chrome/browser/chromeos/policy/device_local_account_policy_store.cc - Issue 2488573003: Expose signing key from cloud policy stores

Side by Side Diff: chrome/browser/chromeos/policy/device_local_account_policy_store.cc

Issue 2488573003: Expose signing key from cloud policy stores (Closed)

Patch Set: Rebase Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « chrome/browser/chromeos/policy/device_local_account_policy_store.h ('k') | chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"	5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h"

6	6

7 #include <utility>	7 #include <utility>

8	8

9 #include "base/bind.h"	9 #include "base/bind.h"

10 #include "base/callback.h"	10 #include "base/callback.h"

(...skipping 129 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
140 ownership_status);	140 ownership_status);

141 const em::PolicyData* device_policy_data =	141 const em::PolicyData* device_policy_data =

142 device_settings_service_->policy_data();	142 device_settings_service_->policy_data();

143 scoped_refptr<ownership::PublicKey> key =	143 scoped_refptr<ownership::PublicKey> key =

144 device_settings_service_->GetPublicKey();	144 device_settings_service_->GetPublicKey();

145 if (!key.get() \|\| !key->is_loaded() \|\| !device_policy_data) {	145 if (!key.get() \|\| !key->is_loaded() \|\| !device_policy_data) {

146 status_ = CloudPolicyStore::STATUS_BAD_STATE;	146 status_ = CloudPolicyStore::STATUS_BAD_STATE;

147 NotifyStoreLoaded();	147 NotifyStoreLoaded();

148 return;	148 return;

149 }	149 }

	150 public_key_ = key->as_string();
	Thiemo Nagel 2016/11/17 17:19:56 What about moving this next to the InstallPolicy() What about moving this next to the InstallPolicy() call? It would seem cleaner to me to only store the key when validation has been successful and policy is being stored as well, though that probably would require to add an accessor for the key to the validator. Wdyt? emaxx 2016/11/17 18:44:55 Sounds reasonable. Do you think it's better to hav Show quoted text On 2016/11/17 17:19:56, Thiemo Nagel (slow) wrote: > What about moving this next to the InstallPolicy() call? It would seem cleaner > to me to only store the key when validation has been successful and policy is > being stored as well, though that probably would require to add an accessor for > the key to the validator. Wdyt? Sounds reasonable. Do you think it's better to have this semantics ("update key only after successful policy load/store") in all touched classes? I had a similar concern for other classes - see my comments in user_cloud_policy_store_chromeos_unittest.cc: https://codereview.chromium.org/2488573003/diff/40001/chrome/browser/chromeos... https://codereview.chromium.org/2488573003/diff/40001/chrome/browser/chromeos... I was not sure because, for example, in case of user store it's not clear which should be trusted more: policy blob or public key.
150	151

151 std::unique_ptr<UserCloudPolicyValidator> validator(	152 std::unique_ptr<UserCloudPolicyValidator> validator(

152 UserCloudPolicyValidator::Create(std::move(policy_response),	153 UserCloudPolicyValidator::Create(std::move(policy_response),

153 background_task_runner()));	154 background_task_runner()));

154 validator->ValidateUsername(account_id_, false);	155 validator->ValidateUsername(account_id_, false);

155 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);	156 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType);

156 // The timestamp is verified when storing a new policy downloaded from the	157 // The timestamp is verified when storing a new policy downloaded from the

157 // server but not when loading a cached policy from disk.	158 // server but not when loading a cached policy from disk.

158 // See SessionManagerOperation::ValidateDeviceSettings for the rationale.	159 // See SessionManagerOperation::ValidateDeviceSettings for the rationale.

159 validator->ValidateAgainstCurrentPolicy(	160 validator->ValidateAgainstCurrentPolicy(

(...skipping 11 matching lines...) Expand all Loading...
171 // Validate the device id to match what device policy has.	172 // Validate the device id to match what device policy has.

172 validator->ValidateDeviceId(device_policy_data->device_id(),	173 validator->ValidateDeviceId(device_policy_data->device_id(),

173 CloudPolicyValidatorBase::DEVICE_ID_REQUIRED);	174 CloudPolicyValidatorBase::DEVICE_ID_REQUIRED);

174	175

175 validator->ValidatePayload();	176 validator->ValidatePayload();

176 validator->ValidateSignature(key->as_string());	177 validator->ValidateSignature(key->as_string());

177 validator.release()->StartValidation(callback);	178 validator.release()->StartValidation(callback);

178 }	179 }

179	180

180 } // namespace policy	181 } // namespace policy

OLD	NEW