authormnissler@chromium.org <mnissler@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-18 11:09:07 +0000
committermnissler@chromium.org <mnissler@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-04-18 11:09:07 +0000
commit6c900e518112ed63338250707510bc5a87a476d4 (patch)
treefdc2464b229cbdd15fcda1d479925d45fdda615a /chrome/browser/policy/device_policy_cache.cc
parent0ea4fc7dcb594a37ecc7cb9810438d8c695ac67d (diff)
Add immutable settings checks when handling policy.
When receiving device policy from the server, make sure that the device is an enterprise device and the policy information is meant for the user who registered the device. While at it, move all the enterprise-related install attributes checking to a helper. BUG=chromium-os:14197 TEST=unit tests Review URL: http://codereview.chromium.org/6869042 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@81932 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/policy/device_policy_cache.cc')
-rw-r--r--chrome/browser/policy/device_policy_cache.cc34
1 files changed, 33 insertions, 1 deletions
diff --git a/chrome/browser/policy/device_policy_cache.cc b/chrome/browser/policy/device_policy_cache.cc
index 6ab2e33..57456fb 100644
--- a/chrome/browser/policy/device_policy_cache.cc
+++ b/chrome/browser/policy/device_policy_cache.cc
@@ -15,6 +15,7 @@
#include "chrome/browser/chromeos/user_cros_settings_provider.h"
#include "chrome/browser/policy/configuration_policy_pref_store.h"
#include "chrome/browser/policy/device_policy_identity_strategy.h"
+#include "chrome/browser/policy/enterprise_install_attributes.h"
#include "chrome/browser/policy/policy_map.h"
#include "chrome/browser/policy/proto/device_management_backend.pb.h"
#include "chrome/browser/policy/proto/device_management_constants.h"
@@ -109,8 +110,10 @@ Value* DecodeIntegerValue(google::protobuf::int64 value) {
namespace policy {
DevicePolicyCache::DevicePolicyCache(
- DevicePolicyIdentityStrategy* identity_strategy)
+ DevicePolicyIdentityStrategy* identity_strategy,
+ EnterpriseInstallAttributes* install_attributes)
: identity_strategy_(identity_strategy),
+ install_attributes_(install_attributes),
signed_settings_helper_(chromeos::SignedSettingsHelper::Get()),
starting_up_(true),
ALLOW_THIS_IN_INITIALIZER_LIST(callback_factory_(this)) {
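Review bot: The new `install_attributes` argument is stored as a raw pointer without any check, and the SetPolicy hunk later in this patch dereferences `install_attributes_` unconditionally on the policy-acceptance path. A null pointer would therefore crash before any enterprise check runs, so I would add `DCHECK(install_attributes_);` at the top of the constructor body. The same applies to the second constructor in the hunk at -118. The header should also state that the cache does not own the pointer and that it must outlive the cache, if that is the intended contract, which the patch does not show. The constructor body continues outside this hunk.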
@@ -118,8 +121,10 @@ DevicePolicyCache::DevicePolicyCache(
DevicePolicyCache::DevicePolicyCache(
DevicePolicyIdentityStrategy* identity_strategy,
+ EnterpriseInstallAttributes* install_attributes,
chromeos::SignedSettingsHelper* signed_settings_helper)
: identity_strategy_(identity_strategy),
+ install_attributes_(install_attributes),
signed_settings_helper_(signed_settings_helper),
starting_up_(true),
ALLOW_THIS_IN_INITIALIZER_LIST(callback_factory_(this)) {
@@ -135,6 +140,33 @@ void DevicePolicyCache::Load() {
void DevicePolicyCache::SetPolicy(const em::PolicyFetchResponse& policy) {
DCHECK(!starting_up_);
+
+ // Make sure we have an enterprise device.
+ std::string registration_user(install_attributes_->GetRegistrationUser());
+ if (registration_user.empty()) {
+ LOG(WARNING) << "Refusing to accept policy on non-enterprise device.";
+ InformNotifier(CloudPolicySubsystem::LOCAL_ERROR,
+ CloudPolicySubsystem::POLICY_LOCAL_ERROR);
+ return;
+ }
+
+ // Check the user this policy is for against the device-locked name.
+ em::PolicyData policy_data;
+ if (!policy_data.ParseFromString(policy.policy_data())) {
+ LOG(WARNING) << "Invalid policy protobuf";
+ InformNotifier(CloudPolicySubsystem::LOCAL_ERROR,
+ CloudPolicySubsystem::POLICY_LOCAL_ERROR);
+ return;
+ }
+
+ if (registration_user != policy_data.username()) {
+ LOG(WARNING) << "Refusing policy blob for " << policy_data.username()
+ << " which doesn't match " << registration_user;
+ InformNotifier(CloudPolicySubsystem::LOCAL_ERROR,
+ CloudPolicySubsystem::POLICY_LOCAL_ERROR);
+ return;
+ }
+
set_last_policy_refresh_time(base::Time::NowFromSystemTime());
// Start a store operation.
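Review bot: The username comparison reads `policy_data` parsed directly from the fetch response, and nothing in this hunk shows the blob's signature being verified before these checks. If verification only happens in the store operation that follows, say so in a comment such as `// policy_data is not signature-verified yet; the store operation below must verify the same bytes.`, so nobody later treats this check as authenticated. An unset `username` field fails closed only because `registration_user` is already known to be non-empty, which deserves a one-line comment next to the comparison. The mismatch warning also writes the server-supplied username and the registration user into the log; consider `LOG(WARNING) << "Refusing policy blob: user does not match device registration.";` instead. SetPolicy's body continues past the end of the hunk.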