Add a new app API to enable watchdog behavior restarts in kiosk apps

extensions/browser/api/runtime/runtime_api.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/browser/api/runtime/runtime_api.h"
 
 #include <memory>
 #include <utility>
 
 #include "base/lazy_instance.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram.h"
 #include "base/single_thread_task_runner.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "base/version.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "components/prefs/pref_service.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "extensions/browser/api/runtime/runtime_api_delegate.h"
 #include "extensions/browser/event_router.h"
 #include "extensions/browser/extension_host.h"
 #include "extensions/browser/extension_prefs.h"
 #include "extensions/browser/extension_registry.h"
@@ skipping 44 matching lines @@
     "pending_on_installed_event_dispatch_info";
 
 // Previously installed version number.
 const char kPrefPreviousVersion[] = "previous_version";
 
 // The name of the directory to be returned by getPackageDirectoryEntry. This
 // particular value does not matter to user code, but is chosen for consistency
 // with the equivalent Pepper API.
 const char kPackageDirectoryPath[] = "crxfs";
 
+// Preference key for storing the last successful restart due to a call to
+// chrome.runtime.restartAfterDelay().
+constexpr char kPrefLastRestartAfterDelayTime[] =
+    "last_restart_after_delay_time";
+// Preference key for storing whether the most recent restart was due to a
+// successful call to chrome.runtime.restartAfterDelay().
+constexpr char kPrefLastRestartWasDuetoDelayedRestartApi[] =
+    "last_restart_was_due_to_delayed_restart_api";
+
+// Error and status messages strings for the restartAfterDelay() API.
+constexpr char kErrorInvalidArgument[] = "Invalid argument: *.";
+constexpr char kErrorOnlyKioskModeAllowed[] =
+    "API available only for ChromeOS kiosk mode.";
+constexpr char kErrorOnlyFirstExtensionAllowed[] =
+    "Not the first extension to call this API.";
+constexpr char kErrorInvalidStatus[] = "Invalid restart request status.";
+constexpr char kErrorRequestedTooSoon[] =
+    "Restart was requested too soon. It was throttled instead.";
+
+constexpr int kMinDurationBetweenSuccessiveRestartsHours = 3;
+
+// This is used for unit tests, so that we can test the restartAfterDelay
+// API without a kiosk app.
+bool allow_non_kiosk_apps_restart_api_for_test = false;
+
 void DispatchOnStartupEventImpl(BrowserContext* browser_context,
                                 const std::string& extension_id,
                                 bool first_call,
                                 ExtensionHost* host) {
   // A NULL host from the LazyBackgroundTaskQueue means the page failed to
   // load. Give up.
   if (!host && !first_call)
     return;
 
   // Don't send onStartup events to incognito browser contexts.
@@ skipping 51 matching lines @@
 ///////////////////////////////////////////////////////////////////////////////
 
 static base::LazyInstance<BrowserContextKeyedAPIFactory<RuntimeAPI> >
     g_factory = LAZY_INSTANCE_INITIALIZER;
 
 // static
 BrowserContextKeyedAPIFactory<RuntimeAPI>* RuntimeAPI::GetFactoryInstance() {
   return g_factory.Pointer();
 }
 
+// static
+void RuntimeAPI::RegisterPrefs(PrefRegistrySimple* registry) {
+  registry->RegisterBooleanPref(kPrefLastRestartWasDuetoDelayedRestartApi,

[Devlin, 2016/06/14 16:27:21]

nit: DueTo, not Dueto

[afakhry, 2016/06/14 18:00:04]

Done.

+                                false);
+  registry->RegisterDoublePref(kPrefLastRestartAfterDelayTime, 0.0);
+}
+
 template <>
 void BrowserContextKeyedAPIFactory<RuntimeAPI>::DeclareFactoryDependencies() {
   DependsOn(ProcessManagerFactory::GetInstance());
 }
 
 RuntimeAPI::RuntimeAPI(content::BrowserContext* context)
     : browser_context_(context),
+      extension_registry_observer_(this),
+      process_manager_observer_(this),
+      minimum_duration_between_restarts_(base::TimeDelta::FromHours(
+          kMinDurationBetweenSuccessiveRestartsHours)),
       dispatch_chrome_updated_event_(false),
-      extension_registry_observer_(this),
-      process_manager_observer_(this) {
+      did_read_delayed_restart_preferences_(false),
+      was_last_restart_due_to_delayed_restart_api_(false),
+      weak_ptr_factory_(this) {
   // RuntimeAPI is redirected in incognito, so |browser_context_| is never
   // incognito.
   DCHECK(!browser_context_->IsOffTheRecord());
 
   registrar_.Add(this,
                  extensions::NOTIFICATION_EXTENSIONS_READY_DEPRECATED,
                  content::Source<BrowserContext>(context));
   extension_registry_observer_.Add(ExtensionRegistry::Get(browser_context_));
   process_manager_observer_.Add(ProcessManager::Get(browser_context_));
 
@@ skipping 138 matching lines @@
 
 void RuntimeAPI::OpenURL(const GURL& update_url) {
   delegate_->OpenURL(update_url);
 }
 
 bool RuntimeAPI::GetPlatformInfo(runtime::PlatformInfo* info) {
   return delegate_->GetPlatformInfo(info);
 }
 
 bool RuntimeAPI::RestartDevice(std::string* error_message) {
+  if (was_last_restart_due_to_delayed_restart_api_ &&
+      (ExtensionsBrowserClient::Get()->IsRunningInForcedAppMode() ||
+       allow_non_kiosk_apps_restart_api_for_test)) {
+    // We don't allow an app by calling chrome.runtime.restart() to clear the
+    // throttle enforced on it when calling chrome.runtime.restartAfterDelay(),
+    // i.e. the app can't unthrottle itself.
+    // When running in forced kiosk app mode, we assume the following restart
+    // request will succeed.
+    PrefService* pref_service =
+        ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+            browser_context_);
+    DCHECK(pref_service);
+    pref_service->SetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi, true);
+  }
   return delegate_->RestartDevice(error_message);
+  ;

[Devlin, 2016/06/14 16:27:21]

delete

[afakhry, 2016/06/14 18:00:04]

Not sure where that came from. Done!

+}
+
+RuntimeAPI::RestartOnWatchdogStatus RuntimeAPI::RestartDeviceAfterDelay(
+    const std::string& extension_id,
+    int seconds_from_now) {
+  // To achieve as much accuracy as possible, record the time of the call as
+  // |now| here.
+  const base::Time now = base::Time::NowFromSystemTime();
+
+  if (schedule_restart_first_extension_id_.empty()) {
+    schedule_restart_first_extension_id_ = extension_id;
+  } else if (extension_id != schedule_restart_first_extension_id_) {
+    // We only allow the first extension to call this API to call it repeatedly.
+    // Any other extension will fail.
+    return RestartOnWatchdogStatus::FAILED_NOT_FIRST_EXTENSION;
+  }
+
+  MaybeCancelRunningDelayedRestartTimer();
+
+  if (seconds_from_now == -1) {
+    // We already stopped the running timer (if any).
+    return RestartOnWatchdogStatus::SUCCESS_RESTART_CANCELED;
+  }
+
+  if (!did_read_delayed_restart_preferences_) {
+    // Try to read any previous successful restart attempt time resulting from
+    // this API.
+    PrefService* pref_service =
+        ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+            browser_context_);
+    DCHECK(pref_service);
+
+    was_last_restart_due_to_delayed_restart_api_ =
+        pref_service->GetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi);
+    if (was_last_restart_due_to_delayed_restart_api_) {
+      // We clear this bit if the previous restart was due to this API, so that
+      // we don't throttle restart requests coming after other restarts or
+      // shutdowns not caused by the runtime API.
+      pref_service->SetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi,
+                               false);
+    }
+
+    last_delayed_restart_time_ = base::Time::FromDoubleT(
+        pref_service->GetDouble(kPrefLastRestartAfterDelayTime));
+
+    if (!allow_non_kiosk_apps_restart_api_for_test) {
+      // Don't read every time unless in tests.
+      did_read_delayed_restart_preferences_ = true;
+    }
+  }
+
+  return ScheduleDelayedRestart(now, seconds_from_now);
 }
 
 bool RuntimeAPI::OpenOptionsPage(const Extension* extension) {
   return delegate_->OpenOptionsPage(extension);
 }
 
+void RuntimeAPI::MaybeCancelRunningDelayedRestartTimer() {
+  if (restart_after_delay_timer_.IsRunning())
+    restart_after_delay_timer_.Stop();
+}
+
+RuntimeAPI::RestartOnWatchdogStatus RuntimeAPI::ScheduleDelayedRestart(
+    const base::Time& now,
+    int seconds_from_now) {
+  base::TimeDelta delay_till_restart =
+      base::TimeDelta::FromSeconds(seconds_from_now);
+
+  // Throttle restart requests that are received too soon successively, only if
+  // the previous restart was due to this API.
+  bool was_throttled = false;
+  if (was_last_restart_due_to_delayed_restart_api_) {
+    base::Time future_restart_time = now + delay_till_restart;
+    base::TimeDelta future_time_since_last_restart =

[Devlin, 2016/06/14 16:27:21]

nit: "future_time_since_last_restart" sounds a little weird to me.  Maybe
"delta_since_last_restart"?

[afakhry, 2016/06/14 18:00:05]

Done.

+        future_restart_time > last_delayed_restart_time_

[Devlin, 2016/06/14 16:27:21]

When would this be false (exempting cases of e.g. pref corruption)?  If this is
false, won't it also cause problems on line 461?

[afakhry, 2016/06/14 18:00:04]

Could be corruption, or the device wall clock has changed somehow, making
|last_delayed_restart_time_| in the future.

Thanks for spotting this issue! It should be TimeDelta::Max() to avoid
throttling in this case.

+            ? future_restart_time - last_delayed_restart_time_
+            : base::TimeDelta();
+    if (future_time_since_last_restart < minimum_duration_between_restarts_) {
+      // Schedule the restart after |minimum_duration_between_restarts_| has
+      // passed.
+      delay_till_restart = minimum_duration_between_restarts_ -
+                           (now - last_delayed_restart_time_);
+      was_throttled = true;
+    }
+  }
+
+  restart_after_delay_timer_.Start(
+      FROM_HERE, delay_till_restart,
+      base::Bind(&RuntimeAPI::OnDelayedRestartTimerTimeout,
+                 weak_ptr_factory_.GetWeakPtr()));
+
+  return was_throttled ? RestartOnWatchdogStatus::FAILED_THROTTLED
+                       : RestartOnWatchdogStatus::SUCCESS_RESTART_SCHEDULED;
+}
+
+void RuntimeAPI::OnDelayedRestartTimerTimeout() {
+  // We can persist "now" as the last successful restart time, assuming that the
+  // following restart request will succeed, since it can only fail if requested
+  // by non kiosk apps, and we prevent that from the beginning (unless in
+  // unit tests).
+  // This assumption is important, since once restart is requested, we might not
+  // have enough time to persist the data to disk.
+  double now = base::Time::NowFromSystemTime().ToDoubleT();
+  PrefService* pref_service =
+      ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+          browser_context_);
+  DCHECK(pref_service);
+  pref_service->SetDouble(kPrefLastRestartAfterDelayTime, now);
+  pref_service->SetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi, true);
+
+  std::string error_message;
+  const bool success = delegate_->RestartDevice(&error_message);
+
+  if (!success && !allow_non_kiosk_apps_restart_api_for_test) {

[Devlin, 2016/06/14 16:27:21]

DCHECK?

[afakhry, 2016/06/14 18:00:04]

Done.

+    // This is breaking our above assumption and should never be reached.
+    NOTREACHED();
+  }
+}
+
+void RuntimeAPI::AllowNonKioskAppsInRestartAfterDelayForTesting() {
+  allow_non_kiosk_apps_restart_api_for_test = true;
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 
 // static
 void RuntimeEventRouter::DispatchOnStartupEvent(
     content::BrowserContext* context,
     const std::string& extension_id) {
   DispatchOnStartupEventImpl(context, extension_id, true, NULL);
 }
 
 // static
@@ skipping 207 matching lines @@
   std::string message;
   bool result =
       RuntimeAPI::GetFactoryInstance()->Get(browser_context())->RestartDevice(
           &message);
   if (!result) {
     return RespondNow(Error(message));
   }
   return RespondNow(NoArguments());
 }
 
+ExtensionFunction::ResponseAction RuntimeRestartAfterDelayFunction::Run() {
+  if (!allow_non_kiosk_apps_restart_api_for_test &&
+      !ExtensionsBrowserClient::Get()->IsRunningInForcedAppMode()) {
+    return RespondNow(Error(kErrorOnlyKioskModeAllowed));
+  }
+
+  std::unique_ptr<api::runtime::RestartAfterDelay::Params> params(
+      api::runtime::RestartAfterDelay::Params::Create(*args_));
+  EXTENSION_FUNCTION_VALIDATE(params.get());
+  int seconds = params->seconds;
+
+  if (seconds < -1)

[Devlin, 2016/06/14 16:27:21]

maybe also catch 0?

[afakhry, 2016/06/14 18:00:04]

Done.

+    return RespondNow(Error(kErrorInvalidArgument, base::IntToString(seconds)));
+
+  RuntimeAPI::RestartOnWatchdogStatus request_status =
+      RuntimeAPI::GetFactoryInstance()
+          ->Get(browser_context())
+          ->RestartDeviceAfterDelay(extension()->id(), seconds);
+
+  switch (request_status) {
+    case RuntimeAPI::RestartOnWatchdogStatus::FAILED_NOT_FIRST_EXTENSION:
+      return RespondNow(Error(kErrorOnlyFirstExtensionAllowed));
+
+    case RuntimeAPI::RestartOnWatchdogStatus::FAILED_THROTTLED:
+      return RespondNow(Error(kErrorRequestedTooSoon));
+
+    case RuntimeAPI::RestartOnWatchdogStatus::SUCCESS_RESTART_CANCELED:
+    case RuntimeAPI::RestartOnWatchdogStatus::SUCCESS_RESTART_SCHEDULED:
+      return RespondNow(NoArguments());
+  }
+
+  NOTREACHED();
+  return RespondNow(Error(kErrorInvalidStatus));
+}
+
 ExtensionFunction::ResponseAction RuntimeGetPlatformInfoFunction::Run() {
   runtime::PlatformInfo info;
   if (!RuntimeAPI::GetFactoryInstance()
            ->Get(browser_context())
            ->GetPlatformInfo(&info)) {
     return RespondNow(Error(kPlatformInfoUnavailable));
   }
   return RespondNow(
       ArgumentList(runtime::GetPlatformInfo::Results::Create(info)));
 }
@@ skipping 13 matching lines @@
   content::ChildProcessSecurityPolicy* policy =
       content::ChildProcessSecurityPolicy::GetInstance();
   policy->GrantReadFileSystem(renderer_id, filesystem_id);
   std::unique_ptr<base::DictionaryValue> dict(new base::DictionaryValue());
   dict->SetString("fileSystemId", filesystem_id);
   dict->SetString("baseName", relative_path);
   return RespondNow(OneArgument(std::move(dict)));
 }
 
 }  // namespace extensions