chrome/browser/policy/cloud_policy_validator.cc - Issue 12189011: Split up chrome/browser/policy subdirectory

Side by Side Diff: chrome/browser/policy/cloud_policy_validator.cc

Issue 12189011: Split up chrome/browser/policy subdirectory (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Rebase, add chrome/browser/chromeos/policy/OWNERS Created 7 years, 9 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
	(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.

4

5 #include "chrome/browser/policy/cloud_policy_validator.h"

6

7 #include "base/bind.h"

8 #include "base/bind_helpers.h"

9 #include "base/message_loop.h"

10 #include "base/stl_util.h"

11 #include "chrome/browser/policy/cloud_policy_constants.h"

12 #include "chrome/browser/policy/proto/chrome_device_policy.pb.h"

13 #include "chrome/browser/policy/proto/chrome_extension_policy.pb.h"

14 #include "chrome/browser/policy/proto/cloud_policy.pb.h"

15 #include "chrome/browser/policy/proto/device_management_backend.pb.h"

16 #include "content/public/browser/browser_thread.h"

17 #include "crypto/signature_verifier.h"

18 #include "google_apis/gaia/gaia_auth_util.h"

19

20 namespace em = enterprise_management;

21

22 namespace policy {

23

24 namespace {

25

26 // Grace interval for policy timestamp checks, in seconds.

27 const int kTimestampGraceIntervalSeconds = 60;

28

29 // DER-encoded ASN.1 object identifier for the SHA1-RSA signature algorithm.

30 const uint8 kSignatureAlgorithm[] = {

31 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,

32 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00

33 };

34

35 } // namespace

36

37 CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {}

38

39 void CloudPolicyValidatorBase::ValidateTimestamp(

40 base::Time not_before,

41 base::Time now,

42 ValidateTimestampOption timestamp_option) {

43 // Timestamp should be from the past. We allow for a 1-minute grace interval

44 // to cover clock drift.

45 validation_flags_ \|= VALIDATE_TIMESTAMP;

46 timestamp_not_before_ =

47 (not_before - base::Time::UnixEpoch()).InMilliseconds();

48 timestamp_not_after_ =

49 ((now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds)) -

50 base::Time::UnixEpoch()).InMillisecondsRoundedUp();

51 timestamp_option_ = timestamp_option;

52 }

53

54 void CloudPolicyValidatorBase::ValidateUsername(

55 const std::string& expected_user) {

56 validation_flags_ \|= VALIDATE_USERNAME;

57 user_ = gaia::CanonicalizeEmail(expected_user);

58 }

59

60 void CloudPolicyValidatorBase::ValidateDomain(

61 const std::string& expected_domain) {

62 validation_flags_ \|= VALIDATE_DOMAIN;

63 domain_ = gaia::CanonicalizeDomain(expected_domain);

64 }

65

66 void CloudPolicyValidatorBase::ValidateDMToken(

67 const std::string& token,

68 ValidateDMTokenOption dm_token_option) {

69 validation_flags_ \|= VALIDATE_TOKEN;

70 token_ = token;

71 dm_token_option_ = dm_token_option;

72 }

73

74 void CloudPolicyValidatorBase::ValidatePolicyType(

75 const std::string& policy_type) {

76 validation_flags_ \|= VALIDATE_POLICY_TYPE;

77 policy_type_ = policy_type;

78 }

79

80 void CloudPolicyValidatorBase::ValidateSettingsEntityId(

81 const std::string& settings_entity_id) {

82 validation_flags_ \|= VALIDATE_ENTITY_ID;

83 settings_entity_id_ = settings_entity_id;

84 }

85

86 void CloudPolicyValidatorBase::ValidatePayload() {

87 validation_flags_ \|= VALIDATE_PAYLOAD;

88 }

89

90 void CloudPolicyValidatorBase::ValidateSignature(const std::vector<uint8>& key,

91 bool allow_key_rotation) {

92 validation_flags_ \|= VALIDATE_SIGNATURE;

93 key_ = std::string(reinterpret_cast<const char*>(vector_as_array(&key)),

94 key.size());

95 allow_key_rotation_ = allow_key_rotation;

96 }

97

98 void CloudPolicyValidatorBase::ValidateInitialKey() {

99 validation_flags_ \|= VALIDATE_INITIAL_KEY;

100 }

101

102 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(

103 const em::PolicyData* policy_data,

104 ValidateTimestampOption timestamp_option,

105 ValidateDMTokenOption dm_token_option) {

106 base::Time last_policy_timestamp;

107 std::string expected_dm_token;

108 if (policy_data) {

109 last_policy_timestamp =

110 base::Time::UnixEpoch() +

111 base::TimeDelta::FromMilliseconds(policy_data->timestamp());

112 expected_dm_token = policy_data->request_token();

113 }

114 ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),

115 timestamp_option);

116 ValidateDMToken(expected_dm_token, dm_token_option);

117 }

118

119 CloudPolicyValidatorBase::CloudPolicyValidatorBase(

120 scoped_ptr<em::PolicyFetchResponse> policy_response,

121 google::protobuf::MessageLite* payload)

122 : status_(VALIDATION_OK),

123 policy_(policy_response.Pass()),

124 payload_(payload),

125 validation_flags_(0),

126 timestamp_not_before_(0),

127 timestamp_not_after_(0),

128 timestamp_option_(TIMESTAMP_REQUIRED),

129 dm_token_option_(DM_TOKEN_REQUIRED),

130 allow_key_rotation_(false) {}

131

132 // static

133 void CloudPolicyValidatorBase::PerformValidation(

134 scoped_ptr<CloudPolicyValidatorBase> self,

135 scoped_refptr<base::MessageLoopProxy> message_loop,

136 const base::Closure& completion_callback) {

137 // Run the validation activities on this thread.

138 self->RunValidation();

139

140 // Report completion on \|message_loop\|.

141 message_loop->PostTask(

142 FROM_HERE,

143 base::Bind(&CloudPolicyValidatorBase::ReportCompletion,

144 base::Passed(&self),

145 completion_callback));

146 }

147

148 // static

149 void CloudPolicyValidatorBase::ReportCompletion(

150 scoped_ptr<CloudPolicyValidatorBase> self,

151 const base::Closure& completion_callback) {

152 completion_callback.Run();

153 }

154

155 void CloudPolicyValidatorBase::RunValidation() {

156 policy_data_.reset(new em::PolicyData());

157 RunChecks();

158 }

159

160 void CloudPolicyValidatorBase::RunChecks() {

161 status_ = VALIDATION_OK;

162 if ((policy_->has_error_code() && policy_->error_code() != 200) \|\|

163 (policy_->has_error_message() && !policy_->error_message().empty())) {

164 LOG(ERROR) << "Error in policy blob."

165 << " code: " << policy_->error_code()

166 << " message: " << policy_->error_message();

167 status_ = VALIDATION_ERROR_CODE_PRESENT;

168 return;

169 }

170

171 // Parse policy data.

172 if (!policy_data_->ParseFromString(policy_->policy_data()) \|\|

173 !policy_data_->IsInitialized()) {

174 LOG(ERROR) << "Failed to parse policy response";

175 status_ = VALIDATION_PAYLOAD_PARSE_ERROR;

176 return;

177 }

178

179 // Table of checks we run. These are sorted by descending severity of the

180 // error, s.t. the most severe check will determine the validation status.

181 static const struct {

182 int flag;

183 Status (CloudPolicyValidatorBase::* checkFunction)();

184 } kCheckFunctions[] = {

185 { VALIDATE_SIGNATURE, &CloudPolicyValidatorBase::CheckSignature },

186 { VALIDATE_INITIAL_KEY, &CloudPolicyValidatorBase::CheckInitialKey },

187 { VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType },

188 { VALIDATE_ENTITY_ID, &CloudPolicyValidatorBase::CheckEntityId },

189 { VALIDATE_TOKEN, &CloudPolicyValidatorBase::CheckToken },

190 { VALIDATE_USERNAME, &CloudPolicyValidatorBase::CheckUsername },

191 { VALIDATE_DOMAIN, &CloudPolicyValidatorBase::CheckDomain },

192 { VALIDATE_TIMESTAMP, &CloudPolicyValidatorBase::CheckTimestamp },

193 { VALIDATE_PAYLOAD, &CloudPolicyValidatorBase::CheckPayload },

194 };

195

196 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kCheckFunctions); ++i) {

197 if (validation_flags_ & kCheckFunctions[i].flag) {

198 status_ = (this->*(kCheckFunctions[i].checkFunction))();

199 if (status_ != VALIDATION_OK)

200 break;

201 }

202 }

203 }

204

205 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() {

206 const std::string* signature_key = &key_;

207 if (policy_->has_new_public_key() && allow_key_rotation_) {

208 signature_key = &policy_->new_public_key();

209 if (!policy_->has_new_public_key_signature() \|\|

210 !VerifySignature(policy_->new_public_key(), key_,

211 policy_->new_public_key_signature())) {

212 LOG(ERROR) << "New public key signature verification failed";

213 return VALIDATION_BAD_SIGNATURE;

214 }

215 }

216

217 if (!policy_->has_policy_data_signature() \|\|

218 !VerifySignature(policy_->policy_data(), *signature_key,

219 policy_->policy_data_signature())) {

220 LOG(ERROR) << "Policy signature validation failed";

221 return VALIDATION_BAD_SIGNATURE;

222 }

223

224 return VALIDATION_OK;

225 }

226

227 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckInitialKey() {

228 if (!policy_->has_new_public_key() \|\|

229 !policy_->has_policy_data_signature() \|\|

230 !VerifySignature(policy_->policy_data(), policy_->new_public_key(),

231 policy_->policy_data_signature())) {

232 LOG(ERROR) << "Initial policy signature validation failed";

233 return VALIDATION_BAD_INITIAL_SIGNATURE;

234 }

235

236 return VALIDATION_OK;

237 }

238

239 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPolicyType() {

240 if (!policy_data_->has_policy_type() \|\|

241 policy_data_->policy_type() != policy_type_) {

242 LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type();

243 return VALIDATION_WRONG_POLICY_TYPE;

244 }

245

246 return VALIDATION_OK;

247 }

248

249 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckEntityId() {

250 if (!policy_data_->has_settings_entity_id() \|\|

251 policy_data_->settings_entity_id() != settings_entity_id_) {

252 LOG(ERROR) << "Wrong settings_entity_id "

253 << policy_data_->settings_entity_id() << ", expected "

254 << settings_entity_id_;

255 return VALIDATION_WRONG_SETTINGS_ENTITY_ID;

256 }

257

258 return VALIDATION_OK;

259 }

260

261 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {

262 if (!policy_data_->has_timestamp()) {

263 if (timestamp_option_ == TIMESTAMP_NOT_REQUIRED) {

264 return VALIDATION_OK;

265 } else {

266 LOG(ERROR) << "Policy timestamp missing";

267 return VALIDATION_BAD_TIMESTAMP;

268 }

269 }

270

271 if (policy_data_->timestamp() < timestamp_not_before_) {

272 LOG(ERROR) << "Policy too old: " << policy_data_->timestamp();

273 return VALIDATION_BAD_TIMESTAMP;

274 }

275 if (policy_data_->timestamp() > timestamp_not_after_) {

276 LOG(ERROR) << "Policy from the future: " << policy_data_->timestamp();

277 return VALIDATION_BAD_TIMESTAMP;

278 }

279

280 return VALIDATION_OK;

281 }

282

283 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckToken() {

284 // Make sure the token matches the expected token (if any) and also

285 // make sure the token itself is valid (non-empty if DM_TOKEN_REQUIRED).

286 if (dm_token_option_ == DM_TOKEN_REQUIRED &&

287 (!policy_data_->has_request_token() \|\|

288 policy_data_->request_token().empty())) {

289 LOG(ERROR) << "Empty DM token encountered - expected: " << token_;

290 return VALIDATION_WRONG_TOKEN;

291 }

292 if (!token_.empty() && policy_data_->request_token() != token_) {

293 LOG(ERROR) << "Invalid DM token: " << policy_data_->request_token()

294 << " - expected: " << token_;

295 return VALIDATION_WRONG_TOKEN;

296 }

297

298 return VALIDATION_OK;

299 }

300

301 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckUsername() {

302 if (!policy_data_->has_username()) {

303 LOG(ERROR) << "Policy is missing user name";

304 return VALIDATION_BAD_USERNAME;

305 }

306

307 std::string policy_username =

308 gaia::CanonicalizeEmail(gaia::SanitizeEmail(policy_data_->username()));

309

310 if (user_ != policy_username) {

311 LOG(ERROR) << "Invalid user name " << policy_data_->username();

312 return VALIDATION_BAD_USERNAME;

313 }

314

315 return VALIDATION_OK;

316 }

317

318

319 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckDomain() {

320 if (!policy_data_->has_username()) {

321 LOG(ERROR) << "Policy is missing user name";

322 return VALIDATION_BAD_USERNAME;

323 }

324

325 std::string policy_domain =

326 gaia::ExtractDomainName(

327 gaia::CanonicalizeEmail(

328 gaia::SanitizeEmail(policy_data_->username())));

329

330 if (domain_ != policy_domain) {

331 LOG(ERROR) << "Invalid user name " << policy_data_->username();

332 return VALIDATION_BAD_USERNAME;

333 }

334

335 return VALIDATION_OK;

336 }

337

338 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPayload() {

339 if (!policy_data_->has_policy_value() \|\|

340 !payload_->ParseFromString(policy_data_->policy_value()) \|\|

341 !payload_->IsInitialized()) {

342 LOG(ERROR) << "Failed to decode policy payload protobuf";

343 return VALIDATION_POLICY_PARSE_ERROR;

344 }

345

346 return VALIDATION_OK;

347 }

348

349 // static

350 bool CloudPolicyValidatorBase::VerifySignature(const std::string& data,

351 const std::string& key,

352 const std::string& signature) {

353 crypto::SignatureVerifier verifier;

354

355 if (!verifier.VerifyInit(kSignatureAlgorithm, sizeof(kSignatureAlgorithm),

356 reinterpret_cast<const uint8*>(signature.c_str()),

357 signature.size(),

358 reinterpret_cast<const uint8*>(key.c_str()),

359 key.size())) {

360 return false;

361 }

362 verifier.VerifyUpdate(reinterpret_cast<const uint8*>(data.c_str()),

363 data.size());

364 return verifier.VerifyFinal();

365 }

366

367 template<typename PayloadProto>

368 CloudPolicyValidator<PayloadProto>::~CloudPolicyValidator() {}

369

370 template<typename PayloadProto>

371 CloudPolicyValidator<PayloadProto>* CloudPolicyValidator<PayloadProto>::Create(

372 scoped_ptr<em::PolicyFetchResponse> policy_response) {

373 return new CloudPolicyValidator(

374 policy_response.Pass(),

375 scoped_ptr<PayloadProto>(new PayloadProto()));

376 }

377

378 template<typename PayloadProto>

379 CloudPolicyValidator<PayloadProto>::CloudPolicyValidator(

380 scoped_ptr<em::PolicyFetchResponse> policy_response,

381 scoped_ptr<PayloadProto> payload)

382 : CloudPolicyValidatorBase(policy_response.Pass(), payload.get()),

383 payload_(payload.Pass()) {}

384

385 template<typename PayloadProto>

386 void CloudPolicyValidator<PayloadProto>::StartValidation(

387 const CompletionCallback& completion_callback) {

388 content::BrowserThread::PostTask(

389 content::BrowserThread::FILE, FROM_HERE,

390 base::Bind(&CloudPolicyValidatorBase::PerformValidation,

391 base::Passed(scoped_ptr<CloudPolicyValidatorBase>(this)),

392 MessageLoop::current()->message_loop_proxy(),

393 base::Bind(completion_callback, this)));

394 }

395

396 template class CloudPolicyValidator<em::ChromeDeviceSettingsProto>;

397 template class CloudPolicyValidator<em::CloudPolicySettings>;

398 template class CloudPolicyValidator<em::ExternalPolicyData>;

399

400 } // namespace policy

OLD	NEW

« no previous file with comments | « chrome/browser/policy/cloud_policy_validator.h ('k') | chrome/browser/policy/cloud_policy_validator_unittest.cc » ('j') | no next file with comments »