Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
2493603002:
Implement component cloud policy signature validation (Closed)
|
Created:
4 years, 1 month ago by emaxx Modified:
4 years ago Reviewers:
Andrew T Wilson (Slow) CC:
chromium-reviews Target Ref:
refs/pending/heads/master Project:
chromium Visibility:
Public. |
DescriptionImplement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the signature checks enabled),
new unit tests and new browser test
Committed: https://crrev.com/4df0d565e3cd9258f0a5fc4517bfb739a7b28d4f
Cr-Commit-Position: refs/heads/master@{#434730}
Patch Set 1 #
Total comments: 2
Patch Set 2 : Remove owning domain passing #Patch Set 3 : Remove owning domain passing #Patch Set 4 : Rebase, add comment #Patch Set 5 : Rebase, disable the new test temporarily #Patch Set 6 : Rebase #Patch Set 7 : Rebase on top of policy test server change #
Total comments: 16
Patch Set 8 : Fix nits. Add more tests #Patch Set 9 : Add comment #Depends on Patchset: Messages
Total messages: 62 (52 generated)
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
emaxx@chromium.org changed reviewers: + atwilson@chromium.org
Drew, PTAL. This is the second part of the bigger change. This CL relies on work that is being reviewed in http://crrev.com/2488573003 , which is adding the ways of obtaining credentials from user/device/etc. cloud policy stores. There's an open question regarding the new browser test in this CL. Also I'd like to tackle one security issue in a separate CL. Please see my comments below. https://codereview.chromium.org/2493603002/diff/1/chrome/browser/policy/cloud... File chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc (right): https://codereview.chromium.org/2493603002/diff/1/chrome/browser/policy/cloud... chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc:330: EXPECT_LT(public_key_version, new_public_key_version); This new test is failing here due to the policy test server not performing key rotation: http://crbug.com/663870 . I'd like to leave this test in the review as is until there's a feedback for that issue. https://codereview.chromium.org/2493603002/diff/1/components/policy/core/comm... File components/policy/core/common/cloud/component_cloud_policy_service.cc (right): https://codereview.chromium.org/2493603002/diff/1/components/policy/core/comm... components/policy/core/common/cloud/component_cloud_policy_service.cc:247: // TODO(emaxx): This is insecure, as it happens before the policy validation. I'd like to tackle this issue in a separate CL. This issue was present in the original code as well, I just moved this piece of code from ComponentCloudPolicyService::Backend::SetCurrentPolicies.
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_asan_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
Removed passing of the owning domain as per http://crrev.com/2488573003 and http://crrev.com/2494843002 .
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
Drew, friendly ping. I've updated the CL to rebase on top of changes in other CLs.
Description was changed from ========== Implement component cloud policy signature validation This adds signature validation for the component cloud policy (e.g. policy for extensions). The signature is validated against the same key that is used for the "superior" policy (e.g. the user policy, the device local account policy, etc.). This CL also adds keeping a copy of the most recent component cloud policy and rechecking it when some of the credentials change. This allows to handle key rotations gracefully: even though the component cloud policy may fail the validation immediately after the cloud policy refresh with the rotated key, it will be re-validated and applied when the superior policy gets processed and the credentials get propagated. BUG=644632 TEST=new unit tests, new browser test ========== to ========== Implement component cloud policy signature validation This adds signature validation for the component cloud policy (e.g. policy for extensions). The signature is validated against the same key that is used for the "superior" policy (e.g. the user policy, the device local account policy, etc.). This CL also adds keeping a copy of the most recent component cloud policy and rechecking it when some of the credentials change. This allows to handle key rotations gracefully: even though the component cloud policy may fail the validation immediately after the cloud policy refresh with the rotated key, it will be re-validated and applied when the superior policy gets processed and the credentials get propagated. BUG=644632 TEST=existing tests (now with the added signature checks), new unit tests and new browser test ==========
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Rebased again after the first half has landed ( http://crrev.com/cc11f1e65bc21e264ec3a763e9c0d36f2d9025b1 ) has landed. I also disabled temporarily one of the new tests until the corresponding issue with the policy test server is fixed ( http://crbug.com/663870 ).
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_clobber_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_compile_dbg_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
Enabled test back due to rebasing on top http://crrev.com/2530023002 .
LGTM with nits/comments https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_service.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service.cc:86: void ClearCache(); Useful to document what this does/when it should be invoked. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service.cc:116: void UpdateWithMostRecentPolicies(); Document this? https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service.cc:245: // TODO(emaxx): This is insecure, as it happens before the policy validation. Add a bug for this and put a link to the bug with the TODO https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_service_unittest.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service_unittest.cc:8: #include <map> blank line between C and stl includes? https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_store.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_store.cc:299: base::Time time_not_before; comment what we're validating here https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_store.cc:354: policy_data->Swap(validator->policy_data().get()); This is fine, but why did we move this around? https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc:292: "wrongtoken", This is fine, but I note it just tests the case where *everything* is wrong - it doesn't check that having a single incorrect credential (i.e. wrong device id) causes validation to fail. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_updater_unittest.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_updater_unittest.cc:91: ComponentCloudPolicyUpdaterTest::ComponentCloudPolicyUpdaterTest() QQ: is there a test that checks that policy validation fails here if the signing keys don't match the cached policy?
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Description was changed from
==========
Implement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the added signature checks), new unit tests and
new browser test
==========
to
==========
Implement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the signature checks enabled),
new unit tests and new browser test
==========
The CQ bit was checked by emaxx@chromium.org to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: This issue passed the CQ dry run.
https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_service.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service.cc:86: void ClearCache(); On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > Useful to document what this does/when it should be invoked. Done. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service.cc:116: void UpdateWithMostRecentPolicies(); On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > Document this? Done. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service.cc:245: // TODO(emaxx): This is insecure, as it happens before the policy validation. On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > Add a bug for this and put a link to the bug with the TODO Good point, done. I planned to resolve this together with crbug.com/650785, but, surely, it's important to track this so that it doesn't drop out from radars. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_service_unittest.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_service_unittest.cc:8: #include <map> On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > blank line between C and stl includes? Done. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_store.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_store.cc:299: base::Time time_not_before; On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > comment what we're validating here Done. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_store.cc:354: policy_data->Swap(validator->policy_data().get()); On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > This is fine, but why did we move this around? You mean, why do I have to return PolicyData from this method? That's needed for keeping the |stored_policy_times_| member up to date: it has to be updated in ComponentCloudPolicyStore::Store, but the policy timestamp is stored in the PolicyData which was not previously passed to it from ComponentCloudPolicyUpdater::UpdateExternalPolicy. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc:292: "wrongtoken", On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > This is fine, but I note it just tests the case where *everything* is wrong - it > doesn't check that having a single incorrect credential (i.e. wrong device id) > causes validation to fail. That's true, probably the original author was a bit lazy to test all scenarios, but now I was stretching this even more. Fixed now. https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... File components/policy/core/common/cloud/component_cloud_policy_updater_unittest.cc (right): https://codereview.chromium.org/2493603002/diff/120001/components/policy/core... components/policy/core/common/cloud/component_cloud_policy_updater_unittest.cc:91: ComponentCloudPolicyUpdaterTest::ComponentCloudPolicyUpdaterTest() On 2016/11/25 16:13:24, Andrew T Wilson (Slow) wrote: > QQ: is there a test that checks that policy validation fails here if the signing > keys don't match the cached policy? Nope, there were no tests for the signature validation failures. Fixed now.
The CQ bit was checked by emaxx@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from atwilson@chromium.org Link to the patchset: https://codereview.chromium.org/2493603002/#ps160001 (title: "Add comment")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
CQ is committing da patch.
Bot data: {"patchset_id": 160001, "attempt_start_ts": 1480356831063950,
"parent_rev": "77d23df1093915147287f0c917ca206e2b71a793", "commit_rev":
"0ae4fbb15aecc1d5b89f3f8d8e4d219b7039fc54"}
Message was sent while issue was closed.
Description was changed from
==========
Implement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the signature checks enabled),
new unit tests and new browser test
==========
to
==========
Implement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the signature checks enabled),
new unit tests and new browser test
==========
Message was sent while issue was closed.
Committed patchset #9 (id:160001)
Message was sent while issue was closed.
Description was changed from
==========
Implement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the signature checks enabled),
new unit tests and new browser test
==========
to
==========
Implement component cloud policy signature validation
This adds signature validation for the component cloud policy
(e.g. policy for extensions). The signature is validated against
the same key that is used for the "superior" policy (e.g. the
user policy, the device local account policy, etc.).
This CL also adds keeping a copy of the most recent component
cloud policy and rechecking it when some of the credentials
change. This allows to handle key rotations gracefully: even
though the component cloud policy may fail the validation
immediately after the cloud policy refresh with the rotated key,
it will be re-validated and applied when the superior policy gets
processed and the credentials get propagated.
BUG=644632
TEST=existing tests (now with the signature checks enabled),
new unit tests and new browser test
Committed: https://crrev.com/4df0d565e3cd9258f0a5fc4517bfb739a7b28d4f
Cr-Commit-Position: refs/heads/master@{#434730}
==========
Message was sent while issue was closed.
Patchset 9 (id:??) landed as https://crrev.com/4df0d565e3cd9258f0a5fc4517bfb739a7b28d4f Cr-Commit-Position: refs/heads/master@{#434730} |
