1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h" 6 7 #include "base/bind.h" 8 #include "base/command_line.h" 9 #include "base/files/file_path.h" 10 #include "base/logging.h" 11 #include "base/memory/ref_counted.h" 12 #include "base/message_loop/message_loop_proxy.h" 13 #include "base/path_service.h" 14 #include "base/sequenced_task_runner.h" 15 #include "base/threading/sequenced_worker_pool.h" 16 #include "base/time/time.h" 17 #include "chrome/browser/browser_process.h" 18 #include "chrome/browser/chromeos/login/login_utils.h" 19 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h" 20 #include "chrome/browser/chromeos/policy/user_cloud_external_data_manager.h" 21 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h" 22 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" 23 #include "chrome/browser/chromeos/profiles/profile_helper.h" 24 #include "chrome/browser/policy/schema_registry_service.h" 25 #include "chrome/browser/policy/schema_registry_service_factory.h" 26 #include "chrome/browser/profiles/profile.h" 27 #include "chromeos/chromeos_paths.h" 28 #include "chromeos/chromeos_switches.h" 29 #include "chromeos/dbus/dbus_thread_manager.h" 30 #include "components/keyed_service/content/browser_context_dependency_manager.h" 31 #include "components/policy/core/browser/browser_policy_connector.h" 32 #include "components/policy/core/common/cloud/cloud_external_data_manager.h" 33 #include "components/policy/core/common/cloud/device_management_service.h" 34 #include "components/user_manager/user.h" 35 #include "components/user_manager/user_manager.h" 36 #include "components/user_manager/user_type.h" 37 #include "content/public/browser/browser_thread.h" 38 #include "net/url_request/url_request_context_getter.h" 39 #include "policy/policy_constants.h" 40 41 namespace policy { 42 43 namespace { 44 45 // Subdirectory in the user's profile for storing legacy user policies. 46 const base::FilePath::CharType kDeviceManagementDir[] = 47 FILE_PATH_LITERAL("Device Management"); 48 49 // File in the above directory for storing legacy user policy dmtokens. 50 const base::FilePath::CharType kToken[] = FILE_PATH_LITERAL("Token"); 51 52 // This constant is used to build two different paths. It can be a file inside 53 // kDeviceManagementDir where legacy user policy data is stored, and it can be 54 // a directory inside the profile directory where other resources are stored. 55 const base::FilePath::CharType kPolicy[] = FILE_PATH_LITERAL("Policy"); 56 57 // Directory under kPolicy, in the user's profile dir, where policy for 58 // components is cached. 59 const base::FilePath::CharType kComponentsDir[] = 60 FILE_PATH_LITERAL("Components"); 61 62 // Directory in which to store external policy data. This is specified relative 63 // to kPolicy. 64 const base::FilePath::CharType kPolicyExternalDataDir[] = 65 FILE_PATH_LITERAL("External Data"); 66 67 // Timeout in seconds after which to abandon the initial policy fetch and start 68 // the session regardless. 69 const int kInitialPolicyFetchTimeoutSeconds = 10; 70 71 } // namespace 72 73 // static 74 UserCloudPolicyManagerFactoryChromeOS* 75 UserCloudPolicyManagerFactoryChromeOS::GetInstance() { 76 return Singleton<UserCloudPolicyManagerFactoryChromeOS>::get(); 77 } 78 79 // static 80 UserCloudPolicyManagerChromeOS* 81 UserCloudPolicyManagerFactoryChromeOS::GetForProfile( 82 Profile* profile) { 83 return GetInstance()->GetManagerForProfile(profile); 84 } 85 86 // static 87 scoped_ptr<UserCloudPolicyManagerChromeOS> 88 UserCloudPolicyManagerFactoryChromeOS::CreateForProfile( 89 Profile* profile, 90 bool force_immediate_load, 91 scoped_refptr<base::SequencedTaskRunner> background_task_runner) { 92 return GetInstance()->CreateManagerForProfile( 93 profile, force_immediate_load, background_task_runner); 94 } 95 96 UserCloudPolicyManagerFactoryChromeOS::UserCloudPolicyManagerFactoryChromeOS() 97 : BrowserContextKeyedBaseFactory( 98 "UserCloudPolicyManagerChromeOS", 99 BrowserContextDependencyManager::GetInstance()) { 100 DependsOn(SchemaRegistryServiceFactory::GetInstance()); 101 } 102 103 UserCloudPolicyManagerFactoryChromeOS:: 104 ~UserCloudPolicyManagerFactoryChromeOS() {} 105 106 UserCloudPolicyManagerChromeOS* 107 UserCloudPolicyManagerFactoryChromeOS::GetManagerForProfile( 108 Profile* profile) { 109 // Get the manager for the original profile, since the PolicyService is 110 // also shared between the incognito Profile and the original Profile. 111 ManagerMap::const_iterator it = managers_.find(profile->GetOriginalProfile()); 112 return it != managers_.end() ? it->second : NULL; 113 } 114 115 scoped_ptr<UserCloudPolicyManagerChromeOS> 116 UserCloudPolicyManagerFactoryChromeOS::CreateManagerForProfile( 117 Profile* profile, 118 bool force_immediate_load, 119 scoped_refptr<base::SequencedTaskRunner> background_task_runner) { 120 const CommandLine* command_line = CommandLine::ForCurrentProcess(); 121 // Don't initialize cloud policy for the signin profile. 122 if (chromeos::ProfileHelper::IsSigninProfile(profile)) 123 return scoped_ptr<UserCloudPolicyManagerChromeOS>(); 124 125 // |user| should never be NULL except for the signin profile. This object is 126 // created as part of the Profile creation, which happens right after 127 // sign-in. The just-signed-in User is the active user during that time. 128 user_manager::User* user = 129 chromeos::ProfileHelper::Get()->GetUserByProfile(profile); 130 CHECK(user); 131 132 // Only USER_TYPE_REGULAR users have user cloud policy. 133 // USER_TYPE_RETAIL_MODE, USER_TYPE_KIOSK_APP, USER_TYPE_GUEST and 134 // USER_TYPE_SUPERVISED are not signed in and can't authenticate the 135 // policy registration. 136 // USER_TYPE_PUBLIC_ACCOUNT gets its policy from the 137 // DeviceLocalAccountPolicyService. 138 // Non-managed domains will be skipped by the below check 139 const std::string& username = user->email(); 140 if (user->GetType() != user_manager::USER_TYPE_REGULAR || 141 BrowserPolicyConnector::IsNonEnterpriseUser(username)) { 142 return scoped_ptr<UserCloudPolicyManagerChromeOS>(); 143 } 144 145 policy::BrowserPolicyConnectorChromeOS* connector = 146 g_browser_process->platform_part()->browser_policy_connector_chromeos(); 147 UserAffiliation affiliation = connector->GetUserAffiliation(username); 148 const bool is_affiliated_user = affiliation == USER_AFFILIATION_MANAGED; 149 const bool is_browser_restart = 150 command_line->HasSwitch(chromeos::switches::kLoginUser); 151 const bool wait_for_initial_policy = 152 !is_browser_restart && 153 (user_manager::UserManager::Get()->IsCurrentUserNew() || 154 is_affiliated_user); 155 156 const base::TimeDelta initial_policy_fetch_timeout = 157 user_manager::UserManager::Get()->IsCurrentUserNew() 158 ? base::TimeDelta::Max() 159 : base::TimeDelta::FromSeconds(kInitialPolicyFetchTimeoutSeconds); 160 161 DeviceManagementService* device_management_service = 162 connector->device_management_service(); 163 if (wait_for_initial_policy) 164 device_management_service->ScheduleInitialization(0); 165 166 base::FilePath profile_dir = profile->GetPath(); 167 const base::FilePath legacy_dir = profile_dir.Append(kDeviceManagementDir); 168 const base::FilePath policy_cache_file = legacy_dir.Append(kPolicy); 169 const base::FilePath token_cache_file = legacy_dir.Append(kToken); 170 const base::FilePath component_policy_cache_dir = 171 profile_dir.Append(kPolicy).Append(kComponentsDir); 172 const base::FilePath external_data_dir = 173 profile_dir.Append(kPolicy).Append(kPolicyExternalDataDir); 174 base::FilePath policy_key_dir; 175 CHECK(PathService::Get(chromeos::DIR_USER_POLICY_KEYS, &policy_key_dir)); 176 177 scoped_ptr<UserCloudPolicyStoreChromeOS> store( 178 new UserCloudPolicyStoreChromeOS( 179 chromeos::DBusThreadManager::Get()->GetCryptohomeClient(), 180 chromeos::DBusThreadManager::Get()->GetSessionManagerClient(), 181 background_task_runner, 182 username, policy_key_dir, token_cache_file, policy_cache_file)); 183 184 scoped_refptr<base::SequencedTaskRunner> backend_task_runner = 185 content::BrowserThread::GetBlockingPool()->GetSequencedTaskRunner( 186 content::BrowserThread::GetBlockingPool()->GetSequenceToken()); 187 scoped_refptr<base::SequencedTaskRunner> io_task_runner = 188 content::BrowserThread::GetMessageLoopProxyForThread( 189 content::BrowserThread::IO); 190 scoped_ptr<CloudExternalDataManager> external_data_manager( 191 new UserCloudExternalDataManager(base::Bind(&GetChromePolicyDetails), 192 backend_task_runner, 193 io_task_runner, 194 external_data_dir, 195 store.get())); 196 if (force_immediate_load) 197 store->LoadImmediately(); 198 199 scoped_refptr<base::SequencedTaskRunner> file_task_runner = 200 content::BrowserThread::GetMessageLoopProxyForThread( 201 content::BrowserThread::FILE); 202 203 scoped_ptr<UserCloudPolicyManagerChromeOS> manager( 204 new UserCloudPolicyManagerChromeOS( 205 store.PassAs<CloudPolicyStore>(), 206 external_data_manager.Pass(), 207 component_policy_cache_dir, 208 wait_for_initial_policy, 209 initial_policy_fetch_timeout, 210 base::MessageLoopProxy::current(), 211 file_task_runner, 212 io_task_runner)); 213 214 bool wildcard_match = false; 215 if (connector->IsEnterpriseManaged() && 216 chromeos::LoginUtils::IsWhitelisted(username, &wildcard_match) && 217 wildcard_match && 218 !connector->IsNonEnterpriseUser(username)) { 219 manager->EnableWildcardLoginCheck(username); 220 } 221 222 manager->Init( 223 SchemaRegistryServiceFactory::GetForContext(profile)->registry()); 224 manager->Connect(g_browser_process->local_state(), 225 device_management_service, 226 g_browser_process->system_request_context(), 227 affiliation); 228 229 DCHECK(managers_.find(profile) == managers_.end()); 230 managers_[profile] = manager.get(); 231 return manager.Pass(); 232 } 233 234 void UserCloudPolicyManagerFactoryChromeOS::BrowserContextShutdown( 235 content::BrowserContext* context) { 236 Profile* profile = static_cast<Profile*>(context); 237 if (profile->IsOffTheRecord()) 238 return; 239 UserCloudPolicyManagerChromeOS* manager = GetManagerForProfile(profile); 240 if (manager) 241 manager->Shutdown(); 242 } 243 244 void UserCloudPolicyManagerFactoryChromeOS::BrowserContextDestroyed( 245 content::BrowserContext* context) { 246 Profile* profile = static_cast<Profile*>(context); 247 managers_.erase(profile); 248 BrowserContextKeyedBaseFactory::BrowserContextDestroyed(context); 249 } 250 251 void UserCloudPolicyManagerFactoryChromeOS::SetEmptyTestingFactory( 252 content::BrowserContext* context) {} 253 254 bool UserCloudPolicyManagerFactoryChromeOS::HasTestingFactory( 255 content::BrowserContext* context) { 256 return false; 257 } 258 259 void UserCloudPolicyManagerFactoryChromeOS::CreateServiceNow( 260 content::BrowserContext* context) {} 261 262 } // namespace policy 263