diff options
author | xhwang <xhwang@chromium.org> | 2015-03-30 21:17:21 -0700 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-03-31 04:17:56 +0000 |
commit | f94f269e9cce7ea603f49c2a3e11e6a3e386d4fa (patch) | |
tree | 5b942f5e2ec4b660270573ee9434ed32ce0b03f6 | |
parent | 9e2b282e1a448ad6b3f4f3717efa5d7b376d106b (diff) | |
download | chromium_src-f94f269e9cce7ea603f49c2a3e11e6a3e386d4fa.zip chromium_src-f94f269e9cce7ea603f49c2a3e11e6a3e386d4fa.tar.gz chromium_src-f94f269e9cce7ea603f49c2a3e11e6a3e386d4fa.tar.bz2 |
media: Disable platform verification in dev mode.
Platform verification is disabled in dev mode unless overridden by the flag
--allow-ra-in-dev-mode.
BUG=314782
TEST=Manually tested in dev mode.
Review URL: https://codereview.chromium.org/1046963003
Cr-Commit-Position: refs/heads/master@{#322975}
6 files changed, 42 insertions, 19 deletions
diff --git a/chrome/browser/chromeos/attestation/platform_verification_flow.cc b/chrome/browser/chromeos/attestation/platform_verification_flow.cc index a1db8b0..cb15208 100644 --- a/chrome/browser/chromeos/attestation/platform_verification_flow.cc +++ b/chrome/browser/chromeos/attestation/platform_verification_flow.cc @@ -18,6 +18,7 @@ #include "chrome/browser/media/protected_media_identifier_permission_context_factory.h" #include "chrome/browser/profiles/profile.h" #include "chromeos/attestation/attestation_flow.h" +#include "chromeos/chromeos_switches.h" #include "chromeos/cryptohome/async_method_caller.h" #include "chromeos/dbus/cryptohome_client.h" #include "chromeos/dbus/dbus_thread_manager.h" @@ -107,10 +108,15 @@ class DefaultDelegate : public PlatformVerificationFlow::Delegate { return content_setting == CONTENT_SETTING_ALLOW; } - bool IsGuestOrIncognito(content::WebContents* web_contents) override { + bool IsInSupportedMode(content::WebContents* web_contents) override { Profile* profile = Profile::FromBrowserContext(web_contents->GetBrowserContext()); - return (profile->IsOffTheRecord() || profile->IsGuestSession()); + if (profile->IsOffTheRecord() || profile->IsGuestSession()) + return false; + + base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); + return !command_line->HasSwitch(chromeos::switches::kSystemDevMode) || + command_line->HasSwitch(chromeos::switches::kAllowRAInDevMode); } private: @@ -188,13 +194,11 @@ void PlatformVerificationFlow::ChallengePlatformKey( return; } - // A platform key must be bound to a user. They are not allowed in incognito - // or guest mode. // TODO(xhwang): Change to DCHECK when prefixed EME support is removed. // See http://crbug.com/249976 - if (delegate_->IsGuestOrIncognito(web_contents)) { - VLOG(1) << "Platform verification denied because the current session is " - << "guest or incognito."; + if (!delegate_->IsInSupportedMode(web_contents)) { + VLOG(1) << "Platform verification denied because it's not supported in the " + << "current mode."; ReportError(callback, PLATFORM_NOT_VERIFIED); return; } diff --git a/chrome/browser/chromeos/attestation/platform_verification_flow.h b/chrome/browser/chromeos/attestation/platform_verification_flow.h index d60f5ad..eaa6abb 100644 --- a/chrome/browser/chromeos/attestation/platform_verification_flow.h +++ b/chrome/browser/chromeos/attestation/platform_verification_flow.h @@ -85,8 +85,11 @@ class PlatformVerificationFlow // Checks whether attestation is permitted by user. virtual bool IsPermittedByUser(content::WebContents* web_contents) = 0; - // Returns true iff |web_contents| belongs to a guest or incognito session. - virtual bool IsGuestOrIncognito(content::WebContents* web_contents) = 0; + // Returns true iff the device is in a mode that supports platform + // verification. For example, platform verification is not supported in + // guest or incognito mode. It is also not supported in dev mode unless + // overridden by a flag. + virtual bool IsInSupportedMode(content::WebContents* web_contents) = 0; }; // This callback will be called when a challenge operation completes. If diff --git a/chrome/browser/chromeos/attestation/platform_verification_flow_unittest.cc b/chrome/browser/chromeos/attestation/platform_verification_flow_unittest.cc index fb5ac95..a3101e5 100644 --- a/chrome/browser/chromeos/attestation/platform_verification_flow_unittest.cc +++ b/chrome/browser/chromeos/attestation/platform_verification_flow_unittest.cc @@ -47,7 +47,9 @@ const char kTestURL[] = "http://mytestdomain/test"; class FakeDelegate : public PlatformVerificationFlow::Delegate { public: FakeDelegate() - : url_(kTestURL), is_permitted_by_user_(true), is_incognito_(false) { + : url_(kTestURL), + is_permitted_by_user_(true), + is_in_supported_mode_(true) { // Configure a user for the mock user manager. mock_user_manager_.SetActiveUser(kTestEmail); } @@ -65,8 +67,8 @@ class FakeDelegate : public PlatformVerificationFlow::Delegate { return is_permitted_by_user_; } - bool IsGuestOrIncognito(content::WebContents* web_contents) override { - return is_incognito_; + bool IsInSupportedMode(content::WebContents* web_contents) override { + return is_in_supported_mode_; } void set_url(const GURL& url) { @@ -77,15 +79,15 @@ class FakeDelegate : public PlatformVerificationFlow::Delegate { is_permitted_by_user_ = is_permitted_by_user; } - void set_is_incognito(bool is_incognito) { - is_incognito_ = is_incognito; + void set_is_in_supported_mode(bool is_in_supported_mode) { + is_in_supported_mode_ = is_in_supported_mode; } private: MockUserManager mock_user_manager_; GURL url_; bool is_permitted_by_user_; - bool is_incognito_; + bool is_in_supported_mode_; DISALLOW_COPY_AND_ASSIGN(FakeDelegate); }; @@ -328,8 +330,8 @@ TEST_F(PlatformVerificationFlowTest, ExpiredCert) { EXPECT_EQ(certificate_, fake_certificate_list_[1]); } -TEST_F(PlatformVerificationFlowTest, IncognitoMode) { - fake_delegate_.set_is_incognito(true); +TEST_F(PlatformVerificationFlowTest, UnsupportedMode) { + fake_delegate_.set_is_in_supported_mode(false); verifier_->ChallengePlatformKey(NULL, kTestID, kTestChallenge, callback_); base::RunLoop().RunUntilIdle(); EXPECT_EQ(PlatformVerificationFlow::PLATFORM_NOT_VERIFIED, result_); diff --git a/chrome/browser/media/protected_media_identifier_permission_context.cc b/chrome/browser/media/protected_media_identifier_permission_context.cc index abdd046..47b1b861 100644 --- a/chrome/browser/media/protected_media_identifier_permission_context.cc +++ b/chrome/browser/media/protected_media_identifier_permission_context.cc @@ -4,6 +4,7 @@ #include "chrome/browser/media/protected_media_identifier_permission_context.h" +#include "base/command_line.h" #include "base/prefs/pref_service.h" #include "chrome/browser/content_settings/tab_specific_content_settings.h" #include "chrome/browser/profiles/profile.h" @@ -12,18 +13,17 @@ #include "content/public/browser/browser_thread.h" #include "content/public/browser/user_metrics.h" #include "content/public/browser/web_contents.h" - #if defined(OS_CHROMEOS) #include <utility> #include "chrome/browser/chromeos/attestation/platform_verification_dialog.h" #include "chrome/browser/chromeos/settings/cros_settings.h" +#include "chromeos/chromeos_switches.h" #include "chromeos/settings/cros_settings_names.h" #include "components/pref_registry/pref_registry_syncable.h" #include "components/user_prefs/user_prefs.h" #include "ui/views/widget/widget.h" #elif defined(OS_ANDROID) -#include "base/command_line.h" #include "media/base/media_switches.h" #else #error This file currently only supports Chrome OS and Android. @@ -203,6 +203,13 @@ bool ProtectedMediaIdentifierPermissionContext:: return false; } + base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); + if (command_line->HasSwitch(chromeos::switches::kSystemDevMode) && + !command_line->HasSwitch(chromeos::switches::kAllowRAInDevMode)) { + DVLOG(1) << "Protected media identifier disabled in dev mode."; + return false; + } + // This could be disabled by the device policy or by user's master switch. bool enabled_for_device = false; if (!chromeos::CrosSettings::Get()->GetBoolean( diff --git a/chromeos/chromeos_switches.cc b/chromeos/chromeos_switches.cc index 4c7ea09..6d20a95 100644 --- a/chromeos/chromeos_switches.cc +++ b/chromeos/chromeos_switches.cc @@ -13,6 +13,12 @@ namespace chromeos { namespace switches { +// Allows remote attestation (RA) in dev mode for testing purpose. Usually RA +// is disabled in dev mode because it will always fail. However, there are cases +// in testing where we do want to go through the permission flow even in dev +// mode. This can be enabled by this flag. +const char kAllowRAInDevMode[] = "allow-ra-in-dev-mode"; + // Path for app's OEM manifest file. const char kAppOemManifestFile[] = "app-mode-oem-manifest"; diff --git a/chromeos/chromeos_switches.h b/chromeos/chromeos_switches.h index 1c21f0c..fb3d47a 100644 --- a/chromeos/chromeos_switches.h +++ b/chromeos/chromeos_switches.h @@ -21,6 +21,7 @@ namespace switches { // see chromeos::LoginUtil::GetOffTheRecordCommandLine().) // Please keep alphabetized. +CHROMEOS_EXPORT extern const char kAllowRAInDevMode[]; CHROMEOS_EXPORT extern const char kAppOemManifestFile[]; CHROMEOS_EXPORT extern const char kArtifactsDir[]; CHROMEOS_EXPORT extern const char kAshWebUIInit[]; |