policy_cert_service_factory.cc revision 5f1c94371a64b3196d4be9466099bb892df9b88e
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"

#include "base/memory/singleton.h"
#include "base/prefs/pref_registry_simple.h"
#include "base/prefs/pref_service.h"
#include "base/prefs/scoped_user_pref_update.h"
#include "chrome/browser/browser_process.h"
#include "chrome/browser/chromeos/login/users/user_manager.h"
#include "chrome/browser/chromeos/policy/policy_cert_service.h"
#include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
#include "chrome/browser/chromeos/policy/user_network_configuration_updater_factory.h"
#include "chrome/browser/chromeos/profiles/profile_helper.h"
#include "chrome/browser/lifetime/application_lifetime.h"
#include "chrome/browser/profiles/incognito_helpers.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/common/pref_names.h"
#include "components/keyed_service/content/browser_context_dependency_manager.h"
#include "components/pref_registry/pref_registry_syncable.h"

namespace policy {

// Returns the PolicyCertService already attached to |profile|. The lookup is
// done with create == false, so this never builds a service; callers get
// whatever GetServiceForBrowserContext() returns when none exists yet.
// static
PolicyCertService* PolicyCertServiceFactory::GetForProfile(Profile* profile) {
  return static_cast<PolicyCertService*>(
      GetInstance()->GetServiceForBrowserContext(profile, false));
}

// Builds the PolicyCertService for |profile| and returns the certificate
// verifier obtained from it. Returns an empty scoped_ptr when no service
// could be built (BuildServiceInstanceFor() returns NULL if the profile has
// no associated user or no UserNetworkConfigurationUpdater).
// static
scoped_ptr<PolicyCertVerifier> PolicyCertServiceFactory::CreateForProfile(
    Profile* profile) {
  // The service must not exist yet for this profile.
  // NOTE(review): DCHECK is presumably compiled out of release builds, in
  // which case a second call would hand out another verifier from the
  // existing service - confirm that callers invoke this once per profile.
  DCHECK(!GetInstance()->GetServiceForBrowserContext(profile, false));
  PolicyCertService* service = static_cast<PolicyCertService*>(
      GetInstance()->GetServiceForBrowserContext(profile, true));
  if (!service)
    return scoped_ptr<PolicyCertVerifier>();
  return service->CreatePolicyCertVerifier();
}

// Returns the process-wide factory singleton.
// static
PolicyCertServiceFactory* PolicyCertServiceFactory::GetInstance() {
  return Singleton<PolicyCertServiceFactory>::get();
}

// Records |user_id| in the local_state list prefs::kUsedPolicyCertificates,
// marking that user as having used policy-pushed certificates. A no-op when
// the user is already listed, so the list holds each id at most once as long
// as entries are only added through this function.
// static
void PolicyCertServiceFactory::SetUsedPolicyCertificates(
    const std::string& user_id) {
  if (UsedPolicyCertificates(user_id))
    return;
  ListPrefUpdate update(g_browser_process->local_state(),
                        prefs::kUsedPolicyCertificates);
  update->AppendString(user_id);
}

// Removes |user_id| from the local_state list prefs::kUsedPolicyCertificates.
// NOTE(review): this drops the marker that BuildServiceInstanceFor() relies
// on to persist the "used policy certificates" state; the callers and the
// conditions under which clearing is legitimate are not visible in this
// file - confirm.
// static
void PolicyCertServiceFactory::ClearUsedPolicyCertificates(
    const std::string& user_id) {
  ListPrefUpdate update(g_browser_process->local_state(),
                        prefs::kUsedPolicyCertificates);
  // The second argument is the optional out-index; NULL means the caller
  // does not need the position of the removed entry.
  update->Remove(base::StringValue(user_id), NULL);
}

// Returns true if |user_id| is present in the local_state list
// prefs::kUsedPolicyCertificates.
// static
bool PolicyCertServiceFactory::UsedPolicyCertificates(
    const std::string& user_id) {
  base::StringValue value(user_id);
  const base::ListValue* list =
      g_browser_process->local_state()->GetList(prefs::kUsedPolicyCertificates);
  if (!list) {
    // The pref is registered in RegisterPrefs(), so a missing list is
    // treated as a programming error.
    // NOTE(review): this path answers "not used", i.e. it fails open for a
    // check that gates a security decision. Where NOTREACHED() does not
    // abort, consider whether a missing list should be treated as "used".
    NOTREACHED();
    return false;
  }
  return list->Find(value) != list->end();
}

// Registers the local_state list pref that stores the ids of users who have
// used policy-pushed certificates.
// static
void PolicyCertServiceFactory::RegisterPrefs(PrefRegistrySimple* local_state) {
  local_state->RegisterListPref(prefs::kUsedPolicyCertificates);
}

// Registers the factory under the name "PolicyCertService" and declares a
// dependency on UserNetworkConfigurationUpdaterFactory, whose service
// BuildServiceInstanceFor() passes to every PolicyCertService it creates.
PolicyCertServiceFactory::PolicyCertServiceFactory()
    : BrowserContextKeyedServiceFactory(
          "PolicyCertService",
          BrowserContextDependencyManager::GetInstance()) {
  DependsOn(UserNetworkConfigurationUpdaterFactory::GetInstance());
}

PolicyCertServiceFactory::~PolicyCertServiceFactory() {}

// Builds the PolicyCertService for |context|. Returns NULL when the profile
// has no associated user or no UserNetworkConfigurationUpdater.
//
// Before building the service, this migrates the legacy per-profile pref
// prefs::kUsedPolicyCertificatesOnce into the local_state list, keyed by the
// user's e-mail. If the migration finds the marker while more than one user
// is logged in, the session is terminated.
KeyedService* PolicyCertServiceFactory::BuildServiceInstanceFor(
    content::BrowserContext* context) const {
  Profile* profile = static_cast<Profile*>(context);

  chromeos::UserManager* user_manager = chromeos::UserManager::Get();
  // The user is resolved from the original profile, so an off-the-record
  // profile maps to the same user as its parent.
  user_manager::User* user = chromeos::ProfileHelper::Get()->GetUserByProfile(
      profile->GetOriginalProfile());
  if (!user)
    return NULL;

  // Backwards compatibility: profiles that used policy-pushed certificates used
  // to have this condition marked in their prefs. This signal has moved to
  // local_state though, to support checking it before the profile is loaded.
  // Check the profile here and update the local_state, if appropriate.
  // TODO(joaodasilva): remove this, eventually.
  PrefService* prefs = profile->GetOriginalProfile()->GetPrefs();
  if (prefs->GetBoolean(prefs::kUsedPolicyCertificatesOnce)) {
    // Order matters: the marker is added to local_state before the legacy
    // profile pref is cleared.
    // NOTE(review): outside the multi-user branch below neither store is
    // flushed explicitly. If the cleared profile pref were persisted but the
    // local_state append were not, the marker would be lost - confirm the
    // write ordering is acceptable.
    SetUsedPolicyCertificates(user->email());
    prefs->ClearPref(prefs::kUsedPolicyCertificatesOnce);

    if (user_manager->GetLoggedInUsers().size() > 1u) {
      // This login should not have been allowed. After rebooting, local_state
      // will contain the updated list of users that used policy-pushed
      // certificates and this won't happen again.
      // Note that a user becomes logged in before his profile is created.
      LOG(ERROR) << "Shutdown session because a tainted profile was added.";
      // Flush local_state first, then the profile prefs, so the migrated
      // marker is written out before the exit is requested.
      g_browser_process->local_state()->CommitPendingWrite();
      prefs->CommitPendingWrite();
      chrome::AttemptUserExit();
      // NOTE(review): execution continues past this point and may still
      // construct the service below for the profile that triggered the exit.
    }
  }

  UserNetworkConfigurationUpdater* net_conf_updater =
      UserNetworkConfigurationUpdaterFactory::GetForProfile(profile);
  if (!net_conf_updater)
    return NULL;

  return new PolicyCertService(user->email(), net_conf_updater, user_manager);
}

// Selects which browser context the service is keyed on. Delegates to
// chrome::GetBrowserContextOwnInstanceInIncognito(); going by that helper's
// name, an incognito context gets its own service instance rather than
// sharing the original profile's.
content::BrowserContext* PolicyCertServiceFactory::GetBrowserContextToUse(
    content::BrowserContext* context) const {
  return chrome::GetBrowserContextOwnInstanceInIncognito(context);
}

// Registers the legacy per-profile boolean pref (default false, not synced)
// that BuildServiceInstanceFor() migrates into local_state.
void PolicyCertServiceFactory::RegisterProfilePrefs(
    user_prefs::PrefRegistrySyncable* registry) {
  // TODO(joaodasilva): this is used for backwards compatibility.
  // Remove once it's not necessary anymore.
  registry->RegisterBooleanPref(
      prefs::kUsedPolicyCertificatesOnce,
      false,
      user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF);
}

// Always returns true; going by the method name, this lets the service be
// NULL in tests.
bool PolicyCertServiceFactory::ServiceIsNULLWhileTesting() const {
  return true;
}

}  // namespace policy