// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/ash/dbus/dlp_files_policy_service_provider.h"
#include <memory>
#include <vector>
#include "base/files/file_path.h"
#include "base/functional/bind.h"
#include "base/logging.h"
#include "chrome/browser/ash/policy/dlp/dlp_files_controller_ash.h"
#include "chrome/browser/chromeos/policy/dlp/dlp_file_destination.h"
#include "chrome/browser/chromeos/policy/dlp/dlp_files_utils.h"
#include "chrome/browser/profiles/profile.h"
#include "chromeos/dbus/dlp/dlp_service.pb.h"
#include "dbus/message.h"
#include "third_party/cros_system_api/dbus/dlp/dbus-constants.h"
#include "url/gurl.h"
namespace ash {
namespace {
// Maps dlp::FileAction proto enum to DlpFilesController::FileAction enum.
policy::dlp::FileAction MapProtoToFileAction(dlp::FileAction file_action) {
switch (file_action) {
case dlp::FileAction::UPLOAD:
return policy::dlp::FileAction::kUpload;
case dlp::FileAction::COPY:
return policy::dlp::FileAction::kCopy;
case dlp::FileAction::MOVE:
return policy::dlp::FileAction::kMove;
case dlp::FileAction::OPEN:
return policy::dlp::FileAction::kOpen;
case dlp::FileAction::SHARE:
return policy::dlp::FileAction::kShare;
case dlp::FileAction::TRANSFER:
return policy::dlp::FileAction::kTransfer;
}
}
// Maps |component| to data_controls::Component.
data_controls::Component MapProtoToPolicyComponent(
::dlp::DlpComponent component) {
switch (component) {
case ::dlp::DlpComponent::ARC:
return data_controls::Component::kArc;
case ::dlp::DlpComponent::CROSTINI:
return data_controls::Component::kCrostini;
case ::dlp::DlpComponent::PLUGIN_VM:
return data_controls::Component::kPluginVm;
case ::dlp::DlpComponent::USB:
return data_controls::Component::kUsb;
case ::dlp::DlpComponent::GOOGLE_DRIVE:
return data_controls::Component::kDrive;
case ::dlp::DlpComponent::MICROSOFT_ONEDRIVE:
return data_controls::Component::kOneDrive;
case ::dlp::DlpComponent::UNKNOWN_COMPONENT:
case ::dlp::DlpComponent::SYSTEM:
return data_controls::Component::kUnknownComponent;
}
}
// Called when restricted files sources are obtained.
void RespondWithRestrictedFilesTransfer(
dbus::MethodCall* method_call,
dbus::ExportedObject::ResponseSender response_sender,
const std::vector<std::pair<policy::DlpFilesControllerAsh::FileDaemonInfo,
dlp::RestrictionLevel>>& requested_files) {
dlp::IsFilesTransferRestrictedResponse response_proto;
for (const auto& [file, level] : requested_files) {
dlp::FileRestriction* files_restriction =
response_proto.add_files_restrictions();
files_restriction->mutable_file_metadata()->set_inode(file.inode);
files_restriction->mutable_file_metadata()->set_crtime(file.crtime);
files_restriction->mutable_file_metadata()->set_path(file.path.value());
files_restriction->mutable_file_metadata()->set_source_url(
file.source_url.spec());
files_restriction->mutable_file_metadata()->set_referrer_url(
file.referrer_url.spec());
files_restriction->set_restriction_level(level);
}
std::unique_ptr<dbus::Response> response =
dbus::Response::FromMethodCall(method_call);
dbus::MessageWriter writer(response.get());
writer.AppendProtoAsArrayOfBytes(response_proto);
std::move(response_sender).Run(std::move(response));
}
// Respond with a single restriction level.
void DirectRespondWithRestrictedFilesTransfer(
dbus::MethodCall* method_call,
dbus::ExportedObject::ResponseSender response_sender,
const std::vector<policy::DlpFilesControllerAsh::FileDaemonInfo>&
files_info,
::dlp::RestrictionLevel restriction_level) {
std::vector<std::pair<policy::DlpFilesControllerAsh::FileDaemonInfo,
dlp::RestrictionLevel>>
response_files;
for (const auto& file : files_info) {
response_files.emplace_back(file, restriction_level);
}
RespondWithRestrictedFilesTransfer(method_call, std::move(response_sender),
std::move(response_files));
}
} // namespace
DlpFilesPolicyServiceProvider::DlpFilesPolicyServiceProvider() = default;
DlpFilesPolicyServiceProvider::~DlpFilesPolicyServiceProvider() = default;
void DlpFilesPolicyServiceProvider::Start(
scoped_refptr<dbus::ExportedObject> exported_object) {
exported_object->ExportMethod(
dlp::kDlpFilesPolicyServiceInterface,
dlp::kDlpFilesPolicyServiceIsDlpPolicyMatchedMethod,
base::BindRepeating(&DlpFilesPolicyServiceProvider::IsDlpPolicyMatched,
weak_ptr_factory_.GetWeakPtr()),
base::BindOnce(&DlpFilesPolicyServiceProvider::OnExported,
weak_ptr_factory_.GetWeakPtr()));
exported_object->ExportMethod(
dlp::kDlpFilesPolicyServiceInterface,
dlp::kDlpFilesPolicyServiceIsFilesTransferRestrictedMethod,
base::BindRepeating(
&DlpFilesPolicyServiceProvider::IsFilesTransferRestricted,
weak_ptr_factory_.GetWeakPtr()),
base::BindOnce(&DlpFilesPolicyServiceProvider::OnExported,
weak_ptr_factory_.GetWeakPtr()));
}
void DlpFilesPolicyServiceProvider::OnExported(
const std::string& interface_name,
const std::string& method_name,
bool success) {
if (!success) {
LOG(ERROR) << "Failed to export " << interface_name << "." << method_name;
}
}
void DlpFilesPolicyServiceProvider::IsDlpPolicyMatched(
dbus::MethodCall* method_call,
dbus::ExportedObject::ResponseSender response_sender) {
dbus::MessageReader reader(method_call);
dlp::IsDlpPolicyMatchedRequest request;
if (!reader.PopArrayOfBytesAsProto(&request)) {
std::move(response_sender)
.Run(dbus::ErrorResponse::FromMethodCall(
method_call, DBUS_ERROR_INVALID_ARGS,
"Unable to parse IsDlpPolicyMatchedRequest"));
return;
}
policy::DlpFilesControllerAsh* files_controller =
policy::DlpFilesControllerAsh::GetForPrimaryProfile();
bool restricted =
files_controller
? files_controller->IsDlpPolicyMatched(
policy::DlpFilesControllerAsh::FileDaemonInfo(
request.file_metadata().inode(),
request.file_metadata().crtime(), base::FilePath(),
request.file_metadata().source_url(),
request.file_metadata().referrer_url()))
: false;
dlp::IsDlpPolicyMatchedResponse response_proto;
response_proto.set_restricted(restricted);
std::unique_ptr<dbus::Response> response =
dbus::Response::FromMethodCall(method_call);
dbus::MessageWriter writer(response.get());
writer.AppendProtoAsArrayOfBytes(response_proto);
std::move(response_sender).Run(std::move(response));
}
void DlpFilesPolicyServiceProvider::IsFilesTransferRestricted(
dbus::MethodCall* method_call,
dbus::ExportedObject::ResponseSender response_sender) {
dbus::MessageReader reader(method_call);
dlp::IsFilesTransferRestrictedRequest request;
if (!reader.PopArrayOfBytesAsProto(&request)) {
std::move(response_sender)
.Run(dbus::ErrorResponse::FromMethodCall(
method_call, DBUS_ERROR_INVALID_ARGS,
"Unable to parse IsFilesTransferRestrictedRequest"));
return;
}
if (!request.has_destination_url() && !request.has_destination_component()) {
std::move(response_sender)
.Run(dbus::ErrorResponse::FromMethodCall(
method_call, DBUS_ERROR_INVALID_ARGS,
"Missing both destination url and component in request"));
return;
}
std::vector<policy::DlpFilesControllerAsh::FileDaemonInfo> files_info;
for (const auto& file : request.transferred_files()) {
if (!file.has_inode() || !file.has_path() || !file.has_source_url()) {
LOG(ERROR) << "Missing file path or file source url";
continue;
}
files_info.emplace_back(file.inode(), file.crtime(),
base::FilePath(file.path()), file.source_url(),
file.referrer_url());
}
// Transfer to local file system or access by system components is always
// allowed.
if (request.has_destination_component() &&
request.destination_component() == dlp::SYSTEM) {
DirectRespondWithRestrictedFilesTransfer(
method_call, std::move(response_sender), files_info,
::dlp::RestrictionLevel::LEVEL_ALLOW);
return;
}
policy::DlpFilesControllerAsh* files_controller =
policy::DlpFilesControllerAsh::GetForPrimaryProfile();
if (!files_controller) {
DirectRespondWithRestrictedFilesTransfer(
method_call, std::move(response_sender), files_info,
::dlp::RestrictionLevel::LEVEL_UNSPECIFIED);
return;
}
std::optional<policy::DlpFileDestination> destination;
if (request.has_destination_component()) {
destination.emplace(
MapProtoToPolicyComponent(request.destination_component()));
} else {
destination.emplace(GURL(request.destination_url()));
}
policy::dlp::FileAction files_action = policy::dlp::FileAction::kTransfer;
if (request.has_file_action()) {
files_action = MapProtoToFileAction(request.file_action());
}
std::optional<file_manager::io_task::IOTaskId> task_id = std::nullopt;
if (request.has_io_task_id()) {
task_id = request.io_task_id();
}
files_controller->IsFilesTransferRestricted(
std::move(task_id), std::move(files_info), std::move(destination.value()),
files_action,
base::BindOnce(&RespondWithRestrictedFilesTransfer, method_call,
std::move(response_sender)));
}
} // namespace ash
Codebase Browser
chromium