You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
794 lines
24 KiB
794 lines
24 KiB
// Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "policy/device_policy_impl.h"
|
|
|
|
#include <algorithm>
|
|
#include <map>
|
|
#include <memory>
|
|
#include <set>
|
|
#include <string>
|
|
|
|
#include <base/containers/adapters.h>
|
|
#include <base/files/file_util.h>
|
|
#include <base/json/json_reader.h>
|
|
#include <base/logging.h>
|
|
#include <base/macros.h>
|
|
#include <base/memory/ptr_util.h>
|
|
#include <base/stl_util.h>
|
|
#include <base/time/time.h>
|
|
#include <base/values.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/x509.h>
|
|
|
|
#include "bindings/chrome_device_policy.pb.h"
|
|
#include "bindings/device_management_backend.pb.h"
|
|
#include "policy/policy_util.h"
|
|
#include "policy/resilient_policy_util.h"
|
|
|
|
namespace em = enterprise_management;
|
|
|
|
namespace policy {
|
|
|
|
// TODO(crbug.com/984789): Remove once support for OpenSSL <1.1 is dropped.
|
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
#define EVP_MD_CTX_new EVP_MD_CTX_create
|
|
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
|
#endif
|
|
|
|
// Maximum value of RollbackAllowedMilestones policy.
|
|
const int kMaxRollbackAllowedMilestones = 4;
|
|
|
|
namespace {
|
|
const char kPolicyPath[] = "/var/lib/whitelist/policy";
|
|
const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key";
|
|
|
|
// Reads the public key used to sign the policy from |key_file| and stores it
|
|
// in |public_key|. Returns true on success.
|
|
bool ReadPublicKeyFromFile(const base::FilePath& key_file,
|
|
std::string* public_key) {
|
|
if (!base::PathExists(key_file))
|
|
return false;
|
|
public_key->clear();
|
|
if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) {
|
|
LOG(ERROR) << "Could not read public key off disk";
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
// Verifies that the |signed_data| has correct |signature| with |public_key|.
|
|
bool VerifySignature(const std::string& signed_data,
|
|
const std::string& signature,
|
|
const std::string& public_key) {
|
|
std::unique_ptr<EVP_MD_CTX, void (*)(EVP_MD_CTX *)> ctx(EVP_MD_CTX_new(),
|
|
EVP_MD_CTX_free);
|
|
if (!ctx)
|
|
return false;
|
|
|
|
const EVP_MD* digest = EVP_sha1();
|
|
|
|
char* key = const_cast<char*>(public_key.data());
|
|
BIO* bio = BIO_new_mem_buf(key, public_key.length());
|
|
if (!bio)
|
|
return false;
|
|
|
|
EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr);
|
|
if (!public_key_ssl) {
|
|
BIO_free_all(bio);
|
|
return false;
|
|
}
|
|
|
|
const unsigned char* sig =
|
|
reinterpret_cast<const unsigned char*>(signature.data());
|
|
int rv = EVP_VerifyInit_ex(ctx.get(), digest, nullptr);
|
|
if (rv == 1) {
|
|
EVP_VerifyUpdate(ctx.get(), signed_data.data(), signed_data.length());
|
|
rv = EVP_VerifyFinal(ctx.get(), sig, signature.length(), public_key_ssl);
|
|
}
|
|
|
|
EVP_PKEY_free(public_key_ssl);
|
|
BIO_free_all(bio);
|
|
|
|
return rv == 1;
|
|
}
|
|
|
|
// Decodes the connection type enum from the device settings protobuf to string
|
|
// representations. The strings must match the connection manager definitions.
|
|
std::string DecodeConnectionType(int type) {
|
|
static const char* const kConnectionTypes[] = {
|
|
"ethernet", "wifi", "wimax", "bluetooth", "cellular",
|
|
};
|
|
|
|
if (type < 0 || type >= static_cast<int>(base::size(kConnectionTypes)))
|
|
return std::string();
|
|
|
|
return kConnectionTypes[type];
|
|
}
|
|
|
|
// TODO(adokar): change type to base::Optional<int> when available.
|
|
int ConvertDayOfWeekStringToInt(const std::string& day_of_week_str) {
|
|
if (day_of_week_str == "Sunday") return 0;
|
|
if (day_of_week_str == "Monday") return 1;
|
|
if (day_of_week_str == "Tuesday") return 2;
|
|
if (day_of_week_str == "Wednesday") return 3;
|
|
if (day_of_week_str == "Thursday") return 4;
|
|
if (day_of_week_str == "Friday") return 5;
|
|
if (day_of_week_str == "Saturday") return 6;
|
|
return -1;
|
|
}
|
|
|
|
bool DecodeWeeklyTimeFromValue(const base::DictionaryValue& dict_value,
|
|
int* day_of_week_out,
|
|
base::TimeDelta* time_out) {
|
|
std::string day_of_week_str;
|
|
if (!dict_value.GetString("day_of_week", &day_of_week_str)) {
|
|
LOG(ERROR) << "Day of the week is absent.";
|
|
return false;
|
|
}
|
|
*day_of_week_out = ConvertDayOfWeekStringToInt(day_of_week_str);
|
|
if (*day_of_week_out == -1) {
|
|
LOG(ERROR) << "Undefined day of the week: " << day_of_week_str;
|
|
return false;
|
|
}
|
|
|
|
int hours;
|
|
if (!dict_value.GetInteger("hours", &hours) || hours < 0 || hours > 23) {
|
|
LOG(ERROR) << "Hours are absent or are outside of the range [0, 24).";
|
|
return false;
|
|
}
|
|
|
|
int minutes;
|
|
if (!dict_value.GetInteger("minutes", &minutes) || minutes < 0 ||
|
|
minutes > 59) {
|
|
LOG(ERROR) << "Minutes are absent or are outside the range [0, 60)";
|
|
return false;
|
|
}
|
|
|
|
*time_out =
|
|
base::TimeDelta::FromMinutes(minutes) + base::TimeDelta::FromHours(hours);
|
|
return true;
|
|
}
|
|
|
|
std::unique_ptr<base::ListValue> DecodeListValueFromJSON(
|
|
const std::string& json_string) {
|
|
std::string error;
|
|
std::unique_ptr<base::Value> decoded_json =
|
|
base::JSONReader::ReadAndReturnError(json_string,
|
|
base::JSON_ALLOW_TRAILING_COMMAS,
|
|
nullptr, &error);
|
|
if (!decoded_json) {
|
|
LOG(ERROR) << "Invalid JSON string: " << error;
|
|
return nullptr;
|
|
}
|
|
|
|
std::unique_ptr<base::ListValue> list_val =
|
|
base::ListValue::From(std::move(decoded_json));
|
|
if (!list_val) {
|
|
LOG(ERROR) << "JSON string is not a list";
|
|
return nullptr;
|
|
}
|
|
|
|
return list_val;
|
|
}
|
|
|
|
} // namespace
|
|
|
|
DevicePolicyImpl::DevicePolicyImpl()
|
|
: policy_path_(kPolicyPath), keyfile_path_(kPublicKeyPath) {}
|
|
|
|
DevicePolicyImpl::~DevicePolicyImpl() {}
|
|
|
|
bool DevicePolicyImpl::LoadPolicy() {
|
|
std::map<int, base::FilePath> sorted_policy_file_paths =
|
|
policy::GetSortedResilientPolicyFilePaths(policy_path_);
|
|
if (sorted_policy_file_paths.empty())
|
|
return false;
|
|
|
|
// Try to load the existent policy files one by one in reverse order of their
|
|
// index until we succeed. The default policy, if present, appears as index 0
|
|
// in the map and is loaded the last. This is intentional as that file is the
|
|
// oldest.
|
|
bool policy_loaded = false;
|
|
for (const auto& map_pair : base::Reversed(sorted_policy_file_paths)) {
|
|
const base::FilePath& policy_path = map_pair.second;
|
|
if (LoadPolicyFromFile(policy_path)) {
|
|
policy_loaded = true;
|
|
break;
|
|
}
|
|
}
|
|
|
|
return policy_loaded;
|
|
}
|
|
|
|
bool DevicePolicyImpl::IsEnterpriseEnrolled() const {
|
|
DCHECK(install_attributes_reader_);
|
|
if (!install_attributes_reader_->IsLocked())
|
|
return false;
|
|
|
|
const std::string& device_mode = install_attributes_reader_->GetAttribute(
|
|
InstallAttributesReader::kAttrMode);
|
|
return device_mode == InstallAttributesReader::kDeviceModeEnterprise ||
|
|
device_mode == InstallAttributesReader::kDeviceModeEnterpriseAD;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const {
|
|
if (!device_policy_.has_device_policy_refresh_rate())
|
|
return false;
|
|
*rate = static_cast<int>(
|
|
device_policy_.device_policy_refresh_rate().device_policy_refresh_rate());
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetUserWhitelist(
|
|
std::vector<std::string>* user_whitelist) const {
|
|
if (!device_policy_.has_user_whitelist())
|
|
return false;
|
|
const em::UserWhitelistProto& proto = device_policy_.user_whitelist();
|
|
user_whitelist->clear();
|
|
for (int i = 0; i < proto.user_whitelist_size(); i++)
|
|
user_whitelist->push_back(proto.user_whitelist(i));
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const {
|
|
if (!device_policy_.has_guest_mode_enabled())
|
|
return false;
|
|
*guest_mode_enabled =
|
|
device_policy_.guest_mode_enabled().guest_mode_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const {
|
|
if (!device_policy_.has_camera_enabled())
|
|
return false;
|
|
*camera_enabled = device_policy_.camera_enabled().camera_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const {
|
|
if (!device_policy_.has_show_user_names())
|
|
return false;
|
|
*show_user_names = device_policy_.show_user_names().show_user_names();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const {
|
|
if (!device_policy_.has_data_roaming_enabled())
|
|
return false;
|
|
*data_roaming_enabled =
|
|
device_policy_.data_roaming_enabled().data_roaming_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const {
|
|
if (!device_policy_.has_allow_new_users())
|
|
return false;
|
|
*allow_new_users = device_policy_.allow_new_users().allow_new_users();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const {
|
|
if (!device_policy_.has_metrics_enabled())
|
|
return false;
|
|
*metrics_enabled = device_policy_.metrics_enabled().metrics_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const {
|
|
if (!device_policy_.has_device_reporting())
|
|
return false;
|
|
|
|
const em::DeviceReportingProto& proto = device_policy_.device_reporting();
|
|
if (!proto.has_report_version_info())
|
|
return false;
|
|
|
|
*report_version_info = proto.report_version_info();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetReportActivityTimes(
|
|
bool* report_activity_times) const {
|
|
if (!device_policy_.has_device_reporting())
|
|
return false;
|
|
|
|
const em::DeviceReportingProto& proto = device_policy_.device_reporting();
|
|
if (!proto.has_report_activity_times())
|
|
return false;
|
|
|
|
*report_activity_times = proto.report_activity_times();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const {
|
|
if (!device_policy_.has_device_reporting())
|
|
return false;
|
|
|
|
const em::DeviceReportingProto& proto = device_policy_.device_reporting();
|
|
if (!proto.has_report_boot_mode())
|
|
return false;
|
|
|
|
*report_boot_mode = proto.report_boot_mode();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetEphemeralUsersEnabled(
|
|
bool* ephemeral_users_enabled) const {
|
|
if (!device_policy_.has_ephemeral_users_enabled())
|
|
return false;
|
|
*ephemeral_users_enabled =
|
|
device_policy_.ephemeral_users_enabled().ephemeral_users_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetReleaseChannel(std::string* release_channel) const {
|
|
if (!device_policy_.has_release_channel())
|
|
return false;
|
|
|
|
const em::ReleaseChannelProto& proto = device_policy_.release_channel();
|
|
if (!proto.has_release_channel())
|
|
return false;
|
|
|
|
*release_channel = proto.release_channel();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetReleaseChannelDelegated(
|
|
bool* release_channel_delegated) const {
|
|
if (!device_policy_.has_release_channel())
|
|
return false;
|
|
|
|
const em::ReleaseChannelProto& proto = device_policy_.release_channel();
|
|
if (!proto.has_release_channel_delegated())
|
|
return false;
|
|
|
|
*release_channel_delegated = proto.release_channel_delegated();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetUpdateDisabled(bool* update_disabled) const {
|
|
if (!IsEnterpriseEnrolled())
|
|
return false;
|
|
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (!proto.has_update_disabled())
|
|
return false;
|
|
|
|
*update_disabled = proto.update_disabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetTargetVersionPrefix(
|
|
std::string* target_version_prefix) const {
|
|
if (!IsEnterpriseEnrolled())
|
|
return false;
|
|
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (!proto.has_target_version_prefix())
|
|
return false;
|
|
|
|
*target_version_prefix = proto.target_version_prefix();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetRollbackToTargetVersion(
|
|
int* rollback_to_target_version) const {
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (!proto.has_rollback_to_target_version())
|
|
return false;
|
|
|
|
*rollback_to_target_version = proto.rollback_to_target_version();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetRollbackAllowedMilestones(
|
|
int* rollback_allowed_milestones) const {
|
|
// This policy can be only set for devices which are enterprise enrolled.
|
|
if (!IsEnterpriseEnrolled())
|
|
return false;
|
|
|
|
if (device_policy_.has_auto_update_settings()) {
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (proto.has_rollback_allowed_milestones()) {
|
|
// Policy is set, enforce minimum and maximum constraints.
|
|
*rollback_allowed_milestones = proto.rollback_allowed_milestones();
|
|
if (*rollback_allowed_milestones < 0)
|
|
*rollback_allowed_milestones = 0;
|
|
if (*rollback_allowed_milestones > kMaxRollbackAllowedMilestones)
|
|
*rollback_allowed_milestones = kMaxRollbackAllowedMilestones;
|
|
return true;
|
|
}
|
|
}
|
|
// Policy is not present, use default for enterprise devices.
|
|
VLOG(1) << "RollbackAllowedMilestones policy is not set, using default "
|
|
<< kMaxRollbackAllowedMilestones << ".";
|
|
*rollback_allowed_milestones = kMaxRollbackAllowedMilestones;
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetScatterFactorInSeconds(
|
|
int64_t* scatter_factor_in_seconds) const {
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (!proto.has_scatter_factor_in_seconds())
|
|
return false;
|
|
|
|
*scatter_factor_in_seconds = proto.scatter_factor_in_seconds();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate(
|
|
std::set<std::string>* connection_types) const {
|
|
if (!IsEnterpriseEnrolled())
|
|
return false;
|
|
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (proto.allowed_connection_types_size() <= 0)
|
|
return false;
|
|
|
|
for (int i = 0; i < proto.allowed_connection_types_size(); i++) {
|
|
std::string type = DecodeConnectionType(proto.allowed_connection_types(i));
|
|
if (!type.empty())
|
|
connection_types->insert(type);
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetOpenNetworkConfiguration(
|
|
std::string* open_network_configuration) const {
|
|
if (!device_policy_.has_open_network_configuration())
|
|
return false;
|
|
|
|
const em::DeviceOpenNetworkConfigurationProto& proto =
|
|
device_policy_.open_network_configuration();
|
|
if (!proto.has_open_network_configuration())
|
|
return false;
|
|
|
|
*open_network_configuration = proto.open_network_configuration();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetOwner(std::string* owner) const {
|
|
if (IsEnterpriseManaged()) {
|
|
*owner = "";
|
|
return true;
|
|
}
|
|
|
|
if (!policy_data_.has_username())
|
|
return false;
|
|
*owner = policy_data_.username();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetHttpDownloadsEnabled(
|
|
bool* http_downloads_enabled) const {
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
|
|
if (!proto.has_http_downloads_enabled())
|
|
return false;
|
|
|
|
*http_downloads_enabled = proto.http_downloads_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const {
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
|
|
if (!proto.has_p2p_enabled())
|
|
return false;
|
|
|
|
*au_p2p_enabled = proto.p2p_enabled();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetAllowKioskAppControlChromeVersion(
|
|
bool* allow_kiosk_app_control_chrome_version) const {
|
|
if (!device_policy_.has_allow_kiosk_app_control_chrome_version())
|
|
return false;
|
|
|
|
const em::AllowKioskAppControlChromeVersionProto& proto =
|
|
device_policy_.allow_kiosk_app_control_chrome_version();
|
|
|
|
if (!proto.has_allow_kiosk_app_control_chrome_version())
|
|
return false;
|
|
|
|
*allow_kiosk_app_control_chrome_version =
|
|
proto.allow_kiosk_app_control_chrome_version();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetUsbDetachableWhitelist(
|
|
std::vector<UsbDeviceId>* usb_whitelist) const {
|
|
if (!device_policy_.has_usb_detachable_whitelist())
|
|
return false;
|
|
const em::UsbDetachableWhitelistProto& proto =
|
|
device_policy_.usb_detachable_whitelist();
|
|
usb_whitelist->clear();
|
|
for (int i = 0; i < proto.id_size(); i++) {
|
|
const em::UsbDeviceIdProto& id = proto.id(i);
|
|
UsbDeviceId dev_id;
|
|
dev_id.vendor_id = id.has_vendor_id() ? id.vendor_id() : 0;
|
|
dev_id.product_id = id.has_product_id() ? id.product_id() : 0;
|
|
usb_whitelist->push_back(dev_id);
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetDeviceUpdateStagingSchedule(
|
|
std::vector<DayPercentagePair>* staging_schedule_out) const {
|
|
staging_schedule_out->clear();
|
|
|
|
if (!device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto &proto =
|
|
device_policy_.auto_update_settings();
|
|
|
|
if (!proto.has_staging_schedule())
|
|
return false;
|
|
|
|
std::unique_ptr<base::ListValue> list_val =
|
|
DecodeListValueFromJSON(proto.staging_schedule());
|
|
if (!list_val)
|
|
return false;
|
|
|
|
for (const auto& pair_value : *list_val) {
|
|
const base::DictionaryValue* day_percentage_pair;
|
|
if (!pair_value.GetAsDictionary(&day_percentage_pair))
|
|
return false;
|
|
int days, percentage;
|
|
if (!day_percentage_pair->GetInteger("days", &days) ||
|
|
!day_percentage_pair->GetInteger("percentage", &percentage))
|
|
return false;
|
|
// Limit the percentage to [0, 100] and days to [1, 28];
|
|
staging_schedule_out->push_back({std::max(std::min(days, 28), 1),
|
|
std::max(std::min(percentage, 100), 0)});
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetAutoLaunchedKioskAppId(
|
|
std::string* app_id_out) const {
|
|
if (!device_policy_.has_device_local_accounts())
|
|
return false;
|
|
|
|
const em::DeviceLocalAccountsProto& local_accounts =
|
|
device_policy_.device_local_accounts();
|
|
|
|
// For auto-launched kiosk apps, the delay needs to be 0.
|
|
if (local_accounts.has_auto_login_delay() &&
|
|
local_accounts.auto_login_delay() != 0)
|
|
return false;
|
|
|
|
for (const em::DeviceLocalAccountInfoProto& account :
|
|
local_accounts.account()) {
|
|
// If this isn't an auto-login account, move to the next one.
|
|
if (account.account_id() != local_accounts.auto_login_id())
|
|
continue;
|
|
|
|
// If the auto-launched account is not a kiosk app, bail out, we aren't
|
|
// running in auto-launched kiosk mode.
|
|
if (account.type() !=
|
|
em::DeviceLocalAccountInfoProto::ACCOUNT_TYPE_KIOSK_APP) {
|
|
return false;
|
|
}
|
|
|
|
*app_id_out = account.kiosk_app().app_id();
|
|
return true;
|
|
}
|
|
|
|
// No auto-launched account found.
|
|
return false;
|
|
}
|
|
|
|
bool DevicePolicyImpl::IsEnterpriseManaged() const {
|
|
if (policy_data_.has_management_mode())
|
|
return policy_data_.management_mode() == em::PolicyData::ENTERPRISE_MANAGED;
|
|
// Fall back to checking the request token, see management_mode documentation
|
|
// in device_management_backend.proto.
|
|
return policy_data_.has_request_token();
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetSecondFactorAuthenticationMode(int* mode_out) const {
|
|
if (!device_policy_.has_device_second_factor_authentication())
|
|
return false;
|
|
|
|
const em::DeviceSecondFactorAuthenticationProto& proto =
|
|
device_policy_.device_second_factor_authentication();
|
|
|
|
if (!proto.has_mode())
|
|
return false;
|
|
|
|
*mode_out = proto.mode();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetDisallowedTimeIntervals(
|
|
std::vector<WeeklyTimeInterval>* intervals_out) const {
|
|
intervals_out->clear();
|
|
if (!IsEnterpriseEnrolled())
|
|
return false;
|
|
|
|
if (!device_policy_.has_auto_update_settings()) {
|
|
return false;
|
|
}
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
|
|
if (!proto.has_disallowed_time_intervals()) {
|
|
return false;
|
|
}
|
|
|
|
std::unique_ptr<base::ListValue> list_val =
|
|
DecodeListValueFromJSON(proto.disallowed_time_intervals());
|
|
if (!list_val)
|
|
return false;
|
|
|
|
for (const auto& interval_value : *list_val) {
|
|
const base::DictionaryValue* interval_dict;
|
|
if (!interval_value.GetAsDictionary(&interval_dict)) {
|
|
LOG(ERROR) << "Invalid JSON string given. Interval is not a dict.";
|
|
return false;
|
|
}
|
|
const base::DictionaryValue* start;
|
|
const base::DictionaryValue* end;
|
|
if (!interval_dict->GetDictionary("start", &start) ||
|
|
!interval_dict->GetDictionary("end", &end)) {
|
|
LOG(ERROR) << "Interval is missing start/end.";
|
|
return false;
|
|
}
|
|
WeeklyTimeInterval weekly_interval;
|
|
if (!DecodeWeeklyTimeFromValue(*start, &weekly_interval.start_day_of_week,
|
|
&weekly_interval.start_time) ||
|
|
!DecodeWeeklyTimeFromValue(*end, &weekly_interval.end_day_of_week,
|
|
&weekly_interval.end_time)) {
|
|
return false;
|
|
}
|
|
|
|
intervals_out->push_back(weekly_interval);
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetDeviceQuickFixBuildToken(
|
|
std::string* device_quick_fix_build_token) const {
|
|
if (!IsEnterpriseEnrolled() || !device_policy_.has_auto_update_settings())
|
|
return false;
|
|
|
|
const em::AutoUpdateSettingsProto& proto =
|
|
device_policy_.auto_update_settings();
|
|
if (!proto.has_device_quick_fix_build_token())
|
|
return false;
|
|
|
|
*device_quick_fix_build_token = proto.device_quick_fix_build_token();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::GetDeviceDirectoryApiId(
|
|
std::string* directory_api_id_out) const {
|
|
if (!policy_data_.has_directory_api_id())
|
|
return false;
|
|
|
|
*directory_api_id_out = policy_data_.directory_api_id();
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::VerifyPolicyFile(const base::FilePath& policy_path) {
|
|
if (!verify_root_ownership_) {
|
|
return true;
|
|
}
|
|
|
|
// Both the policy and its signature have to exist.
|
|
if (!base::PathExists(policy_path) || !base::PathExists(keyfile_path_)) {
|
|
return false;
|
|
}
|
|
|
|
// Check if the policy and signature file is owned by root.
|
|
struct stat file_stat;
|
|
stat(policy_path.value().c_str(), &file_stat);
|
|
if (file_stat.st_uid != 0) {
|
|
LOG(ERROR) << "Policy file is not owned by root!";
|
|
return false;
|
|
}
|
|
stat(keyfile_path_.value().c_str(), &file_stat);
|
|
if (file_stat.st_uid != 0) {
|
|
LOG(ERROR) << "Policy signature file is not owned by root!";
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
bool DevicePolicyImpl::VerifyPolicySignature() {
|
|
if (policy_.has_policy_data_signature()) {
|
|
std::string policy_data = policy_.policy_data();
|
|
std::string policy_data_signature = policy_.policy_data_signature();
|
|
std::string public_key;
|
|
if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) {
|
|
LOG(ERROR) << "Could not read owner key off disk";
|
|
return false;
|
|
}
|
|
if (!VerifySignature(policy_data, policy_data_signature, public_key)) {
|
|
LOG(ERROR) << "Signature does not match the data or can not be verified!";
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
LOG(ERROR) << "The policy blob is not signed!";
|
|
return false;
|
|
}
|
|
|
|
bool DevicePolicyImpl::LoadPolicyFromFile(const base::FilePath& policy_path) {
|
|
std::string policy_data_str;
|
|
if (policy::LoadPolicyFromPath(policy_path, &policy_data_str, &policy_) !=
|
|
LoadPolicyResult::kSuccess) {
|
|
return false;
|
|
}
|
|
if (!policy_.has_policy_data()) {
|
|
LOG(ERROR) << "Policy on disk could not be parsed!";
|
|
return false;
|
|
}
|
|
if (!policy_data_.ParseFromString(policy_.policy_data()) ||
|
|
!policy_data_.has_policy_value()) {
|
|
LOG(ERROR) << "Policy on disk could not be parsed!";
|
|
return false;
|
|
}
|
|
|
|
bool verify_policy = verify_policy_;
|
|
if (!install_attributes_reader_) {
|
|
install_attributes_reader_ = std::make_unique<InstallAttributesReader>();
|
|
}
|
|
const std::string& mode = install_attributes_reader_->GetAttribute(
|
|
InstallAttributesReader::kAttrMode);
|
|
if (mode == InstallAttributesReader::kDeviceModeEnterpriseAD) {
|
|
verify_policy = false;
|
|
}
|
|
if (verify_policy && !VerifyPolicyFile(policy_path)) {
|
|
return false;
|
|
}
|
|
|
|
// Make sure the signature is still valid.
|
|
if (verify_policy && !VerifyPolicySignature()) {
|
|
LOG(ERROR) << "Policy signature verification failed!";
|
|
return false;
|
|
}
|
|
if (!device_policy_.ParseFromString(policy_data_.policy_value())) {
|
|
LOG(ERROR) << "Policy on disk could not be parsed!";
|
|
return false;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
} // namespace policy
|