
Unified Diff: chrome/browser/chromeos/platform_keys/key_permissions.h

Issue 1150373002: platformKeys: Add policy and corporate key tagging. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@key_perm
Patch Set: Rebased. Created 5 years, 6 months ago
Index: chrome/browser/chromeos/platform_keys/key_permissions.h
diff --git a/chrome/browser/chromeos/platform_keys/key_permissions.h b/chrome/browser/chromeos/platform_keys/key_permissions.h
index af584e2d10c60696045c9fc4077abbaaee7c2c69..69eb4038aebb24ef81c4a5a6719be3953ef9367b 100644
--- a/chrome/browser/chromeos/platform_keys/key_permissions.h
+++ b/chrome/browser/chromeos/platform_keys/key_permissions.h
@@ -12,7 +12,10 @@
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
+class PrefService;
+
namespace base {
+class DictionaryValue;
class Value;
}
@@ -20,15 +23,53 @@ namespace extensions {
class StateStore;
}
+namespace policy {
+class PolicyService;
+}
+
+namespace user_prefs {
+class PrefRegistrySyncable;
+}
+
namespace chromeos {
// This class manages permissions for extensions to use private keys through
-// chrome.platformKeys .
-// It handles the following permissions:
-// * The extension that generated a key has the permission to sign arbitrary
-// data with that key at most once.
-// * The user can explicitly grant an extension the permission to sign
-// arbitrary data with a key an unlimited number of times.
+// chrome.platformKeys or chrome.enterprise.platformKeys .
+// The permission model depends on whether the user account is managed or not.
+//
+// ** If the user account is not managed **
+// The user is under full control of the keys that are generated or imported
+// while the device is not managed. For that, a user can grant a specific
+// extension the permission to sign arbitrary data with a specific key for an
+// unlimited number of times.
+//
+// ** If the user account is managed **
+// The administrator is in charge of granting access to keys that are meant for
+// corporate usage.
+//
+// As not every key is meant for corporate usage but probably for the user's
+// private usage, this class introduces the concept of tagging keys with the
+// intended purpose of the key. Currently, the only usage that can be assigned
+// to a key is "corporate".
+//
+// Every key that is generated by the chrome.enterprise.platformKeys API (which
+// requires the user account to be managed), is marked for corporate usage.
+// Any key that is generated or imported by other means is currently not marked
+// for corporate usage.
+//
+// The KeyPermissions policy allows the administrator to list exactly the
+// extensions that are allowed to use such corporate keys. Non-corporate keys
+// are not affected. This policy is the only means to grant this permission.
+//
+// ** One-off Permission for the Certification Requests **
+// Independent of the above, the extension that generates a key using the
+// chrome.enterprise.platformKeys API is allowed to sign arbitrary data with the
+// private key for a single time in order to create a certification request.
+// The assumption is that certification requests usually require a signature of
+// data including the public key. So the one-off permission implies that once a
+// certificate authority creates the certificate of the generated key, the
+// generating extension isn't able to use the key anymore except if explicitly
+// permitted by the administrator.
class KeyPermissions {
public:
// Allows querying and modifying permissions and registering keys for a
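Review bot: The new class comment mixes two different notions of "managed": the heading on the line `** If the user account is not managed **` speaks of the account, while the following paragraph says the user controls keys generated or imported "while the device is not managed". Since the rest of the comment (and the `profile_is_managed` constructor argument further down) is about the profile/account, suggest changing that sentence to `// while the user account is not managed.` so the scope of user control is stated consistently. The sentence "for an unlimited number of times" also reads better as "an unlimited number of times". The class body continues outside the hunk.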
@@ -41,6 +82,8 @@ class KeyPermissions {
// |KeyPermissions::GetPermissionsForExtension| instead.
PermissionsForExtension(const std::string& extension_id,
scoped_ptr<base::Value> state_store_value,
+ PrefService* profile_prefs,
+ policy::PolicyService* profile_policies,
KeyPermissions* key_permissions);
~PermissionsForExtension();
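Review bot: The `profile_prefs` and `profile_policies` parameters added to the PermissionsForExtension constructor carry no nullability or lifetime contract, whereas the KeyPermissions constructor later in this file states both and explicitly allows a null `profile_policies` for unmanaged profiles. A reader cannot tell from the header whether this constructor inherits that allowance or requires non-null pointers. Suggest preceding the declaration with `// |profile_prefs| must not be null and must outlive this object. |profile_policies| may be null if the profile is not managed; otherwise it must not be null and must outlive this object.`, adjusted to whatever the implementation actually requires. The comment block above the constructor starts outside the hunk.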
@@ -92,17 +135,26 @@ class KeyPermissions {
KeyPermissions::PermissionsForExtension::KeyEntry* GetStateStoreEntry(
const std::string& public_key_spki_der_b64);
+ bool PolicyAllowsCorporateKeyUsage() const;
+
const std::string extension_id_;
std::vector<KeyEntry> state_store_entries_;
+ PrefService* const profile_prefs_;
+ policy::PolicyService* const profile_policies_;
KeyPermissions* const key_permissions_;
DISALLOW_COPY_AND_ASSIGN(PermissionsForExtension);
};
- // |extensions_state_store| must not be null and outlive this object.
+ // |profile_prefs| and |extensions_state_store| must not be null and must
+ // outlive this object.
+ // If |profile_is_managed| is false, |profile_policies| is ignored. Otherwise,
+ // |profile_policies| must not be null and must outlive this object.
// |profile_is_managed| determines the default usage and permissions for
// keys without explicitly assigned usage.
KeyPermissions(bool profile_is_managed,
+ PrefService* profile_prefs,
+ policy::PolicyService* profile_policies,
extensions::StateStore* extensions_state_store);
~KeyPermissions();
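Review bot: `PolicyAllowsCorporateKeyUsage()` at the top of this hunk is declared without a comment, and the KeyPermissions constructor comment in the same hunk allows `profile_policies` to be null for unmanaged profiles, so the header does not say how this method behaves when `profile_policies_` is null. Suggest `// Returns true if the KeyPermissions policy lists this extension as allowed to use corporate keys. Only valid if |profile_policies_| is non-null (i.e. the profile is managed).` if that is the implementation's precondition; if it instead returns false for a null policy service, state that. Since this method is the gate for corporate key usage, the exact contract is worth pinning in the header. The enclosing PermissionsForExtension class starts outside the hunk.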
@@ -119,9 +171,13 @@ class KeyPermissions {
// Returns true if the user can grant any permission for |public_key_spki_der|
// to extensions. |public_key_spki_der| must be the DER of a Subject Public
// Key Info.
- bool CanUserGrantPermissionFor(const std::string& public_key_spki_der);
+ bool CanUserGrantPermissionFor(const std::string& public_key_spki_der) const;
+
+ static void RegisterProfilePrefs(user_prefs::PrefRegistrySyncable* registry);
private:
+ bool IsCorporateKey(const std::string& public_key_spki_der_b64) const;
+
// Creates a PermissionsForExtension object from |extension_id| and |value|
// and passes the object to |callback|.
void CreatePermissionObjectAndPassToCallback(
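Review bot: `RegisterProfilePrefs` and `IsCorporateKey` are added without comments, although the concepts they rely on are only explained in the class comment. For `IsCorporateKey` suggest `// Returns true if the key with base64-encoded SPKI DER |public_key_spki_der_b64| is tagged for corporate usage.`, and for `RegisterProfilePrefs` a one-line comment naming the pref it registers (the pref name is not visible in this header). The encoding difference is worth spelling out: `IsCorporateKey` takes the base64-encoded key while `CanUserGrantPermissionFor` just above takes raw DER, so a comment prevents callers from passing the wrong form. The class body continues outside the hunk.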
@@ -133,7 +189,12 @@ class KeyPermissions {
void SetPlatformKeysOfExtension(const std::string& extension_id,
scoped_ptr<base::Value> value);
+ const base::DictionaryValue* GetPrefsEntry(
+ const std::string& public_key_spki_der_b64) const;
+
const bool profile_is_managed_;
+ PrefService* const profile_prefs_;
+ policy::PolicyService* const profile_policies_;
extensions::StateStore* const extensions_state_store_;
base::WeakPtrFactory<KeyPermissions> weak_factory_;
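Review bot: `GetPrefsEntry` returns a raw `const base::DictionaryValue*` with no comment on ownership or whether the result can be null. Suggest `// Returns the prefs entry for the key with base64-encoded SPKI DER |public_key_spki_der_b64|, or nullptr if there is none. The returned value is owned by |profile_prefs_|.` if that matches the implementation; a raw pointer return with no stated lifetime invites callers to keep it across a pref update. The class body ends outside the hunk.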
