OLD | NEW |
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2010 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/policy/device_management_policy_provider.h" | 5 #include "chrome/browser/policy/device_management_policy_provider.h" |
6 | 6 |
7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
8 #include "base/file_util.h" | 8 #include "base/file_util.h" |
9 #include "base/path_service.h" | 9 #include "base/path_service.h" |
10 #include "base/rand_util.h" | 10 #include "base/rand_util.h" |
11 #include "base/task.h" | 11 #include "base/task.h" |
12 #include "chrome/browser/browser_thread.h" | 12 #include "chrome/browser/browser_thread.h" |
13 #include "chrome/browser/profile.h" | 13 #include "chrome/browser/profile.h" |
14 #include "chrome/browser/policy/device_management_backend.h" | 14 #include "chrome/browser/policy/device_management_backend.h" |
15 #include "chrome/browser/policy/device_management_policy_cache.h" | 15 #include "chrome/browser/policy/device_management_policy_cache.h" |
16 #include "chrome/browser/policy/proto/device_management_constants.h" | 16 #include "chrome/browser/policy/proto/device_management_constants.h" |
17 #include "chrome/common/chrome_paths.h" | 17 #include "chrome/common/chrome_paths.h" |
18 #include "chrome/common/chrome_switches.h" | 18 #include "chrome/common/chrome_switches.h" |
19 #include "chrome/common/notification_service.h" | 19 #include "chrome/common/notification_service.h" |
20 #include "chrome/common/notification_type.h" | 20 #include "chrome/common/notification_type.h" |
21 | 21 |
22 namespace policy { | 22 namespace policy { |
23 | 23 |
| 24 namespace em = enterprise_management; |
| 25 |
24 const int64 kPolicyRefreshRateInMilliseconds = 3 * 60 * 60 * 1000; // 3 hours | 26 const int64 kPolicyRefreshRateInMilliseconds = 3 * 60 * 60 * 1000; // 3 hours |
25 const int64 kPolicyRefreshMaxEarlierInMilliseconds = 20 * 60 * 1000; // 20 mins | 27 const int64 kPolicyRefreshMaxEarlierInMilliseconds = 20 * 60 * 1000; // 20 mins |
26 // These are the base values for delays before retrying after an error. They | 28 // These are the base values for delays before retrying after an error. They |
27 // will be doubled each time they are used. | 29 // will be doubled each time they are used. |
28 const int64 kPolicyRefreshErrorDelayInMilliseconds = 3 * 1000; // 3 seconds | 30 const int64 kPolicyRefreshErrorDelayInMilliseconds = 3 * 1000; // 3 seconds |
29 const int64 kDeviceTokenRefreshErrorDelayInMilliseconds = 3 * 1000; | 31 const int64 kDeviceTokenRefreshErrorDelayInMilliseconds = 3 * 1000; |
| 32 // For unmanaged devices, check once per day whether they're still unmanaged. |
| 33 const int64 kPolicyRefreshUnmanagedDeviceInMilliseconds = 24 * 60 * 60 * 1000; |
| 34 |
| 35 const FilePath::StringType kDeviceTokenFilename = FILE_PATH_LITERAL("Token"); |
| 36 const FilePath::StringType kPolicyFilename = FILE_PATH_LITERAL("Policy"); |
30 | 37 |
31 // Ensures that the portion of the policy provider implementation that requires | 38 // Ensures that the portion of the policy provider implementation that requires |
32 // the IOThread is deferred until the IOThread is fully initialized. The policy | 39 // the IOThread is deferred until the IOThread is fully initialized. The policy |
33 // provider posts this task on the UI thread during its constructor, thereby | 40 // provider posts this task on the UI thread during its constructor, thereby |
34 // guaranteeing that the code won't get executed until after the UI and IO | 41 // guaranteeing that the code won't get executed until after the UI and IO |
35 // threads are fully constructed. | 42 // threads are fully constructed. |
36 class DeviceManagementPolicyProvider::InitializeAfterIOThreadExistsTask | 43 class DeviceManagementPolicyProvider::InitializeAfterIOThreadExistsTask |
37 : public Task { | 44 : public Task { |
38 public: | 45 public: |
39 explicit InitializeAfterIOThreadExistsTask( | 46 explicit InitializeAfterIOThreadExistsTask( |
(...skipping 25 matching lines...) Expand all Loading... |
65 } | 72 } |
66 | 73 |
67 private: | 74 private: |
68 base::WeakPtr<DeviceManagementPolicyProvider> provider_; | 75 base::WeakPtr<DeviceManagementPolicyProvider> provider_; |
69 }; | 76 }; |
70 | 77 |
71 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider( | 78 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider( |
72 const ConfigurationPolicyProvider::PolicyDefinitionList* policy_list, | 79 const ConfigurationPolicyProvider::PolicyDefinitionList* policy_list, |
73 DeviceManagementBackend* backend, | 80 DeviceManagementBackend* backend, |
74 Profile* profile) | 81 Profile* profile) |
75 : ConfigurationPolicyProvider(policy_list), | 82 : ConfigurationPolicyProvider(policy_list) { |
76 backend_(backend), | 83 Initialize(backend, |
77 profile_(profile), | 84 profile, |
78 storage_dir_(GetOrCreateDeviceManagementDir(profile_->GetPath())), | 85 kPolicyRefreshRateInMilliseconds, |
79 policy_request_pending_(false), | 86 kPolicyRefreshMaxEarlierInMilliseconds, |
80 refresh_task_pending_(false), | 87 kPolicyRefreshErrorDelayInMilliseconds, |
81 policy_refresh_rate_ms_(kPolicyRefreshRateInMilliseconds), | 88 kDeviceTokenRefreshErrorDelayInMilliseconds, |
82 policy_refresh_max_earlier_ms_(kPolicyRefreshMaxEarlierInMilliseconds), | 89 kPolicyRefreshUnmanagedDeviceInMilliseconds); |
83 policy_refresh_error_delay_ms_(kPolicyRefreshErrorDelayInMilliseconds), | 90 } |
84 token_fetch_error_delay_ms_(kDeviceTokenRefreshErrorDelayInMilliseconds) { | 91 |
85 Initialize(); | 92 DeviceManagementPolicyProvider::DeviceManagementPolicyProvider( |
| 93 const PolicyDefinitionList* policy_list, |
| 94 DeviceManagementBackend* backend, |
| 95 Profile* profile, |
| 96 int64 policy_refresh_rate_ms, |
| 97 int64 policy_refresh_max_earlier_ms, |
| 98 int64 policy_refresh_error_delay_ms, |
| 99 int64 token_fetch_error_delay_ms, |
| 100 int64 unmanaged_device_refresh_rate_ms) |
| 101 : ConfigurationPolicyProvider(policy_list) { |
| 102 Initialize(backend, |
| 103 profile, |
| 104 policy_refresh_rate_ms, |
| 105 policy_refresh_max_earlier_ms, |
| 106 policy_refresh_error_delay_ms, |
| 107 token_fetch_error_delay_ms, |
| 108 unmanaged_device_refresh_rate_ms); |
86 } | 109 } |
87 | 110 |
88 DeviceManagementPolicyProvider::~DeviceManagementPolicyProvider() {} | 111 DeviceManagementPolicyProvider::~DeviceManagementPolicyProvider() {} |
89 | 112 |
90 bool DeviceManagementPolicyProvider::Provide( | 113 bool DeviceManagementPolicyProvider::Provide( |
91 ConfigurationPolicyStoreInterface* policy_store) { | 114 ConfigurationPolicyStoreInterface* policy_store) { |
92 scoped_ptr<DictionaryValue> policies(cache_->GetPolicy()); | 115 scoped_ptr<DictionaryValue> policies(cache_->GetPolicy()); |
93 DecodePolicyValueTree(policies.get(), policy_store); | 116 DecodePolicyValueTree(policies.get(), policy_store); |
94 return true; | 117 return true; |
95 } | 118 } |
96 | 119 |
97 void DeviceManagementPolicyProvider::HandlePolicyResponse( | 120 void DeviceManagementPolicyProvider::HandlePolicyResponse( |
98 const em::DevicePolicyResponse& response) { | 121 const em::DevicePolicyResponse& response) { |
99 if (cache_->SetPolicy(response)) | 122 if (cache_->SetPolicy(response)) |
100 NotifyStoreOfPolicyChange(); | 123 NotifyStoreOfPolicyChange(); |
101 policy_request_pending_ = false; | 124 policy_request_pending_ = false; |
102 // Reset the error delay since policy fetching succeeded this time. | 125 // Reset the error delay since policy fetching succeeded this time. |
103 policy_refresh_error_delay_ms_ = kPolicyRefreshErrorDelayInMilliseconds; | 126 policy_refresh_error_delay_ms_ = kPolicyRefreshErrorDelayInMilliseconds; |
104 ScheduleRefreshTask(GetRefreshTaskDelay()); | 127 ScheduleRefreshTask(GetRefreshTaskDelay()); |
| 128 // Update this provider's internal waiting state, but don't notify anyone |
| 129 // else yet (that's done by the PrefValueStore that receives the policy). |
| 130 waiting_for_initial_policies_ = false; |
105 } | 131 } |
106 | 132 |
107 void DeviceManagementPolicyProvider::OnError( | 133 void DeviceManagementPolicyProvider::OnError( |
108 DeviceManagementBackend::ErrorCode code) { | 134 DeviceManagementBackend::ErrorCode code) { |
109 policy_request_pending_ = false; | 135 policy_request_pending_ = false; |
110 if (code == DeviceManagementBackend::kErrorServiceDeviceNotFound || | 136 if (code == DeviceManagementBackend::kErrorServiceDeviceNotFound || |
111 code == DeviceManagementBackend::kErrorServiceManagementTokenInvalid) { | 137 code == DeviceManagementBackend::kErrorServiceManagementTokenInvalid) { |
112 LOG(WARNING) << "The device token was either invalid or unknown to the " | 138 LOG(WARNING) << "The device token was either invalid or unknown to the " |
113 << "device manager, re-registering device."; | 139 << "device manager, re-registering device."; |
114 token_fetcher_->Restart(); | 140 token_fetcher_->Restart(); |
115 } else { | 141 } else { |
116 LOG(WARNING) << "Could not provide policy from the device manager (error = " | 142 LOG(WARNING) << "Could not provide policy from the device manager (error = " |
117 << code << "), will retry in " | 143 << code << "), will retry in " |
118 << (policy_refresh_error_delay_ms_/1000) << " seconds."; | 144 << (policy_refresh_error_delay_ms_/1000) << " seconds."; |
119 ScheduleRefreshTask(policy_refresh_error_delay_ms_); | 145 ScheduleRefreshTask(policy_refresh_error_delay_ms_); |
120 policy_refresh_error_delay_ms_ *= 2; | 146 policy_refresh_error_delay_ms_ *= 2; |
121 if (policy_refresh_rate_ms_ && | 147 if (policy_refresh_rate_ms_ && |
122 policy_refresh_rate_ms_ < policy_refresh_error_delay_ms_) { | 148 policy_refresh_rate_ms_ < policy_refresh_error_delay_ms_) { |
123 policy_refresh_error_delay_ms_ = policy_refresh_rate_ms_; | 149 policy_refresh_error_delay_ms_ = policy_refresh_rate_ms_; |
124 } | 150 } |
125 } | 151 } |
| 152 StopWaitingForInitialPolicies(); |
126 } | 153 } |
127 | 154 |
128 void DeviceManagementPolicyProvider::OnTokenSuccess() { | 155 void DeviceManagementPolicyProvider::OnTokenSuccess() { |
129 if (policy_request_pending_) | 156 if (policy_request_pending_) |
130 return; | 157 return; |
| 158 cache_->SetDeviceUnmanaged(false); |
131 SendPolicyRequest(); | 159 SendPolicyRequest(); |
132 } | 160 } |
133 | 161 |
134 void DeviceManagementPolicyProvider::OnTokenError() { | 162 void DeviceManagementPolicyProvider::OnTokenError() { |
135 LOG(WARNING) << "Could not retrieve device token."; | 163 LOG(WARNING) << "Could not retrieve device token."; |
136 ScheduleRefreshTask(token_fetch_error_delay_ms_); | 164 ScheduleRefreshTask(token_fetch_error_delay_ms_); |
137 token_fetch_error_delay_ms_ *= 2; | 165 token_fetch_error_delay_ms_ *= 2; |
138 if (token_fetch_error_delay_ms_ > policy_refresh_rate_ms_) | 166 if (token_fetch_error_delay_ms_ > policy_refresh_rate_ms_) |
139 token_fetch_error_delay_ms_ = policy_refresh_rate_ms_; | 167 token_fetch_error_delay_ms_ = policy_refresh_rate_ms_; |
| 168 StopWaitingForInitialPolicies(); |
140 } | 169 } |
141 | 170 |
142 void DeviceManagementPolicyProvider::OnNotManaged() { | 171 void DeviceManagementPolicyProvider::OnNotManaged() { |
143 VLOG(1) << "This device is not managed."; | 172 VLOG(1) << "This device is not managed."; |
| 173 cache_->SetDeviceUnmanaged(true); |
| 174 ScheduleRefreshTask(unmanaged_device_refresh_rate_ms_); |
| 175 StopWaitingForInitialPolicies(); |
144 } | 176 } |
145 | 177 |
146 void DeviceManagementPolicyProvider::Shutdown() { | 178 void DeviceManagementPolicyProvider::Shutdown() { |
147 profile_ = NULL; | 179 profile_ = NULL; |
148 if (token_fetcher_) | 180 if (token_fetcher_) |
149 token_fetcher_->Shutdown(); | 181 token_fetcher_->Shutdown(); |
150 } | 182 } |
151 | 183 |
152 void DeviceManagementPolicyProvider::Initialize() { | 184 void DeviceManagementPolicyProvider::Initialize( |
153 const FilePath policy_path = storage_dir_.Append( | 185 DeviceManagementBackend* backend, |
154 FILE_PATH_LITERAL("Policy")); | 186 Profile* profile, |
| 187 int64 policy_refresh_rate_ms, |
| 188 int64 policy_refresh_max_earlier_ms, |
| 189 int64 policy_refresh_error_delay_ms, |
| 190 int64 token_fetch_error_delay_ms, |
| 191 int64 unmanaged_device_refresh_rate_ms) { |
| 192 backend_.reset(backend); |
| 193 profile_ = profile; |
| 194 storage_dir_ = GetOrCreateDeviceManagementDir(profile_->GetPath()); |
| 195 policy_request_pending_ = false; |
| 196 refresh_task_pending_ = false; |
| 197 waiting_for_initial_policies_ = true; |
| 198 policy_refresh_rate_ms_ = policy_refresh_rate_ms; |
| 199 policy_refresh_max_earlier_ms_ = policy_refresh_max_earlier_ms; |
| 200 policy_refresh_error_delay_ms_ = policy_refresh_error_delay_ms; |
| 201 token_fetch_error_delay_ms_ = token_fetch_error_delay_ms; |
| 202 unmanaged_device_refresh_rate_ms_ = unmanaged_device_refresh_rate_ms; |
| 203 |
| 204 const FilePath policy_path = storage_dir_.Append(kPolicyFilename); |
155 cache_.reset(new DeviceManagementPolicyCache(policy_path)); | 205 cache_.reset(new DeviceManagementPolicyCache(policy_path)); |
156 cache_->LoadPolicyFromFile(); | 206 cache_->LoadPolicyFromFile(); |
157 | 207 |
158 // Defer initialization that requires the IOThread until after the IOThread | 208 if (cache_->is_device_unmanaged()) { |
159 // has been initialized. | 209 // This is a non-first login on an unmanaged device. |
160 BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, | 210 waiting_for_initial_policies_ = false; |
161 new InitializeAfterIOThreadExistsTask(AsWeakPtr())); | 211 // Defer token_fetcher_ initialization until this device should ask for |
| 212 // a device token again. |
| 213 base::Time unmanaged_timestamp = cache_->last_policy_refresh_time(); |
| 214 int64 delay = unmanaged_device_refresh_rate_ms_ - |
| 215 (base::Time::NowFromSystemTime().ToInternalValue() - |
| 216 unmanaged_timestamp.ToInternalValue()); |
| 217 if (delay < 0) |
| 218 delay = 0; |
| 219 BrowserThread::PostDelayedTask( |
| 220 BrowserThread::UI, FROM_HERE, |
| 221 new InitializeAfterIOThreadExistsTask(AsWeakPtr()), |
| 222 delay); |
| 223 } else { |
| 224 if (file_util::PathExists( |
| 225 storage_dir_.Append(kDeviceTokenFilename))) { |
| 226 // This is a non-first login on a managed device. |
| 227 waiting_for_initial_policies_ = false; |
| 228 } |
| 229 // Defer initialization that requires the IOThread until after the IOThread |
| 230 // has been initialized. |
| 231 BrowserThread::PostTask(BrowserThread::UI, FROM_HERE, |
| 232 new InitializeAfterIOThreadExistsTask(AsWeakPtr())); |
| 233 } |
162 } | 234 } |
163 | 235 |
164 void DeviceManagementPolicyProvider::InitializeAfterIOThreadExists() { | 236 void DeviceManagementPolicyProvider::InitializeAfterIOThreadExists() { |
165 if (profile_) { | 237 if (profile_) { |
166 if (!token_fetcher_) { | 238 if (!token_fetcher_) { |
167 token_fetcher_ = new DeviceTokenFetcher( | 239 token_fetcher_ = new DeviceTokenFetcher( |
168 backend_.get(), profile_, GetTokenPath()); | 240 backend_.get(), profile_, GetTokenPath()); |
169 } | 241 } |
170 registrar_.Init(token_fetcher_); | 242 registrar_.Init(token_fetcher_); |
171 registrar_.AddObserver(this); | 243 registrar_.AddObserver(this); |
172 token_fetcher_->StartFetching(); | 244 token_fetcher_->StartFetching(); |
173 } | 245 } |
174 } | 246 } |
175 | 247 |
176 void DeviceManagementPolicyProvider::SendPolicyRequest() { | 248 void DeviceManagementPolicyProvider::SendPolicyRequest() { |
177 if (!policy_request_pending_) { | 249 if (policy_request_pending_) |
178 policy_request_pending_ = true; | 250 return; |
179 em::DevicePolicyRequest policy_request; | 251 |
180 policy_request.set_policy_scope(kChromePolicyScope); | 252 policy_request_pending_ = true; |
181 em::DevicePolicySettingRequest* setting = | 253 em::DevicePolicyRequest policy_request; |
182 policy_request.add_setting_request(); | 254 policy_request.set_policy_scope(kChromePolicyScope); |
183 setting->set_key(kChromeDevicePolicySettingKey); | 255 em::DevicePolicySettingRequest* setting = |
184 setting->set_watermark(""); | 256 policy_request.add_setting_request(); |
185 backend_->ProcessPolicyRequest(token_fetcher_->GetDeviceToken(), | 257 setting->set_key(kChromeDevicePolicySettingKey); |
186 token_fetcher_->GetDeviceID(), | 258 setting->set_watermark(""); |
187 policy_request, this); | 259 backend_->ProcessPolicyRequest(token_fetcher_->GetDeviceToken(), |
188 } | 260 token_fetcher_->GetDeviceID(), |
| 261 policy_request, this); |
189 } | 262 } |
190 | 263 |
191 void DeviceManagementPolicyProvider::RefreshTaskExecute() { | 264 void DeviceManagementPolicyProvider::RefreshTaskExecute() { |
192 DCHECK(refresh_task_pending_); | 265 DCHECK(refresh_task_pending_); |
193 refresh_task_pending_ = false; | 266 refresh_task_pending_ = false; |
194 // If there is no valid device token, the token_fetcher_ apparently failed, | 267 // If there is no valid device token, the token_fetcher_ apparently failed, |
195 // so it must be restarted. | 268 // so it must be restarted. |
196 if (!token_fetcher_->IsTokenValid()) { | 269 if (!token_fetcher_->IsTokenValid()) { |
197 if (token_fetcher_->IsTokenPending()) { | 270 if (token_fetcher_->IsTokenPending()) { |
198 NOTREACHED(); | 271 NOTREACHED(); |
(...skipping 20 matching lines...) Expand all Loading... |
219 } | 292 } |
220 | 293 |
221 int64 DeviceManagementPolicyProvider::GetRefreshTaskDelay() { | 294 int64 DeviceManagementPolicyProvider::GetRefreshTaskDelay() { |
222 int64 delay = policy_refresh_rate_ms_; | 295 int64 delay = policy_refresh_rate_ms_; |
223 if (policy_refresh_max_earlier_ms_) | 296 if (policy_refresh_max_earlier_ms_) |
224 delay -= base::RandGenerator(policy_refresh_max_earlier_ms_); | 297 delay -= base::RandGenerator(policy_refresh_max_earlier_ms_); |
225 return delay; | 298 return delay; |
226 } | 299 } |
227 | 300 |
228 FilePath DeviceManagementPolicyProvider::GetTokenPath() { | 301 FilePath DeviceManagementPolicyProvider::GetTokenPath() { |
229 return storage_dir_.Append(FILE_PATH_LITERAL("Token")); | 302 return storage_dir_.Append(kDeviceTokenFilename); |
230 } | 303 } |
231 | 304 |
232 void DeviceManagementPolicyProvider::SetDeviceTokenFetcher( | 305 void DeviceManagementPolicyProvider::SetDeviceTokenFetcher( |
233 DeviceTokenFetcher* token_fetcher) { | 306 DeviceTokenFetcher* token_fetcher) { |
234 DCHECK(!token_fetcher_); | 307 DCHECK(!token_fetcher_); |
235 token_fetcher_ = token_fetcher; | 308 token_fetcher_ = token_fetcher; |
236 } | 309 } |
237 | 310 |
| 311 void DeviceManagementPolicyProvider::StopWaitingForInitialPolicies() { |
| 312 waiting_for_initial_policies_ = false; |
| 313 // Send a CLOUD_POLICY_UPDATE notification to unblock ChromeOS logins that |
| 314 // are waiting for an initial policy fetch to complete. |
| 315 NotifyCloudPolicyUpdate(); |
| 316 } |
| 317 |
| 318 void DeviceManagementPolicyProvider::NotifyCloudPolicyUpdate() const { |
| 319 NotificationService::current()->Notify( |
| 320 NotificationType::CLOUD_POLICY_UPDATE, |
| 321 Source<DeviceManagementPolicyProvider>(this), |
| 322 NotificationService::NoDetails()); |
| 323 } |
| 324 |
238 // static | 325 // static |
239 std::string DeviceManagementPolicyProvider::GetDeviceManagementURL() { | 326 std::string DeviceManagementPolicyProvider::GetDeviceManagementURL() { |
240 return CommandLine::ForCurrentProcess()->GetSwitchValueASCII( | 327 return CommandLine::ForCurrentProcess()->GetSwitchValueASCII( |
241 switches::kDeviceManagementUrl); | 328 switches::kDeviceManagementUrl); |
242 } | 329 } |
243 | 330 |
244 // static | 331 // static |
245 FilePath DeviceManagementPolicyProvider::GetOrCreateDeviceManagementDir( | 332 FilePath DeviceManagementPolicyProvider::GetOrCreateDeviceManagementDir( |
246 const FilePath& user_data_dir) { | 333 const FilePath& user_data_dir) { |
247 const FilePath device_management_dir = user_data_dir.Append( | 334 const FilePath device_management_dir = user_data_dir.Append( |
248 FILE_PATH_LITERAL("Device Management")); | 335 FILE_PATH_LITERAL("Device Management")); |
249 if (!file_util::DirectoryExists(device_management_dir)) { | 336 if (!file_util::DirectoryExists(device_management_dir)) { |
250 if (!file_util::CreateDirectory(device_management_dir)) | 337 if (!file_util::CreateDirectory(device_management_dir)) |
251 NOTREACHED(); | 338 NOTREACHED(); |
252 } | 339 } |
253 return device_management_dir; | 340 return device_management_dir; |
254 } | 341 } |
255 | 342 |
256 } // namespace policy | 343 } // namespace policy |
OLD | NEW |