blob: f0d6e3d8059a4b808bda8fabbd9ebbdeab5f91b7 [file] [log] [blame]
Alex Deymoc705cc82014-02-19 11:15:00 -08001// Copyright (c) 2014 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
Alex Deymo0d11c602014-04-23 20:12:20 -07005#include "update_engine/policy_manager/chromeos_policy.h"
Alex Deymo0d11c602014-04-23 20:12:20 -07006
Gilad Arnolde1218812014-05-07 12:21:36 -07007#include <algorithm>
Gilad Arnold0adbc942014-05-12 10:35:43 -07008#include <set>
Alex Deymoc705cc82014-02-19 11:15:00 -08009#include <string>
10
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070011#include <base/logging.h>
12#include <base/time/time.h>
13
14#include "update_engine/policy_manager/device_policy_provider.h"
15#include "update_engine/policy_manager/policy_utils.h"
Gilad Arnold0adbc942014-05-12 10:35:43 -070016#include "update_engine/policy_manager/shill_provider.h"
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070017
Alex Deymo0d11c602014-04-23 20:12:20 -070018using base::Time;
19using base::TimeDelta;
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070020using std::min;
Gilad Arnold0adbc942014-05-12 10:35:43 -070021using std::set;
Alex Deymoc705cc82014-02-19 11:15:00 -080022using std::string;
23
24namespace chromeos_policy_manager {
25
Alex Deymo0d11c602014-04-23 20:12:20 -070026EvalStatus ChromeOSPolicy::UpdateCheckAllowed(
27 EvaluationContext* ec, State* state, string* error,
28 UpdateCheckParams* result) const {
29 Time next_update_check;
30 if (NextUpdateCheckTime(ec, state, error, &next_update_check) !=
31 EvalStatus::kSucceeded) {
32 return EvalStatus::kFailed;
33 }
34
35 if (!ec->IsTimeGreaterThan(next_update_check))
36 return EvalStatus::kAskMeAgainLater;
37
38 // It is time to check for an update.
39 result->updates_enabled = true;
Alex Deymoe636c3c2014-03-11 19:02:08 -070040 return EvalStatus::kSucceeded;
Alex Deymoc705cc82014-02-19 11:15:00 -080041}
42
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070043EvalStatus ChromeOSPolicy::UpdateCanStart(
44 EvaluationContext* ec,
45 State* state,
46 string* error,
47 UpdateCanStartResult* result,
48 const bool interactive,
49 const UpdateState& update_state) const {
50 // Set the default return values.
51 result->update_can_start = true;
52 result->http_allowed = true;
53 result->p2p_allowed = false;
54 result->target_channel.clear();
55 result->cannot_start_reason = UpdateCannotStartReason::kUndefined;
56 result->scatter_wait_period = kZeroInterval;
57 result->scatter_check_threshold = 0;
58
59 // Make sure that we're not due for an update check.
60 UpdateCheckParams check_result;
61 EvalStatus check_status = UpdateCheckAllowed(ec, state, error, &check_result);
62 if (check_status == EvalStatus::kFailed)
63 return EvalStatus::kFailed;
64 if (check_status == EvalStatus::kSucceeded &&
65 check_result.updates_enabled == true) {
66 result->update_can_start = false;
67 result->cannot_start_reason = UpdateCannotStartReason::kCheckDue;
68 return EvalStatus::kSucceeded;
69 }
70
71 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
Gilad Arnold76a11f62014-05-20 09:02:12 -070072 SystemProvider* const system_provider = state->system_provider();
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070073
74 const bool* device_policy_is_loaded_p = ec->GetValue(
75 dp_provider->var_device_policy_is_loaded());
76 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
77 // Ensure that update is enabled.
78 const bool* update_disabled_p = ec->GetValue(
79 dp_provider->var_update_disabled());
80 if (update_disabled_p && *update_disabled_p) {
81 result->update_can_start = false;
82 result->cannot_start_reason = UpdateCannotStartReason::kDisabledByPolicy;
83 return EvalStatus::kAskMeAgainLater;
84 }
85
Gilad Arnold76a11f62014-05-20 09:02:12 -070086 // Check whether scattering applies to this update attempt. We should not be
87 // scattering if this is an interactive update check, or if OOBE is enabled
88 // but not completed.
89 //
90 // Note: current code further suppresses scattering if a "deadline"
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070091 // attribute is found in the Omaha response. However, it appears that the
Gilad Arnold76a11f62014-05-20 09:02:12 -070092 // presence of this attribute is merely indicative of an OOBE update, during
93 // which we suppress scattering anyway.
94 bool scattering_applies = false;
Gilad Arnoldf62a4b82014-05-01 07:41:07 -070095 if (!interactive) {
Gilad Arnold76a11f62014-05-20 09:02:12 -070096 const bool* is_oobe_enabled_p = ec->GetValue(
97 state->config_provider()->var_is_oobe_enabled());
98 if (is_oobe_enabled_p && !(*is_oobe_enabled_p)) {
99 scattering_applies = true;
100 } else {
101 const bool* is_oobe_complete_p = ec->GetValue(
102 system_provider->var_is_oobe_complete());
103 scattering_applies = (is_oobe_complete_p && *is_oobe_complete_p);
104 }
105 }
106
107 // Compute scattering values.
108 if (scattering_applies) {
Gilad Arnoldf62a4b82014-05-01 07:41:07 -0700109 UpdateScatteringResult scatter_result;
110 EvalStatus scattering_status = UpdateScattering(
111 ec, state, error, &scatter_result, update_state);
112 if (scattering_status != EvalStatus::kSucceeded ||
113 scatter_result.is_scattering) {
114 if (scattering_status != EvalStatus::kFailed) {
115 result->update_can_start = false;
116 result->cannot_start_reason = UpdateCannotStartReason::kScattering;
117 result->scatter_wait_period = scatter_result.wait_period;
118 result->scatter_check_threshold = scatter_result.check_threshold;
119 }
120 return scattering_status;
121 }
122 }
123
124 // Determine whether HTTP downloads are forbidden by policy. This only
125 // applies to official system builds; otherwise, HTTP is always enabled.
126 const bool* is_official_build_p = ec->GetValue(
Gilad Arnold76a11f62014-05-20 09:02:12 -0700127 system_provider->var_is_official_build());
Gilad Arnoldf62a4b82014-05-01 07:41:07 -0700128 if (is_official_build_p && *is_official_build_p) {
129 const bool* policy_http_downloads_enabled_p = ec->GetValue(
130 dp_provider->var_http_downloads_enabled());
131 result->http_allowed =
132 !policy_http_downloads_enabled_p || *policy_http_downloads_enabled_p;
133 }
134
135 // Determine whether use of P2P is allowed by policy.
136 const bool* policy_au_p2p_enabled_p = ec->GetValue(
137 dp_provider->var_au_p2p_enabled());
138 result->p2p_allowed = policy_au_p2p_enabled_p && *policy_au_p2p_enabled_p;
139
140 // Determine whether a target channel is dictated by policy.
141 const bool* release_channel_delegated_p = ec->GetValue(
142 dp_provider->var_release_channel_delegated());
143 if (release_channel_delegated_p && !(*release_channel_delegated_p)) {
144 const string* release_channel_p = ec->GetValue(
145 dp_provider->var_release_channel());
146 if (release_channel_p)
147 result->target_channel = *release_channel_p;
148 }
149 }
150
151 // Enable P2P, if so mandated by the updater configuration.
152 if (!result->p2p_allowed) {
153 const bool* updater_p2p_enabled_p = ec->GetValue(
154 state->updater_provider()->var_p2p_enabled());
155 result->p2p_allowed = updater_p2p_enabled_p && *updater_p2p_enabled_p;
156 }
157
Gilad Arnoldaf2f6ae2014-04-28 14:14:52 -0700158 return EvalStatus::kSucceeded;
159}
160
Alex Deymo0d11c602014-04-23 20:12:20 -0700161EvalStatus ChromeOSPolicy::NextUpdateCheckTime(EvaluationContext* ec,
162 State* state, string* error,
163 Time* next_update_check) const {
164 // Don't check for updates too often. We limit the update checks to once every
165 // some interval. The interval is kTimeoutInitialInterval the first time and
166 // kTimeoutPeriodicInterval for the subsequent update checks. If the update
167 // check fails, we increase the interval between the update checks
168 // exponentially until kTimeoutMaxBackoffInterval. Finally, to avoid having
169 // many chromebooks running update checks at the exact same time, we add some
170 // fuzz to the interval.
171 const Time* updater_started_time =
172 ec->GetValue(state->updater_provider()->var_updater_started_time());
173 POLICY_CHECK_VALUE_AND_FAIL(updater_started_time, error);
174
175 const base::Time* last_checked_time =
176 ec->GetValue(state->updater_provider()->var_last_checked_time());
177
178 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
179 POLICY_CHECK_VALUE_AND_FAIL(seed, error);
180
181 PRNG prng(*seed);
182
183 if (!last_checked_time || *last_checked_time < *updater_started_time) {
184 // First attempt.
185 *next_update_check = *updater_started_time + FuzzedInterval(
186 &prng, kTimeoutInitialInterval, kTimeoutRegularFuzz);
187 return EvalStatus::kSucceeded;
188 }
189 // Check for previous failed attempts to implement the exponential backoff.
190 const unsigned int* consecutive_failed_update_checks = ec->GetValue(
191 state->updater_provider()->var_consecutive_failed_update_checks());
192 POLICY_CHECK_VALUE_AND_FAIL(consecutive_failed_update_checks, error);
193
194 int interval = kTimeoutInitialInterval;
195 for (unsigned int i = 0; i < *consecutive_failed_update_checks; ++i) {
196 interval *= 2;
197 if (interval > kTimeoutMaxBackoffInterval) {
198 interval = kTimeoutMaxBackoffInterval;
199 break;
200 }
201 }
202
203 *next_update_check = *last_checked_time + FuzzedInterval(
204 &prng, interval, kTimeoutRegularFuzz);
205 return EvalStatus::kSucceeded;
206}
207
208TimeDelta ChromeOSPolicy::FuzzedInterval(PRNG* prng, int interval, int fuzz) {
Gilad Arnolde1218812014-05-07 12:21:36 -0700209 DCHECK_GE(interval, 0);
210 DCHECK_GE(fuzz, 0);
Alex Deymo0d11c602014-04-23 20:12:20 -0700211 int half_fuzz = fuzz / 2;
Alex Deymo0d11c602014-04-23 20:12:20 -0700212 // This guarantees the output interval is non negative.
Gilad Arnolde1218812014-05-07 12:21:36 -0700213 int interval_min = std::max(interval - half_fuzz, 0);
214 int interval_max = interval + half_fuzz;
215 return TimeDelta::FromSeconds(prng->RandMinMax(interval_min, interval_max));
Alex Deymo0d11c602014-04-23 20:12:20 -0700216}
217
Gilad Arnoldf62a4b82014-05-01 07:41:07 -0700218EvalStatus ChromeOSPolicy::UpdateScattering(
219 EvaluationContext* ec,
220 State* state,
221 string* error,
222 UpdateScatteringResult* result,
223 const UpdateState& update_state) const {
224 // Preconditions. These stem from the postconditions and usage contract.
225 DCHECK(update_state.scatter_wait_period >= kZeroInterval);
226 DCHECK_GE(update_state.scatter_check_threshold, 0);
227
228 // Set default result values.
229 result->is_scattering = false;
230 result->wait_period = kZeroInterval;
231 result->check_threshold = 0;
232
233 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
234
235 // Ensure that a device policy is loaded.
236 const bool* device_policy_is_loaded_p = ec->GetValue(
237 dp_provider->var_device_policy_is_loaded());
238 if (!(device_policy_is_loaded_p && *device_policy_is_loaded_p))
239 return EvalStatus::kSucceeded;
240
241 // Is scattering enabled by policy?
242 const TimeDelta* scatter_factor_p = ec->GetValue(
243 dp_provider->var_scatter_factor());
244 if (!scatter_factor_p || *scatter_factor_p == kZeroInterval)
245 return EvalStatus::kSucceeded;
246
247 // Obtain a pseudo-random number generator.
248 const uint64_t* seed = ec->GetValue(state->random_provider()->var_seed());
249 POLICY_CHECK_VALUE_AND_FAIL(seed, error);
250 PRNG prng(*seed);
251
252 // Step 1: Maintain the scattering wait period.
253 //
254 // If no wait period was previously determined, or it no longer fits in the
255 // scatter factor, then generate a new one. Otherwise, keep the one we have.
256 // TODO(garnold) Current code (UpdateAttempter::GenerateNewWaitingPeriod())
257 // always generates a non-zero value, which seems to imply that *some*
258 // scattering always happens. Yet to validate whether this is intentional.
259 TimeDelta wait_period = update_state.scatter_wait_period;
260 if (wait_period == kZeroInterval || wait_period > *scatter_factor_p) {
261 wait_period = TimeDelta::FromSeconds(
262 prng.RandMinMax(1, scatter_factor_p->InSeconds()));
263 }
264
265 // If we surpass the wait period or the max scatter period associated with
266 // the update, then no wait is needed.
267 Time wait_expires = (update_state.first_seen +
268 min(wait_period, update_state.scatter_wait_period_max));
269 if (ec->IsTimeGreaterThan(wait_expires))
270 wait_period = kZeroInterval;
271
272 // Step 2: Maintain the update check threshold count.
273 //
274 // If an update check threshold is not specified then generate a new
275 // one.
276 int check_threshold = update_state.scatter_check_threshold;
277 if (check_threshold == 0) {
278 check_threshold = prng.RandMinMax(
279 update_state.scatter_check_threshold_min,
280 update_state.scatter_check_threshold_max);
281 }
282
283 // If the update check threshold is not within allowed range then nullify it.
284 // TODO(garnold) This is compliant with current logic found in
285 // OmahaRequestAction::IsUpdateCheckCountBasedWaitingSatisfied(). We may want
286 // to change it so that it behaves similarly to the wait period case, namely
287 // if the current value exceeds the maximum, we set a new one within range.
288 if (check_threshold > update_state.scatter_check_threshold_max)
289 check_threshold = 0;
290
291 // If the update check threshold is non-zero and satisfied, then nullify it.
292 if (check_threshold > 0 && update_state.num_checks >= check_threshold)
293 check_threshold = 0;
294
295 bool is_scattering = (wait_period != kZeroInterval || check_threshold);
296 EvalStatus ret = EvalStatus::kSucceeded;
297 if (is_scattering && wait_period == update_state.scatter_wait_period &&
298 check_threshold == update_state.scatter_check_threshold)
299 ret = EvalStatus::kAskMeAgainLater;
300 result->is_scattering = is_scattering;
301 result->wait_period = wait_period;
302 result->check_threshold = check_threshold;
303 return ret;
304}
305
Gilad Arnold0adbc942014-05-12 10:35:43 -0700306// TODO(garnold) Logic in this method is based on
307// ConnectionManager::IsUpdateAllowedOver(); be sure to deprecate the latter.
308//
309// TODO(garnold) The current logic generally treats the list of allowed
310// connections coming from the device policy as a whitelist, meaning that it
311// can only be used for enabling connections, but not disable them. Further,
312// certain connection types (like Bluetooth) cannot be enabled even by policy.
313// In effect, the only thing that device policy can change is to enable
314// updates over a cellular network (disabled by default). We may want to
315// revisit this semantics, allowing greater flexibility in defining specific
316// permissions over all types of networks.
317EvalStatus ChromeOSPolicy::UpdateCurrentConnectionAllowed(
318 EvaluationContext* ec,
319 State* state,
320 string* error,
321 bool* result) const {
322 // Get the current connection type.
323 ShillProvider* const shill_provider = state->shill_provider();
324 const ConnectionType* conn_type_p = ec->GetValue(
325 shill_provider->var_conn_type());
326 POLICY_CHECK_VALUE_AND_FAIL(conn_type_p, error);
327 ConnectionType conn_type = *conn_type_p;
328
329 // If we're tethering, treat it as a cellular connection.
330 if (conn_type != ConnectionType::kCellular) {
331 const ConnectionTethering* conn_tethering_p = ec->GetValue(
332 shill_provider->var_conn_tethering());
333 POLICY_CHECK_VALUE_AND_FAIL(conn_tethering_p, error);
334 if (*conn_tethering_p == ConnectionTethering::kConfirmed)
335 conn_type = ConnectionType::kCellular;
336 }
337
338 // By default, we allow updates for all connection types, with exceptions as
339 // noted below. This also determines whether a device policy can override the
340 // default.
341 *result = true;
342 bool device_policy_can_override = false;
343 switch (conn_type) {
344 case ConnectionType::kBluetooth:
345 *result = false;
346 break;
347
348 case ConnectionType::kCellular:
349 *result = false;
350 device_policy_can_override = true;
351 break;
352
353 case ConnectionType::kUnknown:
354 if (error)
355 *error = "Unknown connection type";
356 return EvalStatus::kFailed;
357
358 default:
359 break; // Nothing to do.
360 }
361
362 // If update is allowed, we're done.
363 if (*result)
364 return EvalStatus::kSucceeded;
365
366 // Check whether the device policy specifically allows this connection.
367 bool user_settings_can_override = false;
368 if (device_policy_can_override) {
369 DevicePolicyProvider* const dp_provider = state->device_policy_provider();
370 const bool* device_policy_is_loaded_p = ec->GetValue(
371 dp_provider->var_device_policy_is_loaded());
372 if (device_policy_is_loaded_p && *device_policy_is_loaded_p) {
373 const set<ConnectionType>* allowed_conn_types_p = ec->GetValue(
374 dp_provider->var_allowed_connection_types_for_update());
375 if (allowed_conn_types_p) {
376 if (allowed_conn_types_p->count(conn_type)) {
377 *result = true;
378 return EvalStatus::kSucceeded;
379 }
380 } else {
381 user_settings_can_override = true;
382 }
383 }
384 }
385
386 // Local user settings can allow updates iff a policy was loaded but no
387 // allowed connections were specified in it. In all other cases, we either
388 // stick with the default or use the values determined by the policy.
389 if (user_settings_can_override) {
390 const bool* update_over_cellular_allowed_p = ec->GetValue(
391 state->updater_provider()->var_cellular_enabled());
392 if (update_over_cellular_allowed_p && *update_over_cellular_allowed_p)
393 *result = true;
394 }
395
396 return EvalStatus::kSucceeded;
397}
398
Alex Deymoc705cc82014-02-19 11:15:00 -0800399} // namespace chromeos_policy_manager