| Index: chrome/browser/policy/user_cloud_policy_store_chromeos.cc
|
| ===================================================================
|
| --- chrome/browser/policy/user_cloud_policy_store_chromeos.cc (revision 182301)
|
| +++ chrome/browser/policy/user_cloud_policy_store_chromeos.cc (working copy)
|
| @@ -4,19 +4,17 @@
|
|
|
| #include "chrome/browser/policy/user_cloud_policy_store_chromeos.h"
|
|
|
| +#include <string>
|
| +
|
| #include "base/bind.h"
|
| #include "base/bind_helpers.h"
|
| #include "base/callback.h"
|
| #include "base/file_util.h"
|
| -#include "base/logging.h"
|
| #include "base/memory/ref_counted.h"
|
| -#include "base/stl_util.h"
|
| -#include "base/stringprintf.h"
|
| #include "chrome/browser/policy/proto/cloud_policy.pb.h"
|
| #include "chrome/browser/policy/proto/device_management_local.pb.h"
|
| #include "chrome/browser/policy/user_policy_disk_cache.h"
|
| #include "chrome/browser/policy/user_policy_token_loader.h"
|
| -#include "chromeos/dbus/cryptohome_client.h"
|
| #include "chromeos/dbus/session_manager_client.h"
|
| #include "content/public/browser/browser_thread.h"
|
| #include "google_apis/gaia/gaia_auth_util.h"
|
| @@ -26,17 +24,16 @@
|
| namespace policy {
|
|
|
| namespace {
|
| -
|
| -// Path within |user_policy_key_dir_| that contains the policy key.
|
| -// "%s" must be substituted with the sanitized username.
|
| -const base::FilePath::CharType kPolicyKeyFile[] =
|
| - FILE_PATH_LITERAL("%s/policy.pub");
|
| -
|
| -// Maximum key size that will be loaded, in bytes.
|
| -const int kKeySizeLimit = 16 * 1024;
|
| -
|
| +// Subdirectory in the user's profile for storing user policies.
|
| +const base::FilePath::CharType kPolicyDir[] =
|
| + FILE_PATH_LITERAL("Device Management");
|
| +// File in the above directory for stroing user policy dmtokens.
|
| +const base::FilePath::CharType kTokenCacheFile[] = FILE_PATH_LITERAL("Token");
|
| +// File in the above directory for storing user policy data.
|
| +const base::FilePath::CharType kPolicyCacheFile[] = FILE_PATH_LITERAL("Policy");
|
| } // namespace
|
|
|
| +
|
| // Helper class for loading legacy policy caches.
|
| class LegacyPolicyCacheLoader : public UserPolicyTokenLoader::Delegate,
|
| public UserPolicyDiskCache::Delegate {
|
| @@ -150,22 +147,17 @@
|
| }
|
|
|
| UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS(
|
| - chromeos::CryptohomeClient* cryptohome_client,
|
| chromeos::SessionManagerClient* session_manager_client,
|
| const std::string& username,
|
| - const base::FilePath& user_policy_key_dir,
|
| const base::FilePath& legacy_token_cache_file,
|
| const base::FilePath& legacy_policy_cache_file)
|
| - : cryptohome_client_(cryptohome_client),
|
| - session_manager_client_(session_manager_client),
|
| + : session_manager_client_(session_manager_client),
|
| username_(username),
|
| - user_policy_key_dir_(user_policy_key_dir),
|
| ALLOW_THIS_IN_INITIALIZER_LIST(weak_factory_(this)),
|
| legacy_cache_dir_(legacy_token_cache_file.DirName()),
|
| legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
|
| legacy_policy_cache_file)),
|
| - legacy_caches_loaded_(false),
|
| - policy_key_loaded_(false) {}
|
| + legacy_caches_loaded_(false) {}
|
|
|
| UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
|
|
|
| @@ -173,12 +165,10 @@
|
| const em::PolicyFetchResponse& policy) {
|
| // Cancel all pending requests.
|
| weak_factory_.InvalidateWeakPtrs();
|
| - scoped_ptr<em::PolicyFetchResponse> response(
|
| - new em::PolicyFetchResponse(policy));
|
| - EnsurePolicyKeyLoaded(
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore,
|
| - weak_factory_.GetWeakPtr(),
|
| - base::Passed(&response)));
|
| + Validate(
|
| + scoped_ptr<em::PolicyFetchResponse>(new em::PolicyFetchResponse(policy)),
|
| + base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
|
| + weak_factory_.GetWeakPtr()));
|
| }
|
|
|
| void UserCloudPolicyStoreChromeOS::Load() {
|
| @@ -189,61 +179,6 @@
|
| weak_factory_.GetWeakPtr()));
|
| }
|
|
|
| -void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
|
| - scoped_ptr<em::PolicyFetchResponse> policy) {
|
| - // Create and configure a validator.
|
| - scoped_ptr<UserCloudPolicyValidator> validator =
|
| - CreateValidator(policy.Pass());
|
| - validator->ValidateUsername(username_);
|
| - if (policy_key_.empty()) {
|
| - validator->ValidateInitialKey();
|
| - } else {
|
| - const bool allow_rotation = true;
|
| - validator->ValidateSignature(policy_key_, allow_rotation);
|
| - }
|
| -
|
| - // Start validation. The Validator will delete itself once validation is
|
| - // complete.
|
| - validator.release()->StartValidation(
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
|
| - weak_factory_.GetWeakPtr()));
|
| -}
|
| -
|
| -void UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated(
|
| - UserCloudPolicyValidator* validator) {
|
| - validation_status_ = validator->status();
|
| - if (!validator->success()) {
|
| - status_ = STATUS_VALIDATION_ERROR;
|
| - NotifyStoreError();
|
| - return;
|
| - }
|
| -
|
| - std::string policy_blob;
|
| - if (!validator->policy()->SerializeToString(&policy_blob)) {
|
| - status_ = STATUS_SERIALIZE_ERROR;
|
| - NotifyStoreError();
|
| - return;
|
| - }
|
| -
|
| - session_manager_client_->StoreUserPolicy(
|
| - policy_blob,
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyStored,
|
| - weak_factory_.GetWeakPtr()));
|
| -}
|
| -
|
| -void UserCloudPolicyStoreChromeOS::OnPolicyStored(bool success) {
|
| - if (!success) {
|
| - status_ = STATUS_STORE_ERROR;
|
| - NotifyStoreError();
|
| - } else {
|
| - // Load the policy right after storing it, to make sure it was accepted by
|
| - // the session manager. An additional validation is performed after the
|
| - // load; reload the key for that validation too, in case it was rotated.
|
| - ReloadPolicyKey(base::Bind(&UserCloudPolicyStoreChromeOS::Load,
|
| - weak_factory_.GetWeakPtr()));
|
| - }
|
| -}
|
| -
|
| void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
|
| const std::string& policy_blob) {
|
| if (policy_blob.empty()) {
|
| @@ -272,28 +207,11 @@
|
| return;
|
| }
|
|
|
| - // Load |policy_key_| to verify the loaded policy.
|
| - EnsurePolicyKeyLoaded(
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
|
| - weak_factory_.GetWeakPtr(),
|
| - base::Passed(&policy)));
|
| + Validate(policy.Pass(),
|
| + base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated,
|
| + weak_factory_.GetWeakPtr()));
|
| }
|
|
|
| -void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy(
|
| - scoped_ptr<em::PolicyFetchResponse> policy) {
|
| - // Create and configure a validator for the loaded policy.
|
| - scoped_ptr<UserCloudPolicyValidator> validator =
|
| - CreateValidator(policy.Pass());
|
| - validator->ValidateUsername(username_);
|
| - const bool allow_rotation = false;
|
| - validator->ValidateSignature(policy_key_, allow_rotation);
|
| - // Start validation. The Validator will delete itself once validation is
|
| - // complete.
|
| - validator.release()->StartValidation(
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated,
|
| - weak_factory_.GetWeakPtr()));
|
| -}
|
| -
|
| void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated(
|
| UserCloudPolicyValidator* validator) {
|
| validation_status_ = validator->status();
|
| @@ -318,6 +236,56 @@
|
| NotifyStoreLoaded();
|
| }
|
|
|
| +void UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated(
|
| + UserCloudPolicyValidator* validator) {
|
| + validation_status_ = validator->status();
|
| + if (!validator->success()) {
|
| + status_ = STATUS_VALIDATION_ERROR;
|
| + NotifyStoreError();
|
| + return;
|
| + }
|
| +
|
| + std::string policy_blob;
|
| + if (!validator->policy()->SerializeToString(&policy_blob)) {
|
| + status_ = STATUS_SERIALIZE_ERROR;
|
| + NotifyStoreError();
|
| + return;
|
| + }
|
| +
|
| + session_manager_client_->StoreUserPolicy(
|
| + policy_blob,
|
| + base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyStored,
|
| + weak_factory_.GetWeakPtr()));
|
| +}
|
| +
|
| +void UserCloudPolicyStoreChromeOS::OnPolicyStored(bool success) {
|
| + if (!success) {
|
| + status_ = STATUS_STORE_ERROR;
|
| + NotifyStoreError();
|
| + } else {
|
| + // TODO(mnissler): Once we do signature verifications, we'll have to reload
|
| + // the key at this point to account for key rotations.
|
| + Load();
|
| + }
|
| +}
|
| +
|
| +void UserCloudPolicyStoreChromeOS::Validate(
|
| + scoped_ptr<em::PolicyFetchResponse> policy,
|
| + const UserCloudPolicyValidator::CompletionCallback& callback) {
|
| + // Configure the validator.
|
| + scoped_ptr<UserCloudPolicyValidator> validator =
|
| + CreateValidator(policy.Pass());
|
| + validator->ValidateUsername(username_);
|
| +
|
| + // TODO(mnissler): Do a signature check here as well. The key is stored by
|
| + // session_manager in the root-owned cryptohome area, which is currently
|
| + // inaccessible to Chrome though.
|
| +
|
| + // Start validation. The Validator will free itself once validation is
|
| + // complete.
|
| + validator.release()->StartValidation(callback);
|
| +}
|
| +
|
| void UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished(
|
| const std::string& dm_token,
|
| const std::string& device_id,
|
| @@ -325,16 +293,10 @@
|
| scoped_ptr<em::PolicyFetchResponse> policy) {
|
| status_ = status;
|
| if (policy.get()) {
|
| - // Create and configure a validator for the loaded legacy policy. Note that
|
| - // the signature on this policy is not verified.
|
| - scoped_ptr<UserCloudPolicyValidator> validator =
|
| - CreateValidator(policy.Pass());
|
| - validator->ValidateUsername(username_);
|
| - validator.release()->StartValidation(
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated,
|
| - weak_factory_.GetWeakPtr(),
|
| - dm_token,
|
| - device_id));
|
| + Validate(policy.Pass(),
|
| + base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated,
|
| + weak_factory_.GetWeakPtr(),
|
| + dm_token, device_id));
|
| } else {
|
| InstallLegacyTokens(dm_token, device_id);
|
| }
|
| @@ -347,7 +309,8 @@
|
| validation_status_ = validator->status();
|
| if (validator->success()) {
|
| status_ = STATUS_OK;
|
| - InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass());
|
| + InstallPolicy(validator->policy_data().Pass(),
|
| + validator->payload().Pass());
|
|
|
| // Clear the public key version. The public key version field would
|
| // otherwise indicate that we have key installed in the store when in fact
|
| @@ -385,77 +348,4 @@
|
| LOG(ERROR) << "Failed to remove cache dir " << dir.value();
|
| }
|
|
|
| -void UserCloudPolicyStoreChromeOS::ReloadPolicyKey(
|
| - const base::Closure& callback) {
|
| - std::vector<uint8>* key = new std::vector<uint8>();
|
| - content::BrowserThread::PostBlockingPoolTaskAndReply(
|
| - FROM_HERE,
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
|
| - policy_key_path_,
|
| - key),
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded,
|
| - weak_factory_.GetWeakPtr(),
|
| - base::Owned(key),
|
| - callback));
|
| -}
|
| -
|
| -// static
|
| -void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const base::FilePath& path,
|
| - std::vector<uint8>* key) {
|
| - if (!file_util::PathExists(path)) {
|
| - VLOG(1) << "No key at " << path.value();
|
| - return;
|
| - }
|
| -
|
| - int64 size;
|
| - if (!file_util::GetFileSize(path, &size)) {
|
| - LOG(ERROR) << "Could not get size of " << path.value();
|
| - } else if (size == 0 || size > kKeySizeLimit) {
|
| - LOG(ERROR) << "Key at " << path.value() << " has bad size " << size;
|
| - } else {
|
| - key->resize(size);
|
| - int read_size = file_util::ReadFile(
|
| - path, reinterpret_cast<char*>(vector_as_array(key)), size);
|
| - if (read_size != size) {
|
| - LOG(ERROR) << "Failed to read key at " << path.value();
|
| - key->clear();
|
| - }
|
| - }
|
| -}
|
| -
|
| -void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
|
| - std::vector<uint8>* key,
|
| - const base::Closure& callback) {
|
| - policy_key_.swap(*key);
|
| - policy_key_loaded_ = true;
|
| - callback.Run();
|
| -}
|
| -
|
| -void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
|
| - const base::Closure& callback) {
|
| - if (policy_key_loaded_) {
|
| - callback.Run();
|
| - } else {
|
| - // Get the hashed username that's part of the key's path, to determine
|
| - // |policy_key_path_|.
|
| - cryptohome_client_->GetSanitizedUsername(username_,
|
| - base::Bind(&UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername,
|
| - weak_factory_.GetWeakPtr(),
|
| - callback));
|
| - }
|
| -}
|
| -
|
| -void UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername(
|
| - const base::Closure& callback,
|
| - chromeos::DBusMethodCallStatus call_status,
|
| - const std::string& sanitized_username) {
|
| - // The default empty path will always yield an empty key.
|
| - if (call_status == chromeos::DBUS_METHOD_CALL_SUCCESS &&
|
| - !sanitized_username.empty()) {
|
| - policy_key_path_ = user_policy_key_dir_.Append(
|
| - base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
|
| - }
|
| - ReloadPolicyKey(callback);
|
| -}
|
| -
|
| } // namespace policy
|
|
|
Chromium Code Reviews
Issue 12255017:
Revert 182279 due to failure in CloudPolicyTest.FetchPolicyWithRotatedKey on ChromeOS Asan bots. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src/