Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(472)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: bin/entdwife.sh

Issue 6874035: entd: require a per-entd-invocation session id in every request (Closed) Base URL: ssh://git@gitrw.chromium.org:9222/entd.git@master
Patch Set: Allow a developer switch to disable session id' Created 9 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« no previous file with comments | « no previous file | callback_server.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 #!/bin/sh 1 #!/bin/sh
2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved. 2 # Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
3 # Use of this source code is governed by a BSD-style license that can be 3 # Use of this source code is governed by a BSD-style license that can be
4 # found in the LICENSE file. 4 # found in the LICENSE file.
5 5
6 # This script is temporary front-end to entd. It validates the policy's 6 # This script is temporary front-end to entd. It validates the policy's
7 # signature before starting the daemon. If the signing certificate or 7 # signature before starting the daemon. If the signing certificate or
8 # signature to not validate, then this script will log an error to syslog 8 # signature to not validate, then this script will log an error to syslog
9 # and exit without starting entd. 9 # and exit without starting entd.
10 # 10 #
(...skipping 240 matching lines...) Expand 10 before | Expand all | Expand 10 after
251 log "Can't start enterprise daemon, no username provided." 251 log "Can't start enterprise daemon, no username provided."
252 return 1 252 return 1
253 fi 253 fi
254 254
255 local domain="$(echo "$FLAGS_username" | cut -f2 -d'@')" 255 local domain="$(echo "$FLAGS_username" | cut -f2 -d'@')"
256 if [ "$domain" = "gmail.com" ]; then 256 if [ "$domain" = "gmail.com" ]; then
257 log "Enterprise daemon disabled for gmail.com users." 257 log "Enterprise daemon disabled for gmail.com users."
258 return 1 258 return 1
259 fi 259 fi
260 260
261 local session_path="$extension/session-id.json"
262 # Remove session-id file as it should be ignored when verifying
263 # the signature.
264 log "removing $session_path"
265 rm -f "$session_path"
266
261 if ! cmd_verify "$extension"; then 267 if ! cmd_verify "$extension"; then
262 return 1 268 return 1
263 fi 269 fi
264 270
271 # Remove session-id.json at exit to enable the extension to remain
272 # backward compatible with earlier versions of entd/entwife.
273 trap "rm -f $session_path" EXIT TERM
274
275 # Provide a way for a developer to disable session id to simplify
276 # iterating new extensions.
277 local local_session_id=""
278 if [ ! -r "/root/.disable-entd-session-id" ]; then
279 session_id=$(head -c 8 /dev/urandom | openssl md5)
280 fi
281
282 cat > "$session_path" <<EOF
283 {
284 "session_id": "$session_id"
285 }
286 EOF
287
265 local root_ca_option="" 288 local root_ca_option=""
266 if [ -f "$extension/$ROOT_CA_FILE" ]; then 289 if [ -f "$extension/$ROOT_CA_FILE" ]; then
267 root_ca_option="--root-ca-file=$extension/$ROOT_CA_FILE" 290 root_ca_option="--root-ca-file=$extension/$ROOT_CA_FILE"
268 fi 291 fi
269 292
270 local extid="$(basename $(dirname "$extension"))" 293 local extid="$(basename $(dirname "$extension"))"
271 294
272 exec "$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \ 295 # Run entd in the background and wait on it - this allows the
296 # shell interpreter to catch TERM signal and clean up session_path.
297 "$FLAGS_entd" --utility="$FLAGS_utility" "$root_ca_option" \
273 --policy="$extension/policy.js" --manifest="$extension/manifest.json" \ 298 --policy="$extension/policy.js" --manifest="$extension/manifest.json" \
274 --username="$FLAGS_username" --callback-origin=chrome-extension://"$extid" 299 --username="$FLAGS_username" --callback-origin=chrome-extension://"$extid" \
300 --session-id="$session_id" &
301 local pid=$!
302 wait $pid
275 } 303 }
276 304
277 cmd_disapprove() { 305 cmd_disapprove() {
278 if [ -f "$FLAGS_user_var/$APPROVED_CA" ]; then 306 if [ -f "$FLAGS_user_var/$APPROVED_CA" ]; then
279 log "Removing enterprise certificate authority" 307 log "Removing enterprise certificate authority"
280 rm -f "$FLAGS_user_var/$APPROVED_CA" 308 rm -f "$FLAGS_user_var/$APPROVED_CA"
281 else 309 else
282 log "No enterprise certificate authority has been approved." 310 log "No enterprise certificate authority has been approved."
283 fi 311 fi
284 } 312 }
(...skipping 403 matching lines...) Expand 10 before | Expand all | Expand 10 after
688 } 716 }
689 EOF 717 EOF
690 718
691 "$FLAGS_entd" --policy="$scriptfile" --manifest="$extension/manifest.json" \ 719 "$FLAGS_entd" --policy="$scriptfile" --manifest="$extension/manifest.json" \
692 --username=user@example.com --allow-dirty-exit 2>/dev/null 720 --username=user@example.com --allow-dirty-exit 2>/dev/null
693 721
694 rm "$scriptfile" 722 rm "$scriptfile"
695 } 723 }
696 724
697 main "$@" 725 main "$@"
OLDNEW
« no previous file with comments | « no previous file | callback_server.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698