Add immutable settings checks when handling policy.

chrome/browser/policy/device_policy_cache.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/device_policy_cache.h"
 
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "base/logging.h"
 #include "base/task.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/cros_settings_names.h"
 #include "chrome/browser/chromeos/login/ownership_service.h"
 #include "chrome/browser/chromeos/login/signed_settings_helper.h"
 #include "chrome/browser/chromeos/user_cros_settings_provider.h"
 #include "chrome/browser/policy/configuration_policy_pref_store.h"
 #include "chrome/browser/policy/device_policy_identity_strategy.h"
+#include "chrome/browser/policy/enterprise_install_attributes.h"
 #include "chrome/browser/policy/policy_map.h"
 #include "chrome/browser/policy/proto/device_management_backend.pb.h"
 #include "chrome/browser/policy/proto/device_management_constants.h"
 #include "chrome/browser/policy/proto/device_management_local.pb.h"
 #include "content/browser/browser_thread.h"
 #include "policy/configuration_policy_type.h"
 
 namespace {
 
 // Stores policy, updates the owner key if required and reports the status
@@ skipping 74 matching lines @@
   }
 
   return Value::CreateIntegerValue(static_cast<int>(value));
 }
 
 }  // namespace
 
 namespace policy {
 
 DevicePolicyCache::DevicePolicyCache(
-    DevicePolicyIdentityStrategy* identity_strategy)
+    DevicePolicyIdentityStrategy* identity_strategy,
+    EnterpriseInstallAttributes* install_attributes)
     : identity_strategy_(identity_strategy),
+      install_attributes_(install_attributes),
       signed_settings_helper_(chromeos::SignedSettingsHelper::Get()),
       starting_up_(true),
       ALLOW_THIS_IN_INITIALIZER_LIST(callback_factory_(this)) {
+  // Do an opportunistic check with immutable attributes at startup.
+  install_attributes_->IsEnterpriseDevice();

[pastarmovj, 2011/04/17 15:20:46]

I can imagine this will fail most of the time until the TPM has been
initialized. It might be better to do this with in a two step. Here call the
some Tpm function like is TpmIsOwned and then post delayed task a few hundred
milliseconds later.

[Mattias Nissler (ping if slow), 2011/04/18 09:56:35]

I guess it's not worth the effort, let's just drop this line. Done.

 }
 
 DevicePolicyCache::DevicePolicyCache(
     DevicePolicyIdentityStrategy* identity_strategy,
+    EnterpriseInstallAttributes* install_attributes,
     chromeos::SignedSettingsHelper* signed_settings_helper)
     : identity_strategy_(identity_strategy),
+      install_attributes_(install_attributes),
       signed_settings_helper_(signed_settings_helper),
       starting_up_(true),
       ALLOW_THIS_IN_INITIALIZER_LIST(callback_factory_(this)) {
 }
 
 DevicePolicyCache::~DevicePolicyCache() {
   signed_settings_helper_->CancelCallback(this);
 }
 
 void DevicePolicyCache::Load() {
   signed_settings_helper_->StartRetrievePolicyOp(this);
 }
 
 void DevicePolicyCache::SetPolicy(const em::PolicyFetchResponse& policy) {
   DCHECK(!starting_up_);
+
+  // Make sure we have an enterprise device.
+  std::string registration_user(install_attributes_->GetRegistrationUser());
+  if (registration_user.empty()) {
+    LOG(WARNING) << "Refusing to accept policy on non-enterprise device.";
+    InformNotifier(CloudPolicySubsystem::LOCAL_ERROR,
+                   CloudPolicySubsystem::POLICY_LOCAL_ERROR);
+    return;
+  }
+
+  // Check the user this policy is for against the device-locked name.
+  em::PolicyData policy_data;
+  if (!policy_data.ParseFromString(policy.policy_data())) {
+    LOG(WARNING) << "Invalid policy protobuf";
+    InformNotifier(CloudPolicySubsystem::LOCAL_ERROR,
+                   CloudPolicySubsystem::POLICY_LOCAL_ERROR);
+    return;
+  }
+
+  if (registration_user != policy_data.username()) {
+    LOG(WARNING) << "Refusing policy blob for " << policy_data.username()
+                 << " which doesn't match " << registration_user;
+    InformNotifier(CloudPolicySubsystem::LOCAL_ERROR,
+                   CloudPolicySubsystem::POLICY_LOCAL_ERROR);
+    return;
+  }
+
   set_last_policy_refresh_time(base::Time::NowFromSystemTime());
 
   // Start a store operation.
   new StorePolicyOperation(signed_settings_helper_,
                            policy,
                            callback_factory_.NewCallback(
                                &DevicePolicyCache::PolicyStoreOpCompleted));
 }
 
 void DevicePolicyCache::SetUnmanaged() {
@@ skipping 93 matching lines @@
     const em::DevicePolicyRefreshRateProto container =
         policy.policy_refresh_rate();
     if (container.has_policy_refresh_rate()) {
       mandatory->Set(kPolicyPolicyRefreshRate,
                      DecodeIntegerValue(container.policy_refresh_rate()));
     }
   }
 }
 
 }  // namespace policy