| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/policy/cloud_policy_validator.h" | 5 #include "chrome/browser/policy/cloud_policy_validator.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/message_loop.h" | 9 #include "base/message_loop.h" |
| 10 #include "chrome/browser/policy/cloud_policy_constants.h" | 10 #include "chrome/browser/policy/cloud_policy_constants.h" |
| (...skipping 17 matching lines...) Expand all Loading... |
| 28 const uint8 kSignatureAlgorithm[] = { | 28 const uint8 kSignatureAlgorithm[] = { |
| 29 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, | 29 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, |
| 30 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00 | 30 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00 |
| 31 }; | 31 }; |
| 32 | 32 |
| 33 } // namespace | 33 } // namespace |
| 34 | 34 |
| 35 CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {} | 35 CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {} |
| 36 | 36 |
| 37 void CloudPolicyValidatorBase::ValidateTimestamp(base::Time not_before, | 37 void CloudPolicyValidatorBase::ValidateTimestamp(base::Time not_before, |
| 38 base::Time now) { | 38 base::Time now, |
| 39 bool allow_missing_timestamp) { |
| 39 // Timestamp should be from the past. We allow for a 1-minute grace interval | 40 // Timestamp should be from the past. We allow for a 1-minute grace interval |
| 40 // to cover clock drift. | 41 // to cover clock drift. |
| 41 validation_flags_ |= VALIDATE_TIMESTAMP; | 42 validation_flags_ |= VALIDATE_TIMESTAMP; |
| 42 timestamp_not_before_ = not_before; | 43 timestamp_not_before_ = not_before; |
| 43 timestamp_not_after_ = | 44 timestamp_not_after_ = |
| 44 now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds); | 45 now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds); |
| 46 allow_missing_timestamp_ = allow_missing_timestamp; |
| 45 } | 47 } |
| 46 | 48 |
| 47 void CloudPolicyValidatorBase::ValidateUsername( | 49 void CloudPolicyValidatorBase::ValidateUsername( |
| 48 const std::string& expected_user) { | 50 const std::string& expected_user) { |
| 49 validation_flags_ |= VALIDATE_USERNAME; | 51 validation_flags_ |= VALIDATE_USERNAME; |
| 50 user_ = gaia::CanonicalizeEmail(expected_user); | 52 user_ = gaia::CanonicalizeEmail(expected_user); |
| 51 } | 53 } |
| 52 | 54 |
| 53 void CloudPolicyValidatorBase::ValidateDomain( | 55 void CloudPolicyValidatorBase::ValidateDomain( |
| 54 const std::string& expected_domain) { | 56 const std::string& expected_domain) { |
| 55 validation_flags_ |= VALIDATE_DOMAIN; | 57 validation_flags_ |= VALIDATE_DOMAIN; |
| 56 domain_ = gaia::CanonicalizeDomain(expected_domain); | 58 domain_ = gaia::CanonicalizeDomain(expected_domain); |
| 57 } | 59 } |
| 58 | 60 |
| 59 void CloudPolicyValidatorBase::ValidateDMToken(const std::string& token) { | 61 void CloudPolicyValidatorBase::ValidateDMToken(const std::string& token) { |
| 60 validation_flags_ |= VALIDATE_TOKEN; | 62 validation_flags_ |= VALIDATE_TOKEN; |
| 61 token_ = token; | 63 token_ = token; |
| 62 } | 64 } |
| 63 | 65 |
| 64 void CloudPolicyValidatorBase::ValidatePolicyType( | 66 void CloudPolicyValidatorBase::ValidatePolicyType( |
| 65 const std::string& policy_type) { | 67 const std::string& policy_type) { |
| 66 validation_flags_ |= VALIDATE_POLICY_TYPE; | 68 validation_flags_ |= VALIDATE_POLICY_TYPE; |
| 67 policy_type_ = policy_type; | 69 policy_type_ = policy_type; |
| 68 } | 70 } |
| 69 | 71 |
| 70 void CloudPolicyValidatorBase::ValidatePayload() { | 72 void CloudPolicyValidatorBase::ValidatePayload() { |
| 71 validation_flags_ |= VALIDATE_PAYLOAD; | 73 validation_flags_ |= VALIDATE_PAYLOAD; |
| 72 } | 74 } |
| 73 | 75 |
| 74 void CloudPolicyValidatorBase::ValidateSignature(const std::string& key) { | 76 void CloudPolicyValidatorBase::ValidateSignature(const std::string& key, |
| 77 bool allow_key_rotation) { |
| 75 validation_flags_ |= VALIDATE_SIGNATURE; | 78 validation_flags_ |= VALIDATE_SIGNATURE; |
| 76 key_ = key; | 79 key_ = key; |
| 80 allow_key_rotation_ = allow_key_rotation; |
| 77 } | 81 } |
| 78 | 82 |
| 79 void CloudPolicyValidatorBase::ValidateInitialKey() { | 83 void CloudPolicyValidatorBase::ValidateInitialKey() { |
| 80 validation_flags_ |= VALIDATE_INITIAL_KEY; | 84 validation_flags_ |= VALIDATE_INITIAL_KEY; |
| 81 } | 85 } |
| 82 | 86 |
| 83 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy( | 87 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy( |
| 84 const em::PolicyData* policy_data) { | 88 const em::PolicyData* policy_data, |
| 89 bool allow_missing_timestamp) { |
| 85 base::Time last_policy_timestamp; | 90 base::Time last_policy_timestamp; |
| 86 std::string expected_dm_token; | 91 std::string expected_dm_token; |
| 87 if (policy_data) { | 92 if (policy_data) { |
| 88 last_policy_timestamp = | 93 last_policy_timestamp = |
| 89 base::Time::UnixEpoch() + | 94 base::Time::UnixEpoch() + |
| 90 base::TimeDelta::FromMilliseconds(policy_data->timestamp()); | 95 base::TimeDelta::FromMilliseconds(policy_data->timestamp()); |
| 91 expected_dm_token = policy_data->request_token(); | 96 expected_dm_token = policy_data->request_token(); |
| 92 } | 97 } |
| 93 ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime()); | 98 ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(), |
| 99 allow_missing_timestamp); |
| 94 if (!expected_dm_token.empty()) | 100 if (!expected_dm_token.empty()) |
| 95 ValidateDMToken(expected_dm_token); | 101 ValidateDMToken(expected_dm_token); |
| 96 } | 102 } |
| 97 | 103 |
| 98 void CloudPolicyValidatorBase::StartValidation() { | 104 void CloudPolicyValidatorBase::StartValidation() { |
| 99 content::BrowserThread::PostTask( | 105 content::BrowserThread::PostTask( |
| 100 content::BrowserThread::FILE, FROM_HERE, | 106 content::BrowserThread::FILE, FROM_HERE, |
| 101 base::Bind(&CloudPolicyValidatorBase::PerformValidation, | 107 base::Bind(&CloudPolicyValidatorBase::PerformValidation, |
| 102 base::Passed(scoped_ptr<CloudPolicyValidatorBase>(this)), | 108 base::Passed(scoped_ptr<CloudPolicyValidatorBase>(this)), |
| 103 MessageLoop::current()->message_loop_proxy())); | 109 MessageLoop::current()->message_loop_proxy())); |
| (...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 172 if (validation_flags_ & kCheckFunctions[i].flag) { | 178 if (validation_flags_ & kCheckFunctions[i].flag) { |
| 173 status_ = (this->*(kCheckFunctions[i].checkFunction))(); | 179 status_ = (this->*(kCheckFunctions[i].checkFunction))(); |
| 174 if (status_ != VALIDATION_OK) | 180 if (status_ != VALIDATION_OK) |
| 175 break; | 181 break; |
| 176 } | 182 } |
| 177 } | 183 } |
| 178 } | 184 } |
| 179 | 185 |
| 180 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() { | 186 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() { |
| 181 std::string signature_key(key_); | 187 std::string signature_key(key_); |
| 182 if (policy_->has_new_public_key()) { | 188 if (policy_->has_new_public_key() && allow_key_rotation_) { |
| 183 signature_key = policy_->new_public_key(); | 189 signature_key = policy_->new_public_key(); |
| 184 if (!policy_->has_new_public_key_signature() || | 190 if (!policy_->has_new_public_key_signature() || |
| 185 !VerifySignature(policy_->new_public_key(), key_, | 191 !VerifySignature(policy_->new_public_key(), key_, |
| 186 policy_->new_public_key_signature())) { | 192 policy_->new_public_key_signature())) { |
| 187 LOG(ERROR) << "New public key signature verification failed"; | 193 LOG(ERROR) << "New public key signature verification failed"; |
| 188 return VALIDATION_BAD_SIGNATURE; | 194 return VALIDATION_BAD_SIGNATURE; |
| 189 } | 195 } |
| 190 } | 196 } |
| 191 | 197 |
| 192 if (!policy_->has_policy_data_signature() || | 198 if (!policy_->has_policy_data_signature() || |
| (...skipping 22 matching lines...) Expand all Loading... |
| 215 if (!policy_data_->has_policy_type() || | 221 if (!policy_data_->has_policy_type() || |
| 216 policy_data_->policy_type() != policy_type_) { | 222 policy_data_->policy_type() != policy_type_) { |
| 217 LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type(); | 223 LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type(); |
| 218 return VALIDATION_WRONG_POLICY_TYPE; | 224 return VALIDATION_WRONG_POLICY_TYPE; |
| 219 } | 225 } |
| 220 | 226 |
| 221 return VALIDATION_OK; | 227 return VALIDATION_OK; |
| 222 } | 228 } |
| 223 | 229 |
| 224 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() { | 230 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() { |
| 231 if (!policy_data_->has_timestamp()) { |
| 232 if (allow_missing_timestamp_) { |
| 233 return VALIDATION_OK; |
| 234 } else { |
| 235 LOG(ERROR) << "Policy timestamp missing"; |
| 236 return VALIDATION_BAD_TIMESTAMP; |
| 237 } |
| 238 } |
| 239 |
| 225 base::Time policy_time = | 240 base::Time policy_time = |
| 226 base::Time::UnixEpoch() + | 241 base::Time::UnixEpoch() + |
| 227 base::TimeDelta::FromMilliseconds(policy_data_->timestamp()); | 242 base::TimeDelta::FromMilliseconds(policy_data_->timestamp()); |
| 228 if (!policy_data_->has_timestamp()) { | |
| 229 LOG(ERROR) << "Policy timestamp missing"; | |
| 230 return VALIDATION_BAD_TIMESTAMP; | |
| 231 } | |
| 232 if (policy_time < timestamp_not_before_) { | 243 if (policy_time < timestamp_not_before_) { |
| 233 LOG(ERROR) << "Policy too old: " << policy_data_->timestamp(); | 244 LOG(ERROR) << "Policy too old: " << policy_data_->timestamp(); |
| 234 return VALIDATION_BAD_TIMESTAMP; | 245 return VALIDATION_BAD_TIMESTAMP; |
| 235 } | 246 } |
| 236 if (policy_time > timestamp_not_after_) { | 247 if (policy_time > timestamp_not_after_) { |
| 237 LOG(ERROR) << "Policy in the future: " << policy_data_->timestamp(); | 248 LOG(ERROR) << "Policy in the future: " << policy_data_->timestamp(); |
| 238 return VALIDATION_BAD_TIMESTAMP; | 249 return VALIDATION_BAD_TIMESTAMP; |
| 239 } | 250 } |
| 240 | 251 |
| 241 return VALIDATION_OK; | 252 return VALIDATION_OK; |
| (...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 338 : CloudPolicyValidatorBase(policy_response.Pass(), payload.get(), | 349 : CloudPolicyValidatorBase(policy_response.Pass(), payload.get(), |
| 339 base::Bind(completion_callback, this)), | 350 base::Bind(completion_callback, this)), |
| 340 payload_(payload.Pass()) {} | 351 payload_(payload.Pass()) {} |
| 341 | 352 |
| 342 template class CloudPolicyValidator< | 353 template class CloudPolicyValidator< |
| 343 enterprise_management::ChromeDeviceSettingsProto>; | 354 enterprise_management::ChromeDeviceSettingsProto>; |
| 344 template class CloudPolicyValidator< | 355 template class CloudPolicyValidator< |
| 345 enterprise_management::CloudPolicySettings>; | 356 enterprise_management::CloudPolicySettings>; |
| 346 | 357 |
| 347 } // namespace policy | 358 } // namespace policy |
| OLD | NEW |