Skip to content

GitLab

T
tangled
Commit 4ee8711f authored by tnagel@chromium.org's avatar tnagel@chromium.org
Browse files
Options

Be more picky in triggering enrollment recovery. 

Restrict triggering of enrollment recovery to a smaller subset of
DeviceSettingsService status codes just to be on the safe side.

BUG=389481

Review URL: https://codereview.chromium.org/400623002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@284083 0039d316-1c4b-4281-b951-d872f2087c98
parent 38283897
Hide whitespace changes
Inline Side-by-side
Showing with 39 additions and 25 deletions
chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc
View file @ 4ee8711f
...@@ -26,7 +26,7 @@ DeviceCloudPolicyStoreChromeOS::DeviceCloudPolicyStoreChromeOS( ...@@ -26,7 +26,7 @@ DeviceCloudPolicyStoreChromeOS::DeviceCloudPolicyStoreChromeOS(
: device_settings_service_(device_settings_service), : device_settings_service_(device_settings_service),
install_attributes_(install_attributes), install_attributes_(install_attributes),
background_task_runner_(background_task_runner), background_task_runner_(background_task_runner),
first_update_(true), enrollment_validation_done_(false),
weak_factory_(this) { weak_factory_(this) {
device_settings_service_->AddObserver(this); device_settings_service_->AddObserver(this);
} }
...@@ -138,32 +138,47 @@ void DeviceCloudPolicyStoreChromeOS::UpdateFromService() { ...@@ -138,32 +138,47 @@ void DeviceCloudPolicyStoreChromeOS::UpdateFromService() {
return; return;
} }
// Fill UMA histogram once per session. Skip temp validation error because it // Once per session, validate internal consistency of enrollment state (DM
// is not a definitive result (policy load will be retried). // token must be present on enrolled devices) and in case of failure set flag
// to indicate that recovery is required.
const chromeos::DeviceSettingsService::Status status = const chromeos::DeviceSettingsService::Status status =
device_settings_service_->status(); device_settings_service_->status();
if (first_update_ && switch (status) {
status != chromeos::DeviceSettingsService::STORE_TEMP_VALIDATION_ERROR) { case chromeos::DeviceSettingsService::STORE_SUCCESS:
first_update_ = false; case chromeos::DeviceSettingsService::STORE_KEY_UNAVAILABLE:
const bool has_dm_token = case chromeos::DeviceSettingsService::STORE_NO_POLICY:
status == chromeos::DeviceSettingsService::STORE_SUCCESS && case chromeos::DeviceSettingsService::STORE_INVALID_POLICY:
device_settings_service_->policy_data() && case chromeos::DeviceSettingsService::STORE_VALIDATION_ERROR: {
device_settings_service_->policy_data()->has_request_token(); if (!enrollment_validation_done_) {
enrollment_validation_done_ = true;
// At the time LoginDisplayHostImpl decides whether enrollment flow is to be const bool has_dm_token =
// started, policy hasn't been read yet, so LoginDisplayHostImpl is not in a status == chromeos::DeviceSettingsService::STORE_SUCCESS &&
// position to decide whether recovery is required. To work around this, device_settings_service_->policy_data() &&
// upon policy load on machines requiring recovery, a flag is stored in device_settings_service_->policy_data()->has_request_token();
// prefs which is accessed by LoginDisplayHostImpl early during (next) boot.
if (!has_dm_token) { // At the time LoginDisplayHostImpl decides whether enrollment flow is
LOG(ERROR) << "Policy read on enrolled device yields no DM token! " // to be started, policy hasn't been read yet. To work around this,
<< "Status: " << status << "."; // once the need for recovery is detected upon policy load, a flag is
chromeos::StartupUtils::MarkEnrollmentRecoveryRequired(); // stored in prefs which is accessed by LoginDisplayHostImpl early
// during (next) boot.
if (!has_dm_token) {
LOG(ERROR) << "Device policy read on enrolled device yields "
<< "no DM token! Status: " << status << ".";
chromeos::StartupUtils::MarkEnrollmentRecoveryRequired();
}
UMA_HISTOGRAM_BOOLEAN("Enterprise.EnrolledPolicyHasDMToken",
has_dm_token);
}
break;
} }
UMA_HISTOGRAM_BOOLEAN("Enterprise.EnrolledPolicyHasDMToken", has_dm_token); case chromeos::DeviceSettingsService::STORE_POLICY_ERROR:
case chromeos::DeviceSettingsService::STORE_OPERATION_FAILED:
case chromeos::DeviceSettingsService::STORE_TEMP_VALIDATION_ERROR:
// Do nothing for write errors or transient read errors.
break;
} }
switch (device_settings_service_->status()) { switch (status) {
case chromeos::DeviceSettingsService::STORE_SUCCESS: { case chromeos::DeviceSettingsService::STORE_SUCCESS: {
status_ = STATUS_OK; status_ = STATUS_OK;
policy_.reset(new em::PolicyData()); policy_.reset(new em::PolicyData());
......
chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h
View file @ 4ee8711f
...@@ -76,9 +76,8 @@ class DeviceCloudPolicyStoreChromeOS ...@@ -76,9 +76,8 @@ class DeviceCloudPolicyStoreChromeOS
scoped_refptr<base::SequencedTaskRunner> background_task_runner_; scoped_refptr<base::SequencedTaskRunner> background_task_runner_;
// Run enrollment sanity check and UMA stats only upon the first policy // Whether enterprise enrollment validation has yet been done.
// read/update. bool enrollment_validation_done_;
bool first_update_;
base::WeakPtrFactory<DeviceCloudPolicyStoreChromeOS> weak_factory_; base::WeakPtrFactory<DeviceCloudPolicyStoreChromeOS> weak_factory_;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment