Verify the signature on user cloud policy downloads.

chrome/browser/policy/user_cloud_policy_store_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/user_cloud_policy_store_chromeos.h"
 
-#include <string>
-
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/file_util.h"
+#include "base/logging.h"
 #include "base/memory/ref_counted.h"
+#include "base/stl_util.h"
+#include "base/stringprintf.h"
 #include "chrome/browser/policy/proto/cloud_policy.pb.h"
 #include "chrome/browser/policy/proto/device_management_local.pb.h"
 #include "chrome/browser/policy/user_policy_disk_cache.h"
 #include "chrome/browser/policy/user_policy_token_loader.h"
+#include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "content/public/browser/browser_thread.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 
 namespace em = enterprise_management;
 
 namespace policy {
 
 namespace {
-// Subdirectory in the user's profile for storing user policies.
-const FilePath::CharType kPolicyDir[] = FILE_PATH_LITERAL("Device Management");
-// File in the above directory for stroing user policy dmtokens.
-const FilePath::CharType kTokenCacheFile[] = FILE_PATH_LITERAL("Token");
-// File in the above directory for storing user policy data.
-const FilePath::CharType kPolicyCacheFile[] = FILE_PATH_LITERAL("Policy");
+
+// Path within |user_policy_key_dir_| that contains the policy key.
+// "%s" must be substituted with the sanitized username.
+const FilePath::CharType kPolicyKeyFile[] = FILE_PATH_LITERAL("%s/policy.pub");
+
+// Maximum key size that will be loaded, in bytes.
+const int kKeySizeLimit = 16 * 1024;
+
 }  // namespace
 
 
 // Helper class for loading legacy policy caches.
 class LegacyPolicyCacheLoader : public UserPolicyTokenLoader::Delegate,
                                 public UserPolicyDiskCache::Delegate {
  public:
   typedef base::Callback<void(const std::string&,
                               const std::string&,
                               CloudPolicyStore::Status,
@@ skipping 96 matching lines @@
       return CloudPolicyStore::STATUS_OK;
     case UserPolicyDiskCache::LOAD_RESULT_PARSE_ERROR:
     case UserPolicyDiskCache::LOAD_RESULT_READ_ERROR:
       return CloudPolicyStore::STATUS_LOAD_ERROR;
   }
   NOTREACHED();
   return CloudPolicyStore::STATUS_OK;
 }
 
 UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS(
+    chromeos::CryptohomeClient* cryptohome_client,
     chromeos::SessionManagerClient* session_manager_client,
     const std::string& username,
+    const FilePath& user_policy_key_dir,
     const FilePath& legacy_token_cache_file,
     const FilePath& legacy_policy_cache_file)
-    : session_manager_client_(session_manager_client),
+    : cryptohome_client_(cryptohome_client),
+      session_manager_client_(session_manager_client),
       username_(username),
+      user_policy_key_dir_(user_policy_key_dir),
       ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)),
       legacy_cache_dir_(legacy_token_cache_file.DirName()),
       legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
                                                  legacy_policy_cache_file)),
-      legacy_caches_loaded_(false) {}
+      legacy_caches_loaded_(false),
+      policy_key_loaded_(false) {}
 
 UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
 
 void UserCloudPolicyStoreChromeOS::Store(
     const em::PolicyFetchResponse& policy) {
   // Cancel all pending requests.
   weak_factory_.InvalidateWeakPtrs();
-  Validate(
-      scoped_ptr<em::PolicyFetchResponse>(new em::PolicyFetchResponse(policy)),
-      base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
-                 weak_factory_.GetWeakPtr()));
+  scoped_ptr<em::PolicyFetchResponse> response(
+      new em::PolicyFetchResponse(policy));
+  EnsurePolicyKeyLoaded(
+      base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore,
+                 weak_factory_.GetWeakPtr(),
+                 base::Passed(&response)));
 }
 
 void UserCloudPolicyStoreChromeOS::Load() {
   // Cancel all pending requests.
   weak_factory_.InvalidateWeakPtrs();
   session_manager_client_->RetrieveUserPolicy(
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrieved,
                  weak_factory_.GetWeakPtr()));
 }
 
+void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
+    scoped_ptr<em::PolicyFetchResponse> policy) {
+  // Create and configure a validator.
+  scoped_ptr<UserCloudPolicyValidator> validator =
+      CreateValidator(policy.Pass());
+  validator->ValidateUsername(username_);
+  if (policy_key_.empty()) {
+    validator->ValidateInitialKey();
+  } else {
+    const bool allow_rotation = true;
+    validator->ValidateSignature(policy_key_, allow_rotation);
+  }
+
+  // Start validation. The Validator will delete itself once validation is
+  // complete.
+  validator.release()->StartValidation(
+      base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
+                 weak_factory_.GetWeakPtr()));
+}
+
+void UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated(
+    UserCloudPolicyValidator* validator) {
+  validation_status_ = validator->status();
+  if (!validator->success()) {
+    status_ = STATUS_VALIDATION_ERROR;
+    NotifyStoreError();
+    return;
+  }
+
+  std::string policy_blob;
+  if (!validator->policy()->SerializeToString(&policy_blob)) {
+    status_ = STATUS_SERIALIZE_ERROR;
+    NotifyStoreError();
+    return;
+  }
+
+  session_manager_client_->StoreUserPolicy(
+      policy_blob,
+      base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyStored,
+                 weak_factory_.GetWeakPtr()));
+}
+
+void UserCloudPolicyStoreChromeOS::OnPolicyStored(bool success) {
+  if (!success) {
+    status_ = STATUS_STORE_ERROR;
+    NotifyStoreError();
+  } else {
+    // Load the policy right after storing it, to make sure it was accepted by
+    // the session manager. An additional validation is performed after the
+    // load; reload the key for that validation too, in case it was rotated.
+    ReloadPolicyKey(base::Bind(&UserCloudPolicyStoreChromeOS::Load,
+                               weak_factory_.GetWeakPtr()));
+  }
+}
+
 void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
     const std::string& policy_blob) {
   if (policy_blob.empty()) {
     // Policy fetch failed. Try legacy caches if we haven't done that already.
     if (!legacy_caches_loaded_ && legacy_loader_.get()) {
       legacy_caches_loaded_ = true;
       legacy_loader_->Load(
           base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished,
                      weak_factory_.GetWeakPtr()));
     } else {
       // session_manager doesn't have policy. Adjust internal state and notify
       // the world about the policy update.
       policy_.reset();
       NotifyStoreLoaded();
     }
     return;
   }
 
   // Policy is supplied by session_manager. Disregard legacy data from now on.
   legacy_loader_.reset();
 
   scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse());
   if (!policy->ParseFromString(policy_blob)) {
     status_ = STATUS_PARSE_ERROR;
     NotifyStoreError();
     return;
   }
 
-  Validate(policy.Pass(),
-           base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated,
-                      weak_factory_.GetWeakPtr()));
+  // Load |policy_key_| to verify the loaded policy.
+  EnsurePolicyKeyLoaded(
+      base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
+                 weak_factory_.GetWeakPtr(),
+                 base::Passed(&policy)));
+}
+
+void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy(
+    scoped_ptr<em::PolicyFetchResponse> policy) {
+  // Create and configure a validator for the loaded policy.
+  scoped_ptr<UserCloudPolicyValidator> validator =
+      CreateValidator(policy.Pass());
+  validator->ValidateUsername(username_);
+  const bool allow_rotation = false;
+  validator->ValidateSignature(policy_key_, allow_rotation);
+  // Start validation. The Validator will delete itself once validation is
+  // complete.
+  validator.release()->StartValidation(
+      base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated,
+                 weak_factory_.GetWeakPtr()));
 }
 
 void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated(
     UserCloudPolicyValidator* validator) {
   validation_status_ = validator->status();
   if (!validator->success()) {
     status_ = STATUS_VALIDATION_ERROR;
     NotifyStoreError();
     return;
   }
 
   InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
   status_ = STATUS_OK;
 
   // Policy has been loaded successfully. This indicates that new-style policy
   // is working, so the legacy cache directory can be removed.
   if (!legacy_cache_dir_.empty()) {
     content::BrowserThread::PostBlockingPoolTask(
         FROM_HERE,
         base::Bind(&UserCloudPolicyStoreChromeOS::RemoveLegacyCacheDir,
                    legacy_cache_dir_));
     legacy_cache_dir_.clear();
   }
   NotifyStoreLoaded();
 }
 
-void UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated(
-    UserCloudPolicyValidator* validator) {
-  validation_status_ = validator->status();
-  if (!validator->success()) {
-    status_ = STATUS_VALIDATION_ERROR;
-    NotifyStoreError();
-    return;
-  }
-
-  std::string policy_blob;
-  if (!validator->policy()->SerializeToString(&policy_blob)) {
-    status_ = STATUS_SERIALIZE_ERROR;
-    NotifyStoreError();
-    return;
-  }
-
-  session_manager_client_->StoreUserPolicy(
-      policy_blob,
-      base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyStored,
-                 weak_factory_.GetWeakPtr()));
-}
-
-void UserCloudPolicyStoreChromeOS::OnPolicyStored(bool success) {
-  if (!success) {
-    status_ = STATUS_STORE_ERROR;
-    NotifyStoreError();
-  } else {
-    // TODO(mnissler): Once we do signature verifications, we'll have to reload
-    // the key at this point to account for key rotations.
-    Load();
-  }
-}
-
-void UserCloudPolicyStoreChromeOS::Validate(
-    scoped_ptr<em::PolicyFetchResponse> policy,
-    const UserCloudPolicyValidator::CompletionCallback& callback) {
-  // Configure the validator.
-  scoped_ptr<UserCloudPolicyValidator> validator =
-      CreateValidator(policy.Pass());
-  validator->ValidateUsername(username_);
-
-  // TODO(mnissler): Do a signature check here as well. The key is stored by
-  // session_manager in the root-owned cryptohome area, which is currently
-  // inaccessible to Chrome though.
-
-  // Start validation. The Validator will free itself once validation is
-  // complete.
-  validator.release()->StartValidation(callback);
-}
-
 void UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished(
     const std::string& dm_token,
     const std::string& device_id,
     Status status,
     scoped_ptr<em::PolicyFetchResponse> policy) {
   status_ = status;
   if (policy.get()) {
-    Validate(policy.Pass(),
-             base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated,
-                        weak_factory_.GetWeakPtr(),
-                        dm_token, device_id));
+    // Create and configure a validator for the loaded legacy policy. Note that
+    // the signature on this policy is not verified.
+    scoped_ptr<UserCloudPolicyValidator> validator =
+        CreateValidator(policy.Pass());
+    validator->ValidateUsername(username_);
+    validator.release()->StartValidation(
+        base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated,
+                   weak_factory_.GetWeakPtr(),
+                   dm_token,
+                   device_id));
   } else {
     InstallLegacyTokens(dm_token, device_id);
   }
 }
 
 void UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated(
     const std::string& dm_token,
     const std::string& device_id,
     UserCloudPolicyValidator* validator) {
   validation_status_ = validator->status();
   if (validator->success()) {
     status_ = STATUS_OK;
-    InstallPolicy(validator->policy_data().Pass(),
-                  validator->payload().Pass());
+    InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
 
     // Clear the public key version. The public key version field would
     // otherwise indicate that we have key installed in the store when in fact
     // we haven't. This may result in policy updates failing signature
     // verification.
     policy_->clear_public_key_version();
   } else {
     status_ = STATUS_VALIDATION_ERROR;
   }
 
@@ skipping 16 matching lines @@
   // Tell the rest of the world that the policy load completed.
   NotifyStoreLoaded();
 }
 
 // static
 void UserCloudPolicyStoreChromeOS::RemoveLegacyCacheDir(const FilePath& dir) {
   if (file_util::PathExists(dir) && !file_util::Delete(dir, true))
     LOG(ERROR) << "Failed to remove cache dir " << dir.value();
 }
 
+void UserCloudPolicyStoreChromeOS::ReloadPolicyKey(
+    const base::Closure& callback) {
+  std::vector<uint8>* key = new std::vector<uint8>();
+  content::BrowserThread::PostBlockingPoolTaskAndReply(
+      FROM_HERE,
+      base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
+                 policy_key_path_,
+                 key),
+      base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded,
+                 weak_factory_.GetWeakPtr(),
+                 base::Owned(key),
+                 callback));
+}
+
+// static
+void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const FilePath& path,
+                                                 std::vector<uint8>* key) {
+  if (!file_util::PathExists(path)) {
+    VLOG(1) << "No key at " << path.value();
+    return;
+  }
+
+  int64 size;
+  if (!file_util::GetFileSize(path, &size)) {
+    LOG(ERROR) << "Could not get size of " << path.value();
+  } else if (size == 0 || size > kKeySizeLimit) {
+    LOG(ERROR) << "Key at " << path.value() << " has bad size " << size;
+  } else {
+    key->resize(size);
+    int read_size = file_util::ReadFile(
+        path, reinterpret_cast<char*>(vector_as_array(key)), size);
+    if (read_size != size) {
+      LOG(ERROR) << "Failed to read key at " << path.value();
+      key->clear();
+    }
+  }
+}
+
+void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
+    std::vector<uint8>* key,
+    const base::Closure& callback) {
+  policy_key_.swap(*key);
+  policy_key_loaded_ = true;
+  callback.Run();
+}
+
+void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
+    const base::Closure& callback) {
+  if (policy_key_loaded_) {
+    callback.Run();
+  } else {
+    // Get the hashed username that's part of the key's path, to determine
+    // |policy_key_path_|.
+    cryptohome_client_->GetSanitizedUsername(username_,
+        base::Bind(&UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername,
+                   weak_factory_.GetWeakPtr(),
+                   callback));
+  }
+}
+
+void UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername(
+    const base::Closure& callback,
+    chromeos::DBusMethodCallStatus call_status,
+    const std::string& sanitized_username) {
+  // The default empty path will always yield an empty key.
+  if (call_status == chromeos::DBUS_METHOD_CALL_SUCCESS &&
+      !sanitized_username.empty()) {
+    policy_key_path_ = user_policy_key_dir_.Append(
+        base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
+  }
+  ReloadPolicyKey(callback);
+}
+
 }  // namespace policy