// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/ash/cert_provisioning/cert_provisioning_invalidator.h"
#include <utility>
#include "base/functional/overloaded.h"
#include "base/strings/string_util.h"
#include "base/strings/stringprintf.h"
#include "chrome/browser/ash/cert_provisioning/cert_provisioning_common.h"
#include "chrome/browser/invalidation/profile_invalidation_provider_factory.h"
#include "components/invalidation/invalidation_factory.h"
#include "components/invalidation/invalidation_listener.h"
#include "components/invalidation/profile_invalidation_provider.h"
#include "components/invalidation/public/invalidation.h"
#include "components/invalidation/public/invalidation_service.h"
#include "components/invalidation/public/invalidation_util.h"
#include "components/invalidation/public/invalidator_state.h"
#include "components/policy/core/common/cloud/cloud_policy_constants.h"
namespace ash::cert_provisioning {
namespace {
// Topics that start with this prefix are considered to be "public" FCM topics.
// This allows us to migrate to "private" FCM topics (which would get a
// different prefix) server-side without client-side changes.
constexpr char kFcmCertProvisioningPublicTopicPrefix[] = "cert-";
// Shall be expanded to cert.[scope].[topic]
constexpr char kOwnerNameFormat[] = "cert.%s.%s";
const char* CertScopeToString(CertScope scope) {
switch (scope) {
case CertScope::kUser:
return "user";
case CertScope::kDevice:
return "device";
}
NOTREACHED_IN_MIGRATION()
<< "Unknown cert scope: " << static_cast<int>(scope);
return "";
}
} // namespace
//=============== CertProvisioningInvalidationHandler ==========================
namespace internal {
// static
std::unique_ptr<CertProvisioningInvalidationHandler>
CertProvisioningInvalidationHandler::BuildAndRegister(
CertScope scope,
std::variant<invalidation::InvalidationService*,
invalidation::InvalidationListener*>
invalidation_service_or_listener,
const invalidation::Topic& topic,
const std::string& listener_type,
OnInvalidationEventCallback on_invalidation_event_callback) {
auto invalidator = std::make_unique<CertProvisioningInvalidationHandler>(
scope, std::move(invalidation_service_or_listener), topic, listener_type,
std::move(on_invalidation_event_callback));
if (!invalidator->Register()) {
return nullptr;
}
return invalidator;
}
CertProvisioningInvalidationHandler::CertProvisioningInvalidationHandler(
CertScope scope,
std::variant<invalidation::InvalidationService*,
invalidation::InvalidationListener*>
invalidation_service_or_listener,
const invalidation::Topic& topic,
const std::string& listener_type,
OnInvalidationEventCallback on_invalidation_event_callback)
: scope_(scope),
invalidation_service_or_listener_(
invalidation::PointerVariantToRawPointer(
invalidation_service_or_listener)),
topic_(topic),
listener_type_(listener_type),
on_invalidation_event_callback_(
std::move(on_invalidation_event_callback)) {
CHECK(!std::holds_alternative<raw_ptr<invalidation::InvalidationService>>(
invalidation_service_or_listener_) ||
std::get<raw_ptr<invalidation::InvalidationService>>(
invalidation_service_or_listener_))
<< "InvalidationService is used but is null";
CHECK(!std::holds_alternative<raw_ptr<invalidation::InvalidationListener>>(
invalidation_service_or_listener_) ||
std::get<raw_ptr<invalidation::InvalidationListener>>(
invalidation_service_or_listener_))
<< "InvalidationListener is used but is null";
CHECK(!on_invalidation_event_callback_.is_null());
}
CertProvisioningInvalidationHandler::~CertProvisioningInvalidationHandler() {
// Unregister is not called here so that subscription can be preserved if
// browser restarts. If subscription is not needed a user must call Unregister
// explicitly.
}
bool CertProvisioningInvalidationHandler::Register() {
if (IsRegistered()) {
return true;
}
return std::visit(
base::Overloaded{[this](invalidation::InvalidationService* service) {
return RegisterWithInvalidationService(service);
},
[this](invalidation::InvalidationListener* listener) {
invalidation_listener_observation_.Observe(listener);
return true;
}},
invalidation_service_or_listener_);
}
bool CertProvisioningInvalidationHandler::RegisterWithInvalidationService(
invalidation::InvalidationService* service) {
OnInvalidatorStateChange(service->GetInvalidatorState());
invalidation_service_observation_.Observe(service);
if (!service->UpdateInterestedTopics(this,
/*topics=*/{topic_})) {
LOG(WARNING) << "Failed to register with topic " << topic_;
return false;
}
return true;
}
void CertProvisioningInvalidationHandler::Unregister() {
if (!IsRegistered()) {
return;
}
if (std::holds_alternative<raw_ptr<invalidation::InvalidationService>>(
invalidation_service_or_listener_)) {
const auto service = std::get<raw_ptr<invalidation::InvalidationService>>(
invalidation_service_or_listener_);
// Assuming that updating invalidator's topics with an empty set can never
// fail. Failure is only possible when setting a non-empty topic that is
// already associated with some other invalidator.
const bool topics_reset =
service->UpdateInterestedTopics(this, invalidation::TopicSet());
CHECK(topics_reset);
}
invalidation_service_observation_.Reset();
invalidation_listener_observation_.Reset();
}
void CertProvisioningInvalidationHandler::OnInvalidatorStateChange(
invalidation::InvalidatorState state) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
}
void CertProvisioningInvalidationHandler::OnSuccessfullySubscribed(
const invalidation::Topic& topic) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
CHECK_EQ(topic, topic_)
<< "Successfully subscribed notification for wrong topic";
on_invalidation_event_callback_.Run(
InvalidationEvent::kSuccessfullySubscribed);
}
void CertProvisioningInvalidationHandler::OnIncomingInvalidation(
const invalidation::Invalidation& invalidation) {
DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
if (!AreInvalidationsEnabled()) {
LOG(WARNING) << "Unexpected invalidation received.";
}
CHECK(invalidation.topic() == topic_)
<< "Incoming invalidation does not contain invalidation"
" for certificate topic";
on_invalidation_event_callback_.Run(InvalidationEvent::kInvalidationReceived);
}
std::string CertProvisioningInvalidationHandler::GetOwnerName() const {
return base::StringPrintf(kOwnerNameFormat, CertScopeToString(scope_),
topic_.c_str());
}
bool CertProvisioningInvalidationHandler::IsPublicTopic(
const invalidation::Topic& topic) const {
return base::StartsWith(topic, kFcmCertProvisioningPublicTopicPrefix,
base::CompareCase::SENSITIVE);
}
void CertProvisioningInvalidationHandler::OnExpectationChanged(
invalidation::InvalidationsExpected expected) {
are_invalidations_expected_ = expected;
}
void CertProvisioningInvalidationHandler::OnInvalidationReceived(
const invalidation::DirectInvalidation& invalidation) {
on_invalidation_event_callback_.Run(InvalidationEvent::kInvalidationReceived);
}
std::string CertProvisioningInvalidationHandler::GetType() const {
return listener_type_;
}
bool CertProvisioningInvalidationHandler::IsRegistered() const {
return std::visit(
base::Overloaded{
[this](invalidation::InvalidationService* service) {
return invalidation_service_observation_.IsObservingSource(service);
},
[this](invalidation::InvalidationListener* listener) {
return invalidation_listener_observation_.IsObservingSource(
listener);
}},
invalidation_service_or_listener_);
}
bool CertProvisioningInvalidationHandler::AreInvalidationsEnabled() const {
if (!IsRegistered()) {
return false;
}
return std::visit(
base::Overloaded{[](invalidation::InvalidationService* service) {
return service->GetInvalidatorState() ==
invalidation::InvalidatorState::kEnabled;
},
[this](invalidation::InvalidationListener* listener) {
return are_invalidations_expected_ ==
invalidation::InvalidationsExpected::kYes;
}},
invalidation_service_or_listener_);
}
} // namespace internal
//=============== CertProvisioningUserInvalidator ==============================
CertProvisioningInvalidator::CertProvisioningInvalidator() = default;
CertProvisioningInvalidator::~CertProvisioningInvalidator() = default;
void CertProvisioningInvalidator::Unregister() {
if (invalidation_handler_) {
invalidation_handler_->Unregister();
invalidation_handler_.reset();
}
}
//=============== CertProvisioningUserInvalidatorFactory =======================
CertProvisioningUserInvalidatorFactory::CertProvisioningUserInvalidatorFactory(
Profile* profile)
: profile_(profile) {
CHECK(profile_);
}
std::unique_ptr<CertProvisioningInvalidator>
CertProvisioningUserInvalidatorFactory::Create() {
return std::make_unique<CertProvisioningUserInvalidator>(profile_);
}
//=============== CertProvisioningUserInvalidator ==============================
CertProvisioningUserInvalidator::CertProvisioningUserInvalidator(
Profile* profile)
: profile_(profile) {
CHECK(profile_);
}
void CertProvisioningUserInvalidator::Register(
const invalidation::Topic& topic,
const std::string& listener_type,
OnInvalidationEventCallback on_invalidation_event_callback) {
invalidation::ProfileInvalidationProvider* invalidation_provider =
invalidation::ProfileInvalidationProviderFactory::GetForProfile(profile_);
CHECK(invalidation_provider);
invalidation_handler_ =
internal::CertProvisioningInvalidationHandler::BuildAndRegister(
CertScope::kUser,
invalidation_provider->GetInvalidationServiceOrListener(
policy::kPolicyFCMInvalidationSenderID,
invalidation::InvalidationListener::kProjectNumberEnterprise),
topic, listener_type, std::move(on_invalidation_event_callback));
if (!invalidation_handler_) {
LOG(ERROR) << "Failed to register for invalidation topic";
}
}
//=============== CertProvisioningDeviceInvalidatorFactory =====================
CertProvisioningDeviceInvalidatorFactory::
CertProvisioningDeviceInvalidatorFactory(
std::variant<policy::AffiliatedInvalidationServiceProvider*,
invalidation::InvalidationListener*>
invalidation_service_provider_or_listener)
: invalidation_service_provider_or_listener_(
invalidation::PointerVariantToRawPointer(
invalidation_service_provider_or_listener)) {
CHECK(!std::holds_alternative<
raw_ptr<policy::AffiliatedInvalidationServiceProvider>>(
invalidation_service_provider_or_listener_) ||
std::get<raw_ptr<policy::AffiliatedInvalidationServiceProvider>>(
invalidation_service_provider_or_listener_))
<< "AffiliatedInvalidationServiceProvider is used but is null";
CHECK(!std::holds_alternative<raw_ptr<invalidation::InvalidationListener>>(
invalidation_service_provider_or_listener_) ||
std::get<raw_ptr<invalidation::InvalidationListener>>(
invalidation_service_provider_or_listener_))
<< "InvalidationListener is used but is null";
}
CertProvisioningDeviceInvalidatorFactory::
CertProvisioningDeviceInvalidatorFactory() = default;
CertProvisioningDeviceInvalidatorFactory::
~CertProvisioningDeviceInvalidatorFactory() = default;
std::unique_ptr<CertProvisioningInvalidator>
CertProvisioningDeviceInvalidatorFactory::Create() {
return std::make_unique<CertProvisioningDeviceInvalidator>(
invalidation::RawPointerVariantToPointer(
invalidation_service_provider_or_listener_));
}
//=============== CertProvisioningDeviceInvalidator ============================
CertProvisioningDeviceInvalidator::CertProvisioningDeviceInvalidator(
std::variant<policy::AffiliatedInvalidationServiceProvider*,
invalidation::InvalidationListener*>
invalidation_service_provider_or_listener)
: invalidation_service_provider_or_listener_(
invalidation::PointerVariantToRawPointer(
invalidation_service_provider_or_listener)) {
CHECK(!std::holds_alternative<
raw_ptr<policy::AffiliatedInvalidationServiceProvider>>(
invalidation_service_provider_or_listener_) ||
std::get<raw_ptr<policy::AffiliatedInvalidationServiceProvider>>(
invalidation_service_provider_or_listener_))
<< "AffiliatedInvalidationServiceProvider is used but is null";
CHECK(!std::holds_alternative<raw_ptr<invalidation::InvalidationListener>>(
invalidation_service_provider_or_listener_) ||
std::get<raw_ptr<invalidation::InvalidationListener>>(
invalidation_service_provider_or_listener_))
<< "InvalidationListener is used but is null";
}
CertProvisioningDeviceInvalidator::~CertProvisioningDeviceInvalidator() {
// As mentioned in the class-level comment, this intentionally doesn't call
// Unregister so that a subscription can be preserved across process restarts.
//
// Note that it is OK to call this even if this instance has not called
// RegisterConsumer yet.
std::visit(
base::Overloaded{
[this](
policy::AffiliatedInvalidationServiceProvider* service_provider) {
service_provider->UnregisterConsumer(this);
},
[](invalidation::InvalidationListener* listener) {
// Do nothing.
}},
invalidation_service_provider_or_listener_);
}
void CertProvisioningDeviceInvalidator::Register(
const invalidation::Topic& topic,
const std::string& listener_type,
OnInvalidationEventCallback on_invalidation_event_callback) {
topic_ = topic;
listener_type_ = listener_type;
CHECK(!topic_.empty());
on_invalidation_event_callback_ = std::move(on_invalidation_event_callback);
std::visit(
base::Overloaded{
[this](
policy::AffiliatedInvalidationServiceProvider* service_provider) {
service_provider->RegisterConsumer(this);
},
[this](invalidation::InvalidationListener* listener) {
invalidation_handler_ =
internal::CertProvisioningInvalidationHandler::BuildAndRegister(
CertScope::kDevice, listener, topic_, listener_type_,
on_invalidation_event_callback_);
}},
invalidation_service_provider_or_listener_);
}
void CertProvisioningDeviceInvalidator::Unregister() {
std::visit(
base::Overloaded{
[this](
policy::AffiliatedInvalidationServiceProvider* service_provider) {
service_provider->UnregisterConsumer(this);
},
[](invalidation::InvalidationListener* listener) {
// Do nothing.
}},
invalidation_service_provider_or_listener_);
CertProvisioningInvalidator::Unregister();
topic_.clear();
}
void CertProvisioningDeviceInvalidator::OnInvalidationServiceSet(
invalidation::InvalidationService* invalidation_service) {
// This can only be called after Register() has been called, so the `topic_`
// must be non-empty.
CHECK(!topic_.empty());
// Reset any previously active `invalidation_handler` as it could be referring
// to the previous `invalidation_service`.
invalidation_handler_.reset();
if (!invalidation_service) {
return;
}
invalidation_handler_ =
internal::CertProvisioningInvalidationHandler::BuildAndRegister(
CertScope::kDevice, invalidation_service, topic_, listener_type_,
on_invalidation_event_callback_);
if (!invalidation_handler_) {
LOG(ERROR) << "Failed to register for invalidation topic";
}
}
} // namespace ash::cert_provisioning
Codebase Browser
chromium