Chromium Code Reviews Chromium Code Reviews
Issue 822523003:
Implement device-local account policy pushing (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@f_2_442800_switch_device_cloud_policy_invalidator| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ | 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ |
| 6 #define CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ | 6 #define CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ |
| 7 | 7 |
| 8 #include <map> | 8 #include <map> |
| 9 #include <set> | 9 #include <set> |
| 10 #include <string> | 10 #include <string> |
| (...skipping 23 matching lines...) Expand all Loading... | |
| 34 class DeviceSettingsService; | 34 class DeviceSettingsService; |
| 35 class SessionManagerClient; | 35 class SessionManagerClient; |
| 36 } | 36 } |
| 37 | 37 |
| 38 namespace net { | 38 namespace net { |
| 39 class URLRequestContextGetter; | 39 class URLRequestContextGetter; |
| 40 } | 40 } |
| 41 | 41 |
| 42 namespace policy { | 42 namespace policy { |
| 43 | 43 |
| 44 class AffiliatedCloudPolicyInvalidator; | |
| 45 class AffiliatedInvalidationServiceProvider; | |
| 44 struct DeviceLocalAccount; | 46 struct DeviceLocalAccount; |
| 45 class DeviceLocalAccountExternalDataService; | 47 class DeviceLocalAccountExternalDataService; |
| 46 class DeviceLocalAccountPolicyStore; | 48 class DeviceLocalAccountPolicyStore; |
| 47 class DeviceManagementService; | 49 class DeviceManagementService; |
| 48 | 50 |
| 49 // The main switching central that downloads, caches, refreshes, etc. policy for | 51 // The main switching central that downloads, caches, refreshes, etc. policy for |
| 50 // a single device-local account. | 52 // a single device-local account. |
| 51 class DeviceLocalAccountPolicyBroker | 53 class DeviceLocalAccountPolicyBroker |
| 52 : public CloudPolicyStore::Observer, | 54 : public CloudPolicyStore::Observer, |
| 53 public ComponentCloudPolicyService::Delegate { | 55 public ComponentCloudPolicyService::Delegate { |
| 54 public: | 56 public: |
| 57 // |invalidation_service_provider| must outlive |this|. | |
| 55 // |policy_update_callback| will be invoked to notify observers that the | 58 // |policy_update_callback| will be invoked to notify observers that the |
| 56 // policy for |account| has been updated. | 59 // policy for |account| has been updated. |
| 57 // |task_runner| is the runner for policy refresh tasks. | 60 // |task_runner| is the runner for policy refresh tasks. |
| 58 DeviceLocalAccountPolicyBroker( | 61 DeviceLocalAccountPolicyBroker( |
| 59 const DeviceLocalAccount& account, | 62 const DeviceLocalAccount& account, |
| 60 const base::FilePath& component_policy_cache_path, | 63 const base::FilePath& component_policy_cache_path, |
| 61 scoped_ptr<DeviceLocalAccountPolicyStore> store, | 64 scoped_ptr<DeviceLocalAccountPolicyStore> store, |
| 62 scoped_refptr<DeviceLocalAccountExternalDataManager> | 65 scoped_refptr<DeviceLocalAccountExternalDataManager> |
| 63 external_data_manager, | 66 external_data_manager, |
| 64 const base::Closure& policy_updated_callback, | 67 const base::Closure& policy_updated_callback, |
| 65 const scoped_refptr<base::SequencedTaskRunner>& task_runner); | 68 const scoped_refptr<base::SequencedTaskRunner>& task_runner, |
| 69 AffiliatedInvalidationServiceProvider* invalidation_service_provider); | |
| 66 ~DeviceLocalAccountPolicyBroker() override; | 70 ~DeviceLocalAccountPolicyBroker() override; |
| 67 | 71 |
| 68 // Initialize the broker, loading its |store_|. | 72 // Initialize the broker, loading its |store_|. |
| 69 void Initialize(); | 73 void Initialize(); |
| 70 | 74 |
| 71 // For the difference between |account_id| and |user_id|, see the | 75 // For the difference between |account_id| and |user_id|, see the |
| 72 // documentation of DeviceLocalAccount. | 76 // documentation of DeviceLocalAccount. |
| 73 const std::string& account_id() const { return account_id_; } | 77 const std::string& account_id() const { return account_id_; } |
| 74 const std::string& user_id() const { return user_id_; } | 78 const std::string& user_id() const { return user_id_; } |
| 75 | 79 |
| 76 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> | 80 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> |
| 77 extension_loader() const { return extension_loader_; } | 81 extension_loader() const { return extension_loader_; } |
| 78 | 82 |
| 79 CloudPolicyCore* core() { return &core_; } | 83 CloudPolicyCore* core() { return &core_; } |
| 80 const CloudPolicyCore* core() const { return &core_; } | 84 const CloudPolicyCore* core() const { return &core_; } |
| 81 | 85 |
| 82 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager() { | 86 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager() { |
| 83 return external_data_manager_; | 87 return external_data_manager_; |
| 84 } | 88 } |
| 85 | 89 |
| 86 ComponentCloudPolicyService* component_policy_service() const { | 90 ComponentCloudPolicyService* component_policy_service() const { |
| 87 return component_policy_service_.get(); | 91 return component_policy_service_.get(); |
| 88 } | 92 } |
| 89 | 93 |
| 90 SchemaRegistry* schema_registry() { return &schema_registry_; } | 94 SchemaRegistry* schema_registry() { return &schema_registry_; } |
| 91 | 95 |
| 96 bool HasInvalidatorForTest() const; | |
| 97 | |
| 92 // Fire up the cloud connection for fetching policy for the account from the | 98 // Fire up the cloud connection for fetching policy for the account from the |
| 93 // cloud if this is an enterprise-managed device. | 99 // cloud if this is an enterprise-managed device. |
| 94 void ConnectIfPossible( | 100 void ConnectIfPossible( |
| 95 chromeos::DeviceSettingsService* device_settings_service, | 101 chromeos::DeviceSettingsService* device_settings_service, |
| 96 DeviceManagementService* device_management_service, | 102 DeviceManagementService* device_management_service, |
| 97 scoped_refptr<net::URLRequestContextGetter> request_context); | 103 scoped_refptr<net::URLRequestContextGetter> request_context); |
| 98 | 104 |
| 99 // Reads the refresh delay from policy and configures the refresh scheduler. | 105 // Reads the refresh delay from policy and configures the refresh scheduler. |
| 100 void UpdateRefreshDelay(); | 106 void UpdateRefreshDelay(); |
| 101 | 107 |
| 102 // Retrieves the display name for the account as stored in policy. Returns an | 108 // Retrieves the display name for the account as stored in policy. Returns an |
| 103 // empty string if the policy is not present. | 109 // empty string if the policy is not present. |
| 104 std::string GetDisplayName() const; | 110 std::string GetDisplayName() const; |
| 105 | 111 |
| 106 // CloudPolicyStore::Observer: | 112 // CloudPolicyStore::Observer: |
| 107 void OnStoreLoaded(CloudPolicyStore* store) override; | 113 void OnStoreLoaded(CloudPolicyStore* store) override; |
| 108 void OnStoreError(CloudPolicyStore* store) override; | 114 void OnStoreError(CloudPolicyStore* store) override; |
| 109 | 115 |
| 110 // ComponentCloudPolicyService::Delegate: | 116 // ComponentCloudPolicyService::Delegate: |
| 111 void OnComponentCloudPolicyUpdated() override; | 117 void OnComponentCloudPolicyUpdated() override; |
| 112 | 118 |
| 113 private: | 119 private: |
| 114 void CreateComponentCloudPolicyService( | 120 void CreateComponentCloudPolicyService( |
| 115 const scoped_refptr<net::URLRequestContextGetter>& request_context, | 121 const scoped_refptr<net::URLRequestContextGetter>& request_context, |
| 116 CloudPolicyClient* client); | 122 CloudPolicyClient* client); |
| 117 | 123 |
| 124 AffiliatedInvalidationServiceProvider* invalidation_service_provider_; | |
|
pneubeck (no reviews)
2015/02/04 10:02:14
nit: +const
bartfab (slow)
2015/02/04 12:34:51
Done.
| |
| 118 const std::string account_id_; | 125 const std::string account_id_; |
| 119 const std::string user_id_; | 126 const std::string user_id_; |
| 120 const base::FilePath component_policy_cache_path_; | 127 const base::FilePath component_policy_cache_path_; |
| 121 SchemaRegistry schema_registry_; | 128 SchemaRegistry schema_registry_; |
| 122 const scoped_ptr<DeviceLocalAccountPolicyStore> store_; | 129 const scoped_ptr<DeviceLocalAccountPolicyStore> store_; |
| 123 DeviceLocalAccountExtensionTracker extension_tracker_; | 130 DeviceLocalAccountExtensionTracker extension_tracker_; |
| 124 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager_; | 131 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager_; |
| 125 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> | 132 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> |
| 126 extension_loader_; | 133 extension_loader_; |
| 127 CloudPolicyCore core_; | 134 CloudPolicyCore core_; |
| 128 scoped_ptr<ComponentCloudPolicyService> component_policy_service_; | 135 scoped_ptr<ComponentCloudPolicyService> component_policy_service_; |
| 129 base::Closure policy_update_callback_; | 136 base::Closure policy_update_callback_; |
| 137 scoped_ptr<AffiliatedCloudPolicyInvalidator> invalidator_; | |
| 130 | 138 |
| 131 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyBroker); | 139 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyBroker); |
| 132 }; | 140 }; |
| 133 | 141 |
| 134 // Manages user policy blobs for device-local accounts present on the device. | 142 // Manages user policy blobs for device-local accounts present on the device. |
| 135 // The actual policy blobs are brokered by session_manager (to prevent file | 143 // The actual policy blobs are brokered by session_manager (to prevent file |
| 136 // manipulation), and we're making signature checks on the policy blobs to | 144 // manipulation), and we're making signature checks on the policy blobs to |
| 137 // ensure they're issued by the device owner. | 145 // ensure they're issued by the device owner. |
| 138 class DeviceLocalAccountPolicyService { | 146 class DeviceLocalAccountPolicyService { |
| 139 public: | 147 public: |
| 140 // Interface for interested parties to observe policy changes. | 148 // Interface for interested parties to observe policy changes. |
| 141 class Observer { | 149 class Observer { |
| 142 public: | 150 public: |
| 143 virtual ~Observer() {} | 151 virtual ~Observer() {} |
| 144 | 152 |
| 145 // Policy for the given |user_id| has changed. | 153 // Policy for the given |user_id| has changed. |
| 146 virtual void OnPolicyUpdated(const std::string& user_id) = 0; | 154 virtual void OnPolicyUpdated(const std::string& user_id) = 0; |
| 147 | 155 |
| 148 // The list of accounts has been updated. | 156 // The list of accounts has been updated. |
| 149 virtual void OnDeviceLocalAccountsChanged() = 0; | 157 virtual void OnDeviceLocalAccountsChanged() = 0; |
| 150 }; | 158 }; |
| 151 | 159 |
| 152 DeviceLocalAccountPolicyService( | 160 DeviceLocalAccountPolicyService( |
| 153 chromeos::SessionManagerClient* session_manager_client, | 161 chromeos::SessionManagerClient* session_manager_client, |
| 154 chromeos::DeviceSettingsService* device_settings_service, | 162 chromeos::DeviceSettingsService* device_settings_service, |
| 155 chromeos::CrosSettings* cros_settings, | 163 chromeos::CrosSettings* cros_settings, |
| 164 AffiliatedInvalidationServiceProvider* invalidation_service_provider, | |
| 156 scoped_refptr<base::SequencedTaskRunner> store_background_task_runner, | 165 scoped_refptr<base::SequencedTaskRunner> store_background_task_runner, |
| 157 scoped_refptr<base::SequencedTaskRunner> extension_cache_task_runner, | 166 scoped_refptr<base::SequencedTaskRunner> extension_cache_task_runner, |
| 158 scoped_refptr<base::SequencedTaskRunner> | 167 scoped_refptr<base::SequencedTaskRunner> |
| 159 external_data_service_backend_task_runner, | 168 external_data_service_backend_task_runner, |
| 160 scoped_refptr<base::SequencedTaskRunner> io_task_runner, | 169 scoped_refptr<base::SequencedTaskRunner> io_task_runner, |
| 161 scoped_refptr<net::URLRequestContextGetter> request_context); | 170 scoped_refptr<net::URLRequestContextGetter> request_context); |
| 162 virtual ~DeviceLocalAccountPolicyService(); | 171 virtual ~DeviceLocalAccountPolicyService(); |
| 163 | 172 |
| 164 // Shuts down the service and prevents further policy fetches from the cloud. | 173 // Shuts down the service and prevents further policy fetches from the cloud. |
| 165 void Shutdown(); | 174 void Shutdown(); |
| (...skipping 54 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 220 DeviceLocalAccountPolicyBroker* GetBrokerForStore(CloudPolicyStore* store); | 229 DeviceLocalAccountPolicyBroker* GetBrokerForStore(CloudPolicyStore* store); |
| 221 | 230 |
| 222 // Notifies the |observers_| that the policy for |user_id| has changed. | 231 // Notifies the |observers_| that the policy for |user_id| has changed. |
| 223 void NotifyPolicyUpdated(const std::string& user_id); | 232 void NotifyPolicyUpdated(const std::string& user_id); |
| 224 | 233 |
| 225 ObserverList<Observer, true> observers_; | 234 ObserverList<Observer, true> observers_; |
| 226 | 235 |
| 227 chromeos::SessionManagerClient* session_manager_client_; | 236 chromeos::SessionManagerClient* session_manager_client_; |
| 228 chromeos::DeviceSettingsService* device_settings_service_; | 237 chromeos::DeviceSettingsService* device_settings_service_; |
| 229 chromeos::CrosSettings* cros_settings_; | 238 chromeos::CrosSettings* cros_settings_; |
| 239 AffiliatedInvalidationServiceProvider* invalidation_service_provider_; | |
| 230 | 240 |
| 231 DeviceManagementService* device_management_service_; | 241 DeviceManagementService* device_management_service_; |
| 232 | 242 |
| 233 // The device-local account policy brokers, keyed by user ID. | 243 // The device-local account policy brokers, keyed by user ID. |
| 234 PolicyBrokerMap policy_brokers_; | 244 PolicyBrokerMap policy_brokers_; |
| 235 | 245 |
| 236 // Whether a call to UpdateAccountList() is pending because |cros_settings_| | 246 // Whether a call to UpdateAccountList() is pending because |cros_settings_| |
| 237 // are not trusted yet. | 247 // are not trusted yet. |
| 238 bool waiting_for_cros_settings_; | 248 bool waiting_for_cros_settings_; |
| 239 | 249 |
| (...skipping 26 matching lines...) Expand all Loading... | |
| 266 base::FilePath component_policy_cache_root_; | 276 base::FilePath component_policy_cache_root_; |
| 267 | 277 |
| 268 base::WeakPtrFactory<DeviceLocalAccountPolicyService> weak_factory_; | 278 base::WeakPtrFactory<DeviceLocalAccountPolicyService> weak_factory_; |
| 269 | 279 |
| 270 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyService); | 280 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyService); |
| 271 }; | 281 }; |
| 272 | 282 |
| 273 } // namespace policy | 283 } // namespace policy |
| 274 | 284 |
| 275 #endif // CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ | 285 #endif // CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ |
| OLD | NEW |
