Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(427)

Side by Side Diff: chrome/browser/policy/cloud_policy_validator.cc

Issue 10828032: Add DeviceSettingsService. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Oops. Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/policy/cloud_policy_validator.h" 5 #include "chrome/browser/policy/cloud_policy_validator.h"
6 6
7 #include "base/bind.h" 7 #include "base/bind.h"
8 #include "base/bind_helpers.h" 8 #include "base/bind_helpers.h"
9 #include "base/message_loop.h" 9 #include "base/message_loop.h"
10 #include "chrome/browser/policy/cloud_policy_constants.h" 10 #include "chrome/browser/policy/cloud_policy_constants.h"
(...skipping 17 matching lines...) Expand all
28 const uint8 kSignatureAlgorithm[] = { 28 const uint8 kSignatureAlgorithm[] = {
29 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 29 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
30 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00 30 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00
31 }; 31 };
32 32
33 } // namespace 33 } // namespace
34 34
35 CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {} 35 CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {}
36 36
37 void CloudPolicyValidatorBase::ValidateTimestamp(base::Time not_before, 37 void CloudPolicyValidatorBase::ValidateTimestamp(base::Time not_before,
38 base::Time now) { 38 base::Time now,
39 bool allow_missing_timestamp) {
39 // Timestamp should be from the past. We allow for a 1-minute grace interval 40 // Timestamp should be from the past. We allow for a 1-minute grace interval
40 // to cover clock drift. 41 // to cover clock drift.
41 validation_flags_ |= VALIDATE_TIMESTAMP; 42 validation_flags_ |= VALIDATE_TIMESTAMP;
42 timestamp_not_before_ = not_before; 43 timestamp_not_before_ = not_before;
43 timestamp_not_after_ = 44 timestamp_not_after_ =
44 now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds); 45 now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds);
46 allow_missing_timestamp_ = allow_missing_timestamp;
45 } 47 }
46 48
47 void CloudPolicyValidatorBase::ValidateUsername( 49 void CloudPolicyValidatorBase::ValidateUsername(
48 const std::string& expected_user) { 50 const std::string& expected_user) {
49 validation_flags_ |= VALIDATE_USERNAME; 51 validation_flags_ |= VALIDATE_USERNAME;
50 user_ = gaia::CanonicalizeEmail(expected_user); 52 user_ = gaia::CanonicalizeEmail(expected_user);
51 } 53 }
52 54
53 void CloudPolicyValidatorBase::ValidateDomain( 55 void CloudPolicyValidatorBase::ValidateDomain(
54 const std::string& expected_domain) { 56 const std::string& expected_domain) {
55 validation_flags_ |= VALIDATE_DOMAIN; 57 validation_flags_ |= VALIDATE_DOMAIN;
56 domain_ = gaia::CanonicalizeDomain(expected_domain); 58 domain_ = gaia::CanonicalizeDomain(expected_domain);
57 } 59 }
58 60
59 void CloudPolicyValidatorBase::ValidateDMToken(const std::string& token) { 61 void CloudPolicyValidatorBase::ValidateDMToken(const std::string& token) {
60 validation_flags_ |= VALIDATE_TOKEN; 62 validation_flags_ |= VALIDATE_TOKEN;
61 token_ = token; 63 token_ = token;
62 } 64 }
63 65
64 void CloudPolicyValidatorBase::ValidatePolicyType( 66 void CloudPolicyValidatorBase::ValidatePolicyType(
65 const std::string& policy_type) { 67 const std::string& policy_type) {
66 validation_flags_ |= VALIDATE_POLICY_TYPE; 68 validation_flags_ |= VALIDATE_POLICY_TYPE;
67 policy_type_ = policy_type; 69 policy_type_ = policy_type;
68 } 70 }
69 71
70 void CloudPolicyValidatorBase::ValidatePayload() { 72 void CloudPolicyValidatorBase::ValidatePayload() {
71 validation_flags_ |= VALIDATE_PAYLOAD; 73 validation_flags_ |= VALIDATE_PAYLOAD;
72 } 74 }
73 75
74 void CloudPolicyValidatorBase::ValidateSignature(const std::string& key) { 76 void CloudPolicyValidatorBase::ValidateSignature(const std::string& key,
77 bool allow_key_rotation) {
75 validation_flags_ |= VALIDATE_SIGNATURE; 78 validation_flags_ |= VALIDATE_SIGNATURE;
76 key_ = key; 79 key_ = key;
80 allow_key_rotation_ = allow_key_rotation;
77 } 81 }
78 82
79 void CloudPolicyValidatorBase::ValidateInitialKey() { 83 void CloudPolicyValidatorBase::ValidateInitialKey() {
80 validation_flags_ |= VALIDATE_INITIAL_KEY; 84 validation_flags_ |= VALIDATE_INITIAL_KEY;
81 } 85 }
82 86
83 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy( 87 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
84 const em::PolicyData* policy_data) { 88 const em::PolicyData* policy_data,
89 bool allow_missing_timestamp) {
85 base::Time last_policy_timestamp; 90 base::Time last_policy_timestamp;
86 std::string expected_dm_token; 91 std::string expected_dm_token;
87 if (policy_data) { 92 if (policy_data) {
88 last_policy_timestamp = 93 last_policy_timestamp =
89 base::Time::UnixEpoch() + 94 base::Time::UnixEpoch() +
90 base::TimeDelta::FromMilliseconds(policy_data->timestamp()); 95 base::TimeDelta::FromMilliseconds(policy_data->timestamp());
91 expected_dm_token = policy_data->request_token(); 96 expected_dm_token = policy_data->request_token();
92 } 97 }
93 ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime()); 98 ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),
99 allow_missing_timestamp);
94 if (!expected_dm_token.empty()) 100 if (!expected_dm_token.empty())
95 ValidateDMToken(expected_dm_token); 101 ValidateDMToken(expected_dm_token);
96 } 102 }
97 103
98 void CloudPolicyValidatorBase::StartValidation() { 104 void CloudPolicyValidatorBase::StartValidation() {
99 content::BrowserThread::PostTask( 105 content::BrowserThread::PostTask(
100 content::BrowserThread::FILE, FROM_HERE, 106 content::BrowserThread::FILE, FROM_HERE,
101 base::Bind(&CloudPolicyValidatorBase::PerformValidation, 107 base::Bind(&CloudPolicyValidatorBase::PerformValidation,
102 base::Passed(scoped_ptr<CloudPolicyValidatorBase>(this)), 108 base::Passed(scoped_ptr<CloudPolicyValidatorBase>(this)),
103 MessageLoop::current()->message_loop_proxy())); 109 MessageLoop::current()->message_loop_proxy()));
(...skipping 68 matching lines...) Expand 10 before | Expand all | Expand 10 after
172 if (validation_flags_ & kCheckFunctions[i].flag) { 178 if (validation_flags_ & kCheckFunctions[i].flag) {
173 status_ = (this->*(kCheckFunctions[i].checkFunction))(); 179 status_ = (this->*(kCheckFunctions[i].checkFunction))();
174 if (status_ != VALIDATION_OK) 180 if (status_ != VALIDATION_OK)
175 break; 181 break;
176 } 182 }
177 } 183 }
178 } 184 }
179 185
180 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() { 186 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() {
181 std::string signature_key(key_); 187 std::string signature_key(key_);
182 if (policy_->has_new_public_key()) { 188 if (policy_->has_new_public_key() && allow_key_rotation_) {
183 signature_key = policy_->new_public_key(); 189 signature_key = policy_->new_public_key();
184 if (!policy_->has_new_public_key_signature() || 190 if (!policy_->has_new_public_key_signature() ||
185 !VerifySignature(policy_->new_public_key(), key_, 191 !VerifySignature(policy_->new_public_key(), key_,
186 policy_->new_public_key_signature())) { 192 policy_->new_public_key_signature())) {
187 LOG(ERROR) << "New public key signature verification failed"; 193 LOG(ERROR) << "New public key signature verification failed";
188 return VALIDATION_BAD_SIGNATURE; 194 return VALIDATION_BAD_SIGNATURE;
189 } 195 }
190 } 196 }
191 197
192 if (!policy_->has_policy_data_signature() || 198 if (!policy_->has_policy_data_signature() ||
(...skipping 22 matching lines...) Expand all
215 if (!policy_data_->has_policy_type() || 221 if (!policy_data_->has_policy_type() ||
216 policy_data_->policy_type() != policy_type_) { 222 policy_data_->policy_type() != policy_type_) {
217 LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type(); 223 LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type();
218 return VALIDATION_WRONG_POLICY_TYPE; 224 return VALIDATION_WRONG_POLICY_TYPE;
219 } 225 }
220 226
221 return VALIDATION_OK; 227 return VALIDATION_OK;
222 } 228 }
223 229
224 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() { 230 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {
231 if (!policy_data_->has_timestamp()) {
232 if (allow_missing_timestamp_) {
233 return VALIDATION_OK;
234 } else {
235 LOG(ERROR) << "Policy timestamp missing";
236 return VALIDATION_BAD_TIMESTAMP;
237 }
238 }
239
225 base::Time policy_time = 240 base::Time policy_time =
226 base::Time::UnixEpoch() + 241 base::Time::UnixEpoch() +
227 base::TimeDelta::FromMilliseconds(policy_data_->timestamp()); 242 base::TimeDelta::FromMilliseconds(policy_data_->timestamp());
228 if (!policy_data_->has_timestamp()) {
229 LOG(ERROR) << "Policy timestamp missing";
230 return VALIDATION_BAD_TIMESTAMP;
231 }
232 if (policy_time < timestamp_not_before_) { 243 if (policy_time < timestamp_not_before_) {
233 LOG(ERROR) << "Policy too old: " << policy_data_->timestamp(); 244 LOG(ERROR) << "Policy too old: " << policy_data_->timestamp();
234 return VALIDATION_BAD_TIMESTAMP; 245 return VALIDATION_BAD_TIMESTAMP;
235 } 246 }
236 if (policy_time > timestamp_not_after_) { 247 if (policy_time > timestamp_not_after_) {
237 LOG(ERROR) << "Policy in the future: " << policy_data_->timestamp(); 248 LOG(ERROR) << "Policy in the future: " << policy_data_->timestamp();
238 return VALIDATION_BAD_TIMESTAMP; 249 return VALIDATION_BAD_TIMESTAMP;
239 } 250 }
240 251
241 return VALIDATION_OK; 252 return VALIDATION_OK;
(...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after
338 : CloudPolicyValidatorBase(policy_response.Pass(), payload.get(), 349 : CloudPolicyValidatorBase(policy_response.Pass(), payload.get(),
339 base::Bind(completion_callback, this)), 350 base::Bind(completion_callback, this)),
340 payload_(payload.Pass()) {} 351 payload_(payload.Pass()) {}
341 352
342 template class CloudPolicyValidator< 353 template class CloudPolicyValidator<
343 enterprise_management::ChromeDeviceSettingsProto>; 354 enterprise_management::ChromeDeviceSettingsProto>;
344 template class CloudPolicyValidator< 355 template class CloudPolicyValidator<
345 enterprise_management::CloudPolicySettings>; 356 enterprise_management::CloudPolicySettings>;
346 357
347 } // namespace policy 358 } // namespace policy
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698