1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"
8 #include "base/callback.h"
9 #include "base/values.h"
10 #include "chrome/browser/browser_process.h"
11 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
12 #include "chromeos/dbus/power_policy_controller.h"
13 #include "chromeos/dbus/session_manager_client.h"
14 #include "components/policy/core/common/cloud/device_management_service.h"
15 #include "components/policy/core/common/external_data_fetcher.h"
16 #include "components/policy/core/common/policy_types.h"
17 #include "policy/policy_constants.h"
18 #include "policy/proto/cloud_policy.pb.h"
19 #include "policy/proto/device_management_backend.pb.h"
21 namespace em = enterprise_management;
25 DeviceLocalAccountPolicyStore::DeviceLocalAccountPolicyStore(
26 const std::string& account_id,
27 chromeos::SessionManagerClient* session_manager_client,
28 chromeos::DeviceSettingsService* device_settings_service,
29 scoped_refptr<base::SequencedTaskRunner> background_task_runner)
30 : UserCloudPolicyStoreBase(background_task_runner),
31 account_id_(account_id),
32 session_manager_client_(session_manager_client),
33 device_settings_service_(device_settings_service),
34 weak_factory_(this) {}
36 DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {}
38 void DeviceLocalAccountPolicyStore::Load() {
39 weak_factory_.InvalidateWeakPtrs();
40 session_manager_client_->RetrieveDeviceLocalAccountPolicy(
42 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob,
43 weak_factory_.GetWeakPtr()));
46 void DeviceLocalAccountPolicyStore::Store(
47 const em::PolicyFetchResponse& policy) {
48 weak_factory_.InvalidateWeakPtrs();
51 make_scoped_ptr(new em::PolicyFetchResponse(policy)),
52 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy,
53 weak_factory_.GetWeakPtr()));
56 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob(
57 const std::string& policy_blob) {
58 if (policy_blob.empty()) {
59 status_ = CloudPolicyStore::STATUS_LOAD_ERROR;
62 scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse());
63 if (policy->ParseFromString(policy_blob)) {
67 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy,
68 weak_factory_.GetWeakPtr()));
70 status_ = CloudPolicyStore::STATUS_PARSE_ERROR;
76 void DeviceLocalAccountPolicyStore::UpdatePolicy(
77 UserCloudPolicyValidator* validator) {
78 validation_status_ = validator->status();
79 if (!validator->success()) {
80 status_ = STATUS_VALIDATION_ERROR;
85 InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
86 // Exit the session when the lid is closed. The default behavior is to
87 // suspend while leaving the session running, which is not desirable for
89 policy_map_.Set(key::kLidCloseAction,
90 POLICY_LEVEL_MANDATORY,
92 base::Value::CreateIntegerValue(
93 chromeos::PowerPolicyController::ACTION_STOP_SESSION),
95 // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the ash
96 // shelf does not auto-hide.
97 policy_map_.Set(key::kShelfAutoHideBehavior,
98 POLICY_LEVEL_MANDATORY,
100 base::Value::CreateStringValue("Never"),
102 // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big,
103 // red logout button is shown in the ash system tray.
104 policy_map_.Set(key::kShowLogoutButtonInTray,
105 POLICY_LEVEL_MANDATORY,
107 base::Value::CreateBooleanValue(true),
109 // Force the |FullscreenAllowed| policy to |false|, ensuring that the ash
110 // shelf cannot be hidden by entering fullscreen mode.
111 policy_map_.Set(key::kFullscreenAllowed,
112 POLICY_LEVEL_MANDATORY,
114 base::Value::CreateBooleanValue(false),
121 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy(
122 UserCloudPolicyValidator* validator) {
123 if (!validator->success()) {
124 status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR;
125 validation_status_ = validator->status();
130 std::string policy_blob;
131 if (!validator->policy()->SerializeToString(&policy_blob)) {
132 status_ = CloudPolicyStore::STATUS_SERIALIZE_ERROR;
137 session_manager_client_->StoreDeviceLocalAccountPolicy(
140 base::Bind(&DeviceLocalAccountPolicyStore::HandleStoreResult,
141 weak_factory_.GetWeakPtr()));
144 void DeviceLocalAccountPolicyStore::HandleStoreResult(bool success) {
146 status_ = CloudPolicyStore::STATUS_STORE_ERROR;
153 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate(
154 bool valid_timestamp_required,
155 scoped_ptr<em::PolicyFetchResponse> policy,
156 const UserCloudPolicyValidator::CompletionCallback& callback) {
157 device_settings_service_->GetOwnershipStatusAsync(
158 base::Bind(&DeviceLocalAccountPolicyStore::Validate,
159 weak_factory_.GetWeakPtr(),
160 valid_timestamp_required,
161 base::Passed(&policy),
165 void DeviceLocalAccountPolicyStore::Validate(
166 bool valid_timestamp_required,
167 scoped_ptr<em::PolicyFetchResponse> policy_response,
168 const UserCloudPolicyValidator::CompletionCallback& callback,
169 chromeos::DeviceSettingsService::OwnershipStatus ownership_status) {
170 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN,
172 scoped_refptr<chromeos::OwnerKey> key =
173 device_settings_service_->GetOwnerKey();
174 if (!key.get() || !key->public_key()) {
175 status_ = CloudPolicyStore::STATUS_BAD_STATE;
180 scoped_ptr<UserCloudPolicyValidator> validator(
181 UserCloudPolicyValidator::Create(policy_response.Pass(),
182 background_task_runner()));
183 validator->ValidateUsername(account_id_);
184 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);
185 // The timestamp is verified when storing a new policy downloaded from the
186 // server but not when loading a cached policy from disk.
187 // See SessionManagerOperation::ValidateDeviceSettings for the rationale.
188 validator->ValidateAgainstCurrentPolicy(
190 valid_timestamp_required
191 ? CloudPolicyValidatorBase::TIMESTAMP_REQUIRED
192 : CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED,
193 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
194 validator->ValidatePayload();
195 policy::BrowserPolicyConnectorChromeOS* connector =
196 g_browser_process->platform_part()->browser_policy_connector_chromeos();
197 validator->ValidateSignature(key->public_key_as_string(),
198 GetPolicyVerificationKey(),
199 connector->GetEnterpriseDomain(),
201 validator.release()->StartValidation(callback);
204 } // namespace policy