| Index: chrome/browser/chromeos/settings/session_manager_operation.cc
|
| diff --git a/chrome/browser/chromeos/settings/session_manager_operation.cc b/chrome/browser/chromeos/settings/session_manager_operation.cc
|
| index e99652f50e2c3505f6880bc5349cbf4b7b9983c6..bfe8316c87e30cb90f995b6934152ddfec25c6e7 100644
|
| --- a/chrome/browser/chromeos/settings/session_manager_operation.cc
|
| +++ b/chrome/browser/chromeos/settings/session_manager_operation.cc
|
| @@ -30,11 +30,7 @@ namespace em = enterprise_management;
|
| namespace chromeos {
|
|
|
| SessionManagerOperation::SessionManagerOperation(const Callback& callback)
|
| - : session_manager_client_(NULL),
|
| - callback_(callback),
|
| - force_key_load_(false),
|
| - is_loading_(false),
|
| - weak_factory_(this) {}
|
| + : callback_(callback), weak_factory_(this) {}
|
|
|
| SessionManagerOperation::~SessionManagerOperation() {}
|
|
|
| @@ -66,8 +62,12 @@ void SessionManagerOperation::StartLoading() {
|
| if (is_loading_)
|
| return;
|
| is_loading_ = true;
|
| - EnsurePublicKey(base::Bind(&SessionManagerOperation::RetrieveDeviceSettings,
|
| - weak_factory_.GetWeakPtr()));
|
| + if (cloud_validations_) {
|
| + EnsurePublicKey(base::Bind(&SessionManagerOperation::RetrieveDeviceSettings,
|
| + weak_factory_.GetWeakPtr()));
|
| + } else {
|
| + RetrieveDeviceSettings();
|
| + }
|
| }
|
|
|
| void SessionManagerOperation::ReportResult(
|
| @@ -158,34 +158,39 @@ void SessionManagerOperation::ValidateDeviceSettings(
|
| policy::DeviceCloudPolicyValidator::Create(std::move(policy),
|
| background_task_runner);
|
|
|
| - // Policy auto-generated by session manager doesn't include a timestamp, so
|
| - // the timestamp shouldn't be verified in that case.
|
| - //
|
| - // Additionally, offline devices can get their clock set backwards in time
|
| - // under some hardware conditions; checking the timestamp now could likely
|
| - // find a value in the future, and prevent the user from signing-in or
|
| - // starting guest mode. Tlsdate will eventually fix the clock when the device
|
| - // is back online, but the network configuration may come from device ONC.
|
| - //
|
| - // To prevent all of these issues the timestamp is just not verified when
|
| - // loading the device policy from session manager. Note that the timestamp is
|
| - // still verified during enrollment and when a new policy is fetched from the
|
| - // server.
|
| - //
|
| - // The two *_NOT_REQUIRED options are necessary because both the DM token and
|
| - // the device id are empty for a user logging in on an actual Chrome OS device
|
| - // that is not enterprise-managed. Note for devs: The strings are not empty
|
| - // when you test Chrome with target_os = "chromeos" on Linux!
|
| - validator->ValidateAgainstCurrentPolicy(
|
| - policy_data_.get(),
|
| - policy::CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED,
|
| - policy::CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED,
|
| - policy::CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED);
|
| + if (cloud_validations_) {
|
| + // Policy auto-generated by session manager doesn't include a timestamp, so
|
| + // the timestamp shouldn't be verified in that case.
|
| + //
|
| + // Additionally, offline devices can get their clock set backwards in time
|
| + // under some hardware conditions; checking the timestamp now could likely
|
| + // find a value in the future, and prevent the user from signing-in or
|
| + // starting guest mode. Tlsdate will eventually fix the clock when the
|
| + // device is back online, but the network configuration may come from device
|
| + // ONC.
|
| + //
|
| + // To prevent all of these issues the timestamp is just not verified when
|
| + // loading the device policy from session manager. Note that the timestamp
|
| + // is still verified during enrollment and when a new policy is fetched from
|
| + // the server.
|
| + //
|
| + // The two *_NOT_REQUIRED options are necessary because both the DM token
|
| + // and the device id are empty for a user logging in on an actual Chrome OS
|
| + // device that is not enterprise-managed. Note for devs: The strings are not
|
| + // empty when you test Chrome with target_os = "chromeos" on Linux!
|
| + validator->ValidateAgainstCurrentPolicy(
|
| + policy_data_.get(),
|
| + policy::CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED,
|
| + policy::CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED,
|
| + policy::CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED);
|
| +
|
| + // We don't check the DMServer verification key below, because the signing
|
| + // key is validated when it is installed.
|
| + validator->ValidateSignature(public_key_->as_string());
|
| + }
|
| +
|
| validator->ValidatePolicyType(policy::dm_protocol::kChromeDevicePolicyType);
|
| validator->ValidatePayload();
|
| - // We don't check the DMServer verification key below, because the signing
|
| - // key is validated when it is installed.
|
| - validator->ValidateSignature(public_key_->as_string());
|
| validator->StartValidation(
|
| base::Bind(&SessionManagerOperation::ReportValidatorStatus,
|
| weak_factory_.GetWeakPtr()));
|
| @@ -212,8 +217,13 @@ void SessionManagerOperation::ReportValidatorStatus(
|
| ReportResult(status);
|
| }
|
|
|
| -LoadSettingsOperation::LoadSettingsOperation(const Callback& callback)
|
| - : SessionManagerOperation(callback) {}
|
| +LoadSettingsOperation::LoadSettingsOperation(bool force_key_load,
|
| + bool cloud_validations,
|
| + const Callback& callback)
|
| + : SessionManagerOperation(callback) {
|
| + force_key_load_ = force_key_load;
|
| + cloud_validations_ = cloud_validations;
|
| +}
|
|
|
| LoadSettingsOperation::~LoadSettingsOperation() {}
|
|
|
|
|
Chromium Code Reviews
Issue 2486813002:
Add DeviceADPolicyManager to provide AD policy. (Closed)
