diff options
| author | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-19 22:49:13 +0000 |
|---|---|---|
| committer | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-06-19 22:49:13 +0000 |
| commit | 4c972f380a044bebd83772e14380a66143e1ceef (patch) | |
| tree | a6fcd587ce12cff89e60942797945fb274387cf3 | |
| parent | b5bdf75511ae7eb8575083bc567c846a8c92ccb9 (diff) | |
| download | chromium_src-4c972f380a044bebd83772e14380a66143e1ceef.zip chromium_src-4c972f380a044bebd83772e14380a66143e1ceef.tar.gz chromium_src-4c972f380a044bebd83772e14380a66143e1ceef.tar.bz2 | |
Wire up component cloud policy to device local accounts.
This enables policy-for-extensions running in Public Sessions, and for
extensions running as Kiosk Apps too.
TBR=bartfab@chromium.org
BUG=224596
Review URL: https://codereview.chromium.org/341043005
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@278518 0039d316-1c4b-4281-b951-d872f2087c98
9 files changed, 199 insertions, 55 deletions
diff --git a/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc b/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc index 9614868..4c85304b 100644 --- a/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc +++ b/chrome/browser/chromeos/extensions/device_local_account_management_policy_provider.cc @@ -65,6 +65,9 @@ const char* kPublicSessionWhitelist[] = { "dhmdaeekeihmajjnmichlhiffffdbpde", // Store.app demo "jeabmjjifhfcejonjjhccaeigpnnjaak", // TweetDeck demo "pbdihpaifchmclcmkfdgffnnpfbobefh", // YouTube demo + + // Testing extensions: + "ongnjlefhnoajpbodoldndkbkdgfomlp", // Show Managed Storage }; } // namespace diff --git a/chrome/browser/chromeos/policy/device_local_account_browsertest.cc b/chrome/browser/chromeos/policy/device_local_account_browsertest.cc index 677cfa2..59ad468 100644 --- a/chrome/browser/chromeos/policy/device_local_account_browsertest.cc +++ b/chrome/browser/chromeos/policy/device_local_account_browsertest.cc @@ -17,7 +17,6 @@ #include "base/command_line.h" #include "base/file_util.h" #include "base/files/file_path.h" -#include "base/files/scoped_temp_dir.h" #include "base/json/json_reader.h" #include "base/json/json_writer.h" #include "base/location.h" @@ -33,7 +32,6 @@ #include "base/strings/string_util.h" #include "base/strings/stringprintf.h" #include "base/strings/utf_string_conversions.h" -#include "base/test/scoped_path_override.h" #include "base/values.h" #include "chrome/browser/browser_process.h" #include "chrome/browser/chrome_notification_types.h" @@ -311,15 +309,6 @@ class DeviceLocalAccountTest : public DevicePolicyCrosBrowserTest, PolicyBuilder::kFakeDeviceId); ASSERT_TRUE(test_server_.Start()); - ASSERT_TRUE(extension_cache_root_dir_.CreateUniqueTempDir()); - extension_cache_root_dir_override_.reset(new base::ScopedPathOverride( - chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, - extension_cache_root_dir_.path())); - ASSERT_TRUE(external_data_cache_dir_.CreateUniqueTempDir()); - external_data_cache_dir_override_.reset(new base::ScopedPathOverride( - chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTERNAL_DATA, - external_data_cache_dir_.path())); - BrowserList::AddObserver(this); DevicePolicyCrosBrowserTest::SetUp(); @@ -433,8 +422,11 @@ class DeviceLocalAccountTest : public DevicePolicyCrosBrowserTest, } base::FilePath GetCacheDirectoryForAccountID(const std::string& account_id) { - return extension_cache_root_dir_.path() - .Append(base::HexEncode(account_id.c_str(), account_id.size())); + base::FilePath extension_cache_root_dir; + PathService::Get(chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, + &extension_cache_root_dir); + return extension_cache_root_dir.Append( + base::HexEncode(account_id.c_str(), account_id.size())); } base::FilePath GetCacheCRXFile(const std::string& account_id, @@ -459,11 +451,6 @@ class DeviceLocalAccountTest : public DevicePolicyCrosBrowserTest, LocalPolicyTestServer test_server_; private: - base::ScopedTempDir extension_cache_root_dir_; - base::ScopedTempDir external_data_cache_dir_; - scoped_ptr<base::ScopedPathOverride> extension_cache_root_dir_override_; - scoped_ptr<base::ScopedPathOverride> external_data_cache_dir_override_; - DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountTest); }; diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc b/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc index b6ed507..837eb99 100644 --- a/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc +++ b/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc @@ -5,6 +5,7 @@ #include "chrome/browser/chromeos/policy/device_local_account_policy_provider.h" #include "base/bind.h" +#include "base/command_line.h" #include "base/values.h" #include "chrome/browser/chromeos/policy/device_local_account.h" #include "chrome/browser/chromeos/policy/device_local_account_external_data_manager.h" @@ -14,6 +15,9 @@ #include "components/policy/core/common/policy_bundle.h" #include "components/policy/core/common/policy_map.h" #include "components/policy/core/common/policy_namespace.h" +#include "components/policy/core/common/policy_switches.h" +#include "content/public/browser/browser_thread.h" +#include "net/url_request/url_request_context_getter.h" #include "policy/policy_constants.h" namespace policy { @@ -94,10 +98,19 @@ DeviceLocalAccountPolicyProvider::Create( return provider.Pass(); } +void DeviceLocalAccountPolicyProvider::Init(SchemaRegistry* schema_registry) { + ConfigurationPolicyProvider::Init(schema_registry); + MaybeCreateComponentPolicyService(); +} + bool DeviceLocalAccountPolicyProvider::IsInitializationComplete( PolicyDomain domain) const { if (domain == POLICY_DOMAIN_CHROME) return store_initialized_; + if (ComponentCloudPolicyService::SupportsDomain(domain) && + component_policy_service_) { + return component_policy_service_->is_initialized(); + } return true; } @@ -113,13 +126,34 @@ void DeviceLocalAccountPolicyProvider::RefreshPolicies() { } } +void DeviceLocalAccountPolicyProvider::Shutdown() { + component_policy_service_.reset(); + ConfigurationPolicyProvider::Shutdown(); +} + void DeviceLocalAccountPolicyProvider::OnPolicyUpdated( const std::string& user_id) { - if (user_id == user_id_) + if (user_id == user_id_) { + MaybeCreateComponentPolicyService(); UpdateFromBroker(); + } } void DeviceLocalAccountPolicyProvider::OnDeviceLocalAccountsChanged() { + MaybeCreateComponentPolicyService(); + UpdateFromBroker(); +} + +void DeviceLocalAccountPolicyProvider::OnBrokerShutdown( + DeviceLocalAccountPolicyBroker* broker) { + if (broker->user_id() == user_id_) { + // The |component_policy_service_| relies on the broker's CloudPolicyCore, + // so destroy it if the broker is going away. + component_policy_service_.reset(); + } +} + +void DeviceLocalAccountPolicyProvider::OnComponentCloudPolicyUpdated() { UpdateFromBroker(); } @@ -153,6 +187,9 @@ void DeviceLocalAccountPolicyProvider::UpdateFromBroker() { bundle->CopyFrom(policies()); } + if (component_policy_service_) + bundle->MergeFrom(component_policy_service_->policy()); + // Apply overrides. if (chrome_policy_overrides_) { PolicyMap& chrome_policy = @@ -169,4 +206,35 @@ void DeviceLocalAccountPolicyProvider::UpdateFromBroker() { UpdatePolicy(bundle.Pass()); } +void DeviceLocalAccountPolicyProvider::MaybeCreateComponentPolicyService() { + if (component_policy_service_) + return; // Already started. + + if (CommandLine::ForCurrentProcess()->HasSwitch( + switches::kDisableComponentCloudPolicy)) { + // Disabled via the command line. + return; + } + + DeviceLocalAccountPolicyBroker* broker = GetBroker(); + if (!broker || !schema_registry()) + return; // Missing broker or not initialized yet. + + scoped_ptr<ResourceCache> resource_cache( + new ResourceCache(broker->GetComponentPolicyCachePath(), + content::BrowserThread::GetMessageLoopProxyForThread( + content::BrowserThread::FILE))); + + component_policy_service_.reset(new ComponentCloudPolicyService( + this, + schema_registry(), + broker->core(), + resource_cache.Pass(), + service_->request_context(), + content::BrowserThread::GetMessageLoopProxyForThread( + content::BrowserThread::FILE), + content::BrowserThread::GetMessageLoopProxyForThread( + content::BrowserThread::IO))); +} + } // namespace policy diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_provider.h b/chrome/browser/chromeos/policy/device_local_account_policy_provider.h index fa39815..079f931 100644 --- a/chrome/browser/chromeos/policy/device_local_account_policy_provider.h +++ b/chrome/browser/chromeos/policy/device_local_account_policy_provider.h @@ -14,6 +14,8 @@ #include "base/memory/weak_ptr.h" #include "chrome/browser/chromeos/policy/device_local_account_external_data_manager.h" #include "chrome/browser/chromeos/policy/device_local_account_policy_service.h" +#include "components/policy/core/common/cloud/component_cloud_policy_service.h" +#include "components/policy/core/common/cloud/resource_cache.h" #include "components/policy/core/common/configuration_policy_provider.h" namespace policy { @@ -27,7 +29,8 @@ class PolicyMap; // and RefreshPolicies becomes a no-op. class DeviceLocalAccountPolicyProvider : public ConfigurationPolicyProvider, - public DeviceLocalAccountPolicyService::Observer { + public DeviceLocalAccountPolicyService::Observer, + public ComponentCloudPolicyService::Delegate { public: DeviceLocalAccountPolicyProvider( const std::string& user_id, @@ -43,12 +46,19 @@ class DeviceLocalAccountPolicyProvider DeviceLocalAccountPolicyService* service); // ConfigurationPolicyProvider: + virtual void Init(SchemaRegistry* registry) OVERRIDE; virtual bool IsInitializationComplete(PolicyDomain domain) const OVERRIDE; virtual void RefreshPolicies() OVERRIDE; + virtual void Shutdown() OVERRIDE; // DeviceLocalAccountPolicyService::Observer: virtual void OnPolicyUpdated(const std::string& user_id) OVERRIDE; virtual void OnDeviceLocalAccountsChanged() OVERRIDE; + virtual void OnBrokerShutdown( + DeviceLocalAccountPolicyBroker* broker) OVERRIDE; + + // ComponentCloudPolicyService::Delegate: + virtual void OnComponentCloudPolicyUpdated() OVERRIDE; private: // Returns the broker for |user_id_| or NULL if not available. @@ -62,6 +72,10 @@ class DeviceLocalAccountPolicyProvider // policy from the broker if available or keeping the current policy. void UpdateFromBroker(); + // Creates the |component_policy_service_| if it hasn't been created yet + // and all the dependencies are in place. + void MaybeCreateComponentPolicyService(); + const std::string user_id_; scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager_; @@ -75,6 +89,8 @@ class DeviceLocalAccountPolicyProvider bool store_initialized_; bool waiting_for_policy_refresh_; + scoped_ptr<ComponentCloudPolicyService> component_policy_service_; + base::WeakPtrFactory<DeviceLocalAccountPolicyProvider> weak_factory_; DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyProvider); diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_service.cc b/chrome/browser/chromeos/policy/device_local_account_policy_service.cc index c42c4fc..9d853b8 100644 --- a/chrome/browser/chromeos/policy/device_local_account_policy_service.cc +++ b/chrome/browser/chromeos/policy/device_local_account_policy_service.cc @@ -9,12 +9,12 @@ #include "base/bind.h" #include "base/file_util.h" #include "base/files/file_enumerator.h" -#include "base/files/file_path.h" #include "base/logging.h" #include "base/message_loop/message_loop.h" #include "base/message_loop/message_loop_proxy.h" #include "base/path_service.h" #include "base/sequenced_task_runner.h" +#include "base/stl_util.h" #include "base/strings/string_number_conversions.h" #include "chrome/browser/browser_process.h" #include "chrome/browser/chromeos/policy/device_local_account.h" @@ -31,6 +31,7 @@ #include "components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h" #include "components/policy/core/common/cloud/device_management_service.h" #include "components/policy/core/common/cloud/system_policy_request_context.h" +#include "content/public/browser/browser_thread.h" #include "net/url_request/url_request_context_getter.h" #include "policy/policy_constants.h" #include "policy/proto/device_management_backend.pb.h" @@ -72,29 +73,26 @@ scoped_ptr<CloudPolicyClient> CreateClient( } // Get the subdirectory of the cache directory in which force-installed -// extensions are cached for |account_id|. -std::string GetCacheSubdirectoryForAccountID(const std::string& account_id) { +// extensions are cached for |account_id|. This is also used for the +// component policy cache. +std::string EncodeAccountId(const std::string& account_id) { return base::HexEncode(account_id.c_str(), account_id.size()); } // Cleans up the cache directory by removing subdirectories that are not found // in |subdirectories_to_keep|. Only caches whose cache directory is found in // |subdirectories_to_keep| may be running while the clean-up is in progress. -void DeleteOrphanedExtensionCaches( +void DeleteOrphanedCaches( + const base::FilePath& cache_root_dir, const std::set<std::string>& subdirectories_to_keep) { - base::FilePath cache_root_dir; - CHECK(PathService::Get(chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, - &cache_root_dir)); base::FileEnumerator enumerator(cache_root_dir, false, base::FileEnumerator::DIRECTORIES); for (base::FilePath path = enumerator.Next(); !path.empty(); path = enumerator.Next()) { const std::string subdirectory(path.BaseName().MaybeAsASCII()); - if (subdirectories_to_keep.find(subdirectory) == - subdirectories_to_keep.end()) { + if (!ContainsKey(subdirectories_to_keep, subdirectory)) base::DeleteFile(path, true); - } } } @@ -105,8 +103,8 @@ void DeleteObsoleteExtensionCache(const std::string& account_id_to_delete) { base::FilePath cache_root_dir; CHECK(PathService::Get(chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, &cache_root_dir)); - const base::FilePath path = cache_root_dir - .Append(GetCacheSubdirectoryForAccountID(account_id_to_delete)); + const base::FilePath path = + cache_root_dir.Append(EncodeAccountId(account_id_to_delete)); if (base::DirectoryExists(path)) base::DeleteFile(path, true); } @@ -115,11 +113,13 @@ void DeleteObsoleteExtensionCache(const std::string& account_id_to_delete) { DeviceLocalAccountPolicyBroker::DeviceLocalAccountPolicyBroker( const DeviceLocalAccount& account, + const base::FilePath& component_policy_cache_path, scoped_ptr<DeviceLocalAccountPolicyStore> store, scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager, const scoped_refptr<base::SequencedTaskRunner>& task_runner) : account_id_(account.account_id), user_id_(account.user_id), + component_policy_cache_path_(component_policy_cache_path), store_(store.Pass()), external_data_manager_(external_data_manager), core_(PolicyNamespaceKey(dm_protocol::kChromePublicAccountPolicyType, @@ -130,9 +130,7 @@ DeviceLocalAccountPolicyBroker::DeviceLocalAccountPolicyBroker( CHECK(PathService::Get(chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, &cache_root_dir)); extension_loader_ = new chromeos::DeviceLocalAccountExternalPolicyLoader( - store_.get(), - cache_root_dir.Append( - GetCacheSubdirectoryForAccountID(account.account_id))); + store_.get(), cache_root_dir.Append(EncodeAccountId(account.account_id))); } DeviceLocalAccountPolicyBroker::~DeviceLocalAccountPolicyBroker() { @@ -182,6 +180,11 @@ std::string DeviceLocalAccountPolicyBroker::GetDisplayName() const { return display_name; } +base::FilePath DeviceLocalAccountPolicyBroker::GetComponentPolicyCachePath() + const { + return component_policy_cache_path_; +} + DeviceLocalAccountPolicyService::DeviceLocalAccountPolicyService( chromeos::SessionManagerClient* session_manager_client, chromeos::DeviceSettingsService* device_settings_service, @@ -207,6 +210,8 @@ DeviceLocalAccountPolicyService::DeviceLocalAccountPolicyService( UpdateAccountListIfNonePending, base::Unretained(this)))), weak_factory_(this) { + CHECK(PathService::Get(chromeos::DIR_DEVICE_LOCAL_ACCOUNT_COMPONENT_POLICY, + &component_policy_cache_root_)); external_data_service_.reset(new DeviceLocalAccountExternalDataService( this, external_data_service_backend_task_runner, @@ -255,6 +260,11 @@ bool DeviceLocalAccountPolicyService::IsPolicyAvailableForUser( return broker && broker->core()->store()->is_managed(); } +scoped_refptr<net::URLRequestContextGetter> +DeviceLocalAccountPolicyService::request_context() const { + return request_context_; +} + void DeviceLocalAccountPolicyService::AddObserver(Observer* observer) { observers_.AddObserver(observer); } @@ -414,6 +424,7 @@ void DeviceLocalAccountPolicyService::UpdateAccountList() { store.get()); broker.reset(new DeviceLocalAccountPolicyBroker( *it, + component_policy_cache_root_.Append(EncodeAccountId(it->account_id)), store.Pass(), external_data_manager, base::MessageLoopProxy::current())); @@ -432,16 +443,7 @@ void DeviceLocalAccountPolicyService::UpdateAccountList() { policy_brokers_[it->user_id]->Initialize(); } - if (orphan_cache_deletion_state_ == NOT_STARTED) { - subdirectories_to_keep.insert( - GetCacheSubdirectoryForAccountID(it->account_id)); - } - } - - std::set<std::string> obsolete_account_ids; - for (PolicyBrokerMap::const_iterator it = old_policy_brokers.begin(); - it != old_policy_brokers.end(); ++it) { - obsolete_account_ids.insert(it->second->account_id()); + subdirectories_to_keep.insert(EncodeAccountId(it->account_id)); } if (orphan_cache_deletion_state_ == NOT_STARTED) { @@ -453,12 +455,17 @@ void DeviceLocalAccountPolicyService::UpdateAccountList() { // orphaned cache directories not found in |subdirectories_to_keep| from the // cache directory. orphan_cache_deletion_state_ = IN_PROGRESS; + + base::FilePath cache_root_dir; + CHECK(PathService::Get(chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, + &cache_root_dir)); extension_cache_task_runner_->PostTaskAndReply( FROM_HERE, - base::Bind(&DeleteOrphanedExtensionCaches, subdirectories_to_keep), - base::Bind(&DeviceLocalAccountPolicyService:: - OnOrphanedExtensionCachesDeleted, - weak_factory_.GetWeakPtr())); + base::Bind( + &DeleteOrphanedCaches, cache_root_dir, subdirectories_to_keep), + base::Bind( + &DeviceLocalAccountPolicyService::OnOrphanedExtensionCachesDeleted, + weak_factory_.GetWeakPtr())); // Start the extension caches for all brokers. These belong to accounts in // |account_ids| and are not affected by the clean-up. @@ -476,6 +483,16 @@ void DeviceLocalAccountPolicyService::UpdateAccountList() { } } + // Purge the component policy caches of any accounts that have been removed. + // Do this only after any obsolete brokers have been destroyed. + // TODO(joaodasilva): for now this must be posted to the FILE thread, + // to avoid racing with the ComponentCloudPolicyStore. Use a task runner + // once that class supports another background thread too. + content::BrowserThread::PostTask(content::BrowserThread::FILE, FROM_HERE, + base::Bind(&DeleteOrphanedCaches, + component_policy_cache_root_, + subdirectories_to_keep)); + FOR_EACH_OBSERVER(Observer, observers_, OnDeviceLocalAccountsChanged()); } @@ -492,6 +509,7 @@ void DeviceLocalAccountPolicyService::DeleteBrokers(PolicyBrokerMap* map) { weak_factory_.GetWeakPtr(), it->second->account_id())); } + FOR_EACH_OBSERVER(Observer, observers_, OnBrokerShutdown(it->second)); delete it->second; } map->clear(); diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_service.h b/chrome/browser/chromeos/policy/device_local_account_policy_service.h index 2f9e776..f91fc95 100644 --- a/chrome/browser/chromeos/policy/device_local_account_policy_service.h +++ b/chrome/browser/chromeos/policy/device_local_account_policy_service.h @@ -11,6 +11,7 @@ #include "base/basictypes.h" #include "base/compiler_specific.h" +#include "base/files/file_path.h" #include "base/memory/ref_counted.h" #include "base/memory/scoped_ptr.h" #include "base/memory/weak_ptr.h" @@ -48,6 +49,7 @@ class DeviceLocalAccountPolicyBroker { // |task_runner| is the runner for policy refresh tasks. DeviceLocalAccountPolicyBroker( const DeviceLocalAccount& account, + const base::FilePath& component_policy_cache_path, scoped_ptr<DeviceLocalAccountPolicyStore> store, scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager, @@ -86,9 +88,15 @@ class DeviceLocalAccountPolicyBroker { // empty string if the policy is not present. std::string GetDisplayName() const; + // Returns a directory where component policy for this account can be cached. + // The DeviceLocalAccountPolicyService takes care of cleaning up caches of + // accounts that have been removed. + base::FilePath GetComponentPolicyCachePath() const; + private: const std::string account_id_; const std::string user_id_; + const base::FilePath component_policy_cache_path_; const scoped_ptr<DeviceLocalAccountPolicyStore> store_; scoped_refptr<DeviceLocalAccountExternalDataManager> external_data_manager_; scoped_refptr<chromeos::DeviceLocalAccountExternalPolicyLoader> @@ -114,6 +122,9 @@ class DeviceLocalAccountPolicyService : public CloudPolicyStore::Observer { // The list of accounts has been updated. virtual void OnDeviceLocalAccountsChanged() = 0; + + // The given |broker| is about to be destroyed. + virtual void OnBrokerShutdown(DeviceLocalAccountPolicyBroker* broker) {} }; DeviceLocalAccountPolicyService( @@ -142,6 +153,8 @@ class DeviceLocalAccountPolicyService : public CloudPolicyStore::Observer { // |user_id|. bool IsPolicyAvailableForUser(const std::string& user_id); + scoped_refptr<net::URLRequestContextGetter> request_context() const; + void AddObserver(Observer* observer); void RemoveObserver(Observer* observer); @@ -229,6 +242,10 @@ class DeviceLocalAccountPolicyService : public CloudPolicyStore::Observer { const scoped_ptr<chromeos::CrosSettings::ObserverSubscription> local_accounts_subscription_; + // Path to the directory that contains the cached policies for components + // for device local accounts. + base::FilePath component_policy_cache_root_; + base::WeakPtrFactory<DeviceLocalAccountPolicyService> weak_factory_; DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyService); diff --git a/chrome/browser/policy/test/policy_testserver.py b/chrome/browser/policy/test/policy_testserver.py index 4137455..81b6bd5 100644 --- a/chrome/browser/policy/test/policy_testserver.py +++ b/chrome/browser/policy/test/policy_testserver.py @@ -443,6 +443,14 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): self.server.UpdateStateKeys(token_info['device_token'], key_update_request.server_backed_state_key) + # If this is a publicaccount request then get the username now and use it + # in every PolicyFetchResponse produced. This is required to validate + # policy for extensions in public accounts. + username = self.server.GetPolicies().get('policy_user', None) + for request in msg.policy_request.request: + if request.policy_type == 'google/chromeos/publicaccount': + username = request.settings_entity_id + response = dm.DeviceManagementResponse() for request in msg.policy_request.request: if (request.policy_type in @@ -456,7 +464,7 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): self.ProcessCloudPolicy(request, token_info, fetch_response) elif request.policy_type == 'google/chrome/extension': self.ProcessCloudPolicyForExtensions( - request, response.policy_response, token_info) + request, response.policy_response, token_info, username) else: fetch_response.error_code = 400 fetch_response.error_message = 'Invalid policy_type' @@ -628,7 +636,8 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): self.SetProtobufMessageField(policy_message, field_descriptor, value) settings.__getattribute__(field.name).CopyFrom(policy_message) - def ProcessCloudPolicyForExtensions(self, request, response, token_info): + def ProcessCloudPolicyForExtensions(self, request, response, token_info, + username): """Handles a request for policy for extensions. A request for policy for extensions is slightly different from the other @@ -640,6 +649,7 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): response: The DevicePolicyResponse message for the response. Multiple PolicyFetchResponses will be appended to this message. token_info: The token extracted from the request. + username: The username for the response. """ # Send one PolicyFetchResponse for each extension that has # configuration data at the server. @@ -649,13 +659,13 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): # type in the response. request.settings_entity_id = settings_entity_id fetch_response = response.response.add() - self.ProcessCloudPolicy(request, token_info, fetch_response) + self.ProcessCloudPolicy(request, token_info, fetch_response, username) # Don't do key rotations for these messages. fetch_response.ClearField('new_public_key') fetch_response.ClearField('new_public_key_signature') fetch_response.ClearField('new_public_key_verification_signature') - def ProcessCloudPolicy(self, msg, token_info, response): + def ProcessCloudPolicy(self, msg, token_info, response, username=None): """Handles a cloud policy request. (New protocol for policy requests.) Encodes the policy into protobuf representation, signs it and constructs @@ -666,6 +676,7 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): token_info: The token extracted from the request. response: A PolicyFetchResponse message that should be filled with the response data. + username: The username for the response. May be None. """ if msg.machine_id: @@ -746,7 +757,10 @@ class PolicyRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler): if signing_key: policy_data.public_key_version = current_key_index + 1 - if msg.policy_type == 'google/chromeos/publicaccount': + + if username: + policy_data.username = username + elif msg.policy_type == 'google/chromeos/publicaccount': policy_data.username = msg.settings_entity_id else: # For regular user/device policy, there is no way for the testserver to @@ -960,7 +974,8 @@ class PolicyTestServer(testserver_base.BrokenPipeHandlerMixIn, ], dm.DeviceRegisterRequest.DEVICE: [ 'google/chromeos/device', - 'google/chromeos/publicaccount' + 'google/chromeos/publicaccount', + 'google/chrome/extension' ], dm.DeviceRegisterRequest.ANDROID_BROWSER: [ 'google/android/user' diff --git a/chromeos/chromeos_paths.cc b/chromeos/chromeos_paths.cc index a9963af..f629c45 100644 --- a/chromeos/chromeos_paths.cc +++ b/chromeos/chromeos_paths.cc @@ -41,6 +41,9 @@ const base::FilePath::CharType kDeviceLocalAccountExtensionDir[] = const base::FilePath::CharType kDeviceLocalAccountExternalDataDir[] = FILE_PATH_LITERAL("/var/cache/device_local_account_external_policy_data"); +const base::FilePath::CharType kDeviceLocalAccountComponentPolicy[] = + FILE_PATH_LITERAL("/var/cache/device_local_account_component_policy"); + bool PathProvider(int key, base::FilePath* result) { switch (key) { case FILE_DEFAULT_APP_ORDER: @@ -67,6 +70,9 @@ bool PathProvider(int key, base::FilePath* result) { case DIR_DEVICE_LOCAL_ACCOUNT_EXTERNAL_DATA: *result = base::FilePath(kDeviceLocalAccountExternalDataDir); break; + case DIR_DEVICE_LOCAL_ACCOUNT_COMPONENT_POLICY: + *result = base::FilePath(kDeviceLocalAccountComponentPolicy); + break; default: return false; } @@ -99,6 +105,15 @@ void RegisterStubPathOverrides(const base::FilePath& stubs_dir) { parent.AppendASCII("stub_install_attributes.pb"), is_absolute, create); + PathService::Override( + DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS, + parent.AppendASCII("stub_device_local_account_extensions")); + PathService::Override( + DIR_DEVICE_LOCAL_ACCOUNT_EXTERNAL_DATA, + parent.AppendASCII("stub_device_local_account_external_data")); + PathService::Override( + DIR_DEVICE_LOCAL_ACCOUNT_COMPONENT_POLICY, + parent.AppendASCII("stub_device_local_account_component_policy")); } } // namespace chromeos diff --git a/chromeos/chromeos_paths.h b/chromeos/chromeos_paths.h index fe9be13..db55c27 100644 --- a/chromeos/chromeos_paths.h +++ b/chromeos/chromeos_paths.h @@ -38,6 +38,11 @@ enum { DIR_DEVICE_LOCAL_ACCOUNT_EXTERNAL_DATA, // Directory where external data // referenced by policies is cached // for device-local accounts. + DIR_DEVICE_LOCAL_ACCOUNT_COMPONENT_POLICY, // Directory where policy for the + // components of device-local + // account is stored. Currently + // this is used for policy for + // extensions. PATH_END }; |