OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h" | 5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/callback.h" | 10 #include "base/callback.h" |
| 11 #include "base/memory/ptr_util.h" |
11 #include "chrome/browser/browser_process.h" | 12 #include "chrome/browser/browser_process.h" |
12 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h" | 13 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h" |
13 #include "chromeos/dbus/session_manager_client.h" | 14 #include "chromeos/dbus/session_manager_client.h" |
14 #include "components/ownership/owner_key_util.h" | 15 #include "components/ownership/owner_key_util.h" |
15 #include "components/policy/core/common/cloud/device_management_service.h" | 16 #include "components/policy/core/common/cloud/device_management_service.h" |
16 #include "components/policy/core/common/external_data_fetcher.h" | 17 #include "components/policy/core/common/external_data_fetcher.h" |
17 #include "components/policy/core/common/policy_map.h" | 18 #include "components/policy/core/common/policy_map.h" |
18 #include "components/policy/core/common/policy_types.h" | 19 #include "components/policy/core/common/policy_types.h" |
19 #include "policy/proto/cloud_policy.pb.h" | 20 #include "policy/proto/cloud_policy.pb.h" |
20 #include "policy/proto/device_management_backend.pb.h" | 21 #include "policy/proto/device_management_backend.pb.h" |
(...skipping 20 matching lines...) Expand all Loading... |
41 session_manager_client_->RetrieveDeviceLocalAccountPolicy( | 42 session_manager_client_->RetrieveDeviceLocalAccountPolicy( |
42 account_id_, | 43 account_id_, |
43 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob, | 44 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob, |
44 weak_factory_.GetWeakPtr())); | 45 weak_factory_.GetWeakPtr())); |
45 } | 46 } |
46 | 47 |
47 void DeviceLocalAccountPolicyStore::Store( | 48 void DeviceLocalAccountPolicyStore::Store( |
48 const em::PolicyFetchResponse& policy) { | 49 const em::PolicyFetchResponse& policy) { |
49 weak_factory_.InvalidateWeakPtrs(); | 50 weak_factory_.InvalidateWeakPtrs(); |
50 CheckKeyAndValidate( | 51 CheckKeyAndValidate( |
51 true, | 52 true, base::WrapUnique(new em::PolicyFetchResponse(policy)), |
52 make_scoped_ptr(new em::PolicyFetchResponse(policy)), | |
53 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy, | 53 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy, |
54 weak_factory_.GetWeakPtr())); | 54 weak_factory_.GetWeakPtr())); |
55 } | 55 } |
56 | 56 |
57 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob( | 57 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob( |
58 const std::string& policy_blob) { | 58 const std::string& policy_blob) { |
59 if (policy_blob.empty()) { | 59 if (policy_blob.empty()) { |
60 status_ = CloudPolicyStore::STATUS_LOAD_ERROR; | 60 status_ = CloudPolicyStore::STATUS_LOAD_ERROR; |
61 NotifyStoreError(); | 61 NotifyStoreError(); |
62 } else { | 62 } else { |
63 scoped_ptr<em::PolicyFetchResponse> policy(new em::PolicyFetchResponse()); | 63 std::unique_ptr<em::PolicyFetchResponse> policy( |
| 64 new em::PolicyFetchResponse()); |
64 if (policy->ParseFromString(policy_blob)) { | 65 if (policy->ParseFromString(policy_blob)) { |
65 CheckKeyAndValidate( | 66 CheckKeyAndValidate( |
66 false, std::move(policy), | 67 false, std::move(policy), |
67 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy, | 68 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy, |
68 weak_factory_.GetWeakPtr())); | 69 weak_factory_.GetWeakPtr())); |
69 } else { | 70 } else { |
70 status_ = CloudPolicyStore::STATUS_PARSE_ERROR; | 71 status_ = CloudPolicyStore::STATUS_PARSE_ERROR; |
71 NotifyStoreError(); | 72 NotifyStoreError(); |
72 } | 73 } |
73 } | 74 } |
(...skipping 41 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
115 if (!success) { | 116 if (!success) { |
116 status_ = CloudPolicyStore::STATUS_STORE_ERROR; | 117 status_ = CloudPolicyStore::STATUS_STORE_ERROR; |
117 NotifyStoreError(); | 118 NotifyStoreError(); |
118 } else { | 119 } else { |
119 Load(); | 120 Load(); |
120 } | 121 } |
121 } | 122 } |
122 | 123 |
123 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate( | 124 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate( |
124 bool valid_timestamp_required, | 125 bool valid_timestamp_required, |
125 scoped_ptr<em::PolicyFetchResponse> policy, | 126 std::unique_ptr<em::PolicyFetchResponse> policy, |
126 const UserCloudPolicyValidator::CompletionCallback& callback) { | 127 const UserCloudPolicyValidator::CompletionCallback& callback) { |
127 device_settings_service_->GetOwnershipStatusAsync( | 128 device_settings_service_->GetOwnershipStatusAsync( |
128 base::Bind(&DeviceLocalAccountPolicyStore::Validate, | 129 base::Bind(&DeviceLocalAccountPolicyStore::Validate, |
129 weak_factory_.GetWeakPtr(), | 130 weak_factory_.GetWeakPtr(), |
130 valid_timestamp_required, | 131 valid_timestamp_required, |
131 base::Passed(&policy), | 132 base::Passed(&policy), |
132 callback)); | 133 callback)); |
133 } | 134 } |
134 | 135 |
135 void DeviceLocalAccountPolicyStore::Validate( | 136 void DeviceLocalAccountPolicyStore::Validate( |
136 bool valid_timestamp_required, | 137 bool valid_timestamp_required, |
137 scoped_ptr<em::PolicyFetchResponse> policy_response, | 138 std::unique_ptr<em::PolicyFetchResponse> policy_response, |
138 const UserCloudPolicyValidator::CompletionCallback& callback, | 139 const UserCloudPolicyValidator::CompletionCallback& callback, |
139 chromeos::DeviceSettingsService::OwnershipStatus ownership_status) { | 140 chromeos::DeviceSettingsService::OwnershipStatus ownership_status) { |
140 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN, | 141 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN, |
141 ownership_status); | 142 ownership_status); |
142 const em::PolicyData* device_policy_data = | 143 const em::PolicyData* device_policy_data = |
143 device_settings_service_->policy_data(); | 144 device_settings_service_->policy_data(); |
144 scoped_refptr<ownership::PublicKey> key = | 145 scoped_refptr<ownership::PublicKey> key = |
145 device_settings_service_->GetPublicKey(); | 146 device_settings_service_->GetPublicKey(); |
146 if (!key.get() || !key->is_loaded() || !device_policy_data) { | 147 if (!key.get() || !key->is_loaded() || !device_policy_data) { |
147 status_ = CloudPolicyStore::STATUS_BAD_STATE; | 148 status_ = CloudPolicyStore::STATUS_BAD_STATE; |
148 NotifyStoreLoaded(); | 149 NotifyStoreLoaded(); |
149 return; | 150 return; |
150 } | 151 } |
151 | 152 |
152 scoped_ptr<UserCloudPolicyValidator> validator( | 153 std::unique_ptr<UserCloudPolicyValidator> validator( |
153 UserCloudPolicyValidator::Create(std::move(policy_response), | 154 UserCloudPolicyValidator::Create(std::move(policy_response), |
154 background_task_runner())); | 155 background_task_runner())); |
155 validator->ValidateUsername(account_id_, false); | 156 validator->ValidateUsername(account_id_, false); |
156 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType); | 157 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType); |
157 // The timestamp is verified when storing a new policy downloaded from the | 158 // The timestamp is verified when storing a new policy downloaded from the |
158 // server but not when loading a cached policy from disk. | 159 // server but not when loading a cached policy from disk. |
159 // See SessionManagerOperation::ValidateDeviceSettings for the rationale. | 160 // See SessionManagerOperation::ValidateDeviceSettings for the rationale. |
160 validator->ValidateAgainstCurrentPolicy( | 161 validator->ValidateAgainstCurrentPolicy( |
161 policy(), | 162 policy(), |
162 valid_timestamp_required | 163 valid_timestamp_required |
163 ? CloudPolicyValidatorBase::TIMESTAMP_REQUIRED | 164 ? CloudPolicyValidatorBase::TIMESTAMP_REQUIRED |
164 : CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED, | 165 : CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED, |
165 CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED); | 166 CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED); |
166 | 167 |
167 // Validate the DMToken to match what device policy has. | 168 // Validate the DMToken to match what device policy has. |
168 validator->ValidateDMToken(device_policy_data->request_token(), | 169 validator->ValidateDMToken(device_policy_data->request_token(), |
169 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED); | 170 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED); |
170 | 171 |
171 validator->ValidatePayload(); | 172 validator->ValidatePayload(); |
172 policy::BrowserPolicyConnectorChromeOS* connector = | 173 policy::BrowserPolicyConnectorChromeOS* connector = |
173 g_browser_process->platform_part()->browser_policy_connector_chromeos(); | 174 g_browser_process->platform_part()->browser_policy_connector_chromeos(); |
174 validator->ValidateSignature(key->as_string(), | 175 validator->ValidateSignature(key->as_string(), |
175 GetPolicyVerificationKey(), | 176 GetPolicyVerificationKey(), |
176 connector->GetEnterpriseDomain(), | 177 connector->GetEnterpriseDomain(), |
177 false); | 178 false); |
178 validator.release()->StartValidation(callback); | 179 validator.release()->StartValidation(callback); |
179 } | 180 } |
180 | 181 |
181 } // namespace policy | 182 } // namespace policy |
OLD | NEW |