chrome/browser/chromeos/login/multi_profile_user_controller.cc - Issue 117263002: Prevent ONC-pushed certificates from being used with multiprofiles.

Side by Side Diff: chrome/browser/chromeos/login/multi_profile_user_controller.cc

Issue 117263002: Prevent ONC-pushed certificates from being used with multiprofiles. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: fixed login_utils_browsertest Created 7 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « no previous file | chrome/browser/chromeos/login/multi_profile_user_controller_unittest.cc » ('j') | chrome/browser/chromeos/login/multi_profile_user_controller_unittest.cc » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2013 The Chromium Authors. All rights reserved.	1 // Copyright 2013 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/browser/chromeos/login/multi_profile_user_controller.h"	5 #include "chrome/browser/chromeos/login/multi_profile_user_controller.h"

6	6

7 #include "base/bind.h"	7 #include "base/bind.h"

8 #include "base/memory/scoped_ptr.h"	8 #include "base/memory/scoped_ptr.h"

9 #include "base/prefs/pref_change_registrar.h"	9 #include "base/prefs/pref_change_registrar.h"

10 #include "base/prefs/pref_registry_simple.h"	10 #include "base/prefs/pref_registry_simple.h"

11 #include "base/prefs/pref_service.h"	11 #include "base/prefs/pref_service.h"

12 #include "base/prefs/scoped_user_pref_update.h"	12 #include "base/prefs/scoped_user_pref_update.h"

13 #include "chrome/browser/chromeos/login/multi_profile_user_controller_delegate.h "	13 #include "chrome/browser/chromeos/login/multi_profile_user_controller_delegate.h "

14 #include "chrome/browser/chromeos/login/user_manager.h"	14 #include "chrome/browser/chromeos/login/user_manager.h"

	15 #include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"

15 #include "chrome/browser/prefs/pref_service_syncable.h"	16 #include "chrome/browser/prefs/pref_service_syncable.h"

16 #include "chrome/browser/profiles/profile.h"	17 #include "chrome/browser/profiles/profile.h"

17 #include "chrome/common/pref_names.h"	18 #include "chrome/common/pref_names.h"

18 #include "google_apis/gaia/gaia_auth_util.h"	19 #include "google_apis/gaia/gaia_auth_util.h"

19	20

20 namespace chromeos {	21 namespace chromeos {

21	22

22 namespace {	23 namespace {

23	24

24 std::string SanitizeBehaviorValue(const std::string& value) {	25 std::string SanitizeBehaviorValue(const std::string& value) {

(...skipping 48 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
73	74

74 // Always allow if there is no primary user or user being checked is the	75 // Always allow if there is no primary user or user being checked is the

75 // primary user.	76 // primary user.

76 if (primary_user_email.empty() \|\| primary_user_email == user_email)	77 if (primary_user_email.empty() \|\| primary_user_email == user_email)

77 return true;	78 return true;

78	79

79 // Owner is not allowed to be secondary user.	80 // Owner is not allowed to be secondary user.

80 if (user_manager->GetOwnerEmail() == user_email)	81 if (user_manager->GetOwnerEmail() == user_email)

81 return false;	82 return false;

82	83

	84 // Don't allow profiles potentially tainted by data fetched with policy-pushed

	85 // certificates to join a multiprofile session.

	86 if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email))
	Nikita (slow) 2013/12/17 18:42:05 What if you have primary user in session that has What if you have primary user in session that has such certificates. Are you allowed to add other users into that session? Joao da Silva 2013/12/17 20:44:21 No, that is not allowed. That used to be handled i Show quoted text On 2013/12/17 18:42:05, Nikita Kostylev wrote: > What if you have primary user in session that has such certificates. > Are you allowed to add other users into that session? No, that is not allowed. That used to be handled in the chrome_shell_delegate.cc and has been moved here. Turns out that if this is always false (which is the case when the primary user has certificates) then the list of allowed users is empty, which achieves the same on the UI.
	87 return false;

	88

83 // No user is allowed if the primary user policy forbids it.	89 // No user is allowed if the primary user policy forbids it.

84 const std::string primary_user_behavior = GetCachedValue(primary_user_email);	90 const std::string primary_user_behavior = GetCachedValue(primary_user_email);

85 if (primary_user_behavior == kBehaviorNotAllowed)	91 if (primary_user_behavior == kBehaviorNotAllowed)

86 return false;	92 return false;

87	93

88 // The user must have 'unrestricted' policy to be a secondary user.	94 // The user must have 'unrestricted' policy to be a secondary user.

89 const std::string behavior = GetCachedValue(user_email);	95 const std::string behavior = GetCachedValue(user_email);

90 return behavior == kBehaviorUnrestricted;	96 return behavior == kBehaviorUnrestricted;

91 }	97 }

92	98

(...skipping 59 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
152	158

153 PrefService* prefs = user_profile->GetPrefs();	159 PrefService* prefs = user_profile->GetPrefs();

154 const std::string behavior =	160 const std::string behavior =

155 prefs->GetString(prefs::kMultiProfileUserBehavior);	161 prefs->GetString(prefs::kMultiProfileUserBehavior);

156 SetCachedValue(user_email, behavior);	162 SetCachedValue(user_email, behavior);

157	163

158 CheckSessionUsers();	164 CheckSessionUsers();

159 }	165 }

160	166

161 } // namespace chromeos	167 } // namespace chromeos

OLD	NEW