Implement cloud policy invalidations using the invalidation service framework.

chrome/browser/policy/cloud/cloud_policy_validator.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/policy/cloud/cloud_policy_validator.h"
 
 #include "base/bind_helpers.h"
+#include "base/hash.h"
 #include "base/message_loop/message_loop.h"
 #include "base/stl_util.h"
 #include "chrome/browser/policy/cloud/cloud_policy_constants.h"
 #include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/signature_verifier.h"
 #include "google_apis/gaia/gaia_auth_util.h"
 
 namespace em = enterprise_management;
 
@@ skipping 70 matching lines @@
   validation_flags_ |= VALIDATE_SIGNATURE;
   key_ = std::string(reinterpret_cast<const char*>(vector_as_array(&key)),
                      key.size());
   allow_key_rotation_ = allow_key_rotation;
 }
 
 void CloudPolicyValidatorBase::ValidateInitialKey() {
   validation_flags_ |= VALIDATE_INITIAL_KEY;
 }
 
+void CloudPolicyValidatorBase::ValidateHashValue() {
+  validation_flags_ |= VALIDATE_HASH_VALUE;
+}
+
 void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
     const em::PolicyData* policy_data,
     ValidateTimestampOption timestamp_option,
     ValidateDMTokenOption dm_token_option) {
   base::Time last_policy_timestamp;
   std::string expected_dm_token;
   if (policy_data) {
     last_policy_timestamp =
         base::Time::UnixEpoch() +
         base::TimeDelta::FromMilliseconds(policy_data->timestamp());
     expected_dm_token = policy_data->request_token();
   }
   ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),
                     timestamp_option);
   ValidateDMToken(expected_dm_token, dm_token_option);
 }
 
 CloudPolicyValidatorBase::CloudPolicyValidatorBase(
     scoped_ptr<em::PolicyFetchResponse> policy_response,
     google::protobuf::MessageLite* payload)
     : status_(VALIDATION_OK),
       policy_(policy_response.Pass()),
       payload_(payload),
+      hash_value_(0),
       validation_flags_(0),
       timestamp_not_before_(0),
       timestamp_not_after_(0),
       timestamp_option_(TIMESTAMP_REQUIRED),
       dm_token_option_(DM_TOKEN_REQUIRED),
       allow_key_rotation_(false) {}
 
 void CloudPolicyValidatorBase::PostValidationTask(
     const base::Closure& completion_callback) {
   content::BrowserThread::PostTask(
@@ skipping 59 matching lines @@
   } kCheckFunctions[] = {
     { VALIDATE_SIGNATURE,   &CloudPolicyValidatorBase::CheckSignature },
     { VALIDATE_INITIAL_KEY, &CloudPolicyValidatorBase::CheckInitialKey },
     { VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType },
     { VALIDATE_ENTITY_ID,   &CloudPolicyValidatorBase::CheckEntityId },
     { VALIDATE_TOKEN,       &CloudPolicyValidatorBase::CheckToken },
     { VALIDATE_USERNAME,    &CloudPolicyValidatorBase::CheckUsername },
     { VALIDATE_DOMAIN,      &CloudPolicyValidatorBase::CheckDomain },
     { VALIDATE_TIMESTAMP,   &CloudPolicyValidatorBase::CheckTimestamp },
     { VALIDATE_PAYLOAD,     &CloudPolicyValidatorBase::CheckPayload },
+    { VALIDATE_HASH_VALUE,  &CloudPolicyValidatorBase::CheckHashValue },
   };
 
   for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kCheckFunctions); ++i) {
     if (validation_flags_ & kCheckFunctions[i].flag) {
       status_ = (this->*(kCheckFunctions[i].checkFunction))();
       if (status_ != VALIDATION_OK)
         break;
     }
   }
 }
@@ skipping 135 matching lines @@
   if (!policy_data_->has_policy_value() ||
       !payload_->ParseFromString(policy_data_->policy_value()) ||
       !payload_->IsInitialized()) {
     LOG(ERROR) << "Failed to decode policy payload protobuf";
     return VALIDATION_POLICY_PARSE_ERROR;
   }
 
   return VALIDATION_OK;
 }
 
+CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckHashValue() {
+  hash_value_ = base::Hash(policy_data_->policy_value());

[Joao da Silva, 2013/07/23 20:44:47]

This isn't a validation of the policy (it can't fail).

I think this can be done on the CloudPolicyStore, see the comments there.

[Steve Condie, 2013/07/24 01:42:04]

I agree the way you suggested is cleaner. The only reason I put it here in the
first place was so that the hash computation would be performed on the file
thread, just in case for a large policy we didn't want to do that computation on
the UI thread.

+  return VALIDATION_OK;
+}
+
 // static
 bool CloudPolicyValidatorBase::VerifySignature(const std::string& data,
                                                const std::string& key,
                                                const std::string& signature) {
   crypto::SignatureVerifier verifier;
 
   if (!verifier.VerifyInit(kSignatureAlgorithm, sizeof(kSignatureAlgorithm),
                            reinterpret_cast<const uint8*>(signature.c_str()),
                            signature.size(),
                            reinterpret_cast<const uint8*>(key.c_str()),
                            key.size())) {
     return false;
   }
   verifier.VerifyUpdate(reinterpret_cast<const uint8*>(data.c_str()),
                         data.size());
   return verifier.VerifyFinal();
 }
 
 template class CloudPolicyValidator<em::CloudPolicySettings>;
 template class CloudPolicyValidator<em::ExternalPolicyData>;
 
 }  // namespace policy