libpolicy: Add checks for consumer devices in autoupdate policies
Make policies that affect autoupdate behavior check if the device is a
consumer device or an enterprise device. Consumer devices should not
be able to have those settings set. The following changes were made:
* Add IsEnterprisedEnrolled function to device policy.
* Add unit tests to check that policies return false when used in
consumer devices
BUG=chromium:871164
TEST=cros_workon_make libbrillo --test
Change-Id: I48fb72ac730e2285431a9548872c68124833a677
Reviewed-on: https://chromium-review.googlesource.com/1164561
Commit-Ready: Adolfo Higueros <adokar@google.com>
Tested-by: Adolfo Higueros <adokar@google.com>
Reviewed-by: Dan Erat <derat@chromium.org>
diff --git a/policy/device_policy.h b/policy/device_policy.h
index 5913d8c..204bcb5 100644
--- a/policy/device_policy.h
+++ b/policy/device_policy.h
@@ -69,6 +69,10 @@
// Returns true unless there is a policy on disk and loading it fails.
virtual bool LoadPolicy() = 0;
+ // Returns true if OOBE has been completed and if the device has been enrolled
+ // as an enterprise or enterpriseAD device.
+ virtual bool IsEnterpriseEnrolled() const = 0;
+
// Writes the value of the DevicePolicyRefreshRate policy in |rate|. Returns
// true on success.
virtual bool GetPolicyRefreshRate(int* rate) const = 0;
diff --git a/policy/device_policy_impl.cc b/policy/device_policy_impl.cc
index 76b82a1..8b5eeb2 100644
--- a/policy/device_policy_impl.cc
+++ b/policy/device_policy_impl.cc
@@ -196,6 +196,17 @@
return policy_loaded;
}
+bool DevicePolicyImpl::IsEnterpriseEnrolled() const {
+ DCHECK(install_attributes_reader_);
+ if (!install_attributes_reader_->IsLocked())
+ return false;
+
+ const std::string& device_mode = install_attributes_reader_->GetAttribute(
+ InstallAttributesReader::kAttrMode);
+ return device_mode == InstallAttributesReader::kDeviceModeEnterprise ||
+ device_mode == InstallAttributesReader::kDeviceModeEnterpriseAD;
+}
+
bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const {
if (!device_policy_.has_device_policy_refresh_rate())
return false;
@@ -331,6 +342,9 @@
}
bool DevicePolicyImpl::GetUpdateDisabled(bool* update_disabled) const {
+ if (!IsEnterpriseEnrolled())
+ return false;
+
if (!device_policy_.has_auto_update_settings())
return false;
@@ -345,6 +359,9 @@
bool DevicePolicyImpl::GetTargetVersionPrefix(
std::string* target_version_prefix) const {
+ if (!IsEnterpriseEnrolled())
+ return false;
+
if (!device_policy_.has_auto_update_settings())
return false;
@@ -374,14 +391,7 @@
bool DevicePolicyImpl::GetRollbackAllowedMilestones(
int* rollback_allowed_milestones) const {
// This policy can be only set for devices which are enterprise enrolled.
- if (!install_attributes_reader_->IsLocked())
- return false;
- if (install_attributes_reader_->GetAttribute(
- InstallAttributesReader::kAttrMode) !=
- InstallAttributesReader::kDeviceModeEnterprise &&
- install_attributes_reader_->GetAttribute(
- InstallAttributesReader::kAttrMode) !=
- InstallAttributesReader::kDeviceModeEnterpriseAD)
+ if (!IsEnterpriseEnrolled())
return false;
if (device_policy_.has_auto_update_settings()) {
@@ -419,6 +429,9 @@
bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate(
std::set<std::string>* connection_types) const {
+ if (!IsEnterpriseEnrolled())
+ return false;
+
if (!device_policy_.has_auto_update_settings())
return false;
@@ -616,6 +629,8 @@
bool DevicePolicyImpl::GetDisallowedTimeIntervals(
std::vector<WeeklyTimeInterval>* intervals_out) const {
intervals_out->clear();
+ if (!IsEnterpriseEnrolled())
+ return false;
if (!device_policy_.has_auto_update_settings()) {
return false;
diff --git a/policy/device_policy_impl.h b/policy/device_policy_impl.h
index 6891312..cdc8a98 100644
--- a/policy/device_policy_impl.h
+++ b/policy/device_policy_impl.h
@@ -40,6 +40,7 @@
// DevicePolicy overrides:
bool LoadPolicy() override;
+ bool IsEnterpriseEnrolled() const override;
bool GetPolicyRefreshRate(int* rate) const override;
bool GetUserWhitelist(
std::vector<std::string>* user_whitelist) const override;
diff --git a/policy/mock_device_policy.h b/policy/mock_device_policy.h
index 90470e2..27635de 100644
--- a/policy/mock_device_policy.h
+++ b/policy/mock_device_policy.h
@@ -53,6 +53,7 @@
~MockDevicePolicy() override = default;
MOCK_METHOD0(LoadPolicy, bool(void));
+ MOCK_CONST_METHOD0(IsEnterpriseEnrolled, bool(void));
MOCK_CONST_METHOD1(GetPolicyRefreshRate,
bool(int*)); // NOLINT(readability/function)
diff --git a/policy/tests/device_policy_impl_unittest.cc b/policy/tests/device_policy_impl_unittest.cc
index 37c3916..a0d02cb 100644
--- a/policy/tests/device_policy_impl_unittest.cc
+++ b/policy/tests/device_policy_impl_unittest.cc
@@ -247,4 +247,60 @@
DayPercentagePair{28, 100}));
}
+// Updates should only be disabled for enterprise managed devices.
+TEST_F(DevicePolicyImplTest, GetUpdateDisabled_SetConsumer) {
+ em::ChromeDeviceSettingsProto device_policy_proto;
+ em::AutoUpdateSettingsProto* auto_update_settings =
+ device_policy_proto.mutable_auto_update_settings();
+ auto_update_settings->set_update_disabled(true);
+ InitializePolicy(InstallAttributesReader::kDeviceModeConsumer,
+ device_policy_proto);
+
+ bool value;
+ ASSERT_FALSE(device_policy_.GetUpdateDisabled(&value));
+}
+
+// Updates should only be pinned on enterprise managed devices.
+TEST_F(DevicePolicyImplTest, GetTargetVersionPrefix_SetConsumer) {
+ em::ChromeDeviceSettingsProto device_policy_proto;
+ em::AutoUpdateSettingsProto* auto_update_settings =
+ device_policy_proto.mutable_auto_update_settings();
+ auto_update_settings->set_target_version_prefix("hello");
+ InitializePolicy(InstallAttributesReader::kDeviceModeConsumer,
+ device_policy_proto);
+
+ std::string value = "";
+ ASSERT_FALSE(device_policy_.GetTargetVersionPrefix(&value));
+}
+
+// The allowed connection types should only be changed in enterprise devices.
+TEST_F(DevicePolicyImplTest, GetAllowedConnectionTypesForUpdate_SetConsumer) {
+ em::ChromeDeviceSettingsProto device_policy_proto;
+ em::AutoUpdateSettingsProto* auto_update_settings =
+ device_policy_proto.mutable_auto_update_settings();
+ auto_update_settings->add_allowed_connection_types(
+ em::AutoUpdateSettingsProto::CONNECTION_TYPE_ETHERNET);
+ InitializePolicy(InstallAttributesReader::kDeviceModeConsumer,
+ device_policy_proto);
+
+ std::set<std::string> value;
+ ASSERT_FALSE(device_policy_.GetAllowedConnectionTypesForUpdate(&value));
+}
+
+// Update time restrictions should only be used in enterprise devices.
+TEST_F(DevicePolicyImplTest, GetDisallowedTimeIntervals_SetConsumer) {
+ em::ChromeDeviceSettingsProto device_policy_proto;
+ em::AutoUpdateSettingsProto* auto_update_settings =
+ device_policy_proto.mutable_auto_update_settings();
+ auto_update_settings->set_disallowed_time_intervals(
+ "[{\"start\": {\"day_of_week\": \"Monday\", \"hours\": 10, \"minutes\": "
+ "0}, \"end\": {\"day_of_week\": \"Monday\", \"hours\": 10, \"minutes\": "
+ "0}}]");
+ InitializePolicy(InstallAttributesReader::kDeviceModeConsumer,
+ device_policy_proto);
+
+ std::vector<WeeklyTimeInterval> value;
+ ASSERT_FALSE(device_policy_.GetDisallowedTimeIntervals(&value));
+}
+
} // namespace policy
