device_local_account_policy_service.h revision 6d86b77056ed63eb6871182f42a9fd5f07550f90
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#ifndef CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ 6#define CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ 7 8#include <map> 9#include <set> 10#include <string> 11 12#include "base/basictypes.h" 13#include "base/callback.h" 14#include "base/compiler_specific.h" 15#include "base/files/file_path.h" 16#include "base/memory/ref_counted.h" 17#include "base/memory/scoped_ptr.h" 18#include "base/memory/weak_ptr.h" 19#include "base/observer_list.h" 20#include "chrome/browser/chromeos/extensions/device_local_account_external_policy_loader.h" 21#include "chrome/browser/chromeos/policy/device_local_account_external_data_manager.h" 22#include "chrome/browser/chromeos/settings/cros_settings.h" 23#include "components/policy/core/common/cloud/cloud_policy_core.h" 24#include "components/policy/core/common/cloud/cloud_policy_store.h" 25#include "components/policy/core/common/cloud/component_cloud_policy_service.h" 26#include "components/policy/core/common/schema_registry.h" 27 28namespace base { 29class SequencedTaskRunner; 30} 31 32namespace chromeos { 33class DeviceSettingsService; 34class SessionManagerClient; 35} 36 37namespace net { 38class URLRequestContextGetter; 39} 40 41namespace policy { 42 43struct DeviceLocalAccount; 44class DeviceLocalAccountExternalDataService; 45class DeviceLocalAccountPolicyStore; 46class DeviceManagementService; 47 48// The main switching central that downloads, caches, refreshes, etc. policy for 49// a single device-local account. 50class DeviceLocalAccountPolicyBroker 51 : public CloudPolicyStore::Observer, 52 public ComponentCloudPolicyService::Delegate { 53 public: 54 // |policy_update_callback| will be invoked to notify observers that the 55 // policy for |account| has been updated. 56 // |task_runner| is the runner for policy refresh tasks. 57 DeviceLocalAccountPolicyBroker( 58 const DeviceLocalAccount& account, 59 const base::FilePath& component_policy_cache_path, 60 scoped_ptr<DeviceLocalAccountPolicyStore> store, 61 scoped_refptr<DeviceLocalAccountExternalDataManager> 62 external_data_manager, 63 const base::Closure& policy_updated_callback, 64 const scoped_refptr<base::SequencedTaskRunner>& task_runner); 65 virtual ~DeviceLocalAccountPolicyBroker(); 66 67 // Initialize the broker, loading its |store_|. 68 void Initialize(); 69 70 // For the difference between |account_id| and |user_id|, see the 71 // documentation of DeviceLocalAccount. 72 const std::string& account_id() const { return account_id_; } 73 const std::string& user_id() const { return user_id_; } 74 75 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> 76 extension_loader() const { return extension_loader_; } 77 78 CloudPolicyCore* core() { return &core_; } 79 const CloudPolicyCore* core() const { return &core_; } 80 81 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager() { 82 return external_data_manager_; 83 } 84 85 ComponentCloudPolicyService* component_policy_service() const { 86 return component_policy_service_.get(); 87 } 88 89 SchemaRegistry* schema_registry() { return &schema_registry_; } 90 91 // Fire up the cloud connection for fetching policy for the account from the 92 // cloud if this is an enterprise-managed device. 93 void ConnectIfPossible( 94 chromeos::DeviceSettingsService* device_settings_service, 95 DeviceManagementService* device_management_service, 96 scoped_refptr<net::URLRequestContextGetter> request_context); 97 98 // Reads the refresh delay from policy and configures the refresh scheduler. 99 void UpdateRefreshDelay(); 100 101 // Retrieves the display name for the account as stored in policy. Returns an 102 // empty string if the policy is not present. 103 std::string GetDisplayName() const; 104 105 // CloudPolicyStore::Observer: 106 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 107 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 108 109 // ComponentCloudPolicyService::Delegate: 110 virtual void OnComponentCloudPolicyUpdated() OVERRIDE; 111 112 private: 113 void CreateComponentCloudPolicyService( 114 const scoped_refptr<net::URLRequestContextGetter>& request_context); 115 116 const std::string account_id_; 117 const std::string user_id_; 118 const base::FilePath component_policy_cache_path_; 119 SchemaRegistry schema_registry_; 120 const scoped_ptr<DeviceLocalAccountPolicyStore> store_; 121 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager_; 122 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> 123 extension_loader_; 124 CloudPolicyCore core_; 125 scoped_ptr<ComponentCloudPolicyService> component_policy_service_; 126 base::Closure policy_update_callback_; 127 128 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyBroker); 129}; 130 131// Manages user policy blobs for device-local accounts present on the device. 132// The actual policy blobs are brokered by session_manager (to prevent file 133// manipulation), and we're making signature checks on the policy blobs to 134// ensure they're issued by the device owner. 135class DeviceLocalAccountPolicyService { 136 public: 137 // Interface for interested parties to observe policy changes. 138 class Observer { 139 public: 140 virtual ~Observer() {} 141 142 // Policy for the given |user_id| has changed. 143 virtual void OnPolicyUpdated(const std::string& user_id) = 0; 144 145 // The list of accounts has been updated. 146 virtual void OnDeviceLocalAccountsChanged() = 0; 147 }; 148 149 DeviceLocalAccountPolicyService( 150 chromeos::SessionManagerClient* session_manager_client, 151 chromeos::DeviceSettingsService* device_settings_service, 152 chromeos::CrosSettings* cros_settings, 153 scoped_refptr<base::SequencedTaskRunner> store_background_task_runner, 154 scoped_refptr<base::SequencedTaskRunner> extension_cache_task_runner, 155 scoped_refptr<base::SequencedTaskRunner> 156 external_data_service_backend_task_runner, 157 scoped_refptr<base::SequencedTaskRunner> io_task_runner, 158 scoped_refptr<net::URLRequestContextGetter> request_context); 159 virtual ~DeviceLocalAccountPolicyService(); 160 161 // Shuts down the service and prevents further policy fetches from the cloud. 162 void Shutdown(); 163 164 // Initializes the cloud policy service connection. 165 void Connect(DeviceManagementService* device_management_service); 166 167 // Get the policy broker for a given |user_id|. Returns NULL if that |user_id| 168 // does not belong to an existing device-local account. 169 DeviceLocalAccountPolicyBroker* GetBrokerForUser(const std::string& user_id); 170 171 // Indicates whether policy has been successfully fetched for the given 172 // |user_id|. 173 bool IsPolicyAvailableForUser(const std::string& user_id); 174 175 void AddObserver(Observer* observer); 176 void RemoveObserver(Observer* observer); 177 178 private: 179 typedef std::map<std::string, DeviceLocalAccountPolicyBroker*> 180 PolicyBrokerMap; 181 182 // Returns |true| if the directory in which force-installed extensions are 183 // cached for |account_id| is busy, either because a broker that was using 184 // this directory has not shut down completely yet or because the directory is 185 // being deleted. 186 bool IsExtensionCacheDirectoryBusy(const std::string& account_id); 187 188 // Starts any extension caches that are not running yet but can be started now 189 // because their cache directories are no longer busy. 190 void StartExtensionCachesIfPossible(); 191 192 // Checks whether a broker exists for |account_id|. If so, starts the broker's 193 // extension cache and returns |true|. Otherwise, returns |false|. 194 bool StartExtensionCacheForAccountIfPresent(const std::string& account_id); 195 196 // Called back when any extension caches belonging to device-local accounts 197 // that no longer exist have been removed at start-up. 198 void OnOrphanedExtensionCachesDeleted(); 199 200 // Called back when the extension cache for |account_id| has been shut down. 201 void OnObsoleteExtensionCacheShutdown(const std::string& account_id); 202 203 // Called back when the extension cache for |account_id| has been removed. 204 void OnObsoleteExtensionCacheDeleted(const std::string& account_id); 205 206 // Re-queries the list of defined device-local accounts from device settings 207 // and updates |policy_brokers_| to match that list. 208 void UpdateAccountList(); 209 210 // Calls |UpdateAccountList| if there are no previous calls pending. 211 void UpdateAccountListIfNonePending(); 212 213 // Deletes brokers in |map| and clears it. 214 void DeleteBrokers(PolicyBrokerMap* map); 215 216 // Find the broker for a given |store|. Returns NULL if |store| is unknown. 217 DeviceLocalAccountPolicyBroker* GetBrokerForStore(CloudPolicyStore* store); 218 219 // Notifies the |observers_| that the policy for |user_id| has changed. 220 void NotifyPolicyUpdated(const std::string& user_id); 221 222 ObserverList<Observer, true> observers_; 223 224 chromeos::SessionManagerClient* session_manager_client_; 225 chromeos::DeviceSettingsService* device_settings_service_; 226 chromeos::CrosSettings* cros_settings_; 227 228 DeviceManagementService* device_management_service_; 229 230 // The device-local account policy brokers, keyed by user ID. 231 PolicyBrokerMap policy_brokers_; 232 233 // Whether a call to UpdateAccountList() is pending because |cros_settings_| 234 // are not trusted yet. 235 bool waiting_for_cros_settings_; 236 237 // Orphaned extension caches are removed at startup. This tracks the status of 238 // that process. 239 enum OrphanExtensionCacheDeletionState { 240 NOT_STARTED, 241 IN_PROGRESS, 242 DONE, 243 }; 244 OrphanExtensionCacheDeletionState orphan_extension_cache_deletion_state_; 245 246 // Account IDs whose extension cache directories are busy, either because a 247 // broker for the account has not shut down completely yet or because the 248 // directory is being deleted. 249 std::set<std::string> busy_extension_cache_directories_; 250 251 const scoped_refptr<base::SequencedTaskRunner> store_background_task_runner_; 252 const scoped_refptr<base::SequencedTaskRunner> extension_cache_task_runner_; 253 254 scoped_ptr<DeviceLocalAccountExternalDataService> external_data_service_; 255 256 scoped_refptr<net::URLRequestContextGetter> request_context_; 257 258 const scoped_ptr<chromeos::CrosSettings::ObserverSubscription> 259 local_accounts_subscription_; 260 261 // Path to the directory that contains the cached policy for components 262 // for device-local accounts. 263 base::FilePath component_policy_cache_root_; 264 265 base::WeakPtrFactory<DeviceLocalAccountPolicyService> weak_factory_; 266 267 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyService); 268}; 269 270} // namespace policy 271 272#endif // CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ 273