Add DeviceADPolicyManager to provide AD policy.

chrome/browser/chromeos/settings/session_manager_operation.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/settings/session_manager_operation.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 12 matching lines @@
 #include "crypto/signature_creator.h"
 
 using ownership::OwnerKeyUtil;
 using ownership::PublicKey;
 
 namespace em = enterprise_management;
 
 namespace chromeos {
 
 SessionManagerOperation::SessionManagerOperation(const Callback& callback)
-    : session_manager_client_(NULL),
-      callback_(callback),
-      force_key_load_(false),
-      is_loading_(false),
-      weak_factory_(this) {}
+    : callback_(callback), weak_factory_(this) {}
 
 SessionManagerOperation::~SessionManagerOperation() {}
 
 void SessionManagerOperation::Start(
     SessionManagerClient* session_manager_client,
     scoped_refptr<OwnerKeyUtil> owner_key_util,
     scoped_refptr<PublicKey> public_key) {
   session_manager_client_ = session_manager_client;
   owner_key_util_ = owner_key_util;
   public_key_ = public_key;
@@ skipping 11 matching lines @@
   weak_factory_.InvalidateWeakPtrs();
   // Mark as not loading to start loading again.
   is_loading_ = false;
   StartLoading();
 }
 
 void SessionManagerOperation::StartLoading() {
   if (is_loading_)
     return;
   is_loading_ = true;
-  EnsurePublicKey(base::Bind(&SessionManagerOperation::RetrieveDeviceSettings,
-                             weak_factory_.GetWeakPtr()));
+  if (verify_signature_) {
+    EnsurePublicKey(base::Bind(&SessionManagerOperation::RetrieveDeviceSettings,
+                               weak_factory_.GetWeakPtr()));
+  } else {
+    RetrieveDeviceSettings();
+  }
 }
 
 void SessionManagerOperation::ReportResult(
     DeviceSettingsService::Status status) {
   callback_.Run(this, status);
 }
 
 void SessionManagerOperation::EnsurePublicKey(const base::Closure& callback) {
   if (force_key_load_ || !public_key_.get() || !public_key_->is_loaded()) {
     scoped_refptr<base::TaskRunner> task_runner =
@@ skipping 70 matching lines @@
       content::BrowserThread::GetBlockingPool();
   scoped_refptr<base::SequencedTaskRunner> background_task_runner =
       pool->GetSequencedTaskRunnerWithShutdownBehavior(
           pool->GetSequenceToken(),
           base::SequencedWorkerPool::SKIP_ON_SHUTDOWN);
 
   policy::DeviceCloudPolicyValidator* validator =
       policy::DeviceCloudPolicyValidator::Create(std::move(policy),
                                                  background_task_runner);
 
-  // Policy auto-generated by session manager doesn't include a timestamp, so
-  // the timestamp shouldn't be verified in that case.
-  //
-  // Additionally, offline devices can get their clock set backwards in time
-  // under some hardware conditions; checking the timestamp now could likely
-  // find a value in the future, and prevent the user from signing-in or
-  // starting guest mode. Tlsdate will eventually fix the clock when the device
-  // is back online, but the network configuration may come from device ONC.
-  //
-  // To prevent all of these issues the timestamp is just not verified when
-  // loading the device policy from session manager. Note that the timestamp is
-  // still verified during enrollment and when a new policy is fetched from the
-  // server.
-  //
-  // The two *_NOT_REQUIRED options are necessary because both the DM token and
-  // the device id are empty for a user logging in on an actual Chrome OS device
-  // that is not enterprise-managed. Note for devs: The strings are not empty
-  // when you test Chrome with target_os = "chromeos" on Linux!
-  validator->ValidateAgainstCurrentPolicy(
-      policy_data_.get(),
-      policy::CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED,
-      policy::CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED,
-      policy::CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED);
+  if (verify_signature_) {
+    // Policy auto-generated by session manager doesn't include a timestamp, so
+    // the timestamp shouldn't be verified in that case.
+    //
+    // Additionally, offline devices can get their clock set backwards in time
+    // under some hardware conditions; checking the timestamp now could likely
+    // find a value in the future, and prevent the user from signing-in or
+    // starting guest mode. Tlsdate will eventually fix the clock when the
+    // device is back online, but the network configuration may come from device
+    // ONC.
+    //
+    // To prevent all of these issues the timestamp is just not verified when
+    // loading the device policy from session manager. Note that the timestamp
+    // is still verified during enrollment and when a new policy is fetched from
+    // the server.
+    //
+    // The two *_NOT_REQUIRED options are necessary because both the DM token
+    // and the device id are empty for a user logging in on an actual Chrome OS
+    // device that is not enterprise-managed. Note for devs: The strings are not
+    // empty when you test Chrome with target_os = "chromeos" on Linux!
+    validator->ValidateAgainstCurrentPolicy(

[emaxx, 2016/11/17 01:14:32]

There's some contradiction between the flag variable name (verify_signature_)
and what is actually done here. It seems that the flag triggers the validation
of signature, DM token, device ID.
Maybe something like "verify_credentials_and_signature_" will be more precise?
(Though I agree that's a lengthy name. Maybe you'll have a better idea.)

[Thiemo Nagel, 2016/11/17 14:19:07]

Done.

+        policy_data_.get(),
+        policy::CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED,
+        policy::CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED,
+        policy::CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED);
+
+    // We don't check the DMServer verification key below, because the signing
+    // key is validated when it is installed.
+    validator->ValidateSignature(public_key_->as_string());
+  }
+
   validator->ValidatePolicyType(policy::dm_protocol::kChromeDevicePolicyType);
   validator->ValidatePayload();
-  // We don't check the DMServer verification key below, because the signing
-  // key is validated when it is installed.
-  validator->ValidateSignature(public_key_->as_string());
   validator->StartValidation(
       base::Bind(&SessionManagerOperation::ReportValidatorStatus,
                  weak_factory_.GetWeakPtr()));
 }
 
 void SessionManagerOperation::ReportValidatorStatus(
     policy::DeviceCloudPolicyValidator* validator) {
   DeviceSettingsService::Status status =
       DeviceSettingsService::STORE_VALIDATION_ERROR;
   if (validator->success()) {
     status = DeviceSettingsService::STORE_SUCCESS;
     policy_data_ = std::move(validator->policy_data());
     device_settings_ = std::move(validator->payload());
   } else {
     LOG(ERROR) << "Policy validation failed: " << validator->status();
 
     // Those are mostly caused by RTC loss and are recoverable.
     if (validator->status() ==
         policy::DeviceCloudPolicyValidator::VALIDATION_BAD_TIMESTAMP) {
       status = DeviceSettingsService::STORE_TEMP_VALIDATION_ERROR;
     }
   }
 
   ReportResult(status);
 }
 
-LoadSettingsOperation::LoadSettingsOperation(const Callback& callback)
-    : SessionManagerOperation(callback) {}
+LoadSettingsOperation::LoadSettingsOperation(bool force_key_load,
+                                             bool verify_signature,
+                                             const Callback& callback)
+    : SessionManagerOperation(callback) {
+  force_key_load_ = force_key_load;
+  verify_signature_ = verify_signature;
+}
 
 LoadSettingsOperation::~LoadSettingsOperation() {}
 
 void LoadSettingsOperation::Run() {
   StartLoading();
 }
 
 StoreSettingsOperation::StoreSettingsOperation(
     const Callback& callback,
     std::unique_ptr<em::PolicyFetchResponse> policy)
@@ skipping 11 matching lines @@
 }
 
 void StoreSettingsOperation::HandleStoreResult(bool success) {
   if (!success)
     ReportResult(DeviceSettingsService::STORE_OPERATION_FAILED);
   else
     StartLoading();
 }
 
 }  // namespace chromeos