Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(200)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: components/policy/core/common/cloud/user_cloud_policy_store.cc

Issue 2488573003: Expose signing key from cloud policy stores (Closed)
Patch Set: Fix tests Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« components/policy/core/common/cloud/cloud_policy_store.h ('K') | « components/policy/core/common/cloud/user_cloud_policy_store.h ('k') | components/policy/core/common/cloud/user_cloud_policy_store_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: components/policy/core/common/cloud/user_cloud_policy_store.cc
diff --git a/components/policy/core/common/cloud/user_cloud_policy_store.cc b/components/policy/core/common/cloud/user_cloud_policy_store.cc
index 615d9a69def649b863e35fb0765eba58e2943afc..466962bbd9213179b28f05e5a3da3ecf190e95b4 100644
--- a/components/policy/core/common/cloud/user_cloud_policy_store.cc
+++ b/components/policy/core/common/cloud/user_cloud_policy_store.cc
@@ -196,6 +196,12 @@ std::unique_ptr<UserCloudPolicyStore> UserCloudPolicyStore::Create(
void UserCloudPolicyStore::SetSigninUsername(const std::string& username) {
signin_username_ = username;
+
+ owning_domain_.clear();
+ if (!signin_username_.empty()) {
+ owning_domain_ = gaia::ExtractDomainName(
+ gaia::CanonicalizeEmail(gaia::SanitizeEmail(signin_username_)));
+ }
}
void UserCloudPolicyStore::LoadImmediately() {
@@ -217,7 +223,7 @@ void UserCloudPolicyStore::Clear() {
base::Bind(base::IgnoreResult(&base::DeleteFile), key_path_, false));
policy_.reset();
policy_map_.Clear();
- policy_key_.clear();
+ public_key_.clear();
NotifyStoreLoaded();
}
@@ -312,10 +318,10 @@ void UserCloudPolicyStore::InstallLoadedPolicyAfterValidation(
// policy fetch will force regeneration of the keys.
if (doing_key_rotation) {
validator->policy_data()->clear_public_key_version();
- policy_key_.clear();
+ public_key_.clear();
} else {
// Policy validation succeeded, so we know the signing key is good.
- policy_key_ = signing_key;
+ public_key_ = signing_key;
}
InstallPolicy(std::move(validator->policy_data()),
@@ -346,22 +352,12 @@ void UserCloudPolicyStore::Validate(
std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator(
std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE);
- // Extract the owning domain from the signed-in user (if any is set yet).
- // If there's no owning domain, then the code just ensures that the policy
- // is self-consistent (that the keys are signed with the same domain that the
- // username field in the policy contains). UserPolicySigninServerBase will
- // verify that the username matches the signed in user once profile
- // initialization is complete (http://crbug.com/342327).
- std::string owning_domain;
-
// Validate the username if the user is signed in. The signin_username_ can
// be empty during initial policy load because this happens before the
// Prefs subsystem is initialized.
if (!signin_username_.empty()) {
DVLOG(1) << "Validating username: " << signin_username_;
validator->ValidateUsername(signin_username_, true);
- owning_domain = gaia::ExtractDomainName(
- gaia::CanonicalizeEmail(gaia::SanitizeEmail(signin_username_)));
}
// There are 4 cases:
@@ -379,42 +375,47 @@ void UserCloudPolicyStore::Validate(
//
// 4) Validation after loading new policy from the server with a cached key
// Action: Validate as normal, and allow key rotation.
+ //
+ // Note that the owning domain, used in the validations below, is extracted
+ // from the signed-in user (if any is set yet).
+ // If there's no owning domain, then the code just ensures that the policy
+ // is self-consistent (that the keys are signed with the same domain that the
+ // username field in the policy contains). UserPolicySigninServerBase will
+ // verify that the username matches the signed in user once profile
+ // initialization is complete (http://crbug.com/342327).
if (cached_key) {
// Case #1/#2 - loading from cache. Validate the cached key (if no key,
// then the validation will fail), then do normal policy data signature
// validation using the cached key.
// Loading from cache should not change the cached keys.
- DCHECK(policy_key_.empty() || policy_key_ == cached_key->signing_key());
+ DCHECK(public_key_.empty() || public_key_ == cached_key->signing_key());
DLOG_IF(WARNING, !cached_key->has_signing_key()) <<
"Unsigned policy blob detected";
validator->ValidateCachedKey(cached_key->signing_key(),
cached_key->signing_key_signature(),
- verification_key,
- owning_domain);
+ verification_key, owning_domain_);
// Loading from cache, so don't allow key rotation.
const bool no_rotation = false;
- validator->ValidateSignature(cached_key->signing_key(),
- verification_key,
- owning_domain,
- no_rotation);
+ validator->ValidateSignature(cached_key->signing_key(), verification_key,
+ owning_domain_, no_rotation);
} else {
// No passed cached_key - this is not validating the initial policy load
// from cache, but rather an update from the server.
- if (policy_key_.empty()) {
+ if (public_key_.empty()) {
// Case #3 - no valid existing policy key (either this is the initial
// policy fetch, or we're doing a key rotation), so this new policy fetch
// should include an initial key provision.
- validator->ValidateInitialKey(verification_key, owning_domain);
+ validator->ValidateInitialKey(verification_key, owning_domain_);
} else {
// Case #4 - verify new policy with existing key. We always allow key
// rotation - the verification key will prevent invalid policy from being
- // injected. |policy_key_| is already known to be valid, so no need to
+ // injected. |public_key_| is already known to be valid, so no need to
// verify via ValidateCachedKey().
const bool allow_rotation = true;
- validator->ValidateSignature(
- policy_key_, verification_key, owning_domain, allow_rotation);
+ validator->ValidateSignature(public_key_, verification_key,
+ owning_domain_, allow_rotation);
}
}
@@ -455,7 +456,7 @@ void UserCloudPolicyStore::StorePolicyAfterValidation(
// If the key was rotated, update our local cache of the key.
if (validator->policy()->has_new_public_key())
- policy_key_ = validator->policy()->new_public_key();
+ public_key_ = validator->policy()->new_public_key();
status_ = STATUS_OK;
NotifyStoreLoaded();
}
« components/policy/core/common/cloud/cloud_policy_store.h ('K') | « components/policy/core/common/cloud/user_cloud_policy_store.h ('k') | components/policy/core/common/cloud/user_cloud_policy_store_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698