| Index: device_policy.cc
|
| diff --git a/device_policy.cc b/device_policy.cc
|
| index bb9840085096b6bfa1c692d7a6ab5c6419fd04bf..4b8f59e202bd58aeec3d88afe42733aa85265101 100644
|
| --- a/device_policy.cc
|
| +++ b/device_policy.cc
|
| @@ -11,12 +11,21 @@
|
| #include <base/file_util.h>
|
| #include <base/logging.h>
|
|
|
| +#include "login_manager/bindings/chrome_device_policy.pb.h"
|
| #include "login_manager/bindings/device_management_backend.pb.h"
|
| +#include "login_manager/owner_key.h"
|
| #include "login_manager/system_utils.h"
|
|
|
| +namespace em = enterprise_management;
|
| +
|
| namespace login_manager {
|
| +using google::protobuf::RepeatedPtrField;
|
| +using std::string;
|
| +
|
| // static
|
| const char DevicePolicy::kDefaultPath[] = "/var/lib/whitelist/policy";
|
| +// static
|
| +const char DevicePolicy::kDevicePolicyType[] = "google/chromeos/device";
|
|
|
| DevicePolicy::DevicePolicy(const FilePath& policy_path)
|
| : policy_path_(policy_path) {
|
| @@ -40,8 +49,8 @@ bool DevicePolicy::LoadOrCreate() {
|
| return true;
|
| }
|
|
|
| -bool DevicePolicy::Get(std::string* output) const {
|
| - return policy_.SerializeToString(output);
|
| +const enterprise_management::PolicyFetchResponse& DevicePolicy::Get() const {
|
| + return policy_;
|
| }
|
|
|
| bool DevicePolicy::Persist() {
|
| @@ -54,6 +63,10 @@ bool DevicePolicy::Persist() {
|
| return utils.AtomicFileWrite(policy_path_, polstr.c_str(), polstr.length());
|
| }
|
|
|
| +bool DevicePolicy::SerializeToString(std::string* output) const {
|
| + return policy_.SerializeToString(output);
|
| +}
|
| +
|
| void DevicePolicy::Set(
|
| const enterprise_management::PolicyFetchResponse& policy) {
|
| policy_.Clear();
|
| @@ -61,4 +74,62 @@ void DevicePolicy::Set(
|
| policy_.CheckTypeAndMergeFrom(policy);
|
| }
|
|
|
| +bool DevicePolicy::StoreOwnerProperties(OwnerKey* key,
|
| + const std::string& current_user,
|
| + GError** error) {
|
| + em::PolicyData poldata;
|
| + if (policy_.has_policy_data())
|
| + poldata.ParseFromString(policy_.policy_data());
|
| + em::ChromeDeviceSettingsProto polval;
|
| + if (poldata.has_policy_type() &&
|
| + poldata.policy_type() == kDevicePolicyType) {
|
| + if (poldata.has_policy_value())
|
| + polval.ParseFromString(poldata.policy_value());
|
| + } else {
|
| + poldata.set_policy_type(kDevicePolicyType);
|
| + }
|
| + // If there existed some device policy, we've got it now!
|
| + // Update the UserWhitelistProto inside the ChromeDeviceSettingsProto we made.
|
| + em::UserWhitelistProto* whitelist_proto = polval.mutable_user_whitelist();
|
| + bool on_whitelist = false;
|
| + const RepeatedPtrField<string>& whitelist = whitelist_proto->user_whitelist();
|
| + for (RepeatedPtrField<string>::const_iterator it = whitelist.begin();
|
| + it != whitelist.end();
|
| + ++it) {
|
| + if (on_whitelist = (current_user == *it))
|
| + break;
|
| + }
|
| + if (!on_whitelist)
|
| + whitelist_proto->add_user_whitelist(current_user);
|
| + bool current_user_is_owner = true;
|
| + // TODO(cmasone): once ChromeDeviceSettingsProto contains an owner name field
|
| + // check that against |current_user| here.
|
| + if (current_user_is_owner && on_whitelist)
|
| + return true; // No changes are needed.
|
| +
|
| + // We have now updated the whitelist and owner setting in |polval|.
|
| + // We need to put it into |poldata|, serialize that, sign it, and
|
| + // put both into |policy_|.
|
| + poldata.set_policy_value(polval.SerializeAsString());
|
| + std::string new_data = poldata.SerializeAsString();
|
| + std::vector<uint8> sig;
|
| + const uint8* data = reinterpret_cast<const uint8*>(new_data.c_str());
|
| + if (!key || !key->Sign(data, new_data.length(), &sig)) {
|
| + SystemUtils utils;
|
| + const char err_msg[] = "Could not sign policy containing new owner data.";
|
| + LOG_IF(ERROR, error) << err_msg;
|
| + LOG_IF(WARNING, !error) << err_msg;
|
| + utils.SetGError(error, CHROMEOS_LOGIN_ERROR_ILLEGAL_PUBKEY, err_msg);
|
| + return false;
|
| + }
|
| +
|
| + em::PolicyFetchResponse new_policy;
|
| + new_policy.CheckTypeAndMergeFrom(policy_);
|
| + new_policy.set_policy_data(new_data);
|
| + new_policy.set_policy_data_signature(
|
| + std::string(reinterpret_cast<const char*>(&sig[0]), sig.size()));
|
| + Set(new_policy);
|
| + return true;
|
| +}
|
| +
|
| } // namespace login_manager
|
|
|
Chromium Code Reviews
Issue 6815021:
[login_manager] Code to add the owner to the whitelist in a device policy (Closed)
Base URL: http://git.chromium.org/git/login_manager.git@master