Verify the signature on user cloud policy downloads.

chrome/browser/policy/browser_policy_connector.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/browser_policy_connector.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/command_line.h"
-#include "base/file_path.h"
 #include "base/message_loop.h"
 #include "base/path_service.h"
 #include "base/string_util.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/policy/async_policy_provider.h"
 #include "chrome/browser/policy/cloud_policy_client.h"
 #include "chrome/browser/policy/cloud_policy_service.h"
 #include "chrome/browser/policy/configuration_policy_provider.h"
 #include "chrome/browser/policy/device_management_service.h"
@@ skipping 49 matching lines @@
 namespace policy {
 
 namespace {
 
 // Subdirectory in the user's profile for storing user policies.
 const FilePath::CharType kPolicyDir[] = FILE_PATH_LITERAL("Device Management");
 // File in the above directory for stroing user policy dmtokens.
 const FilePath::CharType kTokenCacheFile[] = FILE_PATH_LITERAL("Token");
 // File in the above directory for storing user policy data.
 const FilePath::CharType kPolicyCacheFile[] = FILE_PATH_LITERAL("Policy");
+// Path that contains the user policy keys after the user's vault is mounted.
+// This is appended to |g_root_path|.
+const FilePath::CharType kUserPolicyKeyDir[] =
+    FILE_PATH_LITERAL("var/run/user_policy");
 
 // The following constants define delays applied before the initial policy fetch
 // on startup. (So that displaying Chrome's GUI does not get delayed.)
 // Delay in milliseconds from startup.
 const int64 kServiceInitializationStartupDelay = 5000;
 
 // Default policy refresh rate.
 const int64 kDefaultPolicyRefreshRateMs = 3 * 60 * 60 * 1000;  // 3 hours.
 
 // The URL for the device management server.
 const char kDefaultDeviceManagementServerUrl[] =
     "https://m.google.com/devicemanagement/data/api";
 
 // Used in BrowserPolicyConnector::SetPolicyProviderForTesting.
 ConfigurationPolicyProvider* g_testing_provider = NULL;
 
+// Used in BrowserPolicyConnector::SetRootPathForTesting.
+const FilePath::CharType* g_root_path = FILE_PATH_LITERAL("/");
+
 }  // namespace
 
 BrowserPolicyConnector::BrowserPolicyConnector()
     : is_initialized_(false),
       ALLOW_THIS_IN_INITIALIZER_LIST(weak_ptr_factory_(this)) {}
 
 BrowserPolicyConnector::~BrowserPolicyConnector() {
   if (is_initialized()) {
     // Shutdown() wasn't invoked by our owner after having called Init().
     // This usually means it's an early shutdown and
@@ skipping 142 matching lines @@
 
   CommandLine* command_line = CommandLine::ForCurrentProcess();
 
   FilePath profile_dir;
   PathService::Get(chrome::DIR_USER_DATA, &profile_dir);
   profile_dir = profile_dir.Append(
       command_line->GetSwitchValuePath(switches::kLoginProfile));
   const FilePath policy_dir = profile_dir.Append(kPolicyDir);
   const FilePath policy_cache_file = policy_dir.Append(kPolicyCacheFile);
   const FilePath token_cache_file = policy_dir.Append(kTokenCacheFile);
+  const FilePath root_path(g_root_path);
+  const FilePath policy_key_dir(root_path.Append(kUserPolicyKeyDir));
 
   if (wait_for_policy_fetch)
     device_management_service_->ScheduleInitialization(0);
   if (is_public_account && device_local_account_policy_service_.get()) {
     device_local_account_policy_provider_.reset(
         new DeviceLocalAccountPolicyProvider(
             user_name, device_local_account_policy_service_.get()));
 
     device_local_account_policy_provider_->Init();
     global_user_cloud_policy_provider_.SetDelegate(
         device_local_account_policy_provider_.get());
   } else if (!IsNonEnterpriseUser(user_name)) {
     scoped_ptr<CloudPolicyStore> store(
         new UserCloudPolicyStoreChromeOS(
+            chromeos::DBusThreadManager::Get()->GetCryptohomeClient(),
             chromeos::DBusThreadManager::Get()->GetSessionManagerClient(),
-            user_name, token_cache_file, policy_cache_file));
+            user_name, policy_key_dir, token_cache_file, policy_cache_file));
     user_cloud_policy_manager_.reset(
         new UserCloudPolicyManagerChromeOS(store.Pass(),
                                            wait_for_policy_fetch));
 
     user_cloud_policy_manager_->Init();
     user_cloud_policy_manager_->Connect(g_browser_process->local_state(),
                                         device_management_service_.get(),
                                         GetUserAffiliation(user_name));
     global_user_cloud_policy_provider_.SetDelegate(
         user_cloud_policy_manager_.get());
@@ skipping 39 matching lines @@
     BrowserPolicyConnector::GetNetworkConfigurationUpdater() {
   if (!network_configuration_updater_.get()) {
     network_configuration_updater_.reset(new NetworkConfigurationUpdater(
         g_browser_process->policy_service(),
         chromeos::CrosLibrary::Get()->GetNetworkLibrary()));
   }
   return network_configuration_updater_.get();
 }
 #endif
 
+// static
+void BrowserPolicyConnector::SetRootPathForTesting(
+    const FilePath::CharType* root_path) {
+  g_root_path = root_path;
+}
+
 void BrowserPolicyConnector::SetDeviceManagementServiceForTesting(
     scoped_ptr<DeviceManagementService> service) {
   device_management_service_ = service.Pass();
 }
 
 // static
 void BrowserPolicyConnector::SetPolicyProviderForTesting(
     ConfigurationPolicyProvider* provider) {
   CHECK(!g_browser_process) << "Must be invoked before the browser is created";
   DCHECK(!g_testing_provider);
@@ skipping 185 matching lines @@
     return new AsyncPolicyProvider(loader.Pass());
   } else {
     return NULL;
   }
 #else
   return NULL;
 #endif
 }
 
 }  // namespace policy