Google Git
Sign in
chromium / chromium / src / 2fcda9488b475cdf535e5a24e83fac563c448db4 / . / chrome / browser / ash / arc / policy / arc_policy_bridge.cc
blob: f5cf8dcc39d1634b552079290e7fdd8d708da1a9 [file] [log] [blame]
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/ash/arc/policy/arc_policy_bridge.h"
#include <string>
#include <utility>
#include "ash/components/arc/arc_browser_context_keyed_service_factory_base.h"
#include "ash/components/arc/arc_prefs.h"
#include "ash/components/arc/enterprise/arc_data_snapshotd_manager.h"
#include "ash/components/arc/session/arc_bridge_service.h"
#include "base/bind.h"
#include "base/callback_helpers.h"
#include "base/guid.h"
#include "base/json/json_reader.h"
#include "base/json/json_string_value_serializer.h"
#include "base/logging.h"
#include "base/memory/singleton.h"
#include "base/metrics/histogram_macros.h"
#include "base/strings/string_number_conversions.h"
#include "base/strings/string_util.h"
#include "base/values.h"
#include "chrome/browser/ash/arc/enterprise/cert_store/cert_store_service.h"
#include "chrome/browser/ash/arc/policy/managed_configuration_variables.h"
#include "chrome/browser/ash/arc/session/arc_session_manager.h"
#include "chrome/browser/ash/profiles/profile_helper.h"
#include "chrome/browser/platform_keys/extension_key_permissions_service.h"
#include "chrome/browser/policy/developer_tools_policy_handler.h"
#include "chrome/browser/policy/profile_policy_connector.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/profiles/profile_manager.h"
#include "chrome/common/pref_names.h"
#include "chromeos/components/onc/onc_utils.h"
#include "components/onc/onc_constants.h"
#include "components/policy/core/common/policy_map.h"
#include "components/policy/core/common/policy_namespace.h"
#include "components/policy/policy_constants.h"
#include "components/prefs/pref_service.h"
#include "components/user_manager/user.h"
#include "crypto/sha2.h"
#include "third_party/abseil-cpp/absl/types/optional.h"
// Enable VLOG level 1.
#undef ENABLED_VLOG_LEVEL
#define ENABLED_VLOG_LEVEL 1
namespace arc {
namespace {
constexpr char kArcCaCerts[] = "caCerts";
constexpr char kPolicyCompliantJson[] = "{ \"policyCompliant\": true }";
constexpr char kArcRequiredKeyPairs[] = "requiredKeyPairs";
constexpr char kPlayStorePackageName[] = "com.android.vending";
constexpr char kPrivateKeySelectionEnabled[] = "privateKeySelectionEnabled";
constexpr char kChoosePrivateKeyRules[] = "choosePrivateKeyRules";
// invert_bool_value: If the Chrome policy and the ARC policy with boolean value
// have opposite semantics, set this to true so the bool is inverted before
// being added. Otherwise, set it to false.
void MapBoolToBool(const std::string& arc_policy_name,
const std::string& policy_name,
const policy::PolicyMap& policy_map,
bool invert_bool_value,
base::Value* filtered_policies) {
if (!policy_map.IsPolicySet(policy_name))
return;
const base::Value* const policy_value =
policy_map.GetValue(policy_name, base::Value::Type::BOOLEAN);
if (!policy_value) {
NOTREACHED() << "Policy " << policy_name << " is not a boolean.";
return;
}
filtered_policies->SetBoolKey(arc_policy_name,
policy_value->GetBool() != invert_bool_value);
}
// int_true: value of Chrome OS policy for which arc policy is set to true.
// It is set to false for all other values.
void MapIntToBool(const std::string& arc_policy_name,
const std::string& policy_name,
const policy::PolicyMap& policy_map,
int int_true,
base::Value* filtered_policies) {
if (!policy_map.IsPolicySet(policy_name))
return;
const base::Value* const policy_value =
policy_map.GetValue(policy_name, base::Value::Type::INTEGER);
if (!policy_value) {
NOTREACHED() << "Policy " << policy_name << " is not an integer.";
return;
}
filtered_policies->SetBoolKey(arc_policy_name,
policy_value->GetInt() == int_true);
}
// |arc_policy_name| is only set if the |pref_name| pref is managed.
// int_true: value of Chrome OS pref for which arc policy is set to true.
// It is set to false for all other values.
void MapManagedIntPrefToBool(const std::string& arc_policy_name,
const std::string& pref_name,
const PrefService* profile_prefs,
int int_true,
base::Value* filtered_policies) {
if (!profile_prefs->IsManagedPreference(pref_name))
return;
filtered_policies->SetBoolKey(
arc_policy_name, profile_prefs->GetInteger(pref_name) == int_true);
}
// Checks whether |policy_name| is present as an object and has all |fields|,
// Sets |arc_policy_name| to true only if the condition above is satisfied.
void MapObjectToPresenceBool(const std::string& arc_policy_name,
const std::string& policy_name,
const policy::PolicyMap& policy_map,
base::Value* filtered_policies,
const std::vector<std::string>& fields) {
if (!policy_map.IsPolicySet(policy_name))
return;
const base::Value* const policy_value =
policy_map.GetValue(policy_name, base::Value::Type::DICT);
if (!policy_value) {
NOTREACHED() << "Policy " << policy_name << " is not an object.";
return;
}
for (const auto& field : fields) {
if (!policy_value->FindKey(field))
return;
}
filtered_policies->SetBoolKey(arc_policy_name, true);
}
void AddOncCaCertsToPolicies(const policy::PolicyMap& policy_map,
base::Value* filtered_policies) {
const base::Value* const policy_value = policy_map.GetValue(
policy::key::kArcCertificatesSyncMode, base::Value::Type::INTEGER);
// Old certs should be uninstalled if the sync is disabled or policy is not
// set.
if (!policy_value ||
policy_value->GetInt() != ArcCertsSyncMode::COPY_CA_CERTS) {
return;
}
if (!policy_map.IsPolicySet(policy::key::kOpenNetworkConfiguration)) {
VLOG(1) << "onc policy is not set.";
return;
}
// Importing CA certificates from device policy is not allowed.
// Import only from user policy.
const base::Value* onc_policy_value = policy_map.GetValue(
policy::key::kOpenNetworkConfiguration, base::Value::Type::STRING);
if (!onc_policy_value) {
LOG(ERROR) << "Value of onc policy has invalid format.";
return;
}
const std::string& onc_blob = onc_policy_value->GetString();
base::ListValue certificates;
{
base::ListValue unused_network_configs;
base::DictionaryValue unused_global_network_config;
if (!chromeos::onc::ParseAndValidateOncForImport(
onc_blob, onc::ONCSource::ONC_SOURCE_USER_POLICY,
"" /* no passphrase */, &unused_network_configs,
&unused_global_network_config, &certificates)) {
LOG(ERROR) << "Value of onc policy has invalid format =" << onc_blob;
}
}
base::Value ca_certs(base::Value::Type::LIST);
for (const auto& certificate : certificates.GetListDeprecated()) {
if (!certificate.is_dict()) {
DLOG(FATAL) << "Value of a certificate entry is not a dictionary "
<< "value.";
continue;
}
const std::string* const cert_type =
certificate.FindStringKey(::onc::certificate::kType);
if (!cert_type || *cert_type != ::onc::certificate::kAuthority)
continue;
const base::Value* const trust_list =
certificate.FindListKey(::onc::certificate::kTrustBits);
if (!trust_list)
continue;
bool web_trust_flag = false;
for (const auto& list_val : trust_list->GetListDeprecated()) {
if (!list_val.is_string())
NOTREACHED();
if (list_val.GetString() == ::onc::certificate::kWeb) {
// "Web" implies that the certificate is to be trusted for SSL
// identification.
web_trust_flag = true;
break;
}
}
if (!web_trust_flag)
continue;
const std::string* const x509_data =
certificate.FindStringKey(::onc::certificate::kX509);
if (!x509_data)
continue;
base::Value data(base::Value::Type::DICTIONARY);
data.SetStringKey("X509", *x509_data);
ca_certs.Append(std::move(data));
}
if (!ca_certs.GetListDeprecated().empty())
filtered_policies->SetKey("credentialsConfigDisabled", base::Value(true));
filtered_policies->SetKey(kArcCaCerts, std::move(ca_certs));
}
void AddRequiredKeyPairs(const CertStoreService* cert_store_service,
base::Value* filtered_policies) {
if (!cert_store_service)
return;
base::Value cert_names(base::Value::Type::LIST);
for (const auto& name : cert_store_service->get_required_cert_names()) {
base::Value value(base::Value::Type::DICTIONARY);
value.SetStringKey("alias", name);
cert_names.Append(std::move(value));
}
filtered_policies->SetKey(kArcRequiredKeyPairs, std::move(cert_names));
}
bool LooksLikeAndroidPackageName(const std::string& name) {
return name.find(".") != std::string::npos;
}
void AddChoosePrivateKeyRuleToPolicy(
policy::PolicyService* const policy_service,
const CertStoreService* cert_store_service,
base::Value* filtered_policies) {
if (!cert_store_service)
return;
auto app_ids = chromeos::platform_keys::ExtensionKeyPermissionsService::
GetCorporateKeyUsageAllowedAppIds(policy_service);
base::Value arc_app_ids(base::Value::Type::LIST);
for (const auto& app_id : app_ids) {
if (LooksLikeAndroidPackageName(app_id))
arc_app_ids.Append(app_id);
}
if (arc_app_ids.GetListDeprecated().empty() ||
cert_store_service->get_required_cert_names().empty()) {
return;
}
base::Value rules(base::Value::Type::LIST);
for (const auto& name : cert_store_service->get_required_cert_names()) {
base::Value value(base::Value::Type::DICTIONARY);
value.SetStringKey("privateKeyAlias", name);
value.SetKey("packageNames", arc_app_ids.Clone());
rules.Append(std::move(value));
}
filtered_policies->SetBoolKey(kPrivateKeySelectionEnabled, true);
filtered_policies->SetKey(kChoosePrivateKeyRules, std::move(rules));
}
// Finds managed configurations of applications in |arc_policy| and replace
// string values that refer to template variables.
void ReplaceManagedConfigurationVariables(const Profile* profile,
base::Value* arc_policy) {
// Replace template variables in application managed configuration.
base::Value* applications =
arc_policy->FindListKey(ArcPolicyBridge::kApplications);
if (applications) {
base::Value::ListView list_view = applications->GetListDeprecated();
for (base::Value& entry : list_view) {
base::Value* config =
entry.FindDictKey(ArcPolicyBridge::kManagedConfiguration);
if (config)
RecursivelyReplaceManagedConfigurationVariables(profile, config);
}
}
}
std::string GetFilteredJSONPolicies(policy::PolicyService* const policy_service,
const std::string& guid,
bool is_affiliated,
const CertStoreService* cert_store_service,
const Profile* profile) {
const policy::PolicyNamespace policy_namespace(policy::POLICY_DOMAIN_CHROME,
std::string());
const policy::PolicyMap& policy_map =
policy_service->GetPolicies(policy_namespace);
base::Value filtered_policies(base::Value::Type::DICTIONARY);
// It is safe to use `GetValueUnsafe()` because type checking is performed
// before the value is used.
// Parse ArcPolicy as JSON string before adding other policies to the
// dictionary.
const base::Value* const app_policy_value =
policy_map.GetValueUnsafe(policy::key::kArcPolicy);
if (app_policy_value) {
absl::optional<base::Value> app_policy_dict;
if (app_policy_value->is_string()) {
app_policy_dict = base::JSONReader::Read(
app_policy_value->GetString(),
base::JSONParserOptions::JSON_ALLOW_TRAILING_COMMAS);
}
if (app_policy_dict.has_value() && app_policy_dict.value().is_dict()) {
// Need a deep copy of all values here instead of doing a swap, because
// JSONReader::Read constructs a dictionary whose StringValues are
// JSONStringValues which are based on StringPiece instead of string.
filtered_policies.MergeDictionary(&app_policy_dict.value());
} else {
std::string app_policy_string =
app_policy_value->is_string() ? app_policy_value->GetString() : "";
LOG(ERROR) << "Value of ArcPolicy has invalid format: "
<< app_policy_string;
}
}
// Disable all required/force-installed apps when ARC data snapshot update is
// in progress.
if (arc::data_snapshotd::ArcDataSnapshotdManager::Get() &&
arc::data_snapshotd::ArcDataSnapshotdManager::Get()
->IsSnapshotInProgress()) {
base::Value* applications_value =
filtered_policies.FindListKey(ArcPolicyBridge::kApplications);
if (applications_value) {
base::Value::ListView list_view = applications_value->GetListDeprecated();
for (base::Value& entry : list_view) {
auto* installType = entry.FindStringKey("installType");
if (installType &&
(*installType == "REQUIRED" || *installType == "FORCE_INSTALLED")) {
entry.SetBoolKey("disabled", true);
}
}
}
// Always reset android_id if ARC data snapshot update is in progress.
filtered_policies.SetBoolKey(ArcPolicyBridge::kResetAndroidIdEnabled, true);
}
if (profile->IsChild() &&
ash::ProfileHelper::Get()->IsPrimaryProfile(profile)) {
// Adds "playStoreMode" policy. The policy value is used to restrict the
// user from being able to toggle between different accounts in ARC++.
filtered_policies.SetStringKey("playStoreMode", "SUPERVISED");
// Updates "applications" policy value for PlayStore to include the child's
// primary email account.
base::Value* applications_value =
filtered_policies.FindListKey(ArcPolicyBridge::kApplications);
if (applications_value) {
base::Value::ListView list_view = applications_value->GetListDeprecated();
for (base::Value& entry : list_view) {
const std::string* packageName =
entry.FindStringKey(ArcPolicyBridge::kPackageName);
if (packageName && *packageName != kPlayStorePackageName)
continue;
base::Value management_entry(base::Value::Type::DICTIONARY);
management_entry.SetStringKey("allowed_accounts",
profile->GetProfileUserName());
entry.SetKey(ArcPolicyBridge::kManagedConfiguration,
std::move(management_entry));
}
}
}
const PrefService* profile_prefs = profile->GetPrefs();
// Keep them sorted by the ARC policy names.
MapBoolToBool("cameraDisabled", policy::key::kVideoCaptureAllowed, policy_map,
/* invert_bool_value */ true, &filtered_policies);
// Use the pref for "debuggingFeaturesDisabled" to avoid duplicating the logic
// of handling DeveloperToolsDisabled / DeveloperToolsAvailability policies.
MapManagedIntPrefToBool(
"debuggingFeaturesDisabled", ::prefs::kDevToolsAvailability,
profile_prefs,
static_cast<int>(
policy::DeveloperToolsPolicyHandler::Availability::kDisallowed),
&filtered_policies);
MapBoolToBool("printingDisabled", policy::key::kPrintingEnabled, policy_map,
/* invert_bool_value */ true, &filtered_policies);
MapBoolToBool("screenCaptureDisabled", policy::key::kDisableScreenshots,
policy_map, false, &filtered_policies);
MapIntToBool("shareLocationDisabled", policy::key::kDefaultGeolocationSetting,
policy_map, 2 /*BlockGeolocation*/, &filtered_policies);
MapBoolToBool("unmuteMicrophoneDisabled", policy::key::kAudioCaptureAllowed,
policy_map, /* invert_bool_value */ true, &filtered_policies);
MapObjectToPresenceBool("setWallpaperDisabled", policy::key::kWallpaperImage,
policy_map, &filtered_policies, {"url", "hash"});
MapBoolToBool("vpnConfigDisabled", policy::key::kVpnConfigAllowed, policy_map,
/* invert_bool_value */ true, &filtered_policies);
// Add CA certificates.
AddOncCaCertsToPolicies(policy_map, &filtered_policies);
// Always enable APK Cache for affiliated users, and always disable it for not
// affiliated ones.
filtered_policies.SetBoolKey("apkCacheEnabled", is_affiliated);
filtered_policies.SetStringKey("guid", guid);
// Always allow mounting physical media because mounts are controlled outside
// of ARC based on policy in file_manager::VolumeManager.
// Since this Android policy used to be mapped from Chrome-side policy
// policy::key::kExternalStoragePolicy before, we hard-code it to false to
// ensure that the old policy setting does not remain on the ARC side.
// See b/217531658 for details.
filtered_policies.SetBoolKey("mountPhysicalMediaDisabled", false);
AddRequiredKeyPairs(cert_store_service, &filtered_policies);
AddChoosePrivateKeyRuleToPolicy(policy_service, cert_store_service,
&filtered_policies);
ReplaceManagedConfigurationVariables(profile, &filtered_policies);
std::string policy_json;
JSONStringValueSerializer serializer(&policy_json);
serializer.Serialize(filtered_policies);
return policy_json;
}
void UpdateFirstComplianceSinceSignInTiming(
const base::TimeDelta& elapsed_time) {
UMA_HISTOGRAM_CUSTOM_TIMES("Arc.FirstComplianceReportTime.SinceSignIn",
elapsed_time, base::Seconds(1), base::Minutes(10),
50);
}
void UpdateFirstComplianceSinceStartupTiming(
const base::TimeDelta& elapsed_time) {
UMA_HISTOGRAM_CUSTOM_TIMES("Arc.FirstComplianceReportTime.SinceStartup",
elapsed_time, base::Seconds(1), base::Minutes(10),
50);
}
void UpdateComplianceSinceUpdateTiming(const base::TimeDelta& elapsed_time) {
UMA_HISTOGRAM_CUSTOM_TIMES("Arc.ComplianceReportSinceUpdateNotificationTime",
elapsed_time, base::Milliseconds(100),
base::Minutes(10), 50);
}
// Returns the SHA-256 hash of the JSON dump of the ARC policies, in the textual
// hex dump format. Note that no specific JSON normalization is performed, as
// the spurious hash mismatches, even if they occur (which is unlikely), would
// only result in some UMA metrics not being sent.
std::string GetPoliciesHash(const std::string& json_policies) {
const std::string hash_bits = crypto::SHA256HashString(json_policies);
return base::ToLowerASCII(
base::HexEncode(hash_bits.c_str(), hash_bits.length()));
}
// Singleton factory for ArcPolicyBridge.
class ArcPolicyBridgeFactory
: public internal::ArcBrowserContextKeyedServiceFactoryBase<
ArcPolicyBridge,
ArcPolicyBridgeFactory> {
public:
// Factory name used by ArcBrowserContextKeyedServiceFactoryBase.
static constexpr const char* kName = "ArcPolicyBridgeFactory";
static ArcPolicyBridgeFactory* GetInstance() {
return base::Singleton<ArcPolicyBridgeFactory>::get();
}
private:
friend base::DefaultSingletonTraits<ArcPolicyBridgeFactory>;
ArcPolicyBridgeFactory() {}
~ArcPolicyBridgeFactory() override = default;
};
} // namespace
// static
const char ArcPolicyBridge::kApplications[] = "applications";
// static
const char ArcPolicyBridge::kPackageName[] = "packageName";
// static
const char ArcPolicyBridge::kManagedConfiguration[] = "managedConfiguration";
// static
const char ArcPolicyBridge::kResetAndroidIdEnabled[] = "resetAndroidIdEnabled";
// static
ArcPolicyBridge* ArcPolicyBridge::GetForBrowserContext(
content::BrowserContext* context) {
return ArcPolicyBridgeFactory::GetForBrowserContext(context);
}
// static
ArcPolicyBridge* ArcPolicyBridge::GetForBrowserContextForTesting(
content::BrowserContext* context) {
return ArcPolicyBridgeFactory::GetForBrowserContextForTesting(context);
}
// static
BrowserContextKeyedServiceFactory* ArcPolicyBridge::GetFactory() {
return ArcPolicyBridgeFactory::GetInstance();
}
base::WeakPtr<ArcPolicyBridge> ArcPolicyBridge::GetWeakPtr() {
return weak_ptr_factory_.GetWeakPtr();
}
ArcPolicyBridge::ArcPolicyBridge(content::BrowserContext* context,
ArcBridgeService* bridge_service)
: ArcPolicyBridge(context, bridge_service, nullptr /* policy_service */) {}
ArcPolicyBridge::ArcPolicyBridge(content::BrowserContext* context,
ArcBridgeService* bridge_service,
policy::PolicyService* policy_service)
: context_(context),
arc_bridge_service_(bridge_service),
policy_service_(policy_service),
instance_guid_(base::GenerateGUID()) {
VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge";
arc_bridge_service_->policy()->SetHost(this);
arc_bridge_service_->policy()->AddObserver(this);
}
ArcPolicyBridge::~ArcPolicyBridge() {
VLOG(2) << "ArcPolicyBridge::~ArcPolicyBridge";
arc_bridge_service_->policy()->RemoveObserver(this);
arc_bridge_service_->policy()->SetHost(nullptr);
}
const std::string& ArcPolicyBridge::GetInstanceGuidForTesting() {
return instance_guid_;
}
void ArcPolicyBridge::AddObserver(Observer* observer) {
observers_.AddObserver(observer);
}
void ArcPolicyBridge::RemoveObserver(Observer* observer) {
observers_.RemoveObserver(observer);
}
void ArcPolicyBridge::OverrideIsManagedForTesting(bool is_managed) {
is_managed_ = is_managed;
}
void ArcPolicyBridge::OnConnectionReady() {
VLOG(1) << "ArcPolicyBridge::OnConnectionReady";
if (policy_service_ == nullptr) {
InitializePolicyService();
}
policy_service_->AddObserver(policy::POLICY_DOMAIN_CHROME, this);
initial_policies_hash_ = GetPoliciesHash(GetCurrentJSONPolicies());
if (!on_arc_instance_ready_callback_.is_null()) {
std::move(on_arc_instance_ready_callback_).Run();
}
}
void ArcPolicyBridge::OnConnectionClosed() {
VLOG(1) << "ArcPolicyBridge::OnConnectionClosed";
policy_service_->RemoveObserver(policy::POLICY_DOMAIN_CHROME, this);
policy_service_ = nullptr;
initial_policies_hash_.clear();
}
void ArcPolicyBridge::GetPolicies(GetPoliciesCallback callback) {
VLOG(1) << "ArcPolicyBridge::GetPolicies";
arc_policy_for_reporting_ = GetCurrentJSONPolicies();
for (Observer& observer : observers_) {
observer.OnPolicySent(arc_policy_for_reporting_);
}
std::move(callback).Run(arc_policy_for_reporting_);
}
void ArcPolicyBridge::ReportCompliance(const std::string& request,
ReportComplianceCallback callback) {
VLOG(1) << "ArcPolicyBridge::ReportCompliance";
data_decoder::DataDecoder::ParseJsonIsolated(
request,
base::BindOnce(&ArcPolicyBridge::OnReportComplianceParse,
weak_ptr_factory_.GetWeakPtr(), std::move(callback)));
}
void ArcPolicyBridge::ReportCloudDpsRequested(
base::Time time,
const std::vector<std::string>& package_names) {
const std::set<std::string> packages_set(package_names.begin(),
package_names.end());
for (Observer& observer : observers_)
observer.OnCloudDpsRequested(time, packages_set);
}
void ArcPolicyBridge::ReportCloudDpsSucceeded(
base::Time time,
const std::vector<std::string>& package_names) {
const std::set<std::string> packages_set(package_names.begin(),
package_names.end());
for (Observer& observer : observers_)
observer.OnCloudDpsSucceeded(time, packages_set);
}
void ArcPolicyBridge::ReportCloudDpsFailed(base::Time time,
const std::string& package_name,
mojom::InstallErrorReason reason) {
for (Observer& observer : observers_)
observer.OnCloudDpsFailed(time, package_name, reason);
}
void ArcPolicyBridge::ReportForceInstallMainLoopFailed(
base::Time time,
const std::vector<std::string>& package_names) {
const std::set<std::string> packages_set(package_names.begin(),
package_names.end());
for (Observer& observer : observers_)
observer.OnReportForceInstallMainLoopFailed(time, packages_set);
}
void ArcPolicyBridge::ReportDPCVersion(const std::string& version) {
arc_dpc_version_ = version;
for (Observer& observer : observers_)
observer.OnReportDPCVersion(version);
}
void ArcPolicyBridge::ReportPlayStoreLocalPolicySet(
base::Time time,
const std::vector<std::string>& package_names) {
const std::set<std::string> packages_set(package_names.begin(),
package_names.end());
for (Observer& observer : observers_)
observer.OnPlayStoreLocalPolicySet(time, packages_set);
}
void ArcPolicyBridge::OnPolicyUpdated(const policy::PolicyNamespace& ns,
const policy::PolicyMap& previous,
const policy::PolicyMap& current) {
VLOG(1) << "ArcPolicyBridge::OnPolicyUpdated";
auto* instance = ARC_GET_INSTANCE_FOR_METHOD(arc_bridge_service_->policy(),
OnPolicyUpdated);
if (!instance)
return;
const std::string policies_hash = GetPoliciesHash(GetCurrentJSONPolicies());
if (policies_hash != update_notification_policies_hash_) {
update_notification_policies_hash_ = policies_hash;
update_notification_time_ = base::TimeTicks::Now();
compliance_since_update_timing_reported_ = false;
}
instance->OnPolicyUpdated();
}
void ArcPolicyBridge::OnCommandReceived(
const std::string& command,
mojom::PolicyInstance::OnCommandReceivedCallback callback) {
VLOG(1) << "ArcPolicyBridge::OnCommandReceived";
auto* const instance = ARC_GET_INSTANCE_FOR_METHOD(
arc_bridge_service_->policy(), OnCommandReceived);
if (!instance) {
VLOG(1) << "ARC not ready yet, will retry remote command once it is ready.";
DCHECK(on_arc_instance_ready_callback_.is_null());
// base::Unretained is safe here since this class owns the callback's
// lifetime.
on_arc_instance_ready_callback_ =
base::BindOnce(&ArcPolicyBridge::OnCommandReceived,
base::Unretained(this), command, std::move(callback));
return;
}
instance->OnCommandReceived(command, std::move(callback));
}
void ArcPolicyBridge::InitializePolicyService() {
auto* profile_policy_connector =
Profile::FromBrowserContext(context_)->GetProfilePolicyConnector();
policy_service_ = profile_policy_connector->policy_service();
is_managed_ = profile_policy_connector->IsManaged();
}
std::string ArcPolicyBridge::GetCurrentJSONPolicies() const {
if (!is_managed_)
return std::string();
const Profile* const profile = Profile::FromBrowserContext(context_);
const user_manager::User* const user =
ash::ProfileHelper::Get()->GetUserByProfile(profile);
const CertStoreService* cert_store_service =
CertStoreService::GetForBrowserContext(context_);
return GetFilteredJSONPolicies(policy_service_, instance_guid_,
user->IsAffiliated(), cert_store_service,
profile);
}
void ArcPolicyBridge::OnReportComplianceParse(
base::OnceCallback<void(const std::string&)> callback,
data_decoder::DataDecoder::ValueOrError result) {
if (!result.has_value()) {
// TODO(poromov@): Report to histogram.
DLOG(ERROR) << "Can't parse policy compliance report";
std::move(callback).Run(kPolicyCompliantJson);
return;
}
// Always returns "compliant".
std::move(callback).Run(kPolicyCompliantJson);
Profile::FromBrowserContext(context_)->GetPrefs()->SetBoolean(
prefs::kArcPolicyComplianceReported, true);
const base::DictionaryValue* dict = nullptr;
if (result->GetAsDictionary(&dict)) {
UpdateComplianceReportMetrics(dict);
for (Observer& observer : observers_) {
observer.OnComplianceReportReceived(&*result);
}
}
}
void ArcPolicyBridge::UpdateComplianceReportMetrics(
const base::DictionaryValue* report) {
JSONStringValueSerializer serializer(&arc_policy_compliance_report_);
serializer.Serialize(*report);
bool is_arc_plus_plus_report_successful =
report->FindBoolKey("isArcPlusPlusReportSuccessful").value_or(false);
const std::string* reported_policies_hash =
report->FindStringKey("policyHash");
if (!is_arc_plus_plus_report_successful || !reported_policies_hash ||
reported_policies_hash->empty()) {
return;
}
const base::TimeTicks now = base::TimeTicks::Now();
ArcSessionManager* const session_manager = ArcSessionManager::Get();
if (*reported_policies_hash == initial_policies_hash_ &&
!first_compliance_timing_reported_) {
const base::TimeTicks sign_in_start_time =
session_manager->sign_in_start_time();
if (!sign_in_start_time.is_null()) {
UpdateFirstComplianceSinceSignInTiming(now - sign_in_start_time);
} else {
UpdateFirstComplianceSinceStartupTiming(now -
session_manager->start_time());
}
first_compliance_timing_reported_ = true;
}
if (*reported_policies_hash == update_notification_policies_hash_ &&
!compliance_since_update_timing_reported_) {
UpdateComplianceSinceUpdateTiming(now - update_notification_time_);
compliance_since_update_timing_reported_ = true;
}
}
} // namespace arc