Always verify key and signature for CBCM
Omaha should always provide the key these days, so we don't need to skip the key verification step when loading policies. It also allows CBCM to validate the policy proto and key from the server properly. Change-Id: Ia457069464f9bc2e1852b2550151c9a5bce29630 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6395175 Reviewed-by: Yann Dago <ydago@chromium.org> Commit-Queue: Owen Min <zmin@chromium.org> Cr-Commit-Position: refs/heads/main@{#1444545}

committed by
Chromium LUCI CQ

parent
6afcb4e0e7
commit
f9ee0c67cb
@ -6,6 +6,7 @@
|
||||
|
||||
#include <utility>
|
||||
|
||||
#include "base/feature_list.h"
|
||||
#include "base/files/file_path.h"
|
||||
#include "base/logging.h"
|
||||
#include "base/task/sequenced_task_runner.h"
|
||||
@ -22,6 +23,10 @@ namespace em = enterprise_management;
|
||||
namespace policy {
|
||||
namespace {
|
||||
|
||||
BASE_FEATURE(kAlwaysVerifyPolicyKey,
|
||||
"AlwaysVerifyPolicyKey",
|
||||
base::FEATURE_ENABLED_BY_DEFAULT);
|
||||
|
||||
const base::FilePath::CharType kPolicyCache[] =
|
||||
FILE_PATH_LITERAL("Machine Level User Cloud Policy");
|
||||
const base::FilePath::CharType kKeyCache[] =
|
||||
@ -139,8 +144,9 @@ MachineLevelUserCloudPolicyStore::MaybeUseExternalCachedPolicies(
|
||||
PolicyLoadResult default_cached_policy_load_result) {
|
||||
PolicyLoadResult external_policy_cache_load_result =
|
||||
LoadExternalCachedPolicies(policy_cache_path, policy_info_path);
|
||||
if (external_policy_cache_load_result.status != policy::LOAD_RESULT_SUCCESS)
|
||||
if (external_policy_cache_load_result.status != policy::LOAD_RESULT_SUCCESS) {
|
||||
return default_cached_policy_load_result;
|
||||
}
|
||||
|
||||
// If default key is missing or not matches the external one, enable key
|
||||
// rotation mode to re-fetch public key again.
|
||||
@ -149,8 +155,9 @@ MachineLevelUserCloudPolicyStore::MaybeUseExternalCachedPolicies(
|
||||
external_policy_cache_load_result.doing_key_rotation = true;
|
||||
}
|
||||
|
||||
if (default_cached_policy_load_result.status != policy::LOAD_RESULT_SUCCESS)
|
||||
if (default_cached_policy_load_result.status != policy::LOAD_RESULT_SUCCESS) {
|
||||
return external_policy_cache_load_result;
|
||||
}
|
||||
|
||||
enterprise_management::PolicyData default_data;
|
||||
enterprise_management::PolicyData external_data;
|
||||
@ -239,8 +246,9 @@ void MachineLevelUserCloudPolicyStore::Validate(
|
||||
|
||||
// Policies cached by the external provider do not require key and signature
|
||||
// validation since they are stored in a secure location.
|
||||
if (key)
|
||||
if (key || base::FeatureList::IsEnabled(kAlwaysVerifyPolicyKey)) {
|
||||
ValidateKeyAndSignature(validator.get(), key.get(), std::string());
|
||||
}
|
||||
|
||||
if (validate_in_background) {
|
||||
UserCloudPolicyValidator::StartValidation(std::move(validator),
|
||||
|
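Review bot: In the Validate hunk, the comment kept above the changed condition still says externally cached policies "do not require key and signature validation", but with kAlwaysVerifyPolicyKey enabled by default ValidateKeyAndSignature now runs even when `key` is null, so the comment contradicts the code. I would reword it along the lines of `// Key and signature are always validated unless kAlwaysVerifyPolicyKey is disabled; only then do keyless external-cache policies skip the check.` The new branch also passes `key.get()` as nullptr whenever no key was cached; ValidateKeyAndSignature is not shown here, so please confirm it handles a null key safely and still enforces the signature check, and add a test covering a keyless load with the feature on. Validate's body starts and ends outside the hunk.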