authormnissler@chromium.org <mnissler@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-03-02 23:59:35 +0000
committermnissler@chromium.org <mnissler@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2014-03-02 23:59:35 +0000
commitb48ab6f0c08d95ca61957b967147c6ac9df6fee4 (patch)
tree6aabcf79454bb18fe29e05c49ef3cd610ee71f35
parent6a000171a7a8ef6c667bb441a0c58a209e315be8 (diff)
Enable user policy for Kiosk App sessions.
This enables user policy to take effect in Kiosk App sessions. It currently uses the same standard user policy protobuf in the backend that is used for Public Sessions. We may want to change that once Kiosk Apps get handled by app_shell. BUG=chromium:333434 Review URL: https://codereview.chromium.org/181383003 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@254424 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--chrome/browser/chromeos/policy/cloud_external_data_policy_observer_unittest.cc3
-rw-r--r--chrome/browser/chromeos/policy/device_local_account_policy_provider.cc81
-rw-r--r--chrome/browser/chromeos/policy/device_local_account_policy_provider.h21
-rw-r--r--chrome/browser/chromeos/policy/device_local_account_policy_service_unittest.cc55
-rw-r--r--chrome/browser/chromeos/policy/device_local_account_policy_store.cc35
-rw-r--r--chrome/browser/policy/profile_policy_connector.cc29
-rw-r--r--chrome/browser/policy/profile_policy_connector.h4
7 files changed, 137 insertions, 91 deletions
diff --git a/chrome/browser/chromeos/policy/cloud_external_data_policy_observer_unittest.cc b/chrome/browser/chromeos/policy/cloud_external_data_policy_observer_unittest.cc
index 8f60889..7ba3d06 100644
--- a/chrome/browser/chromeos/policy/cloud_external_data_policy_observer_unittest.cc
+++ b/chrome/browser/chromeos/policy/cloud_external_data_policy_observer_unittest.cc
@@ -318,7 +318,8 @@ void CloudExternalDataPolicyObserverTest::LogInAsDeviceLocalAccount(
device_local_account_policy_provider_.reset(
new DeviceLocalAccountPolicyProvider(
user_id,
- device_local_account_policy_service_.get()));
+ device_local_account_policy_service_.get(),
+ scoped_ptr<PolicyMap>()));
PolicyServiceImpl::Providers providers;
providers.push_back(device_local_account_policy_provider_.get());
diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc b/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc
index dafac17..a662c5e 100644
--- a/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc
+++ b/chrome/browser/chromeos/policy/device_local_account_policy_provider.cc
@@ -5,19 +5,26 @@
#include "chrome/browser/chromeos/policy/device_local_account_policy_provider.h"
#include "base/bind.h"
+#include "base/values.h"
+#include "chrome/browser/chromeos/policy/device_local_account.h"
#include "chrome/browser/chromeos/policy/device_local_account_external_data_manager.h"
+#include "chromeos/dbus/power_policy_controller.h"
#include "components/policy/core/common/cloud/cloud_policy_core.h"
#include "components/policy/core/common/cloud/cloud_policy_service.h"
#include "components/policy/core/common/policy_bundle.h"
+#include "components/policy/core/common/policy_map.h"
#include "components/policy/core/common/policy_namespace.h"
+#include "policy/policy_constants.h"
namespace policy {
DeviceLocalAccountPolicyProvider::DeviceLocalAccountPolicyProvider(
const std::string& user_id,
- DeviceLocalAccountPolicyService* service)
+ DeviceLocalAccountPolicyService* service,
+ scoped_ptr<PolicyMap> chrome_policy_overrides)
: user_id_(user_id),
service_(service),
+ chrome_policy_overrides_(chrome_policy_overrides.Pass()),
store_initialized_(false),
waiting_for_policy_refresh_(false),
weak_factory_(this) {
@@ -29,6 +36,64 @@ DeviceLocalAccountPolicyProvider::~DeviceLocalAccountPolicyProvider() {
service_->RemoveObserver(this);
}
+// static
+scoped_ptr<DeviceLocalAccountPolicyProvider>
+DeviceLocalAccountPolicyProvider::Create(
+ const std::string& user_id,
+ DeviceLocalAccountPolicyService* device_local_account_policy_service) {
+ DeviceLocalAccount::Type type;
+ if (!device_local_account_policy_service ||
+ !IsDeviceLocalAccountUser(user_id, &type)) {
+ return scoped_ptr<DeviceLocalAccountPolicyProvider>();
+ }
+
+ scoped_ptr<PolicyMap> chrome_policy_overrides;
+ if (type == DeviceLocalAccount::TYPE_PUBLIC_SESSION) {
+ chrome_policy_overrides.reset(new PolicyMap());
+
+ // Exit the session when the lid is closed. The default behavior is to
+ // suspend while leaving the session running, which is not desirable for
+ // public sessions.
+ chrome_policy_overrides->Set(
+ key::kLidCloseAction,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateIntegerValue(
+ chromeos::PowerPolicyController::ACTION_STOP_SESSION),
+ NULL);
+ // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the
+ // ash shelf does not auto-hide.
+ chrome_policy_overrides->Set(
+ key::kShelfAutoHideBehavior,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateStringValue("Never"),
+ NULL);
+ // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big,
+ // red logout button is shown in the ash system tray.
+ chrome_policy_overrides->Set(
+ key::kShowLogoutButtonInTray,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateBooleanValue(true),
+ NULL);
+ // Force the |FullscreenAllowed| policy to |false|, ensuring that the ash
+ // shelf cannot be hidden by entering fullscreen mode.
+ chrome_policy_overrides->Set(
+ key::kFullscreenAllowed,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateBooleanValue(false),
+ NULL);
+ }
+
+ scoped_ptr<DeviceLocalAccountPolicyProvider> provider(
+ new DeviceLocalAccountPolicyProvider(user_id,
+ device_local_account_policy_service,
+ chrome_policy_overrides.Pass()));
+ return provider.Pass();
+}
+
bool DeviceLocalAccountPolicyProvider::IsInitializationComplete(
PolicyDomain domain) const {
if (domain == POLICY_DOMAIN_CHROME)
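Review bot: The four forced public-session policies in Create() are now set with `POLICY_SCOPE_MACHINE`, whereas the block this commit removes from device_local_account_policy_store.cc used `POLICY_SCOPE_USER`, and neither the comments nor the commit message explains the change. If the change is deliberate, a one-line comment above the first `Set` call would record it, e.g. `// Overrides are imposed by the device, not by the account's cloud policy, hence MACHINE scope.` Separately, `if (type == DeviceLocalAccount::TYPE_PUBLIC_SESSION)` leaves every other account type with no lockdown overrides at all. That appears intended for kiosk apps, but a `switch (type)` with an explicit `case DeviceLocalAccount::TYPE_KIOSK_APP:` and no `default` would make a type added later a visible decision rather than a silent fall-through. Create() is complete in this hunk; the trailing IsInitializationComplete() lines are context only.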
@@ -87,6 +152,20 @@ void DeviceLocalAccountPolicyProvider::UpdateFromBroker() {
weak_factory_.InvalidateWeakPtrs();
bundle->CopyFrom(policies());
}
+
+ // Apply overrides.
+ if (chrome_policy_overrides_) {
+ PolicyMap& chrome_policy =
+ bundle->Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()));
+ for (PolicyMap::const_iterator it(chrome_policy_overrides_->begin());
+ it != chrome_policy_overrides_->end();
+ ++it) {
+ const PolicyMap::Entry& entry = it->second;
+ chrome_policy.Set(
+ it->first, entry.level, entry.scope, entry.value->DeepCopy(), NULL);
+ }
+ }
+
UpdatePolicy(bundle.Pass());
}
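Review bot: The override loop copies `entry.level`, `entry.scope` and `entry.value` but passes `NULL` as the last argument to `Set`, so any `external_data_fetcher` on an override entry would be dropped. It also calls `entry.value->DeepCopy()` with no null check. Neither matters for the four overrides Create() installs today, but the constructor accepts an arbitrary `PolicyMap`, so the assumption deserves a comment such as `// Overrides carry plain values only; external data is not supported here.` The `// Apply overrides.` comment could also state that this step runs after the bundle is filled, so forced values replace whatever |service_| delivered. UpdateFromBroker() starts outside this hunk, so the earlier branch is not visible here.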
diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_provider.h b/chrome/browser/chromeos/policy/device_local_account_policy_provider.h
index d0324ea..fa39815 100644
--- a/chrome/browser/chromeos/policy/device_local_account_policy_provider.h
+++ b/chrome/browser/chromeos/policy/device_local_account_policy_provider.h
@@ -10,6 +10,7 @@
#include "base/basictypes.h"
#include "base/compiler_specific.h"
#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chrome/browser/chromeos/policy/device_local_account_external_data_manager.h"
#include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
@@ -17,6 +18,8 @@
namespace policy {
+class PolicyMap;
+
// Policy provider for a device-local account. Pulls policy from
// DeviceLocalAccountPolicyService. Note that this implementation keeps
// functioning when the device-local account disappears from
@@ -26,10 +29,19 @@ class DeviceLocalAccountPolicyProvider
: public ConfigurationPolicyProvider,
public DeviceLocalAccountPolicyService::Observer {
public:
- DeviceLocalAccountPolicyProvider(const std::string& user_id,
- DeviceLocalAccountPolicyService* service);
+ DeviceLocalAccountPolicyProvider(
+ const std::string& user_id,
+ DeviceLocalAccountPolicyService* service,
+ scoped_ptr<PolicyMap> chrome_policy_overrides);
virtual ~DeviceLocalAccountPolicyProvider();
+ // Factory function to create and initialize a provider for |user_id|. Returns
+ // NULL if |user_id| is not a device-local account or user policy isn't
+ // applicable for user_id's user type.
+ static scoped_ptr<DeviceLocalAccountPolicyProvider> Create(
+ const std::string& user_id,
+ DeviceLocalAccountPolicyService* service);
+
// ConfigurationPolicyProvider:
virtual bool IsInitializationComplete(PolicyDomain domain) const OVERRIDE;
virtual void RefreshPolicies() OVERRIDE;
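Review bot: The three-argument constructor stays public next to `Create()`, so a caller that constructs the provider directly, as the updated cloud_external_data_policy_observer_unittest.cc does with an empty `scoped_ptr<PolicyMap>()`, gets a public-session provider without the lid-close, shelf, logout-button and fullscreen lockdown. Either make the constructor private with a test-only accessor, or document it, e.g. `// Prefer Create(); direct construction applies only |chrome_policy_overrides| and none of the public-session defaults.` The `Create()` comment also promises NULL when "user policy isn't applicable for user_id's user type". The implementation in the .cc returns NULL only when the service is NULL or the id is not a device-local account, so the comment should describe those two cases instead. The class body continues outside this hunk.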
@@ -55,6 +67,11 @@ class DeviceLocalAccountPolicyProvider
DeviceLocalAccountPolicyService* service_;
+ // A policy map providing overrides to apply on top of the Chrome policy
+ // received from |service_|. This is used to fix certain policies for public
+ // sessions regardless of what's actually specified in policy.
+ scoped_ptr<PolicyMap> chrome_policy_overrides_;
+
bool store_initialized_;
bool waiting_for_policy_refresh_;
diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_service_unittest.cc b/chrome/browser/chromeos/policy/device_local_account_policy_service_unittest.cc
index c9349ad..12bc4d2 100644
--- a/chrome/browser/chromeos/policy/device_local_account_policy_service_unittest.cc
+++ b/chrome/browser/chromeos/policy/device_local_account_policy_service_unittest.cc
@@ -34,6 +34,8 @@
#include "components/policy/core/common/cloud/policy_builder.h"
#include "components/policy/core/common/external_data_fetcher.h"
#include "components/policy/core/common/mock_configuration_policy_provider.h"
+#include "components/policy/core/common/policy_bundle.h"
+#include "components/policy/core/common/policy_map.h"
#include "components/policy/core/common/schema_registry.h"
#include "net/url_request/url_request_context_getter.h"
#include "net/url_request/url_request_test_util.h"
@@ -133,31 +135,6 @@ DeviceLocalAccountPolicyServiceTestBase::
void DeviceLocalAccountPolicyServiceTestBase::SetUp() {
chromeos::DeviceSettingsTestBase::SetUp();
- // Values implicitly enforced for public accounts.
- expected_policy_map_.Set(key::kLidCloseAction,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateIntegerValue(
- chromeos::PowerPolicyController::
- ACTION_STOP_SESSION),
- NULL);
- expected_policy_map_.Set(key::kShelfAutoHideBehavior,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateStringValue("Never"),
- NULL);
- expected_policy_map_.Set(key::kShowLogoutButtonInTray,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateBooleanValue(true),
- NULL);
- expected_policy_map_.Set(key::kFullscreenAllowed,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateBooleanValue(false),
- NULL);
-
- // Explicitly set value.
expected_policy_map_.Set(key::kDisableSpdy,
POLICY_LEVEL_MANDATORY,
POLICY_SCOPE_USER,
@@ -787,16 +764,40 @@ class DeviceLocalAccountPolicyProviderTest
DeviceLocalAccountPolicyProviderTest::DeviceLocalAccountPolicyProviderTest() {
CreatePolicyService();
- provider_.reset(new DeviceLocalAccountPolicyProvider(
+ provider_ = DeviceLocalAccountPolicyProvider::Create(
GenerateDeviceLocalAccountUserId(kAccount1,
DeviceLocalAccount::TYPE_PUBLIC_SESSION),
- service_.get()));
+ service_.get());
}
void DeviceLocalAccountPolicyProviderTest::SetUp() {
DeviceLocalAccountPolicyServiceTestBase::SetUp();
provider_->Init(&schema_registry_);
provider_->AddObserver(&provider_observer_);
+
+ // Values implicitly enforced for public accounts.
+ expected_policy_map_.Set(key::kLidCloseAction,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateIntegerValue(
+ chromeos::PowerPolicyController::
+ ACTION_STOP_SESSION),
+ NULL);
+ expected_policy_map_.Set(key::kShelfAutoHideBehavior,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateStringValue("Never"),
+ NULL);
+ expected_policy_map_.Set(key::kShowLogoutButtonInTray,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateBooleanValue(true),
+ NULL);
+ expected_policy_map_.Set(key::kFullscreenAllowed,
+ POLICY_LEVEL_MANDATORY,
+ POLICY_SCOPE_MACHINE,
+ base::Value::CreateBooleanValue(false),
+ NULL);
}
void DeviceLocalAccountPolicyProviderTest::TearDown() {
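Review bot: `Create()` can return an empty `scoped_ptr`, yet `SetUp()` calls `provider_->Init(&schema_registry_)` without checking it, so a regression in the user-id parsing would surface as a crash rather than a test failure. Adding `ASSERT_TRUE(provider_.get());` as the first statement after the base-class `SetUp()` call would fix that. The fixture also builds only a `TYPE_PUBLIC_SESSION` id. In the hunks visible here nothing exercises `Create()` with a kiosk-app id, which is the case this commit enables, so a test asserting that a kiosk provider is created and carries none of the four forced policies would pin the new behaviour.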
diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_store.cc b/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
index 7ead08265..d74cb7c72 100644
--- a/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
+++ b/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
@@ -6,15 +6,13 @@
#include "base/bind.h"
#include "base/callback.h"
-#include "base/values.h"
#include "chrome/browser/browser_process.h"
#include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
-#include "chromeos/dbus/power_policy_controller.h"
#include "chromeos/dbus/session_manager_client.h"
#include "components/policy/core/common/cloud/device_management_service.h"
#include "components/policy/core/common/external_data_fetcher.h"
+#include "components/policy/core/common/policy_map.h"
#include "components/policy/core/common/policy_types.h"
-#include "policy/policy_constants.h"
#include "policy/proto/cloud_policy.pb.h"
#include "policy/proto/device_management_backend.pb.h"
@@ -83,37 +81,6 @@ void DeviceLocalAccountPolicyStore::UpdatePolicy(
}
InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
- // Exit the session when the lid is closed. The default behavior is to
- // suspend while leaving the session running, which is not desirable for
- // public sessions.
- policy_map_.Set(key::kLidCloseAction,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateIntegerValue(
- chromeos::PowerPolicyController::ACTION_STOP_SESSION),
- NULL);
- // Force the |ShelfAutoHideBehavior| policy to |Never|, ensuring that the ash
- // shelf does not auto-hide.
- policy_map_.Set(key::kShelfAutoHideBehavior,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateStringValue("Never"),
- NULL);
- // Force the |ShowLogoutButtonInTray| policy to |true|, ensuring that a big,
- // red logout button is shown in the ash system tray.
- policy_map_.Set(key::kShowLogoutButtonInTray,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateBooleanValue(true),
- NULL);
- // Force the |FullscreenAllowed| policy to |false|, ensuring that the ash
- // shelf cannot be hidden by entering fullscreen mode.
- policy_map_.Set(key::kFullscreenAllowed,
- POLICY_LEVEL_MANDATORY,
- POLICY_SCOPE_USER,
- base::Value::CreateBooleanValue(false),
- NULL);
-
status_ = STATUS_OK;
NotifyStoreLoaded();
}
diff --git a/chrome/browser/policy/profile_policy_connector.cc b/chrome/browser/policy/profile_policy_connector.cc
index 525d04e..52c7f91 100644
--- a/chrome/browser/policy/profile_policy_connector.cc
+++ b/chrome/browser/policy/profile_policy_connector.cc
@@ -8,6 +8,7 @@
#include "base/bind.h"
#include "base/logging.h"
+#include "base/values.h"
#include "chrome/browser/browser_process.h"
#include "components/policy/core/browser/browser_policy_connector.h"
#include "components/policy/core/common/cloud/cloud_policy_core.h"
@@ -88,17 +89,17 @@ void ProfilePolicyConnector::Init(
// This case occurs for the signin profile.
special_user_policy_provider_.reset(
new LoginProfilePolicyProvider(connector->GetPolicyService()));
- special_user_policy_provider_->Init(schema_registry);
} else {
// |user| should never be NULL except for the signin profile.
is_primary_user_ = user == chromeos::UserManager::Get()->GetPrimaryUser();
- if (user->GetType() == chromeos::User::USER_TYPE_PUBLIC_ACCOUNT) {
- InitializeDeviceLocalAccountPolicyProvider(user->email(),
- schema_registry);
- }
+ special_user_policy_provider_ = DeviceLocalAccountPolicyProvider::Create(
+ user->email(),
+ connector->GetDeviceLocalAccountPolicyService());
}
- if (special_user_policy_provider_)
+ if (special_user_policy_provider_) {
+ special_user_policy_provider_->Init(schema_registry);
providers.push_back(special_user_policy_provider_.get());
+ }
#endif
policy_service_.reset(new PolicyServiceImpl(providers));
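Review bot: The decision to attach a device-local account provider no longer rests on `user->GetType()` but on `Create()` parsing `user->email()`, and the `else` branch says nothing about that. Since the forced public-session policies depend on it, a comment above the call would help the next reader, e.g. `// Create() returns NULL for regular users; device-local accounts (public session, kiosk app) are recognised from the user id.` It may also be worth a `DCHECK` that a user whose `GetType()` is `USER_TYPE_PUBLIC_ACCOUNT` ends up with a non-NULL provider whenever the device-local account policy service exists, so the two sources of truth cannot drift apart unnoticed. Init() begins and ends outside this hunk.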
@@ -143,20 +144,4 @@ std::string ProfilePolicyConnector::GetManagementDomain() const {
return "";
}
-#if defined(OS_CHROMEOS)
-void ProfilePolicyConnector::InitializeDeviceLocalAccountPolicyProvider(
- const std::string& username,
- SchemaRegistry* schema_registry) {
- BrowserPolicyConnectorChromeOS* connector =
- g_browser_process->platform_part()->browser_policy_connector_chromeos();
- DeviceLocalAccountPolicyService* device_local_account_policy_service =
- connector->GetDeviceLocalAccountPolicyService();
- if (!device_local_account_policy_service)
- return;
- special_user_policy_provider_.reset(new DeviceLocalAccountPolicyProvider(
- username, device_local_account_policy_service));
- special_user_policy_provider_->Init(schema_registry);
-}
-#endif
-
} // namespace policy
diff --git a/chrome/browser/policy/profile_policy_connector.h b/chrome/browser/policy/profile_policy_connector.h
index c73d87f..5785f71 100644
--- a/chrome/browser/policy/profile_policy_connector.h
+++ b/chrome/browser/policy/profile_policy_connector.h
@@ -55,10 +55,6 @@ class ProfilePolicyConnector : public BrowserContextKeyedService {
private:
#if defined(ENABLE_CONFIGURATION_POLICY)
#if defined(OS_CHROMEOS)
- void InitializeDeviceLocalAccountPolicyProvider(
- const std::string& username,
- SchemaRegistry* schema_registry);
-
// Some of the user policy configuration affects browser global state, and
// can only come from one Profile. |is_primary_user_| is true if this
// connector belongs to the first signed-in Profile, and in that case that