platformKeys: Add policy and corporate key tagging.

components/policy/resources/policy_templates.json

 {
 # policy_templates.json - Metafile for policy templates
 #
 # The content of this file is evaluated as a Python expression.
 #
 # This file is used as input to generate the following policy templates:
 # ADM, ADMX+ADML, MCX/plist and html documentation.
 #
 # Policy templates are user interface definitions or documents about the
 # policies that can be used to configure Chrome. Each policy is a name-value
@@ skipping 105 matching lines @@
 #   templates and documentation. The policy definition list that Chrome sees
 #   will include policies marked with 'future'. If a WIP policy isn't meant to
 #   be seen by the policy providers either, the 'supported_on' key should be set
 #   to an empty list.
 #
 # IDs:
 #   Since a Protocol Buffer definition is generated from this file, unique and
 #   persistent IDs for all fields (but not for groups!) are needed. These are
 #   specified by the 'id' keys of each policy. NEVER CHANGE EXISTING IDs,
 #   because doing so would break the deployed wire format!
-#   For your editing convenience: highest ID currently used: 301
+#   For your editing convenience: highest ID currently used: 302
 #
 # Placeholders:
 #   The following placeholder strings are automatically substituted:
 #     $1 -> Google Chrome / Chromium
 #     $2 -> Google Chrome OS / Chromium OS
 #     $3 -> Google Chrome Frame / Chromium Frame
 #     $6 is reserved for doc_writer
 #
 # Device Policy:
 #   An additional flag device_only (optional, defaults to False) indicates
@@ skipping 7221 matching lines @@
       'features': {
         'dynamic_refresh': False,
         'per_profile': False,
       },
       'example_value': True,
       'id': 301,
       'caption': '''Allows QUIC protocol''',
       'desc': '''If this policy is set to true or not set usage of QUIC protocol in <ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> is allowed.
       If this policy is set to false usage of QUIC protocol is disallowed.''',
     },
+    {
+      'name': 'KeyPermissions',
+      'type': 'dict',
+      'schema': {
+        'type': 'object',
+        'additionalProperties': {
+          'type': 'object',
+          'properties': {
+            'allowCorporateKeyUsage': {
+              'description': '''If set to true, this extension can use all corporate keys to sign arbitrary data. If set to false, it cannot access any corporate key and the user can not grant such permission either.''',

[bartfab (slow), 2015/06/15 17:28:16]

1: What is a corporate key? I never heard or saw the term before in our
documentation.
2: Nit: s/key and/keys and/

[pneubeck (no reviews), 2015/06/17 08:59:56]

Changed it to "keys designated for corporate usage".
The concept of "corporate usage" is effectively introduced by this CL and means:
a key created by the enterprise.platformKeys API is by default "for corporate
usage". currently no other keys have that intended purpose. In the future, I
would like to add however the option to also mark imported keys corporate usage.
If marked that way, the admin can allow certain extensions to use these keys
through this policy. That is not possible for other types of keys nor can the
user do this for corporate keys himself.

Do you think more of this explanation should be part of the policy? Maybe it
will make more sense in an admin help document.
done.

[bartfab (slow), 2015/06/17 09:57:40]

1: I think a bit more explanation would be useful.
2: Nit: s/keys,/keys/
3: Nit: s/usage,/usage/

[pneubeck (no reviews), 2015/06/17 13:00:36]

i extended the description of the whole policy.

On 2015/06/17 09:57:40, bartfab wrote:

+              'type': 'boolean',
+            },
+          },
+        },
+      },
+      'supported_on': ['chrome_os:45-'],
+      'features': {
+        'dynamic_refresh': True,
+        'per_profile': True,
+      },
+      'example_value': {
+        'extension1': {
+          'allowCorporateKeyUsage': 'true'
+        },
+        'extension2': {
+          'allowCorporateKeyUsage': 'false'
+        }
+      },
+      'id': 302,
+      'caption': 'Key Permissions',
+      'desc': '''Grants usage of private keys by extensions.
 
+      By default an extension cannot use a private key for signing data, which is equivalent to setting allowCorporateKeyUsage to false for that extension. A user cannot workaround that restriction.

[bartfab (slow), 2015/06/15 17:28:15]

Nit 1: Of course you can use "private keys" in general. You just cannot use
private keys associated with corporate key pairs.
Nit 2: s/workaround/work around/ or better, s/workaround/circumvent/

[pneubeck (no reviews), 2015/06/17 08:59:56]

Done.

+
+      Only if allowCorporateKeyUsage is set to true for an extension, it can use any private key marked for corporate usage to sign arbitrary data. This permission should only be granted if the extension is trusted to secure access to the key against attackers.''',
+    },
   ],
   'messages': {
     # Messages that are not associated to any policies.
     'win_supported_winxpsp2': {
       'desc': '''A label specifying the oldest possible compatible version of Windows. This text will appear right next to a label containing the text 'Supported on:'.''',
       'text': '''Microsoft Windows XP SP2 or later'''
     },
     'mac_chrome_preferences': {
       'desc': '''A text indicating in Mac OS X Workgroup Manager, that currently the preferences of Chromium are being edited''',
       'text': '''<ph name="PRODUCT_NAME">$1<ex>Google Chrome</ex></ph> preferences'''
@@ skipping 105 matching lines @@
       'desc': '''Text appended in parentheses next to the policies top-level container to indicate that those policies are of the Recommended level''',
       'text': 'Default Settings (users can override)',
     },
     'doc_complex_policies_on_windows': {
       'desc': '''Text pointing the user to a help article for complex policies on Windows''',
       'text': '''encoded as a JSON string, for details see <ph name="COMPLEX_POLICIES_URL">http://www.chromium.org/administrators/complex-policies-on-windows<ex>http://www.chromium.org/administrators/complex-policies-on-windows</ex></ph>''',
     },
   },
   'placeholders': [],
 }