Chromium Code Reviews Chromium Code Reviews
Issue 400623002:
Be more picky in triggering enrollment recovery. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/logging.h" | 8 #include "base/logging.h" |
| 9 #include "base/metrics/histogram.h" | 9 #include "base/metrics/histogram.h" |
| 10 #include "base/sequenced_task_runner.h" | 10 #include "base/sequenced_task_runner.h" |
| 11 #include "chrome/browser/chromeos/login/startup_utils.h" | 11 #include "chrome/browser/chromeos/login/startup_utils.h" |
| 12 #include "chrome/browser/chromeos/policy/device_policy_decoder_chromeos.h" | 12 #include "chrome/browser/chromeos/policy/device_policy_decoder_chromeos.h" |
| 13 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" | 13 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" |
| 14 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" | 14 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" |
| 15 #include "chrome/browser/chromeos/settings/owner_key_util.h" | 15 #include "chrome/browser/chromeos/settings/owner_key_util.h" |
| 16 #include "policy/proto/device_management_backend.pb.h" | 16 #include "policy/proto/device_management_backend.pb.h" |
| 17 | 17 |
| 18 namespace em = enterprise_management; | 18 namespace em = enterprise_management; |
| 19 | 19 |
| 20 namespace policy { | 20 namespace policy { |
| 21 | 21 |
| 22 DeviceCloudPolicyStoreChromeOS::DeviceCloudPolicyStoreChromeOS( | 22 DeviceCloudPolicyStoreChromeOS::DeviceCloudPolicyStoreChromeOS( |
| 23 chromeos::DeviceSettingsService* device_settings_service, | 23 chromeos::DeviceSettingsService* device_settings_service, |
| 24 EnterpriseInstallAttributes* install_attributes, | 24 EnterpriseInstallAttributes* install_attributes, |
| 25 scoped_refptr<base::SequencedTaskRunner> background_task_runner) | 25 scoped_refptr<base::SequencedTaskRunner> background_task_runner) |
| 26 : device_settings_service_(device_settings_service), | 26 : device_settings_service_(device_settings_service), |
| 27 install_attributes_(install_attributes), | 27 install_attributes_(install_attributes), |
| 28 background_task_runner_(background_task_runner), | 28 background_task_runner_(background_task_runner), |
| 29 first_update_(true), | 29 enrollment_validation_done_(false), |
| 30 weak_factory_(this) { | 30 weak_factory_(this) { |
| 31 device_settings_service_->AddObserver(this); | 31 device_settings_service_->AddObserver(this); |
| 32 } | 32 } |
| 33 | 33 |
| 34 DeviceCloudPolicyStoreChromeOS::~DeviceCloudPolicyStoreChromeOS() { | 34 DeviceCloudPolicyStoreChromeOS::~DeviceCloudPolicyStoreChromeOS() { |
| 35 device_settings_service_->RemoveObserver(this); | 35 device_settings_service_->RemoveObserver(this); |
| 36 } | 36 } |
| 37 | 37 |
| 38 void DeviceCloudPolicyStoreChromeOS::Store( | 38 void DeviceCloudPolicyStoreChromeOS::Store( |
| 39 const em::PolicyFetchResponse& policy) { | 39 const em::PolicyFetchResponse& policy) { |
| (...skipping 91 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 131 UpdateFromService(); | 131 UpdateFromService(); |
| 132 } | 132 } |
| 133 | 133 |
| 134 void DeviceCloudPolicyStoreChromeOS::UpdateFromService() { | 134 void DeviceCloudPolicyStoreChromeOS::UpdateFromService() { |
| 135 if (!install_attributes_->IsEnterpriseDevice()) { | 135 if (!install_attributes_->IsEnterpriseDevice()) { |
| 136 status_ = STATUS_BAD_STATE; | 136 status_ = STATUS_BAD_STATE; |
| 137 NotifyStoreError(); | 137 NotifyStoreError(); |
| 138 return; | 138 return; |
| 139 } | 139 } |
| 140 | 140 |
| 141 // Fill UMA histogram once per session. Skip temp validation error because it | 141 // Once per session, validate internal consistency of enrollment state (DM |
| 142 // is not a definitive result (policy load will be retried). | 142 // token must be present on enrolled devices) and in case of failure set flag |
| 143 // to indicate that recovery is required. Since UpdateFromService() is called | |
| 144 // upon completion of any kind of SessionManagerOperation, validation is only | |
| 145 // performed for the first time a status codes is encountered that may | |
| 146 // correspond to completing a read request. | |
| 143 const chromeos::DeviceSettingsService::Status status = | 147 const chromeos::DeviceSettingsService::Status status = |
| 144 device_settings_service_->status(); | 148 device_settings_service_->status(); |
| 145 if (first_update_ && | 149 if ((status == chromeos::DeviceSettingsService::STORE_SUCCESS || |
| 146 status != chromeos::DeviceSettingsService::STORE_TEMP_VALIDATION_ERROR) { | 150 status == chromeos::DeviceSettingsService::STORE_KEY_UNAVAILABLE || |
| 147 first_update_ = false; | 151 status == chromeos::DeviceSettingsService::STORE_NO_POLICY || |
| 152 status == chromeos::DeviceSettingsService::STORE_INVALID_POLICY || | |
| 153 status == chromeos::DeviceSettingsService::STORE_VALIDATION_ERROR) | |
|
pastarmovj
2014/07/18 10:14:54
I would suggest to change this to a switch to guar
Thiemo Nagel
2014/07/18 11:54:04
Done.
| |
| 154 && !enrollment_validation_done_) { | |
| 155 enrollment_validation_done_ = true; | |
| 148 const bool has_dm_token = | 156 const bool has_dm_token = |
| 149 status == chromeos::DeviceSettingsService::STORE_SUCCESS && | 157 status == chromeos::DeviceSettingsService::STORE_SUCCESS && |
| 150 device_settings_service_->policy_data() && | 158 device_settings_service_->policy_data() && |
| 151 device_settings_service_->policy_data()->has_request_token(); | 159 device_settings_service_->policy_data()->has_request_token(); |
| 152 | 160 |
| 153 // At the time LoginDisplayHostImpl decides whether enrollment flow is to be | 161 // At the time LoginDisplayHostImpl decides whether enrollment flow is to be |
| 154 // started, policy hasn't been read yet, so LoginDisplayHostImpl is not in a | 162 // started, policy hasn't been read yet, so LoginDisplayHostImpl is not in a |
| 155 // position to decide whether recovery is required. To work around this, | 163 // position to decide whether recovery is required. To work around this, |
| 156 // upon policy load on machines requiring recovery, a flag is stored in | 164 // upon policy load on machines requiring recovery, a flag is stored in |
| 157 // prefs which is accessed by LoginDisplayHostImpl early during (next) boot. | 165 // prefs which is accessed by LoginDisplayHostImpl early during (next) boot. |
| 158 if (!has_dm_token) { | 166 if (!has_dm_token) { |
| 159 LOG(ERROR) << "Policy read on enrolled device yields no DM token! " | 167 LOG(ERROR) << "Device policy read on enrolled device yields no DM token! " |
| 160 << "Status: " << status << "."; | 168 << "Status: " << status << "."; |
| 161 chromeos::StartupUtils::MarkEnrollmentRecoveryRequired(); | 169 chromeos::StartupUtils::MarkEnrollmentRecoveryRequired(); |
| 162 } | 170 } |
| 163 UMA_HISTOGRAM_BOOLEAN("Enterprise.EnrolledPolicyHasDMToken", has_dm_token); | 171 UMA_HISTOGRAM_BOOLEAN("Enterprise.EnrolledPolicyHasDMToken", has_dm_token); |
| 164 } | 172 } |
| 165 | 173 |
| 166 switch (device_settings_service_->status()) { | 174 switch (device_settings_service_->status()) { |
| 167 case chromeos::DeviceSettingsService::STORE_SUCCESS: { | 175 case chromeos::DeviceSettingsService::STORE_SUCCESS: { |
| 168 status_ = STATUS_OK; | 176 status_ = STATUS_OK; |
| 169 policy_.reset(new em::PolicyData()); | 177 policy_.reset(new em::PolicyData()); |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 192 case chromeos::DeviceSettingsService::STORE_VALIDATION_ERROR: | 200 case chromeos::DeviceSettingsService::STORE_VALIDATION_ERROR: |
| 193 case chromeos::DeviceSettingsService::STORE_TEMP_VALIDATION_ERROR: | 201 case chromeos::DeviceSettingsService::STORE_TEMP_VALIDATION_ERROR: |
| 194 status_ = STATUS_LOAD_ERROR; | 202 status_ = STATUS_LOAD_ERROR; |
| 195 break; | 203 break; |
| 196 } | 204 } |
| 197 | 205 |
| 198 NotifyStoreError(); | 206 NotifyStoreError(); |
| 199 } | 207 } |
| 200 | 208 |
| 201 } // namespace policy | 209 } // namespace policy |
| OLD | NEW |
