Chromad: Prevent session from starting without policy

chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
 
 #include <set>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 69 matching lines @@
     chrome::AttemptUserExit();
   }
 }
 
 }  // namespace
 
 UserCloudPolicyManagerChromeOS::UserCloudPolicyManagerChromeOS(
     std::unique_ptr<CloudPolicyStore> store,
     std::unique_ptr<CloudExternalDataManager> external_data_manager,
     const base::FilePath& component_policy_cache_path,
-    bool wait_for_policy_fetch,
     base::TimeDelta initial_policy_fetch_timeout,
     const scoped_refptr<base::SequencedTaskRunner>& task_runner,
     const scoped_refptr<base::SequencedTaskRunner>& file_task_runner,
     const scoped_refptr<base::SequencedTaskRunner>& io_task_runner)
     : CloudPolicyManager(dm_protocol::kChromeUserPolicyType,
                          std::string(),
                          store.get(),
                          task_runner,
                          file_task_runner,
                          io_task_runner),
       store_(std::move(store)),
       external_data_manager_(std::move(external_data_manager)),
       component_policy_cache_path_(component_policy_cache_path),
-      wait_for_policy_fetch_(wait_for_policy_fetch) {
+      waiting_for_initial_policy_fetch_(
+          !initial_policy_fetch_timeout.is_zero()) {
   time_init_started_ = base::Time::Now();
 
-  // Caller must pass a non-zero policy_fetch_timeout iff
-  // |wait_for_policy_fetch| is true.
-  DCHECK_NE(wait_for_policy_fetch_, initial_policy_fetch_timeout.is_zero());
-  allow_failed_policy_fetches_ =
+  initial_policy_fetch_may_fail_ =
       base::CommandLine::ForCurrentProcess()->HasSwitch(
           chromeos::switches::kAllowFailedPolicyFetchForTest) ||
       !initial_policy_fetch_timeout.is_max();
   // No need to set the timer when the timeout is infinite.
-  if (wait_for_policy_fetch_ && !initial_policy_fetch_timeout.is_max()) {
+  if (waiting_for_initial_policy_fetch_ && initial_policy_fetch_may_fail_) {
     policy_fetch_timeout_.Start(
         FROM_HERE,
         initial_policy_fetch_timeout,
         base::Bind(&UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout,
                    base::Unretained(this)));
   }
 }
 
 void UserCloudPolicyManagerChromeOS::ForceTimeoutForTest() {
   DCHECK(policy_fetch_timeout_.IsRunning());
@@ skipping 41 matching lines @@
   external_data_manager_->Connect(system_request_context);
 
   // Determine the next step after the CloudPolicyService initializes.
   if (service()->IsInitializationComplete()) {
     OnInitializationCompleted(service());
 
     // The cloud policy client may be already registered by this point if the
     // store has already been loaded and contains a valid policy - the
     // registration setup in this case is performed by the CloudPolicyService
     // that is instantiated inside the CloudPolicyCore::Connect() method call.
-    // If that's the case and |wait_for_policy_fetch_| is true, then the policy
-    // fetch needs to be issued (it happens otherwise after the client
-    // registration is finished, in OnRegistrationStateChanged()).
-    if (client()->is_registered() && wait_for_policy_fetch_) {
+    // If that's the case and |waiting_for_initial_policy_fetch_| is true, then
+    // the policy fetch needs to be issued (it happens otherwise after the
+    // client registration is finished, in OnRegistrationStateChanged()).
+    if (client()->is_registered() && waiting_for_initial_policy_fetch_) {
       service()->RefreshPolicy(
           base::Bind(&UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch,
                      base::Unretained(this)));
     }
   } else {
     service()->AddObserver(this);
   }
 }
 
 void UserCloudPolicyManagerChromeOS::OnAccessTokenAvailable(
@@ skipping 32 matching lines @@
   token_fetcher_.reset();
   external_data_manager_->Disconnect();
   CloudPolicyManager::Shutdown();
 }
 
 bool UserCloudPolicyManagerChromeOS::IsInitializationComplete(
     PolicyDomain domain) const {
   if (!CloudPolicyManager::IsInitializationComplete(domain))
     return false;
   if (domain == POLICY_DOMAIN_CHROME)
-    return !wait_for_policy_fetch_;
+    return !waiting_for_initial_policy_fetch_;
   return true;
 }
 
 void UserCloudPolicyManagerChromeOS::OnInitializationCompleted(
     CloudPolicyService* cloud_policy_service) {
   DCHECK_EQ(service(), cloud_policy_service);
   cloud_policy_service->RemoveObserver(this);
 
   time_init_completed_ = base::Time::Now();
   UMA_HISTOGRAM_MEDIUM_TIMES(kUMADelayInitialization,
                              time_init_completed_ - time_init_started_);
 
   // If the CloudPolicyClient isn't registered at this stage then it needs an
   // OAuth token for the initial registration.
   //
-  // If |wait_for_policy_fetch_| is true then Profile initialization is blocking
-  // on the initial policy fetch, so the token must be fetched immediately.
-  // In that case, the signin Profile is used to authenticate a Gaia request to
-  // fetch a refresh token, and then the policy token is fetched.
+  // If |waiting_for_initial_policy_fetch_| is true then Profile initialization
+  // is blocking on the initial policy fetch, so the token must be fetched
+  // immediately. In that case, the signin Profile is used to authenticate a
+  // Gaia request to fetch a refresh token, and then the policy token is
+  // fetched.
   //
-  // If |wait_for_policy_fetch_| is false then the UserCloudPolicyTokenForwarder
-  // service will eventually call OnAccessTokenAvailable() once an access token
-  // is available. That call may have already happened while waiting for
-  // initialization of the CloudPolicyService, so in that case check if an
-  // access token is already available.
+  // If |waiting_for_initial_policy_fetch_| is false then the
+  // UserCloudPolicyTokenForwarder service will eventually call
+  // OnAccessTokenAvailable() once an access token is available. That call may
+  // have already happened while waiting for initialization of the
+  // CloudPolicyService, so in that case check if an access token is already
+  // available.
   if (!client()->is_registered()) {
-    if (wait_for_policy_fetch_) {
+    if (waiting_for_initial_policy_fetch_) {
       FetchPolicyOAuthToken();
     } else if (!access_token_.empty()) {
       OnAccessTokenAvailable(access_token_);
     }
   }
 
-  if (!wait_for_policy_fetch_) {
+  if (!waiting_for_initial_policy_fetch_) {
     // If this isn't blocking on a policy fetch then
     // CloudPolicyManager::OnStoreLoaded() already published the cached policy.
     // Start the refresh scheduler now, which will eventually refresh the
     // cached policy or make the first fetch once the OAuth2 token is
     // available.
     StartRefreshSchedulerIfReady();
   }
 }
 
 void UserCloudPolicyManagerChromeOS::OnPolicyFetched(
     CloudPolicyClient* client) {
   // No action required. If we're blocked on a policy fetch, we'll learn about
   // completion of it through OnInitialPolicyFetchComplete(), or through the
   // CancelWaitForPolicyFetch() callback.
 }
 
 void UserCloudPolicyManagerChromeOS::OnRegistrationStateChanged(
     CloudPolicyClient* cloud_policy_client) {
   DCHECK_EQ(client(), cloud_policy_client);
 
-  if (wait_for_policy_fetch_) {
+  if (waiting_for_initial_policy_fetch_) {
     time_client_registered_ = base::Time::Now();
     if (!time_token_available_.is_null()) {
       UMA_HISTOGRAM_MEDIUM_TIMES(
           kUMAInitialFetchDelayClientRegister,
           time_client_registered_ - time_token_available_);
     }
 
     // If we're blocked on the policy fetch, now is a good time to issue it.
     if (client()->is_registered()) {
       service()->RefreshPolicy(
           base::Bind(
               &UserCloudPolicyManagerChromeOS::OnInitialPolicyFetchComplete,
               base::Unretained(this)));
     } else {
       // If the client has switched to not registered, we bail out as this
       // indicates the cloud policy setup flow has been aborted.
       CancelWaitForPolicyFetch(true);
     }
   }
 }
 
 void UserCloudPolicyManagerChromeOS::OnClientError(
     CloudPolicyClient* cloud_policy_client) {
   DCHECK_EQ(client(), cloud_policy_client);
-  if (wait_for_policy_fetch_) {
+  if (waiting_for_initial_policy_fetch_) {
     UMA_HISTOGRAM_SPARSE_SLOWLY(kUMAInitialFetchClientError,
                                 cloud_policy_client->status());
   }
   switch (client()->status()) {
     case DM_STATUS_SUCCESS:
     case DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED:
       // If management is not supported for this user, then a registration
       // error is to be expected.
       CancelWaitForPolicyFetch(true);
       break;
@@ skipping 73 matching lines @@
       signin_context.get(), g_browser_process->system_request_context(),
       base::Bind(&UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched,
                  base::Unretained(this)));
 }
 
 void UserCloudPolicyManagerChromeOS::OnOAuth2PolicyTokenFetched(
     const std::string& policy_token,
     const GoogleServiceAuthError& error) {
   DCHECK(!client()->is_registered());
   time_token_available_ = base::Time::Now();
-  if (wait_for_policy_fetch_) {
+  if (waiting_for_initial_policy_fetch_) {
     UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayOAuth2Token,
                                time_token_available_ - time_init_completed_);
   }
 
   if (error.state() == GoogleServiceAuthError::NONE) {
     // Start client registration. Either OnRegistrationStateChanged() or
     // OnClientError() will be called back.
     client()->Register(em::DeviceRegisterRequest::USER,
                        em::DeviceRegisterRequest::FLAVOR_USER_REGISTRATION,
                        policy_token, std::string(), std::string(),
@@ skipping 20 matching lines @@
     bool success) {
   const base::Time now = base::Time::Now();
   UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayPolicyFetch,
                              now - time_client_registered_);
   UMA_HISTOGRAM_MEDIUM_TIMES(kUMAInitialFetchDelayTotal,
                              now - time_init_started_);
   CancelWaitForPolicyFetch(success);
 }
 
 void UserCloudPolicyManagerChromeOS::OnBlockingFetchTimeout() {
-  DCHECK(wait_for_policy_fetch_);
+  DCHECK(waiting_for_initial_policy_fetch_);
   LOG(WARNING) << "Timed out while waiting for the policy fetch. "
                << "The session will start with the cached policy.";
   CancelWaitForPolicyFetch(false);
 }
 
 void UserCloudPolicyManagerChromeOS::CancelWaitForPolicyFetch(bool success) {
-  if (!wait_for_policy_fetch_)
+  if (!waiting_for_initial_policy_fetch_)
     return;
 
   policy_fetch_timeout_.Stop();
 
   // If there was an error, and we don't want to allow profile initialization
   // to go forward after a failed policy fetch, then just return (profile
   // initialization will not complete).
   // TODO(atwilson): Add code to retry policy fetching.
-  if (!success && !allow_failed_policy_fetches_) {
+  if (!success && !initial_policy_fetch_may_fail_) {
     LOG(ERROR) << "Policy fetch failed for the user. "
                   "Aborting profile initialization";
     // Need to exit the current user, because we've already started this user's
     // session.
     chrome::AttemptUserExit();
     return;
   }
 
-  wait_for_policy_fetch_ = false;
+  waiting_for_initial_policy_fetch_ = false;
+
   CheckAndPublishPolicy();
-  // Now that |wait_for_policy_fetch_| is guaranteed to be false, the scheduler
-  // can be started.
+  // Now that |waiting_for_initial_policy_fetch_| is guaranteed to be false, the
+  // scheduler can be started.
   StartRefreshSchedulerIfReady();
 }
 
 void UserCloudPolicyManagerChromeOS::StartRefreshSchedulerIfReady() {
   if (core()->refresh_scheduler())
     return;  // Already started.
 
-  if (wait_for_policy_fetch_)
+  if (waiting_for_initial_policy_fetch_)
     return;  // Still waiting for the initial, blocking fetch.
 
   if (!service() || !local_state_)
     return;  // Not connected.
 
   if (component_policy_service() &&
       !component_policy_service()->is_initialized()) {
     // If the client doesn't have the list of components to fetch yet then don't
     // start the scheduler. The |component_policy_service_| will call back into
     // OnComponentCloudPolicyUpdated() once it's ready.
     return;
   }
 
   core()->StartRefreshScheduler();
   core()->TrackRefreshDelayPref(local_state_,
                                 policy_prefs::kUserPolicyRefreshRate);
 }
 
 }  // namespace policy