1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #ifndef LIBBRILLO_POLICY_DEVICE_POLICY_H_
6 #define LIBBRILLO_POLICY_DEVICE_POLICY_H_
7 
8 #include <stdint.h>
9 
10 #include <set>
11 #include <string>
12 #include <utility>
13 #include <vector>
14 
15 #include <base/macros.h>
16 #include <base/time/time.h>
17 
18 #pragma GCC visibility push(default)
19 
20 namespace policy {
21 
22 // This class holds device settings that are to be enforced across all users.
23 // It is also responsible for loading the policy blob from disk and verifying
24 // the signature against the owner's key.
25 //
26 // This class defines the interface for querying device policy on ChromeOS.
27 // The implementation is hidden in DevicePolicyImpl to prevent protobuf
28 // definition from leaking into the libraries using this interface.
29 class DevicePolicy {
30  public:
31   // Identifiers of a USB device or device family.
32   struct UsbDeviceId {
33     // USB Vendor Identifier (aka idVendor).
34     uint16_t vendor_id;
35 
36     // USB Product Identifier (aka idProduct).
37     uint16_t product_id;
38   };
39 
40   // Time interval represented by two |day_of_week| and |time| pairs. The start
41   // of the interval is inclusive and the end is exclusive. The time represented
42   // by those pairs will be interpreted to be in the local timezone. Because of
43   // this, there exists the possibility of intervals being repeated or skipped
44   // in a day with daylight savings transitions, this is expected behavior.
45   struct WeeklyTimeInterval {
46     // Value is from 1 to 7 (1 = Monday, 2 = Tuesday, etc.). All values outside
47     // this range are invalid and will be discarded.
48     int start_day_of_week;
49     // Time since the start of the day. This value will be interpreted to be in
50     // the system's current timezone when used for range checking.
51     base::TimeDelta start_time;
52     int end_day_of_week;
53     base::TimeDelta end_time;
54   };
55 
56   // Identifies a <day, percentage> pair in a staging schedule.
57   struct DayPercentagePair {
58     bool operator==(const DayPercentagePair& other) const {
59       return days == other.days && percentage == other.percentage;
60     }
61     int days;
62     int percentage;
63   };
64 
65   DevicePolicy();
66   virtual ~DevicePolicy();
67 
68   // Load device policy off of disk into |policy_|.
69   // Returns true unless there is a policy on disk and loading it fails.
70   virtual bool LoadPolicy() = 0;
71 
72   // Returns true if OOBE has been completed and if the device has been enrolled
73   // as an enterprise or enterpriseAD device.
74   virtual bool IsEnterpriseEnrolled() const = 0;
75 
76   // Writes the value of the DevicePolicyRefreshRate policy in |rate|. Returns
77   // true on success.
78   virtual bool GetPolicyRefreshRate(int* rate) const = 0;
79 
80   // Writes the value of the UserWhitelist policy in |user_whitelist|. Returns
81   // true on success.
82   virtual bool GetUserWhitelist(
83       std::vector<std::string>* user_whitelist) const = 0;
84 
85   // Writes the value of the GuestModeEnabled policy in |guest_mode_enabled|.
86   // Returns true on success.
87   virtual bool GetGuestModeEnabled(bool* guest_mode_enabled) const = 0;
88 
89   // Writes the value of the CameraEnabled policy in |camera_enabled|. Returns
90   // true on success.
91   virtual bool GetCameraEnabled(bool* camera_enabled) const = 0;
92 
93   // Writes the value of the ShowUserNamesOnSignIn policy in |show_user_names|.
94   // Returns true on success.
95   virtual bool GetShowUserNames(bool* show_user_names) const = 0;
96 
97   // Writes the value of the DataRoamingEnabled policy in |data_roaming_enabled|
98   // Returns true on success.
99   virtual bool GetDataRoamingEnabled(bool* data_roaming_enabled) const = 0;
100 
101   // Writes the value of the AllowNewUsers policy in |allow_new_users|. Returns
102   // true on success.
103   virtual bool GetAllowNewUsers(bool* allow_new_users) const = 0;
104 
105   // Writes the value of MetricEnabled policy in |metrics_enabled|. Returns true
106   // on success.
107   virtual bool GetMetricsEnabled(bool* metrics_enabled) const = 0;
108 
109   // Writes the value of ReportVersionInfo policy in |report_version_info|.
110   // Returns true on success.
111   virtual bool GetReportVersionInfo(bool* report_version_info) const = 0;
112 
113   // Writes the value of ReportActivityTimes policy in |report_activity_times|.
114   // Returns true on success.
115   virtual bool GetReportActivityTimes(bool* report_activity_times) const = 0;
116 
117   // Writes the value of ReportBootMode policy in |report_boot_mode|. Returns
118   // true on success.
119   virtual bool GetReportBootMode(bool* report_boot_mode) const = 0;
120 
121   // Writes the value of the EphemeralUsersEnabled policy in
122   // |ephemeral_users_enabled|. Returns true on success.
123   virtual bool GetEphemeralUsersEnabled(
124       bool* ephemeral_users_enabled) const = 0;
125 
126   // Writes the value of the release channel policy in |release_channel|.
127   // Returns true on success.
128   virtual bool GetReleaseChannel(std::string* release_channel) const = 0;
129 
130   // Writes the value of the release_channel_delegated policy in
131   // |release_channel_delegated|. Returns true on success.
132   virtual bool GetReleaseChannelDelegated(
133       bool* release_channel_delegated) const = 0;
134 
135   // Writes the value of the update_disabled policy in |update_disabled|.
136   // Returns true on success.
137   virtual bool GetUpdateDisabled(bool* update_disabled) const = 0;
138 
139   // Writes the value of the target_version_prefix policy in
140   // |target_version_prefix|. Returns true on success.
141   virtual bool GetTargetVersionPrefix(
142       std::string* target_version_prefix) const = 0;
143 
144   // Writes the value of the rollback_to_target_version policy in
145   // |rollback_to_target_version|. |rollback_to_target_version| will be one of
146   // the values in AutoUpdateSettingsProto's RollbackToTargetVersion enum.
147   // Returns true on success.
148   virtual bool GetRollbackToTargetVersion(
149       int* rollback_to_target_version) const = 0;
150 
151   // Writes the value of the rollback_allowed_milestones policy in
152   // |rollback_allowed_milestones|. Returns true on success.
153   virtual bool GetRollbackAllowedMilestones(
154       int* rollback_allowed_milestones) const = 0;
155 
156   // Writes the value of the scatter_factor_in_seconds policy in
157   // |scatter_factor_in_seconds|. Returns true on success.
158   virtual bool GetScatterFactorInSeconds(
159       int64_t* scatter_factor_in_seconds) const = 0;
160 
161   // Writes the connection types on which updates are allowed to
162   // |connection_types|. The identifiers returned are intended to be consistent
163   // with what the connection manager users: ethernet, wifi, wimax, bluetooth,
164   // cellular.
165   virtual bool GetAllowedConnectionTypesForUpdate(
166       std::set<std::string>* connection_types) const = 0;
167 
168   // Writes the value of the OpenNetworkConfiguration policy in
169   // |open_network_configuration|. Returns true on success.
170   virtual bool GetOpenNetworkConfiguration(
171       std::string* open_network_configuration) const = 0;
172 
173   // Writes the name of the device owner in |owner|. For enterprise enrolled
174   // devices, this will be an empty string.
175   // Returns true on success.
176   virtual bool GetOwner(std::string* owner) const = 0;
177 
178   // Write the value of http_downloads_enabled policy in
179   // |http_downloads_enabled|. Returns true on success.
180   virtual bool GetHttpDownloadsEnabled(bool* http_downloads_enabled) const = 0;
181 
182   // Writes the value of au_p2p_enabled policy in
183   // |au_p2p_enabled|. Returns true on success.
184   virtual bool GetAuP2PEnabled(bool* au_p2p_enabled) const = 0;
185 
186   // Writes the value of allow_kiosk_app_control_chrome_version policy in
187   // |allow_kiosk_app_control_chrome_version|. Returns true on success.
188   virtual bool GetAllowKioskAppControlChromeVersion(
189       bool* allow_kiosk_app_control_chrome_version) const = 0;
190 
191   // Writes the value of the UsbDetachableWhitelist policy in |usb_whitelist|.
192   // Returns true on success.
193   virtual bool GetUsbDetachableWhitelist(
194       std::vector<UsbDeviceId>* usb_whitelist) const = 0;
195 
196   // Writes the value of the kiosk app id into |app_id_out|.
197   // Only succeeds if the device is in auto-launched kiosk mode.
198   virtual bool GetAutoLaunchedKioskAppId(std::string* app_id_out) const = 0;
199 
200   // Returns true if the policy data indicates that the device is enterprise
201   // managed. Note that this potentially could be faked by an exploit, therefore
202   // InstallAttributesReader must be used when tamper-proof evidence of the
203   // management state is required.
204   virtual bool IsEnterpriseManaged() const = 0;
205 
206   // Writes the value of the DeviceSecondFactorAuthentication policy in
207   // |mode_out|. |mode_out| is one of the values from
208   // DeviceSecondFactorAuthenticationProto's U2fMode enum (e.g. DISABLED,
209   // U2F or U2F_EXTENDED). Returns true on success.
210   virtual bool GetSecondFactorAuthenticationMode(int* mode_out) const = 0;
211 
212   // Writes the valid time intervals to |intervals_out|. These
213   // intervals are taken from the disallowed time intervals field in the
214   // AutoUpdateSettingsProto. Returns true if the intervals in the proto are
215   // valid.
216   virtual bool GetDisallowedTimeIntervals(
217       std::vector<WeeklyTimeInterval>* intervals_out) const = 0;
218 
219   // Writes the value of the DeviceUpdateStagingSchedule policy to
220   // |staging_schedule_out|. Returns true on success.
221   // The schedule is a list of <days, percentage> pairs. The percentages are
222   // expected to be mononically increasing in the range of [1, 100]. Similarly,
223   // days are expected to be monotonically increasing in the range [1, 28]. Each
224   // pair describes the |percentage| of the fleet that is expected to receive an
225   // update after |days| days after an update was discovered. e.g. [<4, 30>, <8,
226   // 100>] means that 30% of devices should be updated in the first 4 days, and
227   // then 100% should be updated after 8 days.
228   virtual bool GetDeviceUpdateStagingSchedule(
229       std::vector<DayPercentagePair>* staging_schedule_out) const = 0;
230 
231   // Writes the value of the DeviceQuickFixBuildToken to
232   // |device_quick_fix_build_token|.
233   // Returns true if it has been written, or false if the policy was not set.
234   virtual bool GetDeviceQuickFixBuildToken(
235       std::string* device_quick_fix_build_token) const = 0;
236 
237   // Writes the value of the Directory API ID to |directory_api_id_out|.
238   // Returns true on success, false if the ID is not available (eg if the device
239   // is not enrolled).
240   virtual bool GetDeviceDirectoryApiId(
241       std::string* directory_api_id_out) const = 0;
242 
243  private:
244   // Verifies that the policy signature is correct.
245   virtual bool VerifyPolicySignature() = 0;
246 
247   DISALLOW_COPY_AND_ASSIGN(DevicePolicy);
248 };
249 }  // namespace policy
250 
251 #pragma GCC visibility pop
252 
253 #endif  // LIBBRILLO_POLICY_DEVICE_POLICY_H_
254