| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h" | 5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/callback.h" | 10 #include "base/callback.h" |
| (...skipping 55 matching lines...) | |
| 66 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy, | 66 base::Bind(&DeviceLocalAccountPolicyStore::UpdatePolicy, |
| 67 weak_factory_.GetWeakPtr())); | 67 weak_factory_.GetWeakPtr())); |
| 68 } else { | 68 } else { |
| 69 status_ = CloudPolicyStore::STATUS_PARSE_ERROR; | 69 status_ = CloudPolicyStore::STATUS_PARSE_ERROR; |
| 70 NotifyStoreError(); | 70 NotifyStoreError(); |
| 71 } | 71 } |
| 72 } | 72 } |
| 73 } | 73 } |
| 74 | 74 |
| 75 void DeviceLocalAccountPolicyStore::UpdatePolicy( | 75 void DeviceLocalAccountPolicyStore::UpdatePolicy( |
| 76 const std::string& used_public_key, | |
| 76 UserCloudPolicyValidator* validator) { | 77 UserCloudPolicyValidator* validator) { |
| 78 DCHECK(!used_public_key.empty()); | |
| 79 | |
| 77 validation_status_ = validator->status(); | 80 validation_status_ = validator->status(); |
| 78 if (!validator->success()) { | 81 if (!validator->success()) { |
| 79 status_ = STATUS_VALIDATION_ERROR; | 82 status_ = STATUS_VALIDATION_ERROR; |
| 80 NotifyStoreError(); | 83 NotifyStoreError(); |
| 81 return; | 84 return; |
| 82 } | 85 } |
| 83 | 86 |
| 84 InstallPolicy(std::move(validator->policy_data()), | 87 InstallPolicy(std::move(validator->policy_data()), |
| 85 std::move(validator->payload())); | 88 std::move(validator->payload()), used_public_key); |
| 86 status_ = STATUS_OK; | 89 status_ = STATUS_OK; |
| 87 NotifyStoreLoaded(); | 90 NotifyStoreLoaded(); |
| 88 } | 91 } |
| 89 | 92 |
| 90 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy( | 93 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy( |
| 94 const std::string& used_public_key, | |
| 91 UserCloudPolicyValidator* validator) { | 95 UserCloudPolicyValidator* validator) { |
| 92 if (!validator->success()) { | 96 if (!validator->success()) { |
| 93 status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR; | 97 status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR; |
| 94 validation_status_ = validator->status(); | 98 validation_status_ = validator->status(); |
| 95 NotifyStoreError(); | 99 NotifyStoreError(); |
| 96 return; | 100 return; |
| 97 } | 101 } |
| 98 | 102 |
| 99 std::string policy_blob; | 103 std::string policy_blob; |
| 100 if (!validator->policy()->SerializeToString(&policy_blob)) { | 104 if (!validator->policy()->SerializeToString(&policy_blob)) { |
| (...skipping 14 matching lines...) | |
| 115 status_ = CloudPolicyStore::STATUS_STORE_ERROR; | 119 status_ = CloudPolicyStore::STATUS_STORE_ERROR; |
| 116 NotifyStoreError(); | 120 NotifyStoreError(); |
| 117 } else { | 121 } else { |
| 118 Load(); | 122 Load(); |
| 119 } | 123 } |
| 120 } | 124 } |
| 121 | 125 |
| 122 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate( | 126 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate( |
| 123 bool valid_timestamp_required, | 127 bool valid_timestamp_required, |
| 124 std::unique_ptr<em::PolicyFetchResponse> policy, | 128 std::unique_ptr<em::PolicyFetchResponse> policy, |
| 125 const UserCloudPolicyValidator::CompletionCallback& callback) { | 129 const ValidateCompletionCallback& callback) { |
| 126 device_settings_service_->GetOwnershipStatusAsync( | 130 device_settings_service_->GetOwnershipStatusAsync( |
| 127 base::Bind(&DeviceLocalAccountPolicyStore::Validate, | 131 base::Bind(&DeviceLocalAccountPolicyStore::Validate, |
| 128 weak_factory_.GetWeakPtr(), | 132 weak_factory_.GetWeakPtr(), |
| 129 valid_timestamp_required, | 133 valid_timestamp_required, |
| 130 base::Passed(&policy), | 134 base::Passed(&policy), |
| 131 callback)); | 135 callback)); |
| 132 } | 136 } |
| 133 | 137 |
| 134 void DeviceLocalAccountPolicyStore::Validate( | 138 void DeviceLocalAccountPolicyStore::Validate( |
| 135 bool valid_timestamp_required, | 139 bool valid_timestamp_required, |
| 136 std::unique_ptr<em::PolicyFetchResponse> policy_response, | 140 std::unique_ptr<em::PolicyFetchResponse> policy_response, |
| 137 const UserCloudPolicyValidator::CompletionCallback& callback, | 141 const ValidateCompletionCallback& callback, |
| 138 chromeos::DeviceSettingsService::OwnershipStatus ownership_status) { | 142 chromeos::DeviceSettingsService::OwnershipStatus ownership_status) { |
|
Thiemo Nagel
2016/11/21 17:45:33
Nit: Since you're touching this code, I'd suggest
emaxx
2016/11/21 20:04:58
Done.
| |
| 139 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN, | 143 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN, |
| 140 ownership_status); | 144 ownership_status); |
| 141 const em::PolicyData* device_policy_data = | 145 const em::PolicyData* device_policy_data = |
| 142 device_settings_service_->policy_data(); | 146 device_settings_service_->policy_data(); |
| 147 // Note that the key is obtained through the device settings service instead | |
| 148 // of using |public_key_| member, as the latter one is updated only after the | |
| 149 // successful installation of the policy. | |
| 143 scoped_refptr<ownership::PublicKey> key = | 150 scoped_refptr<ownership::PublicKey> key = |
| 144 device_settings_service_->GetPublicKey(); | 151 device_settings_service_->GetPublicKey(); |
| 145 if (!key.get() || !key->is_loaded() || !device_policy_data) { | 152 if (!key.get() || !key->is_loaded() || !device_policy_data) { |
| 146 status_ = CloudPolicyStore::STATUS_BAD_STATE; | 153 status_ = CloudPolicyStore::STATUS_BAD_STATE; |
| 147 NotifyStoreLoaded(); | 154 NotifyStoreLoaded(); |
| 148 return; | 155 return; |
| 149 } | 156 } |
| 150 | 157 |
| 151 std::unique_ptr<UserCloudPolicyValidator> validator( | 158 std::unique_ptr<UserCloudPolicyValidator> validator( |
| 152 UserCloudPolicyValidator::Create(std::move(policy_response), | 159 UserCloudPolicyValidator::Create(std::move(policy_response), |
| (...skipping 14 matching lines...) | |
| 167 // Validate the DMToken to match what device policy has. | 174 // Validate the DMToken to match what device policy has. |
| 168 validator->ValidateDMToken(device_policy_data->request_token(), | 175 validator->ValidateDMToken(device_policy_data->request_token(), |
| 169 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED); | 176 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED); |
| 170 | 177 |
| 171 // Validate the device id to match what device policy has. | 178 // Validate the device id to match what device policy has. |
| 172 validator->ValidateDeviceId(device_policy_data->device_id(), | 179 validator->ValidateDeviceId(device_policy_data->device_id(), |
| 173 CloudPolicyValidatorBase::DEVICE_ID_REQUIRED); | 180 CloudPolicyValidatorBase::DEVICE_ID_REQUIRED); |
| 174 | 181 |
| 175 validator->ValidatePayload(); | 182 validator->ValidatePayload(); |
| 176 validator->ValidateSignature(key->as_string()); | 183 validator->ValidateSignature(key->as_string()); |
| 177 validator.release()->StartValidation(callback); | 184 validator.release()->StartValidation(base::Bind(callback, key->as_string())); |
| 178 } | 185 } |
| 179 | 186 |
| 180 } // namespace policy | 187 } // namespace policy |
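Review bot: `used_public_key` is asserted non-empty in UpdatePolicy (new line 78), but StoreValidatedPolicy takes the same parameter with no matching assertion in the lines shown (new lines 93–104; new lines 105–118 are collapsed, so it may be checked or used there). The DCHECK is normally compiled out of release builds, so the real guarantee appears to be the `key->is_loaded()` test in Validate (new line 152). A comment at the DCHECK such as `// Validate() only binds a key that passed is_loaded().` would record that, provided is_loaded() does imply a non-empty key. In Validate, `key->as_string()` is called twice (new lines 183–184). Taking it once, `const std::string public_key = key->as_string();`, and passing `public_key` to both `ValidateSignature` and `base::Bind(callback, public_key)` makes it evident that the key handed to InstallPolicy is the same value the signature was verified against.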