Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(45)

Side by Side Diff: chrome/browser/policy/cloud_policy_validator.h

Issue 10828032: Add DeviceSettingsService. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebase. Created 8 years, 3 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #ifndef CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_ 5 #ifndef CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_
6 #define CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_ 6 #define CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_
7 7
8 #include <string> 8 #include <string>
9 #include <vector>
9 10
10 #include "base/basictypes.h" 11 #include "base/basictypes.h"
11 #include "base/callback.h" 12 #include "base/callback.h"
12 #include "base/memory/ref_counted.h" 13 #include "base/memory/ref_counted.h"
13 #include "base/memory/scoped_ptr.h" 14 #include "base/memory/scoped_ptr.h"
14 #include "base/time.h" 15 #include "base/time.h"
15 16
16 namespace base { 17 namespace base {
17 class MessageLoopProxy; 18 class MessageLoopProxy;
18 } 19 }
(...skipping 51 matching lines...) Expand 10 before | Expand all | Expand 10 after
70 // references, so ownership can be passed on once validation is complete. 71 // references, so ownership can be passed on once validation is complete.
71 scoped_ptr<enterprise_management::PolicyFetchResponse>& policy() { 72 scoped_ptr<enterprise_management::PolicyFetchResponse>& policy() {
72 return policy_; 73 return policy_;
73 } 74 }
74 scoped_ptr<enterprise_management::PolicyData>& policy_data() { 75 scoped_ptr<enterprise_management::PolicyData>& policy_data() {
75 return policy_data_; 76 return policy_data_;
76 } 77 }
77 78
78 // Instructs the validator to check that the policy timestamp is not before 79 // Instructs the validator to check that the policy timestamp is not before
79 // |not_before| and not after |now| + grace interval. 80 // |not_before| and not after |now| + grace interval.
80 void ValidateTimestamp(base::Time not_before, base::Time now); 81 void ValidateTimestamp(base::Time not_before,
82 base::Time now,
83 bool allow_missing_timestamp);
81 84
82 // Validates the username in the policy blob matches |expected_user|. 85 // Validates the username in the policy blob matches |expected_user|.
83 void ValidateUsername(const std::string& expected_user); 86 void ValidateUsername(const std::string& expected_user);
84 87
85 // Validates the policy blob is addressed to |expected_domain|. This uses the 88 // Validates the policy blob is addressed to |expected_domain|. This uses the
86 // domain part of the username field in the policy for the check. 89 // domain part of the username field in the policy for the check.
87 void ValidateDomain(const std::string& expected_domain); 90 void ValidateDomain(const std::string& expected_domain);
88 91
89 // Makes sure the DM token on the policy matches |expected_token|. 92 // Makes sure the DM token on the policy matches |expected_token|.
90 void ValidateDMToken(const std::string& dm_token); 93 void ValidateDMToken(const std::string& dm_token);
91 94
92 // Validates the policy type. 95 // Validates the policy type.
93 void ValidatePolicyType(const std::string& policy_type); 96 void ValidatePolicyType(const std::string& policy_type);
94 97
95 // Validates that the payload can be decoded successfully. 98 // Validates that the payload can be decoded successfully.
96 void ValidatePayload(); 99 void ValidatePayload();
97 100
98 // Verifies that the signature on the policy blob verifies against |key|. If 101 // Verifies that the signature on the policy blob verifies against |key|. If |
99 // there is a key rotation present in the policy blob, this checks the 102 // |allow_key_rotation| is true and there is a key rotation present in the
100 // signature on the new key against |key| and the policy blob against the new 103 // policy blob, this checks the signature on the new key against |key| and the
101 // key. 104 // policy blob against the new key.
102 void ValidateSignature(const std::string& key); 105 void ValidateSignature(const std::vector<uint8>& key,
106 bool allow_key_rotation);
103 107
104 // Similar to StartSignatureVerification(), this checks the signature on the 108 // Similar to StartSignatureVerification(), this checks the signature on the
105 // policy blob. However, this variant expects a new policy key set in the 109 // policy blob. However, this variant expects a new policy key set in the
106 // policy blob and makes sure the policy is signed using that key. This should 110 // policy blob and makes sure the policy is signed using that key. This should
107 // be called at setup time when there is no existing policy key present to 111 // be called at setup time when there is no existing policy key present to
108 // check against. 112 // check against.
109 void ValidateInitialKey(); 113 void ValidateInitialKey();
110 114
111 // Convenience helper that configures timestamp and token validation based on 115 // Convenience helper that configures timestamp and token validation based on
112 // the current policy blob. |policy_data| may be NULL, in which case the 116 // the current policy blob. |policy_data| may be NULL, in which case the
113 // timestamp validation will drop the lower bound and no token validation will 117 // timestamp validation will drop the lower bound and no token validation will
114 // be configured. 118 // be configured.
115 void ValidateAgainstCurrentPolicy( 119 void ValidateAgainstCurrentPolicy(
116 const enterprise_management::PolicyData* policy_data); 120 const enterprise_management::PolicyData* policy_data,
121 bool allow_missing_timestamp);
117 122
118 // Kicks off validation. From this point on, the validator manages its own 123 // Kicks off validation. From this point on, the validator manages its own
119 // lifetime. |completion_callback| is invoked when done. 124 // lifetime. |completion_callback| is invoked when done.
120 void StartValidation(); 125 void StartValidation();
121 126
122 protected: 127 protected:
123 // Create a new validator that checks |policy_response|. |payload| is the 128 // Create a new validator that checks |policy_response|. |payload| is the
124 // message that the policy payload will be parsed to, and it needs to stay 129 // message that the policy payload will be parsed to, and it needs to stay
125 // valid for the lifetime of the validator. 130 // valid for the lifetime of the validator.
126 CloudPolicyValidatorBase( 131 CloudPolicyValidatorBase(
(...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after
167 const std::string& key, 172 const std::string& key,
168 const std::string& signature); 173 const std::string& signature);
169 174
170 Status status_; 175 Status status_;
171 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_; 176 scoped_ptr<enterprise_management::PolicyFetchResponse> policy_;
172 scoped_ptr<enterprise_management::PolicyData> policy_data_; 177 scoped_ptr<enterprise_management::PolicyData> policy_data_;
173 google::protobuf::MessageLite* payload_; 178 google::protobuf::MessageLite* payload_;
174 base::Closure completion_callback_; 179 base::Closure completion_callback_;
175 180
176 int validation_flags_; 181 int validation_flags_;
177 base::Time timestamp_not_before_; 182 int64 timestamp_not_before_;
178 base::Time timestamp_not_after_; 183 int64 timestamp_not_after_;
184 bool allow_missing_timestamp_;
179 std::string user_; 185 std::string user_;
180 std::string domain_; 186 std::string domain_;
181 std::string token_; 187 std::string token_;
182 std::string policy_type_; 188 std::string policy_type_;
183 std::string key_; 189 std::string key_;
190 bool allow_key_rotation_;
184 191
185 DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidatorBase); 192 DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidatorBase);
186 }; 193 };
187 194
188 // A simple type-parameterized extension of CloudPolicyValidator that 195 // A simple type-parameterized extension of CloudPolicyValidator that
189 // facilitates working with the actual protobuf payload type. 196 // facilitates working with the actual protobuf payload type.
190 template<typename PayloadProto> 197 template<typename PayloadProto>
191 class CloudPolicyValidator : public CloudPolicyValidatorBase { 198 class CloudPolicyValidator : public CloudPolicyValidatorBase {
192 public: 199 public:
193 typedef base::Callback<void(CloudPolicyValidator<PayloadProto>*)> 200 typedef base::Callback<void(CloudPolicyValidator<PayloadProto>*)>
(...skipping 22 matching lines...) Expand all
216 }; 223 };
217 224
218 typedef CloudPolicyValidator<enterprise_management::ChromeDeviceSettingsProto> 225 typedef CloudPolicyValidator<enterprise_management::ChromeDeviceSettingsProto>
219 DeviceCloudPolicyValidator; 226 DeviceCloudPolicyValidator;
220 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings> 227 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings>
221 UserCloudPolicyValidator; 228 UserCloudPolicyValidator;
222 229
223 } // namespace policy 230 } // namespace policy
224 231
225 #endif // CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_ 232 #endif // CHROME_BROWSER_POLICY_CLOUD_POLICY_VALIDATOR_H_
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698