Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(374)

Unified Diff: chrome/browser/policy/cloud_policy_validator.cc

Issue 10828032: Add DeviceSettingsService. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 8 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
Index: chrome/browser/policy/cloud_policy_validator.cc
diff --git a/chrome/browser/policy/cloud_policy_validator.cc b/chrome/browser/policy/cloud_policy_validator.cc
index 6609cb91371345dbc9d0864886f50f27c10f956e..8ee7841cff4164e2d9c3d82cd2b4db9b3ab8fba0 100644
--- a/chrome/browser/policy/cloud_policy_validator.cc
+++ b/chrome/browser/policy/cloud_policy_validator.cc
@@ -35,13 +35,15 @@ const uint8 kSignatureAlgorithm[] = {
CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {}
void CloudPolicyValidatorBase::ValidateTimestamp(base::Time not_before,
- base::Time now) {
+ base::Time now,
+ bool allow_missing_timestamp) {
// Timestamp should be from the past. We allow for a 1-minute grace interval
// to cover clock drift.
validation_flags_ |= VALIDATE_TIMESTAMP;
timestamp_not_before_ = not_before;
timestamp_not_after_ =
now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds);
+ allow_missing_timestamp_ = allow_missing_timestamp;
}
void CloudPolicyValidatorBase::ValidateUsername(
@@ -71,9 +73,11 @@ void CloudPolicyValidatorBase::ValidatePayload() {
validation_flags_ |= VALIDATE_PAYLOAD;
}
-void CloudPolicyValidatorBase::ValidateSignature(const std::string& key) {
+void CloudPolicyValidatorBase::ValidateSignature(const std::string& key,
+ bool allow_key_rotation) {
validation_flags_ |= VALIDATE_SIGNATURE;
key_ = key;
+ allow_key_rotation_ = allow_key_rotation;
}
void CloudPolicyValidatorBase::ValidateInitialKey() {
@@ -81,7 +85,8 @@ void CloudPolicyValidatorBase::ValidateInitialKey() {
}
void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
- const em::PolicyData* policy_data) {
+ const em::PolicyData* policy_data,
+ bool allow_missing_timestamp) {
base::Time last_policy_timestamp;
std::string expected_dm_token;
if (policy_data) {
@@ -90,7 +95,8 @@ void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
base::TimeDelta::FromMilliseconds(policy_data->timestamp());
expected_dm_token = policy_data->request_token();
}
- ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime());
+ ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),
+ allow_missing_timestamp);
if (!expected_dm_token.empty())
ValidateDMToken(expected_dm_token);
}
@@ -179,7 +185,7 @@ void CloudPolicyValidatorBase::RunChecks() {
CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() {
std::string signature_key(key_);
- if (policy_->has_new_public_key()) {
+ if (policy_->has_new_public_key() && allow_key_rotation_) {
signature_key = policy_->new_public_key();
if (!policy_->has_new_public_key_signature() ||
!VerifySignature(policy_->new_public_key(), key_,
@@ -222,13 +228,18 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPolicyType() {
}
CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {
+ if (!policy_data_->has_timestamp()) {
+ if (allow_missing_timestamp_) {
+ return VALIDATION_OK;
+ } else {
+ LOG(ERROR) << "Policy timestamp missing";
+ return VALIDATION_BAD_TIMESTAMP;
+ }
+ }
+
base::Time policy_time =
base::Time::UnixEpoch() +
base::TimeDelta::FromMilliseconds(policy_data_->timestamp());
- if (!policy_data_->has_timestamp()) {
- LOG(ERROR) << "Policy timestamp missing";
- return VALIDATION_BAD_TIMESTAMP;
- }
if (policy_time < timestamp_not_before_) {
LOG(ERROR) << "Policy too old: " << policy_data_->timestamp();
return VALIDATION_BAD_TIMESTAMP;

Powered by Google App Engine
This is Rietveld 408576698