Prevent ONC-pushed certificates from being used with multiprofiles.

chrome/browser/chromeos/login/multi_profile_user_controller.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/multi_profile_user_controller.h"
 
 #include "base/bind.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/prefs/pref_change_registrar.h"
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/pref_service.h"
 #include "base/prefs/scoped_user_pref_update.h"
 #include "chrome/browser/chromeos/login/multi_profile_user_controller_delegate.h"
+#include "chrome/browser/chromeos/login/user.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
+#include "chrome/browser/chromeos/policy/policy_cert_service.h"
+#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
 #include "chrome/browser/prefs/pref_service_syncable.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/pref_names.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 
 namespace chromeos {
 
 namespace {
 
 std::string SanitizeBehaviorValue(const std::string& value) {
@@ skipping 48 matching lines @@
 
   // Always allow if there is no primary user or user being checked is the
   // primary user.
   if (primary_user_email.empty() || primary_user_email == user_email)
     return true;
 
   // Owner is not allowed to be secondary user.
   if (user_manager->GetOwnerEmail() == user_email)
     return false;
 
+  // Don't allow profiles potentially tainted by data fetched with policy-pushed
+  // certificates to join a multiprofile session.
+  if (policy::PolicyCertServiceFactory::UsedPolicyCertificates(user_email))
+    return false;
+
+  // Don't allow any secondary profiles if the primary profile is potentially
+  // tainted.
+  const User* primary_user = user_manager->GetPrimaryUser();
+  Profile* profile =
+      primary_user ? user_manager->GetProfileByUser(primary_user) : NULL;
+  policy::PolicyCertService* service =
+      profile ? policy::PolicyCertServiceFactory::GetForProfile(profile) : NULL;
+  if (service && (service->UsedPolicyCertificates() ||
+                  service->has_policy_certificates())) {
+    return false;
+  }
+
   // No user is allowed if the primary user policy forbids it.
   const std::string primary_user_behavior = GetCachedValue(primary_user_email);
   if (primary_user_behavior == kBehaviorNotAllowed)
     return false;
 
   // The user must have 'unrestricted' policy to be a secondary user.
   const std::string behavior = GetCachedValue(user_email);
   return behavior == kBehaviorUnrestricted;
 }
 
 void MultiProfileUserController::StartObserving(Profile* user_profile) {
   // Profile name could be empty during tests.
   if (user_profile->GetProfileName().empty())
     return;
 
   scoped_ptr<PrefChangeRegistrar> registrar(new PrefChangeRegistrar);
   registrar->Init(user_profile->GetPrefs());
   registrar->Add(
       prefs::kMultiProfileUserBehavior,
       base::Bind(&MultiProfileUserController::OnUserPrefChanged,
                  base::Unretained(this),
                  user_profile));
   pref_watchers_.push_back(registrar.release());
 
   OnUserPrefChanged(user_profile);
 }
 
-void MultiProfileUserController::RemoveCachedValue(
+void MultiProfileUserController::RemoveCachedValues(
     const std::string& user_email) {
   DictionaryPrefUpdate update(local_state_,
                               prefs::kCachedMultiProfileUserBehavior);
   update->RemoveWithoutPathExpansion(user_email, NULL);
+  policy::PolicyCertServiceFactory::ClearUsedPolicyCertificates(user_email);

[pneubeck (no reviews), 2013/12/18 09:11:07]

i think the old place was better for this as the tainting information is used by
multiprofile, but doesn't depend on it.

[Joao da Silva, 2013/12/18 09:40:13]

I'd prefer to have this next to the code that calls the Set() (which is
PolicyCertService), but its profile does not exist when the user is deleted. So
it has to be in UserManagerImpl or in one of the methods that it calls; since
the test logic is here and there's also cleanup logic in this class then I think
this is the least bad place.

 }
 
 std::string MultiProfileUserController::GetCachedValue(
     const std::string& user_email) const {
   const DictionaryValue* dict =
       local_state_->GetDictionary(prefs::kCachedMultiProfileUserBehavior);
   std::string value;
   if (dict && dict->GetStringWithoutPathExpansion(user_email, &value))
     return SanitizeBehaviorValue(value);
 
@@ skipping 27 matching lines @@
 
   PrefService* prefs = user_profile->GetPrefs();
   const std::string behavior =
       prefs->GetString(prefs::kMultiProfileUserBehavior);
   SetCachedValue(user_email, behavior);
 
   CheckSessionUsers();
 }
 
 }  // namespace chromeos