update_engine: Modify Update Time Restrictions to block downloads
This makes Update Time Restrictions policy block downloads rather than
checks. This will allow for better capturing of metrics. Furthermore,
this change makes Update Time Restrictions only apply for kiosks, per
the discussion with security and PM.
The following changes are made:
* Use UpdateCanBeApplied rather than UpdateCheckAllowed in
UpdateTimeRestrictionsPolicyImpl.
* ChromeOSPolicy::UpdateCanBeApplied now checks for forced updates.
Modify the corresponding classes to implement UpdateCanBeApplied.
* Add the auto_launched_kiosk_app_id variable from libbrillo to the
policy provider, this variable lets us know if the device is in
kiosk-mode.
* If the device is not in kiosk mode, this policy won't be used.
* Change chromeos_policy to check for policies in UpdateCanBeApplied.
* Add unit tests accounting for the new changes.
BUG=chromium:852860
TEST=cros_workon_make update_engine --test
Change-Id: Iba52fa0fd1f89cc55e5009776036f8949e01e3a0
Reviewed-on: https://chromium-review.googlesource.com/1144435
Commit-Ready: Adolfo Higueros <adokar@google.com>
Tested-by: Adolfo Higueros <adokar@google.com>
Reviewed-by: Amin Hassani <ahassani@chromium.org>
diff --git a/update_manager/chromeos_policy_unittest.cc b/update_manager/chromeos_policy_unittest.cc
index 184c241..b5b1bd9 100644
--- a/update_manager/chromeos_policy_unittest.cc
+++ b/update_manager/chromeos_policy_unittest.cc
@@ -28,6 +28,7 @@
using chromeos_update_engine::ConnectionTethering;
using chromeos_update_engine::ConnectionType;
using chromeos_update_engine::ErrorCode;
+using chromeos_update_engine::InstallPlan;
using std::set;
using std::string;
@@ -151,20 +152,25 @@
// time.
void TestDisallowedTimeIntervals(const WeeklyTimeIntervalVector& intervals,
const EvalStatus& expected_status,
- bool is_forced_update) {
+ bool kiosk) {
SetUpDefaultTimeProvider();
- SetUpdateCheckAllowed(true);
-
- if (is_forced_update)
- fake_state_.updater_provider()->var_forced_update_requested()->reset(
- new UpdateRequestStatus(UpdateRequestStatus::kInteractive));
+ if (kiosk)
+ fake_state_.device_policy_provider()
+ ->var_auto_launched_kiosk_app_id()
+ ->reset(new string("myapp"));
fake_state_.device_policy_provider()
->var_disallowed_time_intervals()
->reset(new WeeklyTimeIntervalVector(intervals));
// Check that |expected_status| matches the value of UpdateCheckAllowed
- UpdateCheckParams result;
- ExpectPolicyStatus(expected_status, &Policy::UpdateCheckAllowed, &result);
+ ErrorCode result;
+ InstallPlan install_plan;
+ ExpectPolicyStatus(
+ expected_status, &Policy::UpdateCanBeApplied, &result, &install_plan);
+ if (expected_status == EvalStatus::kAskMeAgainLater)
+ EXPECT_EQ(result, ErrorCode::kOmahaUpdateDeferredPerPolicy);
+ else
+ EXPECT_EQ(result, ErrorCode::kSuccess);
}
};
@@ -328,43 +334,6 @@
}
TEST_F(UmChromeOSPolicyTest,
- UpdateCheckAllowedWaitsForEndOfDisallowedInterval) {
- // Check that the policy blocks during the disallowed checking intervals.
- Time curr_time = fake_clock_.GetWallclockTime();
- TestDisallowedTimeIntervals(
- {WeeklyTimeInterval(
- WeeklyTime::FromTime(curr_time),
- WeeklyTime::FromTime(curr_time + TimeDelta::FromMinutes(1)))},
- EvalStatus::kAskMeAgainLater,
- false);
-}
-
-TEST_F(UmChromeOSPolicyTest,
- UpdateCheckAllowedNoBlockOutsideDisallowedInterval) {
- // Check that updates are allowed outside interval.
- Time curr_time = fake_clock_.GetWallclockTime();
- TestDisallowedTimeIntervals(
- {WeeklyTimeInterval(
- WeeklyTime::FromTime(curr_time - TimeDelta::FromMinutes(2)),
- WeeklyTime::FromTime(curr_time - TimeDelta::FromMinutes(1)))},
- EvalStatus::kSucceeded,
- false);
-}
-
-TEST_F(UmChromeOSPolicyTest,
- UpdateCheckAllowedDisallowedIntervalNoBlockWhenForced) {
- // Check that updates are not blocked by this policy when an update is forced.
- Time curr_time = fake_clock_.GetWallclockTime();
- // Really big interval so that current time definitely falls in it.
- TestDisallowedTimeIntervals(
- {WeeklyTimeInterval(
- WeeklyTime::FromTime(curr_time - TimeDelta::FromMinutes(1234)),
- WeeklyTime::FromTime(curr_time + TimeDelta::FromMinutes(1234)))},
- EvalStatus::kSucceeded,
- true);
-}
-
-TEST_F(UmChromeOSPolicyTest,
UpdateCheckAllowedUpdatesDisabledWhenNotEnoughSlotsAbUpdates) {
// UpdateCheckAllowed should return false (kSucceeded) if the image booted
// without enough slots to do A/B updates.
@@ -1636,4 +1605,48 @@
&result, false);
}
+TEST_F(UmChromeOSPolicyTest,
+ UpdateCanBeAppliedForcedUpdatesDisablesTimeRestrictions) {
+ Time curr_time = fake_clock_.GetWallclockTime();
+ fake_state_.updater_provider()->var_forced_update_requested()->reset(
+ new UpdateRequestStatus(UpdateRequestStatus::kInteractive));
+ // Should return kAskMeAgainLater when updated are not forced.
+ TestDisallowedTimeIntervals(
+ {WeeklyTimeInterval(
+ WeeklyTime::FromTime(curr_time),
+ WeeklyTime::FromTime(curr_time + TimeDelta::FromMinutes(1)))},
+ EvalStatus::kSucceeded,
+ /* kiosk = */ true);
+}
+
+TEST_F(UmChromeOSPolicyTest, UpdateCanBeAppliedFailsInDisallowedTime) {
+ Time curr_time = fake_clock_.GetWallclockTime();
+ TestDisallowedTimeIntervals(
+ {WeeklyTimeInterval(
+ WeeklyTime::FromTime(curr_time),
+ WeeklyTime::FromTime(curr_time + TimeDelta::FromMinutes(1)))},
+ EvalStatus::kAskMeAgainLater,
+ /* kiosk = */ true);
+}
+
+TEST_F(UmChromeOSPolicyTest, UpdateCanBeAppliedOutsideDisallowedTime) {
+ Time curr_time = fake_clock_.GetWallclockTime();
+ TestDisallowedTimeIntervals(
+ {WeeklyTimeInterval(
+ WeeklyTime::FromTime(curr_time - TimeDelta::FromHours(3)),
+ WeeklyTime::FromTime(curr_time))},
+ EvalStatus::kSucceeded,
+ /* kiosk = */ true);
+}
+
+TEST_F(UmChromeOSPolicyTest, UpdateCanBeAppliedPassesOnNonKiosk) {
+ Time curr_time = fake_clock_.GetWallclockTime();
+ TestDisallowedTimeIntervals(
+ {WeeklyTimeInterval(
+ WeeklyTime::FromTime(curr_time),
+ WeeklyTime::FromTime(curr_time + TimeDelta::FromMinutes(1)))},
+ EvalStatus::kSucceeded,
+ /* kiosk = */ false);
+}
+
} // namespace chromeos_update_manager