// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROME_BROWSER_ASH_POLICY_ENROLLMENT_ENROLLMENT_CONFIG_H_
#define CHROME_BROWSER_ASH_POLICY_ENROLLMENT_ENROLLMENT_CONFIG_H_
#include <string>
#include "base/files/file_path.h"
class PrefService;
namespace ash {
class InstallAttributes;
class OobeConfiguration;
namespace system {
class StatisticsProvider;
}
} // namespace ash
namespace policy {
// An enumeration of different enrollment licenses.
// Constants that should be in sync with `OobeTypes.LicenseType`.
enum class LicenseType {
kNone = 0,
kEnterprise = 1,
kEducation = 2,
kTerminal = 3
};
// Source of OOBE config, if the device has an OOBE configuration file and
// that config influences enrollment.
enum class OOBEConfigSource {
// No OOBE config source field (or no OOBE config at all, if this isn't a type
// of enrollment driven by OOBE config).
kNone = 0,
// Unrecognized content present in source field.
kUnknown = 1,
// OOBE config was created during remote deployment Flex installation.
kRemoteDeployment = 2,
// OOBE config was written to disk image by the (Flex) image packaging tool,
// prior to installation.
kPackagingTool = 3,
};
// A container keeping all parameters relevant to whether and how enterprise
// enrollment of a device should occur. This configures the behavior of the
// enrollment flow during OOBE, i.e. whether the enrollment screen starts
// automatically, whether the user can skip enrollment, and what domain to
// display as owning the device.
struct EnrollmentConfig {
// Describes the enrollment mode, i.e. what triggered enrollment.
enum Mode {
// Enrollment not applicable.
MODE_NONE = 0,
// Manually triggered initial enrollment.
MODE_MANUAL = 1,
// Manually triggered re-enrollment.
MODE_MANUAL_REENROLLMENT = 2,
// Forced enrollment triggered by local OEM manifest or device requisition,
// user can't skip.
MODE_LOCAL_FORCED = 3,
// Advertised enrollment triggered by local OEM manifest or device
// requisition, user can skip.
MODE_LOCAL_ADVERTISED = 4,
// Server-backed-state-triggered forced enrollment, user can't skip.
MODE_SERVER_FORCED = 5,
// Server-backed-state-triggered advertised enrollment, user can skip.
MODE_SERVER_ADVERTISED = 6,
// Recover from "spontaneous unenrollment", user can't skip.
MODE_RECOVERY = 7,
// Start attestation-based enrollment.
MODE_ATTESTATION = 8,
// Start attestation-based enrollment and only uses that.
MODE_ATTESTATION_LOCAL_FORCED = 9,
// Server-backed-state-triggered attestation-based enrollment, user can't
// skip.
MODE_ATTESTATION_SERVER_FORCED = 10,
// Forced enrollment triggered as a fallback to attestation re-enrollment,
// user can't skip.
MODE_ATTESTATION_MANUAL_FALLBACK = 11,
// DEPRECATED_MODE_OFFLINE_DEMO = 12,
// DEPRECATED_MODE_ENROLLED_ROLLBACK = 13,
MODE_INITIAL_SERVER_FORCED = 14,
// Server-backed-state-triggered attestation-based initial enrollment,
// user can't skip.
MODE_ATTESTATION_INITIAL_SERVER_FORCED = 15,
// Forced enrollment triggered as a fallback to attestation initial
// enrollment, user can't skip.
MODE_ATTESTATION_INITIAL_MANUAL_FALLBACK = 16,
// An enterprise rollback just took place and the device was wiped.
// Attempt to re-enroll with attestation. This is forced from the
// client side. Cannot be skipped.
MODE_ATTESTATION_ROLLBACK_FORCED = 17,
// An enterprise rollback just took place and the device was wiped.
// Attestation re-enrollment just failed, attempt manual enrollment as
// fallback. Cannot be skipped.
MODE_ATTESTATION_ROLLBACK_MANUAL_FALLBACK = 18,
// Forced initial enrollment triggered after presenting an enrollment
// token (for Flex Auto Enrollment) to the server. Cannot be skipped.
MODE_ENROLLMENT_TOKEN_INITIAL_SERVER_FORCED = 19,
// Forced manual enrollment triggered as a fallback to a failed
// token-based enrollment. Cannot be skipped.
MODE_ENROLLMENT_TOKEN_INITIAL_MANUAL_FALLBACK = 20,
};
// An enumeration of authentication mechanisms that can be used for
// enrollment.
enum AuthMechanism {
// Interactive authentication.
// Note: the entry is used as both a signal for interactive enrollment and
// as a default value (e.g. in `should_enroll_with_attestation()`).
// TODO(b/332529631): Introduce kNone entry to represent default config
// that does not require enrollment.
AUTH_MECHANISM_INTERACTIVE = 0,
// Automatic authentication relying on the attestation process.
AUTH_MECHANISM_ATTESTATION = 1,
// Prefer to use attestation enrollment, falling back to manual enrollment
// if attestation fails or manual enrollment is forced on the system.
AUTH_MECHANISM_ATTESTATION_PREFERRED = 2,
// Prefer to use automatic enrollment-token-based authentication relying on
// the device. If token-based auth fails, fall back to manual enrollment.
// As of writing, token-based-enrollment on ChromeOS only happens for Flex
// Auto Enrollment.
AUTH_MECHANISM_TOKEN_PREFERRED = 3,
};
// An enumeration of assigned upgrades that a device can after initial
// enrollment.
enum class AssignedUpgradeType {
// Unspecified Upgrade
kAssignedUpgradeTypeUnspecified = 0,
// Chrome Enterprise Upgrade
kAssignedUpgradeTypeChromeEnterprise = 1,
// Kiosk & Signage Upgrade
kAssignedUpgradeTypeKioskAndSignage = 2,
};
// Get the enrollment configuration that has been set up via signals such as
// device requisition, OEM manifest, pre-existing installation-time attributes
// or server-backed state retrieval. The configuration is stored in |config|,
// |config.mode| will be MODE_NONE if there is no prescribed configuration.
// |config.management_domain| will contain the domain the device is supposed
// to be enrolled to as decided by factors such as forced re-enrollment,
// enrollment recovery, or already-present install attributes. Note that
// |config.management_domain| may be non-empty even if |config.mode| is
// MODE_NONE.
// |statistics_provider| would also be const if it had const access methods.
// May alter the enrollment recovery flag in local state if it discovers
// inconsistency there.
static EnrollmentConfig GetPrescribedEnrollmentConfig();
static EnrollmentConfig GetPrescribedEnrollmentConfig(
PrefService* local_state,
const ash::InstallAttributes& install_attributes,
ash::system::StatisticsProvider* statistics_provider,
const ash::OobeConfiguration* oobe_configuration);
// Returns the respective manual fallback enrollment mode when given an
// attestation mode.
static Mode GetManualFallbackMode(Mode attestation_mode);
EnrollmentConfig();
EnrollmentConfig(const EnrollmentConfig& config);
~EnrollmentConfig();
// Whether enrollment should be triggered.
bool should_enroll() const {
return should_enroll_with_attestation() || should_enroll_interactively();
}
// Whether attestation enrollment should be triggered.
bool should_enroll_with_attestation() const {
return auth_mechanism != AUTH_MECHANISM_INTERACTIVE;
}
// Whether interactive enrollment should be triggered.
bool should_enroll_interactively() const { return mode != MODE_NONE; }
// Whether we fell back into manual enrollment.
bool is_manual_fallback() const {
return mode == MODE_ATTESTATION_MANUAL_FALLBACK ||
mode == MODE_ATTESTATION_INITIAL_MANUAL_FALLBACK ||
mode == MODE_ATTESTATION_ROLLBACK_MANUAL_FALLBACK ||
mode == MODE_ENROLLMENT_TOKEN_INITIAL_MANUAL_FALLBACK;
}
// Whether enrollment is forced. The user can't skip the enrollment step
// during OOBE if this returns true.
bool is_forced() const {
return mode == MODE_LOCAL_FORCED || mode == MODE_SERVER_FORCED ||
mode == MODE_ATTESTATION_LOCAL_FORCED ||
mode == MODE_ATTESTATION_SERVER_FORCED ||
mode == MODE_INITIAL_SERVER_FORCED ||
mode == MODE_ATTESTATION_INITIAL_SERVER_FORCED ||
mode == MODE_ATTESTATION_ROLLBACK_FORCED || mode == MODE_RECOVERY ||
mode == MODE_ENROLLMENT_TOKEN_INITIAL_SERVER_FORCED ||
is_manual_fallback();
}
// Whether attestation-based authentication is forced. The user cannot enroll
// manually.
bool is_attestation_auth_forced() const {
return auth_mechanism == AUTH_MECHANISM_ATTESTATION;
}
// Whether this configuration is in attestation mode per server request.
bool is_mode_attestation_server() const {
return mode == MODE_ATTESTATION_SERVER_FORCED ||
mode == MODE_ATTESTATION_INITIAL_SERVER_FORCED;
}
// Whether this configuration is in initial attestation forced mode per server
// request.
bool is_mode_initial_attestation_server_forced() const {
return mode == MODE_ATTESTATION_INITIAL_SERVER_FORCED;
}
// Whether this configuration is in attestation mode per client request.
bool is_mode_attestation_client() const {
return mode == MODE_ATTESTATION || mode == MODE_ATTESTATION_LOCAL_FORCED ||
mode == MODE_ATTESTATION_ROLLBACK_FORCED;
}
// Whether this configuration is an automatic enrollment mode that has a
// manual fallback. I.e. after a failed attempt at automatic enrolling,
// manual enrollment will be triggered.
bool is_mode_with_manual_fallback() const {
return is_mode_attestation_server() ||
mode == MODE_ATTESTATION_ROLLBACK_FORCED ||
mode == MODE_ENROLLMENT_TOKEN_INITIAL_SERVER_FORCED;
}
// Whether this configuration is in attestation mode.
bool is_mode_attestation() const {
return is_mode_attestation_client() || is_mode_attestation_server();
}
// Whether this configuration's mode causes the device to automatically
// enroll without user interaction.
bool is_automatic_enrollment() const {
return is_mode_attestation() ||
mode == MODE_ENROLLMENT_TOKEN_INITIAL_SERVER_FORCED;
}
// Whether this configuration is in OAuth mode.
bool is_mode_oauth() const {
return mode != MODE_NONE && !is_automatic_enrollment();
}
// Indicates the enrollment flow variant to trigger during OOBE.
Mode mode = MODE_NONE;
// The authentication mechanism to use.
// TODO(drcrash): Change to best available once ZTE is everywhere.
AuthMechanism auth_mechanism = AUTH_MECHANISM_INTERACTIVE;
// The domain to enroll the device to, if applicable. If this is not set, the
// device may be enrolled to any domain. Note that for the case where the
// device is not already locked to a certain domain, this value is used for
// display purposes only and the server makes the final decision on which
// domain the device should be enrolled with. If the device is already locked
// to a domain, policy validation during enrollment will verify the domains
// match.
std::string management_domain;
// Is a license packaged with device or not.
bool is_license_packaged_with_device = false;
// Which type of license device has.
LicenseType license_type = LicenseType::kNone;
// The assigned upgrade for a device after initial enrollment. Chrome
// Enterprise Upgrade is the default upgrade for ZTE devices, unless other is
// specified in the server-backed initial state retrieval.
AssignedUpgradeType assigned_upgrade_type =
AssignedUpgradeType::kAssignedUpgradeTypeChromeEnterprise;
// User's email which can be passed from the Gaia screen in the enrollment
// nudge flow.
std::string enrollment_nudge_email;
// Enrollment token to use for authentication (for Flex Auto Enrollment).
std::string enrollment_token;
// Source of OOBE config, if the device has an OOBE configuration file and
// that config influences enrollment.
OOBEConfigSource oobe_config_source;
private:
// Hold fields to be filled corresponding to ones in `EnrollmentConfig`.
struct PrescribedConfig;
struct PrescribedLicense;
EnrollmentConfig(PrescribedConfig prescribed_config,
PrescribedLicense prescribed_license);
};
std::ostream& operator<<(std::ostream& os, const EnrollmentConfig::Mode& mode);
std::ostream& operator<<(std::ostream& os,
const EnrollmentConfig::AuthMechanism& auth);
std::ostream& operator<<(std::ostream& os, const EnrollmentConfig& config);
} // namespace policy
#endif // CHROME_BROWSER_ASH_POLICY_ENROLLMENT_ENROLLMENT_CONFIG_H_