Expose signing key from cloud policy stores

chrome/browser/chromeos/policy/device_local_account_policy_store.cc

Index: chrome/browser/chromeos/policy/device_local_account_policy_store.cc
diff --git a/chrome/browser/chromeos/policy/device_local_account_policy_store.cc b/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
index 3cd5673c1b3d3548f17ccba78615f3d2b1282767..07723bc5d513ba0e0986987569ee03d9b2c2f85b 100644
--- a/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
+++ b/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
@@ -73,7 +73,10 @@ void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob(
 }
 
 void DeviceLocalAccountPolicyStore::UpdatePolicy(
+    const std::string& used_public_key,
     UserCloudPolicyValidator* validator) {
+  DCHECK(!used_public_key.empty());
+
   validation_status_ = validator->status();
   if (!validator->success()) {
     status_ = STATUS_VALIDATION_ERROR;
@@ -82,12 +85,13 @@ void DeviceLocalAccountPolicyStore::UpdatePolicy(
   }
 
   InstallPolicy(std::move(validator->policy_data()),
-                std::move(validator->payload()));
+                std::move(validator->payload()), used_public_key);
   status_ = STATUS_OK;
   NotifyStoreLoaded();
 }
 
 void DeviceLocalAccountPolicyStore::StoreValidatedPolicy(
+    const std::string& used_public_key,
     UserCloudPolicyValidator* validator) {
   if (!validator->success()) {
     status_ = CloudPolicyStore::STATUS_VALIDATION_ERROR;
@@ -122,7 +126,7 @@ void DeviceLocalAccountPolicyStore::HandleStoreResult(bool success) {
 void DeviceLocalAccountPolicyStore::CheckKeyAndValidate(
     bool valid_timestamp_required,
     std::unique_ptr<em::PolicyFetchResponse> policy,
-    const UserCloudPolicyValidator::CompletionCallback& callback) {
+    const ValidateCompletionCallback& callback) {
   device_settings_service_->GetOwnershipStatusAsync(
       base::Bind(&DeviceLocalAccountPolicyStore::Validate,
                  weak_factory_.GetWeakPtr(),
@@ -134,12 +138,15 @@ void DeviceLocalAccountPolicyStore::CheckKeyAndValidate(
 void DeviceLocalAccountPolicyStore::Validate(
     bool valid_timestamp_required,
     std::unique_ptr<em::PolicyFetchResponse> policy_response,
-    const UserCloudPolicyValidator::CompletionCallback& callback,
+    const ValidateCompletionCallback& callback,
     chromeos::DeviceSettingsService::OwnershipStatus ownership_status) {

[Thiemo Nagel, 2016/11/21 17:45:33]

Nit: Since you're touching this code, I'd suggest to rename to
|ownership_status_unused|.

[emaxx, 2016/11/21 20:04:58]

Done.

   DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN,
             ownership_status);
   const em::PolicyData* device_policy_data =
       device_settings_service_->policy_data();
+  // Note that the key is obtained through the device settings service instead
+  // of using |public_key_| member, as the latter one is updated only after the
+  // successful installation of the policy.
   scoped_refptr<ownership::PublicKey> key =
       device_settings_service_->GetPublicKey();
   if (!key.get() || !key->is_loaded() || !device_policy_data) {
@@ -174,7 +181,7 @@ void DeviceLocalAccountPolicyStore::Validate(
 
   validator->ValidatePayload();
   validator->ValidateSignature(key->as_string());
-  validator.release()->StartValidation(callback);
+  validator.release()->StartValidation(base::Bind(callback, key->as_string()));
 }
 
 }  // namespace policy