Reporting of policy errors via host-offline-reason: part 1

remoting/host/policy_hack/policy_watcher.h

Index: remoting/host/policy_hack/policy_watcher.h
diff --git a/remoting/host/policy_hack/policy_watcher.h b/remoting/host/policy_hack/policy_watcher.h
index 0ced8f23a4a7c55437e8fb0566dbb359a8c8adef..069bd4069ec95a24c6e9b70fabbd04dd16db3d1c 100644
--- a/remoting/host/policy_hack/policy_watcher.h
+++ b/remoting/host/policy_hack/policy_watcher.h
@@ -25,17 +25,33 @@ class PolicyWatcher {
  public:
   // Called first with all policies, and subsequently with any changed policies.
   typedef base::Callback<void(scoped_ptr<base::DictionaryValue>)>
-      PolicyCallback;
+      PolicyUpdatedCallback;
+
+  // Called after detecting malformed policies.
+  typedef base::Callback<void()> PolicyErrorCallback;
 
   explicit PolicyWatcher(
       scoped_refptr<base::SingleThreadTaskRunner> task_runner);
   virtual ~PolicyWatcher();
 
-  // This guarantees that the |policy_callback| is called at least once with
-  // the current policies.  After that, |policy_callback| will be called
-  // whenever a change to any policy is detected. It will then be called only
-  // with the changed policies.
-  virtual void StartWatching(const PolicyCallback& policy_callback);
+  // This guarantees that the |policy_updated_callback| is called at least once
+  // with the current policies.  After that, |policy_updated_callback| will be
+  // called whenever a change to any policy is detected. It will then be called
+  // only with the changed policies.
+  //
+  // |policy_error_callback| will be called when malformed policies are detected
+  // (i.e. wrong type of policy value, or unparseable files under
+  // /etc/opt/chrome/policies/managed).
+  // When called, the |policy_error_callback| is responsible for mitigating the
+  // security risk of running with incorrectly formulated policies (by either
+  // shutting down or locking down the host).
+  // After calling |policy_error_callback| PolicyWatcher will continue watching

[Łukasz Anforowicz, 2014/11/13 17:51:15]

"will continue watching" is not technically true for Mac implementation... 
Still - I think this comment is fine:

1. Mac implementation says that users expect to have to log out and log back in
for policy^H^H^H pref changes to take effect

2. Setting expectations that both callbacks can be called multiple times is
safest / requires users of PolicyWatchers to be most robust (i.e. the Mac
behavior shouldn't trip the user from C++ memory management perspective)

+  // for policy changes and will call |policy_updated_callback| when the error
+  // is recovered from and may call |policy_error_callback| when new errors are
+  // found.
+  virtual void StartWatching(
+      const PolicyUpdatedCallback& policy_updated_callback,
+      const PolicyErrorCallback& policy_error_callback);
 
   // Should be called after StartWatching() before the object is deleted. Calls
   // just wait for |done| to be signaled before deleting the object.
@@ -98,6 +114,15 @@ class PolicyWatcher {
   // relevant policies.
   void UpdatePolicies(const base::DictionaryValue* new_policy);
 
+  // Signals policy error to the registered |PolicyErrorCallback|.
+  void SignalPolicyError();
+
+  // Called whenever a transient error occurs during reading of policy files.
+  // This will increment a counter, and will trigger a call to
+  // SignalPolicyError() only after a threshold count is reached.
+  // The counter is reset whenever policy has been successfully read.
+  void SignalTransientPolicyError();
+
   // Used for time-based reloads in case something goes wrong with the
   // notification system.
   void ScheduleFallbackReloadTask();
@@ -109,7 +134,9 @@ class PolicyWatcher {
  private:
   scoped_refptr<base::SingleThreadTaskRunner> task_runner_;
 
-  PolicyCallback policy_callback_;
+  PolicyUpdatedCallback policy_updated_callback_;
+  PolicyErrorCallback policy_error_callback_;
+  int transient_policy_error_retry_counter_;
 
   scoped_ptr<base::DictionaryValue> old_policies_;
   scoped_ptr<base::DictionaryValue> default_values_;