
Side by Side Diff: components/policy/core/common/policy_loader_win.cc

Issue 152633003: On enterprise machines read policy from the registry. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 10 months ago
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "components/policy/core/common/policy_loader_win.h" 5 #include "components/policy/core/common/policy_loader_win.h"
6 6
7 #include <windows.h> 7 #include <windows.h>
8 #include <lm.h> // For limits. 8 #include <lm.h> // For limits.
9 #include <ntdsapi.h> // For Ds[Un]Bind 9 #include <ntdsapi.h> // For Ds[Un]Bind
10 #include <rpc.h> // For struct GUID 10 #include <rpc.h> // For struct GUID
(...skipping 17 matching lines...) Expand all
28 #include "base/json/json_writer.h" 28 #include "base/json/json_writer.h"
29 #include "base/lazy_instance.h" 29 #include "base/lazy_instance.h"
30 #include "base/logging.h" 30 #include "base/logging.h"
31 #include "base/metrics/histogram.h" 31 #include "base/metrics/histogram.h"
32 #include "base/scoped_native_library.h" 32 #include "base/scoped_native_library.h"
33 #include "base/sequenced_task_runner.h" 33 #include "base/sequenced_task_runner.h"
34 #include "base/stl_util.h" 34 #include "base/stl_util.h"
35 #include "base/strings/string16.h" 35 #include "base/strings/string16.h"
36 #include "base/strings/string_util.h" 36 #include "base/strings/string_util.h"
37 #include "base/values.h" 37 #include "base/values.h"
38 #include "base/win/win_util.h"
38 #include "base/win/windows_version.h" 39 #include "base/win/windows_version.h"
39 #include "components/json_schema/json_schema_constants.h" 40 #include "components/json_schema/json_schema_constants.h"
40 #include "components/policy/core/common/policy_bundle.h" 41 #include "components/policy/core/common/policy_bundle.h"
41 #include "components/policy/core/common/policy_load_status.h" 42 #include "components/policy/core/common/policy_load_status.h"
42 #include "components/policy/core/common/policy_map.h" 43 #include "components/policy/core/common/policy_map.h"
43 #include "components/policy/core/common/policy_namespace.h" 44 #include "components/policy/core/common/policy_namespace.h"
44 #include "components/policy/core/common/preg_parser_win.h" 45 #include "components/policy/core/common/preg_parser_win.h"
45 #include "components/policy/core/common/registry_dict_win.h" 46 #include "components/policy/core/common/registry_dict_win.h"
46 #include "components/policy/core/common/schema.h" 47 #include "components/policy/core/common/schema.h"
47 48
(...skipping 291 matching lines...) Expand 10 before | Expand all | Expand 10 after
339 340
340 // Policy scope and corresponding hive. 341 // Policy scope and corresponding hive.
341 static const struct { 342 static const struct {
342 PolicyScope scope; 343 PolicyScope scope;
343 HKEY hive; 344 HKEY hive;
344 } kScopes[] = { 345 } kScopes[] = {
345 { POLICY_SCOPE_MACHINE, HKEY_LOCAL_MACHINE }, 346 { POLICY_SCOPE_MACHINE, HKEY_LOCAL_MACHINE },
346 { POLICY_SCOPE_USER, HKEY_CURRENT_USER }, 347 { POLICY_SCOPE_USER, HKEY_CURRENT_USER },
347 }; 348 };
348 349
350 bool is_enterprise = base::win::IsEnrolledToDomain();
351
349 // Load policy data for the different scopes/levels and merge them. 352 // Load policy data for the different scopes/levels and merge them.
350 scoped_ptr<PolicyBundle> bundle(new PolicyBundle()); 353 scoped_ptr<PolicyBundle> bundle(new PolicyBundle());
351 PolicyMap* chrome_policy = 354 PolicyMap* chrome_policy =
352 &bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); 355 &bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
353 for (size_t i = 0; i < arraysize(kScopes); ++i) { 356 for (size_t i = 0; i < arraysize(kScopes); ++i) {
354 PolicyScope scope = kScopes[i].scope; 357 PolicyScope scope = kScopes[i].scope;
355 PolicyLoadStatusSample status; 358 PolicyLoadStatusSample status;
356 RegistryDict gpo_dict; 359 RegistryDict gpo_dict;
357 360
358 // Note: GPO rules mandate a call to EnterCriticalPolicySection() here, and 361 // Note: GPO rules mandate a call to EnterCriticalPolicySection() here, and
359 // a matching LeaveCriticalPolicySection() call below after the 362 // a matching LeaveCriticalPolicySection() call below after the
360 // ReadPolicyFromGPO() block. Unfortunately, the policy mutex may be 363 // ReadPolicyFromGPO() block. Unfortunately, the policy mutex may be
361 // unavailable for extended periods of time, and there are reports of this 364 // unavailable for extended periods of time, and there are reports of this
362 // happening in the wild: http://crbug.com/265862. 365 // happening in the wild: http://crbug.com/265862.
363 // 366 //
364 // Blocking for minutes is neither acceptable for Chrome startup, nor on 367 // Blocking for minutes is neither acceptable for Chrome startup, nor on
365 // the FILE thread on which this code runs in steady state. Given that 368 // the FILE thread on which this code runs in steady state. Given that
366 // there have never been any reports of issues due to partially-applied / 369 // there have never been any reports of issues due to partially-applied /
367 // corrupt group policy, this code intentionally omits the 370 // corrupt group policy, this code intentionally omits the
368 // EnterCriticalPolicySection() call. 371 // EnterCriticalPolicySection() call.
369 // 372 //
370 // If there's ever reason to revisit this decision, one option could be to 373 // If there's ever reason to revisit this decision, one option could be to
371 // make the EnterCriticalPolicySection() call on a dedicated thread and 374 // make the EnterCriticalPolicySection() call on a dedicated thread and
372 // timeout on it more aggressively. For now, there's no justification for 375 // timeout on it more aggressively. For now, there's no justification for
373 // the additional effort this would introduce. 376 // the additional effort this would introduce.
374 377
375 if (!ReadPolicyFromGPO(scope, &gpo_dict, &status)) { 378 if (is_enterprise || !ReadPolicyFromGPO(scope, &gpo_dict, &status)) {
376 VLOG(1) << "Failed to read GPO files for " << scope 379 VLOG(1) << (!is_enterprise ? "Failed to read GPO files for " : "For ")
377 << " falling back to registry."; 380 << scope << " falling back to registry.";
Mattias Nissler (ping if slow) 2014/02/05 13:23:42 This is silly. Just turn the log message into: VL
pastarmovj 2014/02/05 14:05:45 The idea was to achieve both with one go :)
378 gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_); 381 gpo_dict.ReadRegistry(kScopes[i].hive, chrome_policy_key_);
379 } 382 }
380 383
381 // Remove special-cased entries from the GPO dictionary. 384 // Remove special-cased entries from the GPO dictionary.
382 scoped_ptr<RegistryDict> recommended_dict( 385 scoped_ptr<RegistryDict> recommended_dict(
383 gpo_dict.RemoveKey(kKeyRecommended)); 386 gpo_dict.RemoveKey(kKeyRecommended));
384 scoped_ptr<RegistryDict> third_party_dict( 387 scoped_ptr<RegistryDict> third_party_dict(
385 gpo_dict.RemoveKey(kKeyThirdParty)); 388 gpo_dict.RemoveKey(kKeyThirdParty));
386 389
387 // Load Chrome policy. 390 // Load Chrome policy.
(...skipping 204 matching lines...) Expand 10 before | Expand all | Expand 10 after
592 595
593 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) { 596 void PolicyLoaderWin::OnObjectSignaled(HANDLE object) {
594 DCHECK(object == user_policy_changed_event_.handle() || 597 DCHECK(object == user_policy_changed_event_.handle() ||
595 object == machine_policy_changed_event_.handle()) 598 object == machine_policy_changed_event_.handle())
596 << "unexpected object signaled policy reload, obj = " 599 << "unexpected object signaled policy reload, obj = "
597 << std::showbase << std::hex << object; 600 << std::showbase << std::hex << object;
598 Reload(false); 601 Reload(false);
599 } 602 }
600 603
601 } // namespace policy 604 } // namespace policy
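Review bot: The `is_enterprise` short-circuit at new line 378 switches the trusted policy source to the registry without any comment recording why that is safe on domain-enrolled machines, and it also bypasses the only visible call that receives `&status`. Because `is_enterprise ||` is evaluated first, `ReadPolicyFromGPO(scope, &gpo_dict, &status)` never runs on those machines, so whatever `PolicyLoadStatusSample` reports is presumably left unset for enterprise loads; it is worth confirming that this is intended. I would declare the flag as `const bool is_enterprise = base::win::IsEnrolledToDomain();` and add a comment above it stating that on domain-enrolled machines the values under `chrome_policy_key_` are read from the registry in place of the GPO files, and what makes that source trustworthy there. The enclosing function begins and ends in the skipped regions, so how `status` and the merged bundle are consumed is not visible here.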