platformKeys: Add policy and corporate key tagging.

chrome/browser/chromeos/platform_keys/key_permissions.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/platform_keys/key_permissions.h"
 
 #include "base/base64.h"
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/logging.h"
+#include "base/prefs/pref_service.h"
+#include "base/prefs/scoped_user_pref_update.h"
 #include "base/values.h"
+#include "chrome/common/pref_names.h"
+#include "components/policy/core/common/policy_map.h"
+#include "components/policy/core/common/policy_namespace.h"
+#include "components/policy/core/common/policy_service.h"
+#include "components/pref_registry/pref_registry_syncable.h"
 #include "extensions/browser/state_store.h"
+#include "policy/policy_constants.h"
 
 namespace chromeos {
 
 namespace {
 
 // The key at which platform key specific data is stored in each extension's
 // state store.
 // From older versions of ChromeOS, this key can hold a list of base64 and
 // DER-encoded SPKIs. A key can be used for signing at most once if it is part
 // of that list
 // and removed from that list afterwards.
 //
 // The current format of data that is written to the PlatformKeys field is a
 // list of serialized KeyEntry objects:
 //   { 'SPKI': string,
 //     'signOnce': bool,  // if not present, defaults to false
 //     'signUnlimited': bool  // if not present, defaults to false
 //   }
 //
 // Do not change this constant as clients will lose their existing state.
 const char kStateStorePlatformKeys[] = "PlatformKeys";
 const char kStateStoreSPKI[] = "SPKI";
 const char kStateStoreSignOnce[] = "signOnce";
 const char kStateStoreSignUnlimited[] = "signUnlimited";
 
+const char kPrefIsCorporateKey[] = "is_platform_key";
+const char kPolicyAllowCorporateKeyUsage[] = "allowCorporateKeyUsage";
+
 }  // namespace
 
 struct KeyPermissions::PermissionsForExtension::KeyEntry {
   explicit KeyEntry(const std::string& public_key_spki_der_b64)
       : spki_b64(public_key_spki_der_b64) {}
 
   // The base64-encoded DER of a X.509 Subject Public Key Info.
   const std::string spki_b64;
 
   // True if the key can be used once for singing.
   // This permission is granted if an extension generated a key using the
   // enterprise.platformKeys API, so that it can build a certification request..
   // After the first signing operation this permission will be revoked.
   bool sign_once = false;
 
   // True if the key can be used for signing an unlimited number of times.
-  // This permission is granted by the user or by policy to allow the extension
-  // to use the key for signing through the enterprise.platformKeys or
-  // platformKeys API.
+  // This permission is granted by the user to allow the extension to use the
+  // key for signing through the enterprise.platformKeys or platformKeys API.
   // This permission is granted until revoked by the user or the policy.
   bool sign_unlimited = false;
 };
 
 KeyPermissions::PermissionsForExtension::PermissionsForExtension(
     const std::string& extension_id,
     scoped_ptr<base::Value> state_store_value,
+    PrefService* profile_prefs,
+    policy::PolicyService* profile_policies,
     KeyPermissions* key_permissions)
-    : extension_id_(extension_id), key_permissions_(key_permissions) {
+    : extension_id_(extension_id),
+      profile_prefs_(profile_prefs),
+      profile_policies_(profile_policies),
+      key_permissions_(key_permissions) {
+  DCHECK(profile_prefs_);
+  DCHECK(profile_policies_);
   DCHECK(key_permissions_);
   if (state_store_value)
     KeyEntriesFromState(*state_store_value);
 }
 
 KeyPermissions::PermissionsForExtension::~PermissionsForExtension() {
 }
 
 bool KeyPermissions::PermissionsForExtension::CanUseKeyForSigning(
     const std::string& public_key_spki_der) {
-  KeyEntry* matching_entry = GetKeyEntry(public_key_spki_der);
+  KeyEntry* matching_entry = GetStateStoreEntry(public_key_spki_der);
+  if (matching_entry->sign_once)
+    return true;
 
-  return matching_entry->sign_once || matching_entry->sign_unlimited;
+  if (key_permissions_->IsCorporateKey(public_key_spki_der)) {
+    LOG(ERROR) << "is corporate key";
+    return PolicyAllowsCorporateKeyUsage();
+  }
+
+  return matching_entry->sign_unlimited;
 }
 
 void KeyPermissions::PermissionsForExtension::SetKeyUsedForSigning(
     const std::string& public_key_spki_der) {
-  KeyEntry* matching_entry = GetKeyEntry(public_key_spki_der);
+  KeyEntry* matching_entry = GetStateStoreEntry(public_key_spki_der);
 
   if (!matching_entry->sign_once) {
     if (matching_entry->sign_unlimited)
       VLOG(1) << "Key is already marked as not usable for signing, skipping.";
     else
       LOG(ERROR) << "Key was not allowed for signing.";
     return;
   }
 
   matching_entry->sign_once = false;
   WriteToStateStore();
 }
 
 void KeyPermissions::PermissionsForExtension::RegisterKeyForCorporateUsage(
     const std::string& public_key_spki_der) {
-  KeyEntry* matching_entry = GetKeyEntry(public_key_spki_der);
+  KeyEntry* matching_entry = GetStateStoreEntry(public_key_spki_der);
 
   if (matching_entry->sign_once) {
     VLOG(1) << "Key is already allowed for signing, skipping.";
     return;
   }
 
   matching_entry->sign_once = true;
   WriteToStateStore();
+
+  DictionaryPrefUpdate update(profile_prefs_, prefs::kPlatformKeys);
+
+  scoped_ptr<base::DictionaryValue> new_pref_entry(new base::DictionaryValue);
+  new_pref_entry->SetBooleanWithoutPathExpansion(kPrefIsCorporateKey, true);
+
+  std::string public_key_spki_der_b64;
+  base::Base64Encode(public_key_spki_der, &public_key_spki_der_b64);
+
+  update->SetWithoutPathExpansion(public_key_spki_der_b64,
+                                  new_pref_entry.release());
 }
 
 void KeyPermissions::PermissionsForExtension::SetUserGrantedPermission(
     const std::string& public_key_spki_der) {
-  KeyEntry* matching_entry = GetKeyEntry(public_key_spki_der);
+  if (key_permissions_->IsCorporateKey(public_key_spki_der)) {
+    LOG(WARNING) << "Tried to grant permission for corporate key.";
+    return;
+  }
+
+  KeyEntry* matching_entry = GetStateStoreEntry(public_key_spki_der);
 
   if (matching_entry->sign_unlimited) {
     VLOG(1) << "Key is already allowed for signing, skipping.";
     return;
   }
 
   matching_entry->sign_unlimited = true;
   WriteToStateStore();
 }
 
+bool KeyPermissions::PermissionsForExtension::PolicyAllowsCorporateKeyUsage() {
+  const policy::PolicyMap& policies = profile_policies_->GetPolicies(
+      policy::PolicyNamespace(policy::POLICY_DOMAIN_CHROME, std::string()));
+  const base::Value* policy_value =
+      policies.GetValue(policy::key::kKeyPermissions);
+LOG(ERROR) << "policy value " << policy_value;
+  if (!policy_value)
+    return false;
+LOG(ERROR) << *policy_value;
+
+  const base::DictionaryValue* key_permissions_map = nullptr;
+  policy_value->GetAsDictionary(&key_permissions_map);
+  if (!key_permissions_map) {
+    LOG(ERROR) << "Expected policy to be a dictionary.";
+    return false;
+  }
+
+  const base::DictionaryValue* key_permissions_for_ext = nullptr;
+  key_permissions_map->GetDictionaryWithoutPathExpansion(
+      extension_id_, &key_permissions_for_ext);
+  if (!key_permissions_for_ext) {
+LOG(ERROR) << "no entry for " << extension_id_;
+    return false;
+}
+
+  bool allow_corporate_key_usage = false;
+  key_permissions_for_ext->GetBooleanWithoutPathExpansion(
+      kPolicyAllowCorporateKeyUsage, &allow_corporate_key_usage);
+
+LOG(ERROR) << "policy allows corp usage " << allow_corporate_key_usage;
+  return allow_corporate_key_usage;
+}
+
 void KeyPermissions::PermissionsForExtension::WriteToStateStore() {
   key_permissions_->SetPlatformKeysOfExtension(extension_id_,
                                                KeyEntriesToState());
 }
 
 void KeyPermissions::PermissionsForExtension::KeyEntriesFromState(
     const base::Value& state) {
   state_store_entries_.clear();
 
   const base::ListValue* entries = nullptr;
@@ skipping 51 matching lines @@
                                                 entry.sign_unlimited);
     }
     new_state->Append(new_entry.release());
   }
   return new_state.Pass();
 }
 
 // Searches |platform_keys| for an entry for |public_key_spki_der_b64|. If found
 // returns a pointer to it, otherwise returns null.
 KeyPermissions::PermissionsForExtension::KeyEntry*
-KeyPermissions::PermissionsForExtension::GetKeyEntry(
+KeyPermissions::PermissionsForExtension::GetStateStoreEntry(
     const std::string& public_key_spki_der) {
   std::string public_key_spki_der_b64;
   base::Base64Encode(public_key_spki_der, &public_key_spki_der_b64);
 
   for (KeyEntry& entry : state_store_entries_) {
     // For every ASN.1 value there is exactly one DER encoding, so it is fine to
     // compare the DER (or its base64 encoding).
     if (entry.spki_b64 == public_key_spki_der_b64)
       return &entry;
   }
 
   state_store_entries_.push_back(KeyEntry(public_key_spki_der_b64));
   return &state_store_entries_.back();
 }
 
-KeyPermissions::KeyPermissions(extensions::StateStore* extensions_state_store)
-    : extensions_state_store_(extensions_state_store), weak_factory_(this) {
+KeyPermissions::KeyPermissions(PrefService* profile_prefs,
+                               bool profile_is_managed,
+                               policy::PolicyService* profile_policies,
+                               extensions::StateStore* extensions_state_store)
+    : profile_prefs_(profile_prefs),
+      profile_is_managed_(profile_is_managed),
+      profile_policies_(profile_policies),
+      extensions_state_store_(extensions_state_store),
+      weak_factory_(this) {
+  DCHECK(profile_prefs_);
+  DCHECK(extensions_state_store_);
+  DCHECK(!profile_is_managed_ || profile_policies_);
 }
 
 KeyPermissions::~KeyPermissions() {
 }
 
 void KeyPermissions::GetPermissionsForExtension(
     const std::string& extension_id,
     const PermissionsCallback& callback) {
   extensions_state_store_->GetExtensionValue(
       extension_id, kStateStorePlatformKeys,
       base::Bind(&KeyPermissions::CreatePermissionObjectAndPassToCallback,
                  weak_factory_.GetWeakPtr(), extension_id, callback));
 }
 
+bool KeyPermissions::CanUserGrantPermissionFor(
+    const std::string& public_key_spki_der) {
+LOG(ERROR) << "profile is managed " << profile_is_managed_;
+  // As keys cannot be tagged for non-corporate usage, the user can currently
+  // not grant any permissions if the profile is managed.
+  if (profile_is_managed_)
+    return false;
+
+  // If this profile is not managed but we find a corporate key, don't allow
+  // the user to grant permissions.
+  return !IsCorporateKey(public_key_spki_der);
+}
+
+bool KeyPermissions::IsCorporateKey(const std::string& public_key_spki_der) {
+  const base::DictionaryValue* prefs_entry = GetPrefsEntry(public_key_spki_der);
+  if (prefs_entry) {
+    bool is_corporate_key = false;
+    prefs_entry->GetBooleanWithoutPathExpansion(kPrefIsCorporateKey,
+                                                &is_corporate_key);
+    return is_corporate_key;
+  }
+  return false;
+}
+
+void KeyPermissions::RegisterProfilePrefs(
+    user_prefs::PrefRegistrySyncable* registry) {
+  registry->RegisterDictionaryPref(prefs::kPlatformKeys);
+}
+
+void KeyPermissions::CreatePermissionObjectAndPassToCallback(
+    const std::string& extension_id,
+    const PermissionsCallback& callback,
+    scoped_ptr<base::Value> value) {
+  callback.Run(make_scoped_ptr(new PermissionsForExtension(
+      extension_id, value.Pass(), profile_prefs_, profile_policies_, this)));
+}
+
 void KeyPermissions::SetPlatformKeysOfExtension(const std::string& extension_id,
                                                 scoped_ptr<base::Value> value) {
   extensions_state_store_->SetExtensionValue(
       extension_id, kStateStorePlatformKeys, value.Pass());
 }
 
-void KeyPermissions::CreatePermissionObjectAndPassToCallback(
-    const std::string& extension_id,
-    const PermissionsCallback& callback,
-    scoped_ptr<base::Value> value) {
-  callback.Run(make_scoped_ptr(
-      new PermissionsForExtension(extension_id, value.Pass(), this)));
+const base::DictionaryValue* KeyPermissions::GetPrefsEntry(
+    const std::string& public_key_spki_der) {
+  std::string public_key_spki_der_b64;
+  base::Base64Encode(public_key_spki_der, &public_key_spki_der_b64);
+
+  const base::DictionaryValue* platform_keys =
+      profile_prefs_->GetDictionary(prefs::kPlatformKeys);
+
+  const base::DictionaryValue* key_entry = nullptr;
+  platform_keys->GetDictionaryWithoutPathExpansion(public_key_spki_der_b64,
+                                                   &key_entry);
+  return key_entry;
 }
 
 }  // namespace chromeos