search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Disable view source for Developer Tools.
[chromium-blink-merge.git] / chrome / browser / chromeos / policy / device_local_account_policy_store.cc
blob327b11e3d70b09743a97949c2ab7f6e812e6448a
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"
6
7 #include "base/bind.h"
8 #include "base/callback.h"
9 #include "base/values.h"
10 #include "chromeos/dbus/power_policy_controller.h"
11 #include "chromeos/dbus/session_manager_client.h"
12 #include "components/policy/core/common/cloud/device_management_service.h"
13 #include "components/policy/core/common/external_data_fetcher.h"
14 #include "components/policy/core/common/policy_types.h"
15 #include "policy/policy_constants.h"
16 #include "policy/proto/cloud_policy.pb.h"
17 #include "policy/proto/device_management_backend.pb.h"
18
19 namespace em = enterprise_management;
20
21 namespace policy {
22
23 DeviceLocalAccountPolicyStore::DeviceLocalAccountPolicyStore(
24 const std::string& account_id,
25 chromeos::SessionManagerClient* session_manager_client,
26 chromeos::DeviceSettingsService* device_settings_service,
27 scoped_refptr<base::SequencedTaskRunner> background_task_runner)
28 : UserCloudPolicyStoreBase(background_task_runner),
29 account_id_(account_id),
30 session_manager_client_(session_manager_client),
31 device_settings_service_(device_settings_service),
32 weak_factory_(this) {}
33
34 DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {}
35
36 void DeviceLocalAccountPolicyStore::Load() {
37 weak_factory_.InvalidateWeakPtrs();
38 session_manager_client_->RetrieveDeviceLocalAccountPolicy(
39 account_id_,
40 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob,
41 weak_factory_.GetWeakPtr()));
42 }
43
44 void DeviceLocalAccountPolicyStore::Store(
45 const em::PolicyFetchResponse& policy) {
46 weak_factory_.InvalidateWeakPtrs();
47 CheckKeyAndValidate(
48 true,
49 make_scoped_ptr(new em::PolicyFetchResponse(policy)),
50 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy,
51 weak_factory_.GetWeakPtr()));
52 }
53
54 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob(
55 const std::string& policy_blob) {
56 if (policy_blob.empty()) {
57 status_ = CloudPolicyStore::STATUS_LOAD_ERROR;
58 NotifyStoreError();
59 } else {
60 scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse());
61 if (policy->ParseFromString(policy_blob)) {
62 CheckKeyAndValidate(
63 false,
64 policy.Pass(),
65 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy,
66 weak_factory_.GetWeakPtr()));
67 } else {
68 status_ = CloudPolicyStore::STATUS_PARSE_ERROR;
69 NotifyStoreError();
70 }
71 }
72 }
73
74 void DeviceLocalAccountPolicyStore::UpdatePolicy(
75 UserCloudPolicyValidator* validator) {
76 validation_status_ = validator->status();
77 if (!validator->success()) {
78 status_ = STATUS_VALIDATION_ERROR;
79 NotifyStoreError();
80 return;
81 }
82
83 InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
84 // Exit the session when the lid is closed. The default behavior is to
85 // suspend while leaving the session running, which is not desirable for
86 // public sessions.
87 policy_map_.Set(key::kLidCloseAction,
88 POLICY_LEVEL_MANDATORY,
89 POLICY_SCOPE_USER,
90 base::Value::CreateIntegerValue(
91 chromeos::PowerPolicyController::ACTION_STOP_SESSION),
92 NULL);
93 // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the ash
94 // shelf does not auto-hide.
95 policy_map_.Set(key::kShelfAutoHideBehavior,
96 POLICY_LEVEL_MANDATORY,
97 POLICY_SCOPE_USER,
98 base::Value::CreateStringValue("Never"),
99 NULL);
100 // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big,
101 // red logout button is shown in the ash system tray.
102 policy_map_.Set(key::kShowLogoutButtonInTray,
103 POLICY_LEVEL_MANDATORY,
104 POLICY_SCOPE_USER,
105 base::Value::CreateBooleanValue(true),
106 NULL);
107 // Force the |FullscreenAllowed| policy to |false|, ensuring that the ash
108 // shelf cannot be hidden by entering fullscreen mode.
109 policy_map_.Set(key::kFullscreenAllowed,
110 POLICY_LEVEL_MANDATORY,
111 POLICY_SCOPE_USER,
112 base::Value::CreateBooleanValue(false),
113 NULL);
114
115 status_ = STATUS_OK;
116 NotifyStoreLoaded();
117 }
118
119 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy(
120 UserCloudPolicyValidator* validator) {
121 if (!validator->success()) {
122 status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR;
123 validation_status_ = validator->status();
124 NotifyStoreError();
125 return;
126 }
127
128 std::string policy_blob;
129 if (!validator->policy()->SerializeToString(&policy_blob)) {
130 status_ = CloudPolicyStore::STATUS_SERIALIZE_ERROR;
131 NotifyStoreError();
132 return;
133 }
134
135 session_manager_client_->StoreDeviceLocalAccountPolicy(
136 account_id_,
137 policy_blob,
138 base::Bind(&DeviceLocalAccountPolicyStore::HandleStoreResult,
139 weak_factory_.GetWeakPtr()));
140 }
141
142 void DeviceLocalAccountPolicyStore::HandleStoreResult(bool success) {
143 if (!success) {
144 status_ = CloudPolicyStore::STATUS_STORE_ERROR;
145 NotifyStoreError();
146 } else {
147 Load();
148 }
149 }
150
151 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate(
152 bool valid_timestamp_required,
153 scoped_ptr<em::PolicyFetchResponse> policy,
154 const UserCloudPolicyValidator::CompletionCallback& callback) {
155 device_settings_service_->GetOwnershipStatusAsync(
156 base::Bind(&DeviceLocalAccountPolicyStore::Validate,
157 weak_factory_.GetWeakPtr(),
158 valid_timestamp_required,
159 base::Passed(&policy),
160 callback));
161 }
162
163 void DeviceLocalAccountPolicyStore::Validate(
164 bool valid_timestamp_required,
165 scoped_ptr<em::PolicyFetchResponse> policy_response,
166 const UserCloudPolicyValidator::CompletionCallback& callback,
167 chromeos::DeviceSettingsService::OwnershipStatus ownership_status) {
168 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN,
169 ownership_status);
170 scoped_refptr<chromeos::OwnerKey> key =
171 device_settings_service_->GetOwnerKey();
172 if (!key.get() || !key->public_key()) {
173 status_ = CloudPolicyStore::STATUS_BAD_STATE;
174 NotifyStoreLoaded();
175 return;
176 }
177
178 scoped_ptr<UserCloudPolicyValidator> validator(
179 UserCloudPolicyValidator::Create(policy_response.Pass(),
180 background_task_runner()));
181 validator->ValidateUsername(account_id_);
182 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);
183 // The timestamp is verified when storing a new policy downloaded from the
184 // server but not when loading a cached policy from disk.
185 // See SessionManagerOperation::ValidateDeviceSettings for the rationale.
186 validator->ValidateAgainstCurrentPolicy(
187 policy(),
188 valid_timestamp_required
189 ? CloudPolicyValidatorBase::TIMESTAMP_REQUIRED
190 : CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED,
191 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
192 validator->ValidatePayload();
193 validator->ValidateSignature(*key->public_key(), false);
194 validator.release()->StartValidation(callback);
195 }
196
197 } // namespace policy