Home | History | Annotate | Download | only in policy 
      1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef LIBBRILLO_POLICY_DEVICE_POLICY_H_
      6 #define LIBBRILLO_POLICY_DEVICE_POLICY_H_
      7 
      8 #include <stdint.h>
      9 
     10 #include <set>
     11 #include <string>
     12 #include <utility>
     13 #include <vector>
     14 
     15 #include <base/macros.h>
     16 #include <base/time/time.h>
     17 
     18 #pragma GCC visibility push(default)
     19 
     20 namespace policy {
     21 
     22 // This class holds device settings that are to be enforced across all users.
     23 // It is also responsible for loading the policy blob from disk and verifying
     24 // the signature against the owner's key.
     25 //
     26 // This class defines the interface for querying device policy on ChromeOS.
     27 // The implementation is hidden in DevicePolicyImpl to prevent protobuf
     28 // definition from leaking into the libraries using this interface.
     29 class DevicePolicy {
     30  public:
     31   // Identifiers of a USB device or device family.
     32   struct UsbDeviceId {
     33     // USB Vendor Identifier (aka idVendor).
     34     uint16_t vendor_id;
     35 
     36     // USB Product Identifier (aka idProduct).
     37     uint16_t product_id;
     38   };
     39 
     40   // Time interval represented by two |day_of_week| and |time| pairs. The start
     41   // of the interval is inclusive and the end is exclusive. The time represented
     42   // by those pairs will be interpreted to be in the local timezone. Because of
     43   // this, there exists the possibility of intervals being repeated or skipped
     44   // in a day with daylight savings transitions, this is expected behavior.
     45   struct WeeklyTimeInterval {
     46     // Value is from 1 to 7 (1 = Monday, 2 = Tuesday, etc.). All values outside
     47     // this range are invalid and will be discarded.
     48     int start_day_of_week;
     49     // Time since the start of the day. This value will be interpreted to be in
     50     // the system's current timezone when used for range checking.
     51     base::TimeDelta start_time;
     52     int end_day_of_week;
     53     base::TimeDelta end_time;
     54   };
     55 
     56   // Identifies a <day, percentage> pair in a staging schedule.
     57   struct DayPercentagePair {
     58     bool operator==(const DayPercentagePair& other) const {
     59       return days == other.days && percentage == other.percentage;
     60     }
     61     int days;
     62     int percentage;
     63   };
     64 
     65   DevicePolicy();
     66   virtual ~DevicePolicy();
     67 
     68   // Load device policy off of disk into |policy_|.
     69   // Returns true unless there is a policy on disk and loading it fails.
     70   virtual bool LoadPolicy() = 0;
     71 
     72   // Writes the value of the DevicePolicyRefreshRate policy in |rate|. Returns
     73   // true on success.
     74   virtual bool GetPolicyRefreshRate(int* rate) const = 0;
     75 
     76   // Writes the value of the UserWhitelist policy in |user_whitelist|. Returns
     77   // true on success.
     78   virtual bool GetUserWhitelist(
     79       std::vector<std::string>* user_whitelist) const = 0;
     80 
     81   // Writes the value of the GuestModeEnabled policy in |guest_mode_enabled|.
     82   // Returns true on success.
     83   virtual bool GetGuestModeEnabled(bool* guest_mode_enabled) const = 0;
     84 
     85   // Writes the value of the CameraEnabled policy in |camera_enabled|. Returns
     86   // true on success.
     87   virtual bool GetCameraEnabled(bool* camera_enabled) const = 0;
     88 
     89   // Writes the value of the ShowUserNamesOnSignIn policy in |show_user_names|.
     90   // Returns true on success.
     91   virtual bool GetShowUserNames(bool* show_user_names) const = 0;
     92 
     93   // Writes the value of the DataRoamingEnabled policy in |data_roaming_enabled|
     94   // Returns true on success.
     95   virtual bool GetDataRoamingEnabled(bool* data_roaming_enabled) const = 0;
     96 
     97   // Writes the value of the AllowNewUsers policy in |allow_new_users|. Returns
     98   // true on success.
     99   virtual bool GetAllowNewUsers(bool* allow_new_users) const = 0;
    100 
    101   // Writes the value of MetricEnabled policy in |metrics_enabled|. Returns true
    102   // on success.
    103   virtual bool GetMetricsEnabled(bool* metrics_enabled) const = 0;
    104 
    105   // Writes the value of ReportVersionInfo policy in |report_version_info|.
    106   // Returns true on success.
    107   virtual bool GetReportVersionInfo(bool* report_version_info) const = 0;
    108 
    109   // Writes the value of ReportActivityTimes policy in |report_activity_times|.
    110   // Returns true on success.
    111   virtual bool GetReportActivityTimes(bool* report_activity_times) const = 0;
    112 
    113   // Writes the value of ReportBootMode policy in |report_boot_mode|. Returns
    114   // true on success.
    115   virtual bool GetReportBootMode(bool* report_boot_mode) const = 0;
    116 
    117   // Writes the value of the EphemeralUsersEnabled policy in
    118   // |ephemeral_users_enabled|. Returns true on success.
    119   virtual bool GetEphemeralUsersEnabled(
    120       bool* ephemeral_users_enabled) const = 0;
    121 
    122   // Writes the value of the release channel policy in |release_channel|.
    123   // Returns true on success.
    124   virtual bool GetReleaseChannel(std::string* release_channel) const = 0;
    125 
    126   // Writes the value of the release_channel_delegated policy in
    127   // |release_channel_delegated|. Returns true on success.
    128   virtual bool GetReleaseChannelDelegated(
    129       bool* release_channel_delegated) const = 0;
    130 
    131   // Writes the value of the update_disabled policy in |update_disabled|.
    132   // Returns true on success.
    133   virtual bool GetUpdateDisabled(bool* update_disabled) const = 0;
    134 
    135   // Writes the value of the target_version_prefix policy in
    136   // |target_version_prefix|. Returns true on success.
    137   virtual bool GetTargetVersionPrefix(
    138       std::string* target_version_prefix) const = 0;
    139 
    140   // Writes the value of the rollback_to_target_version policy in
    141   // |rollback_to_target_version|. |rollback_to_target_version| will be one of
    142   // the values in AutoUpdateSettingsProto's RollbackToTargetVersion enum.
    143   // Returns true on success.
    144   virtual bool GetRollbackToTargetVersion(
    145       int* rollback_to_target_version) const = 0;
    146 
    147   // Writes the value of the rollback_allowed_milestones policy in
    148   // |rollback_allowed_milestones|. Returns true on success.
    149   virtual bool GetRollbackAllowedMilestones(
    150       int* rollback_allowed_milestones) const = 0;
    151 
    152   // Writes the value of the scatter_factor_in_seconds policy in
    153   // |scatter_factor_in_seconds|. Returns true on success.
    154   virtual bool GetScatterFactorInSeconds(
    155       int64_t* scatter_factor_in_seconds) const = 0;
    156 
    157   // Writes the connection types on which updates are allowed to
    158   // |connection_types|. The identifiers returned are intended to be consistent
    159   // with what the connection manager users: ethernet, wifi, wimax, bluetooth,
    160   // cellular.
    161   virtual bool GetAllowedConnectionTypesForUpdate(
    162       std::set<std::string>* connection_types) const = 0;
    163 
    164   // Writes the value of the OpenNetworkConfiguration policy in
    165   // |open_network_configuration|. Returns true on success.
    166   virtual bool GetOpenNetworkConfiguration(
    167       std::string* open_network_configuration) const = 0;
    168 
    169   // Writes the name of the device owner in |owner|. For enterprise enrolled
    170   // devices, this will be an empty string.
    171   // Returns true on success.
    172   virtual bool GetOwner(std::string* owner) const = 0;
    173 
    174   // Write the value of http_downloads_enabled policy in
    175   // |http_downloads_enabled|. Returns true on success.
    176   virtual bool GetHttpDownloadsEnabled(bool* http_downloads_enabled) const = 0;
    177 
    178   // Writes the value of au_p2p_enabled policy in
    179   // |au_p2p_enabled|. Returns true on success.
    180   virtual bool GetAuP2PEnabled(bool* au_p2p_enabled) const = 0;
    181 
    182   // Writes the value of allow_kiosk_app_control_chrome_version policy in
    183   // |allow_kiosk_app_control_chrome_version|. Returns true on success.
    184   virtual bool GetAllowKioskAppControlChromeVersion(
    185       bool* allow_kiosk_app_control_chrome_version) const = 0;
    186 
    187   // Writes the value of the UsbDetachableWhitelist policy in |usb_whitelist|.
    188   // Returns true on success.
    189   virtual bool GetUsbDetachableWhitelist(
    190       std::vector<UsbDeviceId>* usb_whitelist) const = 0;
    191 
    192   // Writes the value of the kiosk app id into |app_id_out|.
    193   // Only succeeds if the device is in auto-launched kiosk mode.
    194   virtual bool GetAutoLaunchedKioskAppId(std::string* app_id_out) const = 0;
    195 
    196   // Returns true if the policy data indicates that the device is enterprise
    197   // managed. Note that this potentially could be faked by an exploit, therefore
    198   // InstallAttributesReader must be used when tamper-proof evidence of the
    199   // management state is required.
    200   virtual bool IsEnterpriseManaged() const = 0;
    201 
    202   // Writes the value of the DeviceSecondFactorAuthentication policy in
    203   // |mode_out|. |mode_out| is one of the values from
    204   // DeviceSecondFactorAuthenticationProto's U2fMode enum (e.g. DISABLED,
    205   // U2F or U2F_EXTENDED). Returns true on success.
    206   virtual bool GetSecondFactorAuthenticationMode(int* mode_out) const = 0;
    207 
    208   // Writes the valid time intervals to |intervals_out|. These
    209   // intervals are taken from the disallowed time intervals field in the
    210   // AutoUpdateSettingsProto. Returns true if the intervals in the proto are
    211   // valid.
    212   virtual bool GetDisallowedTimeIntervals(
    213       std::vector<WeeklyTimeInterval>* intervals_out) const = 0;
    214 
    215   // Writes the value of the DeviceUpdateStagingSchedule policy to
    216   // |staging_schedule_out|. Returns true on success.
    217   // The schedule is a list of <days, percentage> pairs. The percentages are
    218   // expected to be mononically increasing in the range of [1, 100]. Similarly,
    219   // days are expected to be monotonically increasing in the range [1, 28]. Each
    220   // pair describes the |percentage| of the fleet that is expected to receive an
    221   // update after |days| days after an update was discovered. e.g. [<4, 30>, <8,
    222   // 100>] means that 30% of devices should be updated in the first 4 days, and
    223   // then 100% should be updated after 8 days.
    224   virtual bool GetDeviceUpdateStagingSchedule(
    225       std::vector<DayPercentagePair>* staging_schedule_out) const = 0;
    226 
    227  private:
    228   // Verifies that the policy signature is correct.
    229   virtual bool VerifyPolicySignature() = 0;
    230 
    231   DISALLOW_COPY_AND_ASSIGN(DevicePolicy);
    232 };
    233 }  // namespace policy
    234 
    235 #pragma GCC visibility pop
    236 
    237 #endif  // LIBBRILLO_POLICY_DEVICE_POLICY_H_
    238