Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(174)

Side by Side Diff: chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc

Issue 2954293002: Chromad: Prevent session from starting without policy (Closed)
Patch Set: Address nits Created 3 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h" 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
6 6
7 #include <set> 7 #include <set>
8 #include <utility> 8 #include <utility>
9 9
10 #include "base/bind.h" 10 #include "base/bind.h"
(...skipping 83 matching lines...) Expand 10 before | Expand all | Expand 10 after
94 const scoped_refptr<base::SequencedTaskRunner>& io_task_runner) 94 const scoped_refptr<base::SequencedTaskRunner>& io_task_runner)
95 : CloudPolicyManager(dm_protocol::kChromeUserPolicyType, 95 : CloudPolicyManager(dm_protocol::kChromeUserPolicyType,
96 std::string(), 96 std::string(),
97 store.get(), 97 store.get(),
98 task_runner, 98 task_runner,
99 file_task_runner, 99 file_task_runner,
100 io_task_runner), 100 io_task_runner),
101 store_(std::move(store)), 101 store_(std::move(store)),
102 external_data_manager_(std::move(external_data_manager)), 102 external_data_manager_(std::move(external_data_manager)),
103 component_policy_cache_path_(component_policy_cache_path), 103 component_policy_cache_path_(component_policy_cache_path),
104 wait_for_policy_fetch_(wait_for_policy_fetch) { 104 waiting_for_initial_policy_fetch_(wait_for_policy_fetch) {
105 time_init_started_ = base::Time::Now(); 105 time_init_started_ = base::Time::Now();
106 106
107 // Caller must pass a non-zero policy_fetch_timeout iff 107 // Caller must pass a non-zero policy_fetch_timeout iff
108 // |wait_for_policy_fetch| is true. 108 // |wait_for_policy_fetch| is true.
109 DCHECK_NE(wait_for_policy_fetch_, initial_policy_fetch_timeout.is_zero()); 109 DCHECK_NE(waiting_for_initial_policy_fetch_,
110 allow_failed_policy_fetches_ = 110 initial_policy_fetch_timeout.is_zero());
111 initial_policy_fetch_may_fail_ =
111 base::CommandLine::ForCurrentProcess()->HasSwitch( 112 base::CommandLine::ForCurrentProcess()->HasSwitch(
112 chromeos::switches::kAllowFailedPolicyFetchForTest) || 113 chromeos::switches::kAllowFailedPolicyFetchForTest) ||
113 !initial_policy_fetch_timeout.is_max(); 114 !initial_policy_fetch_timeout.is_max();
114 // No need to set the timer when the timeout is infinite. 115 // No need to set the timer when the timeout is infinite.
115 if (wait_for_policy_fetch_ && !initial_policy_fetch_timeout.is_max()) { 116 if (waiting_for_initial_policy_fetch_ &&
117 !initial_policy_fetch_timeout.is_max()) {
116 policy_fetch_timeout_.Start( 118 policy_fetch_timeout_.Start(
117 FROM_HERE, 119 FROM_HERE,
118 initial_policy_fetch_timeout, 120 initial_policy_fetch_timeout,
119 base::Bind(&UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout, 121 base::Bind(&UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout,
120 base::Unretained(this))); 122 base::Unretained(this)));
121 } 123 }
122 } 124 }
123 125
124 void UserCloudPolicyManagerChromeOS::ForceTimeoutForTest() { 126 void UserCloudPolicyManagerChromeOS::ForceTimeoutForTest() {
125 DCHECK(policy_fetch_timeout_.IsRunning()); 127 DCHECK(policy_fetch_timeout_.IsRunning());
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after
167 external_data_manager_->Connect(system_request_context); 169 external_data_manager_->Connect(system_request_context);
168 170
169 // Determine the next step after the CloudPolicyService initializes. 171 // Determine the next step after the CloudPolicyService initializes.
170 if (service()->IsInitializationComplete()) { 172 if (service()->IsInitializationComplete()) {
171 OnInitializationCompleted(service()); 173 OnInitializationCompleted(service());
172 174
173 // The cloud policy client may be already registered by this point if the 175 // The cloud policy client may be already registered by this point if the
174 // store has already been loaded and contains a valid policy - the 176 // store has already been loaded and contains a valid policy - the
175 // registration setup in this case is performed by the CloudPolicyService 177 // registration setup in this case is performed by the CloudPolicyService
176 // that is instantiated inside the CloudPolicyCore::Connect() method call. 178 // that is instantiated inside the CloudPolicyCore::Connect() method call.
177 // If that's the case and |wait_for_policy_fetch_| is true, then the policy 179 // If that's the case and |waiting_for_initial_policy_fetch_| is true, then
178 // fetch needs to be issued (it happens otherwise after the client 180 // the policy fetch needs to be issued (it happens otherwise after the
179 // registration is finished, in OnRegistrationStateChanged()). 181 // client registration is finished, in OnRegistrationStateChanged()).
180 if (client()->is_registered() && wait_for_policy_fetch_) { 182 if (client()->is_registered() && waiting_for_initial_policy_fetch_) {
181 service()->RefreshPolicy( 183 service()->RefreshPolicy(
182 base::Bind(&UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch, 184 base::Bind(&UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch,
183 base::Unretained(this))); 185 base::Unretained(this)));
184 } 186 }
185 } else { 187 } else {
186 service()->AddObserver(this); 188 service()->AddObserver(this);
187 } 189 }
188 } 190 }
189 191
190 void UserCloudPolicyManagerChromeOS::OnAccessTokenAvailable( 192 void UserCloudPolicyManagerChromeOS::OnAccessTokenAvailable(
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after
223 token_fetcher_.reset(); 225 token_fetcher_.reset();
224 external_data_manager_->Disconnect(); 226 external_data_manager_->Disconnect();
225 CloudPolicyManager::Shutdown(); 227 CloudPolicyManager::Shutdown();
226 } 228 }
227 229
228 bool UserCloudPolicyManagerChromeOS::IsInitializationComplete( 230 bool UserCloudPolicyManagerChromeOS::IsInitializationComplete(
229 PolicyDomain domain) const { 231 PolicyDomain domain) const {
230 if (!CloudPolicyManager::IsInitializationComplete(domain)) 232 if (!CloudPolicyManager::IsInitializationComplete(domain))
231 return false; 233 return false;
232 if (domain == POLICY_DOMAIN_CHROME) 234 if (domain == POLICY_DOMAIN_CHROME)
233 return !wait_for_policy_fetch_; 235 return !waiting_for_initial_policy_fetch_;
234 return true; 236 return true;
235 } 237 }
236 238
237 void UserCloudPolicyManagerChromeOS::OnInitializationCompleted( 239 void UserCloudPolicyManagerChromeOS::OnInitializationCompleted(
238 CloudPolicyService* cloud_policy_service) { 240 CloudPolicyService* cloud_policy_service) {
239 DCHECK_EQ(service(), cloud_policy_service); 241 DCHECK_EQ(service(), cloud_policy_service);
240 cloud_policy_service->RemoveObserver(this); 242 cloud_policy_service->RemoveObserver(this);
241 243
242 time_init_completed_ = base::Time::Now(); 244 time_init_completed_ = base::Time::Now();
243 UMA_HISTOGRAM_MEDIUM_TIMES(kUMADelayInitialization, 245 UMA_HISTOGRAM_MEDIUM_TIMES(kUMADelayInitialization,
244 time_init_completed_ - time_init_started_); 246 time_init_completed_ - time_init_started_);
245 247
246 // If the CloudPolicyClient isn't registered at this stage then it needs an 248 // If the CloudPolicyClient isn't registered at this stage then it needs an
247 // OAuth token for the initial registration. 249 // OAuth token for the initial registration.
248 // 250 //
249 // If |wait_for_policy_fetch_| is true then Profile initialization is blocking 251 // If |waiting_for_initial_policy_fetch_| is true then Profile initialization
250 // on the initial policy fetch, so the token must be fetched immediately. 252 // is blocking on the initial policy fetch, so the token must be fetched
251 // In that case, the signin Profile is used to authenticate a Gaia request to 253 // immediately. In that case, the signin Profile is used to authenticate a
252 // fetch a refresh token, and then the policy token is fetched. 254 // Gaia request to fetch a refresh token, and then the policy token is
255 // fetched.
253 // 256 //
254 // If |wait_for_policy_fetch_| is false then the UserCloudPolicyTokenForwarder 257 // If |waiting_for_initial_policy_fetch_| is false then the
255 // service will eventually call OnAccessTokenAvailable() once an access token 258 // UserCloudPolicyTokenForwarder service will eventually call
256 // is available. That call may have already happened while waiting for 259 // OnAccessTokenAvailable() once an access token is available. That call may
257 // initialization of the CloudPolicyService, so in that case check if an 260 // have already happened while waiting for initialization of the
258 // access token is already available. 261 // CloudPolicyService, so in that case check if an access token is already
262 // available.
259 if (!client()->is_registered()) { 263 if (!client()->is_registered()) {
260 if (wait_for_policy_fetch_) { 264 if (waiting_for_initial_policy_fetch_) {
261 FetchPolicyOAuthToken(); 265 FetchPolicyOAuthToken();
262 } else if (!access_token_.empty()) { 266 } else if (!access_token_.empty()) {
263 OnAccessTokenAvailable(access_token_); 267 OnAccessTokenAvailable(access_token_);
264 } 268 }
265 } 269 }
266 270
267 if (!wait_for_policy_fetch_) { 271 if (!waiting_for_initial_policy_fetch_) {
268 // If this isn't blocking on a policy fetch then 272 // If this isn't blocking on a policy fetch then
269 // CloudPolicyManager::OnStoreLoaded() already published the cached policy. 273 // CloudPolicyManager::OnStoreLoaded() already published the cached policy.
270 // Start the refresh scheduler now, which will eventually refresh the 274 // Start the refresh scheduler now, which will eventually refresh the
271 // cached policy or make the first fetch once the OAuth2 token is 275 // cached policy or make the first fetch once the OAuth2 token is
272 // available. 276 // available.
273 StartRefreshSchedulerIfReady(); 277 StartRefreshSchedulerIfReady();
274 } 278 }
275 } 279 }
276 280
277 void UserCloudPolicyManagerChromeOS::OnPolicyFetched( 281 void UserCloudPolicyManagerChromeOS::OnPolicyFetched(
278 CloudPolicyClient* client) { 282 CloudPolicyClient* client) {
279 // No action required. If we're blocked on a policy fetch, we'll learn about 283 // No action required. If we're blocked on a policy fetch, we'll learn about
280 // completion of it through OnInitialPolicyFetchComplete(), or through the 284 // completion of it through OnInitialPolicyFetchComplete(), or through the
281 // CancelWaitForPolicyFetch() callback. 285 // CancelWaitForPolicyFetch() callback.
282 } 286 }
283 287
284 void UserCloudPolicyManagerChromeOS::OnRegistrationStateChanged( 288 void UserCloudPolicyManagerChromeOS::OnRegistrationStateChanged(
285 CloudPolicyClient* cloud_policy_client) { 289 CloudPolicyClient* cloud_policy_client) {
286 DCHECK_EQ(client(), cloud_policy_client); 290 DCHECK_EQ(client(), cloud_policy_client);
287 291
288 if (wait_for_policy_fetch_) { 292 if (waiting_for_initial_policy_fetch_) {
289 time_client_registered_ = base::Time::Now(); 293 time_client_registered_ = base::Time::Now();
290 if (!time_token_available_.is_null()) { 294 if (!time_token_available_.is_null()) {
291 UMA_HISTOGRAM_MEDIUM_TIMES( 295 UMA_HISTOGRAM_MEDIUM_TIMES(
292 kUMAInitialFetchDelayClientRegister, 296 kUMAInitialFetchDelayClientRegister,
293 time_client_registered_ - time_token_available_); 297 time_client_registered_ - time_token_available_);
294 } 298 }
295 299
296 // If we're blocked on the policy fetch, now is a good time to issue it. 300 // If we're blocked on the policy fetch, now is a good time to issue it.
297 if (client()->is_registered()) { 301 if (client()->is_registered()) {
298 service()->RefreshPolicy( 302 service()->RefreshPolicy(
299 base::Bind( 303 base::Bind(
300 &UserCloudPolicyManagerChromeOS::OnInitialPolicyFetchComplete, 304 &UserCloudPolicyManagerChromeOS::OnInitialPolicyFetchComplete,
301 base::Unretained(this))); 305 base::Unretained(this)));
302 } else { 306 } else {
303 // If the client has switched to not registered, we bail out as this 307 // If the client has switched to not registered, we bail out as this
304 // indicates the cloud policy setup flow has been aborted. 308 // indicates the cloud policy setup flow has been aborted.
305 CancelWaitForPolicyFetch(true); 309 CancelWaitForPolicyFetch(true);
306 } 310 }
307 } 311 }
308 } 312 }
309 313
310 void UserCloudPolicyManagerChromeOS::OnClientError( 314 void UserCloudPolicyManagerChromeOS::OnClientError(
311 CloudPolicyClient* cloud_policy_client) { 315 CloudPolicyClient* cloud_policy_client) {
312 DCHECK_EQ(client(), cloud_policy_client); 316 DCHECK_EQ(client(), cloud_policy_client);
313 if (wait_for_policy_fetch_) { 317 if (waiting_for_initial_policy_fetch_) {
314 UMA_HISTOGRAM_SPARSE_SLOWLY(kUMAInitialFetchClientError, 318 UMA_HISTOGRAM_SPARSE_SLOWLY(kUMAInitialFetchClientError,
315 cloud_policy_client->status()); 319 cloud_policy_client->status());
316 } 320 }
317 switch (client()->status()) { 321 switch (client()->status()) {
318 case DM_STATUS_SUCCESS: 322 case DM_STATUS_SUCCESS:
319 case DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED: 323 case DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED:
320 // If management is not supported for this user, then a registration 324 // If management is not supported for this user, then a registration
321 // error is to be expected. 325 // error is to be expected.
322 CancelWaitForPolicyFetch(true); 326 CancelWaitForPolicyFetch(true);
323 break; 327 break;
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after
397 signin_context.get(), g_browser_process->system_request_context(), 401 signin_context.get(), g_browser_process->system_request_context(),
398 base::Bind(&UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched, 402 base::Bind(&UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched,
399 base::Unretained(this))); 403 base::Unretained(this)));
400 } 404 }
401 405
402 void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched( 406 void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched(
403 const std::string& policy_token, 407 const std::string& policy_token,
404 const GoogleServiceAuthError& error) { 408 const GoogleServiceAuthError& error) {
405 DCHECK(!client()->is_registered()); 409 DCHECK(!client()->is_registered());
406 time_token_available_ = base::Time::Now(); 410 time_token_available_ = base::Time::Now();
407 if (wait_for_policy_fetch_) { 411 if (waiting_for_initial_policy_fetch_) {
408 UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayOAuth2Token, 412 UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayOAuth2Token,
409 time_token_available_ - time_init_completed_); 413 time_token_available_ - time_init_completed_);
410 } 414 }
411 415
412 if (error.state() == GoogleServiceAuthError::NONE) { 416 if (error.state() == GoogleServiceAuthError::NONE) {
413 // Start client registration. Either OnRegistrationStateChanged() or 417 // Start client registration. Either OnRegistrationStateChanged() or
414 // OnClientError() will be called back. 418 // OnClientError() will be called back.
415 client()->Register(em::DeviceRegisterRequest::USER, 419 client()->Register(em::DeviceRegisterRequest::USER,
416 em::DeviceRegisterRequest::FLAVOR_USER_REGISTRATION, 420 em::DeviceRegisterRequest::FLAVOR_USER_REGISTRATION,
417 policy_token, std::string(), std::string(), 421 policy_token, std::string(), std::string(),
(...skipping 20 matching lines...) Expand all
438 bool success) { 442 bool success) {
439 const base::Time now = base::Time::Now(); 443 const base::Time now = base::Time::Now();
440 UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayPolicyFetch, 444 UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayPolicyFetch,
441 now - time_client_registered_); 445 now - time_client_registered_);
442 UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayTotal, 446 UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayTotal,
443 now - time_init_started_); 447 now - time_init_started_);
444 CancelWaitForPolicyFetch(success); 448 CancelWaitForPolicyFetch(success);
445 } 449 }
446 450
447 void UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout() { 451 void UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout() {
448 DCHECK(wait_for_policy_fetch_); 452 DCHECK(waiting_for_initial_policy_fetch_);
449 LOG(WARNING) << "Timed out while waiting for the policy fetch. " 453 LOG(WARNING) << "Timed out while waiting for the policy fetch. "
450 << "The session will start with the cached policy."; 454 << "The session will start with the cached policy.";
451 CancelWaitForPolicyFetch(false); 455 CancelWaitForPolicyFetch(false);
452 } 456 }
453 457
454 void UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch(bool success) { 458 void UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch(bool success) {
455 if (!wait_for_policy_fetch_) 459 if (!waiting_for_initial_policy_fetch_)
456 return; 460 return;
457 461
458 policy_fetch_timeout_.Stop(); 462 policy_fetch_timeout_.Stop();
459 463
460 // If there was an error, and we don't want to allow profile initialization 464 // If there was an error, and we don't want to allow profile initialization
461 // to go forward after a failed policy fetch, then just return (profile 465 // to go forward after a failed policy fetch, then just return (profile
462 // initialization will not complete). 466 // initialization will not complete).
463 // TODO(atwilson): Add code to retry policy fetching. 467 // TODO(atwilson): Add code to retry policy fetching.
464 if (!success && !allow_failed_policy_fetches_) { 468 if (!success && !initial_policy_fetch_may_fail_) {
465 LOG(ERROR) << "Policy fetch failed for the user. " 469 LOG(ERROR) << "Policy fetch failed for the user. "
466 "Aborting profile initialization"; 470 "Aborting profile initialization";
467 // Need to exit the current user, because we've already started this user's 471 // Need to exit the current user, because we've already started this user's
468 // session. 472 // session.
469 chrome::AttemptUserExit(); 473 chrome::AttemptUserExit();
470 return; 474 return;
471 } 475 }
472 476
473 wait_for_policy_fetch_ = false; 477 waiting_for_initial_policy_fetch_ = false;
478
474 CheckAndPublishPolicy(); 479 CheckAndPublishPolicy();
475 // Now that |wait_for_policy_fetch_| is guaranteed to be false, the scheduler 480 // Now that |waiting_for_initial_policy_fetch_| is guaranteed to be false, the
476 // can be started. 481 // scheduler can be started.
477 StartRefreshSchedulerIfReady(); 482 StartRefreshSchedulerIfReady();
478 } 483 }
479 484
480 void UserCloudPolicyManagerChromeOS::StartRefreshSchedulerIfReady() { 485 void UserCloudPolicyManagerChromeOS::StartRefreshSchedulerIfReady() {
481 if (core()->refresh_scheduler()) 486 if (core()->refresh_scheduler())
482 return; // Already started. 487 return; // Already started.
483 488
484 if (wait_for_policy_fetch_) 489 if (waiting_for_initial_policy_fetch_)
485 return; // Still waiting for the initial, blocking fetch. 490 return; // Still waiting for the initial, blocking fetch.
486 491
487 if (!service() || !local_state_) 492 if (!service() || !local_state_)
488 return; // Not connected. 493 return; // Not connected.
489 494
490 if (component_policy_service() && 495 if (component_policy_service() &&
491 !component_policy_service()->is_initialized()) { 496 !component_policy_service()->is_initialized()) {
492 // If the client doesn't have the list of components to fetch yet then don't 497 // If the client doesn't have the list of components to fetch yet then don't
493 // start the scheduler. The |component_policy_service_| will call back into 498 // start the scheduler. The |component_policy_service_| will call back into
494 // OnComponentCloudPolicyUpdated() once it's ready. 499 // OnComponentCloudPolicyUpdated() once it's ready.
495 return; 500 return;
496 } 501 }
497 502
498 core()->StartRefreshScheduler(); 503 core()->StartRefreshScheduler();
499 core()->TrackRefreshDelayPref(local_state_, 504 core()->TrackRefreshDelayPref(local_state_,
500 policy_prefs::kUserPolicyRefreshRate); 505 policy_prefs::kUserPolicyRefreshRate);
501 } 506 }
502 507
503 } // namespace policy 508 } // namespace policy
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698