Persist 'this device is not managed' information

chrome/browser/policy/device_management_policy_provider.cc

 // Copyright (c) 2010 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/device_management_policy_provider.h"
 
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/path_service.h"
 #include "base/rand_util.h"
 #include "base/task.h"
 #include "chrome/browser/browser_thread.h"
 #include "chrome/browser/policy/device_management_backend.h"
 #include "chrome/browser/policy/device_management_policy_cache.h"
 #include "chrome/browser/policy/proto/device_management_constants.h"
+#include "chrome/browser/policy/proto/device_management_local.pb.h"

[Mattias Nissler (ping if slow), 2010/11/26 10:37:45]

do you still need this header?

[Jakob Kummerow, 2010/11/26 11:07:42]

No, I don't. Good catch. Done.

 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/notification_service.h"
 #include "chrome/common/notification_type.h"
 
 namespace policy {
 
+namespace em = enterprise_management;
+
 const int64 kPolicyRefreshRateInMilliseconds = 3 * 60 * 60 * 1000;  // 3 hours
 const int64 kPolicyRefreshMaxEarlierInMilliseconds = 20 * 60 * 1000;  // 20 mins
 // These are the base values for delays before retrying after an error. They
 // will be doubled each time they are used.
 const int64 kPolicyRefreshErrorDelayInMilliseconds = 3 * 1000;  // 3 seconds
 const int64 kDeviceTokenRefreshErrorDelayInMilliseconds = 3 * 1000;
+// For unmanaged devices, check once per day whether they're still unmanaged.
+const int64 kPolicyRefreshUnmanagedDeviceInMilliseconds = 24 * 60 * 60 * 1000;
+
+const char* kDeviceTokenFilename = "Token";
+const char* kPolicyFilename = "Policy";
 
 // Ensures that the portion of the policy provider implementation that requires
 // the IOThread is deferred until the IOThread is fully initialized. The policy
 // provider posts this task on the UI thread during its constructor, thereby
 // guaranteeing that the code won't get executed until after the UI and IO
 // threads are fully constructed.
 class DeviceManagementPolicyProvider::InitializeAfterIOThreadExistsTask
     : public Task {
  public:
   explicit InitializeAfterIOThreadExistsTask(
@@ skipping 26 matching lines @@
 
  private:
   base::WeakPtr<DeviceManagementPolicyProvider> provider_;
 };
 
 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider(
     const ConfigurationPolicyProvider::PolicyDefinitionList* policy_list,
     DeviceManagementBackend* backend,
     TokenService* token_service,
     const FilePath& storage_dir)
-    : ConfigurationPolicyProvider(policy_list),
-      backend_(backend),
-      token_service_(token_service),
-      storage_dir_(GetOrCreateDeviceManagementDir(storage_dir)),
-      policy_request_pending_(false),
-      refresh_task_pending_(false),
-      policy_refresh_rate_ms_(kPolicyRefreshRateInMilliseconds),
-      policy_refresh_max_earlier_ms_(kPolicyRefreshMaxEarlierInMilliseconds),
-      policy_refresh_error_delay_ms_(kPolicyRefreshErrorDelayInMilliseconds),
-      token_fetch_error_delay_ms_(kDeviceTokenRefreshErrorDelayInMilliseconds) {
-  Initialize();
+    : ConfigurationPolicyProvider(policy_list) {
+  Initialize(backend,
+             token_service,
+             storage_dir,
+             kPolicyRefreshRateInMilliseconds,
+             kPolicyRefreshMaxEarlierInMilliseconds,
+             kPolicyRefreshErrorDelayInMilliseconds,
+             kDeviceTokenRefreshErrorDelayInMilliseconds,
+             kPolicyRefreshUnmanagedDeviceInMilliseconds);
+}
+
+DeviceManagementPolicyProvider::DeviceManagementPolicyProvider(
+    const PolicyDefinitionList* policy_list,
+    DeviceManagementBackend* backend,
+    TokenService* token_service,
+    const FilePath& storage_dir,
+    int64 policy_refresh_rate_ms,
+    int64 policy_refresh_max_earlier_ms,
+    int64 policy_refresh_error_delay_ms,
+    int64 token_fetch_error_delay_ms,
+    int64 unmanaged_device_refresh_rate_ms)
+    : ConfigurationPolicyProvider(policy_list) {
+  Initialize(backend,
+             token_service,
+             storage_dir,
+             policy_refresh_rate_ms,
+             policy_refresh_max_earlier_ms,
+             policy_refresh_error_delay_ms,
+             token_fetch_error_delay_ms,
+             unmanaged_device_refresh_rate_ms);
 }
 
 DeviceManagementPolicyProvider::~DeviceManagementPolicyProvider() {}
 
 bool DeviceManagementPolicyProvider::Provide(
     ConfigurationPolicyStoreInterface* policy_store) {
   scoped_ptr<DictionaryValue> policies(cache_->GetPolicy());
   DecodePolicyValueTree(policies.get(), policy_store);
   return true;
 }
 
 void DeviceManagementPolicyProvider::HandlePolicyResponse(
     const em::DevicePolicyResponse& response) {
   if (cache_->SetPolicy(response))
     NotifyStoreOfPolicyChange();
   policy_request_pending_ = false;
   // Reset the error delay since policy fetching succeeded this time.
   policy_refresh_error_delay_ms_ = kPolicyRefreshErrorDelayInMilliseconds;
   ScheduleRefreshTask(GetRefreshTaskDelay());
+  // Update this provider's internal waiting state, but don't notify anyone
+  // else yet (that's done by the PrefValueStore that receives the policy).
+  waiting_for_initial_policies_ = false;
 }
 
 void DeviceManagementPolicyProvider::OnError(
     DeviceManagementBackend::ErrorCode code) {
   policy_request_pending_ = false;
   LOG(WARNING) << "Could not provide policy from the device manager (error = "
                << code << "), will retry in "
                << (policy_refresh_error_delay_ms_/1000) << " seconds.";
   ScheduleRefreshTask(policy_refresh_error_delay_ms_);
   policy_refresh_error_delay_ms_ *= 2;
   if (policy_refresh_rate_ms_ &&
       policy_refresh_rate_ms_ < policy_refresh_error_delay_ms_) {
     policy_refresh_error_delay_ms_ = policy_refresh_rate_ms_;
   }
-#if defined(OS_CHROMEOS)
-  // Send a CLOUD_POLICY_UPDATE notification to unblock ChromeOS logins that
-  // are waiting for an initial policy fetch to complete.
-  NotifyCloudPolicyUpdate();
-#endif
+  StopWaitingForInitialPolicies();
 }
 
-#if defined(OS_CHROMEOS)
-void DeviceManagementPolicyProvider::NotifyCloudPolicyUpdate() const {
-    NotificationService::current()->Notify(
-       NotificationType::CLOUD_POLICY_UPDATE,
-       Source<DeviceManagementPolicyProvider>(this),
-       NotificationService::NoDetails());
-}
-#endif
-
 void DeviceManagementPolicyProvider::OnTokenSuccess() {
-  if (policy_request_pending_)
-    return;
+  cache_->SetDeviceUnmanaged(false);
   SendPolicyRequest();
 }
 
 void DeviceManagementPolicyProvider::OnTokenError() {
   LOG(WARNING) << "Could not retrieve device token.";
   ScheduleRefreshTask(token_fetch_error_delay_ms_);
   token_fetch_error_delay_ms_ *= 2;
   if (token_fetch_error_delay_ms_ > policy_refresh_rate_ms_)
     token_fetch_error_delay_ms_ = policy_refresh_rate_ms_;
+  StopWaitingForInitialPolicies();
 }
 
 void DeviceManagementPolicyProvider::OnNotManaged() {
   VLOG(1) << "This device is not managed.";
+  cache_->SetDeviceUnmanaged(true);
+  ScheduleRefreshTask(unmanaged_device_refresh_rate_ms_);
+  StopWaitingForInitialPolicies();
 }
 
 void DeviceManagementPolicyProvider::Shutdown() {
   token_service_ = NULL;
   if (token_fetcher_)
     token_fetcher_->Shutdown();
 }
 
-void DeviceManagementPolicyProvider::Initialize() {
+void DeviceManagementPolicyProvider::Initialize(
+    DeviceManagementBackend* backend,
+    TokenService* token_service,
+    const FilePath& storage_dir,
+    int64 policy_refresh_rate_ms,
+    int64 policy_refresh_max_earlier_ms,
+    int64 policy_refresh_error_delay_ms,
+    int64 token_fetch_error_delay_ms,
+    int64 unmanaged_device_refresh_rate_ms) {
+  backend_.reset(backend);
+  token_service_ = token_service;
+  storage_dir_ = GetOrCreateDeviceManagementDir(storage_dir);
+  policy_request_pending_ = false;
+  refresh_task_pending_ = false;
+  waiting_for_initial_policies_ = true;
+  policy_refresh_rate_ms_ = policy_refresh_rate_ms;
+  policy_refresh_max_earlier_ms_ = policy_refresh_max_earlier_ms;
+  policy_refresh_error_delay_ms_ = policy_refresh_error_delay_ms;
+  token_fetch_error_delay_ms_ = token_fetch_error_delay_ms;
+  unmanaged_device_refresh_rate_ms_ = unmanaged_device_refresh_rate_ms;
+
   const FilePath policy_path = storage_dir_.Append(
-      FILE_PATH_LITERAL("Policy"));
+      FILE_PATH_LITERAL(kPolicyFilename));
   cache_.reset(new DeviceManagementPolicyCache(policy_path));
   cache_->LoadPolicyFromFile();
-
-  // Defer initialization that requires the IOThread until after the IOThread
-  // has been initialized.
-  BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
-                          new InitializeAfterIOThreadExistsTask(AsWeakPtr()));
+  if (cache_->is_device_unmanaged()) {
+    // This is a non-first login on an unmanaged device.
+    waiting_for_initial_policies_ = false;
+    // Defer token_fetcher_ initialization until this device should ask for
+    // a device token again.
+    base::Time unmanaged_timestamp = cache_->last_policy_refresh_time();
+    int64 delay = unmanaged_device_refresh_rate_ms_ -
+        (base::Time::NowFromSystemTime().ToInternalValue() -
+            unmanaged_timestamp.ToInternalValue());
+    if (delay < 0)
+      delay = 0;
+    BrowserThread::PostDelayedTask(
+        BrowserThread::UI, FROM_HERE,
+        new InitializeAfterIOThreadExistsTask(AsWeakPtr()),
+        delay);
+  } else {
+    if (file_util::PathExists(
+        storage_dir_.Append(FILE_PATH_LITERAL(kDeviceTokenFilename)))) {
+      // This is a non-first login on a managed device.
+      waiting_for_initial_policies_ = false;
+    }

[Mattias Nissler (ping if slow), 2010/11/26 10:37:45]

Why should we check for the file here? Shouldn't we rather ask the cache whether
it has policy available?

[Jakob Kummerow, 2010/11/26 11:07:42]

The idea is that the existence of a device token is a surer sign of being a
managed device than the presence of non-null cached policies (e.g. fetching
policies might have failed even if fetching the token succeeded).

+    // Defer initialization that requires the IOThread until after the IOThread
+    // has been initialized.
+    BrowserThread::PostTask(BrowserThread::UI, FROM_HERE,
+                            new InitializeAfterIOThreadExistsTask(AsWeakPtr()));
+  }
 }
 
 void DeviceManagementPolicyProvider::InitializeAfterIOThreadExists() {
   const FilePath token_path = storage_dir_.Append(
-      FILE_PATH_LITERAL("Token"));
+      FILE_PATH_LITERAL(kDeviceTokenFilename));
   if (token_service_) {
     token_fetcher_ =
         new DeviceTokenFetcher(backend_.get(), token_service_, token_path);
     registrar_.Init(token_fetcher_);
     registrar_.AddObserver(this);
     token_fetcher_->StartFetching();
   }
 }
 
 void DeviceManagementPolicyProvider::SendPolicyRequest() {
-  if (!policy_request_pending_) {
-    policy_request_pending_ = true;
-    em::DevicePolicyRequest policy_request;
-    policy_request.set_policy_scope(kChromePolicyScope);
-    em::DevicePolicySettingRequest* setting =
-        policy_request.add_setting_request();
-    setting->set_key(kChromeDevicePolicySettingKey);
-    backend_->ProcessPolicyRequest(token_fetcher_->GetDeviceToken(),
-                                   token_fetcher_->GetDeviceID(),
-                                   policy_request, this);
-  }
+  if (policy_request_pending_)
+    return;

[Mattias Nissler (ping if slow), 2010/11/26 10:37:45]

I like newlines after early returns, but that's a matter of taste.

[Jakob Kummerow, 2010/11/26 11:07:42]

Done.

+  policy_request_pending_ = true;
+  em::DevicePolicyRequest policy_request;
+  policy_request.set_policy_scope(kChromePolicyScope);
+  em::DevicePolicySettingRequest* setting =
+      policy_request.add_setting_request();
+  setting->set_key(kChromeDevicePolicySettingKey);
+  backend_->ProcessPolicyRequest(token_fetcher_->GetDeviceToken(),
+                                 token_fetcher_->GetDeviceID(),
+                                 policy_request, this);
 }
 
 void DeviceManagementPolicyProvider::RefreshTaskExecute() {
   DCHECK(refresh_task_pending_);
   refresh_task_pending_ = false;
   // If there is no valid device token, the token_fetcher_ apparently failed,
   // so it must be restarted.
   if (!token_fetcher_->IsTokenValid()) {
     if (token_fetcher_->IsTokenPending()) {
       NOTREACHED();
@@ skipping 19 matching lines @@
                                  delay_in_milliseconds);
 }
 
 int64 DeviceManagementPolicyProvider::GetRefreshTaskDelay() {
   int64 delay = policy_refresh_rate_ms_;
   if (policy_refresh_max_earlier_ms_)
     delay -= base::RandGenerator(policy_refresh_max_earlier_ms_);
   return delay;
 }
 
+void DeviceManagementPolicyProvider::StopWaitingForInitialPolicies() {
+  waiting_for_initial_policies_ = false;
+#if defined(OS_CHROMEOS)
+  // Send a CLOUD_POLICY_UPDATE notification to unblock ChromeOS logins that
+  // are waiting for an initial policy fetch to complete.
+  NotifyCloudPolicyUpdate();
+#endif
+}
+
+#if defined(OS_CHROMEOS)
+void DeviceManagementPolicyProvider::NotifyCloudPolicyUpdate() const {
+    NotificationService::current()->Notify(
+       NotificationType::CLOUD_POLICY_UPDATE,
+       Source<DeviceManagementPolicyProvider>(this),
+       NotificationService::NoDetails());
+}
+#endif
+
 // static
 std::string DeviceManagementPolicyProvider::GetDeviceManagementURL() {
   return CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
       switches::kDeviceManagementUrl);
 }
 
 // static
 FilePath DeviceManagementPolicyProvider::GetOrCreateDeviceManagementDir(
     const FilePath& user_data_dir) {
   const FilePath device_management_dir = user_data_dir.Append(
       FILE_PATH_LITERAL("Device Management"));
   if (!file_util::DirectoryExists(device_management_dir)) {
     if (!file_util::CreateDirectory(device_management_dir))
       NOTREACHED();
   }
   return device_management_dir;
 }
 
-bool DeviceManagementPolicyProvider::IsPolicyCacheEmpty() const {
-  return cache_->last_policy_refresh_time().is_null();
-}
-
 bool DeviceManagementPolicyProvider::WaitingForInitialPolicies() const {
-  return (IsPolicyCacheEmpty() && IsPolicyRequestPending());
+  return waiting_for_initial_policies_;

[Mattias Nissler (ping if slow), 2010/11/26 10:37:45]

would this be equivalent to !cache->IsUnmanaged() && cache->HasPolicy()? That
way, we wouldn't have to track the state here explicitly.

[danno, 2010/11/26 10:48:36]

I almost gave the same feedback last time, but nope, it also handes the error
case where the policy fetch fails. 

 }
 
 }  // namespace policy