src/chrome/browser/chromeos/policy/device_local_account_policy_store.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"
   6
   7 #include "base/bind.h"
   8 #include "base/callback.h"
   9 #include "base/values.h"
  10 #include "chrome/browser/browser_process.h"
  11 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
  12 #include "chromeos/dbus/power_policy_controller.h"
  13 #include "chromeos/dbus/session_manager_client.h"
  14 #include "components/policy/core/common/cloud/device_management_service.h"
  15 #include "components/policy/core/common/external_data_fetcher.h"
  16 #include "components/policy/core/common/policy_types.h"
  17 #include "policy/policy_constants.h"
  18 #include "policy/proto/cloud_policy.pb.h"
  19 #include "policy/proto/device_management_backend.pb.h"
  20
  21 namespace em = enterprise_management;
  22
  23 namespace policy {
  24
  25 DeviceLocalAccountPolicyStore::DeviceLocalAccountPolicyStore(
  26     const std::string& account_id,
  27     chromeos::SessionManagerClient* session_manager_client,
  28     chromeos::DeviceSettingsService* device_settings_service,
  29     scoped_refptr<base::SequencedTaskRunner> background_task_runner)
  30     : UserCloudPolicyStoreBase(background_task_runner),
  31       account_id_(account_id),
  32       session_manager_client_(session_manager_client),
  33       device_settings_service_(device_settings_service),
  34       weak_factory_(this) {}
  35
  36 DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {}
  37
  38 void DeviceLocalAccountPolicyStore::Load() {
  39   weak_factory_.InvalidateWeakPtrs();
  40   session_manager_client_->RetrieveDeviceLocalAccountPolicy(
  41       account_id_,
  42       base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob,
  43                  weak_factory_.GetWeakPtr()));
  44 }
  45
  46 void DeviceLocalAccountPolicyStore::Store(
  47     const em::PolicyFetchResponse& policy) {
  48   weak_factory_.InvalidateWeakPtrs();
  49   CheckKeyAndValidate(
  50       true,
  51       make_scoped_ptr(new em::PolicyFetchResponse(policy)),
  52       base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy,
  53                  weak_factory_.GetWeakPtr()));
  54 }
  55
  56 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob(
  57     const std::string& policy_blob) {
  58   if (policy_blob.empty()) {
  59     status_ = CloudPolicyStore::STATUS_LOAD_ERROR;
  60     NotifyStoreError();
  61   } else {
  62     scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse());
  63     if (policy->ParseFromString(policy_blob)) {
  64       CheckKeyAndValidate(
  65           false,
  66           policy.Pass(),
  67           base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy,
  68                      weak_factory_.GetWeakPtr()));
  69     } else {
  70       status_ = CloudPolicyStore::STATUS_PARSE_ERROR;
  71       NotifyStoreError();
  72     }
  73   }
  74 }
  75
  76 void DeviceLocalAccountPolicyStore::UpdatePolicy(
  77     UserCloudPolicyValidator* validator) {
  78   validation_status_ = validator->status();
  79   if (!validator->success()) {
  80     status_ = STATUS_VALIDATION_ERROR;
  81     NotifyStoreError();
  82     return;
  83   }
  84
  85   InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
  86   // Exit the session when the lid is closed. The default behavior is to
  87   // suspend while leaving the session running, which is not desirable for
  88   // public sessions.
  89   policy_map_.Set(key::kLidCloseAction,
  90                   POLICY_LEVEL_MANDATORY,
  91                   POLICY_SCOPE_USER,
  92                   base::Value::CreateIntegerValue(
  93                       chromeos::PowerPolicyController::ACTION_STOP_SESSION),
  94                   NULL);
  95   // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the ash
  96   // shelf does not auto-hide.
  97   policy_map_.Set(key::kShelfAutoHideBehavior,
  98                   POLICY_LEVEL_MANDATORY,
  99                   POLICY_SCOPE_USER,
 100                   base::Value::CreateStringValue("Never"),
 101                   NULL);
 102   // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big,
 103   // red logout button is shown in the ash system tray.
 104   policy_map_.Set(key::kShowLogoutButtonInTray,
 105                   POLICY_LEVEL_MANDATORY,
 106                   POLICY_SCOPE_USER,
 107                   base::Value::CreateBooleanValue(true),
 108                   NULL);
 109   // Force the |FullscreenAllowed| policy to |false|, ensuring that the ash
 110   // shelf cannot be hidden by entering fullscreen mode.
 111   policy_map_.Set(key::kFullscreenAllowed,
 112                   POLICY_LEVEL_MANDATORY,
 113                   POLICY_SCOPE_USER,
 114                   base::Value::CreateBooleanValue(false),
 115                   NULL);
 116
 117   status_ = STATUS_OK;
 118   NotifyStoreLoaded();
 119 }
 120
 121 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy(
 122     UserCloudPolicyValidator* validator) {
 123   if (!validator->success()) {
 124     status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR;
 125     validation_status_ = validator->status();
 126     NotifyStoreError();
 127     return;
 128   }
 129
 130   std::string policy_blob;
 131   if (!validator->policy()->SerializeToString(&policy_blob)) {
 132     status_ = CloudPolicyStore::STATUS_SERIALIZE_ERROR;
 133     NotifyStoreError();
 134     return;
 135   }
 136
 137   session_manager_client_->StoreDeviceLocalAccountPolicy(
 138       account_id_,
 139       policy_blob,
 140       base::Bind(&DeviceLocalAccountPolicyStore::HandleStoreResult,
 141                  weak_factory_.GetWeakPtr()));
 142 }
 143
 144 void DeviceLocalAccountPolicyStore::HandleStoreResult(bool success) {
 145   if (!success) {
 146     status_ = CloudPolicyStore::STATUS_STORE_ERROR;
 147     NotifyStoreError();
 148   } else {
 149     Load();
 150   }
 151 }
 152
 153 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate(
 154     bool valid_timestamp_required,
 155     scoped_ptr<em::PolicyFetchResponse> policy,
 156     const UserCloudPolicyValidator::CompletionCallback& callback) {
 157   device_settings_service_->GetOwnershipStatusAsync(
 158       base::Bind(&DeviceLocalAccountPolicyStore::Validate,
 159                  weak_factory_.GetWeakPtr(),
 160                  valid_timestamp_required,
 161                  base::Passed(&policy),
 162                  callback));
 163 }
 164
 165 void DeviceLocalAccountPolicyStore::Validate(
 166     bool valid_timestamp_required,
 167     scoped_ptr<em::PolicyFetchResponse> policy_response,
 168     const UserCloudPolicyValidator::CompletionCallback& callback,
 169     chromeos::DeviceSettingsService::OwnershipStatus ownership_status) {
 170   DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN,
 171             ownership_status);
 172   scoped_refptr<chromeos::OwnerKey> key =
 173       device_settings_service_->GetOwnerKey();
 174   if (!key.get() || !key->public_key()) {
 175     status_ = CloudPolicyStore::STATUS_BAD_STATE;
 176     NotifyStoreLoaded();
 177     return;
 178   }
 179
 180   scoped_ptr<UserCloudPolicyValidator> validator(
 181       UserCloudPolicyValidator::Create(policy_response.Pass(),
 182                                        background_task_runner()));
 183   validator->ValidateUsername(account_id_);
 184   validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);
 185   // The timestamp is verified when storing a new policy downloaded from the
 186   // server but not when loading a cached policy from disk.
 187   // See SessionManagerOperation::ValidateDeviceSettings for the rationale.
 188   validator->ValidateAgainstCurrentPolicy(
 189       policy(),
 190       valid_timestamp_required
 191           ? CloudPolicyValidatorBase::TIMESTAMP_REQUIRED
 192           : CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED,
 193       CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
 194   validator->ValidatePayload();
 195   policy::BrowserPolicyConnectorChromeOS* connector =
 196       g_browser_process->platform_part()->browser_policy_connector_chromeos();
 197   validator->ValidateSignature(key->public_key_as_string(),
 198                                GetPolicyVerificationKey(),
 199                                connector->GetEnterpriseDomain(),
 200                                false);
 201   validator.release()->StartValidation(callback);
 202 }
 203
 204 }  // namespace policy