chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc - Issue 143183007: Update policy signature verification to include policy domain.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

Issue 143183007: Update policy signature verification to include policy domain. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Trying again after mysterious chunk-mismatch error on last upload. Created 6 years, 10 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

diff --git a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

index 3c25bac230efe9a6ec9d37bfe6db4f1c6d187c16..5387b05314666d396120a7a8b9363795c2c12e5c 100644

--- a/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

+++ b/chrome/browser/chromeos/policy/enrollment_handler_chromeos.cc

@@ -109,13 +109,24 @@ void EnrollmentHandlerChromeOS::OnPolicyFetched(CloudPolicyClient* client) {

validator->ValidateTimestamp(base::Time(), base::Time::NowFromSystemTime(),

CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);

- if (install_attributes_->IsEnterpriseDevice())

- validator->ValidateDomain(install_attributes_->GetDomain());

+ std::string domain;

Mattias Nissler (ping if slow) 2014/02/13 10:52:53 nit: Can you move this after the comment?

Andrew T Wilson (Slow) 2014/02/13 12:15:36 Done.

+ // If this is re-enrollment, make sure that the new policy matches the

+ // previously-enrolled domain.

+ if (install_attributes_->IsEnterpriseDevice()) {

+ domain = install_attributes_->GetDomain();

+ validator->ValidateDomain(domain);

+ }

validator->ValidateDMToken(client->dm_token(),

CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);

validator->ValidatePolicyType(dm_protocol::kChromeDevicePolicyType);

validator->ValidatePayload();

- validator->ValidateInitialKey(GetPolicyVerificationKey());

+ // If |domain| is empty here, the policy validation code will just use the

+ // domain from the username field in the policy itself to do key validation.

+ // TODO(mnissler): Plumb the enrolling user's username into this object so

+ // we can validate the username on the resulting policy, and use the domain

+ // from that username to validate the key below (http://crbug.com/343074).

+ validator->ValidateInitialKey(GetPolicyVerificationKey(), domain);

validator.release()->StartValidation(

base::Bind(&EnrollmentHandlerChromeOS::PolicyValidated,

weak_ptr_factory_.GetWeakPtr()));