OLD | NEW |
1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "components/policy/core/common/cloud/user_cloud_policy_store.h" | 5 #include "components/policy/core/common/cloud/user_cloud_policy_store.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <utility> |
8 | 9 |
9 #include "base/bind.h" | 10 #include "base/bind.h" |
10 #include "base/files/file_util.h" | 11 #include "base/files/file_util.h" |
11 #include "base/location.h" | 12 #include "base/location.h" |
12 #include "base/metrics/histogram_macros.h" | 13 #include "base/metrics/histogram_macros.h" |
13 #include "base/task_runner_util.h" | 14 #include "base/task_runner_util.h" |
14 #include "google_apis/gaia/gaia_auth_util.h" | 15 #include "google_apis/gaia/gaia_auth_util.h" |
15 #include "policy/proto/cloud_policy.pb.h" | 16 #include "policy/proto/cloud_policy.pb.h" |
16 #include "policy/proto/device_management_backend.pb.h" | 17 #include "policy/proto/device_management_backend.pb.h" |
17 #include "policy/proto/policy_signing_key.pb.h" | 18 #include "policy/proto/policy_signing_key.pb.h" |
(...skipping 245 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
263 // The cached key didn't match our current key, so we're doing a key | 264 // The cached key didn't match our current key, so we're doing a key |
264 // rotation - make sure we request a new key from the server on our | 265 // rotation - make sure we request a new key from the server on our |
265 // next fetch. | 266 // next fetch. |
266 doing_key_rotation = true; | 267 doing_key_rotation = true; |
267 DLOG(WARNING) << "Verification key rotation detected"; | 268 DLOG(WARNING) << "Verification key rotation detected"; |
268 // TODO(atwilson): Add code to update |verification_key| to point to | 269 // TODO(atwilson): Add code to update |verification_key| to point to |
269 // the correct key to validate the existing blob (can't do this until | 270 // the correct key to validate the existing blob (can't do this until |
270 // we've done our first key rotation). | 271 // we've done our first key rotation). |
271 } | 272 } |
272 | 273 |
273 Validate(cloud_policy.Pass(), | 274 Validate( |
274 key.Pass(), | 275 std::move(cloud_policy), std::move(key), verification_key, |
275 verification_key, | 276 validate_in_background, |
276 validate_in_background, | 277 base::Bind(&UserCloudPolicyStore::InstallLoadedPolicyAfterValidation, |
277 base::Bind( | 278 weak_factory_.GetWeakPtr(), doing_key_rotation, |
278 &UserCloudPolicyStore::InstallLoadedPolicyAfterValidation, | 279 result.key.has_signing_key() ? result.key.signing_key() |
279 weak_factory_.GetWeakPtr(), | 280 : std::string())); |
280 doing_key_rotation, | |
281 result.key.has_signing_key() ? | |
282 result.key.signing_key() : std::string())); | |
283 break; | 281 break; |
284 } | 282 } |
285 default: | 283 default: |
286 NOTREACHED(); | 284 NOTREACHED(); |
287 } | 285 } |
288 } | 286 } |
289 | 287 |
290 void UserCloudPolicyStore::InstallLoadedPolicyAfterValidation( | 288 void UserCloudPolicyStore::InstallLoadedPolicyAfterValidation( |
291 bool doing_key_rotation, | 289 bool doing_key_rotation, |
292 const std::string& signing_key, | 290 const std::string& signing_key, |
(...skipping 17 matching lines...) Expand all Loading... |
310 // If we're doing a key rotation, clear the public key version so a future | 308 // If we're doing a key rotation, clear the public key version so a future |
311 // policy fetch will force regeneration of the keys. | 309 // policy fetch will force regeneration of the keys. |
312 if (doing_key_rotation) { | 310 if (doing_key_rotation) { |
313 validator->policy_data()->clear_public_key_version(); | 311 validator->policy_data()->clear_public_key_version(); |
314 policy_key_.clear(); | 312 policy_key_.clear(); |
315 } else { | 313 } else { |
316 // Policy validation succeeded, so we know the signing key is good. | 314 // Policy validation succeeded, so we know the signing key is good. |
317 policy_key_ = signing_key; | 315 policy_key_ = signing_key; |
318 } | 316 } |
319 | 317 |
320 InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass()); | 318 InstallPolicy(std::move(validator->policy_data()), |
| 319 std::move(validator->payload())); |
321 status_ = STATUS_OK; | 320 status_ = STATUS_OK; |
322 NotifyStoreLoaded(); | 321 NotifyStoreLoaded(); |
323 } | 322 } |
324 | 323 |
325 void UserCloudPolicyStore::Store(const em::PolicyFetchResponse& policy) { | 324 void UserCloudPolicyStore::Store(const em::PolicyFetchResponse& policy) { |
326 // Stop any pending requests to store policy, then validate the new policy | 325 // Stop any pending requests to store policy, then validate the new policy |
327 // before storing it. | 326 // before storing it. |
328 weak_factory_.InvalidateWeakPtrs(); | 327 weak_factory_.InvalidateWeakPtrs(); |
329 scoped_ptr<em::PolicyFetchResponse> policy_copy( | 328 scoped_ptr<em::PolicyFetchResponse> policy_copy( |
330 new em::PolicyFetchResponse(policy)); | 329 new em::PolicyFetchResponse(policy)); |
331 Validate(policy_copy.Pass(), | 330 Validate(std::move(policy_copy), scoped_ptr<em::PolicySigningKey>(), |
332 scoped_ptr<em::PolicySigningKey>(), | 331 verification_key_, true, |
333 verification_key_, | |
334 true, | |
335 base::Bind(&UserCloudPolicyStore::StorePolicyAfterValidation, | 332 base::Bind(&UserCloudPolicyStore::StorePolicyAfterValidation, |
336 weak_factory_.GetWeakPtr())); | 333 weak_factory_.GetWeakPtr())); |
337 } | 334 } |
338 | 335 |
339 void UserCloudPolicyStore::Validate( | 336 void UserCloudPolicyStore::Validate( |
340 scoped_ptr<em::PolicyFetchResponse> policy, | 337 scoped_ptr<em::PolicyFetchResponse> policy, |
341 scoped_ptr<em::PolicySigningKey> cached_key, | 338 scoped_ptr<em::PolicySigningKey> cached_key, |
342 const std::string& verification_key, | 339 const std::string& verification_key, |
343 bool validate_in_background, | 340 bool validate_in_background, |
344 const UserCloudPolicyValidator::CompletionCallback& callback) { | 341 const UserCloudPolicyValidator::CompletionCallback& callback) { |
345 // Configure the validator. | 342 // Configure the validator. |
346 scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator( | 343 scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator( |
347 policy.Pass(), | 344 std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE); |
348 CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE); | |
349 | 345 |
350 // Extract the owning domain from the signed-in user (if any is set yet). | 346 // Extract the owning domain from the signed-in user (if any is set yet). |
351 // If there's no owning domain, then the code just ensures that the policy | 347 // If there's no owning domain, then the code just ensures that the policy |
352 // is self-consistent (that the keys are signed with the same domain that the | 348 // is self-consistent (that the keys are signed with the same domain that the |
353 // username field in the policy contains). UserPolicySigninServerBase will | 349 // username field in the policy contains). UserPolicySigninServerBase will |
354 // verify that the username matches the signed in user once profile | 350 // verify that the username matches the signed in user once profile |
355 // initialization is complete (http://crbug.com/342327). | 351 // initialization is complete (http://crbug.com/342327). |
356 std::string owning_domain; | 352 std::string owning_domain; |
357 | 353 |
358 // Validate the username if the user is signed in. The signin_username_ can | 354 // Validate the username if the user is signed in. The signin_username_ can |
(...skipping 85 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
444 return; | 440 return; |
445 } | 441 } |
446 | 442 |
447 // Persist the validated policy (just fire a task - don't bother getting a | 443 // Persist the validated policy (just fire a task - don't bother getting a |
448 // reply because we can't do anything if it fails). | 444 // reply because we can't do anything if it fails). |
449 background_task_runner()->PostTask( | 445 background_task_runner()->PostTask( |
450 FROM_HERE, | 446 FROM_HERE, |
451 base::Bind(&StorePolicyToDiskOnBackgroundThread, | 447 base::Bind(&StorePolicyToDiskOnBackgroundThread, |
452 policy_path_, key_path_, verification_key_, | 448 policy_path_, key_path_, verification_key_, |
453 *validator->policy())); | 449 *validator->policy())); |
454 InstallPolicy(validator->policy_data().Pass(), validator->payload().Pass()); | 450 InstallPolicy(std::move(validator->policy_data()), |
| 451 std::move(validator->payload())); |
455 | 452 |
456 // If the key was rotated, update our local cache of the key. | 453 // If the key was rotated, update our local cache of the key. |
457 if (validator->policy()->has_new_public_key()) | 454 if (validator->policy()->has_new_public_key()) |
458 policy_key_ = validator->policy()->new_public_key(); | 455 policy_key_ = validator->policy()->new_public_key(); |
459 status_ = STATUS_OK; | 456 status_ = STATUS_OK; |
460 NotifyStoreLoaded(); | 457 NotifyStoreLoaded(); |
461 } | 458 } |
462 | 459 |
463 } // namespace policy | 460 } // namespace policy |
OLD | NEW |