Make sure the device recovers from policy loss in the consumer case.

chrome/browser/chromeos/device_settings_provider.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/device_settings_provider.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/string_util.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/cros_settings.h"
 #include "chrome/browser/chromeos/cros_settings_names.h"
 #include "chrome/browser/chromeos/login/ownership_service.h"
 #include "chrome/browser/chromeos/login/signed_settings_cache.h"
 #include "chrome/browser/chromeos/login/signed_settings_helper.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/policy/app_pack_updater.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
+#include "chrome/browser/policy/cloud_policy_constants.h"
 #include "chrome/browser/ui/options/options_util.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/installer/util/google_update_settings.h"
 #include "content/public/browser/notification_service.h"
 
 using google::protobuf::RepeatedPtrField;
 
 namespace em = enterprise_management;
 
 namespace chromeos {
 
 namespace {
 
 // List of settings handled by the DeviceSettingsProvider.
 const char* kKnownSettings[] = {
   kAccountsPrefAllowGuest,
   kAccountsPrefAllowNewUser,
   kAccountsPrefEphemeralUsersEnabled,
   kAccountsPrefShowUserNamesOnSignIn,
   kAccountsPrefUsers,
   kAppPack,
+
   kDeviceOwner,
   kIdleLogoutTimeout,
   kIdleLogoutWarningDuration,
+  kPolicyMissingMitigationMode,
   kReleaseChannel,
   kReportDeviceActivityTimes,
   kReportDeviceBootMode,
   kReportDeviceVersionInfo,
   kScreenSaverExtensionId,
   kScreenSaverTimeout,
   kSettingProxyEverywhere,
   kSignedDataRoamingEnabled,
   kStatsReportingPref,
 };
@@ skipping 14 matching lines @@
   // If the value is not set we should try to migrate legacy consent file.
   // Loading consent file state causes us to do blocking IO on UI thread.
   // Temporarily allow it until we fix http://crbug.com/62626
   base::ThreadRestrictions::ScopedAllowIO allow_io;
   return GoogleUpdateSettings::GetCollectStatsConsent();
 }
 
 }  // namespace
 
 DeviceSettingsProvider::DeviceSettingsProvider(
+    const NotifyObserversCallback& notify_cb,
+    SignedSettingsHelper* signed_settings_helper,
+    OwnershipService::Status ownership_status)
+    : CrosSettingsProvider(notify_cb),
+      signed_settings_helper_(signed_settings_helper),
+      ownership_status_(ownership_status),
+      migration_helper_(new SignedSettingsMigrationHelper()),
+      retries_left_(kNumRetriesLimit),
+      trusted_(false) {
+  Initialize();
+}
+
+DeviceSettingsProvider::DeviceSettingsProvider(
     const NotifyObserversCallback& notify_cb)
     : CrosSettingsProvider(notify_cb),
+      signed_settings_helper_(SignedSettingsHelper::Get()),
       ownership_status_(OwnershipService::GetSharedInstance()->GetStatus(true)),
       migration_helper_(new SignedSettingsMigrationHelper()),
       retries_left_(kNumRetriesLimit),
       trusted_(false) {
+  Initialize();
+}
+
+DeviceSettingsProvider::~DeviceSettingsProvider() {
+}
+
+void DeviceSettingsProvider::Initialize() {
   // Register for notification when ownership is taken so that we can update
   // the |ownership_status_| and reload if needed.
   registrar_.Add(this, chrome::NOTIFICATION_OWNER_KEY_FETCH_ATTEMPT_SUCCEEDED,
                  content::NotificationService::AllSources());
   // Make sure we have at least the cache data immediately.
   RetrieveCachedData();
   // Start prefetching preferences.
   Reload();
 }
 
-DeviceSettingsProvider::~DeviceSettingsProvider() {
-}
-
 void DeviceSettingsProvider::Reload() {
   // While fetching we can't trust the cache anymore.
   trusted_ = false;
   if (ownership_status_ == OwnershipService::OWNERSHIP_NONE) {
     RetrieveCachedData();
   } else {
     // Retrieve the real data.
-    SignedSettingsHelper::Get()->StartRetrievePolicyOp(
+    signed_settings_helper_->StartRetrievePolicyOp(
         base::Bind(&DeviceSettingsProvider::OnRetrievePolicyCompleted,
                    base::Unretained(this)));
   }
 }
 
 void DeviceSettingsProvider::DoSet(const std::string& path,
                                    const base::Value& in_value) {
   if (!UserManager::Get()->IsCurrentUserOwner() &&
       ownership_status_ != OwnershipService::OWNERSHIP_NONE) {
     LOG(WARNING) << "Changing settings from non-owner, setting=" << path;
@@ skipping 66 matching lines @@
       if (!pending_changes_.empty())
         SetInPolicy();
     } else {
       NOTREACHED();
     }
     return;
   }
 
   if (!RequestTrustedEntity()) {
     // Otherwise we should first reload and apply on top of that.
-    SignedSettingsHelper::Get()->StartRetrievePolicyOp(
+    signed_settings_helper_->StartRetrievePolicyOp(
         base::Bind(&DeviceSettingsProvider::FinishSetInPolicy,
                    base::Unretained(this)));
     return;
   }
 
   trusted_ = false;
   em::PolicyData data = policy();
   em::ChromeDeviceSettingsProto pol;
   pol.ParseFromString(data.policy_value());
   if (prop == kAccountsPrefAllowNewUser) {
@@ skipping 87 matching lines @@
   // Set the cache to the updated value.
   policy_ = data;
   UpdateValuesCache();
 
   if (!signed_settings_cache::Store(data, g_browser_process->local_state()))
     LOG(ERROR) << "Couldn't store to the temp storage.";
 
   if (ownership_status_ == OwnershipService::OWNERSHIP_TAKEN) {
     em::PolicyFetchResponse policy_envelope;
     policy_envelope.set_policy_data(policy_.SerializeAsString());
-    SignedSettingsHelper::Get()->StartStorePolicyOp(
+    signed_settings_helper_->StartStorePolicyOp(
         policy_envelope,
         base::Bind(&DeviceSettingsProvider::OnStorePolicyCompleted,
                    base::Unretained(this)));
   } else {
     // OnStorePolicyCompleted won't get called in this case so proceed with any
     // pending operations immediately.
     delete pending_changes_[0].second;
     pending_changes_.erase(pending_changes_.begin());
     if (!pending_changes_.empty())
       SetInPolicy();
@@ skipping 263 matching lines @@
   if (pol.has_metrics_enabled())
     ApplyMetricsSetting(false, pol.metrics_enabled().metrics_enabled());
   else
     ApplyMetricsSetting(true, false);
   // Next set the roaming setting as needed.
   ApplyRoamingSetting(pol.has_data_roaming_enabled() ?
       pol.data_roaming_enabled().data_roaming_enabled() : false);
 }
 
 bool DeviceSettingsProvider::MitigateMissingPolicy() {
-  // As this code runs only in exceptional cases it's fine to allow I/O here.
-  base::ThreadRestrictions::ScopedAllowIO allow_io;
-  FilePath legacy_policy_file(kLegacyPolicyFile);
-  // Check if legacy file exists but is not writable to avoid possible
-  // attack of creating this file through chronos (although this should be
-  // not possible in root owned location), but better be safe than sorry.
-  // TODO(pastarmovj): Remove this workaround once we have proper checking
-  // for policy corruption or when Cr48 is phased out the very latest.
-  // See: http://crosbug.com/24916.
-  if (file_util::PathExists(legacy_policy_file) &&
-      !file_util::PathIsWritable(legacy_policy_file)) {
-    // We are in pre 11 dev upgrading to post 17 version mode.
-    LOG(ERROR) << "Detected system upgraded from ChromeOS 11 or older with "
-               << "missing policies. Switching to migration policy mode "
-               << "until the owner logs in to regenerate the policy data.";
-    // In this situation we should pretend we have policy even though we
-    // don't until the owner logs in and restores the policy blob.
-    values_cache_.SetBoolean(kAccountsPrefAllowNewUser, true);
-    values_cache_.SetBoolean(kAccountsPrefAllowGuest, true);
-    trusted_ = true;
-    // Make sure we will recreate the policy once the owner logs in.
-    // Any value not in this list will be left to the default which is fine as
-    // we repopulate the whitelist with the owner and any other possible every
-    // time the user enables whitelist filtering on the UI.
-    migration_helper_->AddMigrationValue(
-        kAccountsPrefAllowNewUser, base::Value::CreateBooleanValue(true));
-    migration_helper_->MigrateValues();
-    // The last step is to pretend we loaded policy correctly and call everyone.
-    for (size_t i = 0; i < callbacks_.size(); ++i)
-      callbacks_[i].Run();
-    callbacks_.clear();
-    return true;
+  // First check if the device has been owned already and if not exit
+  // immediately.
+  if (g_browser_process->browser_policy_connector()->GetDeviceMode() !=
+      policy::DEVICE_MODE_CONSUMER) {
+    return false;
   }
-  return false;
+
+  // If we are here the policy file were corrupted or missing. This can happen
+  // because we are migrating Pre R11 device to the new secure policies or there
+  // was an attempt to circumvent policy system. In this case we should populate
+  // the policy cache with "safe-mode" defaults which should allow the owner to
+  // log in but lock the device for anyone else until the policy blob has been
+  // recreated by the session manager.
+  LOG(ERROR) << "Corruption of the policy data has been detected."
+             << "Switching to \"safe-mode\" policies until the owner logs in "
+             << "to regenerate the policy data.";
+  values_cache_.SetBoolean(kAccountsPrefAllowNewUser, true);
+  values_cache_.SetBoolean(kAccountsPrefAllowGuest, true);
+  values_cache_.SetBoolean(kPolicyMissingMitigationMode, true);
+  trusted_ = true;
+  // Make sure we will recreate the policy once the owner logs in.
+  // Any value not in this list will be left to the default which is fine as
+  // we repopulate the whitelist with the owner and all other existing users
+  // every time the owner enables whitelist filtering on the UI.
+  migration_helper_->AddMigrationValue(
+      kAccountsPrefAllowNewUser, base::Value::CreateBooleanValue(true));
+  migration_helper_->MigrateValues();
+  // The last step is to pretend we loaded policy correctly and call everyone.
+  for (size_t i = 0; i < callbacks_.size(); ++i)
+    callbacks_[i].Run();
+  callbacks_.clear();
+  return true;
 }
 
 const base::Value* DeviceSettingsProvider::Get(const std::string& path) const {
   if (IsControlledSetting(path)) {
     const base::Value* value;
     if (values_cache_.GetValue(path, &value))
       return value;
   } else {
     NOTREACHED() << "Trying to get non cros setting.";
   }
@@ skipping 58 matching lines @@
       trusted_ = true;
       for (size_t i = 0; i < callbacks_.size(); ++i)
         callbacks_[i].Run();
       callbacks_.clear();
       // TODO(pastarmovj): Make those side effects responsibility of the
       // respective subsystems.
       ApplySideEffects();
       break;
     }
     case SignedSettings::NOT_FOUND:
-      // Verify if we don't have to mitigate pre Chrome 12 machine here and if
-      // needed do the magic.
       if (MitigateMissingPolicy())
         break;
     case SignedSettings::KEY_UNAVAILABLE: {
       if (ownership_status_ != OwnershipService::OWNERSHIP_TAKEN)
         NOTREACHED() << "No policies present yet, will use the temp storage.";
       break;
     }
     case SignedSettings::BAD_SIGNATURE:
     case SignedSettings::OPERATION_FAILED: {
       LOG(ERROR) << "Failed to retrieve cros policies. Reason:" << code;
       if (retries_left_ > 0) {
         retries_left_ -= 1;
         Reload();
         return;
       }
       LOG(ERROR) << "No retries left";
       break;
     }
   }
 }
 
 }  // namespace chromeos