OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 #include <utility> | 8 #include <utility> |
9 | 9 |
10 #include "base/bind.h" | 10 #include "base/bind.h" |
11 #include "base/bind_helpers.h" | 11 #include "base/bind_helpers.h" |
12 #include "base/callback.h" | 12 #include "base/callback.h" |
13 #include "base/files/file_util.h" | 13 #include "base/files/file_util.h" |
14 #include "base/location.h" | 14 #include "base/location.h" |
15 #include "base/logging.h" | 15 #include "base/logging.h" |
16 #include "base/macros.h" | 16 #include "base/macros.h" |
17 #include "base/metrics/histogram_macros.h" | 17 #include "base/metrics/histogram_macros.h" |
18 #include "base/sequenced_task_runner.h" | 18 #include "base/sequenced_task_runner.h" |
19 #include "base/stl_util.h" | 19 #include "base/stl_util.h" |
20 #include "base/strings/stringprintf.h" | 20 #include "base/strings/stringprintf.h" |
21 #include "chrome/browser/chromeos/policy/user_policy_token_loader.h" | 21 #include "chrome/browser/chromeos/policy/user_policy_token_loader.h" |
22 #include "chrome/browser/lifetime/application_lifetime.h" | |
22 #include "chromeos/cryptohome/cryptohome_parameters.h" | 23 #include "chromeos/cryptohome/cryptohome_parameters.h" |
23 #include "chromeos/dbus/cryptohome_client.h" | 24 #include "chromeos/dbus/cryptohome_client.h" |
24 #include "chromeos/dbus/session_manager_client.h" | 25 #include "chromeos/dbus/session_manager_client.h" |
25 #include "components/policy/core/common/cloud/cloud_policy_constants.h" | 26 #include "components/policy/core/common/cloud/cloud_policy_constants.h" |
26 #include "components/policy/proto/cloud_policy.pb.h" | 27 #include "components/policy/proto/cloud_policy.pb.h" |
27 #include "components/policy/proto/device_management_local.pb.h" | 28 #include "components/policy/proto/device_management_local.pb.h" |
28 #include "google_apis/gaia/gaia_auth_util.h" | 29 #include "google_apis/gaia/gaia_auth_util.h" |
29 | 30 |
30 namespace em = enterprise_management; | 31 namespace em = enterprise_management; |
31 | 32 |
32 namespace policy { | 33 namespace policy { |
33 | 34 |
34 namespace { | 35 namespace { |
35 | 36 |
36 // Path within |user_policy_key_dir_| that contains the policy key. | 37 // Path within |user_policy_key_dir_| that contains the policy key. |
37 // "%s" must be substituted with the sanitized username. | 38 // "%s" must be substituted with the sanitized username. |
38 const base::FilePath::CharType kPolicyKeyFile[] = | 39 const base::FilePath::CharType kPolicyKeyFile[] = |
39 FILE_PATH_LITERAL("%s/policy.pub"); | 40 FILE_PATH_LITERAL("%s/policy.pub"); |
40 | 41 |
41 // Maximum key size that will be loaded, in bytes. | 42 // Maximum key size that will be loaded, in bytes. |
42 const size_t kKeySizeLimit = 16 * 1024; | 43 const size_t kKeySizeLimit = 16 * 1024; |
43 | 44 |
45 const char kSessionDoesNotExist[] = | |
46 "org.chromium.SessionManagerInterface.SessionDoesNotExist"; | |
Daniel Erat
2017/04/10 18:59:26
this is an implementation detail of the d-bus inte
igorcov
2017/04/18 10:23:18
Done - https://chromium-review.googlesource.com/c/
| |
47 | |
44 enum ValidationFailure { | 48 enum ValidationFailure { |
45 VALIDATION_FAILURE_DBUS, | 49 VALIDATION_FAILURE_DBUS, |
46 VALIDATION_FAILURE_LOAD_KEY, | 50 VALIDATION_FAILURE_LOAD_KEY, |
47 VALIDATION_FAILURE_SIZE, | 51 VALIDATION_FAILURE_SIZE, |
48 }; | 52 }; |
49 | 53 |
50 void SampleValidationFailure(ValidationFailure sample) { | 54 void SampleValidationFailure(ValidationFailure sample) { |
51 UMA_HISTOGRAM_ENUMERATION("Enterprise.UserPolicyValidationFailure", | 55 UMA_HISTOGRAM_ENUMERATION("Enterprise.UserPolicyValidationFailure", |
52 sample, | 56 sample, |
53 VALIDATION_FAILURE_SIZE); | 57 VALIDATION_FAILURE_SIZE); |
(...skipping 33 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
87 new em::PolicyFetchResponse(policy)); | 91 new em::PolicyFetchResponse(policy)); |
88 EnsurePolicyKeyLoaded( | 92 EnsurePolicyKeyLoaded( |
89 base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore, | 93 base::Bind(&UserCloudPolicyStoreChromeOS::ValidatePolicyForStore, |
90 weak_factory_.GetWeakPtr(), | 94 weak_factory_.GetWeakPtr(), |
91 base::Passed(&response))); | 95 base::Passed(&response))); |
92 } | 96 } |
93 | 97 |
94 void UserCloudPolicyStoreChromeOS::Load() { | 98 void UserCloudPolicyStoreChromeOS::Load() { |
95 // Cancel all pending requests. | 99 // Cancel all pending requests. |
96 weak_factory_.InvalidateWeakPtrs(); | 100 weak_factory_.InvalidateWeakPtrs(); |
97 session_manager_client_->RetrievePolicyForUser( | 101 session_manager_client_->RetrievePolicyForUserWithErrorCallback( |
98 cryptohome::Identification(account_id_), | 102 cryptohome::Identification(account_id_), |
99 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrieved, | 103 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrieved, |
104 weak_factory_.GetWeakPtr()), | |
105 base::Bind(&UserCloudPolicyStoreChromeOS::OnPolicyRetrievedWithError, | |
100 weak_factory_.GetWeakPtr())); | 106 weak_factory_.GetWeakPtr())); |
101 } | 107 } |
102 | 108 |
103 void UserCloudPolicyStoreChromeOS::LoadImmediately() { | 109 void UserCloudPolicyStoreChromeOS::LoadImmediately() { |
104 // This blocking D-Bus call is in the startup path and will block the UI | 110 // This blocking D-Bus call is in the startup path and will block the UI |
105 // thread. This only happens when the Profile is created synchronously, which | 111 // thread. This only happens when the Profile is created synchronously, which |
106 // on Chrome OS happens whenever the browser is restarted into the same | 112 // on Chrome OS happens whenever the browser is restarted into the same |
107 // session. That happens when the browser crashes, or right after signin if | 113 // session. That happens when the browser crashes, or right after signin if |
108 // the user has flags configured in about:flags. | 114 // the user has flags configured in about:flags. |
109 // However, on those paths we must load policy synchronously so that the | 115 // However, on those paths we must load policy synchronously so that the |
(...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
236 // Load |cached_policy_key_| to verify the loaded policy. | 242 // Load |cached_policy_key_| to verify the loaded policy. |
237 if (is_active_directory_) { | 243 if (is_active_directory_) { |
238 ValidateRetrievedPolicy(std::move(policy)); | 244 ValidateRetrievedPolicy(std::move(policy)); |
239 } else { | 245 } else { |
240 EnsurePolicyKeyLoaded( | 246 EnsurePolicyKeyLoaded( |
241 base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy, | 247 base::Bind(&UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy, |
242 weak_factory_.GetWeakPtr(), base::Passed(&policy))); | 248 weak_factory_.GetWeakPtr(), base::Passed(&policy))); |
243 } | 249 } |
244 } | 250 } |
245 | 251 |
252 void UserCloudPolicyStoreChromeOS::OnPolicyRetrievedWithError( | |
253 const std::string& error_name, | |
254 const std::string& error_message) { | |
255 LOG(ERROR) << "Error on policy retrieved " << error_name << ":" | |
Daniel Erat
2017/04/10 18:59:26
add space after ':'
igorcov
2017/04/18 10:23:18
Done.
| |
256 << error_message; | |
257 // Disallow the sign in when the error is dbus_error::kSessionDoesNotExist | |
258 // from Chrome OS. | |
Daniel Erat
2017/04/10 18:59:26
this is chrome-os-only code, so you should probabl
igorcov
2017/04/18 10:23:18
Done.
| |
259 // TODO(igorcov): crbug/689206. Find the root cause for the behavior that | |
260 // makes Chrome request the user policy before the session is started. | |
261 if (error_name == kSessionDoesNotExist) { | |
262 chrome::AttemptUserExit(); | |
Daniel Erat
2017/04/10 18:59:26
should chrome crash instead, or will that put us i
Andrew T Wilson (Slow)
2017/04/11 13:35:04
Signing out silently can indeed be confusing for u
| |
263 return; | |
264 } | |
265 | |
266 status_ = STATUS_PARSE_ERROR; | |
267 NotifyStoreError(); | |
268 } | |
269 | |
246 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy( | 270 void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy( |
247 std::unique_ptr<em::PolicyFetchResponse> policy) { | 271 std::unique_ptr<em::PolicyFetchResponse> policy) { |
248 // Create and configure a validator for the loaded policy. | 272 // Create and configure a validator for the loaded policy. |
249 std::unique_ptr<UserCloudPolicyValidator> validator = | 273 std::unique_ptr<UserCloudPolicyValidator> validator = |
250 CreateValidatorForLoad(std::move(policy)); | 274 CreateValidatorForLoad(std::move(policy)); |
251 // Start validation. The Validator will delete itself once validation is | 275 // Start validation. The Validator will delete itself once validation is |
252 // complete. | 276 // complete. |
253 validator.release()->StartValidation( | 277 validator.release()->StartValidation( |
254 base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated, | 278 base::Bind(&UserCloudPolicyStoreChromeOS::OnRetrievedPolicyValidated, |
255 weak_factory_.GetWeakPtr())); | 279 weak_factory_.GetWeakPtr())); |
(...skipping 119 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
375 validator->ValidateUsername(account_id_.GetUserEmail(), true); | 399 validator->ValidateUsername(account_id_.GetUserEmail(), true); |
376 // The policy loaded from session manager need not be validated using the | 400 // The policy loaded from session manager need not be validated using the |
377 // verification key since it is secure, and since there may be legacy policy | 401 // verification key since it is secure, and since there may be legacy policy |
378 // data that was stored without a verification key. | 402 // data that was stored without a verification key. |
379 validator->ValidateSignature(cached_policy_key_); | 403 validator->ValidateSignature(cached_policy_key_); |
380 } | 404 } |
381 return validator; | 405 return validator; |
382 } | 406 } |
383 | 407 |
384 } // namespace policy | 408 } // namespace policy |
OLD | NEW |