| Index: components/policy/core/common/cloud/cloud_policy_validator.cc
|
| diff --git a/components/policy/core/common/cloud/cloud_policy_validator.cc b/components/policy/core/common/cloud/cloud_policy_validator.cc
|
| index 03971e62aff3118a6c8c79891da56f1e9e2d7b40..3968708b4d6651fc52a0eb67b6818af66049fe70 100644
|
| --- a/components/policy/core/common/cloud/cloud_policy_validator.cc
|
| +++ b/components/policy/core/common/cloud/cloud_policy_validator.cc
|
| @@ -86,6 +86,12 @@ void CloudPolicyValidatorBase::ValidateDMToken(
|
| dm_token_option_ = dm_token_option;
|
| }
|
|
|
| +void CloudPolicyValidatorBase::ValidateDeviceId(
|
| + const std::string& device_id) {
|
| + validation_flags_ |= VALIDATE_DEVICE_ID;
|
| + device_id_ = device_id;
|
| +}
|
| +
|
| void CloudPolicyValidatorBase::ValidatePolicyType(
|
| const std::string& policy_type) {
|
| validation_flags_ |= VALIDATE_POLICY_TYPE;
|
| @@ -138,15 +144,18 @@ void CloudPolicyValidatorBase::ValidateAgainstCurrentPolicy(
|
| ValidateDMTokenOption dm_token_option) {
|
| base::Time last_policy_timestamp;
|
| std::string expected_dm_token;
|
| + std::string expected_device_id;
|
| if (policy_data) {
|
| last_policy_timestamp =
|
| base::Time::UnixEpoch() +
|
| base::TimeDelta::FromMilliseconds(policy_data->timestamp());
|
| expected_dm_token = policy_data->request_token();
|
| + expected_device_id = policy_data->device_id();
|
| }
|
| ValidateTimestamp(last_policy_timestamp, base::Time::NowFromSystemTime(),
|
| timestamp_option);
|
| ValidateDMToken(expected_dm_token, dm_token_option);
|
| + ValidateDeviceId(expected_device_id);
|
| }
|
|
|
| CloudPolicyValidatorBase::CloudPolicyValidatorBase(
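Review bot: `ValidateDeviceId(expected_device_id);` is called unconditionally, so every caller of ValidateAgainstCurrentPolicy now rejects a response whose device id is missing or empty, and there is no counterpart to the `dm_token_option` argument that lets callers relax the token check. If any policy type or server path legitimately omits the field (not visible in this diff), those validations will start failing with VALIDATION_WRONG_DEVICE_ID, so either confirm that every response carries it or add an option argument parallel to `dm_token_option`. The call also deserves a comment about the empty case: when `policy_data` is null or holds no device id, `expected_device_id` stays empty and CheckDeviceId then accepts any non-empty id, e.g. `// Empty expected id (no cached policy): the first non-empty device id is accepted.` The function's signature starts above this hunk, so callers and the remaining parameters are not visible here.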
|
| @@ -233,6 +242,7 @@ void CloudPolicyValidatorBase::RunChecks() {
|
| { VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType },
|
| { VALIDATE_ENTITY_ID, &CloudPolicyValidatorBase::CheckEntityId },
|
| { VALIDATE_TOKEN, &CloudPolicyValidatorBase::CheckToken },
|
| + { VALIDATE_DEVICE_ID, &CloudPolicyValidatorBase::CheckDeviceId },
|
| { VALIDATE_USERNAME, &CloudPolicyValidatorBase::CheckUsername },
|
| { VALIDATE_DOMAIN, &CloudPolicyValidatorBase::CheckDomain },
|
| { VALIDATE_TIMESTAMP, &CloudPolicyValidatorBase::CheckTimestamp },
|
| @@ -455,6 +465,24 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckToken() {
|
| return VALIDATION_OK;
|
| }
|
|
|
| +CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckDeviceId() {
|
| + // Make sure the device id is not empty and matches the expected device id.
|
| + if (!policy_data_->has_device_id() ||
|
| + policy_data_->device_id().empty()) {
|
| + LOG(ERROR) << "Empty device id encountered - expected: " << device_id_;
|
| + return VALIDATION_WRONG_DEVICE_ID;
|
| + }
|
| + // Prevent that the device id is wiped or changed.
|
| + // Only allow going from no device id to a non-empty device id.
|
| + if (!device_id_.empty() && policy_data_->device_id() != device_id_) {
|
| + LOG(ERROR) << "Invalid device id: " << policy_data_->device_id()
|
| + << " - expected: " << device_id_;
|
| + return VALIDATION_WRONG_DEVICE_ID;
|
| + }
|
| +
|
| + return VALIDATION_OK;
|
| +}
|
| +
|
| CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckUsername() {
|
| if (!policy_data_->has_username()) {
|
| LOG(ERROR) << "Policy is missing user name";
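Review bot: Both `LOG(ERROR)` statements in CheckDeviceId write the received and the expected device id into the log, which puts a stable device identifier wherever error logs are collected or shared (where these logs end up is not visible in this diff). The failure is already reported through `VALIDATION_WRONG_DEVICE_ID`, so the messages could omit the values, e.g. `LOG(ERROR) << "Device id missing or does not match the expected id";`, or emit them only at a verbose level. In the first branch, "expected: " prints an empty string whenever no id was cached, which reads like a logging bug. The second comment would be clearer as `// Reject a changed device id; an empty expected id accepts any non-empty id.`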
|
|
|