platformKeys: Add policy and corporate key tagging.

chrome/browser/chromeos/platform_keys/key_permissions.h

Index: chrome/browser/chromeos/platform_keys/key_permissions.h
diff --git a/chrome/browser/chromeos/platform_keys/key_permissions.h b/chrome/browser/chromeos/platform_keys/key_permissions.h
index af584e2d10c60696045c9fc4077abbaaee7c2c69..46b159ff67894b1e58da7f9677f8a902f3fa397f 100644
--- a/chrome/browser/chromeos/platform_keys/key_permissions.h
+++ b/chrome/browser/chromeos/platform_keys/key_permissions.h
@@ -12,7 +12,10 @@
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/weak_ptr.h"
 
+class PrefService;
+
 namespace base {
+class DictionaryValue;
 class Value;
 }
 
@@ -20,6 +23,14 @@ namespace extensions {
 class StateStore;
 }
 
+namespace policy {
+class PolicyService;
+}
+
+namespace user_prefs {
+class PrefRegistrySyncable;
+}
+
 namespace chromeos {
 
 // This class manages permissions for extensions to use private keys through
@@ -29,6 +40,10 @@ namespace chromeos {
 //    data with that key at most once.
 //  * The user can explicitly grant an extension the permission to sign
 //    arbitrary data with a key an unlimited number of times.
+//
+// Additionally, it takes care of restrictions that apply on managed profiles,
+// applies the KeyPermissions policy and distinguishes corporate from
+// non-corporate keys.
 class KeyPermissions {
  public:
   // Allows querying and modifying permissions and registering keys for a
@@ -41,6 +56,8 @@ class KeyPermissions {
     // |KeyPermissions::GetPermissionsForExtension| instead.
     PermissionsForExtension(const std::string& extension_id,
                             scoped_ptr<base::Value> state_store_value,
+                            PrefService* profile_prefs,
+                            policy::PolicyService* profile_policies,
                             KeyPermissions* key_permissions);
 
     ~PermissionsForExtension();
@@ -92,17 +109,26 @@ class KeyPermissions {
     KeyPermissions::PermissionsForExtension::KeyEntry* GetStateStoreEntry(
         const std::string& public_key_spki_der_b64);
 
+    bool PolicyAllowsCorporateKeyUsage();
+
     const std::string extension_id_;
     std::vector<KeyEntry> state_store_entries_;
+    PrefService* const profile_prefs_;
+    policy::PolicyService* const profile_policies_;
     KeyPermissions* const key_permissions_;
 
     DISALLOW_COPY_AND_ASSIGN(PermissionsForExtension);
   };
 
-  // |extensions_state_store| must not be null and outlive this object.
+  // |profile_prefs| and |extensions_state_store| must not be null and outlive
+  // this object.
+  // If |profile_is_managed| is false, |profile_policies| is ignored. Otherwise,
+  // |profile_policies| must not be null and outlive this object.
   // |profile_is_managed| determines the default usage and permissions for
   // keys without explicitly assigned usage.
   KeyPermissions(bool profile_is_managed,
+                 PrefService* profile_prefs,
+                 policy::PolicyService* profile_policies,
                  extensions::StateStore* extensions_state_store);
 
   ~KeyPermissions();
@@ -121,7 +147,11 @@ class KeyPermissions {
   // Key Info.
   bool CanUserGrantPermissionFor(const std::string& public_key_spki_der);
 
+  static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
+
  private:
+  bool IsCorporateKey(const std::string& public_key_spki_der_b64);
+
   // Creates a PermissionsForExtension object from |extension_id| and |value|
   // and passes the object to |callback|.
   void CreatePermissionObjectAndPassToCallback(
@@ -133,7 +163,12 @@ class KeyPermissions {
   void SetPlatformKeysOfExtension(const std::string& extension_id,
                                   scoped_ptr<base::Value> value);
 
+  const base::DictionaryValue* GetPrefsEntry(
+      const std::string& public_key_spki_der_b64);
+
   const bool profile_is_managed_;
+  PrefService* const profile_prefs_;
+  policy::PolicyService* const profile_policies_;
   extensions::StateStore* const extensions_state_store_;
   base::WeakPtrFactory<KeyPermissions> weak_factory_;