chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc - Issue 2841553002: Allow machine key challenges by signin profiles.

Unified Diff: chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

Issue 2841553002: Allow machine key challenges by signin profiles. (Closed)

Patch Set: Review nits. Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

« no previous file with comments | « chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.h ('k') | chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

Index: chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

diff --git a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

index 4b69f12dfd8c0ac8054ff21d95c4fe3c909912cf..2edc30d4f7e4c7b6c370e474f98817e72dc36299 100644

--- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

+++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc

@@ -38,6 +38,7 @@

#include "components/user_manager/known_user.h"

#include "components/user_manager/user.h"

#include "components/user_manager/user_manager.h"

+#include "extensions/common/manifest.h"

#include "google_apis/gaia/gaia_auth_util.h"

#include "third_party/cros_system_api/dbus/service_constants.h"

@@ -140,9 +141,15 @@ bool EPKPChallengeKeyBase::IsEnterpriseDevice() const {

}

bool EPKPChallengeKeyBase::IsExtensionWhitelisted() const {

+ if (chromeos::ProfileHelper::IsSigninProfile(profile_)) {

+ // Only allow remote attestation for apps that were force-installed on the

+ // login/signin screen.

+ // TODO(drcrash): Use a separate device-wide policy for the API.

+ return Manifest::IsPolicyLocation(extension_->location());

+ }

const base::ListValue* list =

profile_->GetPrefs()->GetList(prefs::kAttestationExtensionWhitelist);

- base::Value value(extension_id_);

+ base::Value value(extension_->id());

return list->Find(value) != list->end();

}

@@ -318,7 +325,7 @@ void EPKPChallengeMachineKey::Run(

bool register_key) {

callback_ = callback;

profile_ = ChromeExtensionFunctionDetails(caller.get()).GetProfile();

- extension_id_ = caller->extension_id();

+ extension_ = scoped_refptr<const Extension>(caller->extension());

// Check if the device is enterprise enrolled.

if (!IsEnterpriseDevice()) {

@@ -332,7 +339,9 @@ void EPKPChallengeMachineKey::Run(

return;

}

- if (!IsUserAffiliated()) {

+ // Check whether the user is managed unless the signin profile is used.

+ if (!chromeos::ProfileHelper::IsSigninProfile(profile_) &&

+ !IsUserAffiliated()) {

callback_.Run(false, kUserNotManaged);

return;

}

@@ -466,7 +475,7 @@ void EPKPChallengeUserKey::Run(scoped_refptr<UIThreadExtensionFunction> caller,

bool register_key) {

callback_ = callback;

profile_ = ChromeExtensionFunctionDetails(caller.get()).GetProfile();

- extension_id_ = caller->extension_id();

+ extension_ = scoped_refptr<const Extension>(caller->extension());

// Check if RA is enabled in the user policy.

if (!IsRemoteAttestationEnabledForUser()) {