#include <memory>
#include "base/bind.h"
#include "base/macros.h"
#include "base/memory/weak_ptr.h"
#include "base/time/time.h"
#include "base/timer/timer.h"
#include "chrome/browser/chromeos/policy/component_active_directory_policy_service.h"
#include "components/account_id/account_id.h"
#include "components/policy/core/common/cloud/cloud_policy_store.h"
#include "components/policy/core/common/configuration_policy_provider.h"
#include "components/policy/core/common/policy_scheduler.h"
namespace policy {
class CloudExternalDataManager;
// ConfigurationPolicyProvider for policy from Active Directory.
// Derived classes implement specializations for user and device policy.
// Data flow: Triggered by DoPolicyFetch(), policy is fetched by authpolicyd and
// stored in session manager with completion indicated by OnPolicyFetched().
// From there policy load from session manager is triggered, completion of which
// is notified via OnStoreLoaded()/OnStoreError().
class ActiveDirectoryPolicyManager
: public ConfigurationPolicyProvider,
public CloudPolicyStore::Observer,
public ComponentActiveDirectoryPolicyService::Delegate {
~ActiveDirectoryPolicyManager() override;
// ConfigurationPolicyProvider:
void Init(SchemaRegistry* registry) override;
void Shutdown() override;
bool IsInitializationComplete(PolicyDomain domain) const override;
void RefreshPolicies() override;
// CloudPolicyStore::Observer:
void OnStoreLoaded(CloudPolicyStore* cloud_policy_store) override;
void OnStoreError(CloudPolicyStore* cloud_policy_store) override;
// ComponentActiveDirectoryPolicyService::Delegate
void OnComponentActiveDirectoryPolicyUpdated() override;
CloudPolicyStore* store() const { return store_.get(); }
CloudExternalDataManager* external_data_manager() {
return external_data_manager_.get();
PolicyScheduler* scheduler() { return scheduler_.get(); }
ComponentActiveDirectoryPolicyService* extension_policy_service() {
return extension_policy_service_.get();
std::unique_ptr<CloudPolicyStore> store,
std::unique_ptr<CloudExternalDataManager> external_data_manager,
PolicyDomain extension_policy_domain);
// Publish the policy that's currently cached in the store.
void PublishPolicy();
// Creates the policy service to load extension policy from Session Manager.
// |scope| specifies whether the component policy is fetched along with user
// or device policy. |account_type| specifies which account Session Manager
// should load policy from (device vs user). |account_id| must be empty for
// the device account and the user's account id for user accounts.
// |schema_registry| is the registry that contains the extension schemas.
void CreateExtensionPolicyService(
PolicyScope scope,
login_manager::PolicyAccountType account_type,
const AccountId& account_id,
SchemaRegistry* schema_registry);
// Calls into authpolicyd to fetch policy. Reports success or failure via
// |callback|.
virtual void DoPolicyFetch(PolicyScheduler::TaskCallback callback) = 0;
// Allows derived classes to cancel waiting for the initial policy fetch/load
// and to flag the ConfigurationPolicyProvider ready (assuming all other
// initialization tasks have completed) or to exit the session in case the
// requirements to continue have not been met.
virtual void CancelWaitForInitialPolicy() {}
// Whether policy fetch has ever been reported as completed by authpolicyd
// during lifetime of the object (after Chrome was started).
bool fetch_ever_completed_ = false;
// Called by scheduler with result of policy fetch. This covers policy
// download, parsing and storing into session manager. (To access and publish
// the policy, the store needs to be reloaded from session manager.)
void OnPolicyFetched(bool success);
// Called right before policy is published. Expands e.g. ${machine_name} for
// a selected set of policies.
void ExpandVariables(PolicyMap* policy_map);
// Store used to serialize policy, usually sends data to Session Manager.
const std::unique_ptr<CloudPolicyStore> store_;
// Manages external data referenced by policies.
const std::unique_ptr<CloudExternalDataManager> external_data_manager_;
// Manages policy for Chrome extensions.
// Type of extension policy to manage. Must be either POLICY_DOMAIN_EXTENSIONS
const PolicyDomain extension_policy_domain_;
std::unique_ptr<PolicyScheduler> scheduler_;
// Must be last member.
base::WeakPtrFactory<ActiveDirectoryPolicyManager> weak_ptr_factory_{this};
// Manages user policy for Active Directory managed devices.
class UserActiveDirectoryPolicyManager : public ActiveDirectoryPolicyManager {
// If |initial_policy_fetch_timeout| is non-zero, IsInitializationComplete()
// is forced to false until either there has been a successful policy fetch
// from the server and a subsequent successful load from session manager or
// |initial_policy_fetch_timeout| has expired and there has been a successful
// load from session manager. If |policy_required| is true then the user
// session is aborted by calling |exit_session| if no policy was loaded from
// session manager and this is either immediate load in case of Chrome restart
// or policy fetch failed.
const AccountId& account_id,
bool policy_required,
base::TimeDelta initial_policy_fetch_timeout,
base::OnceClosure exit_session,
std::unique_ptr<CloudPolicyStore> store,
std::unique_ptr<CloudExternalDataManager> external_data_manager);
~UserActiveDirectoryPolicyManager() override;
// ConfigurationPolicyProvider:
void Init(SchemaRegistry* registry) override;
bool IsInitializationComplete(PolicyDomain domain) const override;
// Helper function to force a policy fetch timeout.
void ForceTimeoutForTesting();
// ActiveDirectoryPolicyManager:
void DoPolicyFetch(PolicyScheduler::TaskCallback callback) override;
void CancelWaitForInitialPolicy() override;
// Called when |initial_policy_timeout_| times out, to cancel the blocking
// wait for the initial policy fetch.
void OnBlockingFetchTimeout();
// The user's account id.
const AccountId account_id_;
// If policy is required, but cannot be obtained (via fetch or load),
// |exit_session_| is called.
const bool policy_required_;
// Whether we're waiting for a policy fetch to complete before reporting
// IsInitializationComplete().
bool waiting_for_initial_policy_fetch_ = false;
// A timer that puts a hard limit on the maximum time to wait for the initial
// policy fetch/load.
base::OneShotTimer initial_policy_timeout_;
// Callback to exit the session.
base::OnceClosure exit_session_;
// Must be last member.
base::WeakPtrFactory<UserActiveDirectoryPolicyManager> weak_ptr_factory_{
// Manages device policy for Active Directory managed devices.
class DeviceActiveDirectoryPolicyManager : public ActiveDirectoryPolicyManager {
explicit DeviceActiveDirectoryPolicyManager(
std::unique_ptr<CloudPolicyStore> store);
~DeviceActiveDirectoryPolicyManager() override;
// ConfigurationPolicyProvider:
void Shutdown() override;
// Passes the |schema_registry| that corresponds to the signin profile and
// uses it (wrapped in a ForwardingSchemaRegistry) to create the extension
// policy service.
void SetSigninProfileSchemaRegistry(SchemaRegistry* schema_registry);
// ActiveDirectoryPolicyManager:
void DoPolicyFetch(PolicyScheduler::TaskCallback callback) override;
// Wrapper schema registry that tracks the signin profile schema registry once
// it is passed to this class.
} // namespace policy