      1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef LIBBRILLO_POLICY_DEVICE_POLICY_IMPL_H_
      6 #define LIBBRILLO_POLICY_DEVICE_POLICY_IMPL_H_
      7 
      8 #include <memory>
      9 #include <set>
     10 #include <string>
     11 #include <utility>
     12 #include <vector>
     13 
     14 #include <base/files/file_path.h>
     15 #include <base/macros.h>
     16 
     17 #include "bindings/chrome_device_policy.pb.h"
     18 #include "bindings/device_management_backend.pb.h"
     19 #include "install_attributes/libinstallattributes.h"
     20 #include "policy/device_policy.h"
     21 
     22 #pragma GCC visibility push(default)
     23 
     24 namespace policy {
     25 
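// This class holds device settings that are to be enforced across all users.
//
// Before serving it to the users this class verifies that the policy is valid
// against its signature and the owner's key and also that the policy files
// are owned by root.
//
// Security note: both checks are controlled by the member flags
// |verify_policy_| and |verify_root_ownership_|, which default to true and
// can be cleared through the public *_for_testing setters below. This header
// is compiled with default symbol visibility, so nothing here stops non-test
// code from calling those setters; restrict their use to test targets in
// review.
class DevicePolicyImpl : public DevicePolicy {
 public:
  DevicePolicyImpl();
  ~DevicePolicyImpl() override;

  // Returns a reference to the settings proto held in |device_policy_|. The
  // reference is valid only while this object is alive.
  // NOTE(review): presumably meaningful only after a successful LoadPolicy()
  // -- confirm against the implementation file.
  const enterprise_management::ChromeDeviceSettingsProto& get_device_policy()
      const {
    return device_policy_;
  }

  // DevicePolicy overrides. The contract of each getter (meaning of the bool
  // result and when the out-parameter is written) is declared on the base
  // class in policy/device_policy.h.
  bool LoadPolicy() override;
  bool GetPolicyRefreshRate(int* rate) const override;
  bool GetUserWhitelist(
      std::vector<std::string>* user_whitelist) const override;
  bool GetGuestModeEnabled(bool* guest_mode_enabled) const override;
  bool GetCameraEnabled(bool* camera_enabled) const override;
  bool GetShowUserNames(bool* show_user_names) const override;
  bool GetDataRoamingEnabled(bool* data_roaming_enabled) const override;
  bool GetAllowNewUsers(bool* allow_new_users) const override;
  bool GetMetricsEnabled(bool* metrics_enabled) const override;
  bool GetReportVersionInfo(bool* report_version_info) const override;
  bool GetReportActivityTimes(bool* report_activity_times) const override;
  bool GetReportBootMode(bool* report_boot_mode) const override;
  bool GetEphemeralUsersEnabled(bool* ephemeral_users_enabled) const override;
  bool GetReleaseChannel(std::string* release_channel) const override;
  bool GetReleaseChannelDelegated(
      bool* release_channel_delegated) const override;
  bool GetUpdateDisabled(bool* update_disabled) const override;
  bool GetTargetVersionPrefix(
      std::string* target_version_prefix) const override;
  bool GetRollbackToTargetVersion(
      int* rollback_to_target_version) const override;
  bool GetRollbackAllowedMilestones(
      int* rollback_allowed_milestones) const override;
  bool GetScatterFactorInSeconds(
      int64_t* scatter_factor_in_seconds) const override;
  bool GetAllowedConnectionTypesForUpdate(
      std::set<std::string>* connection_types) const override;
  bool GetOpenNetworkConfiguration(
      std::string* open_network_configuration) const override;
  bool GetOwner(std::string* owner) const override;
  bool GetHttpDownloadsEnabled(bool* http_downloads_enabled) const override;
  bool GetAuP2PEnabled(bool* au_p2p_enabled) const override;
  bool GetAllowKioskAppControlChromeVersion(
      bool* allow_kiosk_app_control_chrome_version) const override;
  bool GetUsbDetachableWhitelist(
      std::vector<UsbDeviceId>* usb_whitelist) const override;
  bool GetAutoLaunchedKioskAppId(std::string* app_id_out) const override;
  bool IsEnterpriseManaged() const override;
  bool GetSecondFactorAuthenticationMode(int* mode_out) const override;
  bool GetDisallowedTimeIntervals(
      std::vector<WeeklyTimeInterval>* intervals_out) const override;
  bool GetDeviceUpdateStagingSchedule(
      std::vector<DayPercentagePair>* staging_schedule_out) const override;

  // Methods that can be used only for testing.
  //
  // Several of these replace verified state or switch verification off, so a
  // call from production code would let unverified policy be served. The
  // "only for testing" restriction is a naming convention; this header does
  // not enforce it.

  // Overwrites |policy_data_| with a copy of |policy_data|.
  void set_policy_data_for_testing(
      const enterprise_management::PolicyData& policy_data) {
    policy_data_ = policy_data;
  }
  // Sets |verify_root_ownership_|. Passing false turns off the root-ownership
  // check performed by VerifyPolicyFile().
  void set_verify_root_ownership_for_testing(bool verify_root_ownership) {
    verify_root_ownership_ = verify_root_ownership;
  }
  // Takes ownership of |install_attributes_reader| and stores it in
  // |install_attributes_reader_|, replacing any previous reader.
  void set_install_attributes_for_testing(
      std::unique_ptr<InstallAttributesReader> install_attributes_reader) {
    install_attributes_reader_ = std::move(install_attributes_reader);
  }
  // Overwrites |device_policy_| with a copy of |device_policy|. The injected
  // settings do not pass through any verification in this setter.
  void set_policy_for_testing(
      const enterprise_management::ChromeDeviceSettingsProto& device_policy) {
    device_policy_ = device_policy;
  }
  // Redirects the policy file location to |policy_path|.
  void set_policy_path_for_testing(const base::FilePath& policy_path) {
    policy_path_ = policy_path;
  }
  // Redirects the key file location to |keyfile_path|.
  void set_key_file_path_for_testing(const base::FilePath& keyfile_path) {
    keyfile_path_ = keyfile_path;
  }
  // Sets |verify_policy_|. Passing false disables all types of verification.
  void set_verify_policy_for_testing(bool value) { verify_policy_ = value; }

 private:
  // Verifies that both the policy file and the signature file exist and are
  // owned by the root. Does nothing when |verify_root_ownership_| is set to
  // false.
  bool VerifyPolicyFile(const base::FilePath& policy_path);

  // Verifies that the policy signature is correct.
  bool VerifyPolicySignature() override;

  // Loads policy off of disk from |policy_path| into |policy_|. Returns true if
  // the |policy_path| is present on disk and loading it is successful.
  bool LoadPolicyFromFile(const base::FilePath& policy_path);

  // Path of the default policy file, e.g. /path/to/policy. In order to make
  // device policy more resilient against broken files, this class also tries to
  // load indexed paths /path/to/policy.1, /path/to/policy.2 etc., see
  // resilient_policy_utils.h.
  base::FilePath policy_path_;
  // Path of the key file.
  // NOTE(review): presumably the owner key that VerifyPolicySignature() checks
  // against -- confirm in the implementation file.
  base::FilePath keyfile_path_;
  // Reader for install attributes; replaceable via
  // set_install_attributes_for_testing().
  std::unique_ptr<InstallAttributesReader> install_attributes_reader_;
  // Policy blob as loaded from disk by LoadPolicyFromFile().
  enterprise_management::PolicyFetchResponse policy_;
  // NOTE(review): |policy_data_| and |device_policy_| are presumably parsed
  // out of |policy_| during LoadPolicy() -- confirm in the implementation
  // file.
  enterprise_management::PolicyData policy_data_;
  enterprise_management::ChromeDeviceSettingsProto device_policy_;

  // If true, verify that policy files are owned by root. True in production
  // but can be set to false by tests.
  bool verify_root_ownership_ = true;
  // If false, all types of verification are disabled. True in production
  // but can be set to false by tests.
  bool verify_policy_ = true;

  DISALLOW_COPY_AND_ASSIGN(DevicePolicyImpl);
};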
    144 }  // namespace policy
    145 
    146 #pragma GCC visibility pop
    147 
    148 #endif  // LIBBRILLO_POLICY_DEVICE_POLICY_IMPL_H_
    149