Chromium Code Reviews Chromium Code Reviews
Issue 2606773002:
Setup Chromad user policy plumbing (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/bind.h" | 10 #include "base/bind.h" |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 59 return gaia::ExtractDomainName(gaia::CanonicalizeEmail(username)); | 59 return gaia::ExtractDomainName(gaia::CanonicalizeEmail(username)); |
| 60 } | 60 } |
| 61 | 61 |
| 62 } // namespace | 62 } // namespace |
| 63 | 63 |
| 64 UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS( | 64 UserCloudPolicyStoreChromeOS::UserCloudPolicyStoreChromeOS( |
| 65 chromeos::CryptohomeClient* cryptohome_client, | 65 chromeos::CryptohomeClient* cryptohome_client, |
| 66 chromeos::SessionManagerClient* session_manager_client, | 66 chromeos::SessionManagerClient* session_manager_client, |
| 67 scoped_refptr<base::SequencedTaskRunner> background_task_runner, | 67 scoped_refptr<base::SequencedTaskRunner> background_task_runner, |
| 68 const AccountId& account_id, | 68 const AccountId& account_id, |
| 69 const base::FilePath& user_policy_key_dir) | 69 const base::FilePath& user_policy_key_dir, |
| 70 bool is_active_directory) | |
| 70 : UserCloudPolicyStoreBase(background_task_runner), | 71 : UserCloudPolicyStoreBase(background_task_runner), |
| 71 cryptohome_client_(cryptohome_client), | 72 cryptohome_client_(cryptohome_client), |
| 72 session_manager_client_(session_manager_client), | 73 session_manager_client_(session_manager_client), |
| 73 account_id_(account_id), | 74 account_id_(account_id), |
| 74 user_policy_key_dir_(user_policy_key_dir), | 75 user_policy_key_dir_(user_policy_key_dir), |
| 76 is_active_directory_(is_active_directory), | |
| 75 weak_factory_(this) {} | 77 weak_factory_(this) {} |
| 76 | 78 |
| 77 UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {} | 79 UserCloudPolicyStoreChromeOS::~UserCloudPolicyStoreChromeOS() {} |
| 78 | 80 |
| 79 void UserCloudPolicyStoreChromeOS::Store( | 81 void UserCloudPolicyStoreChromeOS::Store( |
| 80 const em::PolicyFetchResponse& policy) { | 82 const em::PolicyFetchResponse& policy) { |
| 83 DCHECK(!is_active_directory_); | |
| 84 | |
| 81 // Cancel all pending requests. | 85 // Cancel all pending requests. |
| 82 weak_factory_.InvalidateWeakPtrs(); | 86 weak_factory_.InvalidateWeakPtrs(); |
| 83 std::unique_ptr<em::PolicyFetchResponse> response( | 87 std::unique_ptr<em::PolicyFetchResponse> response( |
| 84 new em::PolicyFetchResponse(policy)); | 88 new em::PolicyFetchResponse(policy)); |
| 85 EnsurePolicyKeyLoaded( | 89 EnsurePolicyKeyLoaded( |
| 86 base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore, | 90 base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore, |
| 87 weak_factory_.GetWeakPtr(), | 91 weak_factory_.GetWeakPtr(), |
| 88 base::Passed(&response))); | 92 base::Passed(&response))); |
| 89 } | 93 } |
| 90 | 94 |
| 91 void UserCloudPolicyStoreChromeOS::Load() { | 95 void UserCloudPolicyStoreChromeOS::Load() { |
| 92 // Cancel all pending requests. | 96 // Cancel all pending requests. |
| 93 weak_factory_.InvalidateWeakPtrs(); | 97 weak_factory_.InvalidateWeakPtrs(); |
| 94 session_manager_client_->RetrievePolicyForUser( | 98 session_manager_client_->RetrievePolicyForUser( |
| 95 cryptohome::Identification(account_id_), | 99 cryptohome::Identification(account_id_), |
| 96 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrieved, | 100 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrieved, |
| 97 weak_factory_.GetWeakPtr())); | 101 weak_factory_.GetWeakPtr())); |
| 98 } | 102 } |
| 99 | 103 |
| 100 void UserCloudPolicyStoreChromeOS::LoadImmediately() { | 104 void UserCloudPolicyStoreChromeOS::LoadImmediately() { |
| 101 // This blocking DBus call is in the startup path and will block the UI | 105 // This blocking D-Bus call is in the startup path and will block the UI |
| 102 // thread. This only happens when the Profile is created synchronously, which | 106 // thread. This only happens when the Profile is created synchronously, which |
| 103 // on ChromeOS happens whenever the browser is restarted into the same | 107 // on Chrome OS happens whenever the browser is restarted into the same |
| 104 // session. That happens when the browser crashes, or right after signin if | 108 // session. That happens when the browser crashes, or right after signin if |
| 105 // the user has flags configured in about:flags. | 109 // the user has flags configured in about:flags. |
| 106 // However, on those paths we must load policy synchronously so that the | 110 // However, on those paths we must load policy synchronously so that the |
| 107 // Profile initialization never sees unmanaged prefs, which would lead to | 111 // Profile initialization never sees unmanaged prefs, which would lead to |
| 108 // data loss. http://crbug.com/263061 | 112 // data loss. http://crbug.com/263061 |
| 109 std::string policy_blob = | 113 std::string policy_blob = |
| 110 session_manager_client_->BlockingRetrievePolicyForUser( | 114 session_manager_client_->BlockingRetrievePolicyForUser( |
| 111 cryptohome::Identification(account_id_)); | 115 cryptohome::Identification(account_id_)); |
| 112 if (policy_blob.empty()) { | 116 if (policy_blob.empty()) { |
| 113 // The session manager doesn't have policy, or the call failed. | 117 // The session manager doesn't have policy, or the call failed. |
| (...skipping 104 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 218 | 222 |
| 219 std::unique_ptr<em::PolicyFetchResponse> policy( | 223 std::unique_ptr<em::PolicyFetchResponse> policy( |
| 220 new em::PolicyFetchResponse()); | 224 new em::PolicyFetchResponse()); |
| 221 if (!policy->ParseFromString(policy_blob)) { | 225 if (!policy->ParseFromString(policy_blob)) { |
| 222 status_ = STATUS_PARSE_ERROR; | 226 status_ = STATUS_PARSE_ERROR; |
| 223 NotifyStoreError(); | 227 NotifyStoreError(); |
| 224 return; | 228 return; |
| 225 } | 229 } |
| 226 | 230 |
| 227 // Load |cached_policy_key_| to verify the loaded policy. | 231 // Load |cached_policy_key_| to verify the loaded policy. |
| 228 EnsurePolicyKeyLoaded( | 232 if (is_active_directory_) { |
| 229 base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy, | 233 ValidateRetrievedPolicy(std::move(policy)); |
| 230 weak_factory_.GetWeakPtr(), | 234 } else { |
| 231 base::Passed(&policy))); | 235 EnsurePolicyKeyLoaded( |
|
emaxx
2016/12/28 19:09:20
Before the refactoring is done to separate out the
Thiemo Nagel
2016/12/29 15:08:27
Done.
| |
| 236 base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy, | |
| 237 weak_factory_.GetWeakPtr(), base::Passed(&policy))); | |
| 238 } | |
| 232 } | 239 } |
| 233 | 240 |
| 234 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy( | 241 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy( |
| 235 std::unique_ptr<em::PolicyFetchResponse> policy) { | 242 std::unique_ptr<em::PolicyFetchResponse> policy) { |
| 236 // Create and configure a validator for the loaded policy. | 243 // Create and configure a validator for the loaded policy. |
| 237 std::unique_ptr<UserCloudPolicyValidator> validator = | 244 std::unique_ptr<UserCloudPolicyValidator> validator = |
| 238 CreateValidatorForLoad(std::move(policy)); | 245 CreateValidatorForLoad(std::move(policy)); |
| 239 // Start validation. The Validator will delete itself once validation is | 246 // Start validation. The Validator will delete itself once validation is |
| 240 // complete. | 247 // complete. |
| 241 validator.release()->StartValidation( | 248 validator.release()->StartValidation( |
| (...skipping 96 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 338 SampleValidationFailure(VALIDATION_FAILURE_DBUS); | 345 SampleValidationFailure(VALIDATION_FAILURE_DBUS); |
| 339 } | 346 } |
| 340 ReloadPolicyKey(callback); | 347 ReloadPolicyKey(callback); |
| 341 } | 348 } |
| 342 | 349 |
| 343 std::unique_ptr<UserCloudPolicyValidator> | 350 std::unique_ptr<UserCloudPolicyValidator> |
| 344 UserCloudPolicyStoreChromeOS::CreateValidatorForLoad( | 351 UserCloudPolicyStoreChromeOS::CreateValidatorForLoad( |
| 345 std::unique_ptr<em::PolicyFetchResponse> policy) { | 352 std::unique_ptr<em::PolicyFetchResponse> policy) { |
| 346 std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator( | 353 std::unique_ptr<UserCloudPolicyValidator> validator = CreateValidator( |
| 347 std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE); | 354 std::move(policy), CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE); |
| 348 validator->ValidateUsername(account_id_.GetUserEmail(), true); | 355 if (is_active_directory_) { |
| 349 // The policy loaded from session manager need not be validated using the | 356 validator->ValidateTimestamp( |
| 350 // verification key since it is secure, and since there may be legacy policy | 357 base::Time(), base::Time(), |
| 351 // data that was stored without a verification key. | 358 CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED); |
| 352 validator->ValidateSignature(cached_policy_key_); | 359 validator->ValidateDMToken(std::string(), |
| 360 CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED); | |
| 361 validator->ValidateDeviceId( | |
| 362 std::string(), CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED); | |
| 363 } else { | |
| 364 validator->ValidateUsername(account_id_.GetUserEmail(), true); | |
| 365 // The policy loaded from session manager need not be validated using the | |
| 366 // verification key since it is secure, and since there may be legacy policy | |
| 367 // data that was stored without a verification key. | |
| 368 validator->ValidateSignature(cached_policy_key_); | |
| 369 } | |
| 353 return validator; | 370 return validator; |
| 354 } | 371 } |
| 355 | 372 |
| 356 } // namespace policy | 373 } // namespace policy |
| OLD | NEW |
