| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" |
| 6 | 6 |
| 7 #include "base/bind.h" | 7 #include "base/bind.h" |
| 8 #include "base/bind_helpers.h" | 8 #include "base/bind_helpers.h" |
| 9 #include "base/callback.h" | 9 #include "base/callback.h" |
| 10 #include "base/file_util.h" | 10 #include "base/file_util.h" |
| (...skipping 31 matching lines...) |
| 42 VALIDATION_FAILURE_LOAD_KEY, | 42 VALIDATION_FAILURE_LOAD_KEY, |
| 43 VALIDATION_FAILURE_SIZE, | 43 VALIDATION_FAILURE_SIZE, |
| 44 }; | 44 }; |
| 45 | 45 |
| 46 void SampleValidationFailure(ValidationFailure sample) { | 46 void SampleValidationFailure(ValidationFailure sample) { |
| 47 UMA_HISTOGRAM_ENUMERATION("Enterprise.UserPolicyValidationFailure", | 47 UMA_HISTOGRAM_ENUMERATION("Enterprise.UserPolicyValidationFailure", |
| 48 sample, | 48 sample, |
| 49 VALIDATION_FAILURE_SIZE); | 49 VALIDATION_FAILURE_SIZE); |
| 50 } | 50 } |
| 51 | 51 |
| 52 // Extracts the domain name from the passed username. |
| 53 std::string ExtractDomain(const std::string& username) { |
| 54 return gaia::ExtractDomainName(gaia::CanonicalizeEmail(username)); |
| 55 } |
| 56 |
| 52 } // namespace | 57 } // namespace |
| 53 | 58 |
| 54 // Helper class for loading legacy policy caches. | 59 // Helper class for loading legacy policy caches. |
| 55 class LegacyPolicyCacheLoader : public UserPolicyTokenLoader::Delegate, | 60 class LegacyPolicyCacheLoader : public UserPolicyTokenLoader::Delegate, |
| 56 public UserPolicyDiskCache::Delegate { | 61 public UserPolicyDiskCache::Delegate { |
| 57 public: | 62 public: |
| 58 typedef base::Callback<void(const std::string&, | 63 typedef base::Callback<void(const std::string&, |
| 59 const std::string&, | 64 const std::string&, |
| 60 CloudPolicyStore::Status, | 65 CloudPolicyStore::Status, |
| 61 scoped_ptr<em::PolicyFetchResponse>)> Callback; | 66 scoped_ptr<em::PolicyFetchResponse>)> Callback; |
| (...skipping 190 matching lines...) |
| 252 policy_key_loaded_ = true; | 257 policy_key_loaded_ = true; |
| 253 | 258 |
| 254 scoped_ptr<UserCloudPolicyValidator> validator = | 259 scoped_ptr<UserCloudPolicyValidator> validator = |
| 255 CreateValidator(policy.Pass(), | 260 CreateValidator(policy.Pass(), |
| 256 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED); | 261 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED); |
| 257 validator->ValidateUsername(username_); | 262 validator->ValidateUsername(username_); |
| 258 const bool allow_rotation = false; | 263 const bool allow_rotation = false; |
| 259 validator->ValidateSignature( | 264 validator->ValidateSignature( |
| 260 policy_key_, | 265 policy_key_, |
| 261 GetPolicyVerificationKey(), | 266 GetPolicyVerificationKey(), |
| 262 std::string(), // No signature verification needed. | 267 ExtractDomain(sanitized_username), |
| 263 allow_rotation); | 268 allow_rotation); |
| 264 validator->RunValidation(); | 269 validator->RunValidation(); |
| 265 OnRetrievedPolicyValidated(validator.get()); | 270 OnRetrievedPolicyValidated(validator.get()); |
| 266 } | 271 } |
| 267 | 272 |
| 268 void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore( | 273 void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore( |
| 269 scoped_ptr<em::PolicyFetchResponse> policy) { | 274 scoped_ptr<em::PolicyFetchResponse> policy) { |
| 270 // Create and configure a validator. | 275 // Create and configure a validator. |
| 271 scoped_ptr<UserCloudPolicyValidator> validator = | 276 scoped_ptr<UserCloudPolicyValidator> validator = |
| 272 CreateValidator(policy.Pass(), | 277 CreateValidator(policy.Pass(), |
| 273 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED); | 278 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED); |
| 274 validator->ValidateUsername(username_); | 279 validator->ValidateUsername(username_); |
| 275 if (policy_key_.empty()) { | 280 if (policy_key_.empty()) { |
| 276 validator->ValidateInitialKey(GetPolicyVerificationKey()); | 281 validator->ValidateInitialKey(GetPolicyVerificationKey(), |
| 282 ExtractDomain(username_)); |
| 277 } else { | 283 } else { |
| 278 const bool allow_rotation = true; | 284 const bool allow_rotation = true; |
| 279 validator->ValidateSignature(policy_key_, | 285 validator->ValidateSignature(policy_key_, |
| 280 GetPolicyVerificationKey(), | 286 GetPolicyVerificationKey(), |
| 281 std::string(), | 287 ExtractDomain(username_), |
| 282 allow_rotation); | 288 allow_rotation); |
| 283 } | 289 } |
| 284 | 290 |
| 285 // Start validation. The Validator will delete itself once validation is | 291 // Start validation. The Validator will delete itself once validation is |
| 286 // complete. | 292 // complete. |
| 287 validator.release()->StartValidation( | 293 validator.release()->StartValidation( |
| 288 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated, | 294 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated, |
| 289 weak_factory_.GetWeakPtr())); | 295 weak_factory_.GetWeakPtr())); |
| 290 } | 296 } |
| 291 | 297 |
| (...skipping 78 matching lines...) |
| 370 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy( | 376 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy( |
| 371 scoped_ptr<em::PolicyFetchResponse> policy) { | 377 scoped_ptr<em::PolicyFetchResponse> policy) { |
| 372 // Create and configure a validator for the loaded policy. | 378 // Create and configure a validator for the loaded policy. |
| 373 scoped_ptr<UserCloudPolicyValidator> validator = | 379 scoped_ptr<UserCloudPolicyValidator> validator = |
| 374 CreateValidator(policy.Pass(), | 380 CreateValidator(policy.Pass(), |
| 375 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED); | 381 CloudPolicyValidatorBase::TIMESTAMP_REQUIRED); |
| 376 validator->ValidateUsername(username_); | 382 validator->ValidateUsername(username_); |
| 377 const bool allow_rotation = false; | 383 const bool allow_rotation = false; |
| 378 validator->ValidateSignature(policy_key_, | 384 validator->ValidateSignature(policy_key_, |
| 379 GetPolicyVerificationKey(), | 385 GetPolicyVerificationKey(), |
| 380 std::string(), | 386 ExtractDomain(username_), |
| 381 allow_rotation); | 387 allow_rotation); |
| 382 // Start validation. The Validator will delete itself once validation is | 388 // Start validation. The Validator will delete itself once validation is |
| 383 // complete. | 389 // complete. |
| 384 validator.release()->StartValidation( | 390 validator.release()->StartValidation( |
| 385 base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated, | 391 base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated, |
| 386 weak_factory_.GetWeakPtr())); | 392 weak_factory_.GetWeakPtr())); |
| 387 } | 393 } |
| 388 | 394 |
| 389 void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated( | 395 void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated( |
| 390 UserCloudPolicyValidator* validator) { | 396 UserCloudPolicyValidator* validator) { |
| (...skipping 169 matching lines...) |
| 560 !sanitized_username.empty()) { | 566 !sanitized_username.empty()) { |
| 561 policy_key_path_ = user_policy_key_dir_.Append( | 567 policy_key_path_ = user_policy_key_dir_.Append( |
| 562 base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str())); | 568 base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str())); |
| 563 } else { | 569 } else { |
| 564 SampleValidationFailure(VALIDATION_FAILURE_DBUS); | 570 SampleValidationFailure(VALIDATION_FAILURE_DBUS); |
| 565 } | 571 } |
| 566 ReloadPolicyKey(callback); | 572 ReloadPolicyKey(callback); |
| 567 } | 573 } |
| 568 | 574 |
| 569 } // namespace policy | 575 } // namespace policy |
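Review bot: The call at new line 267 derives the signature domain from `sanitized_username`, while the three other call sites (new lines 282, 287 and 386) use `username_`; the enclosing function starts in the skipped region, so the local's definition is not visible, but at new line 568 a variable of the same name is formatted into the policy key file path, which suggests it is not an e-mail address. If so, `ExtractDomain` would be handed a string without an `@`, and the domain checked against the key signature would be empty or wrong on this path only. The old argument here was `std::string()` with the comment "No signature verification needed", so if the validator still treats an empty domain as "skip the check", this path would silently fall back to no verification instead of failing. I would pass `ExtractDomain(username_),` here as well, and extend the comment on `ExtractDomain` to state what it returns for input without a domain part and that callers must pass the unsanitized account name.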
| OLD | NEW |