| // Copyright 2016 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/chromeos/arc/arc_policy_bridge.h" |
| |
| #include <memory> |
| #include <string> |
| #include <utility> |
| |
| #include "base/json/json_reader.h" |
| #include "base/json/json_string_value_serializer.h" |
| #include "base/logging.h" |
| #include "base/memory/ptr_util.h" |
| #include "base/values.h" |
| #include "chrome/browser/chromeos/profiles/profile_helper.h" |
| #include "chrome/browser/policy/profile_policy_connector.h" |
| #include "chrome/browser/policy/profile_policy_connector_factory.h" |
| #include "chromeos/network/onc/onc_utils.h" |
| #include "components/arc/arc_bridge_service.h" |
| #include "components/onc/onc_constants.h" |
| #include "components/policy/core/common/policy_map.h" |
| #include "components/policy/core/common/policy_namespace.h" |
| #include "components/policy/policy_constants.h" |
| #include "components/user_manager/user.h" |
| #include "mojo/public/cpp/bindings/string.h" |
| |
| namespace arc { |
| |
| namespace { |
| |
| const char kArcGlobalAppRestrictions[] = "globalAppRestrictions"; |
| const char kArcCaCerts[] = "caCerts"; |
| |
| // invert_bool_value: If the Chrome policy and the ARC policy with boolean value |
| // have opposite semantics, set this to true so the bool is inverted before |
| // being added. Otherwise, set it to false. |
| void MapBoolToBool(const std::string& arc_policy_name, |
| const std::string& policy_name, |
| const policy::PolicyMap& policy_map, |
| bool invert_bool_value, |
| base::DictionaryValue* filtered_policies) { |
| const base::Value* const policy_value = policy_map.GetValue(policy_name); |
| if (!policy_value) |
| return; |
| if (!policy_value->IsType(base::Value::TYPE_BOOLEAN)) { |
| LOG(ERROR) << "Policy " << policy_name << " is not a boolean."; |
| return; |
| } |
| bool bool_value; |
| policy_value->GetAsBoolean(&bool_value); |
| filtered_policies->SetBoolean(arc_policy_name, |
| bool_value != invert_bool_value); |
| } |
| |
| // int_true: value of Chrome OS policy for which arc policy is set to true. |
| // It is set to false for all other values. |
| void MapIntToBool(const std::string& arc_policy_name, |
| const std::string& policy_name, |
| const policy::PolicyMap& policy_map, |
| int int_true, |
| base::DictionaryValue* filtered_policies) { |
| const base::Value* const policy_value = policy_map.GetValue(policy_name); |
| if (!policy_value) |
| return; |
| if (!policy_value->IsType(base::Value::TYPE_INTEGER)) { |
| LOG(ERROR) << "Policy " << policy_name << " is not an integer."; |
| return; |
| } |
| int int_value; |
| policy_value->GetAsInteger(&int_value); |
| filtered_policies->SetBoolean(arc_policy_name, int_value == int_true); |
| } |
| |
| void AddGlobalAppRestriction(const std::string& arc_app_restriction_name, |
| const std::string& policy_name, |
| const policy::PolicyMap& policy_map, |
| base::DictionaryValue* filtered_policies) { |
| const base::Value* const policy_value = policy_map.GetValue(policy_name); |
| if (policy_value) { |
| base::DictionaryValue* global_app_restrictions = nullptr; |
| if (!filtered_policies->GetDictionary(kArcGlobalAppRestrictions, |
| &global_app_restrictions)) { |
| global_app_restrictions = new base::DictionaryValue(); |
| filtered_policies->Set(kArcGlobalAppRestrictions, |
| global_app_restrictions); |
| } |
| global_app_restrictions->SetWithoutPathExpansion( |
| arc_app_restriction_name, policy_value->CreateDeepCopy()); |
| } |
| } |
| |
| void AddOncCaCertsToPolicies(const policy::PolicyMap& policy_map, |
| base::DictionaryValue* filtered_policies) { |
| const base::Value* const policy_value = |
| policy_map.GetValue(policy::key::kArcCertificatesSyncMode); |
| int32_t mode = ArcCertsSyncMode::SYNC_DISABLED; |
| |
| // Old certs should be uninstalled if the sync is disabled or policy is not |
| // set. |
| if (!policy_value || !policy_value->GetAsInteger(&mode) || |
| mode != ArcCertsSyncMode::COPY_CA_CERTS) { |
| return; |
| } |
| |
| // Importing CA certificates from device policy is not allowed. |
| // Import only from user policy. |
| const base::Value* onc_policy_value = |
| policy_map.GetValue(policy::key::kOpenNetworkConfiguration); |
| if (!onc_policy_value) { |
| VLOG(1) << "onc policy is not set."; |
| return; |
| } |
| std::string onc_blob; |
| if (!onc_policy_value->GetAsString(&onc_blob)) { |
| LOG(ERROR) << "Value of onc policy has invalid format."; |
| return; |
| } |
| |
| base::ListValue certificates; |
| { |
| base::ListValue unused_network_configs; |
| base::DictionaryValue unused_global_network_config; |
| if (!chromeos::onc::ParseAndValidateOncForImport( |
| onc_blob, onc::ONCSource::ONC_SOURCE_USER_POLICY, |
| "" /* no passphrase */, &unused_network_configs, |
| &unused_global_network_config, &certificates)) { |
| LOG(ERROR) << "Value of onc policy has invalid format =" << onc_blob; |
| } |
| } |
| |
| std::unique_ptr<base::ListValue> ca_certs( |
| base::MakeUnique<base::ListValue>()); |
| for (const auto& entry : certificates) { |
| const base::DictionaryValue* certificate = nullptr; |
| if (!entry->GetAsDictionary(&certificate)) { |
| DLOG(FATAL) << "Value of a certificate entry is not a dictionary " |
| << "value."; |
| continue; |
| } |
| |
| std::string cert_type; |
| certificate->GetStringWithoutPathExpansion(::onc::certificate::kType, |
| &cert_type); |
| if (cert_type != ::onc::certificate::kAuthority) |
| continue; |
| |
| const base::ListValue* trust_list = nullptr; |
| if (!certificate->GetListWithoutPathExpansion( |
| ::onc::certificate::kTrustBits, &trust_list)) { |
| continue; |
| } |
| |
| bool web_trust_flag = false; |
| for (const auto& list_val : *trust_list) { |
| std::string trust_type; |
| if (!list_val->GetAsString(&trust_type)) |
| NOTREACHED(); |
| |
| if (trust_type == ::onc::certificate::kWeb) { |
| // "Web" implies that the certificate is to be trusted for SSL |
| // identification. |
| web_trust_flag = true; |
| break; |
| } |
| } |
| if (!web_trust_flag) |
| continue; |
| |
| std::string x509_data; |
| if (!certificate->GetStringWithoutPathExpansion(::onc::certificate::kX509, |
| &x509_data)) { |
| continue; |
| } |
| |
| base::DictionaryValue data; |
| data.SetString("X509", x509_data); |
| ca_certs->Append(data.CreateDeepCopy()); |
| } |
| filtered_policies->Set(kArcCaCerts, std::move(ca_certs)); |
| } |
| |
| std::string GetFilteredJSONPolicies(const policy::PolicyMap& policy_map) { |
| base::DictionaryValue filtered_policies; |
| // Parse ArcPolicy as JSON string before adding other policies to the |
| // dictionary. |
| const base::Value* const app_policy_value = |
| policy_map.GetValue(policy::key::kArcPolicy); |
| if (app_policy_value) { |
| std::string app_policy_string; |
| app_policy_value->GetAsString(&app_policy_string); |
| std::unique_ptr<base::DictionaryValue> app_policy_dict = |
| base::DictionaryValue::From(base::JSONReader::Read(app_policy_string)); |
| if (app_policy_dict) { |
| // Need a deep copy of all values here instead of doing a swap, because |
| // JSONReader::Read constructs a dictionary whose StringValues are |
| // JSONStringValues which are based on StringPiece instead of string. |
| filtered_policies.MergeDictionary(app_policy_dict.get()); |
| } else { |
| LOG(ERROR) << "Value of ArcPolicy has invalid format: " |
| << app_policy_string; |
| } |
| } |
| |
| // Keep them sorted by the ARC policy names. |
| MapBoolToBool("cameraDisabled", policy::key::kVideoCaptureAllowed, policy_map, |
| true, &filtered_policies); |
| MapBoolToBool("debuggingFeaturesDisabled", |
| policy::key::kDeveloperToolsDisabled, policy_map, false, |
| &filtered_policies); |
| MapBoolToBool("screenCaptureDisabled", policy::key::kDisableScreenshots, |
| policy_map, false, &filtered_policies); |
| MapIntToBool("shareLocationDisabled", policy::key::kDefaultGeolocationSetting, |
| policy_map, 2 /*BlockGeolocation*/, &filtered_policies); |
| MapBoolToBool("unmuteMicrophoneDisabled", policy::key::kAudioCaptureAllowed, |
| policy_map, true, &filtered_policies); |
| MapBoolToBool("mountPhysicalMediaDisabled", |
| policy::key::kExternalStorageDisabled, policy_map, false, |
| &filtered_policies); |
| |
| // Add global app restrictions. |
| AddGlobalAppRestriction("com.android.browser:URLBlacklist", |
| policy::key::kURLBlacklist, policy_map, |
| &filtered_policies); |
| AddGlobalAppRestriction("com.android.browser:URLWhitelist", |
| policy::key::kURLWhitelist, policy_map, |
| &filtered_policies); |
| |
| // Add CA certificates. |
| AddOncCaCertsToPolicies(policy_map, &filtered_policies); |
| |
| std::string policy_json; |
| JSONStringValueSerializer serializer(&policy_json); |
| serializer.Serialize(filtered_policies); |
| return policy_json; |
| } |
| |
| } // namespace |
| |
| ArcPolicyBridge::ArcPolicyBridge(ArcBridgeService* bridge_service) |
| : ArcService(bridge_service), binding_(this) { |
| VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge"; |
| arc_bridge_service()->policy()->AddObserver(this); |
| } |
| |
| ArcPolicyBridge::ArcPolicyBridge(ArcBridgeService* bridge_service, |
| policy::PolicyService* policy_service) |
| : ArcService(bridge_service), |
| binding_(this), |
| policy_service_(policy_service) { |
| VLOG(2) << "ArcPolicyBridge::ArcPolicyBridge(bridge_service, policy_service)"; |
| arc_bridge_service()->policy()->AddObserver(this); |
| } |
| |
| ArcPolicyBridge::~ArcPolicyBridge() { |
| VLOG(2) << "ArcPolicyBridge::~ArcPolicyBridge"; |
| arc_bridge_service()->policy()->RemoveObserver(this); |
| } |
| |
| void ArcPolicyBridge::OverrideIsManagedForTesting(bool is_managed) { |
| is_managed_ = is_managed; |
| } |
| |
| void ArcPolicyBridge::OnInstanceReady() { |
| VLOG(1) << "ArcPolicyBridge::OnPolicyInstanceReady"; |
| if (policy_service_ == nullptr) { |
| InitializePolicyService(); |
| } |
| policy_service_->AddObserver(policy::POLICY_DOMAIN_CHROME, this); |
| |
| mojom::PolicyInstance* const policy_instance = |
| arc_bridge_service()->policy()->GetInstanceForMethod("Init"); |
| DCHECK(policy_instance); |
| policy_instance->Init(binding_.CreateInterfacePtrAndBind()); |
| } |
| |
| void ArcPolicyBridge::OnInstanceClosed() { |
| VLOG(1) << "ArcPolicyBridge::OnPolicyInstanceClosed"; |
| policy_service_->RemoveObserver(policy::POLICY_DOMAIN_CHROME, this); |
| policy_service_ = nullptr; |
| } |
| |
| void ArcPolicyBridge::GetPolicies(const GetPoliciesCallback& callback) { |
| VLOG(1) << "ArcPolicyBridge::GetPolicies"; |
| if (!is_managed_) { |
| callback.Run(mojo::String("")); |
| return; |
| } |
| const policy::PolicyNamespace policy_namespace(policy::POLICY_DOMAIN_CHROME, |
| std::string()); |
| const policy::PolicyMap& policy_map = |
| policy_service_->GetPolicies(policy_namespace); |
| const std::string json_policies = GetFilteredJSONPolicies(policy_map); |
| callback.Run(mojo::String(json_policies)); |
| } |
| |
| void ArcPolicyBridge::OnPolicyUpdated(const policy::PolicyNamespace& ns, |
| const policy::PolicyMap& previous, |
| const policy::PolicyMap& current) { |
| VLOG(1) << "ArcPolicyBridge::OnPolicyUpdated"; |
| auto* instance = |
| arc_bridge_service()->policy()->GetInstanceForMethod("OnPolicyUpdated"); |
| if (!instance) |
| return; |
| instance->OnPolicyUpdated(); |
| } |
| |
| void ArcPolicyBridge::InitializePolicyService() { |
| const user_manager::User* const primary_user = |
| user_manager::UserManager::Get()->GetPrimaryUser(); |
| Profile* const profile = |
| chromeos::ProfileHelper::Get()->GetProfileByUser(primary_user); |
| auto* profile_policy_connector = |
| policy::ProfilePolicyConnectorFactory::GetForBrowserContext(profile); |
| policy_service_ = profile_policy_connector->policy_service(); |
| is_managed_ = profile_policy_connector->IsManaged(); |
| } |
| |
| } // namespace arc |