1 #!/bin/sh | 1 #!/bin/sh |
2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. | 2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. |
3 # Use of this source code is governed by a BSD-style license that can be | 3 # Use of this source code is governed by a BSD-style license that can be |
4 # found in the LICENSE file. | 4 # found in the LICENSE file. |
5 | 5 |
6 # This script is temporary front-end to entd. It validates the policy's | 6 # This script is temporary front-end to entd. It validates the policy's |
7 # signature before starting the daemon. If the signing certificate or | 7 # signature before starting the daemon. If the signing certificate or |
8 # signature to not validate, then this script will log an error to syslog | 8 # signature to not validate, then this script will log an error to syslog |
9 # and exit without starting entd. | 9 # and exit without starting entd. |
10 # | 10 # |
251 log "Can't start enterprise daemon, no username provided." | 251 log "Can't start enterprise daemon, no username provided." |
252 return 1 | 252 return 1 |
253 fi | 253 fi |
254 | 254 |
255 local domain="$(echo "$FLAGS_username" | cut -f2 -d'@')" | 255 local domain="$(echo "$FLAGS_username" | cut -f2 -d'@')" |
256 if [ "$domain" = "gmail.com" ]; then | 256 if [ "$domain" = "gmail.com" ]; then |
257 log "Enterprise daemon disabled for gmail.com users." | 257 log "Enterprise daemon disabled for gmail.com users." |
258 return 1 | 258 return 1 |
259 fi | 259 fi |
260 | 260 |
| 261 local session_path="$extension/session-id.json" |
| 262 # Remove session-id file as it should be ignored when verifying |
| 263 # the signature. |
| 264 log "removing $session_path" |
| 265 rm -f "$session_path" |
| 266 |
261 if ! cmd_verify "$extension"; then | 267 if ! cmd_verify "$extension"; then |
262 return 1 | 268 return 1 |
263 fi | 269 fi |
264 | 270 |
| 271 # Remove session-id.json at exit to enable the extension to remain |
| 272 # backward compatible with earlier versions of entd/entwife. |
| 273 trap "rm -f $session_path" EXIT TERM |
| 274 |
| 275 # Provide a way for a developer to disable session id to simplify |
| 276 # iterating new extensions. |
| 277 local local_session_id="" |
| 278 if [ ! -r "/root/.disable-entd-session-id" ]; then |
| 279 session_id=$(head -c 8 /dev/urandom | openssl md5) |
| 280 fi |
| 281 |
| 282 cat > "$session_path" <<EOF |
| 283 { |
| 284 "session_id": "$session_id" |
| 285 } |
| 286 EOF |
| 287 |
265 local root_ca_option="" | 288 local root_ca_option="" |
266 if [ -f "$extension/$ROOT_CA_FILE" ]; then | 289 if [ -f "$extension/$ROOT_CA_FILE" ]; then |
267 root_ca_option="--root-ca-file=$extension/$ROOT_CA_FILE" | 290 root_ca_option="--root-ca-file=$extension/$ROOT_CA_FILE" |
268 fi | 291 fi |
269 | 292 |
270 local extid="$(basename $(dirname "$extension"))" | 293 local extid="$(basename $(dirname "$extension"))" |
271 | 294 |
272 exec "$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \ | 295 # Run entd in the background and wait on it - this allows the |
| 296 # shell interpreter to catch TERM signal and clean up session_path. |
| 297 "$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \ |
273 --policy="$extension/policy.js" --manifest="$extension/manifest.json" \ | 298 --policy="$extension/policy.js" --manifest="$extension/manifest.json" \ |
274 --username="$FLAGS_username" --callback-origin=chrome-extension://"$extid" | 299 --username="$FLAGS_username" --callback-origin=chrome-extension://"$extid" \ |
| 300 --session-id="$session_id" & |
| 301 local pid=$! |
| 302 wait $pid |
275 } | 303 } |
276 | 304 |
277 cmd_disapprove() { | 305 cmd_disapprove() { |
278 if [ -f "$FLAGS_user_var/$APPROVED_CA" ]; then | 306 if [ -f "$FLAGS_user_var/$APPROVED_CA" ]; then |
279 log "Removing enterprise certificate authority" | 307 log "Removing enterprise certificate authority" |
280 rm -f "$FLAGS_user_var/$APPROVED_CA" | 308 rm -f "$FLAGS_user_var/$APPROVED_CA" |
281 else | 309 else |
282 log "No enterprise certificate authority has been approved." | 310 log "No enterprise certificate authority has been approved." |
283 fi | 311 fi |
284 } | 312 } |
688 } | 716 } |
689 EOF | 717 EOF |
690 | 718 |
691 "$FLAGS_entd" --policy="$scriptfile" --manifest="$extension/manifest.json" \ | 719 "$FLAGS_entd" --policy="$scriptfile" --manifest="$extension/manifest.json" \ |
692 --username=user@example.com --allow-dirty-exit 2>/dev/null | 720 --username=user@example.com --allow-dirty-exit 2>/dev/null |
693 | 721 |
694 rm "$scriptfile" | 722 rm "$scriptfile" |
695 } | 723 } |
696 | 724 |
697 main "$@" | 725 main "$@" |
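Review bot: New line 277 declares `local local_session_id=""` but the value is assigned to and read from `session_id` on lines 279, 284 and 300, so that local is dead and `session_id` is an unscoped global that stays unset (or keeps whatever an earlier caller left in it) whenever `/root/.disable-entd-session-id` exists; line 277 should read `local session_id=""`. The handler on line 273, `trap "rm -f $session_path" EXIT TERM`, expands the path at definition time without quotes, so an extension path containing whitespace or glob characters is word-split when the trap fires; `trap "rm -f \"$session_path\"" EXIT TERM` keeps the early expansion (needed because `session_path` is `local`) while quoting the result. The TERM handler also only removes the file and never signals the backgrounded entd, so a TERM delivered to this script leaves the daemon running without its session file, which is not what the comment on lines 295–296 suggests; sending the child `kill` from a handler installed after line 301, where `$pid` is known, would close that gap. If the session id is intended as a shared secret between entd and the extension, passing it as `--session-id="$session_id"` on line 300 exposes it to any local user via `ps`, and the `openssl md5` output format on line 279 (bare hex versus a `(stdin)= ` prefix) varies by OpenSSL version — both presumably acceptable on this platform, but worth confirming. The enclosing function starts before the hunk.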