Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(57)

Issue 116273002: Added support for signed policy blobs on desktop. (Closed)

Created:
7 years ago by Andrew T Wilson (Slow)
Modified:
6 years, 10 months ago
CC:
chromium-reviews
Visibility:
Public.

Description

Added support for signed policy blobs on desktop. PolicyFetchRequests on desktop now request signed policy blobs. Also added plumbing for injecting a google-supplied key to verify the blob signing keys to protect against local tampering. BUG=275291 TBR=joaodasilva@chromium.org Committed: https://src.chromium.org/viewvc/chrome?view=rev&revision=248416

Patch Set 1 #

Patch Set 2 : Sync to ToT #

Patch Set 3 : Checkpoint that compiles. #

Patch Set 4 : Fixed components_unittests errors. #

Patch Set 5 : Fixed components issues. #

Patch Set 6 : Compiling locally. #

Patch Set 7 : Added tests, merged to ToT. #

Patch Set 8 : Fixed clang issues. #

Patch Set 9 : Added test for migration case. #

Patch Set 10 : Fixed cros issues. #

Patch Set 11 : Cleanup from self-review + cros clang fix. #

Total comments: 62

Patch Set 12 : Review feedback. #

Patch Set 13 : Fix for ios. #

Total comments: 2
Unified diffs Side-by-side diffs Delta from patch set Stats (+777 lines, -147 lines) Patch
M build/ios/grit_whitelist.txt View 1 2 3 4 5 6 7 8 9 10 11 12 1 chunk +1 line, -0 lines 0 comments Download
M chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.cc View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +1 line, -0 lines 0 comments Download
M chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc View 1 2 3 4 5 6 7 8 9 10 11 12 2 chunks +5 lines, -2 lines 0 comments Download
M chrome/browser/chromeos/policy/device_local_account_policy_service.cc View 1 2 3 4 5 6 7 8 9 1 chunk +1 line, -0 lines 0 comments Download
M chrome/browser/chromeos/policy/device_local_account_policy_store.cc View 1 2 3 4 5 6 7 8 9 1 chunk +4 lines, -1 line 0 comments Download
M chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc View 1 2 3 4 5 6 7 8 9 1 chunk +1 line, -1 line 0 comments Download
M chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.cc View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +2 lines, -1 line 0 comments Download
M chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h View 1 2 3 4 5 2 chunks +3 lines, -3 lines 0 comments Download
M chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc View 1 2 3 4 5 6 7 8 9 10 11 10 chunks +26 lines, -14 lines 0 comments Download
M chrome/browser/chromeos/settings/device_settings_service.h View 1 2 3 4 5 6 7 8 9 10 11 2 chunks +7 lines, -0 lines 0 comments Download
M chrome/browser/chromeos/settings/session_manager_operation.cc View 1 2 3 4 5 6 7 8 9 1 chunk +4 lines, -1 line 0 comments Download
M chrome/browser/chromeos/settings/session_manager_operation_unittest.cc View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +10 lines, -1 line 0 comments Download
M chrome/browser/policy/cloud/policy_header_service_factory.cc View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +4 lines, -2 lines 0 comments Download
M chrome/browser/policy/cloud/user_cloud_policy_manager_factory.cc View 1 2 3 4 5 6 7 8 9 10 11 2 chunks +4 lines, -1 line 0 comments Download
M components/policy.gypi View 1 2 3 4 5 6 1 chunk +1 line, -0 lines 0 comments Download
M components/policy/core/DEPS View 1 2 1 chunk +1 line, -0 lines 0 comments Download
M components/policy/core/browser/cloud/message_util.cc View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +4 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_client.h View 1 2 2 chunks +4 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_client.cc View 1 2 3 4 5 6 7 8 9 10 2 chunks +6 lines, -6 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_client_unittest.cc View 1 2 3 4 5 2 chunks +2 lines, -4 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_constants.h View 1 2 3 4 5 1 chunk +5 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_constants.cc View 1 2 3 4 5 6 7 8 9 10 2 chunks +51 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_validator.h View 1 2 3 4 5 6 7 8 9 10 11 6 chunks +37 lines, -9 lines 0 comments Download
M components/policy/core/common/cloud/cloud_policy_validator.cc View 1 2 3 4 5 6 7 8 9 10 11 7 chunks +108 lines, -6 lines 2 comments Download
M components/policy/core/common/cloud/cloud_policy_validator_unittest.cc View 1 2 3 4 5 6 7 8 9 10 11 3 chunks +15 lines, -4 lines 0 comments Download
M components/policy/core/common/cloud/mock_cloud_policy_client.cc View 1 2 1 chunk +1 line, -0 lines 0 comments Download
M components/policy/core/common/cloud/mock_user_cloud_policy_store.cc View 1 2 1 chunk +2 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/policy_builder.h View 1 2 3 4 5 6 7 8 9 10 11 2 chunks +10 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/policy_builder.cc View 1 2 3 4 5 6 7 8 9 10 11 3 chunks +23 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/policy_header_service.h View 1 2 2 chunks +4 lines, -0 lines 0 comments Download
M components/policy/core/common/cloud/policy_header_service.cc View 1 2 3 4 5 6 7 8 9 10 2 chunks +18 lines, -3 lines 0 comments Download
M components/policy/core/common/cloud/policy_header_service_unittest.cc View 1 2 3 2 chunks +5 lines, -2 lines 0 comments Download
M components/policy/core/common/cloud/user_cloud_policy_manager.h View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +2 lines, -1 line 0 comments Download
M components/policy/core/common/cloud/user_cloud_policy_manager.cc View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +1 line, -0 lines 0 comments Download
M components/policy/core/common/cloud/user_cloud_policy_store.h View 1 2 3 4 5 6 chunks +21 lines, -2 lines 0 comments Download
M components/policy/core/common/cloud/user_cloud_policy_store.cc View 1 2 3 4 5 6 7 8 9 10 11 12 chunks +163 lines, -26 lines 0 comments Download
M components/policy/core/common/cloud/user_cloud_policy_store_unittest.cc View 1 2 3 4 5 6 7 8 9 10 11 15 chunks +165 lines, -57 lines 0 comments Download
M components/policy/core/common/policy_switches.h View 1 2 3 4 5 6 1 chunk +1 line, -0 lines 0 comments Download
M components/policy/core/common/policy_switches.cc View 1 2 3 4 5 6 1 chunk +3 lines, -0 lines 0 comments Download
M components/policy/proto/device_management_backend.proto View 1 2 2 chunks +28 lines, -0 lines 0 comments Download
A components/policy/proto/policy_signing_key.proto View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +20 lines, -0 lines 0 comments Download
M components/policy_strings.grdp View 1 2 3 4 5 6 7 8 9 10 11 1 chunk +3 lines, -0 lines 0 comments Download

Messages

Total messages: 18 (0 generated)
Andrew T Wilson (Slow)
PTAL
6 years, 11 months ago (2014-01-25 00:18:12 UTC) #1
Mattias Nissler (ping if slow)
Here's the initial review. https://codereview.chromium.org/116273002/diff/490001/chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc File chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc (right): https://codereview.chromium.org/116273002/diff/490001/chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc#newcode51 chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc:51: GetPolicyVerificationKey(), So we actually do ...
6 years, 11 months ago (2014-01-27 13:52:12 UTC) #2
Andrew T Wilson (Slow)
PTAL https://codereview.chromium.org/116273002/diff/490001/chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc File chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc (right): https://codereview.chromium.org/116273002/diff/490001/chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc#newcode51 chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc:51: GetPolicyVerificationKey(), On 2014/01/27 13:52:13, Mattias Nissler wrote: > ...
6 years, 10 months ago (2014-01-30 17:10:30 UTC) #3
Mattias Nissler (ping if slow)
This LGTM, improvements can be done in subsequent CLs. https://codereview.chromium.org/116273002/diff/490001/components/policy/core/common/cloud/policy_builder.cc File components/policy/core/common/cloud/policy_builder.cc (right): https://codereview.chromium.org/116273002/diff/490001/components/policy/core/common/cloud/policy_builder.cc#newcode182 components/policy/core/common/cloud/policy_builder.cc:182: ...
6 years, 10 months ago (2014-01-31 21:00:34 UTC) #4
Andrew T Wilson (Slow)
Done, landing, will push a separate CL to address any further comments. https://codereview.chromium.org/116273002/diff/490001/components/policy/core/common/cloud/policy_builder.cc File components/policy/core/common/cloud/policy_builder.cc ...
6 years, 10 months ago (2014-02-02 11:31:57 UTC) #5
Andrew T Wilson (Slow)
The CQ bit was checked by atwilson@chromium.org
6 years, 10 months ago (2014-02-02 11:32:32 UTC) #6
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/atwilson@chromium.org/116273002/690001
6 years, 10 months ago (2014-02-02 11:32:43 UTC) #7
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 10 months ago (2014-02-02 11:57:27 UTC) #8
commit-bot: I haz the power
Retried try job too often on chromium_presubmit for step(s) presubmit http://build.chromium.org/p/tryserver.chromium/buildstatus?builder=chromium_presubmit&number=47576
6 years, 10 months ago (2014-02-02 11:57:28 UTC) #9
commit-bot: I haz the power
CQ bit was unchecked on CL. Ignoring.
6 years, 10 months ago (2014-02-02 11:57:30 UTC) #10
commit-bot: I haz the power
CQ bit was unchecked on CL. Ignoring.
6 years, 10 months ago (2014-02-02 11:57:33 UTC) #11
Andrew T Wilson (Slow)
On 2014/02/02 11:57:33, I haz the power (commit-bot) wrote: > CQ bit was unchecked on ...
6 years, 10 months ago (2014-02-02 15:11:27 UTC) #12
Andrew T Wilson (Slow)
The CQ bit was checked by atwilson@chromium.org
6 years, 10 months ago (2014-02-02 15:11:39 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/atwilson@chromium.org/116273002/690001
6 years, 10 months ago (2014-02-02 15:11:47 UTC) #14
commit-bot: I haz the power
Change committed as 248416
6 years, 10 months ago (2014-02-02 17:28:47 UTC) #15
commit-bot: I haz the power
CQ bit was unchecked on CL. Ignoring.
6 years, 10 months ago (2014-02-02 17:28:54 UTC) #16
commit-bot: I haz the power
CQ bit was unchecked on CL. Ignoring.
6 years, 10 months ago (2014-02-02 17:28:55 UTC) #17
Joao da Silva
6 years, 10 months ago (2014-02-03 09:11:34 UTC) #18
Message was sent while issue was closed.
An approval from a "foo" owner is required when "foo" is added to "policy/DEPS".
The "policy/proto" includes come from generated files that have no OWNERS and
it's fine to bypass these errors, IMO.

checkdeps.py can probably be improved to avoid these false positives.

Powered by Google App Engine
This is Rietveld 408576698