| Index: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| index 1f98da2ba9a6f1990ba8cc5be4fcaf014ef7b900..02ced8bf27cdf3eb74221280189fa2f8f9300b32 100644
|
| --- a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| +++ b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
|
| @@ -193,8 +193,7 @@ UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS(
|
| legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
|
| legacy_policy_cache_file,
|
| background_task_runner)),
|
| - legacy_caches_loaded_(false),
|
| - policy_key_loaded_(false),
|
| + owning_domain_(ExtractDomain(account_id_.GetUserEmail())),
|
| weak_factory_(this) {}
|
|
|
| UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
|
| @@ -259,8 +258,8 @@ void UserCloudPolicyStoreChromeOS::LoadImmediately() {
|
|
|
| policy_key_path_ = user_policy_key_dir_.Append(
|
| base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
|
| - LoadPolicyKey(policy_key_path_, &policy_key_);
|
| - policy_key_loaded_ = true;
|
| + LoadPolicyKey(policy_key_path_, &loaded_policy_key_);
|
| + is_policy_key_loaded_ = true;
|
|
|
| std::unique_ptr<UserCloudPolicyValidator> validator =
|
| CreateValidatorForLoad(std::move(policy));
|
| @@ -274,12 +273,11 @@ void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
|
| std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
|
| std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED);
|
| validator->ValidateUsername(account_id_.GetUserEmail(), true);
|
| - if (policy_key_.empty()) {
|
| - validator->ValidateInitialKey(GetPolicyVerificationKey(),
|
| - ExtractDomain(account_id_.GetUserEmail()));
|
| + if (loaded_policy_key_.empty()) {
|
| + validator->ValidateInitialKey(GetPolicyVerificationKey(), owning_domain_);
|
| } else {
|
| validator->ValidateSignatureAllowingRotation(
|
| - policy_key_, GetPolicyVerificationKey(),
|
| + loaded_policy_key_, GetPolicyVerificationKey(),
|
| ExtractDomain(account_id_.GetUserEmail()));
|
| }
|
|
|
| @@ -335,15 +333,17 @@ void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
|
| const std::string& policy_blob) {
|
| if (policy_blob.empty()) {
|
| // Policy fetch failed. Try legacy caches if we haven't done that already.
|
| - if (!legacy_caches_loaded_ && legacy_loader_.get()) {
|
| - legacy_caches_loaded_ = true;
|
| + if (!is_legacy_caches_load_performed_ && legacy_loader_.get()) {
|
| + is_legacy_caches_load_performed_ = true;
|
| legacy_loader_->Load(
|
| base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished,
|
| weak_factory_.GetWeakPtr()));
|
| } else {
|
| // session_manager doesn't have policy. Adjust internal state and notify
|
| // the world about the policy update.
|
| + policy_map_.Clear();
|
| policy_.reset();
|
| + public_key_.clear();
|
| NotifyStoreLoaded();
|
| }
|
| return;
|
| @@ -360,7 +360,7 @@ void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
|
| return;
|
| }
|
|
|
| - // Load |policy_key_| to verify the loaded policy.
|
| + // Load |loaded_policy_key_| to verify the loaded policy.
|
| EnsurePolicyKeyLoaded(
|
| base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
|
| weak_factory_.GetWeakPtr(),
|
| @@ -395,7 +395,7 @@ void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated(
|
| }
|
|
|
| InstallPolicy(std::move(validator->policy_data()),
|
| - std::move(validator->payload()));
|
| + std::move(validator->payload()), loaded_policy_key_);
|
| status_ = STATUS_OK;
|
|
|
| // Policy has been loaded successfully. This indicates that new-style policy
|
| @@ -440,7 +440,8 @@ void UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated(
|
| if (validator->success()) {
|
| status_ = STATUS_OK;
|
| InstallPolicy(std::move(validator->policy_data()),
|
| - std::move(validator->payload()));
|
| + std::move(validator->payload()),
|
| + std::string() /* public_key */);
|
|
|
| // Clear the public key version. The public key version field would
|
| // otherwise indicate that we have key installed in the store when in fact
|
| @@ -466,6 +467,7 @@ void UserCloudPolicyStoreChromeOS::InstallLegacyTokens(
|
| policy_->set_request_token(dm_token);
|
| policy_->set_device_id(device_id);
|
| }
|
| + public_key_.clear();
|
|
|
| // Tell the rest of the world that the policy load completed.
|
| NotifyStoreLoaded();
|
| @@ -523,14 +525,14 @@ void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const base::FilePath& path,
|
| void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
|
| std::string* key,
|
| const base::Closure& callback) {
|
| - policy_key_ = *key;
|
| - policy_key_loaded_ = true;
|
| + loaded_policy_key_ = *key;
|
| + is_policy_key_loaded_ = true;
|
| callback.Run();
|
| }
|
|
|
| void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
|
| const base::Closure& callback) {
|
| - if (policy_key_loaded_) {
|
| + if (is_policy_key_loaded_) {
|
| callback.Run();
|
| } else {
|
| // Get the hashed username that's part of the key's path, to determine
|
| @@ -566,7 +568,8 @@ UserCloudPolicyStoreChromeOS::CreateValidatorForLoad(
|
| // The policy loaded from session manager need not be validated using the
|
| // verification key since it is secure, and since there may be legacy policy
|
| // data that was stored without a verification key.
|
| - validator->ValidateSignature(policy_key_);
|
| + validator->ValidateSignature(loaded_policy_key_);
|
| return validator;
|
| }
|
| +
|
| } // namespace policy
|
|
|
Chromium Code Reviews
Issue 2488573003:
Expose signing key from cloud policy stores (Closed)
