Chromium Code Reviews Chromium Code Reviews
Issue 2486813002:
Add DeviceADPolicyManager to provide AD policy. (Closed)
| Index: chrome/browser/chromeos/settings/session_manager_operation.cc |
| diff --git a/chrome/browser/chromeos/settings/session_manager_operation.cc b/chrome/browser/chromeos/settings/session_manager_operation.cc |
| index e99652f50e2c3505f6880bc5349cbf4b7b9983c6..305cdd2987b89de7fdcb4c5fb2ddd5af1fede543 100644 |
| --- a/chrome/browser/chromeos/settings/session_manager_operation.cc |
| +++ b/chrome/browser/chromeos/settings/session_manager_operation.cc |
| @@ -30,11 +30,7 @@ namespace em = enterprise_management; |
| namespace chromeos { |
| SessionManagerOperation::SessionManagerOperation(const Callback& callback) |
| - : session_manager_client_(NULL), |
| - callback_(callback), |
| - force_key_load_(false), |
| - is_loading_(false), |
| - weak_factory_(this) {} |
| + : callback_(callback), weak_factory_(this) {} |
| SessionManagerOperation::~SessionManagerOperation() {} |
| @@ -66,8 +62,12 @@ void SessionManagerOperation::StartLoading() { |
| if (is_loading_) |
| return; |
| is_loading_ = true; |
| - EnsurePublicKey(base::Bind(&SessionManagerOperation::RetrieveDeviceSettings, |
| - weak_factory_.GetWeakPtr())); |
| + if (verify_signature_) { |
| + EnsurePublicKey(base::Bind(&SessionManagerOperation::RetrieveDeviceSettings, |
| + weak_factory_.GetWeakPtr())); |
| + } else { |
| + RetrieveDeviceSettings(); |
| + } |
| } |
| void SessionManagerOperation::ReportResult( |
| @@ -158,34 +158,39 @@ void SessionManagerOperation::ValidateDeviceSettings( |
| policy::DeviceCloudPolicyValidator::Create(std::move(policy), |
| background_task_runner); |
| - // Policy auto-generated by session manager doesn't include a timestamp, so |
| - // the timestamp shouldn't be verified in that case. |
| - // |
| - // Additionally, offline devices can get their clock set backwards in time |
| - // under some hardware conditions; checking the timestamp now could likely |
| - // find a value in the future, and prevent the user from signing-in or |
| - // starting guest mode. Tlsdate will eventually fix the clock when the device |
| - // is back online, but the network configuration may come from device ONC. |
| - // |
| - // To prevent all of these issues the timestamp is just not verified when |
| - // loading the device policy from session manager. Note that the timestamp is |
| - // still verified during enrollment and when a new policy is fetched from the |
| - // server. |
| - // |
| - // The two *_NOT_REQUIRED options are necessary because both the DM token and |
| - // the device id are empty for a user logging in on an actual Chrome OS device |
| - // that is not enterprise-managed. Note for devs: The strings are not empty |
| - // when you test Chrome with target_os = "chromeos" on Linux! |
| - validator->ValidateAgainstCurrentPolicy( |
| - policy_data_.get(), |
| - policy::CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED, |
| - policy::CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED, |
| - policy::CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED); |
| + if (verify_signature_) { |
| + // Policy auto-generated by session manager doesn't include a timestamp, so |
| + // the timestamp shouldn't be verified in that case. |
| + // |
| + // Additionally, offline devices can get their clock set backwards in time |
| + // under some hardware conditions; checking the timestamp now could likely |
| + // find a value in the future, and prevent the user from signing-in or |
| + // starting guest mode. Tlsdate will eventually fix the clock when the |
| + // device is back online, but the network configuration may come from device |
| + // ONC. |
| + // |
| + // To prevent all of these issues the timestamp is just not verified when |
| + // loading the device policy from session manager. Note that the timestamp |
| + // is still verified during enrollment and when a new policy is fetched from |
| + // the server. |
| + // |
| + // The two *_NOT_REQUIRED options are necessary because both the DM token |
| + // and the device id are empty for a user logging in on an actual Chrome OS |
| + // device that is not enterprise-managed. Note for devs: The strings are not |
| + // empty when you test Chrome with target_os = "chromeos" on Linux! |
| + validator->ValidateAgainstCurrentPolicy( |
|
emaxx
2016/11/17 01:14:32
There's some contradiction between the flag variab
Thiemo Nagel
2016/11/17 14:19:07
Done.
|
| + policy_data_.get(), |
| + policy::CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED, |
| + policy::CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED, |
| + policy::CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED); |
| + |
| + // We don't check the DMServer verification key below, because the signing |
| + // key is validated when it is installed. |
| + validator->ValidateSignature(public_key_->as_string()); |
| + } |
| + |
| validator->ValidatePolicyType(policy::dm_protocol::kChromeDevicePolicyType); |
| validator->ValidatePayload(); |
| - // We don't check the DMServer verification key below, because the signing |
| - // key is validated when it is installed. |
| - validator->ValidateSignature(public_key_->as_string()); |
| validator->StartValidation( |
| base::Bind(&SessionManagerOperation::ReportValidatorStatus, |
| weak_factory_.GetWeakPtr())); |
| @@ -212,8 +217,13 @@ void SessionManagerOperation::ReportValidatorStatus( |
| ReportResult(status); |
| } |
| -LoadSettingsOperation::LoadSettingsOperation(const Callback& callback) |
| - : SessionManagerOperation(callback) {} |
| +LoadSettingsOperation::LoadSettingsOperation(bool force_key_load, |
| + bool verify_signature, |
| + const Callback& callback) |
| + : SessionManagerOperation(callback) { |
| + force_key_load_ = force_key_load; |
| + verify_signature_ = verify_signature; |
| +} |
| LoadSettingsOperation::~LoadSettingsOperation() {} |
