author | Lutz Justen <ljusten@chromium.org> | 2018-01-29 14:46:42 +0100 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-02-02 03:40:35 -0800 |
commit | c794a05538bb87a9e18f744d893475ded1b973e2 (patch) | |
tree | 0c57b9b973fb717a2f9ff6a3d293a1fe54642ce1 | |
parent | cd5ebb24e6c74e3f64eb0d3877ecb75473b2e96f (diff) | |
libpolicy: Add getter for ChromeDeviceSettingsProto
Adds a getter for ChromeDeviceSettingsProto in DevicePolicyImpl. This
prevents a lot of boilerplate code when used by classes that deal with
device policy, anyway, like authpolicyd.
Also adds a way to disable validation to be used for authpolicyd unit
tests.
BUG=chromium:801704
TEST=cros_run_unit_tests --board=amd64-generic --packages libbrillo
Change-Id: Ide9e8f87c9798c6d482e9d88bb7e2f909b1ff02e
Reviewed-on: https://chromium-review.googlesource.com/893180
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Dan Erat <derat@chromium.org>
-rw-r--r-- | policy/device_policy.h | 7 | ||||
-rw-r--r-- | policy/device_policy_impl.cc | 6 | ||||
-rw-r--r-- | policy/device_policy_impl.h | 21 | ||||
-rw-r--r-- | policy/libpolicy.h | 1 |
4 files changed, 23 insertions, 12 deletions
diff --git a/policy/device_policy.h b/policy/device_policy.h index c33d508..144759c 100644 --- a/policy/device_policy.h +++ b/policy/device_policy.h @@ -38,7 +38,7 @@ class DevicePolicy { DevicePolicy(); virtual ~DevicePolicy(); - // Load the signed policy off of disk into |policy_|. + // Load device policy off of disk into |policy_|. // Returns true unless there is a policy on disk and loading it fails. virtual bool LoadPolicy() = 0; @@ -90,7 +90,7 @@ class DevicePolicy { // Writes the value of the EphemeralUsersEnabled policy in // |ephemeral_users_enabled|. Returns true on success. virtual bool GetEphemeralUsersEnabled( - bool* ephemeral_users_enabled) const = 0; + bool* ephemeral_users_enabled) const = 0; // Writes the value of the release channel policy in |release_channel|. // Returns true on success. @@ -152,8 +152,7 @@ class DevicePolicy { // Writes the value of the kiosk app id into |app_id_out|. // Only succeeds if the device is in auto-launched kiosk mode. - virtual bool GetAutoLaunchedKioskAppId( - std::string* app_id_out) const = 0; + virtual bool GetAutoLaunchedKioskAppId(std::string* app_id_out) const = 0; // Returns true if the policy data indicates that the device is enterprise // managed. Note that this potentially could be faked by an exploit, therefore diff --git a/policy/device_policy_impl.cc b/policy/device_policy_impl.cc index 4f7d051..eeba17e 100644 --- a/policy/device_policy_impl.cc +++ b/policy/device_policy_impl.cc @@ -98,9 +98,7 @@ std::string DecodeConnectionType(int type) { } // namespace DevicePolicyImpl::DevicePolicyImpl() - : policy_path_(kPolicyPath), - keyfile_path_(kPublicKeyPath), - verify_root_ownership_(true) {} + : policy_path_(kPolicyPath), keyfile_path_(kPublicKeyPath) {} DevicePolicyImpl::~DevicePolicyImpl() {} 
@@ -523,7 +521,7 @@ bool DevicePolicyImpl::LoadPolicyFromFile(const base::FilePath& policy_path) { return false; } - bool verify_policy = true; + bool verify_policy = verify_policy_; if (!install_attributes_reader_) { install_attributes_reader_ = std::make_unique<InstallAttributesReader>(); } diff --git a/policy/device_policy_impl.h b/policy/device_policy_impl.h index dba0de1..902daa9 100644 --- a/policy/device_policy_impl.h +++ b/policy/device_policy_impl.h @@ -32,6 +32,12 @@ class DevicePolicyImpl : public DevicePolicy { DevicePolicyImpl(); ~DevicePolicyImpl() override; + const enterprise_management::ChromeDeviceSettingsProto& get_device_policy() + const { + return device_policy_; + } + + // DevicePolicy overrides: bool LoadPolicy() override; bool GetPolicyRefreshRate(int* rate) const override; bool GetUserWhitelist( @@ -87,6 +93,7 @@ class DevicePolicyImpl : public DevicePolicy { void set_key_file_path_for_testing(const base::FilePath& keyfile_path) { keyfile_path_ = keyfile_path; } + void set_verify_policy_for_testing(bool value) { verify_policy_ = value; } private: // Verifies that both the policy file and the signature file exist and are 
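Review bot: `bool verify_policy = verify_policy_;` in LoadPolicyFromFile lets a member that any caller can clear switch off whatever checks are gated on `verify_policy`, and nothing on this path records that it happened. A single warning when the flag is false, e.g. `if (!verify_policy_) LOG(WARNING) << "Device policy verification disabled (test-only setting)";`, would make an accidental non-test use visible in logs. This assumes the file already uses base logging, which the hunk does not show. The function body starts and ends outside the hunk, so which checks are actually skipped cannot be confirmed from here.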
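Review bot: The new `get_device_policy()` accessor in device_policy_impl.h (hunk @@ -32,6 +32,12 @@) has no comment telling callers when the returned proto is meaningful or how far it can be trusted. Presumably `device_policy_` is only filled in by a successful LoadPolicy(), and its contents are unverified whenever verification was skipped, so a consumer such as authpolicyd should not read it before loading or treat it as signature-checked unconditionally. I would add `// Returns the settings proto populated by LoadPolicy(); empty before a successful load. The reference is valid only while this object lives, and the contents are unverified if verification was disabled.` above the getter.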
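Review bot: `set_verify_policy_for_testing` (hunk @@ -87,6 +93,7 @@) is a public, always-compiled member of a shared library class, so the `_for_testing` suffix is the only barrier against a production caller disabling device policy verification. At minimum the setter needs its own comment, `// Test only: disables all policy verification (see verify_policy_). Must never be called from production code.`; moving the test setters behind a friend test peer, or adding a presubmit check on the `_for_testing` name, would make that enforceable rather than a convention. The same gap shows in the field comment added in the later hunk @@ -111,7 +121,10 @@: "all types of verification" does not say how `verify_policy_` relates to `verify_root_ownership_`, and it should state which checks it covers and that it takes precedence, if that is what LoadPolicyFromFile does (not visible in this diff).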
@@ -97,11 +104,14 @@ class DevicePolicyImpl : public DevicePolicy { // Verifies that the policy signature is correct. bool VerifyPolicySignature() override; - // Loads the signed policy off of disk from |policy_path| into |policy_|. - // Returns true if the |policy_path| is present on disk and loading it is - // successful. + // Loads policy off of disk from |policy_path| into |policy_|. Returns true if + // the |policy_path| is present on disk and loading it is successful. bool LoadPolicyFromFile(const base::FilePath& policy_path); + // Path of the default policy file, e.g. /path/to/policy. In order to make + // device policy more resilient against broken files, this class also tries to + // load indexed paths /path/to/policy.1, /path/to/policy.2 etc., see + // resilient_policy_utils.h. base::FilePath policy_path_; base::FilePath keyfile_path_; std::unique_ptr<InstallAttributesReader> install_attributes_reader_; @@ -111,7 +121,10 @@ class DevicePolicyImpl : public DevicePolicy { // If true, verify that policy files are owned by root. True in production // but can be set to false by tests. - bool verify_root_ownership_; + bool verify_root_ownership_ = true; + // If false, all types of verification are disabled. True in production + // but can be set to false by tests. + bool verify_policy_ = true; DISALLOW_COPY_AND_ASSIGN(DevicePolicyImpl); }; diff --git a/policy/libpolicy.h b/policy/libpolicy.h index 4a54518..ac39bd9 100644 --- a/policy/libpolicy.h +++ b/policy/libpolicy.h @@ -22,6 +22,7 @@ class DevicePolicy; // its signature. class PolicyProvider { public: + // The default constructor does not load policy. PolicyProvider(); virtual ~PolicyProvider(); |