Add support for public account policy to CloudPolicyClient.

net/tools/testserver/device_management.py

 # Copyright (c) 2012 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 """A bare-bones test server for testing cloud policy support.
 
 This implements a simple cloud policy test server that can be used to test
 chrome's device management service client. The policy information is read from
 the file named device_management in the server's data directory. It contains
 enforced and recommended policies for the device and user scope, and a list
 of managed users.
 
 The format of the file is JSON. The root dictionary contains a list under the
 key "managed_users". It contains auth tokens for which the server will claim
 that the user is managed. The token string "*" indicates that all users are
 claimed to be managed. Other keys in the root dictionary identify request
 scopes. The user-request scope is described by a dictionary that holds two
 sub-dictionaries: "mandatory" and "recommended". Both these hold the policy
 definitions as key/value stores, their format is identical to what the Linux
 implementation reads from /etc.
 The device-scope holds the policy-definition directly as key/value stores in the
 protobuf-format.
 
 Example:
 
 {
   "google/chromeos/device" : {
-      "guest_mode_enabled" : false
+    "guest_mode_enabled" : false
   },
   "google/chromeos/user" : {
-     "mandatory" : {
+    "mandatory" : {
       "HomepageLocation" : "http://www.chromium.org",
       "IncognitoEnabled" : false
     },
      "recommended" : {
       "JavascriptEnabled": false
     }
   },
+  "google/chromeos/publicaccount/user@example.com" : {
+    "mandatory" : {
+      "HomepageLocation" : "http://www.chromium.org"
+    },
+     "recommended" : {
+    }
+  }

[Joao da Silva, 2012/12/04 16:33:31]

nitty nit: comma

[Mattias Nissler (ping if slow), 2012/12/04 16:58:36]

Done.

   "managed_users" : [
     "secret123456"
   ]
 }
 
 """
 
 import cgi
 import hashlib
 import logging
@@ skipping 205 matching lines @@
     and constructs the response.
 
     Args:
       msg: The DevicePolicyRequest message received from the client.
 
     Returns:
       A tuple of HTTP status code and response data to send to the client.
     """
     for request in msg.request:
       if (request.policy_type in
-             ('google/chromeos/user', 'google/chromeos/device')):
+             ('google/chromeos/user',
+              'google/chromeos/device',
+              'google/chromeos/publicaccount')):
         if request_type != 'policy':
           return (400, 'Invalid request type')
         else:
           return self.ProcessCloudPolicy(request)
       else:
         return (400, 'Invalid policy_type')
 
   def ProcessAutoEnrollment(self, msg):
     """Handles an auto-enrollment check request.
 
@@ skipping 109 matching lines @@
     Args:
       settings: The destination: a CloudPolicySettings protobuf.
       policies: The source: a dictionary containing policies under keys
           'recommended' and 'mandatory'.
     '''
     for field in settings.DESCRIPTOR.fields:
       # |field| is the entry for a specific policy in the top-level
       # CloudPolicySettings proto.
 
       # Look for this policy's value in the mandatory or recommended dicts.
-      if field.name in policies['mandatory']:
+      if field.name in policies.get('mandatory', {}):
         mode = cp.PolicyOptions.MANDATORY
         value = policies['mandatory'][field.name]
-      elif field.name in policies['recommended']:
+      elif field.name in policies.get('recommended', {}):
         mode = cp.PolicyOptions.RECOMMENDED
         value = policies['recommended'][field.name]
       else:
         continue
 
       # Create protobuf message for this policy.
       policy_message = eval('cp.' + field.message_type.name + '()')
       policy_message.policy_options.mode = mode
       field_descriptor = policy_message.DESCRIPTOR.fields_by_name['value']
       self.SetProtobufMessageField(policy_message, field_descriptor, value)
@@ skipping 13 matching lines @@
     """
 
     token_info, error = self.CheckToken()
     if not token_info:
       return error
 
     if msg.machine_id:
       self._server.UpdateMachineId(token_info['device_token'], msg.machine_id)
 
     # Response is only given if the scope is specified in the config file.
-    # Normally 'google/chromeos/device' and 'google/chromeos/user' should be
-    # accepted.
+    # Normally 'google/chromeos/device', 'google/chromeos/user' and
+    # 'google/chromeos/publicaccount' should be accepted.
     policy = self._server.GetPolicies()
     policy_value = ''
-    if (msg.policy_type in token_info['allowed_policy_types'] and
-        msg.policy_type in policy):
+    policy_key = msg.policy_type
+    if msg.settings_entity_id:
+      policy_key += '/' + msg.settings_entity_id
+    if msg.policy_type in token_info['allowed_policy_types']:
       if msg.policy_type == 'google/chromeos/user':
         settings = cp.CloudPolicySettings()
-        self.GatherUserPolicySettings(settings,
-                                      policy[msg.policy_type])
-        policy_value = settings.SerializeToString()
+        self.GatherUserPolicySettings(settings, policy.get(policy_key, {}))
       elif msg.policy_type == 'google/chromeos/device':
         settings = dp.ChromeDeviceSettingsProto()
-        self.GatherDevicePolicySettings(settings,
-                                        policy[msg.policy_type])
-        policy_value = settings.SerializeToString()
+        self.GatherDevicePolicySettings(settings, policy.get(policy_key, {}))
+      elif msg.policy_type == 'google/chromeos/publicaccount':
+        settings = cp.CloudPolicySettings()
+        self.GatherUserPolicySettings(settings, policy.get(policy_key, {}))
 
     # Figure out the key we want to use. If multiple keys are configured, the
     # server will rotate through them in a round-robin fashion.
     signing_key = None
     req_key = None
     key_version = 1
     nkeys = len(self._server.keys)
     if msg.signature_type == dm.PolicyFetchRequest.SHA1_RSA and nkeys > 0:
       if msg.public_key_version in range(1, nkeys + 1):
         # requested key exists, use for signing and rotate.
         req_key = self._server.keys[msg.public_key_version - 1]['private_key']
         key_version = (msg.public_key_version % nkeys) + 1
       signing_key = self._server.keys[key_version - 1]
 
     # Fill the policy data protobuf.
     policy_data = dm.PolicyData()
     policy_data.policy_type = msg.policy_type
     policy_data.timestamp = int(time.time() * 1000)
     policy_data.request_token = token_info['device_token']
-    policy_data.policy_value = policy_value
+    policy_data.policy_value = settings.SerializeToString()
     policy_data.machine_name = token_info['machine_name']
     policy_data.valid_serial_number_missing = (
         token_info['machine_id'] in BAD_MACHINE_IDS)
 
     if signing_key:
       policy_data.public_key_version = key_version
-    # There is no way for the testserver to know the user name belonging to
-    # the GAIA auth token we received (short of actually talking to GAIA). To
-    # address this, we read the username from the policy configuration
-    # dictionary, or use a default.
-    policy_data.username = policy.get('policy_user', 'user@example.com')
+    if msg.policy_type == 'google/chromeos/publicaccount':
+      policy_data.username = msg.settings_entity_id
+    else:
+      # For regular user/device policy, there is no way for the testserver to
+      # know the user name belonging to the GAIA auth token we received (short
+      # of actually talking to GAIA). To address this, we read the username from
+      # the policy configuration dictionary, or use a default.
+      policy_data.username = policy.get('policy_user', 'user@example.com')
     policy_data.device_id = token_info['device_id']
     signed_data = policy_data.SerializeToString()
 
     response = dm.DeviceManagementResponse()
     fetch_response = response.policy_response.response.add()
     fetch_response.policy_data = signed_data
     if signing_key:
       fetch_response.policy_data_signature = (
           signing_key['private_key'].hashAndSign(signed_data).tostring())
       if msg.public_key_version != key_version:
@@ skipping 122 matching lines @@
 
     Returns:
       The newly generated device token for the device.
     """
     dmtoken_chars = []
     while len(dmtoken_chars) < 32:
       dmtoken_chars.append(random.choice('0123456789abcdef'))
     dmtoken = ''.join(dmtoken_chars)
     allowed_policy_types = {
       dm.DeviceRegisterRequest.USER: ['google/chromeos/user'],
-      dm.DeviceRegisterRequest.DEVICE: ['google/chromeos/device'],
+      dm.DeviceRegisterRequest.DEVICE: [
+          'google/chromeos/device',
+          'google/chromeos/publicaccount'
+      ],
       dm.DeviceRegisterRequest.TT: ['google/chromeos/user'],
     }
     if machine_id in KIOSK_MACHINE_IDS:
       enrollment_mode = dm.DeviceRegisterResponse.RETAIL
     else:
       enrollment_mode = dm.DeviceRegisterResponse.ENTERPRISE
     self._registered_tokens[dmtoken] = {
       'device_id': device_id,
       'device_token': dmtoken,
       'allowed_policy_types': allowed_policy_types[type],
@@ skipping 26 matching lines @@
     return self._registered_tokens.get(dmtoken, None)
 
   def UnregisterDevice(self, dmtoken):
     """Unregisters a device identified by the given DM token.
 
     Args:
       dmtoken: The device management token provided by the client.
     """
     if dmtoken in self._registered_tokens.keys():
       del self._registered_tokens[dmtoken]