Make sure the device recovers from policy loss in the consumer case.

chrome/browser/chromeos/device_settings_provider.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/device_settings_provider.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/file_util.h"
 #include "base/logging.h"
 #include "base/string_util.h"
 #include "base/threading/thread_restrictions.h"
 #include "base/values.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/cros_settings.h"
 #include "chrome/browser/chromeos/cros_settings_names.h"
 #include "chrome/browser/chromeos/login/ownership_service.h"
 #include "chrome/browser/chromeos/login/signed_settings_cache.h"
 #include "chrome/browser/chromeos/login/signed_settings_helper.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/policy/app_pack_updater.h"
+#include "chrome/browser/policy/browser_policy_connector.h"
+#include "chrome/browser/policy/cloud_policy_constants.h"
 #include "chrome/browser/ui/options/options_util.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/installer/util/google_update_settings.h"
 #include "content/public/browser/notification_service.h"
 
 using google::protobuf::RepeatedPtrField;
 
 namespace em = enterprise_management;
 
 namespace chromeos {
 
 namespace {
 
 // List of settings handled by the DeviceSettingsProvider.
 const char* kKnownSettings[] = {
   kAccountsPrefAllowGuest,
   kAccountsPrefAllowNewUser,
   kAccountsPrefEphemeralUsersEnabled,
   kAccountsPrefShowUserNamesOnSignIn,
   kAccountsPrefUsers,
   kAppPack,
   kDeviceOwner,
   kIdleLogoutTimeout,
   kIdleLogoutWarningDuration,
+  kPolicyMissingMitigationMode,
   kReleaseChannel,
   kReleaseChannelDelegated,
   kReportDeviceActivityTimes,
   kReportDeviceBootMode,
   kReportDeviceVersionInfo,
   kScreenSaverExtensionId,
   kScreenSaverTimeout,
   kSettingProxyEverywhere,
   kSignedDataRoamingEnabled,
   kStartUpUrls,
@@ skipping 536 matching lines @@
   if (pol.has_metrics_enabled())
     ApplyMetricsSetting(false, pol.metrics_enabled().metrics_enabled());
   else
     ApplyMetricsSetting(true, false);
   // Next set the roaming setting as needed.
   ApplyRoamingSetting(pol.has_data_roaming_enabled() ?
       pol.data_roaming_enabled().data_roaming_enabled() : false);
 }
 
 bool DeviceSettingsProvider::MitigateMissingPolicy() {
-  // As this code runs only in exceptional cases it's fine to allow I/O here.
-  base::ThreadRestrictions::ScopedAllowIO allow_io;
-  FilePath legacy_policy_file(kLegacyPolicyFile);
-  // Check if legacy file exists but is not writable to avoid possible
-  // attack of creating this file through chronos (although this should be
-  // not possible in root owned location), but better be safe than sorry.
-  // TODO(pastarmovj): Remove this workaround once we have proper checking
-  // for policy corruption or when Cr48 is phased out the very latest.
-  // See: http://crosbug.com/24916.
-  if (file_util::PathExists(legacy_policy_file) &&
-      !file_util::PathIsWritable(legacy_policy_file)) {
-    // We are in pre 11 dev upgrading to post 17 version mode.
-    LOG(ERROR) << "Detected system upgraded from ChromeOS 11 or older with "
-               << "missing policies. Switching to migration policy mode "
-               << "until the owner logs in to regenerate the policy data.";
-    // In this situation we should pretend we have policy even though we
-    // don't until the owner logs in and restores the policy blob.
-    values_cache_.SetBoolean(kAccountsPrefAllowNewUser, true);
-    values_cache_.SetBoolean(kAccountsPrefAllowGuest, true);
-    trusted_ = true;
-    // Make sure we will recreate the policy once the owner logs in.
-    // Any value not in this list will be left to the default which is fine as
-    // we repopulate the whitelist with the owner and any other possible every
-    // time the user enables whitelist filtering on the UI.
-    migration_helper_->AddMigrationValue(
-        kAccountsPrefAllowNewUser, base::Value::CreateBooleanValue(true));
-    migration_helper_->MigrateValues();
-    // The last step is to pretend we loaded policy correctly and call everyone.
-    for (size_t i = 0; i < callbacks_.size(); ++i)
-      callbacks_[i].Run();
-    callbacks_.clear();
-    return true;
+  // First check if the device has been owned already and if not exit
+  // immediately.
+  if (g_browser_process->browser_policy_connector()->GetDeviceMode() !=
+      policy::DEVICE_MODE_CONSUMER) {
+    return false;
   }
-  return false;
+
+  // If we are here the policy file were corrupted or missing. This can happen
+  // because we are migrating Pre R11 device to the new secure policies or there
+  // was an attempt to circumvent policy system. In this case we should populate
+  // the policy cache with "safe-mode" defaults which should allow the owner to
+  // log in but lock the device for anyone else until the policy blob has been
+  // recreated by the session manager.
+  LOG(ERROR) << "Corruption of the policy data has been detected."
+             << "Switching to \"safe-mode\" policies until the owner logs in "
+             << "to regenerate the policy data.";
+  values_cache_.SetBoolean(kAccountsPrefAllowNewUser, true);
+  values_cache_.SetBoolean(kAccountsPrefAllowGuest, true);
+  values_cache_.SetBoolean(kPolicyMissingMitigationMode, true);
+  trusted_ = true;
+  // Make sure we will recreate the policy once the owner logs in.
+  // Any value not in this list will be left to the default which is fine as
+  // we repopulate the whitelist with the owner and all other existing users
+  // every time the owner enables whitelist filtering on the UI.
+  migration_helper_->AddMigrationValue(
+      kAccountsPrefAllowNewUser, base::Value::CreateBooleanValue(true));
+  migration_helper_->MigrateValues();
+  // The last step is to pretend we loaded policy correctly and call everyone.
+  for (size_t i = 0; i < callbacks_.size(); ++i)
+    callbacks_[i].Run();
+  callbacks_.clear();
+  return true;
 }
 
 const base::Value* DeviceSettingsProvider::Get(const std::string& path) const {
   if (IsControlledSetting(path)) {
     const base::Value* value;
     if (values_cache_.GetValue(path, &value))
       return value;
   } else {
     NOTREACHED() << "Trying to get non cros setting.";
   }
@@ skipping 50 matching lines @@
       trusted_ = true;
       for (size_t i = 0; i < callbacks_.size(); ++i)
         callbacks_[i].Run();
       callbacks_.clear();
       // TODO(pastarmovj): Make those side effects responsibility of the
       // respective subsystems.
       ApplySideEffects();
       break;
     }
     case SignedSettings::NOT_FOUND:
-      // Verify if we don't have to mitigate pre Chrome 12 machine here and if
-      // needed do the magic.
       if (MitigateMissingPolicy())
         break;
     case SignedSettings::KEY_UNAVAILABLE: {
       if (ownership_status_ != OwnershipService::OWNERSHIP_TAKEN)
         NOTREACHED() << "No policies present yet, will use the temp storage.";
       break;
     }
     case SignedSettings::BAD_SIGNATURE:
     case SignedSettings::OPERATION_FAILED: {
       LOG(ERROR) << "Failed to retrieve cros policies. Reason:" << code;
       if (retries_left_ > 0) {
         retries_left_ -= 1;
         Reload();
         return;
       }
       LOG(ERROR) << "No retries left";
       break;
     }
   }
 }
 
 }  // namespace chromeos