You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
254 lines
10 KiB
254 lines
10 KiB
// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#ifndef LIBBRILLO_POLICY_DEVICE_POLICY_H_
|
|
#define LIBBRILLO_POLICY_DEVICE_POLICY_H_
|
|
|
|
#include <stdint.h>
|
|
|
|
#include <set>
|
|
#include <string>
|
|
#include <utility>
|
|
#include <vector>
|
|
|
|
#include <base/macros.h>
|
|
#include <base/time/time.h>
|
|
|
|
#pragma GCC visibility push(default)
|
|
|
|
namespace policy {
|
|
|
|
// This class holds device settings that are to be enforced across all users.
|
|
// It is also responsible for loading the policy blob from disk and verifying
|
|
// the signature against the owner's key.
|
|
//
|
|
// This class defines the interface for querying device policy on ChromeOS.
|
|
// The implementation is hidden in DevicePolicyImpl to prevent protobuf
|
|
// definition from leaking into the libraries using this interface.
|
|
class DevicePolicy {
|
|
public:
|
|
// Identifiers of a USB device or device family.
|
|
struct UsbDeviceId {
|
|
// USB Vendor Identifier (aka idVendor).
|
|
uint16_t vendor_id;
|
|
|
|
// USB Product Identifier (aka idProduct).
|
|
uint16_t product_id;
|
|
};
|
|
|
|
// Time interval represented by two |day_of_week| and |time| pairs. The start
|
|
// of the interval is inclusive and the end is exclusive. The time represented
|
|
// by those pairs will be interpreted to be in the local timezone. Because of
|
|
// this, there exists the possibility of intervals being repeated or skipped
|
|
// in a day with daylight savings transitions, this is expected behavior.
|
|
struct WeeklyTimeInterval {
|
|
// Value is from 1 to 7 (1 = Monday, 2 = Tuesday, etc.). All values outside
|
|
// this range are invalid and will be discarded.
|
|
int start_day_of_week;
|
|
// Time since the start of the day. This value will be interpreted to be in
|
|
// the system's current timezone when used for range checking.
|
|
base::TimeDelta start_time;
|
|
int end_day_of_week;
|
|
base::TimeDelta end_time;
|
|
};
|
|
|
|
// Identifies a <day, percentage> pair in a staging schedule.
|
|
struct DayPercentagePair {
|
|
bool operator==(const DayPercentagePair& other) const {
|
|
return days == other.days && percentage == other.percentage;
|
|
}
|
|
int days;
|
|
int percentage;
|
|
};
|
|
|
|
DevicePolicy();
|
|
virtual ~DevicePolicy();
|
|
|
|
// Load device policy off of disk into |policy_|.
|
|
// Returns true unless there is a policy on disk and loading it fails.
|
|
virtual bool LoadPolicy() = 0;
|
|
|
|
// Returns true if OOBE has been completed and if the device has been enrolled
|
|
// as an enterprise or enterpriseAD device.
|
|
virtual bool IsEnterpriseEnrolled() const = 0;
|
|
|
|
// Writes the value of the DevicePolicyRefreshRate policy in |rate|. Returns
|
|
// true on success.
|
|
virtual bool GetPolicyRefreshRate(int* rate) const = 0;
|
|
|
|
// Writes the value of the UserWhitelist policy in |user_whitelist|. Returns
|
|
// true on success.
|
|
virtual bool GetUserWhitelist(
|
|
std::vector<std::string>* user_whitelist) const = 0;
|
|
|
|
// Writes the value of the GuestModeEnabled policy in |guest_mode_enabled|.
|
|
// Returns true on success.
|
|
virtual bool GetGuestModeEnabled(bool* guest_mode_enabled) const = 0;
|
|
|
|
// Writes the value of the CameraEnabled policy in |camera_enabled|. Returns
|
|
// true on success.
|
|
virtual bool GetCameraEnabled(bool* camera_enabled) const = 0;
|
|
|
|
// Writes the value of the ShowUserNamesOnSignIn policy in |show_user_names|.
|
|
// Returns true on success.
|
|
virtual bool GetShowUserNames(bool* show_user_names) const = 0;
|
|
|
|
// Writes the value of the DataRoamingEnabled policy in |data_roaming_enabled|
|
|
// Returns true on success.
|
|
virtual bool GetDataRoamingEnabled(bool* data_roaming_enabled) const = 0;
|
|
|
|
// Writes the value of the AllowNewUsers policy in |allow_new_users|. Returns
|
|
// true on success.
|
|
virtual bool GetAllowNewUsers(bool* allow_new_users) const = 0;
|
|
|
|
// Writes the value of MetricEnabled policy in |metrics_enabled|. Returns true
|
|
// on success.
|
|
virtual bool GetMetricsEnabled(bool* metrics_enabled) const = 0;
|
|
|
|
// Writes the value of ReportVersionInfo policy in |report_version_info|.
|
|
// Returns true on success.
|
|
virtual bool GetReportVersionInfo(bool* report_version_info) const = 0;
|
|
|
|
// Writes the value of ReportActivityTimes policy in |report_activity_times|.
|
|
// Returns true on success.
|
|
virtual bool GetReportActivityTimes(bool* report_activity_times) const = 0;
|
|
|
|
// Writes the value of ReportBootMode policy in |report_boot_mode|. Returns
|
|
// true on success.
|
|
virtual bool GetReportBootMode(bool* report_boot_mode) const = 0;
|
|
|
|
// Writes the value of the EphemeralUsersEnabled policy in
|
|
// |ephemeral_users_enabled|. Returns true on success.
|
|
virtual bool GetEphemeralUsersEnabled(
|
|
bool* ephemeral_users_enabled) const = 0;
|
|
|
|
// Writes the value of the release channel policy in |release_channel|.
|
|
// Returns true on success.
|
|
virtual bool GetReleaseChannel(std::string* release_channel) const = 0;
|
|
|
|
// Writes the value of the release_channel_delegated policy in
|
|
// |release_channel_delegated|. Returns true on success.
|
|
virtual bool GetReleaseChannelDelegated(
|
|
bool* release_channel_delegated) const = 0;
|
|
|
|
// Writes the value of the update_disabled policy in |update_disabled|.
|
|
// Returns true on success.
|
|
virtual bool GetUpdateDisabled(bool* update_disabled) const = 0;
|
|
|
|
// Writes the value of the target_version_prefix policy in
|
|
// |target_version_prefix|. Returns true on success.
|
|
virtual bool GetTargetVersionPrefix(
|
|
std::string* target_version_prefix) const = 0;
|
|
|
|
// Writes the value of the rollback_to_target_version policy in
|
|
// |rollback_to_target_version|. |rollback_to_target_version| will be one of
|
|
// the values in AutoUpdateSettingsProto's RollbackToTargetVersion enum.
|
|
// Returns true on success.
|
|
virtual bool GetRollbackToTargetVersion(
|
|
int* rollback_to_target_version) const = 0;
|
|
|
|
// Writes the value of the rollback_allowed_milestones policy in
|
|
// |rollback_allowed_milestones|. Returns true on success.
|
|
virtual bool GetRollbackAllowedMilestones(
|
|
int* rollback_allowed_milestones) const = 0;
|
|
|
|
// Writes the value of the scatter_factor_in_seconds policy in
|
|
// |scatter_factor_in_seconds|. Returns true on success.
|
|
virtual bool GetScatterFactorInSeconds(
|
|
int64_t* scatter_factor_in_seconds) const = 0;
|
|
|
|
// Writes the connection types on which updates are allowed to
|
|
// |connection_types|. The identifiers returned are intended to be consistent
|
|
// with what the connection manager users: ethernet, wifi, wimax, bluetooth,
|
|
// cellular.
|
|
virtual bool GetAllowedConnectionTypesForUpdate(
|
|
std::set<std::string>* connection_types) const = 0;
|
|
|
|
// Writes the value of the OpenNetworkConfiguration policy in
|
|
// |open_network_configuration|. Returns true on success.
|
|
virtual bool GetOpenNetworkConfiguration(
|
|
std::string* open_network_configuration) const = 0;
|
|
|
|
// Writes the name of the device owner in |owner|. For enterprise enrolled
|
|
// devices, this will be an empty string.
|
|
// Returns true on success.
|
|
virtual bool GetOwner(std::string* owner) const = 0;
|
|
|
|
// Write the value of http_downloads_enabled policy in
|
|
// |http_downloads_enabled|. Returns true on success.
|
|
virtual bool GetHttpDownloadsEnabled(bool* http_downloads_enabled) const = 0;
|
|
|
|
// Writes the value of au_p2p_enabled policy in
|
|
// |au_p2p_enabled|. Returns true on success.
|
|
virtual bool GetAuP2PEnabled(bool* au_p2p_enabled) const = 0;
|
|
|
|
// Writes the value of allow_kiosk_app_control_chrome_version policy in
|
|
// |allow_kiosk_app_control_chrome_version|. Returns true on success.
|
|
virtual bool GetAllowKioskAppControlChromeVersion(
|
|
bool* allow_kiosk_app_control_chrome_version) const = 0;
|
|
|
|
// Writes the value of the UsbDetachableWhitelist policy in |usb_whitelist|.
|
|
// Returns true on success.
|
|
virtual bool GetUsbDetachableWhitelist(
|
|
std::vector<UsbDeviceId>* usb_whitelist) const = 0;
|
|
|
|
// Writes the value of the kiosk app id into |app_id_out|.
|
|
// Only succeeds if the device is in auto-launched kiosk mode.
|
|
virtual bool GetAutoLaunchedKioskAppId(std::string* app_id_out) const = 0;
|
|
|
|
// Returns true if the policy data indicates that the device is enterprise
|
|
// managed. Note that this potentially could be faked by an exploit, therefore
|
|
// InstallAttributesReader must be used when tamper-proof evidence of the
|
|
// management state is required.
|
|
virtual bool IsEnterpriseManaged() const = 0;
|
|
|
|
// Writes the value of the DeviceSecondFactorAuthentication policy in
|
|
// |mode_out|. |mode_out| is one of the values from
|
|
// DeviceSecondFactorAuthenticationProto's U2fMode enum (e.g. DISABLED,
|
|
// U2F or U2F_EXTENDED). Returns true on success.
|
|
virtual bool GetSecondFactorAuthenticationMode(int* mode_out) const = 0;
|
|
|
|
// Writes the valid time intervals to |intervals_out|. These
|
|
// intervals are taken from the disallowed time intervals field in the
|
|
// AutoUpdateSettingsProto. Returns true if the intervals in the proto are
|
|
// valid.
|
|
virtual bool GetDisallowedTimeIntervals(
|
|
std::vector<WeeklyTimeInterval>* intervals_out) const = 0;
|
|
|
|
// Writes the value of the DeviceUpdateStagingSchedule policy to
|
|
// |staging_schedule_out|. Returns true on success.
|
|
// The schedule is a list of <days, percentage> pairs. The percentages are
|
|
// expected to be mononically increasing in the range of [1, 100]. Similarly,
|
|
// days are expected to be monotonically increasing in the range [1, 28]. Each
|
|
// pair describes the |percentage| of the fleet that is expected to receive an
|
|
// update after |days| days after an update was discovered. e.g. [<4, 30>, <8,
|
|
// 100>] means that 30% of devices should be updated in the first 4 days, and
|
|
// then 100% should be updated after 8 days.
|
|
virtual bool GetDeviceUpdateStagingSchedule(
|
|
std::vector<DayPercentagePair>* staging_schedule_out) const = 0;
|
|
|
|
// Writes the value of the DeviceQuickFixBuildToken to
|
|
// |device_quick_fix_build_token|.
|
|
// Returns true if it has been written, or false if the policy was not set.
|
|
virtual bool GetDeviceQuickFixBuildToken(
|
|
std::string* device_quick_fix_build_token) const = 0;
|
|
|
|
// Writes the value of the Directory API ID to |directory_api_id_out|.
|
|
// Returns true on success, false if the ID is not available (eg if the device
|
|
// is not enrolled).
|
|
virtual bool GetDeviceDirectoryApiId(
|
|
std::string* directory_api_id_out) const = 0;
|
|
|
|
private:
|
|
// Verifies that the policy signature is correct.
|
|
virtual bool VerifyPolicySignature() = 0;
|
|
|
|
DISALLOW_COPY_AND_ASSIGN(DevicePolicy);
|
|
};
|
|
} // namespace policy
|
|
|
|
#pragma GCC visibility pop
|
|
|
|
#endif // LIBBRILLO_POLICY_DEVICE_POLICY_H_
|