Chromium Code Reviews Chromium Code Reviews
Issue 2954293002:
Chromad: Prevent session from starting without policy (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ACTIVE_DIRECTORY_POLICY_MANAGER_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_ACTIVE_DIRECTORY_POLICY_MANAGER_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_POLICY_ACTIVE_DIRECTORY_POLICY_MANAGER_H_ | 6 #define CHROME_BROWSER_CHROMEOS_POLICY_ACTIVE_DIRECTORY_POLICY_MANAGER_H_ |
| 7 | 7 |
| 8 #include <memory> | 8 #include <memory> |
| 9 | 9 |
| 10 #include "base/bind.h" | |
| 10 #include "base/macros.h" | 11 #include "base/macros.h" |
| 11 #include "base/memory/weak_ptr.h" | 12 #include "base/memory/weak_ptr.h" |
| 13 #include "base/time/time.h" | |
| 14 #include "base/timer/timer.h" | |
| 12 #include "components/policy/core/common/cloud/cloud_policy_store.h" | 15 #include "components/policy/core/common/cloud/cloud_policy_store.h" |
| 13 #include "components/policy/core/common/configuration_policy_provider.h" | 16 #include "components/policy/core/common/configuration_policy_provider.h" |
| 14 #include "components/policy/core/common/policy_scheduler.h" | 17 #include "components/policy/core/common/policy_scheduler.h" |
| 15 #include "components/signin/core/account_id/account_id.h" | 18 #include "components/signin/core/account_id/account_id.h" |
| 16 | 19 |
| 17 namespace policy { | 20 namespace policy { |
| 18 | 21 |
| 19 // ConfigurationPolicyProvider for device or user policy from Active Directory. | 22 // ConfigurationPolicyProvider for device or user policy from Active Directory. |
| 20 // The choice of constructor determines whether device or user policy is | 23 // The choice of constructor determines whether device or user policy is |
| 21 // provided. The policy is fetched from the Domain Controller by authpolicyd | 24 // provided. The policy is fetched from the Domain Controller by authpolicyd |
| 22 // which stores it in session manager and from where it is loaded by | 25 // which stores it in session manager and from where it is loaded by |
| 23 // ActiveDirectoryPolicyManager. | 26 // ActiveDirectoryPolicyManager. |
| 24 class ActiveDirectoryPolicyManager : public ConfigurationPolicyProvider, | 27 class ActiveDirectoryPolicyManager : public ConfigurationPolicyProvider, |
| 25 public CloudPolicyStore::Observer { | 28 public CloudPolicyStore::Observer { |
| 26 public: | 29 public: |
| 27 ~ActiveDirectoryPolicyManager() override; | 30 ~ActiveDirectoryPolicyManager() override; |
| 28 | 31 |
| 29 // Create manager for device policy. | 32 // Create manager for device policy. |
| 30 static std::unique_ptr<ActiveDirectoryPolicyManager> CreateForDevicePolicy( | 33 static std::unique_ptr<ActiveDirectoryPolicyManager> CreateForDevicePolicy( |
| 31 std::unique_ptr<CloudPolicyStore> store); | 34 std::unique_ptr<CloudPolicyStore> store); |
| 32 | 35 |
| 33 // Create manager for |accound_id| user policy. | 36 // Create manager for |accound_id| user policy. |
| 34 static std::unique_ptr<ActiveDirectoryPolicyManager> CreateForUserPolicy( | 37 static std::unique_ptr<ActiveDirectoryPolicyManager> CreateForUserPolicy( |
| 35 const AccountId& account_id, | 38 const AccountId& account_id, |
| 39 bool wait_for_policy_fetch, | |
| 40 base::TimeDelta initial_policy_fetch_timeout, | |
| 41 base::OnceClosure exit_session, | |
| 36 std::unique_ptr<CloudPolicyStore> store); | 42 std::unique_ptr<CloudPolicyStore> store); |
| 37 | 43 |
| 38 // ConfigurationPolicyProvider: | 44 // ConfigurationPolicyProvider: |
| 39 void Init(SchemaRegistry* registry) override; | 45 void Init(SchemaRegistry* registry) override; |
| 40 void Shutdown() override; | 46 void Shutdown() override; |
| 41 bool IsInitializationComplete(PolicyDomain domain) const override; | 47 bool IsInitializationComplete(PolicyDomain domain) const override; |
| 42 void RefreshPolicies() override; | 48 void RefreshPolicies() override; |
| 43 | 49 |
| 44 // CloudPolicyStore::Observer: | 50 // CloudPolicyStore::Observer: |
| 45 void OnStoreLoaded(CloudPolicyStore* cloud_policy_store) override; | 51 void OnStoreLoaded(CloudPolicyStore* cloud_policy_store) override; |
| 46 void OnStoreError(CloudPolicyStore* cloud_policy_store) override; | 52 void OnStoreError(CloudPolicyStore* cloud_policy_store) override; |
| 47 | 53 |
| 48 CloudPolicyStore* store() const { return store_.get(); } | 54 CloudPolicyStore* store() const { return store_.get(); } |
| 49 | 55 |
| 56 // Helper function to force a policy fetch timeout. | |
| 57 void ForceTimeoutForTest(); | |
| 58 | |
| 50 private: | 59 private: |
| 51 // |account_id| specifies the user to manage policy for. If |account_id| is | 60 // |account_id| specifies the user to manage policy for. If |account_id| is |
| 52 // empty, device policy is managed. | 61 // empty, device policy is managed. If |wait_for_policy_fetch| is true, |
| 62 // IsInitializationComplete() is forced to false until either there has been a | |
| 63 // successful policy fetch from the server or |initial_policy_fetch_timeout| | |
| 64 // has expired. (The timeout may be set to TimeDelta::Max() to block | |
| 65 // permanently.) | |
| 53 ActiveDirectoryPolicyManager(const AccountId& account_id, | 66 ActiveDirectoryPolicyManager(const AccountId& account_id, |
| 67 bool wait_for_policy_fetch, | |
| 68 base::TimeDelta initial_policy_fetch_timeout, | |
| 69 base::OnceClosure exit_session, | |
| 54 std::unique_ptr<CloudPolicyStore> store); | 70 std::unique_ptr<CloudPolicyStore> store); |
| 55 | 71 |
| 56 // Publish the policy that's currently cached in the store. | 72 // Publish the policy that's currently cached in the store. |
| 57 void PublishPolicy(); | 73 void PublishPolicy(); |
| 58 | 74 |
| 59 // Calls into authpolicyd to fetch policy. Reports success or failure via | 75 // Calls into authpolicyd to fetch policy. Reports success or failure via |
| 60 // |callback|. | 76 // |callback|. |
| 61 void DoFetch(PolicyScheduler::TaskCallback callback); | 77 void DoFetch(PolicyScheduler::TaskCallback callback); |
| 62 | 78 |
| 63 // Called by scheduler with result of policy fetch. | 79 // Called by scheduler with result of policy fetch. This covers policy |
| 80 // download, parsing and storing into session_manager. (To access and publish | |
| 81 // the policy, the store needs to be reloaded from session_manager.) | |
| 64 void OnPolicyFetched(bool success); | 82 void OnPolicyFetched(bool success); |
| 65 | 83 |
| 84 // Called when |policy_fetch_timeout_| times out, to cancel the blocking wait | |
|
emaxx
2017/07/12 20:18:20
nit: s/policy_fetch_timeout_/initial_policy_timeou
Thiemo Nagel
2017/07/14 12:18:55
Done.
| |
| 85 // for the initial policy fetch. | |
| 86 void OnBlockingFetchTimeout(); | |
| 87 | |
| 88 // Cancels waiting for the initial policy fetch and flags the | |
| 89 // ConfigurationPolicyProvider ready (assuming all other initialization tasks | |
| 90 // have completed). |success| denotes whether the policy fetch was successful. | |
| 91 void CancelWaitForPolicy(bool success); | |
|
emaxx
2017/07/12 20:18:20
nit: Maybe add s/ForPolicy/ForInitialPolicy/ (or e
Thiemo Nagel
2017/07/14 12:18:55
Thanks. Done. I'm not adding Fetch because a Load
| |
| 92 | |
| 66 const AccountId account_id_; | 93 const AccountId account_id_; |
| 94 | |
| 95 // Whether we're waiting for a policy fetch to complete before reporting | |
| 96 // IsInitializationComplete(). | |
| 97 bool waiting_for_initial_policy_fetch_; | |
| 98 | |
| 99 // Whether the user session is continued in case of failure of initial policy | |
| 100 // fetch. | |
| 101 bool initial_policy_fetch_may_fail_; | |
| 102 | |
| 103 // Whether policy fetch has ever been reported as completed by authpolicyd. | |
| 104 bool fetch_ever_completed_ = false; | |
| 105 | |
| 106 // Whether policy fetch has ever been reported as successful by authpolicyd. | |
| 107 bool fetch_ever_succeeded_ = false; | |
| 108 | |
| 109 // A timer that puts a hard limit on the maximum time to wait for the initial | |
| 110 // policy fetch/load. | |
| 111 base::Timer initial_policy_timeout_{false /* retain_user_task */, | |
|
emaxx
2017/07/12 20:18:20
nit: If you're not opposed to too long names, I'd
Thiemo Nagel
2017/07/14 12:18:55
Same as above, I think writing "fetch" hides the f
| |
| 112 false /* is_repeating */}; | |
| 113 | |
| 114 // Callback to exit the session. | |
| 115 base::OnceClosure exit_session_; | |
| 116 | |
| 67 std::unique_ptr<CloudPolicyStore> store_; | 117 std::unique_ptr<CloudPolicyStore> store_; |
| 68 | |
| 69 std::unique_ptr<PolicyScheduler> scheduler_; | 118 std::unique_ptr<PolicyScheduler> scheduler_; |
| 70 | 119 |
| 71 // Must be last member. | 120 // Must be last member. |
| 72 base::WeakPtrFactory<ActiveDirectoryPolicyManager> weak_ptr_factory_{this}; | 121 base::WeakPtrFactory<ActiveDirectoryPolicyManager> weak_ptr_factory_{this}; |
| 73 | 122 |
| 74 DISALLOW_COPY_AND_ASSIGN(ActiveDirectoryPolicyManager); | 123 DISALLOW_COPY_AND_ASSIGN(ActiveDirectoryPolicyManager); |
| 75 }; | 124 }; |
| 76 | 125 |
| 77 } // namespace policy | 126 } // namespace policy |
| 78 | 127 |
| 79 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ACTIVE_DIRECTORY_POLICY_MANAGER_H_ | 128 #endif // CHROME_BROWSER_CHROMEOS_POLICY_ACTIVE_DIRECTORY_POLICY_MANAGER_H_ |
| OLD | NEW |
