# Policy Invalidate / Refresh Checking the policy invalidation and refresh. ## How policy is updated There are mainly two paths. Once is from server sending invalidation request. Second is periodic policy update. [PolicyFetchReason](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/policy_types.h;l=120;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) is a list of the reason to update the policy. We can see [kInvalidation](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/policy_types.h;l=129;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) as the policy fetch triggered by incoming FCM invalidation. [kScheduled](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/policy_types.h;l=148;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) represents the latter once, according to the comment, it runs once per day. In either way, [PerformRefresh](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc;l=367;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) will be called to run [CloudPolicyService::RefreshPolicy](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_service.cc;l=50;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc). ## Invalidation [CloudPolicyInvalidator](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/policy/cloud/cloud_policy_invalidator.h;l=37;drc=fe132eeb21687c455d695d6af346f15454828d01) listens the policy invalidation request. [OnIncomingInvalidation](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/policy/cloud/cloud_policy_invalidator.cc;l=219;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) is the [InvalidationHandler](https://source.chromium.org/chromium/chromium/src/+/main:components/invalidation/public/invalidation_handler.h;l=19;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) observer and called from [FCMInvalidationService](https://source.chromium.org/chromium/chromium/src/+/main:components/invalidation/impl/fcm_invalidation_service.cc;l=157;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc). This observer will [HandleInvalidation](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/policy/cloud/cloud_policy_invalidator.cc;l=297;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc). Invalidation request is managed as [invalidation::Invalidation](https://source.chromium.org/chromium/chromium/src/+/main:components/invalidation/public/invalidation.h;l=24;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) class and has a corresponding `version_` value. If the incoming invalidation versin is older than [`invalidation_version_`](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/policy/cloud/cloud_policy_invalidator.h;l=217;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) which stores the latest invalidation received, we can ignore the old invalidation. Or if it's older than `highest_handled_invalidation_version_`, it implies that the incoming invalidation is already handled. On invalidate, we call [AcknowledgeInvalidation](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/policy/cloud/cloud_policy_invalidator.cc;l=454;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) and send back [Acknowledge](https://source.chromium.org/chromium/chromium/src/+/main:components/invalidation/public/invalidation.cc;l=51;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) message to the server. In the end, it posts [RefreshPolicy](https://source.chromium.org/chromium/chromium/src/+/main:chrome/browser/policy/cloud/cloud_policy_invalidator.cc;l=359;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) as a delayed task. This is delayed because we want to prevent the cloud policy server from becoming overwhelmed when a policy with many users is modified. ## Scheduled update [PolicyFetchReason::kSchedule refresh](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc;l=290;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) is triggered when DM_STATUS_SUCCESS. If so, the policy refresh delay will be [GetActualRefreshDelay](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc;l=126;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc). It's almost the same as [kWithInvalidationsRefreshDelayMs](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_refresh_scheduler.cc;l=73;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) which is `24*60*60*1000`, 1 day. ## Scheduler [CloudPolicyRefreshScheduler](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_refresh_scheduler.h;l=58;drc=8562867d06aade4cb81009c9870a73105622a653) observes CloudPolicyClient and CloudPolicyStore. [CloudPolicyClient](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_client.h;l=59;drc=040898c60b5364f019c0103da033146a4d3243e7) implements the core logic to talk to the device management service. Policy validation stuff is assumed to be already done when coming here. [CloudPolicyClient::Observer](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_client.h;l=95;drc=040898c60b5364f019c0103da033146a4d3243e7) observers the policy changes. On the other hand, [CloudPolicyStore](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_store.h;l=34;drc=7a196dcb7a8bfbd8d5787ffd68b99220810cc5ae) defines the low-level interface used by the cloud policy code. It validates and decodes the policy blobs. There cloud be a case where the policy is invalid, cannot be parsed or cannot be serialized. [Status](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_store.h;l=37;drc=7a196dcb7a8bfbd8d5787ffd68b99220810cc5ae) represents each status. On refresh, it fetches policy. [CloudPolicyClient::FetchPolicy](https://source.chromium.org/chromium/chromium/src/+/main:components/policy/core/common/cloud/cloud_policy_client.cc;l=534;drc=d7d69375c25df2dc3980e6a4edc5d032ec940efc) is a client method.