Turn off future-timestamp cloud policy checks on desktop

chrome/browser/policy/cloud/cloud_policy_validator.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_VALIDATOR_H_
 #define CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_VALIDATOR_H_
 
 #include <string>
 #include <vector>
 
@@ skipping 61 matching lines @@
   enum ValidateDMTokenOption {
     // The policy must have a non-empty DMToken.
     DM_TOKEN_REQUIRED,
 
     // The policy may have an empty or missing DMToken, if the expected token
     // is also empty.
     DM_TOKEN_NOT_REQUIRED,
   };
 
   enum ValidateTimestampOption {
-    // The policy must have a timestamp field.
+    // The policy must have a timestamp field and it should be checked against
+    // both the start and end times.
     TIMESTAMP_REQUIRED,
 
+    // The timestamp should only be compared vs the |not_before| value (this
+    // is appropriate for platforms with unreliable system times, where we want
+    // to ensure that fresh policy is newer than existing policy, but we can't
+    // do any other validation).
+    TIMESTAMP_NOT_BEFORE,
+
     // No timestamp field is required.
     TIMESTAMP_NOT_REQUIRED,
   };
 
   virtual ~CloudPolicyValidatorBase();
 
   // Validation status which can be read after completion has been signaled.
   Status status() const { return status_; }
   bool success() const { return status_ == VALIDATION_OK; }
 
   // The policy objects owned by the validator. These are scoped_ptr
   // references, so ownership can be passed on once validation is complete.
   scoped_ptr<enterprise_management::PolicyFetchResponse>& policy() {
     return policy_;
   }
   scoped_ptr<enterprise_management::PolicyData>& policy_data() {
     return policy_data_;
   }
 
   // Instructs the validator to check that the policy timestamp is not before
-  // |not_before| and not after |now| + grace interval. If
+  // |not_before| and not after |not_after| + grace interval. If
   // |timestamp_option| is set to TIMESTAMP_REQUIRED, then the policy will fail
   // validation if it does not have a timestamp field.
   void ValidateTimestamp(base::Time not_before,
-                         base::Time now,
+                         base::Time not_after,
                          ValidateTimestampOption timestamp_option);
 
   // Validates the username in the policy blob matches |expected_user|.
   void ValidateUsername(const std::string& expected_user);
 
   // Validates the policy blob is addressed to |expected_domain|. This uses the
   // domain part of the username field in the policy for the check.
   void ValidateDomain(const std::string& expected_domain);
 
   // Makes sure the DM token on the policy matches |expected_token|.
@@ skipping 157 matching lines @@
 };
 
 typedef CloudPolicyValidator<enterprise_management::CloudPolicySettings>
     UserCloudPolicyValidator;
 typedef CloudPolicyValidator<enterprise_management::ExternalPolicyData>
     ComponentCloudPolicyValidator;
 
 }  // namespace policy
 
 #endif  // CHROME_BROWSER_POLICY_CLOUD_CLOUD_POLICY_VALIDATOR_H_