1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ 6 #define CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ 7 8 #include <map> 9 #include <set> 10 #include <string> 11 12 #include "base/basictypes.h" 13 #include "base/compiler_specific.h" 14 #include "base/memory/ref_counted.h" 15 #include "base/memory/scoped_ptr.h" 16 #include "base/memory/weak_ptr.h" 17 #include "base/observer_list.h" 18 #include "chrome/browser/chromeos/extensions/device_local_account_external_policy_loader.h" 19 #include "chrome/browser/chromeos/policy/device_local_account_external_data_manager.h" 20 #include "chrome/browser/chromeos/settings/cros_settings.h" 21 #include "components/policy/core/common/cloud/cloud_policy_core.h" 22 #include "components/policy/core/common/cloud/cloud_policy_store.h" 23 24 namespace base { 25 class SequencedTaskRunner; 26 } 27 28 namespace chromeos { 29 class DeviceSettingsService; 30 class SessionManagerClient; 31 } 32 33 namespace net { 34 class URLRequestContextGetter; 35 } 36 37 namespace policy { 38 39 struct DeviceLocalAccount; 40 class DeviceLocalAccountExternalDataService; 41 class DeviceLocalAccountPolicyStore; 42 class DeviceManagementService; 43 44 // The main switching central that downloads, caches, refreshes, etc. policy for 45 // a single device-local account. 46 class DeviceLocalAccountPolicyBroker { 47 public: 48 // |task_runner| is the runner for policy refresh tasks. 49 DeviceLocalAccountPolicyBroker( 50 const DeviceLocalAccount& account, 51 scoped_ptr<DeviceLocalAccountPolicyStore> store, 52 scoped_refptr<DeviceLocalAccountExternalDataManager> 53 external_data_manager, 54 const scoped_refptr<base::SequencedTaskRunner>& task_runner); 55 ~DeviceLocalAccountPolicyBroker(); 56 57 // Initialize the broker, loading its |store_|. 58 void Initialize(); 59 60 // For the difference between |account_id| and |user_id|, see the 61 // documentation of DeviceLocalAccount. account_id()62 const std::string& account_id() const { return account_id_; } user_id()63 const std::string& user_id() const { return user_id_; } 64 65 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> extension_loader()66 extension_loader() const { return extension_loader_; } 67 core()68 CloudPolicyCore* core() { return &core_; } core()69 const CloudPolicyCore* core() const { return &core_; } 70 external_data_manager()71 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager() { 72 return external_data_manager_; 73 } 74 75 // Fire up the cloud connection for fetching policy for the account from the 76 // cloud if this is an enterprise-managed device. 77 void ConnectIfPossible( 78 chromeos::DeviceSettingsService* device_settings_service, 79 DeviceManagementService* device_management_service, 80 scoped_refptr<net::URLRequestContextGetter> request_context); 81 82 // Reads the refresh delay from policy and configures the refresh scheduler. 83 void UpdateRefreshDelay(); 84 85 // Retrieves the display name for the account as stored in policy. Returns an 86 // empty string if the policy is not present. 87 std::string GetDisplayName() const; 88 89 private: 90 const std::string account_id_; 91 const std::string user_id_; 92 const scoped_ptr<DeviceLocalAccountPolicyStore> store_; 93 scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager_; 94 scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> 95 extension_loader_; 96 CloudPolicyCore core_; 97 98 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyBroker); 99 }; 100 101 // Manages user policy blobs for device-local accounts present on the device. 102 // The actual policy blobs are brokered by session_manager (to prevent file 103 // manipulation), and we're making signature checks on the policy blobs to 104 // ensure they're issued by the device owner. 105 class DeviceLocalAccountPolicyService : public CloudPolicyStore::Observer { 106 public: 107 // Interface for interested parties to observe policy changes. 108 class Observer { 109 public: ~Observer()110 virtual ~Observer() {} 111 112 // Policy for the given |user_id| has changed. 113 virtual void OnPolicyUpdated(const std::string& user_id) = 0; 114 115 // The list of accounts has been updated. 116 virtual void OnDeviceLocalAccountsChanged() = 0; 117 }; 118 119 DeviceLocalAccountPolicyService( 120 chromeos::SessionManagerClient* session_manager_client, 121 chromeos::DeviceSettingsService* device_settings_service, 122 chromeos::CrosSettings* cros_settings, 123 scoped_refptr<base::SequencedTaskRunner> store_background_task_runner, 124 scoped_refptr<base::SequencedTaskRunner> extension_cache_task_runner, 125 scoped_refptr<base::SequencedTaskRunner> 126 external_data_service_backend_task_runner, 127 scoped_refptr<base::SequencedTaskRunner> io_task_runner, 128 scoped_refptr<net::URLRequestContextGetter> request_context); 129 virtual ~DeviceLocalAccountPolicyService(); 130 131 // Shuts down the service and prevents further policy fetches from the cloud. 132 void Shutdown(); 133 134 // Initializes the cloud policy service connection. 135 void Connect(DeviceManagementService* device_management_service); 136 137 // Get the policy broker for a given |user_id|. Returns NULL if that |user_id| 138 // does not belong to an existing device-local account. 139 DeviceLocalAccountPolicyBroker* GetBrokerForUser(const std::string& user_id); 140 141 // Indicates whether policy has been successfully fetched for the given 142 // |user_id|. 143 bool IsPolicyAvailableForUser(const std::string& user_id); 144 145 void AddObserver(Observer* observer); 146 void RemoveObserver(Observer* observer); 147 148 // CloudPolicyStore::Observer: 149 virtual void OnStoreLoaded(CloudPolicyStore* store) OVERRIDE; 150 virtual void OnStoreError(CloudPolicyStore* store) OVERRIDE; 151 152 private: 153 typedef std::map<std::string, DeviceLocalAccountPolicyBroker*> 154 PolicyBrokerMap; 155 156 // Returns |true| if the directory in which force-installed extensions are 157 // cached for |account_id| is busy, either because a broker that was using 158 // this directory has not shut down completely yet or because the directory is 159 // being deleted. 160 bool IsExtensionCacheDirectoryBusy(const std::string& account_id); 161 162 // Starts any extension caches that are not running yet but can be started now 163 // because their cache directories are no longer busy. 164 void StartExtensionCachesIfPossible(); 165 166 // Checks whether a broker exists for |account_id|. If so, starts the broker's 167 // extension cache and returns |true|. Otherwise, returns |false|. 168 bool StartExtensionCacheForAccountIfPresent(const std::string& account_id); 169 170 // Called back when any extension caches belonging to device-local accounts 171 // that no longer exist have been removed at start-up. 172 void OnOrphanedExtensionCachesDeleted(); 173 174 // Called back when the extension cache for |account_id| has been shut down. 175 void OnObsoleteExtensionCacheShutdown(const std::string& account_id); 176 177 // Called back when the extension cache for |account_id| has been removed. 178 void OnObsoleteExtensionCacheDeleted(const std::string& account_id); 179 180 // Re-queries the list of defined device-local accounts from device settings 181 // and updates |policy_brokers_| to match that list. 182 void UpdateAccountList(); 183 184 // Calls |UpdateAccountList| if there are no previous calls pending. 185 void UpdateAccountListIfNonePending(); 186 187 // Deletes brokers in |map| and clears it. 188 void DeleteBrokers(PolicyBrokerMap* map); 189 190 // Find the broker for a given |store|. Returns NULL if |store| is unknown. 191 DeviceLocalAccountPolicyBroker* GetBrokerForStore(CloudPolicyStore* store); 192 193 ObserverList<Observer, true> observers_; 194 195 chromeos::SessionManagerClient* session_manager_client_; 196 chromeos::DeviceSettingsService* device_settings_service_; 197 chromeos::CrosSettings* cros_settings_; 198 199 DeviceManagementService* device_management_service_; 200 201 // The device-local account policy brokers, keyed by user ID. 202 PolicyBrokerMap policy_brokers_; 203 204 // Whether a call to UpdateAccountList() is pending because |cros_settings_| 205 // are not trusted yet. 206 bool waiting_for_cros_settings_; 207 208 // Orphaned extension caches are removed at startup. This tracks the status of 209 // that process. 210 enum OrphanCacheDeletionState { 211 NOT_STARTED, 212 IN_PROGRESS, 213 DONE, 214 }; 215 OrphanCacheDeletionState orphan_cache_deletion_state_; 216 217 // Account IDs whose extension cache directories are busy, either because a 218 // broker for the account has not shut down completely yet or because the 219 // directory is being deleted. 220 std::set<std::string> busy_extension_cache_directories_; 221 222 const scoped_refptr<base::SequencedTaskRunner> store_background_task_runner_; 223 const scoped_refptr<base::SequencedTaskRunner> extension_cache_task_runner_; 224 225 scoped_ptr<DeviceLocalAccountExternalDataService> external_data_service_; 226 227 scoped_refptr<net::URLRequestContextGetter> request_context_; 228 229 const scoped_ptr<chromeos::CrosSettings::ObserverSubscription> 230 local_accounts_subscription_; 231 232 base::WeakPtrFactory<DeviceLocalAccountPolicyService> weak_factory_; 233 234 DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyService); 235 }; 236 237 } // namespace policy 238 239 #endif // CHROME_BROWSER_CHROMEOS_POLICY_DEVICE_LOCAL_ACCOUNT_POLICY_SERVICE_H_ 240