-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathauthpolicy.h
155 lines (120 loc) · 6.05 KB
/
authpolicy.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
// Copyright 2016 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef AUTHPOLICY_AUTHPOLICY_H_
#define AUTHPOLICY_AUTHPOLICY_H_
#include <memory>
#include <string>
#include <utility>
#include <vector>
#include <brillo/dbus/async_event_sequencer.h>
#include <install_attributes/libinstallattributes.h>
#include "authpolicy/authpolicy_metrics.h"
#include "authpolicy/org.chromium.AuthPolicy.h"
#include "authpolicy/samba_interface.h"
namespace login_manager {
class PolicyDescriptor;
}
namespace authpolicy {
class ActiveDirectoryAccountInfo;
class Anonymizer;
class AuthPolicyMetrics;
class SessionManagerClient;
class PathService;
class ResponseTracker;
extern const char kChromeUserPolicyType[];
extern const char kChromeDevicePolicyType[];
extern const char kChromeExtensionPolicyType[];
// Implementation of authpolicy's D-Bus interface. Mainly routes stuff between
// D-Bus and SambaInterface.
class AuthPolicy : public org::chromium::AuthPolicyAdaptor,
public org::chromium::AuthPolicyInterface {
public:
// Args: ErrorType, serialized ActiveDirectoryAccountInfo protobuf.
using AuthenticateUserResponseCallback = std::unique_ptr<
brillo::dbus_utils::DBusMethodResponse<int32_t, std::vector<uint8_t>>>;
// Args: ErrorType.
using PolicyResponseCallback =
std::unique_ptr<brillo::dbus_utils::DBusMethodResponse<int32_t>>;
// Helper method to get the D-Bus object for the given |object_manager|.
static std::unique_ptr<brillo::dbus_utils::DBusObject> GetDBusObject(
brillo::dbus_utils::ExportedObjectManager* object_manager);
AuthPolicy(AuthPolicyMetrics* metrics, const PathService* path_service);
AuthPolicy(const AuthPolicy&) = delete;
AuthPolicy& operator=(const AuthPolicy&) = delete;
~AuthPolicy();
// Initializes internals. See SambaInterface::Initialize() for details.
ErrorType Initialize(bool device_is_locked) WARN_UNUSED_RESULT;
// Registers the D-Bus object and interfaces.
void RegisterAsync(
std::unique_ptr<brillo::dbus_utils::DBusObject> dbus_object,
const brillo::dbus_utils::AsyncEventSequencer::CompletionAction&
completion_callback);
// Cleans all persistent state files. Returns true if all files were cleared.
static bool CleanState(const PathService* path_service) {
return SambaInterface::CleanState(path_service);
}
// org::chromium::AuthPolicyInterface: (see org.chromium.AuthPolicy.xml).
// |auth_user_request_blob| is a serialized AuthenticateUserRequest protobuf.
// Calls |callback| with an ErrorType and a serialized
// ActiveDirectoryAccountInfo protobuf.
void AuthenticateUser(AuthenticateUserResponseCallback callback,
const std::vector<uint8_t>& auth_user_request_blob,
const base::ScopedFD& password_fd) override;
// |get_status_request_blob| is a serialized GetUserStatusRequest protobuf.
// |user_status_blob| is a serialized ActiveDirectoryUserStatus protobuf.
void GetUserStatus(const std::vector<uint8_t>& get_status_request_blob,
int32_t* error,
std::vector<uint8_t>* user_status_blob) override;
// |kerberos_files_blob| is a serialized KerberosFiles profobuf.
void GetUserKerberosFiles(const std::string& account_id,
int32_t* error,
std::vector<uint8_t>* kerberos_files_blob) override;
// |join_domain_request_blob| is a serialized JoinDomainRequest protobuf.
void JoinADDomain(const std::vector<uint8_t>& join_domain_request_blob,
const base::ScopedFD& password_fd,
int32_t* error,
std::string* joined_domain) override;
void RefreshUserPolicy(PolicyResponseCallback callback,
const std::string& acccount_id) override;
void RefreshDevicePolicy(PolicyResponseCallback callback) override;
std::string SetDefaultLogLevel(int32_t level) override;
int32_t ChangeMachinePasswordForTesting() override;
SambaInterface& GetSambaInterfaceForTesting() { return samba_; }
void SetDeviceIsLockedForTesting() { device_is_locked_ = true; }
bool IsUserTgtAutoRenewalEnabledForTesting() {
return samba_.GetUserTgtManagerForTesting()
.IsTgtAutoRenewalEnabledForTesting();
}
private:
// Gets triggered by when the Kerberos credential cache or the configuration
// file of the currently logged in user change. Triggers the
// UserKerberosFilesChanged signal.
void OnUserKerberosFilesChanged();
// Sends policy to SessionManager. Assumes |gpo_policy_data| contains user
// policy if |account_id_key| is not nullptr, otherwise assumes it's device
// policy.
void StorePolicy(std::unique_ptr<protos::GpoPolicyData> gpo_policy_data,
const std::string* account_id_key,
std::unique_ptr<ScopedTimerReporter> timer,
PolicyResponseCallback callback);
// Sends a single policy blob to Session Manager. |policy_type| is the policy
// type passed into enterprise_management::PolicyData. |policy_blob| is the
// policy data (serialized Chrome proto or JSON string for extensions). If
// nullptr, the policy is deleted in Session Manager. |response_tracker| is a
// data structure to track all responses from Session Manager.
void StoreSinglePolicy(const login_manager::PolicyDescriptor& descriptor,
const char* policy_type,
const std::string* policy_blob,
scoped_refptr<ResponseTracker> response_tracker);
AuthPolicyMetrics* metrics_; // Not owned.
SambaInterface samba_;
// Used during enrollment when authpolicyd cannot send policy to Session
// Manager because device is not locked yet.
std::unique_ptr<protos::GpoPolicyData> cached_device_policy_data_;
bool device_is_locked_ = false;
std::unique_ptr<brillo::dbus_utils::DBusObject> dbus_object_;
std::unique_ptr<SessionManagerClient> session_manager_client_;
};
} // namespace authpolicy
#endif // AUTHPOLICY_AUTHPOLICY_H_