OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/policy/device_management_policy_provider.h" | 5 #include "chrome/browser/policy/device_management_policy_provider.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/file_util.h" | 8 #include "base/file_util.h" |
9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
10 #include "base/rand_util.h" | 10 #include "base/rand_util.h" |
11 #include "base/task.h" | 11 #include "base/task.h" |
12 #include "chrome/browser/browser_thread.h" | 12 #include "chrome/browser/browser_thread.h" |
13 #include "chrome/browser/profile.h" | 13 #include "chrome/browser/profile.h" |
14 #include "chrome/browser/policy/device_management_backend.h" | 14 #include "chrome/browser/policy/device_management_backend.h" |
15 #include "chrome/browser/policy/device_management_policy_cache.h" | 15 #include "chrome/browser/policy/device_management_policy_cache.h" |
16 #include "chrome/browser/policy/proto/device_management_constants.h" | 16 #include "chrome/browser/policy/proto/device_management_constants.h" |
17 #include "chrome/common/chrome_paths.h" | 17 #include "chrome/common/chrome_paths.h" |
18 #include "chrome/common/chrome_switches.h" | 18 #include "chrome/common/chrome_switches.h" |
19 #include "chrome/common/notification_service.h" | 19 #include "chrome/common/notification_service.h" |
20 #include "chrome/common/notification_type.h" | 20 #include "chrome/common/notification_type.h" |
21 | 21 |
22 namespace policy { | 22 namespace policy { |
23 | 23 |
24 namespace em = enterprise_management; | |
25 | |
26 const int64 kPolicyRefreshRateInMilliseconds = 3 * 60 * 60 * 1000; // 3 hours | 24 const int64 kPolicyRefreshRateInMilliseconds = 3 * 60 * 60 * 1000; // 3 hours |
27 const int64 kPolicyRefreshMaxEarlierInMilliseconds = 20 * 60 * 1000; // 20 mins | 25 const int64 kPolicyRefreshMaxEarlierInMilliseconds = 20 * 60 * 1000; // 20 mins |
28 // These are the base values for delays before retrying after an error. They | 26 // These are the base values for delays before retrying after an error. They |
29 // will be doubled each time they are used. | 27 // will be doubled each time they are used. |
30 const int64 kPolicyRefreshErrorDelayInMilliseconds = 3 * 1000; // 3 seconds | 28 const int64 kPolicyRefreshErrorDelayInMilliseconds = 3 * 1000; // 3 seconds |
31 const int64 kDeviceTokenRefreshErrorDelayInMilliseconds = 3 * 1000; | 29 const int64 kDeviceTokenRefreshErrorDelayInMilliseconds = 3 * 1000; |
32 // For unmanaged devices, check once per day whether they're still unmanaged. | |
33 const int64 kPolicyRefreshUnmanagedDeviceInMilliseconds = 24 * 60 * 60 * 1000; | |
34 | |
35 const char* kDeviceTokenFilename = "Token"; | |
36 const char* kPolicyFilename = "Policy"; | |
37 | 30 |
38 // Ensures that the portion of the policy provider implementation that requires | 31 // Ensures that the portion of the policy provider implementation that requires |
39 // the IOThread is deferred until the IOThread is fully initialized. The policy | 32 // the IOThread is deferred until the IOThread is fully initialized. The policy |
40 // provider posts this task on the UI thread during its constructor, thereby | 33 // provider posts this task on the UI thread during its constructor, thereby |
41 // guaranteeing that the code won't get executed until after the UI and IO | 34 // guaranteeing that the code won't get executed until after the UI and IO |
42 // threads are fully constructed. | 35 // threads are fully constructed. |
43 class DeviceManagementPolicyProvider::InitializeAfterIOThreadExistsTask | 36 class DeviceManagementPolicyProvider::InitializeAfterIOThreadExistsTask |
44 : public Task { | 37 : public Task { |
45 public: | 38 public: |
46 explicit InitializeAfterIOThreadExistsTask( | 39 explicit InitializeAfterIOThreadExistsTask( |
(...skipping 25 matching lines...) Expand all Loading... |
72 } | 65 } |
73 | 66 |
74 private: | 67 private: |
75 base::WeakPtr<DeviceManagementPolicyProvider> provider_; | 68 base::WeakPtr<DeviceManagementPolicyProvider> provider_; |
76 }; | 69 }; |
77 | 70 |
78 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider( | 71 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider( |
79 const ConfigurationPolicyProvider::PolicyDefinitionList* policy_list, | 72 const ConfigurationPolicyProvider::PolicyDefinitionList* policy_list, |
80 DeviceManagementBackend* backend, | 73 DeviceManagementBackend* backend, |
81 Profile* profile) | 74 Profile* profile) |
82 : ConfigurationPolicyProvider(policy_list) { | 75 : ConfigurationPolicyProvider(policy_list), |
83 Initialize(backend, | 76 backend_(backend), |
84 profile, | 77 profile_(profile), |
85 kPolicyRefreshRateInMilliseconds, | 78 storage_dir_(GetOrCreateDeviceManagementDir(profile_->GetPath())), |
86 kPolicyRefreshMaxEarlierInMilliseconds, | 79 policy_request_pending_(false), |
87 kPolicyRefreshErrorDelayInMilliseconds, | 80 refresh_task_pending_(false), |
88 kDeviceTokenRefreshErrorDelayInMilliseconds, | 81 policy_refresh_rate_ms_(kPolicyRefreshRateInMilliseconds), |
89 kPolicyRefreshUnmanagedDeviceInMilliseconds); | 82 policy_refresh_max_earlier_ms_(kPolicyRefreshMaxEarlierInMilliseconds), |
90 } | 83 policy_refresh_error_delay_ms_(kPolicyRefreshErrorDelayInMilliseconds), |
91 | 84 token_fetch_error_delay_ms_(kDeviceTokenRefreshErrorDelayInMilliseconds) { |
92 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider( | 85 Initialize(); |
93 const PolicyDefinitionList* policy_list, | |
94 DeviceManagementBackend* backend, | |
95 Profile* profile, | |
96 int64 policy_refresh_rate_ms, | |
97 int64 policy_refresh_max_earlier_ms, | |
98 int64 policy_refresh_error_delay_ms, | |
99 int64 token_fetch_error_delay_ms, | |
100 int64 unmanaged_device_refresh_rate_ms) | |
101 : ConfigurationPolicyProvider(policy_list) { | |
102 Initialize(backend, | |
103 profile, | |
104 policy_refresh_rate_ms, | |
105 policy_refresh_max_earlier_ms, | |
106 policy_refresh_error_delay_ms, | |
107 token_fetch_error_delay_ms, | |
108 unmanaged_device_refresh_rate_ms); | |
109 } | 86 } |
110 | 87 |
111 DeviceManagementPolicyProvider::~DeviceManagementPolicyProvider() {} | 88 DeviceManagementPolicyProvider::~DeviceManagementPolicyProvider() {} |
112 | 89 |
113 bool DeviceManagementPolicyProvider::Provide( | 90 bool DeviceManagementPolicyProvider::Provide( |
114 ConfigurationPolicyStoreInterface* policy_store) { | 91 ConfigurationPolicyStoreInterface* policy_store) { |
115 scoped_ptr<DictionaryValue> policies(cache_->GetPolicy()); | 92 scoped_ptr<DictionaryValue> policies(cache_->GetPolicy()); |
116 DecodePolicyValueTree(policies.get(), policy_store); | 93 DecodePolicyValueTree(policies.get(), policy_store); |
117 return true; | 94 return true; |
118 } | 95 } |
119 | 96 |
120 void DeviceManagementPolicyProvider::HandlePolicyResponse( | 97 void DeviceManagementPolicyProvider::HandlePolicyResponse( |
121 const em::DevicePolicyResponse& response) { | 98 const em::DevicePolicyResponse& response) { |
122 if (cache_->SetPolicy(response)) | 99 if (cache_->SetPolicy(response)) |
123 NotifyStoreOfPolicyChange(); | 100 NotifyStoreOfPolicyChange(); |
124 policy_request_pending_ = false; | 101 policy_request_pending_ = false; |
125 // Reset the error delay since policy fetching succeeded this time. | 102 // Reset the error delay since policy fetching succeeded this time. |
126 policy_refresh_error_delay_ms_ = kPolicyRefreshErrorDelayInMilliseconds; | 103 policy_refresh_error_delay_ms_ = kPolicyRefreshErrorDelayInMilliseconds; |
127 ScheduleRefreshTask(GetRefreshTaskDelay()); | 104 ScheduleRefreshTask(GetRefreshTaskDelay()); |
128 // Update this provider's internal waiting state, but don't notify anyone | |
129 // else yet (that's done by the PrefValueStore that receives the policy). | |
130 waiting_for_initial_policies_ = false; | |
131 } | 105 } |
132 | 106 |
133 void DeviceManagementPolicyProvider::OnError( | 107 void DeviceManagementPolicyProvider::OnError( |
134 DeviceManagementBackend::ErrorCode code) { | 108 DeviceManagementBackend::ErrorCode code) { |
135 policy_request_pending_ = false; | 109 policy_request_pending_ = false; |
136 if (code == DeviceManagementBackend::kErrorServiceDeviceNotFound || | 110 if (code == DeviceManagementBackend::kErrorServiceDeviceNotFound || |
137 code == DeviceManagementBackend::kErrorServiceManagementTokenInvalid) { | 111 code == DeviceManagementBackend::kErrorServiceManagementTokenInvalid) { |
138 LOG(WARNING) << "The device token was either invalid or unknown to the " | 112 LOG(WARNING) << "The device token was either invalid or unknown to the " |
139 << "device manager, re-registering device."; | 113 << "device manager, re-registering device."; |
140 token_fetcher_->Restart(); | 114 token_fetcher_->Restart(); |
141 } else { | 115 } else { |
142 LOG(WARNING) << "Could not provide policy from the device manager (error = " | 116 LOG(WARNING) << "Could not provide policy from the device manager (error = " |
143 << code << "), will retry in " | 117 << code << "), will retry in " |
144 << (policy_refresh_error_delay_ms_/1000) << " seconds."; | 118 << (policy_refresh_error_delay_ms_/1000) << " seconds."; |
145 ScheduleRefreshTask(policy_refresh_error_delay_ms_); | 119 ScheduleRefreshTask(policy_refresh_error_delay_ms_); |
146 policy_refresh_error_delay_ms_ *= 2; | 120 policy_refresh_error_delay_ms_ *= 2; |
147 if (policy_refresh_rate_ms_ && | 121 if (policy_refresh_rate_ms_ && |
148 policy_refresh_rate_ms_ < policy_refresh_error_delay_ms_) { | 122 policy_refresh_rate_ms_ < policy_refresh_error_delay_ms_) { |
149 policy_refresh_error_delay_ms_ = policy_refresh_rate_ms_; | 123 policy_refresh_error_delay_ms_ = policy_refresh_rate_ms_; |
150 } | 124 } |
151 } | 125 } |
152 StopWaitingForInitialPolicies(); | |
153 } | 126 } |
154 | 127 |
155 void DeviceManagementPolicyProvider::OnTokenSuccess() { | 128 void DeviceManagementPolicyProvider::OnTokenSuccess() { |
156 if (policy_request_pending_) | 129 if (policy_request_pending_) |
157 return; | 130 return; |
158 cache_->SetDeviceUnmanaged(false); | |
159 SendPolicyRequest(); | 131 SendPolicyRequest(); |
160 } | 132 } |
161 | 133 |
162 void DeviceManagementPolicyProvider::OnTokenError() { | 134 void DeviceManagementPolicyProvider::OnTokenError() { |
163 LOG(WARNING) << "Could not retrieve device token."; | 135 LOG(WARNING) << "Could not retrieve device token."; |
164 ScheduleRefreshTask(token_fetch_error_delay_ms_); | 136 ScheduleRefreshTask(token_fetch_error_delay_ms_); |
165 token_fetch_error_delay_ms_ *= 2; | 137 token_fetch_error_delay_ms_ *= 2; |
166 if (token_fetch_error_delay_ms_ > policy_refresh_rate_ms_) | 138 if (token_fetch_error_delay_ms_ > policy_refresh_rate_ms_) |
167 token_fetch_error_delay_ms_ = policy_refresh_rate_ms_; | 139 token_fetch_error_delay_ms_ = policy_refresh_rate_ms_; |
168 StopWaitingForInitialPolicies(); | |
169 } | 140 } |
170 | 141 |
171 void DeviceManagementPolicyProvider::OnNotManaged() { | 142 void DeviceManagementPolicyProvider::OnNotManaged() { |
172 VLOG(1) << "This device is not managed."; | 143 VLOG(1) << "This device is not managed."; |
173 cache_->SetDeviceUnmanaged(true); | |
174 ScheduleRefreshTask(unmanaged_device_refresh_rate_ms_); | |
175 StopWaitingForInitialPolicies(); | |
176 } | 144 } |
177 | 145 |
178 void DeviceManagementPolicyProvider::Shutdown() { | 146 void DeviceManagementPolicyProvider::Shutdown() { |
179 profile_ = NULL; | 147 profile_ = NULL; |
180 if (token_fetcher_) | 148 if (token_fetcher_) |
181 token_fetcher_->Shutdown(); | 149 token_fetcher_->Shutdown(); |
182 } | 150 } |
183 | 151 |
184 void DeviceManagementPolicyProvider::Initialize( | 152 void DeviceManagementPolicyProvider::Initialize() { |
185 DeviceManagementBackend* backend, | |
186 Profile* profile, | |
187 int64 policy_refresh_rate_ms, | |
188 int64 policy_refresh_max_earlier_ms, | |
189 int64 policy_refresh_error_delay_ms, | |
190 int64 token_fetch_error_delay_ms, | |
191 int64 unmanaged_device_refresh_rate_ms) { | |
192 backend_.reset(backend); | |
193 profile_ = profile; | |
194 storage_dir_ = GetOrCreateDeviceManagementDir(profile_->GetPath()); | |
195 policy_request_pending_ = false; | |
196 refresh_task_pending_ = false; | |
197 waiting_for_initial_policies_ = true; | |
198 policy_refresh_rate_ms_ = policy_refresh_rate_ms; | |
199 policy_refresh_max_earlier_ms_ = policy_refresh_max_earlier_ms; | |
200 policy_refresh_error_delay_ms_ = policy_refresh_error_delay_ms; | |
201 token_fetch_error_delay_ms_ = token_fetch_error_delay_ms; | |
202 unmanaged_device_refresh_rate_ms_ = unmanaged_device_refresh_rate_ms; | |
203 | |
204 const FilePath policy_path = storage_dir_.Append( | 153 const FilePath policy_path = storage_dir_.Append( |
205 FILE_PATH_LITERAL("Policy")); | 154 FILE_PATH_LITERAL("Policy")); |
206 cache_.reset(new DeviceManagementPolicyCache(policy_path)); | 155 cache_.reset(new DeviceManagementPolicyCache(policy_path)); |
207 cache_->LoadPolicyFromFile(); | 156 cache_->LoadPolicyFromFile(); |
208 | 157 |
209 if (cache_->is_device_unmanaged()) { | 158 // Defer initialization that requires the IOThread until after the IOThread |
210 // This is a non-first login on an unmanaged device. | 159 // has been initialized. |
211 waiting_for_initial_policies_ = false; | 160 BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, |
212 // Defer token_fetcher_ initialization until this device should ask for | 161 new InitializeAfterIOThreadExistsTask(AsWeakPtr())); |
213 // a device token again. | |
214 base::Time unmanaged_timestamp = cache_->last_policy_refresh_time(); | |
215 int64 delay = unmanaged_device_refresh_rate_ms_ - | |
216 (base::Time::NowFromSystemTime().ToInternalValue() - | |
217 unmanaged_timestamp.ToInternalValue()); | |
218 if (delay < 0) | |
219 delay = 0; | |
220 BrowserThread::PostDelayedTask( | |
221 BrowserThread::UI, FROM_HERE, | |
222 new InitializeAfterIOThreadExistsTask(AsWeakPtr()), | |
223 delay); | |
224 } else { | |
225 if (file_util::PathExists( | |
226 storage_dir_.Append(FILE_PATH_LITERAL(kDeviceTokenFilename)))) { | |
227 // This is a non-first login on a managed device. | |
228 waiting_for_initial_policies_ = false; | |
229 } | |
230 // Defer initialization that requires the IOThread until after the IOThread | |
231 // has been initialized. | |
232 BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, | |
233 new InitializeAfterIOThreadExistsTask(AsWeakPtr())); | |
234 } | |
235 } | 162 } |
236 | 163 |
237 void DeviceManagementPolicyProvider::InitializeAfterIOThreadExists() { | 164 void DeviceManagementPolicyProvider::InitializeAfterIOThreadExists() { |
238 if (profile_) { | 165 if (profile_) { |
239 if (!token_fetcher_) { | 166 if (!token_fetcher_) { |
240 token_fetcher_ = new DeviceTokenFetcher( | 167 token_fetcher_ = new DeviceTokenFetcher( |
241 backend_.get(), profile_, GetTokenPath()); | 168 backend_.get(), profile_, GetTokenPath()); |
242 } | 169 } |
243 registrar_.Init(token_fetcher_); | 170 registrar_.Init(token_fetcher_); |
244 registrar_.AddObserver(this); | 171 registrar_.AddObserver(this); |
245 token_fetcher_->StartFetching(); | 172 token_fetcher_->StartFetching(); |
246 } | 173 } |
247 } | 174 } |
248 | 175 |
249 void DeviceManagementPolicyProvider::SendPolicyRequest() { | 176 void DeviceManagementPolicyProvider::SendPolicyRequest() { |
250 if (policy_request_pending_) | 177 if (!policy_request_pending_) { |
251 return; | 178 policy_request_pending_ = true; |
252 | 179 em::DevicePolicyRequest policy_request; |
253 policy_request_pending_ = true; | 180 policy_request.set_policy_scope(kChromePolicyScope); |
254 em::DevicePolicyRequest policy_request; | 181 em::DevicePolicySettingRequest* setting = |
255 policy_request.set_policy_scope(kChromePolicyScope); | 182 policy_request.add_setting_request(); |
256 em::DevicePolicySettingRequest* setting = | 183 setting->set_key(kChromeDevicePolicySettingKey); |
257 policy_request.add_setting_request(); | 184 setting->set_watermark(""); |
258 setting->set_key(kChromeDevicePolicySettingKey); | 185 backend_->ProcessPolicyRequest(token_fetcher_->GetDeviceToken(), |
259 setting->set_watermark(""); | 186 token_fetcher_->GetDeviceID(), |
260 backend_->ProcessPolicyRequest(token_fetcher_->GetDeviceToken(), | 187 policy_request, this); |
261 token_fetcher_->GetDeviceID(), | 188 } |
262 policy_request, this); | |
263 } | 189 } |
264 | 190 |
265 void DeviceManagementPolicyProvider::RefreshTaskExecute() { | 191 void DeviceManagementPolicyProvider::RefreshTaskExecute() { |
266 DCHECK(refresh_task_pending_); | 192 DCHECK(refresh_task_pending_); |
267 refresh_task_pending_ = false; | 193 refresh_task_pending_ = false; |
268 // If there is no valid device token, the token_fetcher_ apparently failed, | 194 // If there is no valid device token, the token_fetcher_ apparently failed, |
269 // so it must be restarted. | 195 // so it must be restarted. |
270 if (!token_fetcher_->IsTokenValid()) { | 196 if (!token_fetcher_->IsTokenValid()) { |
271 if (token_fetcher_->IsTokenPending()) { | 197 if (token_fetcher_->IsTokenPending()) { |
272 NOTREACHED(); | 198 NOTREACHED(); |
(...skipping 29 matching lines...) Expand all Loading... |
302 FilePath DeviceManagementPolicyProvider::GetTokenPath() { | 228 FilePath DeviceManagementPolicyProvider::GetTokenPath() { |
303 return storage_dir_.Append(FILE_PATH_LITERAL("Token")); | 229 return storage_dir_.Append(FILE_PATH_LITERAL("Token")); |
304 } | 230 } |
305 | 231 |
306 void DeviceManagementPolicyProvider::SetDeviceTokenFetcher( | 232 void DeviceManagementPolicyProvider::SetDeviceTokenFetcher( |
307 DeviceTokenFetcher* token_fetcher) { | 233 DeviceTokenFetcher* token_fetcher) { |
308 DCHECK(!token_fetcher_); | 234 DCHECK(!token_fetcher_); |
309 token_fetcher_ = token_fetcher; | 235 token_fetcher_ = token_fetcher; |
310 } | 236 } |
311 | 237 |
312 void DeviceManagementPolicyProvider::StopWaitingForInitialPolicies() { | |
313 waiting_for_initial_policies_ = false; | |
314 // Send a CLOUD_POLICY_UPDATE notification to unblock ChromeOS logins that | |
315 // are waiting for an initial policy fetch to complete. | |
316 NotifyCloudPolicyUpdate(); | |
317 } | |
318 | |
319 void DeviceManagementPolicyProvider::NotifyCloudPolicyUpdate() const { | |
320 NotificationService::current()->Notify( | |
321 NotificationType::CLOUD_POLICY_UPDATE, | |
322 Source<DeviceManagementPolicyProvider>(this), | |
323 NotificationService::NoDetails()); | |
324 } | |
325 | |
326 // static | 238 // static |
327 std::string DeviceManagementPolicyProvider::GetDeviceManagementURL() { | 239 std::string DeviceManagementPolicyProvider::GetDeviceManagementURL() { |
328 return CommandLine::ForCurrentProcess()->GetSwitchValueASCII( | 240 return CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |
329 switches::kDeviceManagementUrl); | 241 switches::kDeviceManagementUrl); |
330 } | 242 } |
331 | 243 |
332 // static | 244 // static |
333 FilePath DeviceManagementPolicyProvider::GetOrCreateDeviceManagementDir( | 245 FilePath DeviceManagementPolicyProvider::GetOrCreateDeviceManagementDir( |
334 const FilePath& user_data_dir) { | 246 const FilePath& user_data_dir) { |
335 const FilePath device_management_dir = user_data_dir.Append( | 247 const FilePath device_management_dir = user_data_dir.Append( |
336 FILE_PATH_LITERAL("Device Management")); | 248 FILE_PATH_LITERAL("Device Management")); |
337 if (!file_util::DirectoryExists(device_management_dir)) { | 249 if (!file_util::DirectoryExists(device_management_dir)) { |
338 if (!file_util::CreateDirectory(device_management_dir)) | 250 if (!file_util::CreateDirectory(device_management_dir)) |
339 NOTREACHED(); | 251 NOTREACHED(); |
340 } | 252 } |
341 return device_management_dir; | 253 return device_management_dir; |
342 } | 254 } |
343 | 255 |
344 } // namespace policy | 256 } // namespace policy |
OLD | NEW |