platformKeys: Add policy and corporate key tagging.

chrome/browser/chromeos/platform_keys/key_permissions.h

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_H_
 #define CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_H_
 
 #include <string>
 #include <vector>
 
 #include "base/callback_forward.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/weak_ptr.h"
 
+class PrefService;
+
 namespace base {
+class DictionaryValue;
 class Value;
 }
 
 namespace extensions {
 class StateStore;
 }
 
+namespace policy {
+class PolicyService;
+}
+
+namespace user_prefs {
+class PrefRegistrySyncable;
+}
+
 namespace chromeos {
 
 // This class manages permissions for extensions to use private keys through
 // chrome.platformKeys .
 // It handles the following permissions:
 //  * The extension that generated a key has the permission to sign arbitrary
 //    data with that key at most once.
 //  * The user can explicitly grant an extension the permission to sign
 //    arbitrary data with a key an unlimited number of times.
+//
+// Additionally, it takes care of restrictions that apply on managed profiles,
+// applies the KeyPermissions policy and distinguishes corporate from
+// non-corporate keys.
 class KeyPermissions {
  public:
   // Allows querying and modifying permissions and registering keys for a
   // specific extension.
   class PermissionsForExtension {
    public:
     // |key_permissions| must not be null and outlive this object.
     // Methods of this object refer implicitly to the extension with the id
     // |extension_id|. Don't use this constructor directly. Call
     // |KeyPermissions::GetPermissionsForExtension| instead.
     PermissionsForExtension(const std::string& extension_id,
                             scoped_ptr<base::Value> state_store_value,
+                            PrefService* profile_prefs,
+                            policy::PolicyService* profile_policies,
                             KeyPermissions* key_permissions);
 
     ~PermissionsForExtension();
 
     // Returns true if the private key matching |public_key_spki_der| can be
     // used for signing by the extension with id |extension_id|.
     // |public_key_spki_der| must be the DER of a Subject Public Key Info.
     bool CanUseKeyForSigning(const std::string& public_key_spki_der);
 
     // Registers the key |public_key_spki_der| as being generated by the
@@ skipping 31 matching lines @@
     scoped_ptr<base::Value> KeyEntriesToState();
 
     // Returns an existing entry for |public_key_spki_der_b64| from
     // |state_store_entries_|. If there is no existing entry, creates, adds and
     // returns a new entry.
     // |public_key_spki_der| must be the base64 encoding of the DER of a Subject
     // Public Key Info.
     KeyPermissions::PermissionsForExtension::KeyEntry* GetStateStoreEntry(
         const std::string& public_key_spki_der_b64);
 
+    bool PolicyAllowsCorporateKeyUsage();
+
     const std::string extension_id_;
     std::vector<KeyEntry> state_store_entries_;
+    PrefService* const profile_prefs_;
+    policy::PolicyService* const profile_policies_;
     KeyPermissions* const key_permissions_;
 
     DISALLOW_COPY_AND_ASSIGN(PermissionsForExtension);
   };
 
-  // |extensions_state_store| must not be null and outlive this object.
+  // |profile_prefs| and |extensions_state_store| must not be null and outlive
+  // this object.
+  // If |profile_is_managed| is false, |profile_policies| is ignored. Otherwise,
+  // |profile_policies| must not be null and outlive this object.
   // |profile_is_managed| determines the default usage and permissions for
   // keys without explicitly assigned usage.
   KeyPermissions(bool profile_is_managed,
+                 PrefService* profile_prefs,
+                 policy::PolicyService* profile_policies,
                  extensions::StateStore* extensions_state_store);
 
   ~KeyPermissions();
 
   using PermissionsCallback =
       base::Callback<void(scoped_ptr<PermissionsForExtension>)>;
 
   // Passes an object managing the key permissions of the extension with id
   // |extension_id| to |callback|. This can happen synchronously or
   // asynchronously.
   void GetPermissionsForExtension(const std::string& extension_id,
                                   const PermissionsCallback& callback);
 
   // Returns true if the user can grant any permission for |public_key_spki_der|
   // to extensions. |public_key_spki_der| must be the DER of a Subject Public
   // Key Info.
   bool CanUserGrantPermissionFor(const std::string& public_key_spki_der);
 
+  static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
+
  private:
+  bool IsCorporateKey(const std::string& public_key_spki_der_b64);
+
   // Creates a PermissionsForExtension object from |extension_id| and |value|
   // and passes the object to |callback|.
   void CreatePermissionObjectAndPassToCallback(
       const std::string& extension_id,
       const PermissionsCallback& callback,
       scoped_ptr<base::Value> value);
 
   // Writes |value| to the state store of the extension with id |extension_id|.
   void SetPlatformKeysOfExtension(const std::string& extension_id,
                                   scoped_ptr<base::Value> value);
 
+  const base::DictionaryValue* GetPrefsEntry(
+      const std::string& public_key_spki_der_b64);
+
   const bool profile_is_managed_;
+  PrefService* const profile_prefs_;
+  policy::PolicyService* const profile_policies_;
   extensions::StateStore* const extensions_state_store_;
   base::WeakPtrFactory<KeyPermissions> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(KeyPermissions);
 };
 
 }  // namespace chromeos
 
 #endif  // CHROME_BROWSER_CHROMEOS_PLATFORM_KEYS_KEY_PERMISSIONS_H_