
Side by Side Diff: bin/entdwife.sh

Issue 6874035: entd: require a per-entd-invocation session id in every request (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/entd.git@master
Patch Set: few more bug fixes Created 9 years, 8 months ago
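--- a/bin/entdwife.sh
+++ b/bin/entdwife.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 # This script is temporary front-end to entd. It validates the policy's
 # signature before starting the daemon. If the signing certificate or
 # signature to not validate, then this script will log an error to syslog
 # and exit without starting entd.
 #
@@ -251,34 +251,57 @@
 log "Can't start enterprise daemon, no username provided."
 return 1
 fi
 
 local domain="$(echo "$FLAGS_username" | cut -f2 -d'@')"
 if [ "$domain" = "gmail.com" ]; then
 log "Enterprise daemon disabled for gmail.com users."
 return 1
 fi
 
+local session_path="$extension/session-id.json"
+# Remove session-id file as it should be ignored when verifying
+# the signature.
+log "removing $session_path"
+rm -f "$session_path"
+
 if ! cmd_verify "$extension"; then
 return 1
 fi
 
+# Remove session-id.json at exit to enable the extension to remain
+# backward compatible with earlier versions of entd/entwife.
+trap "rm -f $session_path" EXIT TERM
+
+local session_id=$(head -c 8 /dev/urandom | openssl md5)
+
+cat > "$session_path" <<EOF
+{
+"session_id": "$session_id"
+}
+EOF
+
 local root_ca_option=""
 if [ -f "$extension/$ROOT_CA_FILE" ]; then
 root_ca_option="--root-ca-file=$extension/$ROOT_CA_FILE"
 fi
 
 local extid="$(basename $(dirname "$extension"))"
 
-exec "$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \
+# Run entd in the background and wait on it - this allows the
+# shell interpreter to catch TERM signal and clean up session_path.
+"$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \
 --policy="$extension/policy.js" --manifest="$extension/manifest.json" \
---username="$FLAGS_username" --callback-origin=chrome-extension://"$extid"
+--username="$FLAGS_username" --callback-origin=chrome-extension://"$extid" \
+--session-id="$session_id" &
+local pid=$!
+wait $pid
 }
 
 cmd_disapprove() {
 if [ -f "$FLAGS_user_var/$APPROVED_CA" ]; then
 log "Removing enterprise certificate authority"
 rm -f "$FLAGS_user_var/$APPROVED_CA"
 else
 log "No enterprise certificate authority has been approved."
 fi
 }
@@ -688,10 +711,10 @@
 }
 EOF
 
 "$FLAGS_entd" --policy="$scriptfile" --manifest="$extension/manifest.json" \
 --username=user@example.com --allow-dirty-exit 2>/dev/null
 
 rm "$scriptfile"
 }
 
 main "$@"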
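Review bot: The added `local session_id=$(head -c 8 /dev/urandom | openssl md5)` line draws only 64 bits of randomness, the MD5 step adds no entropy, and because the assignment sits on a `local` line a failed pipeline is masked, so an empty id could be written to session-id.json and passed to entd. I would declare first and read more bytes directly, `local session_id; session_id=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')`, followed by `[ -n "$session_id" ] || return 1`. The id is also handed to entd as `--session-id=` on the command line, where it is presumably visible in the process list to other local users, and session-id.json is created under the default umask; both should be checked against who is meant to read the token. In the added trap, `$session_path` is expanded unquoted inside the command string, so `trap "rm -f -- '$session_path'" EXIT TERM` would be safer for a path containing spaces. The enclosing function begins in the skipped lines above this hunk.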