Add a new app API to enable watchdog behavior restarts in kiosk apps

extensions/browser/api/runtime/runtime_api.cc

Index: extensions/browser/api/runtime/runtime_api.cc
diff --git a/extensions/browser/api/runtime/runtime_api.cc b/extensions/browser/api/runtime/runtime_api.cc
index 79e7c97e48c2a502739687c5e90c07e38c54e166..788f2a63b5cb995f649427415af4532b6929b39a 100644
--- a/extensions/browser/api/runtime/runtime_api.cc
+++ b/extensions/browser/api/runtime/runtime_api.cc
@@ -13,9 +13,12 @@
 #include "base/memory/ptr_util.h"
 #include "base/metrics/histogram.h"
 #include "base/single_thread_task_runner.h"
+#include "base/strings/string_number_conversions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "base/version.h"
+#include "components/prefs/pref_registry_simple.h"
+#include "components/prefs/pref_service.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/child_process_security_policy.h"
 #include "content/public/browser/notification_service.h"
@@ -80,6 +83,31 @@ const char kPrefPreviousVersion[] = "previous_version";
 // with the equivalent Pepper API.
 const char kPackageDirectoryPath[] = "crxfs";
 
+// Preference key for storing the last successful restart due to a call to
+// chrome.runtime.restartAfterDelay().
+constexpr char kPrefLastRestartAfterDelayTime[] =
+    "last_restart_after_delay_time";
+// Preference key for storing whether the most recent restart was due to a
+// successful call to chrome.runtime.restartAfterDelay().
+constexpr char kPrefLastRestartWasDuetoDelayedRestartApi[] =
+    "last_restart_was_due_to_delayed_restart_api";
+
+// Error and status messages strings for the restartAfterDelay() API.
+constexpr char kErrorInvalidArgument[] = "Invalid argument: *.";
+constexpr char kErrorOnlyKioskModeAllowed[] =
+    "API available only for ChromeOS kiosk mode.";
+constexpr char kErrorOnlyFirstExtensionAllowed[] =
+    "Not the first extension to call this API.";
+constexpr char kErrorInvalidStatus[] = "Invalid restart request status.";
+constexpr char kErrorRequestedTooSoon[] =
+    "Restart was requested too soon. It was throttled instead.";
+
+constexpr int kMinDurationBetweenSuccessiveRestartsHours = 3;
+
+// This is used for unit tests, so that we can test the restartAfterDelay
+// API without a kiosk app.
+bool allow_non_kiosk_apps_restart_api_for_test = false;
+
 void DispatchOnStartupEventImpl(BrowserContext* browser_context,
                                 const std::string& extension_id,
                                 bool first_call,
@@ -151,6 +179,13 @@ BrowserContextKeyedAPIFactory<RuntimeAPI>* RuntimeAPI::GetFactoryInstance() {
   return g_factory.Pointer();
 }
 
+// static
+void RuntimeAPI::RegisterPrefs(PrefRegistrySimple* registry) {
+  registry->RegisterBooleanPref(kPrefLastRestartWasDuetoDelayedRestartApi,

[Devlin, 2016/06/14 16:27:21]

nit: DueTo, not Dueto

[afakhry, 2016/06/14 18:00:04]

Done.

+                                false);
+  registry->RegisterDoublePref(kPrefLastRestartAfterDelayTime, 0.0);
+}
+
 template <>
 void BrowserContextKeyedAPIFactory<RuntimeAPI>::DeclareFactoryDependencies() {
   DependsOn(ProcessManagerFactory::GetInstance());
@@ -158,9 +193,14 @@ void BrowserContextKeyedAPIFactory<RuntimeAPI>::DeclareFactoryDependencies() {
 
 RuntimeAPI::RuntimeAPI(content::BrowserContext* context)
     : browser_context_(context),
-      dispatch_chrome_updated_event_(false),
       extension_registry_observer_(this),
-      process_manager_observer_(this) {
+      process_manager_observer_(this),
+      minimum_duration_between_restarts_(base::TimeDelta::FromHours(
+          kMinDurationBetweenSuccessiveRestartsHours)),
+      dispatch_chrome_updated_event_(false),
+      did_read_delayed_restart_preferences_(false),
+      was_last_restart_due_to_delayed_restart_api_(false),
+      weak_ptr_factory_(this) {
   // RuntimeAPI is redirected in incognito, so |browser_context_| is never
   // incognito.
   DCHECK(!browser_context_->IsOffTheRecord());
@@ -319,13 +359,146 @@ bool RuntimeAPI::GetPlatformInfo(runtime::PlatformInfo* info) {
 }
 
 bool RuntimeAPI::RestartDevice(std::string* error_message) {
+  if (was_last_restart_due_to_delayed_restart_api_ &&
+      (ExtensionsBrowserClient::Get()->IsRunningInForcedAppMode() ||
+       allow_non_kiosk_apps_restart_api_for_test)) {
+    // We don't allow an app by calling chrome.runtime.restart() to clear the
+    // throttle enforced on it when calling chrome.runtime.restartAfterDelay(),
+    // i.e. the app can't unthrottle itself.
+    // When running in forced kiosk app mode, we assume the following restart
+    // request will succeed.
+    PrefService* pref_service =
+        ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+            browser_context_);
+    DCHECK(pref_service);
+    pref_service->SetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi, true);
+  }
   return delegate_->RestartDevice(error_message);
+  ;

[Devlin, 2016/06/14 16:27:21]

delete

[afakhry, 2016/06/14 18:00:04]

Not sure where that came from. Done!

+}
+
+RuntimeAPI::RestartOnWatchdogStatus RuntimeAPI::RestartDeviceAfterDelay(
+    const std::string& extension_id,
+    int seconds_from_now) {
+  // To achieve as much accuracy as possible, record the time of the call as
+  // |now| here.
+  const base::Time now = base::Time::NowFromSystemTime();
+
+  if (schedule_restart_first_extension_id_.empty()) {
+    schedule_restart_first_extension_id_ = extension_id;
+  } else if (extension_id != schedule_restart_first_extension_id_) {
+    // We only allow the first extension to call this API to call it repeatedly.
+    // Any other extension will fail.
+    return RestartOnWatchdogStatus::FAILED_NOT_FIRST_EXTENSION;
+  }
+
+  MaybeCancelRunningDelayedRestartTimer();
+
+  if (seconds_from_now == -1) {
+    // We already stopped the running timer (if any).
+    return RestartOnWatchdogStatus::SUCCESS_RESTART_CANCELED;
+  }
+
+  if (!did_read_delayed_restart_preferences_) {
+    // Try to read any previous successful restart attempt time resulting from
+    // this API.
+    PrefService* pref_service =
+        ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+            browser_context_);
+    DCHECK(pref_service);
+
+    was_last_restart_due_to_delayed_restart_api_ =
+        pref_service->GetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi);
+    if (was_last_restart_due_to_delayed_restart_api_) {
+      // We clear this bit if the previous restart was due to this API, so that
+      // we don't throttle restart requests coming after other restarts or
+      // shutdowns not caused by the runtime API.
+      pref_service->SetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi,
+                               false);
+    }
+
+    last_delayed_restart_time_ = base::Time::FromDoubleT(
+        pref_service->GetDouble(kPrefLastRestartAfterDelayTime));
+
+    if (!allow_non_kiosk_apps_restart_api_for_test) {
+      // Don't read every time unless in tests.
+      did_read_delayed_restart_preferences_ = true;
+    }
+  }
+
+  return ScheduleDelayedRestart(now, seconds_from_now);
 }
 
 bool RuntimeAPI::OpenOptionsPage(const Extension* extension) {
   return delegate_->OpenOptionsPage(extension);
 }
 
+void RuntimeAPI::MaybeCancelRunningDelayedRestartTimer() {
+  if (restart_after_delay_timer_.IsRunning())
+    restart_after_delay_timer_.Stop();
+}
+
+RuntimeAPI::RestartOnWatchdogStatus RuntimeAPI::ScheduleDelayedRestart(
+    const base::Time& now,
+    int seconds_from_now) {
+  base::TimeDelta delay_till_restart =
+      base::TimeDelta::FromSeconds(seconds_from_now);
+
+  // Throttle restart requests that are received too soon successively, only if
+  // the previous restart was due to this API.
+  bool was_throttled = false;
+  if (was_last_restart_due_to_delayed_restart_api_) {
+    base::Time future_restart_time = now + delay_till_restart;
+    base::TimeDelta future_time_since_last_restart =

[Devlin, 2016/06/14 16:27:21]

nit: "future_time_since_last_restart" sounds a little weird to me.  Maybe
"delta_since_last_restart"?

[afakhry, 2016/06/14 18:00:05]

Done.

+        future_restart_time > last_delayed_restart_time_

[Devlin, 2016/06/14 16:27:21]

When would this be false (exempting cases of e.g. pref corruption)?  If this is
false, won't it also cause problems on line 461?

[afakhry, 2016/06/14 18:00:04]

Could be corruption, or the device wall clock has changed somehow, making
|last_delayed_restart_time_| in the future.

Thanks for spotting this issue! It should be TimeDelta::Max() to avoid
throttling in this case.

+            ? future_restart_time - last_delayed_restart_time_
+            : base::TimeDelta();
+    if (future_time_since_last_restart < minimum_duration_between_restarts_) {
+      // Schedule the restart after |minimum_duration_between_restarts_| has
+      // passed.
+      delay_till_restart = minimum_duration_between_restarts_ -
+                           (now - last_delayed_restart_time_);
+      was_throttled = true;
+    }
+  }
+
+  restart_after_delay_timer_.Start(
+      FROM_HERE, delay_till_restart,
+      base::Bind(&RuntimeAPI::OnDelayedRestartTimerTimeout,
+                 weak_ptr_factory_.GetWeakPtr()));
+
+  return was_throttled ? RestartOnWatchdogStatus::FAILED_THROTTLED
+                       : RestartOnWatchdogStatus::SUCCESS_RESTART_SCHEDULED;
+}
+
+void RuntimeAPI::OnDelayedRestartTimerTimeout() {
+  // We can persist "now" as the last successful restart time, assuming that the
+  // following restart request will succeed, since it can only fail if requested
+  // by non kiosk apps, and we prevent that from the beginning (unless in
+  // unit tests).
+  // This assumption is important, since once restart is requested, we might not
+  // have enough time to persist the data to disk.
+  double now = base::Time::NowFromSystemTime().ToDoubleT();
+  PrefService* pref_service =
+      ExtensionsBrowserClient::Get()->GetPrefServiceForContext(
+          browser_context_);
+  DCHECK(pref_service);
+  pref_service->SetDouble(kPrefLastRestartAfterDelayTime, now);
+  pref_service->SetBoolean(kPrefLastRestartWasDuetoDelayedRestartApi, true);
+
+  std::string error_message;
+  const bool success = delegate_->RestartDevice(&error_message);
+
+  if (!success && !allow_non_kiosk_apps_restart_api_for_test) {

[Devlin, 2016/06/14 16:27:21]

DCHECK?

[afakhry, 2016/06/14 18:00:04]

Done.

+    // This is breaking our above assumption and should never be reached.
+    NOTREACHED();
+  }
+}
+
+void RuntimeAPI::AllowNonKioskAppsInRestartAfterDelayForTesting() {
+  allow_non_kiosk_apps_restart_api_for_test = true;
+}
+
 ///////////////////////////////////////////////////////////////////////////////
 
 // static
@@ -553,6 +726,41 @@ ExtensionFunction::ResponseAction RuntimeRestartFunction::Run() {
   return RespondNow(NoArguments());
 }
 
+ExtensionFunction::ResponseAction RuntimeRestartAfterDelayFunction::Run() {
+  if (!allow_non_kiosk_apps_restart_api_for_test &&
+      !ExtensionsBrowserClient::Get()->IsRunningInForcedAppMode()) {
+    return RespondNow(Error(kErrorOnlyKioskModeAllowed));
+  }
+
+  std::unique_ptr<api::runtime::RestartAfterDelay::Params> params(
+      api::runtime::RestartAfterDelay::Params::Create(*args_));
+  EXTENSION_FUNCTION_VALIDATE(params.get());
+  int seconds = params->seconds;
+
+  if (seconds < -1)

[Devlin, 2016/06/14 16:27:21]

maybe also catch 0?

[afakhry, 2016/06/14 18:00:04]

Done.

+    return RespondNow(Error(kErrorInvalidArgument, base::IntToString(seconds)));
+
+  RuntimeAPI::RestartOnWatchdogStatus request_status =
+      RuntimeAPI::GetFactoryInstance()
+          ->Get(browser_context())
+          ->RestartDeviceAfterDelay(extension()->id(), seconds);
+
+  switch (request_status) {
+    case RuntimeAPI::RestartOnWatchdogStatus::FAILED_NOT_FIRST_EXTENSION:
+      return RespondNow(Error(kErrorOnlyFirstExtensionAllowed));
+
+    case RuntimeAPI::RestartOnWatchdogStatus::FAILED_THROTTLED:
+      return RespondNow(Error(kErrorRequestedTooSoon));
+
+    case RuntimeAPI::RestartOnWatchdogStatus::SUCCESS_RESTART_CANCELED:
+    case RuntimeAPI::RestartOnWatchdogStatus::SUCCESS_RESTART_SCHEDULED:
+      return RespondNow(NoArguments());
+  }
+
+  NOTREACHED();
+  return RespondNow(Error(kErrorInvalidStatus));
+}
+
 ExtensionFunction::ResponseAction RuntimeGetPlatformInfoFunction::Run() {
   runtime::PlatformInfo info;
   if (!RuntimeAPI::GetFactoryInstance()