device_local_account_policy_store.cc revision 8bcbed890bc3ce4d7a057a8f32cab53fa534672e 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"
6
7#include "base/bind.h"
8#include "base/callback.h"
9#include "base/values.h"
10#include "chrome/browser/policy/cloud/device_management_service.h"
11#include "chrome/browser/policy/external_data_fetcher.h"
12#include "chrome/browser/policy/policy_types.h"
13#include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
14#include "chromeos/dbus/power_policy_controller.h"
15#include "chromeos/dbus/session_manager_client.h"
16#include "policy/policy_constants.h"
17#include "policy/proto/cloud_policy.pb.h"
18
19namespace em = enterprise_management;
20
21namespace policy {
22
23DeviceLocalAccountPolicyStore::DeviceLocalAccountPolicyStore(
24    const std::string& account_id,
25    chromeos::SessionManagerClient* session_manager_client,
26    chromeos::DeviceSettingsService* device_settings_service,
27    scoped_refptr<base::SequencedTaskRunner> background_task_runner)
28    : UserCloudPolicyStoreBase(background_task_runner),
29      account_id_(account_id),
30      session_manager_client_(session_manager_client),
31      device_settings_service_(device_settings_service),
32      weak_factory_(this) {}
33
34DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {}
35
36void DeviceLocalAccountPolicyStore::Load() {
37  weak_factory_.InvalidateWeakPtrs();
38  session_manager_client_->RetrieveDeviceLocalAccountPolicy(
39      account_id_,
40      base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob,
41                 weak_factory_.GetWeakPtr()));
42}
43
44void DeviceLocalAccountPolicyStore::Store(
45    const em::PolicyFetchResponse& policy) {
46  weak_factory_.InvalidateWeakPtrs();
47  CheckKeyAndValidate(
48      make_scoped_ptr(new em::PolicyFetchResponse(policy)),
49      base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy,
50                 weak_factory_.GetWeakPtr()));
51}
52
53void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob(
54    const std::string& policy_blob) {
55  if (policy_blob.empty()) {
56    status_ = CloudPolicyStore::STATUS_LOAD_ERROR;
57    NotifyStoreError();
58  } else {
59    scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse());
60    if (policy->ParseFromString(policy_blob)) {
61      CheckKeyAndValidate(
62          policy.Pass(),
63          base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy,
64                     weak_factory_.GetWeakPtr()));
65    } else {
66      status_ = CloudPolicyStore::STATUS_PARSE_ERROR;
67      NotifyStoreError();
68    }
69  }
70}
71
72void DeviceLocalAccountPolicyStore::UpdatePolicy(
73    UserCloudPolicyValidator* validator) {
74  validation_status_ = validator->status();
75  if (!validator->success()) {
76    status_ = STATUS_VALIDATION_ERROR;
77    NotifyStoreError();
78    return;
79  }
80
81  InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
82  // Exit the session when the lid is closed. The default behavior is to
83  // suspend while leaving the session running, which is not desirable for
84  // public sessions.
85  policy_map_.Set(key::kLidCloseAction,
86                  POLICY_LEVEL_MANDATORY,
87                  POLICY_SCOPE_USER,
88                  base::Value::CreateIntegerValue(
89                      chromeos::PowerPolicyController::ACTION_STOP_SESSION),
90                  NULL);
91  // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the ash
92  // shelf does not auto-hide.
93  policy_map_.Set(key::kShelfAutoHideBehavior,
94                  POLICY_LEVEL_MANDATORY,
95                  POLICY_SCOPE_USER,
96                  Value::CreateStringValue("Never"),
97                  NULL);
98  // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big,
99  // red logout button is shown in the ash system tray.
100  policy_map_.Set(key::kShowLogoutButtonInTray,
101                  POLICY_LEVEL_MANDATORY,
102                  POLICY_SCOPE_USER,
103                  Value::CreateBooleanValue(true),
104                  NULL);
105  // Force the |FullscreenAllowed| policy to |false|, ensuring that the ash
106  // shelf cannot be hidden by entering fullscreen mode.
107  policy_map_.Set(key::kFullscreenAllowed,
108                  POLICY_LEVEL_MANDATORY,
109                  POLICY_SCOPE_USER,
110                  Value::CreateBooleanValue(false),
111                  NULL);
112
113  status_ = STATUS_OK;
114  NotifyStoreLoaded();
115}
116
117void DeviceLocalAccountPolicyStore::StoreValidatedPolicy(
118    UserCloudPolicyValidator* validator) {
119  if (!validator->success()) {
120    status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR;
121    validation_status_ = validator->status();
122    NotifyStoreError();
123    return;
124  }
125
126  std::string policy_blob;
127  if (!validator->policy()->SerializeToString(&policy_blob)) {
128    status_ = CloudPolicyStore::STATUS_SERIALIZE_ERROR;
129    NotifyStoreError();
130    return;
131  }
132
133  session_manager_client_->StoreDeviceLocalAccountPolicy(
134      account_id_,
135      policy_blob,
136      base::Bind(&DeviceLocalAccountPolicyStore::HandleStoreResult,
137                 weak_factory_.GetWeakPtr()));
138}
139
140void DeviceLocalAccountPolicyStore::HandleStoreResult(bool success) {
141  if (!success) {
142    status_ = CloudPolicyStore::STATUS_STORE_ERROR;
143    NotifyStoreError();
144  } else {
145    Load();
146  }
147}
148
149void DeviceLocalAccountPolicyStore::CheckKeyAndValidate(
150    scoped_ptr<em::PolicyFetchResponse> policy,
151    const UserCloudPolicyValidator::CompletionCallback& callback) {
152  device_settings_service_->GetOwnershipStatusAsync(
153      base::Bind(&DeviceLocalAccountPolicyStore::Validate,
154                 weak_factory_.GetWeakPtr(),
155                 base::Passed(&policy),
156                 callback));
157}
158
159void DeviceLocalAccountPolicyStore::Validate(
160    scoped_ptr<em::PolicyFetchResponse> policy_response,
161    const UserCloudPolicyValidator::CompletionCallback& callback,
162    chromeos::DeviceSettingsService::OwnershipStatus ownership_status) {
163  DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN,
164            ownership_status);
165  scoped_refptr<chromeos::OwnerKey> key =
166      device_settings_service_->GetOwnerKey();
167  if (!key.get() || !key->public_key()) {
168    status_ = CloudPolicyStore::STATUS_BAD_STATE;
169    NotifyStoreLoaded();
170    return;
171  }
172
173  scoped_ptr<UserCloudPolicyValidator> validator(
174      UserCloudPolicyValidator::Create(policy_response.Pass(),
175                                       background_task_runner()));
176  validator->ValidateUsername(account_id_);
177  validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);
178  validator->ValidateAgainstCurrentPolicy(
179      policy(),
180      CloudPolicyValidatorBase::TIMESTAMP_REQUIRED,
181      CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
182  validator->ValidatePayload();
183  validator->ValidateSignature(*key->public_key(), false);
184  validator.release()->StartValidation(callback);
185}
186
187}  // namespace policy
188