device_policy.cc - Issue 6815021: [login_manager] Code to add the owner to the whitelist in a device policy

Side by Side Diff: device_policy.cc

Issue 6815021: [login_manager] Code to add the owner to the whitelist in a device policy (Closed) Base URL: http://git.chromium.org/git/login_manager.git@master

Patch Set: Created 9 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved.	1 // Copyright (c) 2011 The Chromium OS Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "login_manager/device_policy.h"	5 #include "login_manager/device_policy.h"

6	6

7 #include <string>	7 #include <string>

8	8

9 #include <base/basictypes.h>	9 #include <base/basictypes.h>

10 #include <base/file_path.h>	10 #include <base/file_path.h>

11 #include <base/file_util.h>	11 #include <base/file_util.h>

12 #include <base/logging.h>	12 #include <base/logging.h>

13	13

14 #include "login_manager/bindings/device_management_backend.pb.h"	14 #include "login_manager/bindings/device_management_backend.pb.h"

	15 #include "login_manager/bindings/chrome_device_policy.pb.h"
	gauravsh 2011/04/08 04:58:49 nit: alpha order of #includes. nit: alpha order of #includes. Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > nit: alpha order of #includes. Done.
15 #include "login_manager/system_utils.h"	16 #include "login_manager/system_utils.h"

	17 #include "login_manager/owner_key.h"
	gauravsh 2011/04/08 04:58:49 nit: alpha order of includes. nit: alpha order of includes. Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > nit: alpha order of includes. Done.
	18

	19 namespace em = enterprise_management;

16	20

17 namespace login_manager {	21 namespace login_manager {

	22 using google::protobuf::RepeatedPtrField;

	23 using std::string;

	24

18 // static	25 // static

19 const char DevicePolicy::kDefaultPath[] = "/var/lib/whitelist/policy";	26 const char DevicePolicy::kDefaultPath[] = "/var/lib/whitelist/policy";

	27 // static

	28 const char DevicePolicy::kDevicePolicyType[] = "google/chromeos/device";

20	29

21 DevicePolicy::DevicePolicy(const FilePath& policy_path)	30 DevicePolicy::DevicePolicy(const FilePath& policy_path)

22 : policy_path_(policy_path) {	31 : policy_path_(policy_path) {

23 }	32 }

24	33

25 DevicePolicy::~DevicePolicy() {	34 DevicePolicy::~DevicePolicy() {

26 }	35 }

27	36

28 bool DevicePolicy::LoadOrCreate() {	37 bool DevicePolicy::LoadOrCreate() {

29 if (!file_util::PathExists(policy_path_))	38 if (!file_util::PathExists(policy_path_))

30 return true;	39 return true;

31 std::string polstr;	40 std::string polstr;

32 if (!file_util::ReadFileToString(policy_path_, &polstr) \|\| polstr.empty()) {	41 if (!file_util::ReadFileToString(policy_path_, &polstr) \|\| polstr.empty()) {

33 PLOG(ERROR) << "Could not read policy off disk";	42 PLOG(ERROR) << "Could not read policy off disk";

34 return false;	43 return false;

35 }	44 }

36 if (!policy_.ParseFromString(polstr)) {	45 if (!policy_.ParseFromString(polstr)) {

37 LOG(ERROR) << "Policy on disk could not be parsed!";	46 LOG(ERROR) << "Policy on disk could not be parsed!";

38 return false;	47 return false;

39 }	48 }

40 return true;	49 return true;

41 }	50 }

42	51

43 bool DevicePolicy::Get(std::string* output) const {	52 const enterprise_management::PolicyFetchResponse& DevicePolicy::Get() const {

44 return policy_.SerializeToString(output);	53 return policy_;

45 }	54 }

46	55

47 bool DevicePolicy::Persist() {	56 bool DevicePolicy::Persist() {

48 SystemUtils utils;	57 SystemUtils utils;

49 std::string polstr;	58 std::string polstr;

50 if (!policy_.SerializeToString(&polstr)) {	59 if (!policy_.SerializeToString(&polstr)) {

51 LOG(ERROR) << "Could not be serialize policy!";	60 LOG(ERROR) << "Could not be serialize policy!";

52 return false;	61 return false;

53 }	62 }

54 return utils.AtomicFileWrite(policy_path_, polstr.c_str(), polstr.length());	63 return utils.AtomicFileWrite(policy_path_, polstr.c_str(), polstr.length());

55 }	64 }

56	65

	66 bool DevicePolicy::SerializeToString(std::string* output) const {

	67 return policy_.SerializeToString(output);

	68 }

	69

57 void DevicePolicy::Set(	70 void DevicePolicy::Set(

58 const enterprise_management::PolicyFetchResponse& policy) {	71 const enterprise_management::PolicyFetchResponse& policy) {

59 policy_.Clear();	72 policy_.Clear();

60 // This can only fail if \|policy\| and \|policy_\| are different types.	73 // This can only fail if \|policy\| and \|policy_\| are different types.

61 policy_.CheckTypeAndMergeFrom(policy);	74 policy_.CheckTypeAndMergeFrom(policy);

62 }	75 }

63	76

	77 bool DevicePolicy::StoreOwnerProperties(OwnerKey* key,

	78 const std::string& current_user,

	79 GError** error) {

	80 em::PolicyData poldata;

	81 if (policy_.has_policy_data())

	82 poldata.ParseFromString(policy_.policy_data());

	83 em::ChromeDeviceSettingsProto polval;

	84 if (poldata.has_policy_type() &&

	85 poldata.policy_type() == kDevicePolicyType) {

	86 if (poldata.has_policy_value())

	87 polval.ParseFromString(poldata.policy_value());

	88 } else {

	89 poldata.set_policy_type(kDevicePolicyType);

	90 }

	91 // If there existed some device policy, we've got it now!

	92 // Updtae the UserWhitelistProto inside the ChromeDeviceSettingsProto we made.
	gauravsh 2011/04/08 04:58:49 Update Update Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > Update Done.
	93 em::UserWhitelistProto* whitelist_proto = polval.mutable_user_whitelist();

	94 bool on_whitelist = false;

	95 const RepeatedPtrField<string>& whitelist = whitelist_proto->user_whitelist();

	96 for (RepeatedPtrField<string>::const_iterator it = whitelist.begin();

	97 it != whitelist.end();

	98 ++it) {

	99 on_whitelist = (current_user == *it);
	gauravsh 2011/04/08 04:58:49 you should break here if on_whitelist gets set to you should break here if on_whitelist gets set to true. Otherwise os_whitelist is always set to the last comparison. Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > you should break here if on_whitelist gets set to true. Otherwise os_whitelist > is always set to the last comparison. Done.
	100 }

	101 if (!on_whitelist)

	102 whitelist_proto->add_user_whitelist(current_user);

	103 bool current_user_is_owner = true;

	104

	105 if (current_user_is_owner && on_whitelist)
	gauravsh 2011/04/08 04:58:49 you set current_user_is_owner in the line above? i you set current_user_is_owner in the line above? is that temporary? If so, add a todo. Otherwise, explain yourself. Chris Masone 2011/04/08 05:57:41 TODO added Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > you set current_user_is_owner in the line above? is that temporary? If so, add a > todo. Otherwise, explain yourself. TODO added
	106 return TRUE; // No changes are needed.
	gauravsh 2011/04/08 04:58:49 holy capslock batman! true? (After going through holy capslock batman! true? (After going through the other files in the CL, you seem to use TRUE/FALSE usually. However, in this file, there are some places you use true/false, and TRUE/FALSE elsewhere. Change to be consistent.) Chris Masone 2011/04/08 05:57:41 TRUE/FALSE are the gboolean values. I usually use Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > holy capslock batman! true? > > (After going through the other files in the CL, you seem to use TRUE/FALSE > usually. However, in this file, there are some places you use true/false, and > TRUE/FALSE elsewhere. Change to be consistent.) TRUE/FALSE are the gboolean values. I usually use true/false where I need a bool, but this originally returned a gboolean. I've changed to use true/false now, to match the function prototype.
	107

	108 // \|polval\| now has what we want in it. We need to put it into
	gauravsh 2011/04/08 04:58:49 Confusing comment. \|polval\| was set much further a Confusing comment. \|polval\| was set much further above on line 87. This comment implies that it happened just now. Maybe get rid of 'now'? Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > Confusing comment. \|polval\| was set much further above on line 87. This comment > implies that it happened just now. Maybe get rid of 'now'? Done.
	109 // \|poldata\|, serialize that, sign it, and put both into \|policy_\|.

	110 poldata.set_policy_value(polval.SerializeAsString());

	111 std::string new_data = poldata.SerializeAsString();

	112 std::vector<uint8> sig;

	113 const uint8* data = reinterpret_cast<const uint8*>(new_data.c_str());

	114 if (!key->Sign(data, new_data.length(), &sig)) {
	gauravsh 2011/04/08 04:58:49 should you NULL-check key? should you NULL-check key? Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > should you NULL-check key? Done.
	115 SystemUtils utils;

	116 const char err_msg[] = "Could not sign policy containing new owner data.";

	117 LOG_IF(ERROR, error) << err_msg;

	118 LOG_IF(WARNING, !error) << err_msg;

	119 utils.SetGError(error, CHROMEOS_LOGIN_ERROR_ILLEGAL_PUBKEY, err_msg);
	gauravsh 2011/04/08 04:58:49 so a NULL \|error\| will be handled correctly by Set so a NULL \|error\| will be handled correctly by SetGError? Chris Masone 2011/04/08 05:57:41 by g_set_error inside SetGError, actually. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > so a NULL \|error\| will be handled correctly by SetGError? by g_set_error inside SetGError, actually.
	120 return FALSE;
	gauravsh 2011/04/08 04:58:49 false? false? Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > false? Done.
	121 }

	122

	123 em::PolicyFetchResponse new_policy;

	124 new_policy.CheckTypeAndMergeFrom(policy_);

	125 new_policy.set_policy_data(new_data);

	126 new_policy.set_policy_data_signature(

	127 std::string(reinterpret_cast<const char*>(&sig[0]), sig.size()));

	128 Set(new_policy);

	129 return TRUE;
	gauravsh 2011/04/08 04:58:49 true? true? Chris Masone 2011/04/08 05:57:41 Done. Show quoted text On 2011/04/08 04:58:49, gauravsh wrote: > true? Done.
	130 }

	131

64 } // namespace login_manager	132 } // namespace login_manager

OLD	NEW

« device_policy.h ('K') | « device_policy.h ('k') | device_policy_unittest.cc » ('j') | device_policy_unittest.cc » ('J')