Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(62)

Side by Side Diff: chrome/browser/policy/cloud_policy_validator.h

Issue 10828032: Add DeviceSettingsService. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Oops. Created 8 years, 4 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_ 5 #ifndef CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_
6 #define CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_ 6 #define CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_
7 7
8 #include <string> 8 #include <string>
9 9
10 #include "base/basictypes.h" 10 #include "base/basictypes.h"
(...skipping 59 matching lines...) Expand 10 before | Expand all | Expand 10 after
70 // references, so ownership can be passed on once validation is complete. 70 // references, so ownership can be passed on once validation is complete.
71 scoped_ptr<enterprise_management::PolicyFetchResponse>& policy() { 71 scoped_ptr<enterprise_management::PolicyFetchResponse>& policy() {
72 return policy_; 72 return policy_;
73 } 73 }
74 scoped_ptr<enterprise_management::PolicyData>& policy_data() { 74 scoped_ptr<enterprise_management::PolicyData>& policy_data() {
75 return policy_data_; 75 return policy_data_;
76 } 76 }
77 77
78 // Instructs the validator to check that the policy timestamp is not before 78 // Instructs the validator to check that the policy timestamp is not before
79 // |not_before| and not after |now| + grace interval. 79 // |not_before| and not after |now| + grace interval.
80 void ValidateTimestamp(base::Time not_before, base::Time now); 80 void ValidateTimestamp(base::Time not_before,
81 base::Time now,
82 bool allow_missing_timestamp);
81 83
82 // Validates the username in the policy blob matches |expected_user|. 84 // Validates the username in the policy blob matches |expected_user|.
83 void ValidateUsername(const std::string& expected_user); 85 void ValidateUsername(const std::string& expected_user);
84 86
85 // Validates the policy blob is addressed to |expected_domain|. This uses the 87 // Validates the policy blob is addressed to |expected_domain|. This uses the
86 // domain part of the username field in the policy for the check. 88 // domain part of the username field in the policy for the check.
87 void ValidateDomain(const std::string& expected_domain); 89 void ValidateDomain(const std::string& expected_domain);
88 90
89 // Makes sure the DM token on the policy matches |expected_token|. 91 // Makes sure the DM token on the policy matches |expected_token|.
90 void ValidateDMToken(const std::string& dm_token); 92 void ValidateDMToken(const std::string& dm_token);
91 93
92 // Validates the policy type. 94 // Validates the policy type.
93 void ValidatePolicyType(const std::string& policy_type); 95 void ValidatePolicyType(const std::string& policy_type);
94 96
95 // Validates that the payload can be decoded successfully. 97 // Validates that the payload can be decoded successfully.
96 void ValidatePayload(); 98 void ValidatePayload();
97 99
98 // Verifies that the signature on the policy blob verifies against |key|. If 100 // Verifies that the signature on the policy blob verifies against |key|. If |
99 // there is a key rotation present in the policy blob, this checks the 101 // |allow_key_rotation| is true and there is a key rotation present in the
100 // signature on the new key against |key| and the policy blob against the new 102 // policy blob, this checks the signature on the new key against |key| and the
101 // key. 103 // policy blob against the new key.
102 void ValidateSignature(const std::string& key); 104 void ValidateSignature(const std::string& key, bool allow_key_rotation);
103 105
104 // Similar to StartSignatureVerification(), this checks the signature on the 106 // Similar to StartSignatureVerification(), this checks the signature on the
105 // policy blob. However, this variant expects a new policy key set in the 107 // policy blob. However, this variant expects a new policy key set in the
106 // policy blob and makes sure the policy is signed using that key. This should 108 // policy blob and makes sure the policy is signed using that key. This should
107 // be called at setup time when there is no existing policy key present to 109 // be called at setup time when there is no existing policy key present to
108 // check against. 110 // check against.
109 void ValidateInitialKey(); 111 void ValidateInitialKey();
110 112
111 // Convenience helper that configures timestamp and token validation based on 113 // Convenience helper that configures timestamp and token validation based on
112 // the current policy blob. |policy_data| may be NULL, in which case the 114 // the current policy blob. |policy_data| may be NULL, in which case the
113 // timestamp validation will drop the lower bound and no token validation will 115 // timestamp validation will drop the lower bound and no token validation will
114 // be configured. 116 // be configured.
115 void ValidateAgainstCurrentPolicy( 117 void ValidateAgainstCurrentPolicy(
116 const enterprise_management::PolicyData* policy_data); 118 const enterprise_management::PolicyData* policy_data,
119 bool allow_missing_timestamp);
117 120
118 // Kicks off validation. From this point on, the validator manages its own 121 // Kicks off validation. From this point on, the validator manages its own
119 // lifetime. |completion_callback| is invoked when done. 122 // lifetime. |completion_callback| is invoked when done.
120 void StartValidation(); 123 void StartValidation();
121 124
122 protected: 125 protected:
123 // Create a new validator that checks |policy_response|. |payload| is the 126 // Create a new validator that checks |policy_response|. |payload| is the
124 // message that the policy payload will be parsed to, and it needs to stay 127 // message that the policy payload will be parsed to, and it needs to stay
125 // valid for the lifetime of the validator. 128 // valid for the lifetime of the validator.
126 CloudPolicyValidatorBase( 129 CloudPolicyValidatorBase(
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
169 172
170 Status status_; 173 Status status_;
171 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 174 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
172 scoped_ptr<enterprise_management::PolicyData> policy_data_; 175 scoped_ptr<enterprise_management::PolicyData> policy_data_;
173 google::protobuf::MessageLite* payload_; 176 google::protobuf::MessageLite* payload_;
174 base::Closure completion_callback_; 177 base::Closure completion_callback_;
175 178
176 int validation_flags_; 179 int validation_flags_;
177 base::Time timestamp_not_before_; 180 base::Time timestamp_not_before_;
178 base::Time timestamp_not_after_; 181 base::Time timestamp_not_after_;
182 bool allow_missing_timestamp_;
179 std::string user_; 183 std::string user_;
180 std::string domain_; 184 std::string domain_;
181 std::string token_; 185 std::string token_;
182 std::string policy_type_; 186 std::string policy_type_;
183 std::string key_; 187 std::string key_;
188 bool allow_key_rotation_;
184 189
185 DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidatorBase); 190 DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidatorBase);
186 }; 191 };
187 192
188 // A simple type-parameterized extension of CloudPolicyValidator that 193 // A simple type-parameterized extension of CloudPolicyValidator that
189 // facilitates working with the actual protobuf payload type. 194 // facilitates working with the actual protobuf payload type.
190 template<typename PayloadProto> 195 template<typename PayloadProto>
191 class CloudPolicyValidator : public CloudPolicyValidatorBase { 196 class CloudPolicyValidator : public CloudPolicyValidatorBase {
192 public: 197 public:
193 typedef base::Callback<void(CloudPolicyValidator<PayloadProto>*)> 198 typedef base::Callback<void(CloudPolicyValidator<PayloadProto>*)>
(...skipping 22 matching lines...) Expand all
216 }; 221 };
217 222
218 typedef CloudPolicyValidator<enterprise_management::ChromeDeviceSettingsProto> 223 typedef CloudPolicyValidator<enterprise_management::ChromeDeviceSettingsProto>
219 DeviceCloudPolicyValidator; 224 DeviceCloudPolicyValidator;
220 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings> 225 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings>
221 UserCloudPolicyValidator; 226 UserCloudPolicyValidator;
222 227
223 } // namespace policy 228 } // namespace policy
224 229
225 #endif // CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_ 230 #endif // CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698