OLD | NEW |
---|---|
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/active_directory_policy_manager.h" | 5 #include "chrome/browser/chromeos/policy/active_directory_policy_manager.h" |
6 | 6 |
7 #include <string> | 7 #include <string> |
8 #include <utility> | 8 #include <utility> |
9 | 9 |
10 #include "base/logging.h" | 10 #include "base/logging.h" |
(...skipping 13 matching lines...) Expand all Loading... | |
24 } // namespace | 24 } // namespace |
25 | 25 |
26 namespace policy { | 26 namespace policy { |
27 | 27 |
28 ActiveDirectoryPolicyManager::~ActiveDirectoryPolicyManager() {} | 28 ActiveDirectoryPolicyManager::~ActiveDirectoryPolicyManager() {} |
29 | 29 |
30 // static | 30 // static |
31 std::unique_ptr<ActiveDirectoryPolicyManager> | 31 std::unique_ptr<ActiveDirectoryPolicyManager> |
32 ActiveDirectoryPolicyManager::CreateForDevicePolicy( | 32 ActiveDirectoryPolicyManager::CreateForDevicePolicy( |
33 std::unique_ptr<CloudPolicyStore> store) { | 33 std::unique_ptr<CloudPolicyStore> store) { |
34 return base::WrapUnique( | 34 // Can't use MakeUnique<> because the constructor is private. |
35 new ActiveDirectoryPolicyManager(EmptyAccountId(), std::move(store))); | 35 return base::WrapUnique(new ActiveDirectoryPolicyManager( |
36 EmptyAccountId(), false, base::TimeDelta(), base::OnceClosure(), | |
37 std::move(store))); | |
36 } | 38 } |
37 | 39 |
38 // static | 40 // static |
39 std::unique_ptr<ActiveDirectoryPolicyManager> | 41 std::unique_ptr<ActiveDirectoryPolicyManager> |
40 ActiveDirectoryPolicyManager::CreateForUserPolicy( | 42 ActiveDirectoryPolicyManager::CreateForUserPolicy( |
41 const AccountId& account_id, | 43 const AccountId& account_id, |
44 bool wait_for_policy_fetch, | |
45 base::TimeDelta initial_policy_fetch_timeout, | |
46 base::OnceClosure exit_session, | |
42 std::unique_ptr<CloudPolicyStore> store) { | 47 std::unique_ptr<CloudPolicyStore> store) { |
43 return base::WrapUnique( | 48 // Can't use MakeUnique<> because the constructor is private. |
44 new ActiveDirectoryPolicyManager(account_id, std::move(store))); | 49 return base::WrapUnique(new ActiveDirectoryPolicyManager( |
50 account_id, wait_for_policy_fetch, initial_policy_fetch_timeout, | |
51 std::move(exit_session), std::move(store))); | |
45 } | 52 } |
46 | 53 |
47 void ActiveDirectoryPolicyManager::Init(SchemaRegistry* registry) { | 54 void ActiveDirectoryPolicyManager::Init(SchemaRegistry* registry) { |
48 ConfigurationPolicyProvider::Init(registry); | 55 ConfigurationPolicyProvider::Init(registry); |
49 | 56 |
50 store_->AddObserver(this); | 57 store_->AddObserver(this); |
51 if (!store_->is_initialized()) { | 58 if (!store_->is_initialized()) { |
52 store_->Load(); | 59 store_->Load(); |
53 } | 60 } |
54 | 61 |
55 // Does nothing if |store_| hasn't yet initialized. | 62 // Does nothing if |store_| hasn't yet initialized. |
56 PublishPolicy(); | 63 PublishPolicy(); |
57 | 64 |
58 scheduler_ = base::MakeUnique<PolicyScheduler>( | 65 scheduler_ = base::MakeUnique<PolicyScheduler>( |
59 base::BindRepeating(&ActiveDirectoryPolicyManager::DoFetch, | 66 base::BindRepeating(&ActiveDirectoryPolicyManager::DoPolicyFetch, |
60 weak_ptr_factory_.GetWeakPtr()), | 67 weak_ptr_factory_.GetWeakPtr()), |
61 base::BindRepeating(&ActiveDirectoryPolicyManager::OnPolicyFetched, | 68 base::BindRepeating(&ActiveDirectoryPolicyManager::OnPolicyFetched, |
62 weak_ptr_factory_.GetWeakPtr()), | 69 weak_ptr_factory_.GetWeakPtr()), |
63 kFetchInterval); | 70 kFetchInterval); |
64 } | 71 } |
65 | 72 |
66 void ActiveDirectoryPolicyManager::Shutdown() { | 73 void ActiveDirectoryPolicyManager::Shutdown() { |
67 store_->RemoveObserver(this); | 74 store_->RemoveObserver(this); |
68 ConfigurationPolicyProvider::Shutdown(); | 75 ConfigurationPolicyProvider::Shutdown(); |
69 } | 76 } |
70 | 77 |
71 bool ActiveDirectoryPolicyManager::IsInitializationComplete( | 78 bool ActiveDirectoryPolicyManager::IsInitializationComplete( |
72 PolicyDomain domain) const { | 79 PolicyDomain domain) const { |
80 if (waiting_for_initial_policy_fetch_) { | |
81 return false; | |
82 } | |
73 if (domain == POLICY_DOMAIN_CHROME) { | 83 if (domain == POLICY_DOMAIN_CHROME) { |
74 return store_->is_initialized(); | 84 return store_->is_initialized(); |
75 } | 85 } |
76 return true; | 86 return true; |
77 } | 87 } |
78 | 88 |
79 void ActiveDirectoryPolicyManager::RefreshPolicies() { | 89 void ActiveDirectoryPolicyManager::RefreshPolicies() { |
80 scheduler_->ScheduleTaskNow(); | 90 scheduler_->ScheduleTaskNow(); |
81 } | 91 } |
82 | 92 |
83 void ActiveDirectoryPolicyManager::OnStoreLoaded( | 93 void ActiveDirectoryPolicyManager::OnStoreLoaded( |
84 CloudPolicyStore* cloud_policy_store) { | 94 CloudPolicyStore* cloud_policy_store) { |
85 DCHECK_EQ(store_.get(), cloud_policy_store); | 95 DCHECK_EQ(store_.get(), cloud_policy_store); |
86 PublishPolicy(); | 96 PublishPolicy(); |
97 if (fetch_ever_completed_) { | |
98 CancelWaitForInitialPolicy(fetch_ever_succeeded_ /* success */); | |
emaxx
2017/07/14 13:56:40
nit: What about a comment like this:
// Stop w
Thiemo Nagel
2017/07/17 09:29:35
Done.
| |
99 } | |
87 } | 100 } |
88 | 101 |
89 void ActiveDirectoryPolicyManager::OnStoreError( | 102 void ActiveDirectoryPolicyManager::OnStoreError( |
90 CloudPolicyStore* cloud_policy_store) { | 103 CloudPolicyStore* cloud_policy_store) { |
91 DCHECK_EQ(store_.get(), cloud_policy_store); | 104 DCHECK_EQ(store_.get(), cloud_policy_store); |
92 // Publish policy (even though it hasn't changed) in order to signal load | 105 // Publish policy (even though it hasn't changed) in order to signal load |
93 // complete on the ConfigurationPolicyProvider interface. Technically, this is | 106 // complete on the ConfigurationPolicyProvider interface. Technically, this is |
94 // only required on the first load, but doesn't hurt in any case. | 107 // only required on the first load, but doesn't hurt in any case. |
95 PublishPolicy(); | 108 PublishPolicy(); |
109 if (fetch_ever_completed_) { | |
110 CancelWaitForInitialPolicy(false /* success */); | |
111 } | |
112 } | |
113 | |
114 void ActiveDirectoryPolicyManager::ForceTimeoutForTest() { | |
115 DCHECK(initial_policy_timeout_.IsRunning()); | |
116 // Stop the timer to mimic what happens when a real timer fires, then invoke | |
117 // the timer callback directly. | |
118 initial_policy_timeout_.Stop(); | |
119 OnBlockingFetchTimeout(); | |
96 } | 120 } |
97 | 121 |
98 ActiveDirectoryPolicyManager::ActiveDirectoryPolicyManager( | 122 ActiveDirectoryPolicyManager::ActiveDirectoryPolicyManager( |
99 const AccountId& account_id, | 123 const AccountId& account_id, |
124 bool wait_for_policy_fetch, | |
125 base::TimeDelta initial_policy_fetch_timeout, | |
126 base::OnceClosure exit_session, | |
100 std::unique_ptr<CloudPolicyStore> store) | 127 std::unique_ptr<CloudPolicyStore> store) |
101 : account_id_(account_id), store_(std::move(store)) {} | 128 : account_id_(account_id), |
129 waiting_for_initial_policy_fetch_(wait_for_policy_fetch), | |
130 exit_session_(std::move(exit_session)), | |
131 store_(std::move(store)) { | |
132 DCHECK(!(account_id == EmptyAccountId() && wait_for_policy_fetch)); | |
emaxx
2017/07/14 13:56:40
nit: BTW, why is there such a restriction? Could y
Thiemo Nagel
2017/07/17 09:29:35
Done.
| |
133 DCHECK_NE(wait_for_policy_fetch, initial_policy_fetch_timeout.is_zero()); | |
134 initial_policy_fetch_may_fail_ = !initial_policy_fetch_timeout.is_max(); | |
135 if (wait_for_policy_fetch && !initial_policy_fetch_timeout.is_max()) { | |
136 initial_policy_timeout_.Start( | |
137 FROM_HERE, initial_policy_fetch_timeout, | |
138 base::Bind(&ActiveDirectoryPolicyManager::OnBlockingFetchTimeout, | |
139 weak_ptr_factory_.GetWeakPtr())); | |
140 } | |
141 } | |
102 | 142 |
103 void ActiveDirectoryPolicyManager::PublishPolicy() { | 143 void ActiveDirectoryPolicyManager::PublishPolicy() { |
104 if (!store_->is_initialized()) { | 144 if (!store_->is_initialized()) { |
105 return; | 145 return; |
106 } | 146 } |
107 std::unique_ptr<PolicyBundle> bundle = base::MakeUnique<PolicyBundle>(); | 147 std::unique_ptr<PolicyBundle> bundle = base::MakeUnique<PolicyBundle>(); |
108 PolicyMap& policy_map = | 148 PolicyMap& policy_map = |
109 bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); | 149 bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())); |
110 policy_map.CopyFrom(store_->policy_map()); | 150 policy_map.CopyFrom(store_->policy_map()); |
111 | 151 |
112 // Overwrite the source which is POLICY_SOURCE_CLOUD by default. | 152 // Overwrite the source which is POLICY_SOURCE_CLOUD by default. |
113 // TODO(tnagel): Rename CloudPolicyStore to PolicyStore and make the source | 153 // TODO(tnagel): Rename CloudPolicyStore to PolicyStore and make the source |
114 // configurable, then drop PolicyMap::SetSourceForAll(). | 154 // configurable, then drop PolicyMap::SetSourceForAll(). |
115 policy_map.SetSourceForAll(POLICY_SOURCE_ACTIVE_DIRECTORY); | 155 policy_map.SetSourceForAll(POLICY_SOURCE_ACTIVE_DIRECTORY); |
116 SetEnterpriseUsersDefaults(&policy_map); | 156 SetEnterpriseUsersDefaults(&policy_map); |
117 UpdatePolicy(std::move(bundle)); | 157 UpdatePolicy(std::move(bundle)); |
118 } | 158 } |
119 | 159 |
120 void ActiveDirectoryPolicyManager::DoFetch( | 160 void ActiveDirectoryPolicyManager::DoPolicyFetch( |
121 base::OnceCallback<void(bool success)> callback) { | 161 base::OnceCallback<void(bool success)> callback) { |
122 chromeos::DBusThreadManager* thread_manager = | 162 chromeos::DBusThreadManager* thread_manager = |
123 chromeos::DBusThreadManager::Get(); | 163 chromeos::DBusThreadManager::Get(); |
124 DCHECK(thread_manager); | 164 DCHECK(thread_manager); |
125 chromeos::AuthPolicyClient* auth_policy_client = | 165 chromeos::AuthPolicyClient* auth_policy_client = |
126 thread_manager->GetAuthPolicyClient(); | 166 thread_manager->GetAuthPolicyClient(); |
127 DCHECK(auth_policy_client); | 167 DCHECK(auth_policy_client); |
128 if (account_id_ == EmptyAccountId()) { | 168 if (account_id_ == EmptyAccountId()) { |
129 auth_policy_client->RefreshDevicePolicy(std::move(callback)); | 169 auth_policy_client->RefreshDevicePolicy(std::move(callback)); |
130 } else { | 170 } else { |
131 auth_policy_client->RefreshUserPolicy(account_id_, std::move(callback)); | 171 auth_policy_client->RefreshUserPolicy(account_id_, std::move(callback)); |
132 } | 172 } |
133 } | 173 } |
134 | 174 |
135 void ActiveDirectoryPolicyManager::OnPolicyFetched(bool success) { | 175 void ActiveDirectoryPolicyManager::OnPolicyFetched(bool success) { |
136 if (!success) { | 176 fetch_ever_completed_ = true; |
177 if (success) { | |
178 fetch_ever_succeeded_ = true; | |
179 } else { | |
137 LOG(ERROR) << "Active Directory policy fetch failed."; | 180 LOG(ERROR) << "Active Directory policy fetch failed."; |
181 if (store_->is_initialized()) { | |
182 CancelWaitForInitialPolicy(false /* success */); | |
183 } | |
138 } | 184 } |
139 // Load independently of success or failure to keep up to date with whatever | 185 // Load independently of success or failure to keep in sync with the state in |
140 // has happened on the authpolicyd / session manager side. | 186 // session manager. This cancels any potentially running previous Load() |
187 // operations thus it is guaranteed that at the next OnStoreLoaded() | |
188 // invocation the policy is up-to-date with what was fetched. | |
141 store_->Load(); | 189 store_->Load(); |
142 } | 190 } |
143 | 191 |
192 void ActiveDirectoryPolicyManager::OnBlockingFetchTimeout() { | |
193 DCHECK(waiting_for_initial_policy_fetch_); | |
194 LOG(WARNING) << "Timed out while waiting for the policy fetch. " | |
195 << "The session will start with the cached policy."; | |
196 CancelWaitForInitialPolicy(false); | |
197 } | |
198 | |
199 void ActiveDirectoryPolicyManager::CancelWaitForInitialPolicy(bool success) { | |
200 if (!waiting_for_initial_policy_fetch_) | |
201 return; | |
202 | |
203 initial_policy_timeout_.Stop(); | |
204 | |
205 // If there was an error, and we don't want to allow profile initialization | |
206 // to go forward after a failed policy fetch, then just return (profile | |
207 // initialization will not complete). | |
208 // TODO(tnagel): Maybe add code to retry policy fetching? | |
209 if (!store_->has_policy()) { | |
210 // If there's no policy at all (not even cached) we can't continue. | |
211 LOG(ERROR) << "Policy could not be obtained. " | |
212 << "Aborting profile initialization"; | |
213 if (exit_session_) { | |
214 std::move(exit_session_).Run(); | |
215 } | |
216 return; | |
217 } | |
218 if (!success && !initial_policy_fetch_may_fail_) { | |
219 LOG(ERROR) << "Policy fetch failed for the user. " | |
220 << "Aborting profile initialization"; | |
221 if (exit_session_) { | |
222 std::move(exit_session_).Run(); | |
223 } | |
224 return; | |
225 } | |
226 | |
227 waiting_for_initial_policy_fetch_ = false; | |
228 | |
229 // Publish policy (even though it hasn't changed) in order to signal load | |
230 // complete on the ConfigurationPolicyProvider interface. | |
231 PublishPolicy(); | |
232 } | |
233 | |
144 } // namespace policy | 234 } // namespace policy |
OLD | NEW |