| OLD | NEW |
|---|
| (Empty) |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
| 2 // Use of this source code is governed by a BSD-style license that can be | |
| 3 // found in the LICENSE file. | |
| 4 | |
| 5 #include "chrome/browser/policy/device_local_account_policy_store.h" | |
| 6 | |
| 7 #include "base/bind.h" | |
| 8 #include "base/values.h" | |
| 9 #include "chrome/browser/policy/device_management_service.h" | |
| 10 #include "chrome/browser/policy/policy_types.h" | |
| 11 #include "chrome/browser/policy/proto/cloud_policy.pb.h" | |
| 12 #include "chrome/browser/policy/proto/device_management_backend.pb.h" | |
| 13 #include "chromeos/dbus/session_manager_client.h" | |
| 14 #include "policy/policy_constants.h" | |
| 15 | |
| 16 namespace em = enterprise_management; | |
| 17 | |
| 18 namespace policy { | |
| 19 | |
| 20 DeviceLocalAccountPolicyStore::DeviceLocalAccountPolicyStore( | |
| 21 const std::string& account_id, | |
| 22 chromeos::SessionManagerClient* session_manager_client, | |
| 23 chromeos::DeviceSettingsService* device_settings_service) | |
| 24 : account_id_(account_id), | |
| 25 session_manager_client_(session_manager_client), | |
| 26 device_settings_service_(device_settings_service), | |
| 27 ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)) {} | |
| 28 | |
| 29 DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {} | |
| 30 | |
| 31 void DeviceLocalAccountPolicyStore::Load() { | |
| 32 weak_factory_.InvalidateWeakPtrs(); | |
| 33 session_manager_client_->RetrieveDeviceLocalAccountPolicy( | |
| 34 account_id_, | |
| 35 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob, | |
| 36 weak_factory_.GetWeakPtr())); | |
| 37 } | |
| 38 | |
| 39 void DeviceLocalAccountPolicyStore::Store( | |
| 40 const em::PolicyFetchResponse& policy) { | |
| 41 weak_factory_.InvalidateWeakPtrs(); | |
| 42 CheckKeyAndValidate( | |
| 43 make_scoped_ptr(new em::PolicyFetchResponse(policy)), | |
| 44 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy, | |
| 45 weak_factory_.GetWeakPtr())); | |
| 46 } | |
| 47 | |
| 48 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob( | |
| 49 const std::string& policy_blob) { | |
| 50 if (policy_blob.empty()) { | |
| 51 status_ = CloudPolicyStore::STATUS_LOAD_ERROR; | |
| 52 NotifyStoreError(); | |
| 53 } else { | |
| 54 scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse()); | |
| 55 if (policy->ParseFromString(policy_blob)) { | |
| 56 CheckKeyAndValidate( | |
| 57 policy.Pass(), | |
| 58 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy, | |
| 59 weak_factory_.GetWeakPtr())); | |
| 60 } else { | |
| 61 status_ = CloudPolicyStore::STATUS_PARSE_ERROR; | |
| 62 NotifyStoreError(); | |
| 63 } | |
| 64 } | |
| 65 } | |
| 66 | |
| 67 void DeviceLocalAccountPolicyStore::UpdatePolicy( | |
| 68 UserCloudPolicyValidator* validator) { | |
| 69 validation_status_ = validator->status(); | |
| 70 if (!validator->success()) { | |
| 71 status_ = STATUS_VALIDATION_ERROR; | |
| 72 NotifyStoreError(); | |
| 73 return; | |
| 74 } | |
| 75 | |
| 76 InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass()); | |
| 77 // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the ash | |
| 78 // shelf does not auto-hide. | |
| 79 policy_map_.Set(key::kShelfAutoHideBehavior, | |
| 80 POLICY_LEVEL_MANDATORY, | |
| 81 POLICY_SCOPE_USER, | |
| 82 Value::CreateStringValue("Never")); | |
| 83 // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big, | |
| 84 // red logout button is shown in the ash system tray. | |
| 85 policy_map_.Set(key::kShowLogoutButtonInTray, | |
| 86 POLICY_LEVEL_MANDATORY, | |
| 87 POLICY_SCOPE_USER, | |
| 88 Value::CreateBooleanValue(true)); | |
| 89 // Restrict device-local accounts to hosted apps for now (i.e. no extensions, | |
| 90 // packaged apps etc.) for security/privacy reasons (i.e. we'd like to | |
| 91 // prevent the admin from stealing private information from random people). | |
| 92 scoped_ptr<base::ListValue> allowed_extension_types(new base::ListValue()); | |
| 93 allowed_extension_types->AppendString("hosted_app"); | |
| 94 policy_map_.Set(key::kExtensionAllowedTypes, | |
| 95 POLICY_LEVEL_MANDATORY, | |
| 96 POLICY_SCOPE_USER, | |
| 97 allowed_extension_types.release()); | |
| 98 | |
| 99 status_ = STATUS_OK; | |
| 100 NotifyStoreLoaded(); | |
| 101 } | |
| 102 | |
| 103 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy( | |
| 104 UserCloudPolicyValidator* validator) { | |
| 105 if (!validator->success()) { | |
| 106 status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR; | |
| 107 validation_status_ = validator->status(); | |
| 108 NotifyStoreError(); | |
| 109 return; | |
| 110 } | |
| 111 | |
| 112 std::string policy_blob; | |
| 113 if (!validator->policy()->SerializeToString(&policy_blob)) { | |
| 114 status_ = CloudPolicyStore::STATUS_SERIALIZE_ERROR; | |
| 115 NotifyStoreError(); | |
| 116 return; | |
| 117 } | |
| 118 | |
| 119 session_manager_client_->StoreDeviceLocalAccountPolicy( | |
| 120 account_id_, | |
| 121 policy_blob, | |
| 122 base::Bind(&DeviceLocalAccountPolicyStore::HandleStoreResult, | |
| 123 weak_factory_.GetWeakPtr())); | |
| 124 } | |
| 125 | |
| 126 void DeviceLocalAccountPolicyStore::HandleStoreResult(bool success) { | |
| 127 if (!success) { | |
| 128 status_ = CloudPolicyStore::STATUS_STORE_ERROR; | |
| 129 NotifyStoreError(); | |
| 130 } else { | |
| 131 Load(); | |
| 132 } | |
| 133 } | |
| 134 | |
| 135 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate( | |
| 136 scoped_ptr<em::PolicyFetchResponse> policy, | |
| 137 const UserCloudPolicyValidator::CompletionCallback& callback) { | |
| 138 device_settings_service_->GetOwnershipStatusAsync( | |
| 139 base::Bind(&DeviceLocalAccountPolicyStore::Validate, | |
| 140 weak_factory_.GetWeakPtr(), | |
| 141 base::Passed(&policy), | |
| 142 callback)); | |
| 143 } | |
| 144 | |
| 145 void DeviceLocalAccountPolicyStore::Validate( | |
| 146 scoped_ptr<em::PolicyFetchResponse> policy_response, | |
| 147 const UserCloudPolicyValidator::CompletionCallback& callback, | |
| 148 chromeos::DeviceSettingsService::OwnershipStatus ownership_status, | |
| 149 bool is_owner) { | |
| 150 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN, | |
| 151 ownership_status); | |
| 152 chromeos::OwnerKey* key = device_settings_service_->GetOwnerKey(); | |
| 153 if (!key->public_key()) { | |
| 154 status_ = CloudPolicyStore::STATUS_BAD_STATE; | |
| 155 NotifyStoreLoaded(); | |
| 156 return; | |
| 157 } | |
| 158 | |
| 159 scoped_ptr<UserCloudPolicyValidator> validator( | |
| 160 UserCloudPolicyValidator::Create(policy_response.Pass())); | |
| 161 validator->ValidateUsername(account_id_); | |
| 162 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType); | |
| 163 validator->ValidateAgainstCurrentPolicy(policy(), false); | |
| 164 validator->ValidatePayload(); | |
| 165 validator->ValidateSignature(*key->public_key(), false); | |
| 166 validator.release()->StartValidation(callback); | |
| 167 } | |
| 168 | |
| 169 } // namespace policy | |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12189011:
Split up chrome/browser/policy subdirectory (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src