fake enrollment for offline demo mode

This adds a 'MODE_OFFLINE_DEMO' enrollment mode, which locks the device and applies the policy in the local installation. This is the flow to setup the offline demo mode. Currently the actual policy data is not yet available, so this right now simply locks the device. Bug: 827290 Change-Id: I6cdfec50049b017fc01d9875bd520f0655660031 Reviewed-on: https://chromium-review.googlesource.com/1000012Reviewed-by: Alexander Alekseev <alemate@chromium.org> Reviewed-by: Aga Wronska <agawronska@chromium.org> Reviewed-by: Drew Wilson <atwilson@chromium.org> Commit-Queue: Jun Mukai <mukai@chromium.org> Cr-Commit-Position: refs/heads/master@{#553389}

fake enrollment for offline demo mode
This adds a 'MODE_OFFLINE_DEMO' enrollment mode, which locks the device and applies the policy in the local installation. This is the flow to setup the offline demo mode. Currently the actual policy data is not yet available, so this right now simply locks the device. Bug: 827290 Change-Id: I6cdfec50049b017fc01d9875bd520f0655660031 Reviewed-on: https://chromium-review.googlesource.com/1000012Reviewed-by: Alexander Alekseev <alemate@chromium.org> Reviewed-by: Aga Wronska <agawronska@chromium.org> Reviewed-by: Drew Wilson <atwilson@chromium.org> Commit-Queue: Jun Mukai <mukai@chromium.org> Cr-Commit-Position: refs/heads/master@{#553389}
bdc8a348 · Jun Mukai · Commit Bot · c16fdebe · bdc8a348 · bdc8a348
Commit bdc8a348 authored Apr 25, 2018 by Jun Mukai Committed by Commit Bot Apr 25, 2018
11 changed files
--- a/chrome/browser/chromeos/login/enrollment/enrollment_uma.cc
+++ b/chrome/browser/chromeos/login/enrollment/enrollment_uma.cc
@@ -37,6 +37,13 @@ void EnrollmentUMA(policy::MetricEnrollment sample,
    case policy::EnrollmentConfig::MODE_RECOVERY:
      base::UmaHistogramSparse(kMetricEnrollmentRecovery, sample);
      break;
+    case policy::EnrollmentConfig::MODE_OFFLINE_DEMO:
+      // MODE_OFFLINE_DEMO is currently NOTREACHED(), since the normal
+      // enrollment flow (which invokes this function) shouldn't use this mode.
+      // TODO(mukai, agawronska): decide what needs to be done here.
+      // https://crbug.com/835904
+      NOTREACHED();
+      break;
    case policy::EnrollmentConfig::MODE_NONE:
      NOTREACHED();
      break;

--- a/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper.h
+++ b/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper.h
@@ -118,6 +118,12 @@ class EnterpriseEnrollmentHelper {
  // lifetime, and only if none of the EnrollUsing* was called before.
  virtual void EnrollUsingAttestation() = 0;

+  // Starts enterprise enrollment for offline demo-mode.
+  // EnrollForOfflineDemo is used offline, no network connections. Thus it goes
+  // into enrollment without authentication -- and applies policies which are
+  // stored locally.
+  virtual void EnrollForOfflineDemo() = 0;
+
  // Continue enrollment using license |type|.
  virtual void UseLicenseType(policy::LicenseType type) = 0;


--- a/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc
+++ b/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.cc
@@ -114,6 +114,12 @@ void EnterpriseEnrollmentHelperImpl::EnrollUsingAttestation() {
  DoEnroll("");  // The token is not used in attestation mode.
 }

+void EnterpriseEnrollmentHelperImpl::EnrollForOfflineDemo() {
+  CHECK_EQ(enrollment_config_.mode,
+           policy::EnrollmentConfig::MODE_OFFLINE_DEMO);
+  DoEnroll("");  // The token is not used in offline demo mode.
+}
+
 void EnterpriseEnrollmentHelperImpl::ClearAuth(const base::Closure& callback) {
  if (oauth_status_ != OAUTH_NOT_STARTED) {
    // Do not revoke the additional token if enrollment has finished
@@ -161,8 +167,10 @@ void EnterpriseEnrollmentHelperImpl::DoEnroll(const std::string& token) {
  }

  bool check_license_type = false;
-  // The license selection dialog is not used when doing Zero Touch.
-  if (!enrollment_config_.is_mode_attestation()) {
+  // The license selection dialog is not used when doing Zero Touch or setting
+  // up offline demo-mode.
+  if (!enrollment_config_.is_mode_attestation() &&
+      enrollment_config_.mode != policy::EnrollmentConfig::MODE_OFFLINE_DEMO) {
    check_license_type = !base::CommandLine::ForCurrentProcess()->HasSwitch(
        chromeos::switches::kEnterpriseDisableLicenseTypeSelection);
  }

--- a/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.h
+++ b/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_impl.h
@@ -37,6 +37,7 @@ class EnterpriseEnrollmentHelperImpl : public EnterpriseEnrollmentHelper {
                           bool fetch_additional_token) override;
  void EnrollUsingToken(const std::string& token) override;
  void EnrollUsingAttestation() override;
+  void EnrollForOfflineDemo() override;
  void ClearAuth(const base::Closure& callback) override;
  void UseLicenseType(policy::LicenseType type) override;
  void GetDeviceAttributeUpdatePermission() override;

--- a/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_mock.h
+++ b/chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper_mock.h
@@ -26,6 +26,7 @@ class EnterpriseEnrollmentHelperMock : public EnterpriseEnrollmentHelper {
               void(const std::string& auth_code, bool fetch_additional_token));
  MOCK_METHOD1(EnrollUsingToken, void(const std::string& token));
  MOCK_METHOD0(EnrollUsingAttestation, void());
+  MOCK_METHOD0(EnrollForOfflineDemo, void());
  MOCK_METHOD1(UseLicenseType, void(policy::LicenseType type));
  MOCK_METHOD0(GetDeviceAttributeUpdatePermission, void());
  MOCK_METHOD2(UpdateDeviceAttributes,

--- a/chrome/browser/chromeos/login/screens/demo_setup_screen.cc
+++ b/chrome/browser/chromeos/login/screens/demo_setup_screen.cc
@@ -4,14 +4,17 @@

 #include "chrome/browser/chromeos/login/screens/demo_setup_screen.h"

+#include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper.h"
 #include "chrome/browser/chromeos/login/screen_manager.h"
 #include "chrome/browser/chromeos/login/screens/base_screen_delegate.h"
+#include "chrome/browser/chromeos/policy/enrollment_config.h"

 namespace {

 constexpr const char kUserActionOnlineSetup[] = "online-setup";
 constexpr const char kUserActionOfflineSetup[] = "offline-setup";
 constexpr const char kUserActionClose[] = "close-setup";
+constexpr const char kDemoModeDomain[] = "cros-demo-mode.com";

 }  // namespace

@@ -40,11 +43,56 @@ void DemoSetupScreen::Hide() {
    view_->Hide();
 }

+void DemoSetupScreen::OnAuthError(const GoogleServiceAuthError& error) {
+  NOTREACHED();
+}
+
+void DemoSetupScreen::OnMultipleLicensesAvailable(
+    const EnrollmentLicenseMap& licenses) {
+  NOTREACHED();
+}
+
+void DemoSetupScreen::OnEnrollmentError(policy::EnrollmentStatus status) {
+  LOG(ERROR) << "Enrollment error: " << status.status() << ", "
+             << status.client_status() << ", " << status.store_status() << ", "
+             << status.validation_status() << ", " << status.lock_status();
+  // TODO(mukai): bring some error message on the screen.
+  // https://crbug.com/835898
+  NOTIMPLEMENTED();
+}
+
+void DemoSetupScreen::OnOtherError(
+    EnterpriseEnrollmentHelper::OtherError error) {
+  LOG(ERROR) << "Other error: " << error;
+  // TODO(mukai): bring some error message on the screen.
+  // https://crbug.com/835898
+  NOTIMPLEMENTED();
+}
+
+void DemoSetupScreen::OnDeviceEnrolled(const std::string& additional_token) {
+  NOTIMPLEMENTED();
+}
+
+void DemoSetupScreen::OnDeviceAttributeUpdatePermission(bool granted) {
+  NOTREACHED();
+}
+
+void DemoSetupScreen::OnDeviceAttributeUploadCompleted(bool success) {
+  NOTREACHED();
+}
+
 void DemoSetupScreen::OnUserAction(const std::string& action_id) {
  if (action_id == kUserActionOnlineSetup) {
    NOTIMPLEMENTED();
  } else if (action_id == kUserActionOfflineSetup) {
-    NOTIMPLEMENTED();
+    // TODO(mukai): load the policy data from somewhere (maybe asynchronously)
+    // and then set the loaded policy data into config. https://crbug.com/827290
+    policy::EnrollmentConfig config;
+    config.mode = policy::EnrollmentConfig::MODE_OFFLINE_DEMO;
+    config.management_domain = kDemoModeDomain;
+    enrollment_helper_ = EnterpriseEnrollmentHelper::Create(
+        this, nullptr /* ad_join_delegate */, config, kDemoModeDomain);
+    enrollment_helper_->EnrollForOfflineDemo();
  } else if (action_id == kUserActionClose) {
    Finish(ScreenExitCode::DEMO_MODE_SETUP_CLOSED);
  } else {
@@ -55,6 +103,7 @@ void DemoSetupScreen::OnUserAction(const std::string& action_id) {
 void DemoSetupScreen::OnViewDestroyed(DemoSetupScreenView* view) {
  if (view_ == view)
    view_ = nullptr;
+  enrollment_helper_.reset();
 }

 }  // namespace chromeos
--- a/chrome/browser/chromeos/login/screens/demo_setup_screen.h
+++ b/chrome/browser/chromeos/login/screens/demo_setup_screen.h
@@ -5,8 +5,12 @@
 #ifndef CHROME_BROWSER_CHROMEOS_LOGIN_SCREENS_DEMO_SETUP_SCREEN_H_
 #define CHROME_BROWSER_CHROMEOS_LOGIN_SCREENS_DEMO_SETUP_SCREEN_H_

+#include <memory>
+
+#include "chrome/browser/chromeos/login/enrollment/enterprise_enrollment_helper.h"
 #include "chrome/browser/chromeos/login/screens/base_screen.h"
 #include "chrome/browser/chromeos/login/screens/demo_setup_screen_view.h"
+#include "chrome/browser/chromeos/policy/enrollment_status_chromeos.h"

 namespace chromeos {

@@ -14,7 +18,9 @@ class BaseScreenDelegate;

 // Controlls demo mode setup. The screen can be shown during OOBE. It allows
 // user to setup retail demo mode on the device.
-class DemoSetupScreen : public BaseScreen {
+class DemoSetupScreen
+    : public BaseScreen,
+      public EnterpriseEnrollmentHelper::EnrollmentStatusConsumer {
 public:
  DemoSetupScreen(BaseScreenDelegate* base_screen_delegate,
                  DemoSetupScreenView* view);
@@ -29,9 +35,21 @@ class DemoSetupScreen : public BaseScreen {
  // then it has to call Bind(nullptr).
  void OnViewDestroyed(DemoSetupScreenView* view);

+  // EnterpriseEnrollmentHelper::EnterpriseStatusConsumer:
+  void OnAuthError(const GoogleServiceAuthError& error) override;
+  void OnMultipleLicensesAvailable(
+      const EnrollmentLicenseMap& licenses) override;
+  void OnEnrollmentError(policy::EnrollmentStatus status) override;
+  void OnOtherError(EnterpriseEnrollmentHelper::OtherError error) override;
+  void OnDeviceEnrolled(const std::string& additional_token) override;
+  void OnDeviceAttributeUpdatePermission(bool granted) override;
+  void OnDeviceAttributeUploadCompleted(bool success) override;
+
 private:
  DemoSetupScreenView* view_;

+  std::unique_ptr<EnterpriseEnrollmentHelper> enrollment_helper_;
+
  DISALLOW_COPY_AND_ASSIGN(DemoSetupScreen);
 };


--- a/chrome/browser/chromeos/policy/enrollment_config.h
+++ b/chrome/browser/chromeos/policy/enrollment_config.h
@@ -45,6 +45,9 @@ struct EnrollmentConfig {
    // Forced enrollment triggered as a fallback to attestation enrollment,
    // user can't skip.
    MODE_ATTESTATION_MANUAL_FALLBACK,
+
+    // Enrollment for offline demo mode with locally stored policy data.
+    MODE_OFFLINE_DEMO,
  };

  // An enumeration of authentication mechanisms that can be used for

--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
@@ -8,6 +8,7 @@

 #include "base/bind.h"
 #include "base/command_line.h"
+#include "base/guid.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/sequenced_task_runner.h"
@@ -51,6 +52,7 @@ em::DeviceRegisterRequest::Flavor EnrollmentModeToRegistrationFlavor(
    EnrollmentConfig::Mode mode) {
  switch (mode) {
    case EnrollmentConfig::MODE_NONE:
+    case EnrollmentConfig::MODE_OFFLINE_DEMO:
      break;
    case EnrollmentConfig::MODE_MANUAL:
      return em::DeviceRegisterRequest::FLAVOR_ENROLLMENT_MANUAL;
@@ -141,11 +143,8 @@ EnrollmentHandlerChromeOS::EnrollmentHandlerChromeOS(
      weak_ptr_factory_(this) {
  CHECK(!client_->is_registered());
  CHECK_EQ(DM_STATUS_SUCCESS, client_->status());
-  CHECK((enrollment_config_.mode == EnrollmentConfig::MODE_ATTESTATION ||
-         enrollment_config_.mode ==
-             EnrollmentConfig::MODE_ATTESTATION_LOCAL_FORCED ||
-         enrollment_config.mode ==
-             EnrollmentConfig::MODE_ATTESTATION_SERVER_FORCED) ==
+  CHECK((enrollment_config_.is_mode_attestation() ||
+         enrollment_config.mode == EnrollmentConfig::MODE_OFFLINE_DEMO) ==
        auth_token_.empty());
  CHECK(enrollment_config_.auth_mechanism !=
            EnrollmentConfig::AUTH_MECHANISM_ATTESTATION ||
@@ -370,6 +369,8 @@ void EnrollmentHandlerChromeOS::StartRegistration() {
  SetStep(STEP_REGISTRATION);
  if (enrollment_config_.is_mode_attestation()) {
    StartAttestationBasedEnrollmentFlow();
+  } else if (enrollment_config_.mode == EnrollmentConfig::MODE_OFFLINE_DEMO) {
+    StartOfflineDemoEnrollmentFlow();
  } else {
    client_->Register(
        em::DeviceRegisterRequest::DEVICE,
@@ -405,6 +406,22 @@ void EnrollmentHandlerChromeOS::HandleRegistrationCertificateResult(
  }
 }

+void EnrollmentHandlerChromeOS::StartOfflineDemoEnrollmentFlow() {
+  // TODO(mukai): set |policy_| which are obtained offline to enforce the actual
+  // policy for offline-demo mode. https://crbug.com/827290
+  device_mode_ = policy::DeviceMode::DEVICE_MODE_ENTERPRISE;
+  domain_ = enrollment_config_.management_domain;
+  device_id_ = base::GenerateGUID();
+  skip_robot_auth_ = true;
+  if (!policy_) {
+    ReportResult(
+        EnrollmentStatus::ForStatus(EnrollmentStatus::POLICY_FETCH_FAILED));
+    return;
+  }
+  SetStep(STEP_SET_FWMP_DATA);
+  SetFirmwareManagementParametersData();
+}
+
 void EnrollmentHandlerChromeOS::HandlePolicyValidationResult(
    DeviceCloudPolicyValidator* validator) {
  DCHECK_EQ(STEP_VALIDATION, enrollment_step_);

--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.h
@@ -149,6 +149,9 @@ class EnrollmentHandlerChromeOS : public CloudPolicyClient::Observer,
      chromeos::attestation::AttestationStatus status,
      const std::string& pem_certificate_chain);

+  // Starts the enrollment flow for the offline demo mode.
+  void StartOfflineDemoEnrollmentFlow();
+
  // Starts registration if the store is initialized.
  void StartRegistration();


--- a/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
+++ b/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
@@ -61,6 +61,7 @@ const char kEnrollmentModeUIRecovery[] = "recovery";
 std::string EnrollmentModeToUIMode(policy::EnrollmentConfig::Mode mode) {
  switch (mode) {
    case policy::EnrollmentConfig::MODE_NONE:
+    case policy::EnrollmentConfig::MODE_OFFLINE_DEMO:
      break;
    case policy::EnrollmentConfig::MODE_MANUAL:
    case policy::EnrollmentConfig::MODE_MANUAL_REENROLLMENT: