1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
9 #include "base/command_line.h"
10 #include "base/files/file_path.h"
11 #include "base/location.h"
12 #include "base/logging.h"
13 #include "base/message_loop/message_loop.h"
14 #include "base/path_service.h"
15 #include "base/prefs/pref_registry_simple.h"
16 #include "base/sequenced_task_runner.h"
17 #include "base/strings/utf_string_conversions.h"
18 #include "base/thread_task_runner_handle.h"
19 #include "base/threading/sequenced_worker_pool.h"
20 #include "chrome/browser/chromeos/policy/affiliated_cloud_policy_invalidator.h"
21 #include "chrome/browser/chromeos/policy/affiliated_invalidation_service_provider.h"
22 #include "chrome/browser/chromeos/policy/affiliated_invalidation_service_provider_impl.h"
23 #include "chrome/browser/chromeos/policy/consumer_management_service.h"
24 #include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
25 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
26 #include "chrome/browser/chromeos/policy/device_local_account.h"
27 #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
28 #include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
29 #include "chrome/browser/chromeos/policy/enrollment_config.h"
30 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
31 #include "chrome/browser/chromeos/policy/remote_commands/affiliated_remote_commands_invalidator.h"
32 #include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
33 #include "chrome/browser/chromeos/settings/cros_settings.h"
34 #include "chrome/browser/chromeos/settings/device_settings_service.h"
35 #include "chrome/browser/policy/device_management_service_configuration.h"
36 #include "chrome/common/pref_names.h"
37 #include "chromeos/chromeos_paths.h"
38 #include "chromeos/chromeos_switches.h"
39 #include "chromeos/cryptohome/system_salt_getter.h"
40 #include "chromeos/dbus/cryptohome_client.h"
41 #include "chromeos/dbus/dbus_thread_manager.h"
42 #include "chromeos/network/network_handler.h"
43 #include "chromeos/network/onc/onc_certificate_importer_impl.h"
44 #include "chromeos/settings/cros_settings_names.h"
45 #include "chromeos/settings/cros_settings_provider.h"
46 #include "chromeos/settings/timezone_settings.h"
47 #include "components/policy/core/common/cloud/cloud_policy_client.h"
48 #include "components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h"
49 #include "components/policy/core/common/proxy_policy_provider.h"
50 #include "content/public/browser/browser_thread.h"
51 #include "google_apis/gaia/gaia_auth_util.h"
52 #include "net/url_request/url_request_context_getter.h"
53 #include "policy/proto/device_management_backend.pb.h"
55 using content::BrowserThread
;
61 // TODO(davidyu): Update the URL to the real one once it is ready.
62 // http://crbug.com/366491.
64 // The URL for the consumer device management server.
65 const char kDefaultConsumerDeviceManagementServerUrl
[] =
66 "https://m.google.com/devicemanagement/data/api";
68 // Install attributes for tests.
69 EnterpriseInstallAttributes
* g_testing_install_attributes
= NULL
;
71 // Helper that returns a new SequencedTaskRunner backed by the blocking pool.
72 // Each SequencedTaskRunner returned is independent from the others.
73 scoped_refptr
<base::SequencedTaskRunner
> GetBackgroundTaskRunner() {
74 base::SequencedWorkerPool
* pool
= BrowserThread::GetBlockingPool();
76 return pool
->GetSequencedTaskRunnerWithShutdownBehavior(
77 pool
->GetSequenceToken(), base::SequencedWorkerPool::SKIP_ON_SHUTDOWN
);
80 std::string
GetDeviceManagementServerUrlForConsumer() {
81 const base::CommandLine
* command_line
=
82 base::CommandLine::ForCurrentProcess();
83 if (command_line
->HasSwitch(
84 chromeos::switches::kConsumerDeviceManagementUrl
)) {
85 return command_line
->GetSwitchValueASCII(
86 chromeos::switches::kConsumerDeviceManagementUrl
);
88 return kDefaultConsumerDeviceManagementServerUrl
;
93 BrowserPolicyConnectorChromeOS::BrowserPolicyConnectorChromeOS()
94 : device_cloud_policy_manager_(NULL
),
95 global_user_cloud_policy_provider_(NULL
),
96 weak_ptr_factory_(this) {
97 if (g_testing_install_attributes
) {
98 install_attributes_
.reset(g_testing_install_attributes
);
99 g_testing_install_attributes
= NULL
;
102 // SystemSaltGetter or DBusThreadManager may be uninitialized on unit tests.
104 // TODO(satorux): Remove SystemSaltGetter::IsInitialized() when it's ready
105 // (removing it now breaks tests). crbug.com/141016.
106 if (chromeos::SystemSaltGetter::IsInitialized() &&
107 chromeos::DBusThreadManager::IsInitialized()) {
108 state_keys_broker_
.reset(new ServerBackedStateKeysBroker(
109 chromeos::DBusThreadManager::Get()->GetSessionManagerClient(),
110 base::ThreadTaskRunnerHandle::Get()));
112 chromeos::CryptohomeClient
* cryptohome_client
=
113 chromeos::DBusThreadManager::Get()->GetCryptohomeClient();
115 // Don't initialize install attributes if g_testing_install_attributes have
117 if (!install_attributes_
) {
118 install_attributes_
.reset(
119 new EnterpriseInstallAttributes(cryptohome_client
));
120 base::FilePath install_attrs_file
;
121 CHECK(PathService::Get(chromeos::FILE_INSTALL_ATTRIBUTES
,
122 &install_attrs_file
));
123 install_attributes_
->Init(install_attrs_file
);
126 const base::CommandLine
* command_line
=
127 base::CommandLine::ForCurrentProcess();
128 if (command_line
->HasSwitch(
129 chromeos::switches::kEnableConsumerManagement
)) {
130 consumer_management_service_
.reset(
131 new ConsumerManagementService(
133 chromeos::DeviceSettingsService::Get()));
136 scoped_ptr
<DeviceCloudPolicyStoreChromeOS
> device_cloud_policy_store(
137 new DeviceCloudPolicyStoreChromeOS(
138 chromeos::DeviceSettingsService::Get(),
139 install_attributes_
.get(),
140 GetBackgroundTaskRunner()));
141 device_cloud_policy_manager_
= new DeviceCloudPolicyManagerChromeOS(
142 device_cloud_policy_store
.Pass(), base::ThreadTaskRunnerHandle::Get(),
143 state_keys_broker_
.get());
145 scoped_ptr
<ConfigurationPolicyProvider
>(device_cloud_policy_manager_
));
148 global_user_cloud_policy_provider_
= new ProxyPolicyProvider();
149 AddPolicyProvider(scoped_ptr
<ConfigurationPolicyProvider
>(
150 global_user_cloud_policy_provider_
));
153 BrowserPolicyConnectorChromeOS::~BrowserPolicyConnectorChromeOS() {}
155 void BrowserPolicyConnectorChromeOS::Init(
156 PrefService
* local_state
,
157 scoped_refptr
<net::URLRequestContextGetter
> request_context
) {
158 local_state_
= local_state
;
159 ChromeBrowserPolicyConnector::Init(local_state
, request_context
);
161 affiliated_invalidation_service_provider_
.reset(
162 new AffiliatedInvalidationServiceProviderImpl
);
164 const base::CommandLine
* command_line
=
165 base::CommandLine::ForCurrentProcess();
166 if (command_line
->HasSwitch(chromeos::switches::kEnableConsumerManagement
)) {
167 scoped_ptr
<DeviceManagementService::Configuration
> configuration(
168 new DeviceManagementServiceConfiguration(
169 GetDeviceManagementServerUrlForConsumer()));
170 consumer_device_management_service_
.reset(
171 new DeviceManagementService(configuration
.Pass()));
172 consumer_device_management_service_
->ScheduleInitialization(
173 kServiceInitializationStartupDelay
);
176 if (device_cloud_policy_manager_
) {
177 // Note: for now the |device_cloud_policy_manager_| is using the global
178 // schema registry. Eventually it will have its own registry, once device
179 // cloud policy for extensions is introduced. That means it'd have to be
180 // initialized from here instead of BrowserPolicyConnector::Init().
182 device_cloud_policy_manager_
->Initialize(local_state
);
183 device_cloud_policy_manager_
->AddDeviceCloudPolicyManagerObserver(this);
184 RestartDeviceCloudPolicyInitializer();
187 device_local_account_policy_service_
.reset(
188 new DeviceLocalAccountPolicyService(
189 chromeos::DBusThreadManager::Get()->GetSessionManagerClient(),
190 chromeos::DeviceSettingsService::Get(),
191 chromeos::CrosSettings::Get(),
192 affiliated_invalidation_service_provider_
.get(),
193 GetBackgroundTaskRunner(),
194 GetBackgroundTaskRunner(),
195 GetBackgroundTaskRunner(),
196 content::BrowserThread::GetMessageLoopProxyForThread(
197 content::BrowserThread::IO
),
199 device_local_account_policy_service_
->Connect(device_management_service());
200 if (device_cloud_policy_manager_
) {
201 device_cloud_policy_invalidator_
.reset(new AffiliatedCloudPolicyInvalidator(
202 enterprise_management::DeviceRegisterRequest::DEVICE
,
203 device_cloud_policy_manager_
->core(),
204 affiliated_invalidation_service_provider_
.get()));
205 device_remote_commands_invalidator_
.reset(
206 new AffiliatedRemoteCommandsInvalidator(
207 device_cloud_policy_manager_
->core(),
208 affiliated_invalidation_service_provider_
.get()));
211 SetTimezoneIfPolicyAvailable();
213 network_configuration_updater_
=
214 DeviceNetworkConfigurationUpdater::CreateForDevicePolicy(
216 chromeos::NetworkHandler::Get()
217 ->managed_network_configuration_handler(),
218 chromeos::NetworkHandler::Get()->network_device_handler(),
219 chromeos::CrosSettings::Get());
222 void BrowserPolicyConnectorChromeOS::PreShutdown() {
223 // Let the |affiliated_invalidation_service_provider_| unregister itself as an
224 // observer of per-Profile InvalidationServices and the device-global
225 // invalidation::TiclInvalidationService it may have created as an observer of
226 // the DeviceOAuth2TokenService that is destroyed before Shutdown() is called.
227 if (affiliated_invalidation_service_provider_
)
228 affiliated_invalidation_service_provider_
->Shutdown();
231 void BrowserPolicyConnectorChromeOS::Shutdown() {
232 network_configuration_updater_
.reset();
234 if (device_local_account_policy_service_
)
235 device_local_account_policy_service_
->Shutdown();
237 if (device_cloud_policy_initializer_
)
238 device_cloud_policy_initializer_
->Shutdown();
240 if (device_cloud_policy_manager_
)
241 device_cloud_policy_manager_
->RemoveDeviceCloudPolicyManagerObserver(this);
243 ChromeBrowserPolicyConnector::Shutdown();
246 bool BrowserPolicyConnectorChromeOS::IsEnterpriseManaged() {
247 return install_attributes_
&& install_attributes_
->IsEnterpriseDevice();
250 std::string
BrowserPolicyConnectorChromeOS::GetEnterpriseDomain() const {
251 return install_attributes_
? install_attributes_
->GetDomain() : std::string();
254 std::string
BrowserPolicyConnectorChromeOS::GetDeviceAssetID() {
255 if (device_cloud_policy_manager_
) {
256 const enterprise_management::PolicyData
* policy
=
257 device_cloud_policy_manager_
->device_store()->policy();
258 if (policy
&& policy
->has_annotated_asset_id())
259 return policy
->annotated_asset_id();
261 return std::string();
264 std::string
BrowserPolicyConnectorChromeOS::GetDirectoryApiID() {
265 if (device_cloud_policy_manager_
) {
266 const enterprise_management::PolicyData
* policy
=
267 device_cloud_policy_manager_
->device_store()->policy();
268 if (policy
&& policy
->has_directory_api_id())
269 return policy
->directory_api_id();
271 return std::string();
274 DeviceMode
BrowserPolicyConnectorChromeOS::GetDeviceMode() {
275 return install_attributes_
? install_attributes_
->GetMode()
276 : DEVICE_MODE_NOT_SET
;
279 EnrollmentConfig
BrowserPolicyConnectorChromeOS::GetPrescribedEnrollmentConfig()
281 if (device_cloud_policy_initializer_
)
282 return device_cloud_policy_initializer_
->GetPrescribedEnrollmentConfig();
284 return EnrollmentConfig();
287 UserAffiliation
BrowserPolicyConnectorChromeOS::GetUserAffiliation(
288 const std::string
& user_name
) {
289 // An empty username means incognito user in case of ChromiumOS and
290 // no logged-in user in case of Chromium (SigninService). Many tests use
291 // nonsense email addresses (e.g. 'test') so treat those as non-enterprise
293 if (user_name
.empty() || user_name
.find('@') == std::string::npos
)
294 return USER_AFFILIATION_NONE
;
296 if (install_attributes_
&&
297 (gaia::ExtractDomainName(gaia::CanonicalizeEmail(user_name
)) ==
298 install_attributes_
->GetDomain() ||
299 policy::IsDeviceLocalAccountUser(user_name
, NULL
))) {
300 return USER_AFFILIATION_MANAGED
;
303 return USER_AFFILIATION_NONE
;
306 void BrowserPolicyConnectorChromeOS::SetUserPolicyDelegate(
307 ConfigurationPolicyProvider
* user_policy_provider
) {
308 global_user_cloud_policy_provider_
->SetDelegate(user_policy_provider
);
311 void BrowserPolicyConnectorChromeOS::SetConsumerManagementServiceForTesting(
312 scoped_ptr
<ConsumerManagementService
> service
) {
313 consumer_management_service_
= service
.Pass();
316 void BrowserPolicyConnectorChromeOS::SetDeviceCloudPolicyInitializerForTesting(
317 scoped_ptr
<DeviceCloudPolicyInitializer
> initializer
) {
318 device_cloud_policy_initializer_
= initializer
.Pass();
322 void BrowserPolicyConnectorChromeOS::SetInstallAttributesForTesting(
323 EnterpriseInstallAttributes
* attributes
) {
324 DCHECK(!g_testing_install_attributes
);
325 g_testing_install_attributes
= attributes
;
329 void BrowserPolicyConnectorChromeOS::RemoveInstallAttributesForTesting() {
330 if (g_testing_install_attributes
) {
331 delete g_testing_install_attributes
;
332 g_testing_install_attributes
= NULL
;
337 void BrowserPolicyConnectorChromeOS::RegisterPrefs(
338 PrefRegistrySimple
* registry
) {
339 registry
->RegisterIntegerPref(
340 prefs::kDevicePolicyRefreshRate
,
341 CloudPolicyRefreshScheduler::kDefaultRefreshDelayMs
);
344 void BrowserPolicyConnectorChromeOS::OnDeviceCloudPolicyManagerConnected() {
345 CHECK(device_cloud_policy_initializer_
);
347 // DeviceCloudPolicyInitializer might still be on the call stack, so we
348 // should release the initializer after this function returns.
349 device_cloud_policy_initializer_
->Shutdown();
350 base::MessageLoop::current()->DeleteSoon(
351 FROM_HERE
, device_cloud_policy_initializer_
.release());
354 void BrowserPolicyConnectorChromeOS::OnDeviceCloudPolicyManagerDisconnected() {
355 DCHECK(!device_cloud_policy_initializer_
);
357 RestartDeviceCloudPolicyInitializer();
360 void BrowserPolicyConnectorChromeOS::SetTimezoneIfPolicyAvailable() {
361 typedef chromeos::CrosSettingsProvider Provider
;
362 Provider::TrustedStatus result
=
363 chromeos::CrosSettings::Get()->PrepareTrustedValues(base::Bind(
364 &BrowserPolicyConnectorChromeOS::SetTimezoneIfPolicyAvailable
,
365 weak_ptr_factory_
.GetWeakPtr()));
367 if (result
!= Provider::TRUSTED
)
370 std::string timezone
;
371 if (chromeos::CrosSettings::Get()->GetString(chromeos::kSystemTimezonePolicy
,
374 chromeos::system::TimezoneSettings::GetInstance()->SetTimezoneFromID(
375 base::UTF8ToUTF16(timezone
));
379 void BrowserPolicyConnectorChromeOS::RestartDeviceCloudPolicyInitializer() {
380 device_cloud_policy_initializer_
.reset(
381 new DeviceCloudPolicyInitializer(
383 device_management_service(),
384 consumer_device_management_service_
.get(),
385 GetBackgroundTaskRunner(),
386 install_attributes_
.get(),
387 state_keys_broker_
.get(),
388 device_cloud_policy_manager_
->device_store(),
389 device_cloud_policy_manager_
));
390 device_cloud_policy_initializer_
->Init();
393 chromeos::AffiliationIDSet
394 BrowserPolicyConnectorChromeOS::GetDeviceAffiliationIDs() const {
395 chromeos::AffiliationIDSet affiliation_ids
;
396 if (device_cloud_policy_manager_
) {
397 const enterprise_management::PolicyData
* const policy_data
=
398 device_cloud_policy_manager_
->device_store()->policy();
400 affiliation_ids
.insert(policy_data
->device_affiliation_ids().begin(),
401 policy_data
->device_affiliation_ids().end());
404 return affiliation_ids
;
407 } // namespace policy