Add a new app API to enable watchdog behavior restarts in kiosk apps

extensions/browser/api/runtime/runtime_api.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/runtime/runtime_api.h"
 
 #include <memory>
 #include <utility>
 
 #include "base/lazy_instance.h"
 #include "base/logging.h"
 #include "base/metrics/histogram.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/values.h"
 #include "base/version.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "components/prefs/pref_service.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "extensions/browser/api/runtime/runtime_api_delegate.h"
 #include "extensions/browser/event_router.h"
 #include "extensions/browser/extension_host.h"
 #include "extensions/browser/extension_prefs.h"
 #include "extensions/browser/extension_registry.h"
@@ skipping 44 matching lines @@
     "pending_on_installed_event_dispatch_info";
 
 // Previously installed version number.
 const char kPrefPreviousVersion[] = "previous_version";
 
 // The name of the directory to be returned by getPackageDirectoryEntry. This
 // particular value does not matter to user code, but is chosen for consistency
 // with the equivalent Pepper API.
 const char kPackageDirectoryPath[] = "crxfs";
 
+// Preference key for storing the last successful restart on watchdog requests.
+constexpr char kPrefRestartOnWatchdogTime[] = "last_restart_on_watchdog_time";
+
+// Error and status messages strings for the restartOnWatchdog() API.
+constexpr char kErrorInvalidArgument[] = "Invalid argument: *.";
+constexpr char kErrorOnlyKioskModeAllowed[] =
+    "API available only for ChromeOS kiosk mode.";
+constexpr char kErrorOnlyFirstExtensionAllowed[] =
+    "Not the first extension to call this API.";
+constexpr char kErrorInvalidStatus[] = "Invalid restart request status.";
+
+constexpr int kMinDurationBetweenSuccessiveRestartsHours = 3;
+
+// This is used for browsertests, so that we can test the restartOnWatchdog
+// API without a kiost app.
+bool allow_non_kiost_apps_restart_api_for_test = false;
+
 void DispatchOnStartupEventImpl(BrowserContext* browser_context,
                                 const std::string& extension_id,
                                 bool first_call,
                                 ExtensionHost* host) {
   // A NULL host from the LazyBackgroundTaskQueue means the page failed to
   // load. Give up.
   if (!host && !first_call)
     return;
 
   // Don't send onStartup events to incognito browser contexts.
@@ skipping 51 matching lines @@
 ///////////////////////////////////////////////////////////////////////////////
 
 static base::LazyInstance<BrowserContextKeyedAPIFactory<RuntimeAPI> >
     g_factory = LAZY_INSTANCE_INITIALIZER;
 
 // static
 BrowserContextKeyedAPIFactory<RuntimeAPI>* RuntimeAPI::GetFactoryInstance() {
   return g_factory.Pointer();
 }
 
+// static
+void RuntimeAPI::RegisterPrefs(PrefRegistrySimple* registry) {
+  registry->RegisterDoublePref(kPrefRestartOnWatchdogTime, 0.0);
+}
+
 template <>
 void BrowserContextKeyedAPIFactory<RuntimeAPI>::DeclareFactoryDependencies() {
   DependsOn(ProcessManagerFactory::GetInstance());
 }
 
 RuntimeAPI::RuntimeAPI(content::BrowserContext* context)
     : browser_context_(context),
       dispatch_chrome_updated_event_(false),
       extension_registry_observer_(this),
-      process_manager_observer_(this) {
+      process_manager_observer_(this),
+      minimum_duration_between_restarts_(base::TimeDelta::FromHours(
+          kMinDurationBetweenSuccessiveRestartsHours)),
+      weak_ptr_factory_(this) {
   // RuntimeAPI is redirected in incognito, so |browser_context_| is never
   // incognito.
   DCHECK(!browser_context_->IsOffTheRecord());
 
   registrar_.Add(this,
                  extensions::NOTIFICATION_EXTENSIONS_READY_DEPRECATED,
                  content::Source<BrowserContext>(context));
   extension_registry_observer_.Add(ExtensionRegistry::Get(browser_context_));
   process_manager_observer_.Add(ProcessManager::Get(browser_context_));
 
@@ skipping 144 matching lines @@
 }
 
 bool RuntimeAPI::GetPlatformInfo(runtime::PlatformInfo* info) {
   return delegate_->GetPlatformInfo(info);
 }
 
 bool RuntimeAPI::RestartDevice(std::string* error_message) {
   return delegate_->RestartDevice(error_message);
 }
 
+RuntimeAPI::RestartOnWatchdogStatus RuntimeAPI::RestartDeviceOnWatchdogTimeout(
+    const std::string& extension_id,
+    int seconds_from_now) {
+  // To achieve as much accuracy as possible, record the time of the call as
+  // |now| here.
+  const base::Time now = base::Time::NowFromSystemTime();
+
+  if (schedule_restart_first_extension_id_.empty()) {
+    schedule_restart_first_extension_id_ = extension_id;
+  } else if (extension_id != schedule_restart_first_extension_id_) {
+    // We only allow the first extension to call this API to call it repeatedly.
+    // Any other extension will fail.
+    return RestartOnWatchdogStatus::FAILED_NOT_FIRST_EXTENSION;
+  }
+
+  if (seconds_from_now == -1) {
+    MaybeCancelRunningWatchdogTimer();

[Devlin, 2016/05/25 21:53:21]

Given we call this in both cases (here and on line 416), might just make sense
to move it up to 366 and then return here with a comment "// We already stopped
the running timer."

[afakhry, 2016/05/26 00:18:39]

Done.

+    return RestartOnWatchdogStatus::SUCCESS_RESTART_CANCELLED;
+  }
+
+  // Try to read any previous successful restart attempt time resulting from
+  // this API.
+  PrefService* pref_service =
+      ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+          browser_context_);
+  DCHECK(pref_service);
+  double last_restart_time =
+      pref_service->GetDouble(kPrefRestartOnWatchdogTime);
+
+  ScheduleDelayedRestart(now, seconds_from_now, last_restart_time);
+  return RestartOnWatchdogStatus::SUCCESS_RESTART_SCHEDULED;
+}
+
 bool RuntimeAPI::OpenOptionsPage(const Extension* extension) {
   return delegate_->OpenOptionsPage(extension);
 }
 
+void RuntimeAPI::MaybeCancelRunningWatchdogTimer() {
+  if (!watchdog_timer_.IsRunning())

[Devlin, 2016/05/25 21:53:22]

nit: prefer
if (watchdog_timer_.IsRunning())
  watchdog_timer_.Stop();

[afakhry, 2016/05/26 00:18:39]

Done.

+    return;
+
+  watchdog_timer_.Stop();
+}
+
+void RuntimeAPI::ScheduleDelayedRestart(const base::Time& now,
+                                        int seconds_from_now,
+                                        double stored_last_restart) {
+  base::TimeDelta delay_till_restart =
+      base::TimeDelta::FromSeconds(seconds_from_now);
+
+  // Throttle restart requests that are received too soon successively.
+  base::Time last_restart_time = base::Time::FromDoubleT(stored_last_restart);
+  base::Time future_restart_time = now + delay_till_restart;
+  base::TimeDelta future_time_since_last_restart =
+      future_restart_time > last_restart_time
+          ? future_restart_time - last_restart_time
+          : base::TimeDelta();
+  if (future_time_since_last_restart < minimum_duration_between_restarts_) {
+    // Schedule the restart after |minimum_duration_between_restarts_| has
+    // passed.
+    delay_till_restart =
+        minimum_duration_between_restarts_ - (now - last_restart_time);
+  }
+
+  MaybeCancelRunningWatchdogTimer();
+  watchdog_timer_.Start(FROM_HERE, delay_till_restart,
+                        base::Bind(&RuntimeAPI::OnRestartWatchdogTimeout,
+                                   weak_ptr_factory_.GetWeakPtr()));
+}
+
+void RuntimeAPI::OnRestartWatchdogTimeout() {
+  // We can persist "now" as the last successful restart time, assuming that the
+  // following restart request will succeed, since it can only fail if requested
+  // by non kiosk apps, and we prevent that from the beginning (unless in
+  // browsertests).
+  // This assumption is important, since once restart is requested, we might not
+  // have enough time to persist the data to disk.
+  PrefService* pref_service =
+      ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+          browser_context_);
+  DCHECK(pref_service);
+  base::Time now = base::Time::NowFromSystemTime();
+  pref_service->SetDouble(kPrefRestartOnWatchdogTime, now.ToDoubleT());
+
+  std::string error_message;
+  const bool success = delegate_->RestartDevice(&error_message);
+
+  if (!success && !allow_non_kiost_apps_restart_api_for_test) {
+    // This is breaking our above assumption and should never be reached.
+    NOTREACHED();
+  }
+}
+
+void RuntimeAPI::AllowNonKiostAppsInRestartOnWatchdogForTesting() {
+  allow_non_kiost_apps_restart_api_for_test = true;
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 
 // static
 void RuntimeEventRouter::DispatchOnStartupEvent(
     content::BrowserContext* context,
     const std::string& extension_id) {
   DispatchOnStartupEventImpl(context, extension_id, true, NULL);
 }
 
 // static
@@ skipping 206 matching lines @@
   std::string message;
   bool result =
       RuntimeAPI::GetFactoryInstance()->Get(browser_context())->RestartDevice(
           &message);
   if (!result) {
     return RespondNow(Error(message));
   }
   return RespondNow(NoArguments());
 }
 
+ExtensionFunction::ResponseAction RuntimeRestartOnWatchdogFunction::Run() {
+  if (!allow_non_kiost_apps_restart_api_for_test &&
+      !ExtensionsBrowserClient::Get()->IsRunningInForcedAppMode()) {
+    return RespondNow(Error(kErrorOnlyKioskModeAllowed));
+  }
+
+  std::unique_ptr<api::runtime::RestartOnWatchdog::Params> params(
+      api::runtime::RestartOnWatchdog::Params::Create(*args_));
+  EXTENSION_FUNCTION_VALIDATE(params.get());
+  int seconds = params->seconds;
+
+  if (seconds < -1)
+    return RespondNow(Error(kErrorInvalidArgument, base::IntToString(seconds)));
+
+  RuntimeAPI::RestartOnWatchdogStatus request_status =
+      RuntimeAPI::GetFactoryInstance()
+          ->Get(browser_context())
+          ->RestartDeviceOnWatchdogTimeout(extension()->id(), seconds);
+
+  switch (request_status) {
+    case RuntimeAPI::RestartOnWatchdogStatus::FAILED_NOT_FIRST_EXTENSION:
+      return RespondNow(Error(kErrorOnlyFirstExtensionAllowed));
+
+    case RuntimeAPI::RestartOnWatchdogStatus::SUCCESS_RESTART_CANCELLED:
+    case RuntimeAPI::RestartOnWatchdogStatus::SUCCESS_RESTART_SCHEDULED:
+      return RespondNow(NoArguments());
+  }
+
+  NOTREACHED();
+  return RespondNow(Error(kErrorInvalidStatus));
+}
+
 ExtensionFunction::ResponseAction RuntimeGetPlatformInfoFunction::Run() {
   runtime::PlatformInfo info;
   if (!RuntimeAPI::GetFactoryInstance()
            ->Get(browser_context())
            ->GetPlatformInfo(&info)) {
     return RespondNow(Error(kPlatformInfoUnavailable));
   }
   return RespondNow(
       ArgumentList(runtime::GetPlatformInfo::Results::Create(info)));
 }
@@ skipping 13 matching lines @@
   content::ChildProcessSecurityPolicy* policy =
       content::ChildProcessSecurityPolicy::GetInstance();
   policy->GrantReadFileSystem(renderer_id, filesystem_id);
   base::DictionaryValue* dict = new base::DictionaryValue();
   dict->SetString("fileSystemId", filesystem_id);
   dict->SetString("baseName", relative_path);
   return RespondNow(OneArgument(dict));
 }
 
 }  // namespace extensions