Expose signing key from cloud policy stores

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
 
 #include <stddef.h>
 #include <utility>
 
 #include "base/bind.h"
@@ skipping 175 matching lines @@
     const base::FilePath& legacy_policy_cache_file)
     : UserCloudPolicyStoreBase(background_task_runner),
       cryptohome_client_(cryptohome_client),
       session_manager_client_(session_manager_client),
       account_id_(account_id),
       user_policy_key_dir_(user_policy_key_dir),
       legacy_cache_dir_(legacy_token_cache_file.DirName()),
       legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
                                                  legacy_policy_cache_file,
                                                  background_task_runner)),
-      legacy_caches_loaded_(false),
-      policy_key_loaded_(false),
       weak_factory_(this) {}
 
 UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
 
 void UserCloudPolicyStoreChromeOS::Store(
     const em::PolicyFetchResponse& policy) {
   // Cancel all pending requests.
   weak_factory_.InvalidateWeakPtrs();
   std::unique_ptr<em::PolicyFetchResponse> response(
       new em::PolicyFetchResponse(policy));
@@ skipping 42 matching lines @@
 
   std::string sanitized_username =
       cryptohome_client_->BlockingGetSanitizedUsername(
           cryptohome::Identification(account_id_));
   if (sanitized_username.empty()) {
     status_ = STATUS_LOAD_ERROR;
     NotifyStoreError();
     return;
   }
 
-  policy_key_path_ = user_policy_key_dir_.Append(
+  cached_policy_key_path_ = user_policy_key_dir_.Append(
       base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
-  LoadPolicyKey(policy_key_path_, &policy_key_);
-  policy_key_loaded_ = true;
+  LoadPolicyKey(cached_policy_key_path_, &cached_policy_key_);
+  is_cached_policy_key_loaded_ = true;
 
   std::unique_ptr<UserCloudPolicyValidator> validator =
       CreateValidatorForLoad(std::move(policy));
   validator->RunValidation();
   OnRetrievedPolicyValidated(validator.get());
 }
 
 void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator.
   std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
       std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED);
   validator->ValidateUsername(account_id_.GetUserEmail(), true);
-  if (policy_key_.empty()) {
+  if (cached_policy_key_.empty()) {
     validator->ValidateInitialKey(GetPolicyVerificationKey(),
                                   ExtractDomain(account_id_.GetUserEmail()));
   } else {
     validator->ValidateSignatureAllowingRotation(
-        policy_key_, GetPolicyVerificationKey(),
+        cached_policy_key_, GetPolicyVerificationKey(),
         ExtractDomain(account_id_.GetUserEmail()));
   }
 
   // Start validation. The Validator will delete itself once validation is
   // complete.
   validator.release()->StartValidation(
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyToStoreValidated,
                  weak_factory_.GetWeakPtr()));
 }
 
@@ skipping 35 matching lines @@
     // load; reload the key for that validation too, in case it was rotated.
     ReloadPolicyKey(base::Bind(&UserCloudPolicyStoreChromeOS::Load,
                                weak_factory_.GetWeakPtr()));
   }
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
     const std::string& policy_blob) {
   if (policy_blob.empty()) {
     // Policy fetch failed. Try legacy caches if we haven't done that already.
-    if (!legacy_caches_loaded_ && legacy_loader_.get()) {
-      legacy_caches_loaded_ = true;
+    if (!is_legacy_caches_load_performed_ && legacy_loader_.get()) {
+      is_legacy_caches_load_performed_ = true;
       legacy_loader_->Load(
           base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished,
                      weak_factory_.GetWeakPtr()));
     } else {
       // session_manager doesn't have policy. Adjust internal state and notify
       // the world about the policy update.
+      policy_map_.Clear();
       policy_.reset();
+      policy_signature_public_key_.clear();
       NotifyStoreLoaded();
     }
     return;
   }
 
   // Policy is supplied by session_manager. Disregard legacy data from now on.
   legacy_loader_.reset();
 
   std::unique_ptr<em::PolicyFetchResponse> policy(
       new em::PolicyFetchResponse());
   if (!policy->ParseFromString(policy_blob)) {
     status_ = STATUS_PARSE_ERROR;
     NotifyStoreError();
     return;
   }
 
-  // Load |policy_key_| to verify the loaded policy.
+  // Load |cached_policy_key_| to verify the loaded policy.
   EnsurePolicyKeyLoaded(
       base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
                  weak_factory_.GetWeakPtr(),
                  base::Passed(&policy)));
 }
 
 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator for the loaded policy.
   std::unique_ptr<UserCloudPolicyValidator> validator =
@@ skipping 14 matching lines @@
       validation_status_,
       UserCloudPolicyValidator::VALIDATION_STATUS_SIZE);
 
   if (!validator->success()) {
     status_ = STATUS_VALIDATION_ERROR;
     NotifyStoreError();
     return;
   }
 
   InstallPolicy(std::move(validator->policy_data()),
-                std::move(validator->payload()));
+                std::move(validator->payload()), cached_policy_key_);
   status_ = STATUS_OK;
 
   // Policy has been loaded successfully. This indicates that new-style policy
   // is working, so the legacy cache directory can be removed.
   if (!legacy_cache_dir_.empty()) {
     background_task_runner()->PostTask(
         FROM_HERE,
         base::Bind(&UserCloudPolicyStoreChromeOS::RemoveLegacyCacheDir,
                    legacy_cache_dir_));
     legacy_cache_dir_.clear();
@@ skipping 24 matching lines @@
 }
 
 void UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated(
     const std::string& dm_token,
     const std::string& device_id,
     UserCloudPolicyValidator* validator) {
   validation_status_ = validator->status();
   if (validator->success()) {
     status_ = STATUS_OK;
     InstallPolicy(std::move(validator->policy_data()),
-                  std::move(validator->payload()));
+                  std::move(validator->payload()),
+                  std::string() /* public_key */);

[Thiemo Nagel, 2016/11/22 11:57:15]

Nit: policy_signature_public_key

 
     // Clear the public key version. The public key version field would
     // otherwise indicate that we have key installed in the store when in fact
     // we haven't. This may result in policy updates failing signature
     // verification.
     policy_->clear_public_key_version();
   } else {
     status_ = STATUS_VALIDATION_ERROR;
   }
 
   InstallLegacyTokens(dm_token, device_id);
 }
 
 void UserCloudPolicyStoreChromeOS::InstallLegacyTokens(
     const std::string& dm_token,
     const std::string& device_id) {
   // Write token and device ID to |policy_|, giving them precedence over the
   // policy blob. This is to match the legacy behavior, which used token and
   // device id exclusively from the token cache file.
   if (!dm_token.empty() && !device_id.empty()) {
     if (!policy_.get())
       policy_.reset(new em::PolicyData());
     policy_->set_request_token(dm_token);
     policy_->set_device_id(device_id);
   }
+  policy_signature_public_key_.clear();
 
   // Tell the rest of the world that the policy load completed.
   NotifyStoreLoaded();
 }
 
 // static
 void UserCloudPolicyStoreChromeOS::RemoveLegacyCacheDir(
     const base::FilePath& dir) {
   if (base::PathExists(dir) && !base::DeleteFile(dir, true))
     LOG(ERROR) << "Failed to remove cache dir " << dir.value();
 }
 
 void UserCloudPolicyStoreChromeOS::ReloadPolicyKey(
     const base::Closure& callback) {
   std::string* key = new std::string();
   background_task_runner()->PostTaskAndReply(
-      FROM_HERE,
-      base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
-                 policy_key_path_,
-                 key),
+      FROM_HERE, base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
+                            cached_policy_key_path_, key),
       base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded,
-                 weak_factory_.GetWeakPtr(),
-                 base::Owned(key),
-                 callback));
+                 weak_factory_.GetWeakPtr(), base::Owned(key), callback));
 }
 
 // static
 void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const base::FilePath& path,
                                                  std::string* key) {
   if (!base::PathExists(path)) {
     // There is no policy key the first time that a user fetches policy. If
     // |path| does not exist then that is the most likely scenario, so there's
     // no need to sample a failure.
     VLOG(1) << "No key at " << path.value();
@@ skipping 13 matching lines @@
     LOG(ERROR) << "Failed to read key at " << path.value();
   }
 
   if (key->empty())
     SampleValidationFailure(VALIDATION_FAILURE_LOAD_KEY);
 }
 
 void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
     std::string* key,
     const base::Closure& callback) {
-  policy_key_ = *key;
-  policy_key_loaded_ = true;
+  cached_policy_key_ = *key;
+  is_cached_policy_key_loaded_ = true;
   callback.Run();
 }
 
 void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
     const base::Closure& callback) {
-  if (policy_key_loaded_) {
+  if (is_cached_policy_key_loaded_) {
     callback.Run();
   } else {
     // Get the hashed username that's part of the key's path, to determine
-    // |policy_key_path_|.
+    // |cached_policy_key_path_|.
     cryptohome_client_->GetSanitizedUsername(
         cryptohome::Identification(account_id_),
         base::Bind(&UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername,
                    weak_factory_.GetWeakPtr(), callback));
   }
 }
 
 void UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername(
     const base::Closure& callback,
     chromeos::DBusMethodCallStatus call_status,
     const std::string& sanitized_username) {
   // The default empty path will always yield an empty key.
   if (call_status == chromeos::DBUS_METHOD_CALL_SUCCESS &&
       !sanitized_username.empty()) {
-    policy_key_path_ = user_policy_key_dir_.Append(
+    cached_policy_key_path_ = user_policy_key_dir_.Append(
         base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
   } else {
     SampleValidationFailure(VALIDATION_FAILURE_DBUS);
   }
   ReloadPolicyKey(callback);
 }
 
 std::unique_ptr<UserCloudPolicyValidator>
 UserCloudPolicyStoreChromeOS::CreateValidatorForLoad(
     std::unique_ptr<em::PolicyFetchResponse> policy) {
   std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
       std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE);
   validator->ValidateUsername(account_id_.GetUserEmail(), true);
   // The policy loaded from session manager need not be validated using the
   // verification key since it is secure, and since there may be legacy policy
   // data that was stored without a verification key.
-  validator->ValidateSignature(policy_key_);
+  validator->ValidateSignature(cached_policy_key_);
   return validator;
 }
+
 }  // namespace policy