email.
   std::string GetEmail() const;
   AttestationCertificateProfile GetCertificateProfile() const;
+  // Returns the User* associated with |profile_|. May return nullptr (if there
+  // is no |profile_| or if e.g. |profile_| is a sign-in profile).
   const user_manager::User* GetUser() const;
+  // Returns the AccountId associated with |profile_|. Will return
+  // EmptyAccountId() if GetUser() returns nullptr.
   AccountId GetAccountId() const;
 
   // Actually prepares a key after all checks are passed.
@@ -194,6 +202,8 @@ class TpmChallengeKeySubtleImpl final : public TpmChallengeKeySubtle {
   AttestationFlow* attestation_flow_ = nullptr;
 
   TpmChallengeKeyCallback callback_;
+  // |profile_| may be nullptr if this is an instance that is used device-wide
+  // and only intended to work with machine keys.
   Profile* profile_ = nullptr;
 
   AttestationKeyType key_type_ = AttestationKeyType::KEY_DEVICE;

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler.cc

@@ -26,7 +26,6 @@
 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
-#include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/common/pref_names.h"
 #include "chromeos/network/network_handler.h"
 #include "chromeos/network/network_state_handler.h"
@@ -125,23 +124,22 @@ std::unique_ptr<CertProvisioningScheduler>
 CertProvisioningSchedulerImpl::CreateDeviceCertProvisioningScheduler(
     policy::AffiliatedInvalidationServiceProvider*
         invalidation_service_provider) {
-  Profile* profile = ProfileHelper::GetSigninProfile();
   PrefService* pref_service = g_browser_process->local_state();
   policy::CloudPolicyClient* cloud_policy_client =
       GetCloudPolicyClientForDevice();
   platform_keys::PlatformKeysService* platform_keys_service =
-      GetPlatformKeysService(CertScope::kDevice, profile);
+      GetPlatformKeysService(CertScope::kDevice, /*profile=*/nullptr);
   NetworkStateHandler* network_state_handler = GetNetworkStateHandler();
 
-  if (!profile || !pref_service || !cloud_policy_client ||
-      !network_state_handler || !platform_keys_service) {
+  if (!pref_service || !cloud_policy_client || !network_state_handler ||
+      !platform_keys_service) {
     LOG(ERROR) << "Failed to create device certificate provisioning scheduler";
     return nullptr;
   }
 
   return std::make_unique<CertProvisioningSchedulerImpl>(
-      CertScope::kDevice, profile, pref_service, cloud_policy_client,
-      platform_keys_service, network_state_handler,
+      CertScope::kDevice, /*profile=*/nullptr, pref_service,
+      cloud_policy_client, platform_keys_service, network_state_handler,
       std::make_unique<CertProvisioningDeviceInvalidatorFactory>(
           invalidation_service_provider));
 }
@@ -163,7 +161,7 @@ CertProvisioningSchedulerImpl::CertProvisioningSchedulerImpl(
       certs_with_ids_getter_(cert_scope, platform_keys_service),
       cert_deleter_(cert_scope, platform_keys_service),
       invalidator_factory_(std::move(invalidator_factory)) {
-  CHECK(profile);
+  CHECK(profile_ || cert_scope_ == CertScope::kDevice);
   CHECK(pref_service_);
   CHECK(cloud_policy_client_);
   CHECK(platform_keys_service_);

chrome/browser/chromeos/cert_provisioning/cert_provisioning_scheduler.h

@@ -171,6 +171,8 @@ class CertProvisioningSchedulerImpl
   void OnPlatformKeysServiceShutDown() override;
 
   CertScope cert_scope_ = CertScope::kUser;
+  // |profile_| can be nullptr for the device-wide instance of
+  // CertProvisioningScheduler.
   Profile* profile_ = nullptr;
   PrefService* pref_service_ = nullptr;
   const char* pref_name_ = nullptr;

chrome/browser/chromeos/cert_provisioning/cert_provisioning_worker.cc

@@ -186,7 +186,7 @@ CertProvisioningWorkerImpl::CertProvisioningWorkerImpl(
       request_backoff_(&kBackoffPolicy),
       cloud_policy_client_(cloud_policy_client),
       invalidator_(std::move(invalidator)) {
-  CHECK(profile);
+  CHECK(profile || cert_scope == CertScope::kDevice);
   platform_keys_service_ = GetPlatformKeysService(cert_scope, profile);
   CHECK(platform_keys_service_);