
Issue 809914


Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug




authpolicy: Store DMToken in device policy

Project Member Reported by ljusten@chromium.org, Feb 7 2018

Issue description

Right now, DMToken is stored using DMTokenStorage for AD managed devices. This is different from cloud management, where DMToken is stored in device policy. It might also be an issue in case Chrome is hacked. Instead, we should store DMToken in device policy also for AD managed devices.

For this purpose, send DMToken to authpolicy during domain join (add it to JoinDomainRequest) and have authpolicy store it in device policy.

 
Status: Started (was: Assigned)
Labels: OS-Chrome
Project Member

Comment 3 by bugdroid1@chromium.org, Feb 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform/system_api/+/13139639690bd5fddc221333d7a314b22559efc3

commit 13139639690bd5fddc221333d7a314b22559efc3
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Wed Feb 14 05:17:01 2018

authpolicy: Add dm_token into JoinDomainRequest

Authpolicyd should set it in the device policy to match the way it's
done for cloud management.

BUG=chromium:809914
TEST=none

Change-Id: Id39b047f4b1e1a8db8722ace0abb133090a97f34
Reviewed-on: https://chromium-review.googlesource.com/911790
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>

[modify] https://crrev.com/13139639690bd5fddc221333d7a314b22559efc3/dbus/authpolicy/active_directory_info.proto

Labels: -M-66 M-67
Project Member

Comment 5 by bugdroid1@chromium.org, Apr 16 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99a8d795549e363a355f3b0e090d2aad761b58d3

commit 99a8d795549e363a355f3b0e090d2aad761b58d3
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Mon Apr 16 15:57:58 2018

Add test for Active Directory join error card

Checks that the correct error card is shown (the Active Directory one). Also checks
that hitting retry shows the Active Directory screen again.

BUG=chromium:829361,chromium:809914
TEST=EnterpriseEnrollmentTest.TestActiveDirectoryEnrollment_ErrorCard

Change-Id: I5eb6aa289828954c5837934ab34fb119f15bcdc6
Reviewed-on: https://chromium-review.googlesource.com/998272
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550974}
[modify] https://crrev.com/99a8d795549e363a355f3b0e090d2aad761b58d3/chrome/browser/chromeos/login/enrollment/enrollment_screen.h
[modify] https://crrev.com/99a8d795549e363a355f3b0e090d2aad761b58d3/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc

Project Member

Comment 6 by bugdroid1@chromium.org, Apr 17 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c026bc840d42e3928b8a9555546b1893b16da914

commit c026bc840d42e3928b8a9555546b1893b16da914
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Tue Apr 17 13:27:27 2018

Refactor Active Directory domain join flow

Moved the call to the D-Bus service out of EnrollmentScreenHandler into
EnrollmentScreen. Needed because EnrollmentScreen implements
ActiveDirectoryJoinDelegate. A future CL will use that to provide the dm token
to the D-Bus service and to use the configuration seed coming from the DM server.

BUG=chromium:829361,chromium:809914

Cq-Include-Trybots: master.tryserver.chromium.linux:closure_compilation
Change-Id: I606d974e3461c802b37ff88ec0658f910a3953f5
Reviewed-on: https://chromium-review.googlesource.com/1004954
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551309}
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/chromeos/login/enrollment/enrollment_screen.h
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/chromeos/login/enrollment/enrollment_screen_view.h
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/chromeos/login/enrollment/mock_enrollment_screen.h
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/resources/chromeos/login/oobe_screen_oauth_enrollment.js
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.cc
[modify] https://crrev.com/c026bc840d42e3928b8a9555546b1893b16da914/chrome/browser/ui/webui/chromeos/login/enrollment_screen_handler.h

Project Member

Comment 7 by bugdroid1@chromium.org, Apr 17 2018

Labels: merge-merged-testbranch
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/99a8d795549e363a355f3b0e090d2aad761b58d3


Project Member

Comment 8 by bugdroid1@chromium.org, May 2 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7fa584f704016a7cabc3caa7e2b70d1c47051e5e

commit 7fa584f704016a7cabc3caa7e2b70d1c47051e5e
Author: Roman Sorokin <rsorokin@chromium.org>
Date: Wed May 02 12:33:34 2018

Chromad: Send DMToken to authpolicy

Part of the DMTokenStorage elimination effort. DMToken will be stored in
the device policy, same as for cloud management.

BUG=chromium:809914
TEST=existing unit and browsertests

Change-Id: I90c6417399f55d07bbb815db76c365593cfe88e6
Reviewed-on: https://chromium-review.googlesource.com/1019326
Commit-Queue: Roman Sorokin <rsorokin@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Cr-Commit-Position: refs/heads/master@{#555359}
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chrome/browser/chromeos/login/active_directory_login_browsertest.cc
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chrome/browser/chromeos/login/enrollment/enrollment_screen.cc
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chrome/browser/chromeos/login/enrollment/enrollment_screen.h
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chrome/browser/chromeos/login/enterprise_enrollment_browsertest.cc
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chrome/browser/chromeos/policy/active_directory_join_delegate.h
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chromeos/dbus/fake_auth_policy_client.cc
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chromeos/dbus/fake_auth_policy_client.h
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chromeos/login/auth/authpolicy_login_helper.cc
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chromeos/login/auth/authpolicy_login_helper.h
[modify] https://crrev.com/7fa584f704016a7cabc3caa7e2b70d1c47051e5e/chromeos/login/auth/authpolicy_login_helper_unittest.cc

Cc: rsorokin@chromium.org
Labels: -M-67 M-68
Owner: ljusten@chromium.org
Next step would be to handle it on the authpolicy side.

Labels: -Pri-2 -M-68 Pri-3
Ran into some snags.

Labels: backlog
