Rename the PolicyManager to UpdateManager.
This change renames the PolicyManager class, directory, tests, etc,
to avoid confusion with libpolicy and its classes.
BUG=chromium:373551
TEST=emerged on link.
CQ-DEPEND=CL:I43081673c7ba409f02273197da7915537bde39c6
Change-Id: Iffa76caa3b95ecbbdba87ab01006d1d8ce35a27f
Reviewed-on: https://chromium-review.googlesource.com/201876
Tested-by: Alex Deymo <deymo@chromium.org>
Reviewed-by: David Zeuthen <zeuthen@chromium.org>
Commit-Queue: Alex Deymo <deymo@chromium.org>
diff --git a/update_manager/chromeos_policy.cc b/update_manager/chromeos_policy.cc
new file mode 100644
index 0000000..6cf1fd1
--- /dev/null
+++ b/update_manager/chromeos_policy.cc
@@ -0,0 +1,396 @@
+// Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "update_engine/update_manager/chromeos_policy.h"
+
+#include <algorithm>
+#include <set>
+#include <string>
+
+#include <base/logging.h>
+#include <base/time/time.h>
+
+#include "update_engine/update_manager/device_policy_provider.h"
+#include "update_engine/update_manager/policy_utils.h"
+#include "update_engine/update_manager/shill_provider.h"
+
+using base::Time;
+using base::TimeDelta;
+using std::min;
+using std::set;
+using std::string;
+
+namespace chromeos_update_manager {
+
+EvalStatus ChromeOSPolicy::UpdateCheckAllowed(
+ EvaluationContext* ec, State* state, string* error,
+ UpdateCheckParams* result) const {
+ Time next_update_check;
+ if (NextUpdateCheckTime(ec, state, error, &next_update_check) !=
+ EvalStatus::kSucceeded) {
+ return EvalStatus::kFailed;
+ }
+
+ if (!ec->IsTimeGreaterThan(next_update_check))
+ return EvalStatus::kAskMeAgainLater;
+
+ // It is time to check for an update.
+ result->updates_enabled = true;
+ return EvalStatus::kSucceeded;
+}
+
+EvalStatus ChromeOSPolicy::UpdateCanStart(
+ EvaluationContext* ec,
+ State* state,
+ string* error,
+ UpdateCanStartResult* result,
+ const bool interactive,
+ const UpdateState& update_state) const {
+ // Set the default return values.
+ result->update_can_start = true;
+ result->http_allowed = true;
+ result->p2p_allowed = false;
+ result->target_channel.clear();
+ result->cannot_start_reason = UpdateCannotStartReason::kUndefined;
+ result->scatter_wait_period = kZeroInterval;
+ result->scatter_check_threshold = 0;
+
+ // Make sure that we're not due for an update check.
+ UpdateCheckParams check_result;
+ EvalStatus check_status = UpdateCheckAllowed(ec, state, error, &check_result);
+ if (check_status == EvalStatus::kFailed)
+ return EvalStatus::kFailed;
+ if (check_status == EvalStatus::kSucceeded &&
+ check_result.updates_enabled == true) {
+ result->update_can_start = false;
+ result->cannot_start_reason = UpdateCannotStartReason::kCheckDue;
+ return EvalStatus::kSucceeded;
+ }
+
+ DevicePolicyProvider* const dp_provider = state->device_policy_provider();
+ SystemProvider* const system_provider = state->system_provider();
+
+ const bool* device_policy_is_loaded_p = ec->GetValue(
+ dp_provider->var_device_policy_is_loaded());
+ if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
+ // Ensure that update is enabled.
+ const bool* update_disabled_p = ec->GetValue(
+ dp_provider->var_update_disabled());
+ if (update_disabled_p && *update_disabled_p) {
+ result->update_can_start = false;
+ result->cannot_start_reason = UpdateCannotStartReason::kDisabledByPolicy;
+ return EvalStatus::kAskMeAgainLater;
+ }
+
+ // Check whether scattering applies to this update attempt. We should not be
+ // scattering if this is an interactive update check, or if OOBE is enabled
+ // but not completed.
+ //
+ // Note: current code further suppresses scattering if a "deadline"
+ // attribute is found in the Omaha response. However, it appears that the
+ // presence of this attribute is merely indicative of an OOBE update, during
+ // which we suppress scattering anyway.
+ bool scattering_applies = false;
+ if (!interactive) {
+ const bool* is_oobe_enabled_p = ec->GetValue(
+ state->config_provider()->var_is_oobe_enabled());
+ if (is_oobe_enabled_p && !(*is_oobe_enabled_p)) {
+ scattering_applies = true;
+ } else {
+ const bool* is_oobe_complete_p = ec->GetValue(
+ system_provider->var_is_oobe_complete());
+ scattering_applies = (is_oobe_complete_p && *is_oobe_complete_p);
+ }
+ }
+
+ // Compute scattering values.
+ if (scattering_applies) {
+ UpdateScatteringResult scatter_result;
+ EvalStatus scattering_status = UpdateScattering(
+ ec, state, error, &scatter_result, update_state);
+ if (scattering_status != EvalStatus::kSucceeded ||
+ scatter_result.is_scattering) {
+ if (scattering_status != EvalStatus::kFailed) {
+ result->update_can_start = false;
+ result->cannot_start_reason = UpdateCannotStartReason::kScattering;
+ result->scatter_wait_period = scatter_result.wait_period;
+ result->scatter_check_threshold = scatter_result.check_threshold;
+ }
+ return scattering_status;
+ }
+ }
+
+ // Determine whether HTTP downloads are forbidden by policy. This only
+ // applies to official system builds; otherwise, HTTP is always enabled.
+ const bool* is_official_build_p = ec->GetValue(
+ system_provider->var_is_official_build());
+ if (is_official_build_p && *is_official_build_p) {
+ const bool* policy_http_downloads_enabled_p = ec->GetValue(
+ dp_provider->var_http_downloads_enabled());
+ result->http_allowed =
+ !policy_http_downloads_enabled_p || *policy_http_downloads_enabled_p;
+ }
+
+ // Determine whether use of P2P is allowed by policy.
+ const bool* policy_au_p2p_enabled_p = ec->GetValue(
+ dp_provider->var_au_p2p_enabled());
+ result->p2p_allowed = policy_au_p2p_enabled_p && *policy_au_p2p_enabled_p;
+
+ // Determine whether a target channel is dictated by policy.
+ const bool* release_channel_delegated_p = ec->GetValue(
+ dp_provider->var_release_channel_delegated());
+ if (release_channel_delegated_p && !(*release_channel_delegated_p)) {
+ const string* release_channel_p = ec->GetValue(
+ dp_provider->var_release_channel());
+ if (release_channel_p)
+ result->target_channel = *release_channel_p;
+ }
+ }
+
+ // Enable P2P, if so mandated by the updater configuration.
+ if (!result->p2p_allowed) {
+ const bool* updater_p2p_enabled_p = ec->GetValue(
+ state->updater_provider()->var_p2p_enabled());
+ result->p2p_allowed = updater_p2p_enabled_p && *updater_p2p_enabled_p;
+ }
+
+ return EvalStatus::kSucceeded;
+}
+
+EvalStatus ChromeOSPolicy::NextUpdateCheckTime(EvaluationContext* ec,
+ State* state, string* error,
+ Time* next_update_check) const {
+ // Don't check for updates too often. We limit the update checks to once every
+ // some interval. The interval is kTimeoutInitialInterval the first time and
+ // kTimeoutPeriodicInterval for the subsequent update checks. If the update
+ // check fails, we increase the interval between the update checks
+ // exponentially until kTimeoutMaxBackoffInterval. Finally, to avoid having
+ // many chromebooks running update checks at the exact same time, we add some
+ // fuzz to the interval.
+ const Time* updater_started_time =
+ ec->GetValue(state->updater_provider()->var_updater_started_time());
+ POLICY_CHECK_VALUE_AND_FAIL(updater_started_time, error);
+
+ const base::Time* last_checked_time =
+ ec->GetValue(state->updater_provider()->var_last_checked_time());
+
+ const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
+ POLICY_CHECK_VALUE_AND_FAIL(seed, error);
+
+ PRNG prng(*seed);
+
+ if (!last_checked_time || *last_checked_time < *updater_started_time) {
+ // First attempt.
+ *next_update_check = *updater_started_time + FuzzedInterval(
+ &prng, kTimeoutInitialInterval, kTimeoutRegularFuzz);
+ return EvalStatus::kSucceeded;
+ }
+ // Check for previous failed attempts to implement the exponential backoff.
+ const unsigned int* consecutive_failed_update_checks = ec->GetValue(
+ state->updater_provider()->var_consecutive_failed_update_checks());
+ POLICY_CHECK_VALUE_AND_FAIL(consecutive_failed_update_checks, error);
+
+ int interval = kTimeoutInitialInterval;
+ for (unsigned int i = 0; i < *consecutive_failed_update_checks; ++i) {
+ interval *= 2;
+ if (interval > kTimeoutMaxBackoffInterval) {
+ interval = kTimeoutMaxBackoffInterval;
+ break;
+ }
+ }
+
+ *next_update_check = *last_checked_time + FuzzedInterval(
+ &prng, interval, kTimeoutRegularFuzz);
+ return EvalStatus::kSucceeded;
+}
+
+TimeDelta ChromeOSPolicy::FuzzedInterval(PRNG* prng, int interval, int fuzz) {
+ DCHECK_GE(interval, 0);
+ DCHECK_GE(fuzz, 0);
+ int half_fuzz = fuzz / 2;
+ // This guarantees the output interval is non negative.
+ int interval_min = std::max(interval - half_fuzz, 0);
+ int interval_max = interval + half_fuzz;
+ return TimeDelta::FromSeconds(prng->RandMinMax(interval_min, interval_max));
+}
+
+EvalStatus ChromeOSPolicy::UpdateScattering(
+ EvaluationContext* ec,
+ State* state,
+ string* error,
+ UpdateScatteringResult* result,
+ const UpdateState& update_state) const {
+ // Preconditions. These stem from the postconditions and usage contract.
+ DCHECK(update_state.scatter_wait_period >= kZeroInterval);
+ DCHECK_GE(update_state.scatter_check_threshold, 0);
+
+ // Set default result values.
+ result->is_scattering = false;
+ result->wait_period = kZeroInterval;
+ result->check_threshold = 0;
+
+ DevicePolicyProvider* const dp_provider = state->device_policy_provider();
+
+ // Ensure that a device policy is loaded.
+ const bool* device_policy_is_loaded_p = ec->GetValue(
+ dp_provider->var_device_policy_is_loaded());
+ if (!(device_policy_is_loaded_p && *device_policy_is_loaded_p))
+ return EvalStatus::kSucceeded;
+
+ // Is scattering enabled by policy?
+ const TimeDelta* scatter_factor_p = ec->GetValue(
+ dp_provider->var_scatter_factor());
+ if (!scatter_factor_p || *scatter_factor_p == kZeroInterval)
+ return EvalStatus::kSucceeded;
+
+ // Obtain a pseudo-random number generator.
+ const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
+ POLICY_CHECK_VALUE_AND_FAIL(seed, error);
+ PRNG prng(*seed);
+
+ // Step 1: Maintain the scattering wait period.
+ //
+ // If no wait period was previously determined, or it no longer fits in the
+ // scatter factor, then generate a new one. Otherwise, keep the one we have.
+ TimeDelta wait_period = update_state.scatter_wait_period;
+ if (wait_period == kZeroInterval || wait_period > *scatter_factor_p) {
+ wait_period = TimeDelta::FromSeconds(
+ prng.RandMinMax(1, scatter_factor_p->InSeconds()));
+ }
+
+ // If we surpass the wait period or the max scatter period associated with
+ // the update, then no wait is needed.
+ Time wait_expires = (update_state.first_seen +
+ min(wait_period, update_state.scatter_wait_period_max));
+ if (ec->IsTimeGreaterThan(wait_expires))
+ wait_period = kZeroInterval;
+
+ // Step 2: Maintain the update check threshold count.
+ //
+ // If an update check threshold is not specified then generate a new
+ // one.
+ int check_threshold = update_state.scatter_check_threshold;
+ if (check_threshold == 0) {
+ check_threshold = prng.RandMinMax(
+ update_state.scatter_check_threshold_min,
+ update_state.scatter_check_threshold_max);
+ }
+
+ // If the update check threshold is not within allowed range then nullify it.
+ // TODO(garnold) This is compliant with current logic found in
+ // OmahaRequestAction::IsUpdateCheckCountBasedWaitingSatisfied(). We may want
+ // to change it so that it behaves similarly to the wait period case, namely
+ // if the current value exceeds the maximum, we set a new one within range.
+ if (check_threshold > update_state.scatter_check_threshold_max)
+ check_threshold = 0;
+
+ // If the update check threshold is non-zero and satisfied, then nullify it.
+ if (check_threshold > 0 && update_state.num_checks >= check_threshold)
+ check_threshold = 0;
+
+ bool is_scattering = (wait_period != kZeroInterval || check_threshold);
+ EvalStatus ret = EvalStatus::kSucceeded;
+ if (is_scattering && wait_period == update_state.scatter_wait_period &&
+ check_threshold == update_state.scatter_check_threshold)
+ ret = EvalStatus::kAskMeAgainLater;
+ result->is_scattering = is_scattering;
+ result->wait_period = wait_period;
+ result->check_threshold = check_threshold;
+ return ret;
+}
+
+// TODO(garnold) Logic in this method is based on
+// ConnectionManager::IsUpdateAllowedOver(); be sure to deprecate the latter.
+//
+// TODO(garnold) The current logic generally treats the list of allowed
+// connections coming from the device policy as a whitelist, meaning that it
+// can only be used for enabling connections, but not disable them. Further,
+// certain connection types (like Bluetooth) cannot be enabled even by policy.
+// In effect, the only thing that device policy can change is to enable
+// updates over a cellular network (disabled by default). We may want to
+// revisit this semantics, allowing greater flexibility in defining specific
+// permissions over all types of networks.
+EvalStatus ChromeOSPolicy::UpdateCurrentConnectionAllowed(
+ EvaluationContext* ec,
+ State* state,
+ string* error,
+ bool* result) const {
+ // Get the current connection type.
+ ShillProvider* const shill_provider = state->shill_provider();
+ const ConnectionType* conn_type_p = ec->GetValue(
+ shill_provider->var_conn_type());
+ POLICY_CHECK_VALUE_AND_FAIL(conn_type_p, error);
+ ConnectionType conn_type = *conn_type_p;
+
+ // If we're tethering, treat it as a cellular connection.
+ if (conn_type != ConnectionType::kCellular) {
+ const ConnectionTethering* conn_tethering_p = ec->GetValue(
+ shill_provider->var_conn_tethering());
+ POLICY_CHECK_VALUE_AND_FAIL(conn_tethering_p, error);
+ if (*conn_tethering_p == ConnectionTethering::kConfirmed)
+ conn_type = ConnectionType::kCellular;
+ }
+
+ // By default, we allow updates for all connection types, with exceptions as
+ // noted below. This also determines whether a device policy can override the
+ // default.
+ *result = true;
+ bool device_policy_can_override = false;
+ switch (conn_type) {
+ case ConnectionType::kBluetooth:
+ *result = false;
+ break;
+
+ case ConnectionType::kCellular:
+ *result = false;
+ device_policy_can_override = true;
+ break;
+
+ case ConnectionType::kUnknown:
+ if (error)
+ *error = "Unknown connection type";
+ return EvalStatus::kFailed;
+
+ default:
+ break; // Nothing to do.
+ }
+
+ // If update is allowed, we're done.
+ if (*result)
+ return EvalStatus::kSucceeded;
+
+ // Check whether the device policy specifically allows this connection.
+ bool user_settings_can_override = false;
+ if (device_policy_can_override) {
+ DevicePolicyProvider* const dp_provider = state->device_policy_provider();
+ const bool* device_policy_is_loaded_p = ec->GetValue(
+ dp_provider->var_device_policy_is_loaded());
+ if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
+ const set<ConnectionType>* allowed_conn_types_p = ec->GetValue(
+ dp_provider->var_allowed_connection_types_for_update());
+ if (allowed_conn_types_p) {
+ if (allowed_conn_types_p->count(conn_type)) {
+ *result = true;
+ return EvalStatus::kSucceeded;
+ }
+ } else {
+ user_settings_can_override = true;
+ }
+ }
+ }
+
+ // Local user settings can allow updates iff a policy was loaded but no
+ // allowed connections were specified in it. In all other cases, we either
+ // stick with the default or use the values determined by the policy.
+ if (user_settings_can_override) {
+ const bool* update_over_cellular_allowed_p = ec->GetValue(
+ state->updater_provider()->var_cellular_enabled());
+ if (update_over_cellular_allowed_p && *update_over_cellular_allowed_p)
+ *result = true;
+ }
+
+ return EvalStatus::kSucceeded;
+}
+
+} // namespace chromeos_update_manager