author | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-23 17:01:32 +0000 |
committer | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-02-23 17:01:32 +0000 |
commit | 7b72492425d945770afab5dc5c6fabae0ed24596 (patch) | |
tree | c6311a2db2a4df3e523c3f80574c7e6c92e5ab77 | |
parent | d639fba7ac46b1ed3677a6d088c248d4d4380f03 (diff) | |
Extend the CloudPolicyValidator to support ExternalPolicyData.
The CloudPolicyValidator verifies that policy downloaded from the cloud server
is valid and checks its signature. This CL specializes the template to parse
ExternalPolicyData protobufs, which are used for extensions policy.
NOTE: This is a reland of http://crrev.com/184157 without modifications; it was reverted
because DeviceLocalAccountTest.PolicyDownload failed, but that test is flaky
and fails for unrelated reasons (http://crbug.com/177880).
BUG=163318
TBR=mnissler@chromium.org
Review URL: https://chromiumcodereview.appspot.com/12320079
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@184321 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | chrome/app/generated_resources.grd | 3 | ||||
-rw-r--r-- | chrome/browser/policy/cloud_policy_validator.cc | 21 | ||||
-rw-r--r-- | chrome/browser/policy/cloud_policy_validator.h | 17 | ||||
-rw-r--r-- | chrome/browser/policy/message_util.cc | 2 |
4 files changed, 40 insertions, 3 deletions
diff --git a/chrome/app/generated_resources.grd b/chrome/app/generated_resources.grd
index 41d704a..f0b2891 100644
--- a/chrome/app/generated_resources.grd
+++ b/chrome/app/generated_resources.grd
@@ -5892,6 +5892,9 @@ Keep your key file in a safe place. You will need it to create new versions of y
 <message name="IDS_POLICY_VALIDATION_WRONG_POLICY_TYPE" desc="Message indicating the policy did not have the expected type.">
 Wrong policy type
 </message>
+ <message name="IDS_POLICY_VALIDATION_WRONG_SETTINGS_ENTITY_ID" desc="Message indicating the policy did not have the expected entity identifier.">
+ Wrong entity identifier
+ </message>
 <message name="IDS_POLICY_VALIDATION_BAD_TIMESTAMP" desc="Message indicating the policy timestamp is bad.">
 Bad policy timestamp
 </message>
diff --git a/chrome/browser/policy/cloud_policy_validator.cc b/chrome/browser/policy/cloud_policy_validator.cc
index d16f3cd..6cedc2e 100644
--- a/chrome/browser/policy/cloud_policy_validator.cc
+++ b/chrome/browser/policy/cloud_policy_validator.cc
@@ -10,6 +10,7 @@
 #include "base/stl_util.h"
 #include "chrome/browser/policy/cloud_policy_constants.h"
 #include "chrome/browser/policy/proto/chrome_device_policy.pb.h"
+#include "chrome/browser/policy/proto/chrome_extension_policy.pb.h"
 #include "chrome/browser/policy/proto/cloud_policy.pb.h"
 #include "chrome/browser/policy/proto/device_management_backend.pb.h"
 #include "content/public/browser/browser_thread.h"
@@ -76,6 +77,12 @@ void CloudPolicyValidatorBase::ValidatePolicyType(
 policy_type_ = policy_type;
 }
 
+void CloudPolicyValidatorBase::ValidateSettingsEntityId(
+ const std::string& settings_entity_id) {
+ validation_flags_ |= VALIDATE_ENTITY_ID;
+ settings_entity_id_ = settings_entity_id;
+}
+
 void CloudPolicyValidatorBase::ValidatePayload() {
 validation_flags_ |= VALIDATE_PAYLOAD;
 }
@@ -178,6 +185,7 @@ void CloudPolicyValidatorBase::RunChecks() {
 { VALIDATE_SIGNATURE, &CloudPolicyValidatorBase::CheckSignature },
 { VALIDATE_INITIAL_KEY, &CloudPolicyValidatorBase::CheckInitialKey },
 { VALIDATE_POLICY_TYPE, &CloudPolicyValidatorBase::CheckPolicyType },
+ { VALIDATE_ENTITY_ID, &CloudPolicyValidatorBase::CheckEntityId },
 { VALIDATE_TOKEN, &CloudPolicyValidatorBase::CheckToken },
 { VALIDATE_USERNAME, &CloudPolicyValidatorBase::CheckUsername },
 { VALIDATE_DOMAIN, &CloudPolicyValidatorBase::CheckDomain },
@@ -238,6 +246,18 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckPolicyType() {
 return VALIDATION_OK;
 }
 
+CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckEntityId() {
+ if (!policy_data_->has_settings_entity_id() ||
+ policy_data_->settings_entity_id() != settings_entity_id_) {
+ LOG(ERROR) << "Wrong settings_entity_id "
+ << policy_data_->settings_entity_id() << ", expected "
+ << settings_entity_id_;
+ return VALIDATION_WRONG_SETTINGS_ENTITY_ID;
+ }
+
+ return VALIDATION_OK;
+}
+
 CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {
 if (!policy_data_->has_timestamp()) {
 if (timestamp_option_ == TIMESTAMP_NOT_REQUIRED) {
@@ -375,5 +395,6 @@ void CloudPolicyValidator<PayloadProto>::StartValidation(
 
 template class CloudPolicyValidator<em::ChromeDeviceSettingsProto>;
 template class CloudPolicyValidator<em::CloudPolicySettings>;
+template class CloudPolicyValidator<em::ExternalPolicyData>;
 
 } // namespace policy
diff --git a/chrome/browser/policy/cloud_policy_validator.h b/chrome/browser/policy/cloud_policy_validator.h
index 3daf4d7..6aeb4f1 100644
--- a/chrome/browser/policy/cloud_policy_validator.h
+++ b/chrome/browser/policy/cloud_policy_validator.h
@@ -27,6 +27,7 @@ class MessageLite;
 namespace enterprise_management {
 class ChromeDeviceSettingsProto;
 class CloudPolicySettings;
+class ExternalPolicyData;
 class PolicyData;
 class PolicyFetchResponse;
 }
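Review bot: CheckEntityId in the `@@ -238,6 +246,18 @@` hunk only runs when VALIDATE_ENTITY_ID has been set through ValidateSettingsEntityId, so a CloudPolicyValidator<em::ExternalPolicyData> whose caller omits that call accepts a response regardless of which entity it was issued for; presumably the entity id is what ties an ExternalPolicyData response to a particular extension, so this opt-in ought to be stated where the check is defined. Add above the definition: `// Rejects a response whose settings_entity_id is absent or differs from the value passed to ValidateSettingsEntityId(); only runs when VALIDATE_ENTITY_ID is set, so callers validating ExternalPolicyData must opt in.` As a point of style, the LOG line prints `policy_data_->settings_entity_id()` even on the has_settings_entity_id() false branch, which most likely yields an empty string and a message reading "Wrong settings_entity_id , expected X"; logging the missing case separately would make the failure reason unambiguous.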
@@ -52,6 +53,8 @@ class CloudPolicyValidatorBase {
 VALIDATION_PAYLOAD_PARSE_ERROR,
 // Unexpected policy type.
 VALIDATION_WRONG_POLICY_TYPE,
+ // Unexpected settings entity id.
+ VALIDATION_WRONG_SETTINGS_ENTITY_ID,
 // Time stamp from the future.
 VALIDATION_BAD_TIMESTAMP,
 // Token doesn't match.
@@ -118,6 +121,9 @@ class CloudPolicyValidatorBase {
 // Validates the policy type.
 void ValidatePolicyType(const std::string& policy_type);
 
+ // Validates the settings_entity_id value.
+ void ValidateSettingsEntityId(const std::string& settings_entity_id);
+
 // Validates that the payload can be decoded successfully.
 void ValidatePayload();
 
@@ -170,9 +176,10 @@ class CloudPolicyValidatorBase {
 VALIDATE_DOMAIN = 1 << 2,
 VALIDATE_TOKEN = 1 << 3,
 VALIDATE_POLICY_TYPE = 1 << 4,
- VALIDATE_PAYLOAD = 1 << 5,
- VALIDATE_SIGNATURE = 1 << 6,
- VALIDATE_INITIAL_KEY = 1 << 7,
+ VALIDATE_ENTITY_ID = 1 << 5,
+ VALIDATE_PAYLOAD = 1 << 6,
+ VALIDATE_SIGNATURE = 1 << 7,
+ VALIDATE_INITIAL_KEY = 1 << 8,
 };
 
 // Reports completion to the |completion_callback_|.
@@ -188,6 +195,7 @@ class CloudPolicyValidatorBase {
 Status CheckDomain();
 Status CheckToken();
 Status CheckPolicyType();
+ Status CheckEntityId();
 Status CheckPayload();
 Status CheckSignature();
 Status CheckInitialKey();
@@ -211,6 +219,7 @@ class CloudPolicyValidatorBase {
 std::string domain_;
 std::string token_;
 std::string policy_type_;
+ std::string settings_entity_id_;
 std::string key_;
 bool allow_key_rotation_;
 
@@ -255,6 +264,8 @@ typedef CloudPolicyValidator<enterprise_management::ChromeDeviceSettingsProto>
 DeviceCloudPolicyValidator;
 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings>
 UserCloudPolicyValidator;
+typedef CloudPolicyValidator<enterprise_management::ExternalPolicyData>
+ ComponentCloudPolicyValidator;
 
 } // namespace policy
 
diff --git a/chrome/browser/policy/message_util.cc b/chrome/browser/policy/message_util.cc
index e4ca37a..66e46ae 100644
--- a/chrome/browser/policy/message_util.cc
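Review bot: Inserting VALIDATION_WRONG_SETTINGS_ENTITY_ID in the middle of the Status enum (hunk `@@ -52,6 +53,8 @@`) renumbers VALIDATION_BAD_TIMESTAMP and every later enumerator; that is harmless while Status is only consumed in-process, but if any of these values is recorded in a histogram or persisted anywhere (not visible in this diff), existing data would be reinterpreted, so either confirm that or append the new value at the end. The flag renumbering in `@@ -170,9 +176,10 @@` (VALIDATE_PAYLOAD, VALIDATE_SIGNATURE and VALIDATE_INITIAL_KEY move up one bit) raises the same question for validation_flags_, though a private bitmask is unlikely to be serialized. The comment added in `@@ -118,6 +121,9 @@` says only that the method "validates the settings_entity_id value"; make it state the contract: `// Requires the policy's settings_entity_id field to be present and equal to |settings_entity_id|; the check fails with VALIDATION_WRONG_SETTINGS_ENTITY_ID otherwise.`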
+++ b/chrome/browser/policy/message_util.cc
@@ -59,6 +59,8 @@ int GetIDSForValidationStatus(CloudPolicyValidatorBase::Status status) {
 return IDS_POLICY_VALIDATION_PAYLOAD_PARSE_ERROR;
 case CloudPolicyValidatorBase::VALIDATION_WRONG_POLICY_TYPE:
 return IDS_POLICY_VALIDATION_WRONG_POLICY_TYPE;
+ case CloudPolicyValidatorBase::VALIDATION_WRONG_SETTINGS_ENTITY_ID:
+ return IDS_POLICY_VALIDATION_WRONG_SETTINGS_ENTITY_ID;
 case CloudPolicyValidatorBase::VALIDATION_BAD_TIMESTAMP:
 return IDS_POLICY_VALIDATION_BAD_TIMESTAMP;
 case CloudPolicyValidatorBase::VALIDATION_WRONG_TOKEN: