Chromium Code Reviews Chromium Code Reviews
Issue 6520008:
Device policy infrastructure (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/policy/cloud_policy_cache.h" | 5 #include "chrome/browser/policy/cloud_policy_cache.h" |
| 6 | 6 |
| 7 #include <limits> | 7 #include <limits> |
| 8 | 8 |
| 9 #include "base/file_util.h" | 9 #include "base/file_util.h" |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| 11 #include "base/task.h" | 11 #include "base/task.h" |
| 12 #include "base/values.h" | 12 #include "base/values.h" |
| 13 #include "chrome/browser/browser_thread.h" | 13 #include "chrome/browser/browser_thread.h" |
| 14 #include "chrome/browser/policy/configuration_policy_pref_store.h" | |
| 14 #include "chrome/browser/policy/proto/cloud_policy.pb.h" | 15 #include "chrome/browser/policy/proto/cloud_policy.pb.h" |
| 15 #include "chrome/browser/policy/proto/device_management_backend.pb.h" | |
| 16 #include "chrome/browser/policy/proto/device_management_constants.h" | 16 #include "chrome/browser/policy/proto/device_management_constants.h" |
| 17 #include "chrome/browser/policy/proto/device_management_local.pb.h" | 17 #include "chrome/browser/policy/proto/device_management_local.pb.h" |
| 18 | 18 |
| 19 using google::protobuf::RepeatedField; | 19 using google::protobuf::RepeatedField; |
| 20 using google::protobuf::RepeatedPtrField; | 20 using google::protobuf::RepeatedPtrField; |
| 21 | 21 |
| 22 // This CloudPolicyCache currently supports two protocols for the interaction | 22 // This CloudPolicyCache currently supports two protocols for the interaction |
| 23 // with DMServer: the old "DevicePolicy" format, which is being used in the | 23 // with DMServer: the old "DevicePolicy" format, which is being used in the |
| 24 // CrOS Pilot Program and will be deprecated afterwards, and the new | 24 // CrOS Pilot Program and will be deprecated afterwards, and the new |
| 25 // "CloudPolicy" format, which will be used exclusively after the public launch | 25 // "CloudPolicy" format, which will be used exclusively after the public launch |
| 26 // of ChromeOS. | 26 // of ChromeOS. |
| 27 | 27 |
| 28 namespace policy { | 28 namespace policy { |
| 29 | 29 |
| 30 // Decodes a CloudPolicySettings object into two maps with mandatory and | 30 // Decodes a CloudPolicySettings object into two maps with mandatory and |
| 31 // recommended settings, respectively. The implementation is generated code | 31 // recommended settings, respectively. The implementation is generated code |
| 32 // in policy/cloud_policy_generated.cc. | 32 // in policy/cloud_policy_generated.cc. |
| 33 void DecodePolicy(const em::CloudPolicySettings& policy, | 33 void DecodePolicy(const em::CloudPolicySettings& policy, |
| 34 PolicyMap* mandatory, PolicyMap* recommended); | 34 PolicyMap* mandatory, PolicyMap* recommended); |
| 35 | 35 |
| 36 // A thin ConfigurationPolicyProvider implementation sitting on top of | |
| 37 // CloudPolicyCache for hooking up with ConfigurationPolicyPrefStore. | |
| 38 class CloudPolicyCache::CloudPolicyProvider | |
| 39 : public ConfigurationPolicyProvider { | |
| 40 public: | |
| 41 CloudPolicyProvider(const PolicyDefinitionList* policy_list, | |
| 42 CloudPolicyCache* cache, | |
| 43 CloudPolicyCache::PolicyLevel level) | |
| 44 : ConfigurationPolicyProvider(policy_list), | |
| 45 cache_(cache), | |
| 46 level_(level) {} | |
| 47 virtual ~CloudPolicyProvider() {} | |
| 48 | |
| 49 virtual bool Provide(ConfigurationPolicyStoreInterface* store) { | |
| 50 if (!cache_->has_device_policy()) { | |
| 51 if (level_ == POLICY_LEVEL_MANDATORY) | |
| 52 ApplyPolicyMap(&cache_->mandatory_policy_, store); | |
| 53 else if (level_ == POLICY_LEVEL_RECOMMENDED) | |
| 54 ApplyPolicyMap(&cache_->recommended_policy_, store); | |
| 55 } else { | |
| 56 ApplyPolicyValueTree(cache_->device_policy_.get(), store); | |
| 57 } | |
| 58 return true; | |
| 59 } | |
| 60 | |
| 61 virtual bool IsInitializationComplete() const { | |
| 62 return cache_->initialization_complete_; | |
| 63 } | |
| 64 | |
| 65 virtual void AddObserver(ConfigurationPolicyProvider::Observer* observer) { | |
| 66 cache_->observer_list_.AddObserver(observer); | |
| 67 } | |
| 68 virtual void RemoveObserver(ConfigurationPolicyProvider::Observer* observer) { | |
| 69 cache_->observer_list_.RemoveObserver(observer); | |
| 70 } | |
| 71 | |
| 72 private: | |
| 73 // The underlying policy cache. | |
| 74 CloudPolicyCache* cache_; | |
| 75 // Policy level this provider will handle. | |
| 76 CloudPolicyCache::PolicyLevel level_; | |
| 77 | |
| 78 DISALLOW_COPY_AND_ASSIGN(CloudPolicyProvider); | |
| 79 }; | |
| 80 | |
| 36 // Saves policy information to a file. | 81 // Saves policy information to a file. |
| 37 class PersistPolicyTask : public Task { | 82 class PersistPolicyTask : public Task { |
| 38 public: | 83 public: |
| 39 PersistPolicyTask(const FilePath& path, | 84 PersistPolicyTask(const FilePath& path, |
| 40 const em::CloudPolicyResponse* cloud_policy_response, | 85 const em::CloudPolicyResponse* cloud_policy_response, |
| 41 const em::DevicePolicyResponse* device_policy_response, | 86 const em::DevicePolicyResponse* device_policy_response, |
| 42 const bool is_unmanaged) | 87 const bool is_unmanaged) |
| 43 : path_(path), | 88 : path_(path), |
| 44 cloud_policy_response_(cloud_policy_response), | 89 cloud_policy_response_(cloud_policy_response), |
| 45 device_policy_response_(device_policy_response), | 90 device_policy_response_(device_policy_response), |
| (...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 78 if (file_util::WriteFile(path_, data.c_str(), size) != size) { | 123 if (file_util::WriteFile(path_, data.c_str(), size) != size) { |
| 79 LOG(WARNING) << "Failed to write " << path_.value(); | 124 LOG(WARNING) << "Failed to write " << path_.value(); |
| 80 return; | 125 return; |
| 81 } | 126 } |
| 82 } | 127 } |
| 83 | 128 |
| 84 CloudPolicyCache::CloudPolicyCache( | 129 CloudPolicyCache::CloudPolicyCache( |
| 85 const FilePath& backing_file_path) | 130 const FilePath& backing_file_path) |
| 86 : backing_file_path_(backing_file_path), | 131 : backing_file_path_(backing_file_path), |
| 87 device_policy_(new DictionaryValue), | 132 device_policy_(new DictionaryValue), |
| 88 fresh_policy_(false), | 133 initialization_complete_(false), |
| 89 is_unmanaged_(false), | 134 is_unmanaged_(false), |
| 90 has_device_policy_(false) { | 135 has_device_policy_(false) { |
| 136 managed_policy_provider_.reset( | |
| 137 new CloudPolicyProvider( | |
| 138 ConfigurationPolicyPrefStore::GetChromePolicyDefinitionList(), | |
| 139 this, | |
| 140 POLICY_LEVEL_MANDATORY)); | |
| 141 recommended_policy_provider_.reset( | |
| 142 new CloudPolicyProvider( | |
| 143 ConfigurationPolicyPrefStore::GetChromePolicyDefinitionList(), | |
| 144 this, | |
| 145 POLICY_LEVEL_RECOMMENDED)); | |
| 91 } | 146 } |
| 92 | 147 |
| 93 CloudPolicyCache::~CloudPolicyCache() {} | 148 CloudPolicyCache::~CloudPolicyCache() { |
| 149 FOR_EACH_OBSERVER(ConfigurationPolicyProvider::Observer, | |
| 150 observer_list_, OnProviderGoingAway()); | |
| 151 } | |
| 94 | 152 |
| 95 void CloudPolicyCache::LoadPolicyFromFile() { | 153 void CloudPolicyCache::LoadFromFile() { |
| 96 // TODO(jkummerow): This method is doing file IO during browser startup. In | 154 // TODO(jkummerow): This method is doing file IO during browser startup. In |
| 97 // the long run it would be better to delay this until the FILE thread exists. | 155 // the long run it would be better to delay this until the FILE thread exists. |
| 98 if (!file_util::PathExists(backing_file_path_) || fresh_policy_) { | 156 if (!file_util::PathExists(backing_file_path_) || initialization_complete_) { |
| 99 return; | 157 return; |
| 100 } | 158 } |
| 101 | 159 |
| 102 // Read the protobuf from the file. | 160 // Read the protobuf from the file. |
| 103 std::string data; | 161 std::string data; |
| 104 if (!file_util::ReadFileToString(backing_file_path_, &data)) { | 162 if (!file_util::ReadFileToString(backing_file_path_, &data)) { |
| 105 LOG(WARNING) << "Failed to read policy data from " | 163 LOG(WARNING) << "Failed to read policy data from " |
| 106 << backing_file_path_.value(); | 164 << backing_file_path_.value(); |
| 107 return; | 165 return; |
| 108 } | 166 } |
| (...skipping 20 matching lines...) Expand all Loading... | |
| 129 LOG(WARNING) << "Decoding policy data failed."; | 187 LOG(WARNING) << "Decoding policy data failed."; |
| 130 return; | 188 return; |
| 131 } | 189 } |
| 132 } | 190 } |
| 133 if (timestamp > base::Time::NowFromSystemTime()) { | 191 if (timestamp > base::Time::NowFromSystemTime()) { |
| 134 LOG(WARNING) << "Rejected policy data from " << backing_file_path_.value() | 192 LOG(WARNING) << "Rejected policy data from " << backing_file_path_.value() |
| 135 << ", file is from the future."; | 193 << ", file is from the future."; |
| 136 return; | 194 return; |
| 137 } | 195 } |
| 138 // Swap in the new policy information. | 196 // Swap in the new policy information. |
| 139 if (is_unmanaged_) { | 197 if (cached_response.has_cloud_policy()) { |
| 140 base::AutoLock lock(lock_); | 198 mandatory_policy_.Swap(&mandatory_policy); |
| 141 last_policy_refresh_time_ = timestamp; | 199 recommended_policy_.Swap(&recommended_policy); |
| 142 return; | 200 has_device_policy_ = false; |
| 143 } else if (cached_response.has_cloud_policy()) { | |
| 144 if (!fresh_policy_) { | |
| 145 base::AutoLock lock(lock_); | |
| 146 // The use of |Swap()| here makes sure that the old value in | |
| 147 // |mandatory_policy_| is deleted when |mandatory_policy| goes out of | |
| 148 // scope. (The same applies to |SetPolicy()| below.) | |
| 149 mandatory_policy_.Swap(&mandatory_policy); | |
| 150 recommended_policy_.Swap(&recommended_policy); | |
| 151 last_policy_refresh_time_ = timestamp; | |
| 152 has_device_policy_ = false; | |
| 153 } | |
| 154 } else if (cached_response.has_device_policy()) { | 201 } else if (cached_response.has_device_policy()) { |
| 155 scoped_ptr<DictionaryValue> value( | 202 scoped_ptr<DictionaryValue> value( |
| 156 DecodeDevicePolicy(cached_response.device_policy())); | 203 DecodeDevicePolicy(cached_response.device_policy())); |
| 157 if (!fresh_policy_) { | 204 device_policy_.reset(value.release()); |
| 158 base::AutoLock lock(lock_); | 205 has_device_policy_ = true; |
| 159 device_policy_.reset(value.release()); | |
| 160 last_policy_refresh_time_ = timestamp; | |
| 161 has_device_policy_ = true; | |
| 162 } | |
| 163 } | 206 } |
| 207 last_policy_refresh_time_ = timestamp; | |
| 208 initialization_complete_ = true; | |
| 209 | |
| 210 FOR_EACH_OBSERVER(ConfigurationPolicyProvider::Observer, | |
| 211 observer_list_, OnUpdatePolicy()); | |
| 164 } | 212 } |
| 165 | 213 |
| 166 bool CloudPolicyCache::SetPolicy(const em::CloudPolicyResponse& policy) { | 214 void CloudPolicyCache::SetPolicy(const em::CloudPolicyResponse& policy) { |
| 167 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 215 DCHECK(CalledOnValidThread()); |
| 168 is_unmanaged_ = false; | 216 is_unmanaged_ = false; |
| 169 base::Time timestamp; | 217 base::Time timestamp; |
| 170 PolicyMap mandatory_policy; | 218 PolicyMap mandatory_policy; |
| 171 PolicyMap recommended_policy; | 219 PolicyMap recommended_policy; |
| 172 bool ok = DecodePolicyResponse(policy, &mandatory_policy, &recommended_policy, | 220 bool ok = DecodePolicyResponse(policy, &mandatory_policy, &recommended_policy, |
| 173 ×tamp); | 221 ×tamp); |
| 174 if (!ok) { | 222 if (!ok) |
| 175 // TODO(jkummerow): Signal error to PolicyProvider. | 223 return; |
| 176 return false; | 224 |
| 177 } | |
| 178 const bool new_policy_differs = | 225 const bool new_policy_differs = |
| 179 !mandatory_policy.Equals(mandatory_policy_) || | 226 !mandatory_policy_.Equals(mandatory_policy) || |
| 180 !recommended_policy.Equals(recommended_policy_); | 227 !recommended_policy_.Equals(recommended_policy); |
| 181 { | 228 mandatory_policy_.Swap(&mandatory_policy); |
| 182 base::AutoLock lock(lock_); | 229 recommended_policy_.Swap(&recommended_policy); |
| 183 mandatory_policy_.Swap(&mandatory_policy); | 230 initialization_complete_ = true; |
| 184 recommended_policy_.Swap(&recommended_policy); | 231 last_policy_refresh_time_ = timestamp; |
| 185 fresh_policy_ = true; | 232 has_device_policy_ = false; |
| 186 last_policy_refresh_time_ = timestamp; | 233 |
| 187 has_device_policy_ = false; | 234 if (new_policy_differs) { |
|
Mattias Nissler (ping if slow)
2011/02/21 14:39:13
Do we need also notify if initialization_complete_
Jakob Kummerow
2011/02/22 10:02:33
Done.
I believe this case won't happen anyway with
| |
| 235 FOR_EACH_OBSERVER(ConfigurationPolicyProvider::Observer, | |
| 236 observer_list_, OnUpdatePolicy()); | |
| 188 } | 237 } |
| 189 | 238 |
| 190 if (timestamp > base::Time::NowFromSystemTime() + | 239 if (timestamp > base::Time::NowFromSystemTime() + |
| 191 base::TimeDelta::FromMinutes(1)) { | 240 base::TimeDelta::FromMinutes(1)) { |
| 192 LOG(WARNING) << "Server returned policy with timestamp from the future, " | 241 LOG(WARNING) << "Server returned policy with timestamp from the future, " |
| 193 "not persisting to disk."; | 242 "not persisting to disk."; |
| 194 } else { | 243 } else { |
| 195 em::CloudPolicyResponse* policy_copy = new em::CloudPolicyResponse; | 244 em::CloudPolicyResponse* policy_copy = new em::CloudPolicyResponse; |
| 196 policy_copy->CopyFrom(policy); | 245 policy_copy->CopyFrom(policy); |
| 197 BrowserThread::PostTask( | 246 BrowserThread::PostTask( |
| 198 BrowserThread::FILE, | 247 BrowserThread::FILE, |
| 199 FROM_HERE, | 248 FROM_HERE, |
| 200 new PersistPolicyTask(backing_file_path_, policy_copy, NULL, false)); | 249 new PersistPolicyTask(backing_file_path_, policy_copy, NULL, false)); |
| 201 } | 250 } |
| 202 return new_policy_differs; | |
| 203 } | 251 } |
| 204 | 252 |
| 205 bool CloudPolicyCache::SetDevicePolicy(const em::DevicePolicyResponse& policy) { | 253 void CloudPolicyCache::SetDevicePolicy(const em::DevicePolicyResponse& policy) { |
| 206 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 254 DCHECK(CalledOnValidThread()); |
| 207 is_unmanaged_ = false; | 255 is_unmanaged_ = false; |
| 208 DictionaryValue* value = DecodeDevicePolicy(policy); | 256 DictionaryValue* value = DecodeDevicePolicy(policy); |
| 209 const bool new_policy_differs = !(value->Equals(device_policy_.get())); | 257 const bool new_policy_differs = !(value->Equals(device_policy_.get())); |
| 210 base::Time now(base::Time::NowFromSystemTime()); | 258 base::Time now(base::Time::NowFromSystemTime()); |
| 211 { | 259 device_policy_.reset(value); |
| 212 base::AutoLock lock(lock_); | 260 initialization_complete_ = true; |
| 213 device_policy_.reset(value); | 261 last_policy_refresh_time_ = now; |
| 214 fresh_policy_ = true; | 262 has_device_policy_ = true; |
| 215 last_policy_refresh_time_ = now; | 263 |
| 216 has_device_policy_ = true; | 264 if (new_policy_differs) { |
|
Mattias Nissler (ping if slow)
2011/02/21 14:39:13
Same here?
Jakob Kummerow
2011/02/22 10:02:33
Done.
| |
| 265 FOR_EACH_OBSERVER(ConfigurationPolicyProvider::Observer, | |
| 266 observer_list_, OnUpdatePolicy()); | |
| 217 } | 267 } |
| 218 | 268 |
| 219 em::DevicePolicyResponse* policy_copy = new em::DevicePolicyResponse; | 269 em::DevicePolicyResponse* policy_copy = new em::DevicePolicyResponse; |
| 220 policy_copy->CopyFrom(policy); | 270 policy_copy->CopyFrom(policy); |
| 221 BrowserThread::PostTask( | 271 BrowserThread::PostTask( |
| 222 BrowserThread::FILE, | 272 BrowserThread::FILE, |
| 223 FROM_HERE, | 273 FROM_HERE, |
| 224 new PersistPolicyTask(backing_file_path_, NULL, policy_copy, false)); | 274 new PersistPolicyTask(backing_file_path_, NULL, policy_copy, false)); |
| 225 return new_policy_differs; | |
| 226 } | 275 } |
| 227 | 276 |
| 228 DictionaryValue* CloudPolicyCache::GetDevicePolicy() { | 277 ConfigurationPolicyProvider* CloudPolicyCache::GetManagedPolicyProvider() { |
| 229 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 278 DCHECK(CalledOnValidThread()); |
| 230 base::AutoLock lock(lock_); | 279 return managed_policy_provider_.get(); |
| 231 return device_policy_->DeepCopy(); | |
| 232 } | 280 } |
| 233 | 281 |
| 234 const PolicyMap* CloudPolicyCache::GetMandatoryPolicy() const { | 282 ConfigurationPolicyProvider* CloudPolicyCache::GetRecommendedPolicyProvider() { |
| 235 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 283 DCHECK(CalledOnValidThread()); |
| 236 return &mandatory_policy_; | 284 return recommended_policy_provider_.get(); |
| 237 } | |
| 238 | |
| 239 const PolicyMap* CloudPolicyCache::GetRecommendedPolicy() const { | |
| 240 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | |
| 241 return &recommended_policy_; | |
| 242 } | 285 } |
| 243 | 286 |
| 244 void CloudPolicyCache::SetUnmanaged() { | 287 void CloudPolicyCache::SetUnmanaged() { |
| 245 DCHECK(BrowserThread::CurrentlyOn(BrowserThread::UI)); | 288 DCHECK(CalledOnValidThread()); |
| 246 is_unmanaged_ = true; | 289 is_unmanaged_ = true; |
| 247 { | 290 mandatory_policy_.Clear(); |
| 248 base::AutoLock lock(lock_); | 291 recommended_policy_.Clear(); |
| 249 mandatory_policy_.Clear(); | 292 device_policy_.reset(new DictionaryValue); |
| 250 recommended_policy_.Clear(); | 293 last_policy_refresh_time_ = base::Time::NowFromSystemTime(); |
| 251 device_policy_.reset(new DictionaryValue); | 294 |
| 252 last_policy_refresh_time_ = base::Time::NowFromSystemTime(); | 295 FOR_EACH_OBSERVER(ConfigurationPolicyProvider::Observer, |
| 253 } | 296 observer_list_, OnUpdatePolicy()); |
| 297 | |
| 254 BrowserThread::PostTask( | 298 BrowserThread::PostTask( |
| 255 BrowserThread::FILE, | 299 BrowserThread::FILE, |
| 256 FROM_HERE, | 300 FROM_HERE, |
| 257 new PersistPolicyTask(backing_file_path_, NULL, NULL, true)); | 301 new PersistPolicyTask(backing_file_path_, NULL, NULL, true)); |
| 258 } | 302 } |
| 259 | 303 |
| 260 // static | 304 // static |
| 261 bool CloudPolicyCache::DecodePolicyResponse( | 305 bool CloudPolicyCache::DecodePolicyResponse( |
| 262 const em::CloudPolicyResponse& policy_response, | 306 const em::CloudPolicyResponse& policy_response, |
| 263 PolicyMap* mandatory, | 307 PolicyMap* mandatory, |
| (...skipping 144 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 408 CloudPolicyCache::DecodeValue(named_value->value()); | 452 CloudPolicyCache::DecodeValue(named_value->value()); |
| 409 if (decoded_value) | 453 if (decoded_value) |
| 410 result->Set(named_value->name(), decoded_value); | 454 result->Set(named_value->name(), decoded_value); |
| 411 } | 455 } |
| 412 } | 456 } |
| 413 } | 457 } |
| 414 return result; | 458 return result; |
| 415 } | 459 } |
| 416 | 460 |
| 417 } // namespace policy | 461 } // namespace policy |
| OLD | NEW |
