PSM: Execution of PSM and hash dance in sequential order

Executes PSM determination if its switch is enabled during the initial enrollment. Then, upon completion, it will execute hash dance. As the whole PSM functionality is being controlled by a switch, its possible to split its basic functionality and its tests in follow up CLs. Test: Will be added in a follow-up CL Bug: chromium:1119581 Binary-Size: Increase is temporary. Change-Id: I4473ef0617cc9f7e4594130bcefe57bab12ed7f3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2365952Reviewed-by: Roland Bock <rbock@google.com> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Amr Aboelkher <amraboelkher@chromium.org> Reviewed-by: Amr Aboelkher <amraboelkher@google.com> Reviewed-by: Pavol Marko <pmarko@chromium.org> Commit-Queue: Amr Aboelkher <amraboelkher@google.com> Cr-Commit-Position: refs/heads/master@{#804049}

PSM: Execution of PSM and hash dance in sequential order
Executes PSM determination if its switch is enabled during the initial enrollment. Then, upon completion, it will execute hash dance. As the whole PSM functionality is being controlled by a switch, its possible to split its basic functionality and its tests in follow up CLs. Test: Will be added in a follow-up CL Bug: chromium:1119581 Binary-Size: Increase is temporary. Change-Id: I4473ef0617cc9f7e4594130bcefe57bab12ed7f3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2365952Reviewed-by: Roland Bock <rbock@google.com> Reviewed-by: Maksim Ivanov <emaxx@chromium.org> Reviewed-by: Amr Aboelkher <amraboelkher@chromium.org> Reviewed-by: Amr Aboelkher <amraboelkher@google.com> Reviewed-by: Pavol Marko <pmarko@chromium.org> Commit-Queue: Amr Aboelkher <amraboelkher@google.com> Cr-Commit-Position: refs/heads/master@{#804049}
419bd388 · Amr Aboelkher · Commit Bot · 210fb6b5 · 419bd388 · 419bd388
Commit 419bd388 authored Sep 03, 2020 by Amr Aboelkher Committed by Commit Bot Sep 03, 2020
11 changed files
--- a/chrome/browser/chromeos/BUILD.gn
+++ b/chrome/browser/chromeos/BUILD.gn
@@ -46,6 +46,8 @@ source_set("chromeos") {
    "//components/startup_metric_utils/browser:browser",
    "//content/app/resources",
    "//mojo/public/cpp/bindings",
+    "//third_party/private-join-and-compute/src:ec_commutative_cipher",
+    "//third_party/private_membership:private_membership",
    "//third_party/securemessage/proto",
    "//ui/accessibility/mojom",
    "//ui/chromeos/resources",

--- a/chrome/browser/chromeos/policy/DEPS
+++ b/chrome/browser/chromeos/policy/DEPS
+include_rules = [
+  # Run
+  #
+  #   buildtools/checkdeps/checkdeps.py chrome/browser/chromeos/policy
+  #
+  # to test.
+  # Allow includes for shell-encryption and private_membership third_party libs.
+  "+third_party/private_membership",
+  "+third_party/shell-encryption",
+]
--- a/chrome/browser/chromeos/policy/auto_enrollment_client_impl.cc
+++ b/chrome/browser/chromeos/policy/auto_enrollment_client_impl.cc
--- a/chrome/browser/chromeos/policy/auto_enrollment_client_impl.h
+++ b/chrome/browser/chromeos/policy/auto_enrollment_client_impl.h
@@ -22,12 +22,31 @@
 class PrefRegistrySimple;
 class PrefService;
+namespace private_membership {
+namespace rlwe {
+class PrivateMembershipRlweClient;
+class RlwePlaintextId;
+}  // namespace rlwe
+}  // namespace private_membership
 namespace enterprise_management {
 class DeviceManagementResponse;
 }
 namespace policy {
+// Construct the private set membership identifier. See
+// go/cros-enterprise-psm and go/cros-client-psm for more details.
+private_membership::rlwe::RlwePlaintextId ConstructDeviceRlweId(
+    const std::string& device_serial_number,
+    const std::string& device_rlz_brand_code);
+// A class that handles all communications related to private set membership
+// protocol with DMServer. Also, upon successful determination, it caches the
+// membership state of a given identifier in the local_state PrefService.
+// Upon a failed determination it won't allow another membership check.
+class PrivateSetMembershipHelper;
 // Interacts with the device management service and determines whether this
 // machine should automatically enter the Enterprise Enrollment screen during
 // OOBE.
@@ -105,7 +124,9 @@ class AutoEnrollmentClientImpl
      int power_initial,
      int power_limit,
      base::Optional<int> power_outdated_server_detect,
-      std::string uma_suffix);
+      std::string uma_suffix,
+      std::unique_ptr<PrivateSetMembershipHelper>
+          private_set_membership_helper);
  // Tries to load the result of a previous execution of the protocol from
  // local state. Returns true if that decision has been made and is valid.
@@ -115,6 +136,20 @@ class AutoEnrollmentClientImpl
  // Returns true if progress has been made, false if the protocol is done.
  bool RetryStep();
+  // Retries running private set membership protocol, if the protocol
+  // is enabled and it is possible to start. Returns true if the protocol is
+  // enabled and progress has been made, false if the protocol is done. Also,
+  // that protocol is being started only one time.
+  bool PrivateSetMembershipRetryStep();
+  // Sets the private set membership RLWE client for testing through
+  // |private_set_membership_helper_|, if the protocol is enabled. Also, the
+  // |private_set_membership_rlwe_client| has to be non-null.
+  void SetPrivateSetMembershipRlweClientForTesting(
+      std::unique_ptr<private_membership::rlwe::PrivateMembershipRlweClient>
+          private_set_membership_rlwe_client,
+      private_membership::rlwe::RlwePlaintextId& psm_rlwe_id);
  // Cleans up and invokes |progress_callback_|.
  void ReportProgress(AutoEnrollmentState state);
@@ -210,6 +245,9 @@ class AutoEnrollmentClientImpl
  std::unique_ptr<StateDownloadMessageProcessor>
      state_download_message_processor_;
+  // Obtains the device state using private set membership protocol.
+  std::unique_ptr<PrivateSetMembershipHelper> private_set_membership_helper_;
  // Times used to determine the duration of the protocol, and the extra time
  // needed to complete after the signin was complete.
  // If |time_start_| is not null, the protocol is still running.

--- a/chrome/common/pref_names.cc
+++ b/chrome/common/pref_names.cc
@@ -2155,6 +2155,11 @@ const char kHardwareKeyboardLayout[] = "intl.hardware_keyboard";
 // made yet.
 const char kShouldAutoEnroll[] = "ShouldAutoEnroll";
+// A boolean pref of the private-set-membership decision. Its value is only
+// valid if it's not the default value; otherwise, no private-set-membership
+// decision has been made yet.
+const char kShouldRetrieveDeviceState[] = "ShouldRetrieveDeviceState";
 // An integer pref with the maximum number of bits used by the client in a
 // previous auto-enrollment request. If the client goes through an auto update
 // during OOBE and reboots into a version of the OS with a larger maximum

--- a/chrome/common/pref_names.h
+++ b/chrome/common/pref_names.h
@@ -695,6 +695,7 @@ extern const char kDeviceSettingsCache[];
 extern const char kHardwareKeyboardLayout[];
 extern const char kShouldAutoEnroll[];
 extern const char kAutoEnrollmentPowerLimit[];
+extern const char kShouldRetrieveDeviceState[];
 extern const char kDeviceActivityTimes[];
 extern const char kAppActivityTimes[];
 extern const char kUserActivityTimes[];

--- a/components/policy/core/common/cloud/cloud_policy_constants.cc
+++ b/components/policy/core/common/cloud/cloud_policy_constants.cc
@@ -37,6 +37,7 @@ const char kEnrollmentTokenAuthHeaderPrefix[] = "GoogleEnrollmentToken token=";
 const char kValueAppType[] = "Chrome";
 const char kValueDeviceType[] = "2";
 const char kValueRequestAutoEnrollment[] = "enterprise_check";
+const char kValueRequestPsmHasDeviceState[] = "enterprise_psm_check";
 const char kValueRequestPolicy[] = "policy";
 const char kValueRequestRegister[] = "register";
 const char kValueRequestApiAuthorization[] = "api_authorization";

--- a/components/policy/core/common/cloud/cloud_policy_constants.h
+++ b/components/policy/core/common/cloud/cloud_policy_constants.h
@@ -36,6 +36,7 @@ POLICY_EXPORT extern const char kEnrollmentTokenAuthHeaderPrefix[];
 POLICY_EXPORT extern const char kValueAppType[];
 POLICY_EXPORT extern const char kValueDeviceType[];
 POLICY_EXPORT extern const char kValueRequestAutoEnrollment[];
+POLICY_EXPORT extern const char kValueRequestPsmHasDeviceState[];
 POLICY_EXPORT extern const char kValueRequestPolicy[];
 POLICY_EXPORT extern const char kValueRequestRegister[];
 POLICY_EXPORT extern const char kValueRequestApiAuthorization[];

--- a/components/policy/core/common/cloud/device_management_service.cc
+++ b/components/policy/core/common/cloud/device_management_service.cc
@@ -189,6 +189,9 @@ std::string DeviceManagementService::JobConfiguration::GetJobTypeAsString(
    case DeviceManagementService::JobConfiguration::
        TYPE_CERT_PROVISIONING_REQUEST:
      return "CertProvisioningRequest";
+    case DeviceManagementService::JobConfiguration::
+        TYPE_PSM_HAS_DEVICE_STATE_REQUEST:
+      return "PSMDeviceStateRequest";
  }
  NOTREACHED() << "Invalid job type " << type;
  return "";

--- a/components/policy/core/common/cloud/device_management_service.h
+++ b/components/policy/core/common/cloud/device_management_service.h
@@ -182,6 +182,7 @@ class POLICY_EXPORT DeviceManagementService {
      TYPE_REQUEST_SAML_URL = 23,
      TYPE_CHROME_OS_USER_REPORT = 24,
      TYPE_CERT_PROVISIONING_REQUEST = 25,
+      TYPE_PSM_HAS_DEVICE_STATE_REQUEST = 26,
    };
    // The set of HTTP query parameters of the request.

--- a/components/policy/core/common/cloud/dmserver_job_configurations.cc
+++ b/components/policy/core/common/cloud/dmserver_job_configurations.cc
@@ -82,6 +82,9 @@ const char* JobTypeToRequestType(
    case DeviceManagementService::JobConfiguration::
        TYPE_CERT_PROVISIONING_REQUEST:
      return dm_protocol::kValueRequestCertProvisioningRequest;
+    case DeviceManagementService::JobConfiguration::
+        TYPE_PSM_HAS_DEVICE_STATE_REQUEST:
+      return dm_protocol::kValueRequestPsmHasDeviceState;
  }
  NOTREACHED() << "Invalid job type " << type;
  return "";