Reporting of policy errors via host-offline-reason: part 1

remoting/host/policy_hack/policy_watcher.cc

Index: remoting/host/policy_hack/policy_watcher.cc
diff --git a/remoting/host/policy_hack/policy_watcher.cc b/remoting/host/policy_hack/policy_watcher.cc
index e603cf5032459caaea20f88d40671df5d4aaa0cc..74f97d626a5fc3f1878853f232537e3aaed099f4 100644
--- a/remoting/host/policy_hack/policy_watcher.cc
+++ b/remoting/host/policy_hack/policy_watcher.cc
@@ -119,6 +119,7 @@ const char PolicyWatcher::kHostDebugOverridePoliciesName[] =
 PolicyWatcher::PolicyWatcher(
     scoped_refptr<base::SingleThreadTaskRunner> task_runner)
     : task_runner_(task_runner),
+      transient_policy_error_retry_counter_(0),
       old_policies_(new base::DictionaryValue()),
       default_values_(new base::DictionaryValue()),
       weak_factory_(this) {
@@ -152,16 +153,20 @@ PolicyWatcher::PolicyWatcher(
 PolicyWatcher::~PolicyWatcher() {
 }
 
-void PolicyWatcher::StartWatching(const PolicyCallback& policy_callback) {
+void PolicyWatcher::StartWatching(
+    const PolicyUpdatedCallback& policy_updated_callback,
+    const PolicyErrorCallback& policy_error_callback) {
   if (!OnPolicyWatcherThread()) {
     task_runner_->PostTask(FROM_HERE,
                            base::Bind(&PolicyWatcher::StartWatching,
                                       base::Unretained(this),
-                                      policy_callback));
+                                      policy_updated_callback,
+                                      policy_error_callback));
     return;
   }
 
-  policy_callback_ = policy_callback;
+  policy_updated_callback_ = policy_updated_callback;
+  policy_error_callback_ = policy_error_callback;
   StartWatchingInternal();
 }
 
@@ -175,7 +180,8 @@ void PolicyWatcher::StopWatching(base::WaitableEvent* done) {
 
   StopWatchingInternal();
   weak_factory_.InvalidateWeakPtrs();
-  policy_callback_.Reset();
+  policy_updated_callback_.Reset();
+  policy_error_callback_.Reset();
 
   done->Signal();
 }
@@ -206,6 +212,8 @@ void PolicyWatcher::UpdatePolicies(
     const base::DictionaryValue* new_policies_raw) {
   DCHECK(OnPolicyWatcherThread());
 
+  transient_policy_error_retry_counter_ = 0;
+
   // Use default values for any missing policies.
   scoped_ptr<base::DictionaryValue> new_policies =
       CopyGoodValuesAndAddDefaults(
@@ -229,7 +237,30 @@ void PolicyWatcher::UpdatePolicies(
 
   // Notify our client of the changed policies.
   if (!changed_policies->empty()) {
-    policy_callback_.Run(changed_policies.Pass());
+    policy_updated_callback_.Run(changed_policies.Pass());
+  }
+}
+
+void PolicyWatcher::SignalPolicyError() {
+  policy_error_callback_.Run();

[Lambros, 2014/11/13 00:30:26]

Depending on what you think should happen, you might want to reset the transient
counter here?

[Łukasz Anforowicz, 2014/11/13 17:48:08]

Good point. Done.

+}
+
+void PolicyWatcher::SignalTransientPolicyError() {
+  // TODO(lukasza): max=5 helps recover from transient errors of short
+  //                duration (i.e. reading a partially written file),

[Lambros, 2014/11/13 00:30:26]

nit: Don't indent the whole TODO block. See examples elsewhere for how to format
this.

+  //                but won't help with longer problems (i.e. malformed
+  //                policy pushed out via group policy or puppet will
+  //                most likely still trigger SignalPolicyError)

[Lambros, 2014/11/13 00:30:26]

Is it this class's responsibility to figure out what to do about long-term
policy errors? Is the PolicyErrorCallback not a good-enough interface?

I think it might be better to document in the class header what happens after
SignalPolicyError() is triggered? Will this class continue to report further
errors/updates, or will it stop watching altogether?

[Łukasz Anforowicz, 2014/11/13 17:48:08]

Good point on documenting in the header the current behavior of continuing to
process policy files even after reporting the error.

Yes - I guess it is HostProcess's responsibility to deal with long-term policy
errors.

So:
- I am adding a comment to the header file (next to StartWatching method)
- I am removing this TODO
- Do we need to discuss what to do going forward with the long-term failures
(and recovery from long-term failures)?  The current changelist can probably
checked-in as-is (unless you want me to move the TODO to HostProcess class).  I
am not sure how important the long-term-policy-error-autorecovery is + whether
it should be tracked as a separate bug (maybe I should just open one and let
triage team decide?).

+  //              Potential solution #1: keep the host running in
+  //                security-lock-down mode to keep reparsing the policies
+  //                (i.e. don't call Shutdown in me2me's OnPolicyError)
+  //              Potential solution #2: maybe retry at init.d-level?
+  //              Potential solution #3: maybe using Chrome-wide policy
+  //                libraries rather than policy_hack will help?
+  const int MAX_RETRY_COUNT = 5;

[Lambros, 2014/11/13 00:30:27]

nit: kMaxRetryCount

[Łukasz Anforowicz, 2014/11/13 17:48:08]

Done.

+  transient_policy_error_retry_counter_ += 1;
+  if (transient_policy_error_retry_counter_ >= MAX_RETRY_COUNT) {
+    SignalPolicyError();
   }
 }