Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(4948)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc

Issue 2488573003: Expose signing key from cloud policy stores (Closed)
Patch Set: Some renamings according to feedback Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h ('K') | « chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h ('k') | chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
index 1f98da2ba9a6f1990ba8cc5be4fcaf014ef7b900..ad74f3247dfbe180c2759c11685330e3c0d9185c 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
@@ -193,8 +193,6 @@ UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS(
legacy_loader_(new LegacyPolicyCacheLoader(legacy_token_cache_file,
legacy_policy_cache_file,
background_task_runner)),
- legacy_caches_loaded_(false),
- policy_key_loaded_(false),
weak_factory_(this) {}
UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {}
@@ -257,10 +255,10 @@ void UserCloudPolicyStoreChromeOS::LoadImmediately() {
return;
}
- policy_key_path_ = user_policy_key_dir_.Append(
+ cached_policy_key_path_ = user_policy_key_dir_.Append(
base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
- LoadPolicyKey(policy_key_path_, &policy_key_);
- policy_key_loaded_ = true;
+ LoadPolicyKey(cached_policy_key_path_, &cached_policy_key_);
+ is_cached_policy_key_loaded_ = true;
std::unique_ptr<UserCloudPolicyValidator> validator =
CreateValidatorForLoad(std::move(policy));
@@ -274,12 +272,12 @@ void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED);
validator->ValidateUsername(account_id_.GetUserEmail(), true);
- if (policy_key_.empty()) {
+ if (cached_policy_key_.empty()) {
validator->ValidateInitialKey(GetPolicyVerificationKey(),
ExtractDomain(account_id_.GetUserEmail()));
} else {
validator->ValidateSignatureAllowingRotation(
- policy_key_, GetPolicyVerificationKey(),
+ cached_policy_key_, GetPolicyVerificationKey(),
ExtractDomain(account_id_.GetUserEmail()));
}
@@ -335,15 +333,17 @@ void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
const std::string& policy_blob) {
if (policy_blob.empty()) {
// Policy fetch failed. Try legacy caches if we haven't done that already.
- if (!legacy_caches_loaded_ && legacy_loader_.get()) {
- legacy_caches_loaded_ = true;
+ if (!is_legacy_caches_load_performed_ && legacy_loader_.get()) {
+ is_legacy_caches_load_performed_ = true;
legacy_loader_->Load(
base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished,
weak_factory_.GetWeakPtr()));
} else {
// session_manager doesn't have policy. Adjust internal state and notify
// the world about the policy update.
+ policy_map_.Clear();
policy_.reset();
+ policy_signature_public_key_.clear();
NotifyStoreLoaded();
}
return;
@@ -360,7 +360,7 @@ void UserCloudPolicyStoreChromeOS::OnPolicyRetrieved(
return;
}
- // Load |policy_key_| to verify the loaded policy.
+ // Load |cached_policy_key_| to verify the loaded policy.
EnsurePolicyKeyLoaded(
base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy,
weak_factory_.GetWeakPtr(),
@@ -395,7 +395,7 @@ void UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated(
}
InstallPolicy(std::move(validator->policy_data()),
- std::move(validator->payload()));
+ std::move(validator->payload()), cached_policy_key_);
status_ = STATUS_OK;
// Policy has been loaded successfully. This indicates that new-style policy
@@ -440,7 +440,8 @@ void UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated(
if (validator->success()) {
status_ = STATUS_OK;
InstallPolicy(std::move(validator->policy_data()),
- std::move(validator->payload()));
+ std::move(validator->payload()),
+ std::string() /* public_key */);
Thiemo Nagel 2016/11/22 11:57:15 Nit: policy_signature_public_key
// Clear the public key version. The public key version field would
// otherwise indicate that we have key installed in the store when in fact
@@ -466,6 +467,7 @@ void UserCloudPolicyStoreChromeOS::InstallLegacyTokens(
policy_->set_request_token(dm_token);
policy_->set_device_id(device_id);
}
+ policy_signature_public_key_.clear();
// Tell the rest of the world that the policy load completed.
NotifyStoreLoaded();
@@ -482,14 +484,10 @@ void UserCloudPolicyStoreChromeOS::ReloadPolicyKey(
const base::Closure& callback) {
std::string* key = new std::string();
background_task_runner()->PostTaskAndReply(
- FROM_HERE,
- base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
- policy_key_path_,
- key),
+ FROM_HERE, base::Bind(&UserCloudPolicyStoreChromeOS::LoadPolicyKey,
+ cached_policy_key_path_, key),
base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded,
- weak_factory_.GetWeakPtr(),
- base::Owned(key),
- callback));
+ weak_factory_.GetWeakPtr(), base::Owned(key), callback));
}
// static
@@ -523,18 +521,18 @@ void UserCloudPolicyStoreChromeOS::LoadPolicyKey(const base::FilePath& path,
void UserCloudPolicyStoreChromeOS::OnPolicyKeyReloaded(
std::string* key,
const base::Closure& callback) {
- policy_key_ = *key;
- policy_key_loaded_ = true;
+ cached_policy_key_ = *key;
+ is_cached_policy_key_loaded_ = true;
callback.Run();
}
void UserCloudPolicyStoreChromeOS::EnsurePolicyKeyLoaded(
const base::Closure& callback) {
- if (policy_key_loaded_) {
+ if (is_cached_policy_key_loaded_) {
callback.Run();
} else {
// Get the hashed username that's part of the key's path, to determine
- // |policy_key_path_|.
+ // |cached_policy_key_path_|.
cryptohome_client_->GetSanitizedUsername(
cryptohome::Identification(account_id_),
base::Bind(&UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername,
@@ -549,7 +547,7 @@ void UserCloudPolicyStoreChromeOS::OnGetSanitizedUsername(
// The default empty path will always yield an empty key.
if (call_status == chromeos::DBUS_METHOD_CALL_SUCCESS &&
!sanitized_username.empty()) {
- policy_key_path_ = user_policy_key_dir_.Append(
+ cached_policy_key_path_ = user_policy_key_dir_.Append(
base::StringPrintf(kPolicyKeyFile, sanitized_username.c_str()));
} else {
SampleValidationFailure(VALIDATION_FAILURE_DBUS);
@@ -566,7 +564,8 @@ UserCloudPolicyStoreChromeOS::CreateValidatorForLoad(
// The policy loaded from session manager need not be validated using the
// verification key since it is secure, and since there may be legacy policy
// data that was stored without a verification key.
- validator->ValidateSignature(policy_key_);
+ validator->ValidateSignature(cached_policy_key_);
return validator;
}
+
} // namespace policy
« chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h ('K') | « chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h ('k') | chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698