Implement cloud policy invalidations using the invalidation service framework.

chrome/browser/policy/cloud/cloud_policy_validator.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_VALIDATOR_H_
 #define CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_VALIDATOR_H_
 
 #include <string>
 #include <vector>
 
@@ skipping 83 matching lines @@
 
   // The policy objects owned by the validator. These are scoped_ptr
   // references, so ownership can be passed on once validation is complete.
   scoped_ptr<enterprise_management::PolicyFetchResponse>& policy() {
     return policy_;
   }
   scoped_ptr<enterprise_management::PolicyData>& policy_data() {
     return policy_data_;
   }
 
+  // If ValidateHashValue() is called, the hash value of the policy value can
+  // be read with this method after completion has been signaled.
+  uint32 hash_value() const {
+    return hash_value_;
+  }
+
   // Instructs the validator to check that the policy timestamp is not before
   // |not_before| and not after |now| + grace interval. If
   // |timestamp_option| is set to TIMESTAMP_REQUIRED, then the policy will fail
   // validation if it does not have a timestamp field.
   void ValidateTimestamp(base::Time not_before,
                          base::Time now,
                          ValidateTimestampOption timestamp_option);
 
   // Validates the username in the policy blob matches |expected_user|.
   void ValidateUsername(const std::string& expected_user);
@@ skipping 24 matching lines @@
   void ValidateSignature(const std::vector<uint8>& key,
                          bool allow_key_rotation);
 
   // Similar to StartSignatureVerification(), this checks the signature on the
   // policy blob. However, this variant expects a new policy key set in the
   // policy blob and makes sure the policy is signed using that key. This should
   // be called at setup time when there is no existing policy key present to
   // check against.
   void ValidateInitialKey();
 
+  // Causes the validator to calculate the hash value of the policy value.
+  // This can be used to determine if two policies are different.
+  void ValidateHashValue();
+
   // Convenience helper that configures timestamp and token validation based on
   // the current policy blob. |policy_data| may be NULL, in which case the
   // timestamp validation will drop the lower bound. |dm_token_option|
   // and |timestamp_option| have the same effect as the corresponding
   // parameters for ValidateTimestamp() and ValidateDMToken().
   void ValidateAgainstCurrentPolicy(
       const enterprise_management::PolicyData* policy_data,
       ValidateTimestampOption timestamp_option,
       ValidateDMTokenOption dm_token_option);
 
@@ skipping 17 matching lines @@
   enum ValidationFlags {
     VALIDATE_TIMESTAMP   = 1 << 0,
     VALIDATE_USERNAME    = 1 << 1,
     VALIDATE_DOMAIN      = 1 << 2,
     VALIDATE_TOKEN       = 1 << 3,
     VALIDATE_POLICY_TYPE = 1 << 4,
     VALIDATE_ENTITY_ID   = 1 << 5,
     VALIDATE_PAYLOAD     = 1 << 6,
     VALIDATE_SIGNATURE   = 1 << 7,
     VALIDATE_INITIAL_KEY = 1 << 8,
+    VALIDATE_HASH_VALUE  = 1 << 9,
   };
 
   // Performs validation, called on a background thread.
   static void PerformValidation(
       scoped_ptr<CloudPolicyValidatorBase> self,
       scoped_refptr<base::MessageLoopProxy> message_loop,
       const base::Closure& completion_callback);
 
   // Reports completion to the |completion_callback_|.
   static void ReportCompletion(scoped_ptr<CloudPolicyValidatorBase> self,
                                const base::Closure& completion_callback);
 
   // Invokes all the checks and reports the result.
   void RunChecks();
 
   // Helper functions implementing individual checks.
   Status CheckTimestamp();
   Status CheckUsername();
   Status CheckDomain();
   Status CheckToken();
   Status CheckPolicyType();
   Status CheckEntityId();
   Status CheckPayload();
   Status CheckSignature();
   Status CheckInitialKey();
+  Status CheckHashValue();
 
   // Verifies the SHA1/RSA |signature| on |data| against |key|.
   static bool VerifySignature(const std::string& data,
                               const std::string& key,
                               const std::string& signature);
 
   Status status_;
   scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
   scoped_ptr<enterprise_management::PolicyData> policy_data_;
   google::protobuf::MessageLite* payload_;
+  uint32 hash_value_;
 
   int validation_flags_;
   int64 timestamp_not_before_;
   int64 timestamp_not_after_;
   ValidateTimestampOption timestamp_option_;
   ValidateDMTokenOption dm_token_option_;
   std::string user_;
   std::string domain_;
   std::string token_;
   std::string policy_type_;
@@ skipping 47 matching lines @@
 };
 
 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings>
     UserCloudPolicyValidator;
 typedef CloudPolicyValidator<enterprise_management::ExternalPolicyData>
     ComponentCloudPolicyValidator;
 
 }  // namespace policy
 
 #endif  // CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_VALIDATOR_H_