OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h" | 5 #include "chrome/browser/chromeos/policy/device_local_account_policy_store.h" |
6 | 6 |
7 #include <utility> | 7 #include <utility> |
8 | 8 |
9 #include "base/bind.h" | 9 #include "base/bind.h" |
10 #include "base/callback.h" | 10 #include "base/callback.h" |
(...skipping 25 matching lines...) Expand all Loading... | |
36 DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {} | 36 DeviceLocalAccountPolicyStore::~DeviceLocalAccountPolicyStore() {} |
37 | 37 |
38 void DeviceLocalAccountPolicyStore::Load() { | 38 void DeviceLocalAccountPolicyStore::Load() { |
39 weak_factory_.InvalidateWeakPtrs(); | 39 weak_factory_.InvalidateWeakPtrs(); |
40 session_manager_client_->RetrieveDeviceLocalAccountPolicy( | 40 session_manager_client_->RetrieveDeviceLocalAccountPolicy( |
41 account_id_, | 41 account_id_, |
42 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob, | 42 base::Bind(&DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob, |
43 weak_factory_.GetWeakPtr())); | 43 weak_factory_.GetWeakPtr())); |
44 } | 44 } |
45 | 45 |
46 void DeviceLocalAccountPolicyStore::LoadImmediately() { | |
Andrew T Wilson (Slow)
2017/02/23 12:05:48
In general, there will also be an asynchronous loa
Sergey Poromov
2017/02/28 14:01:17
Done.
| |
47 // This blocking D-Bus call is in the startup path and will block the UI | |
48 // thread. This only happens when the Profile is created synchronously, which | |
49 // on Chrome OS happens whenever the browser is restarted into the same | |
50 // session. That happens when the browser crashes, or right after signin if | |
emaxx
2017/02/22 17:24:33
nit: It's a little bit unclear what "that happens"
Sergey Poromov
2017/02/28 14:01:17
Done.
| |
51 // the user has flags configured in about:flags. | |
52 // However, on those paths we must load policy synchronously so that the | |
53 // Profile initialization never sees unmanaged prefs, which would lead to | |
54 // data loss. http://crbug.com/263061 | |
55 | |
56 std::string policy_blob = | |
emaxx
2017/02/22 17:24:33
nit: const
Sergey Poromov
2017/02/28 14:01:17
Done.
| |
57 session_manager_client_->BlockingRetrieveDeviceLocalAccountPolicy( | |
58 account_id_); | |
59 if (policy_blob.empty()) { | |
60 status_ = CloudPolicyStore::STATUS_LOAD_ERROR; | |
emaxx
2017/02/22 17:24:33
Isn't it possible to get rid of this code duplicat
Sergey Poromov
2017/02/28 14:01:17
Done.
| |
61 NotifyStoreError(); | |
62 return; | |
63 } | |
64 std::unique_ptr<em::PolicyFetchResponse> policy( | |
65 new em::PolicyFetchResponse()); | |
66 if (!policy->ParseFromString(policy_blob)) { | |
67 status_ = CloudPolicyStore::STATUS_PARSE_ERROR; | |
68 NotifyStoreError(); | |
69 return; | |
70 } | |
71 | |
72 chromeos::DeviceSettingsService::OwnershipStatus ownership_status = | |
73 device_settings_service_->GetOwnershipStatus(); | |
74 | |
75 DCHECK_NE(chromeos::DeviceSettingsService::OWNERSHIP_UNKNOWN, | |
76 ownership_status); | |
77 const em::PolicyData* device_policy_data = | |
78 device_settings_service_->policy_data(); | |
79 // Note that the key is obtained through the device settings service instead | |
80 // of using |policy_signature_public_key_| member, as the latter one is | |
81 // updated only after the successful installation of the policy. | |
82 scoped_refptr<ownership::PublicKey> key = | |
83 device_settings_service_->GetPublicKey(); | |
84 if (!key.get() || !key->is_loaded() || !device_policy_data) { | |
85 status_ = CloudPolicyStore::STATUS_BAD_STATE; | |
86 NotifyStoreLoaded(); | |
87 return; | |
88 } | |
89 | |
90 std::unique_ptr<UserCloudPolicyValidator> validator = | |
91 CreateValidatorForLoad(false /*valid_timestamp_required*/, | |
92 device_policy_data, key, std::move(policy)); | |
93 // Start validation. The Validator will delete itself once validation is | |
94 // complete. | |
Andrew T Wilson (Slow)
2017/02/23 12:05:48
Wait, what? But we have a unique_ptr holding |vali
Sergey Poromov
2017/02/28 14:01:17
You are right, that was true only for StartValidat
| |
95 validator->RunValidation(); | |
96 | |
97 UpdatePolicy(key->as_string(), validator.get()); | |
98 } | |
99 | |
46 void DeviceLocalAccountPolicyStore::Store( | 100 void DeviceLocalAccountPolicyStore::Store( |
47 const em::PolicyFetchResponse& policy) { | 101 const em::PolicyFetchResponse& policy) { |
48 weak_factory_.InvalidateWeakPtrs(); | 102 weak_factory_.InvalidateWeakPtrs(); |
49 CheckKeyAndValidate( | 103 CheckKeyAndValidate( |
50 true, base::MakeUnique<em::PolicyFetchResponse>(policy), | 104 true, base::MakeUnique<em::PolicyFetchResponse>(policy), |
51 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy, | 105 base::Bind(&DeviceLocalAccountPolicyStore::StoreValidatedPolicy, |
52 weak_factory_.GetWeakPtr())); | 106 weak_factory_.GetWeakPtr())); |
53 } | 107 } |
54 | 108 |
55 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob( | 109 void DeviceLocalAccountPolicyStore::ValidateLoadedPolicyBlob( |
(...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
149 // of using |policy_signature_public_key_| member, as the latter one is | 203 // of using |policy_signature_public_key_| member, as the latter one is |
150 // updated only after the successful installation of the policy. | 204 // updated only after the successful installation of the policy. |
151 scoped_refptr<ownership::PublicKey> key = | 205 scoped_refptr<ownership::PublicKey> key = |
152 device_settings_service_->GetPublicKey(); | 206 device_settings_service_->GetPublicKey(); |
153 if (!key.get() || !key->is_loaded() || !device_policy_data) { | 207 if (!key.get() || !key->is_loaded() || !device_policy_data) { |
154 status_ = CloudPolicyStore::STATUS_BAD_STATE; | 208 status_ = CloudPolicyStore::STATUS_BAD_STATE; |
155 NotifyStoreLoaded(); | 209 NotifyStoreLoaded(); |
156 return; | 210 return; |
157 } | 211 } |
158 | 212 |
213 std::unique_ptr<UserCloudPolicyValidator> validator = | |
214 CreateValidatorForLoad(valid_timestamp_required, device_policy_data, key, | |
215 std::move(policy_response)); | |
216 // Start validation. The Validator will delete itself once validation is | |
217 // complete. | |
218 validator.release()->StartValidation(base::Bind(callback, key->as_string())); | |
219 } | |
220 | |
221 std::unique_ptr<UserCloudPolicyValidator> | |
222 DeviceLocalAccountPolicyStore::CreateValidatorForLoad( | |
223 bool valid_timestamp_required, | |
224 const em::PolicyData* device_policy_data, | |
225 scoped_refptr<ownership::PublicKey> key, | |
226 std::unique_ptr<em::PolicyFetchResponse> policy_response) { | |
159 std::unique_ptr<UserCloudPolicyValidator> validator( | 227 std::unique_ptr<UserCloudPolicyValidator> validator( |
160 UserCloudPolicyValidator::Create(std::move(policy_response), | 228 UserCloudPolicyValidator::Create(std::move(policy_response), |
161 background_task_runner())); | 229 background_task_runner())); |
162 validator->ValidateUsername(account_id_, false); | 230 validator->ValidateUsername(account_id_, false); |
163 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType); | 231 validator->ValidatePolicyType(dm_protocol::kChromePublicAccountPolicyType); |
164 // The timestamp is verified when storing a new policy downloaded from the | 232 // The timestamp is verified when storing a new policy downloaded from the |
165 // server but not when loading a cached policy from disk. | 233 // server but not when loading a cached policy from disk. |
166 // See SessionManagerOperation::ValidateDeviceSettings for the rationale. | 234 // See SessionManagerOperation::ValidateDeviceSettings for the rationale. |
167 validator->ValidateAgainstCurrentPolicy( | 235 validator->ValidateAgainstCurrentPolicy( |
168 policy(), | 236 policy(), |
169 valid_timestamp_required | 237 valid_timestamp_required |
170 ? CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED | 238 ? CloudPolicyValidatorBase::TIMESTAMP_FULLY_VALIDATED |
171 : CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED, | 239 : CloudPolicyValidatorBase::TIMESTAMP_NOT_VALIDATED, |
172 CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED, | 240 CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED, |
173 CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED); | 241 CloudPolicyValidatorBase::DEVICE_ID_NOT_REQUIRED); |
174 | 242 |
175 // Validate the DMToken to match what device policy has. | 243 // Validate the DMToken to match what device policy has. |
176 validator->ValidateDMToken(device_policy_data->request_token(), | 244 validator->ValidateDMToken(device_policy_data->request_token(), |
177 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED); | 245 CloudPolicyValidatorBase::DM_TOKEN_REQUIRED); |
178 | 246 |
179 // Validate the device id to match what device policy has. | 247 // Validate the device id to match what device policy has. |
180 validator->ValidateDeviceId(device_policy_data->device_id(), | 248 validator->ValidateDeviceId(device_policy_data->device_id(), |
181 CloudPolicyValidatorBase::DEVICE_ID_REQUIRED); | 249 CloudPolicyValidatorBase::DEVICE_ID_REQUIRED); |
182 | 250 |
183 validator->ValidatePayload(); | 251 validator->ValidatePayload(); |
184 validator->ValidateSignature(key->as_string()); | 252 validator->ValidateSignature(key->as_string()); |
185 validator.release()->StartValidation(base::Bind(callback, key->as_string())); | 253 return validator; |
186 } | 254 } |
187 | 255 |
188 } // namespace policy | 256 } // namespace policy |
OLD | NEW |