Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(49)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: chrome/browser/policy/cloud_policy_validator.cc

Issue 12189011: Split up chrome/browser/policy subdirectory (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Address comments. Created 7 years, 9 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« chrome/browser/policy/browser_policy_connector.h ('K') | « chrome/browser/policy/cloud_policy_validator.h ('k') | chrome/browser/policy/cloud_policy_validator_unittest.cc » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/policy/cloud_policy_validator.h"
6
7 #include "base/bind.h"
8 #include "base/bind_helpers.h"
9 #include "base/message_loop.h"
10 #include "base/stl_util.h"
11 #include "chrome/browser/policy/cloud_policy_constants.h"
12 #include "chrome/browser/policy/proto/chrome_device_policy.pb.h"
13 #include "chrome/browser/policy/proto/chrome_extension_policy.pb.h"
14 #include "chrome/browser/policy/proto/cloud_policy.pb.h"
15 #include "chrome/browser/policy/proto/device_management_backend.pb.h"
16 #include "content/public/browser/browser_thread.h"
17 #include "crypto/signature_verifier.h"
18 #include "google_apis/gaia/gaia_auth_util.h"
19
20 namespace em = enterprise_management;
21
22 namespace policy {
23
24 namespace {
25
26 // Grace interval for policy timestamp checks, in seconds.
27 const int kTimestampGraceIntervalSeconds = 60;
28
29 // DER-encoded ASN.1 object identifier for the SHA1-RSA signature algorithm.
30 const uint8 kSignatureAlgorithm[] = {
31 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
32 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00
33 };
34
35 } // namespace
36
37 CloudPolicyValidatorBase::~CloudPolicyValidatorBase() {}
38
39 void CloudPolicyValidatorBase::ValidateTimestamp(
40 base::Time not_before,
41 base::Time now,
42 ValidateTimestampOption timestamp_option) {
43 // Timestamp should be from the past. We allow for a 1-minute grace interval
44 // to cover clock drift.
45 validation_flags_ |= VALIDATE_TIMESTAMP;
46 timestamp_not_before_ =
47 (not_before - base::Time::UnixEpoch()).InMilliseconds();
48 timestamp_not_after_ =
49 ((now + base::TimeDelta::FromSeconds(kTimestampGraceIntervalSeconds)) -
50 base::Time::UnixEpoch()).InMillisecondsRoundedUp();
51 timestamp_option_ = timestamp_option;
52 }
53
54 void CloudPolicyValidatorBase::ValidateUsername(
55 const std::string& expected_user) {
56 validation_flags_ |= VALIDATE_USERNAME;
57 user_ = gaia::CanonicalizeEmail(expected_user);
58 }
59
60 void CloudPolicyValidatorBase::ValidateDomain(
61 const std::string& expected_domain) {
62 validation_flags_ |= VALIDATE_DOMAIN;
63 domain_ = gaia::CanonicalizeDomain(expected_domain);
64 }
65
66 void CloudPolicyValidatorBase::ValidateDMToken(
67 const std::string& token,
68 ValidateDMTokenOption dm_token_option) {
69 validation_flags_ |= VALIDATE_TOKEN;
70 token_ = token;
71 dm_token_option_ = dm_token_option;
72 }
73
74 void CloudPolicyValidatorBase::ValidatePolicyType(
75 const std::string& policy_type) {
76 validation_flags_ |= VALIDATE_POLICY_TYPE;
77 policy_type_ = policy_type;
78 }
79
80 void CloudPolicyValidatorBase::ValidateSettingsEntityId(
81 const std::string& settings_entity_id) {
82 validation_flags_ |= VALIDATE_ENTITY_ID;
83 settings_entity_id_ = settings_entity_id;
84 }
85
86 void CloudPolicyValidatorBase::ValidatePayload() {
87 validation_flags_ |= VALIDATE_PAYLOAD;
88 }
89
90 void CloudPolicyValidatorBase::ValidateSignature(const std::vector<uint8>& key,
91 bool allow_key_rotation) {
92 validation_flags_ |= VALIDATE_SIGNATURE;
93 key_ = std::string(reinterpret_cast<const char*>(vector_as_array(&key)),
94 key.size());
95 allow_key_rotation_ = allow_key_rotation;
96 }
97
98 void CloudPolicyValidatorBase::ValidateInitialKey() {
99 validation_flags_ |= VALIDATE_INITIAL_KEY;
100 }
101
102 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
103 const em::PolicyData* policy_data,
104 ValidateTimestampOption timestamp_option,
105 ValidateDMTokenOption dm_token_option) {
106 base::Time last_policy_timestamp;
107 std::string expected_dm_token;
108 if (policy_data) {
109 last_policy_timestamp =
110 base::Time::UnixEpoch() +
111 base::TimeDelta::FromMilliseconds(policy_data->timestamp());
112 expected_dm_token = policy_data->request_token();
113 }
114 ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),
115 timestamp_option);
116 ValidateDMToken(expected_dm_token, dm_token_option);
117 }
118
119 CloudPolicyValidatorBase::CloudPolicyValidatorBase(
120 scoped_ptr<em::PolicyFetchResponse> policy_response,
121 google::protobuf::MessageLite* payload)
122 : status_(VALIDATION_OK),
123 policy_(policy_response.Pass()),
124 payload_(payload),
125 validation_flags_(0),
126 timestamp_not_before_(0),
127 timestamp_not_after_(0),
128 timestamp_option_(TIMESTAMP_REQUIRED),
129 dm_token_option_(DM_TOKEN_REQUIRED),
130 allow_key_rotation_(false) {}
131
132 // static
133 void CloudPolicyValidatorBase::PerformValidation(
134 scoped_ptr<CloudPolicyValidatorBase> self,
135 scoped_refptr<base::MessageLoopProxy> message_loop,
136 const base::Closure& completion_callback) {
137 // Run the validation activities on this thread.
138 self->RunValidation();
139
140 // Report completion on |message_loop|.
141 message_loop->PostTask(
142 FROM_HERE,
143 base::Bind(&CloudPolicyValidatorBase::ReportCompletion,
144 base::Passed(&self),
145 completion_callback));
146 }
147
148 // static
149 void CloudPolicyValidatorBase::ReportCompletion(
150 scoped_ptr<CloudPolicyValidatorBase> self,
151 const base::Closure& completion_callback) {
152 completion_callback.Run();
153 }
154
155 void CloudPolicyValidatorBase::RunValidation() {
156 policy_data_.reset(new em::PolicyData());
157 RunChecks();
158 }
159
160 void CloudPolicyValidatorBase::RunChecks() {
161 status_ = VALIDATION_OK;
162 if ((policy_->has_error_code() && policy_->error_code() != 200) ||
163 (policy_->has_error_message() && !policy_->error_message().empty())) {
164 LOG(ERROR) << "Error in policy blob."
165 << " code: " << policy_->error_code()
166 << " message: " << policy_->error_message();
167 status_ = VALIDATION_ERROR_CODE_PRESENT;
168 return;
169 }
170
171 // Parse policy data.
172 if (!policy_data_->ParseFromString(policy_->policy_data()) ||
173 !policy_data_->IsInitialized()) {
174 LOG(ERROR) << "Failed to parse policy response";
175 status_ = VALIDATION_PAYLOAD_PARSE_ERROR;
176 return;
177 }
178
179 // Table of checks we run. These are sorted by descending severity of the
180 // error, s.t. the most severe check will determine the validation status.
181 static const struct {
182 int flag;
183 Status (CloudPolicyValidatorBase::* checkFunction)();
184 } kCheckFunctions[] = {
185 { VALIDATE_SIGNATURE, &CloudPolicyValidatorBase::CheckSignature },
186 { VALIDATE_INITIAL_KEY, &CloudPolicyValidatorBase::CheckInitialKey },
187 { VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType },
188 { VALIDATE_ENTITY_ID, &CloudPolicyValidatorBase::CheckEntityId },
189 { VALIDATE_TOKEN, &CloudPolicyValidatorBase::CheckToken },
190 { VALIDATE_USERNAME, &CloudPolicyValidatorBase::CheckUsername },
191 { VALIDATE_DOMAIN, &CloudPolicyValidatorBase::CheckDomain },
192 { VALIDATE_TIMESTAMP, &CloudPolicyValidatorBase::CheckTimestamp },
193 { VALIDATE_PAYLOAD, &CloudPolicyValidatorBase::CheckPayload },
194 };
195
196 for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kCheckFunctions); ++i) {
197 if (validation_flags_ & kCheckFunctions[i].flag) {
198 status_ = (this->*(kCheckFunctions[i].checkFunction))();
199 if (status_ != VALIDATION_OK)
200 break;
201 }
202 }
203 }
204
205 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckSignature() {
206 const std::string* signature_key = &key_;
207 if (policy_->has_new_public_key() && allow_key_rotation_) {
208 signature_key = &policy_->new_public_key();
209 if (!policy_->has_new_public_key_signature() ||
210 !VerifySignature(policy_->new_public_key(), key_,
211 policy_->new_public_key_signature())) {
212 LOG(ERROR) << "New public key signature verification failed";
213 return VALIDATION_BAD_SIGNATURE;
214 }
215 }
216
217 if (!policy_->has_policy_data_signature() ||
218 !VerifySignature(policy_->policy_data(), *signature_key,
219 policy_->policy_data_signature())) {
220 LOG(ERROR) << "Policy signature validation failed";
221 return VALIDATION_BAD_SIGNATURE;
222 }
223
224 return VALIDATION_OK;
225 }
226
227 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckInitialKey() {
228 if (!policy_->has_new_public_key() ||
229 !policy_->has_policy_data_signature() ||
230 !VerifySignature(policy_->policy_data(), policy_->new_public_key(),
231 policy_->policy_data_signature())) {
232 LOG(ERROR) << "Initial policy signature validation failed";
233 return VALIDATION_BAD_INITIAL_SIGNATURE;
234 }
235
236 return VALIDATION_OK;
237 }
238
239 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPolicyType() {
240 if (!policy_data_->has_policy_type() ||
241 policy_data_->policy_type() != policy_type_) {
242 LOG(ERROR) << "Wrong policy type " << policy_data_->policy_type();
243 return VALIDATION_WRONG_POLICY_TYPE;
244 }
245
246 return VALIDATION_OK;
247 }
248
249 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckEntityId() {
250 if (!policy_data_->has_settings_entity_id() ||
251 policy_data_->settings_entity_id() != settings_entity_id_) {
252 LOG(ERROR) << "Wrong settings_entity_id "
253 << policy_data_->settings_entity_id() << ", expected "
254 << settings_entity_id_;
255 return VALIDATION_WRONG_SETTINGS_ENTITY_ID;
256 }
257
258 return VALIDATION_OK;
259 }
260
261 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {
262 if (!policy_data_->has_timestamp()) {
263 if (timestamp_option_ == TIMESTAMP_NOT_REQUIRED) {
264 return VALIDATION_OK;
265 } else {
266 LOG(ERROR) << "Policy timestamp missing";
267 return VALIDATION_BAD_TIMESTAMP;
268 }
269 }
270
271 if (policy_data_->timestamp() < timestamp_not_before_) {
272 LOG(ERROR) << "Policy too old: " << policy_data_->timestamp();
273 return VALIDATION_BAD_TIMESTAMP;
274 }
275 if (policy_data_->timestamp() > timestamp_not_after_) {
276 LOG(ERROR) << "Policy from the future: " << policy_data_->timestamp();
277 return VALIDATION_BAD_TIMESTAMP;
278 }
279
280 return VALIDATION_OK;
281 }
282
283 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckToken() {
284 // Make sure the token matches the expected token (if any) and also
285 // make sure the token itself is valid (non-empty if DM_TOKEN_REQUIRED).
286 if (dm_token_option_ == DM_TOKEN_REQUIRED &&
287 (!policy_data_->has_request_token() ||
288 policy_data_->request_token().empty())) {
289 LOG(ERROR) << "Empty DM token encountered - expected: " << token_;
290 return VALIDATION_WRONG_TOKEN;
291 }
292 if (!token_.empty() && policy_data_->request_token() != token_) {
293 LOG(ERROR) << "Invalid DM token: " << policy_data_->request_token()
294 << " - expected: " << token_;
295 return VALIDATION_WRONG_TOKEN;
296 }
297
298 return VALIDATION_OK;
299 }
300
301 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckUsername() {
302 if (!policy_data_->has_username()) {
303 LOG(ERROR) << "Policy is missing user name";
304 return VALIDATION_BAD_USERNAME;
305 }
306
307 std::string policy_username =
308 gaia::CanonicalizeEmail(gaia::SanitizeEmail(policy_data_->username()));
309
310 if (user_ != policy_username) {
311 LOG(ERROR) << "Invalid user name " << policy_data_->username();
312 return VALIDATION_BAD_USERNAME;
313 }
314
315 return VALIDATION_OK;
316 }
317
318
319 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckDomain() {
320 if (!policy_data_->has_username()) {
321 LOG(ERROR) << "Policy is missing user name";
322 return VALIDATION_BAD_USERNAME;
323 }
324
325 std::string policy_domain =
326 gaia::ExtractDomainName(
327 gaia::CanonicalizeEmail(
328 gaia::SanitizeEmail(policy_data_->username())));
329
330 if (domain_ != policy_domain) {
331 LOG(ERROR) << "Invalid user name " << policy_data_->username();
332 return VALIDATION_BAD_USERNAME;
333 }
334
335 return VALIDATION_OK;
336 }
337
338 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPayload() {
339 if (!policy_data_->has_policy_value() ||
340 !payload_->ParseFromString(policy_data_->policy_value()) ||
341 !payload_->IsInitialized()) {
342 LOG(ERROR) << "Failed to decode policy payload protobuf";
343 return VALIDATION_POLICY_PARSE_ERROR;
344 }
345
346 return VALIDATION_OK;
347 }
348
349 // static
350 bool CloudPolicyValidatorBase::VerifySignature(const std::string& data,
351 const std::string& key,
352 const std::string& signature) {
353 crypto::SignatureVerifier verifier;
354
355 if (!verifier.VerifyInit(kSignatureAlgorithm, sizeof(kSignatureAlgorithm),
356 reinterpret_cast<const uint8*>(signature.c_str()),
357 signature.size(),
358 reinterpret_cast<const uint8*>(key.c_str()),
359 key.size())) {
360 return false;
361 }
362 verifier.VerifyUpdate(reinterpret_cast<const uint8*>(data.c_str()),
363 data.size());
364 return verifier.VerifyFinal();
365 }
366
367 template<typename PayloadProto>
368 CloudPolicyValidator<PayloadProto>::~CloudPolicyValidator() {}
369
370 template<typename PayloadProto>
371 CloudPolicyValidator<PayloadProto>* CloudPolicyValidator<PayloadProto>::Create(
372 scoped_ptr<em::PolicyFetchResponse> policy_response) {
373 return new CloudPolicyValidator(
374 policy_response.Pass(),
375 scoped_ptr<PayloadProto>(new PayloadProto()));
376 }
377
378 template<typename PayloadProto>
379 CloudPolicyValidator<PayloadProto>::CloudPolicyValidator(
380 scoped_ptr<em::PolicyFetchResponse> policy_response,
381 scoped_ptr<PayloadProto> payload)
382 : CloudPolicyValidatorBase(policy_response.Pass(), payload.get()),
383 payload_(payload.Pass()) {}
384
385 template<typename PayloadProto>
386 void CloudPolicyValidator<PayloadProto>::StartValidation(
387 const CompletionCallback& completion_callback) {
388 content::BrowserThread::PostTask(
389 content::BrowserThread::FILE, FROM_HERE,
390 base::Bind(&CloudPolicyValidatorBase::PerformValidation,
391 base::Passed(scoped_ptr<CloudPolicyValidatorBase>(this)),
392 MessageLoop::current()->message_loop_proxy(),
393 base::Bind(completion_callback, this)));
394 }
395
396 template class CloudPolicyValidator<em::ChromeDeviceSettingsProto>;
397 template class CloudPolicyValidator<em::CloudPolicySettings>;
398 template class CloudPolicyValidator<em::ExternalPolicyData>;
399
400 } // namespace policy
OLDNEW
« chrome/browser/policy/browser_policy_connector.h ('K') | « chrome/browser/policy/cloud_policy_validator.h ('k') | chrome/browser/policy/cloud_policy_validator_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698