1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "policy/device_policy_impl.h"
6 
7 #include <algorithm>
8 #include <map>
9 #include <memory>
10 #include <set>
11 #include <string>
12 
13 #include <base/containers/adapters.h>
14 #include <base/files/file_util.h>
15 #include <base/json/json_reader.h>
16 #include <base/logging.h>
17 #include <base/macros.h>
18 #include <base/memory/ptr_util.h>
19 #include <base/stl_util.h>
20 #include <base/time/time.h>
21 #include <base/values.h>
22 #include <openssl/evp.h>
23 #include <openssl/x509.h>
24 
25 #include "bindings/chrome_device_policy.pb.h"
26 #include "bindings/device_management_backend.pb.h"
27 #include "policy/policy_util.h"
28 #include "policy/resilient_policy_util.h"
29 
30 namespace em = enterprise_management;
31 
32 namespace policy {
33 
34 // TODO(crbug.com/984789): Remove once support for OpenSSL <1.1 is dropped.
35 #if OPENSSL_VERSION_NUMBER < 0x10100000L
36 #define EVP_MD_CTX_new EVP_MD_CTX_create
37 #define EVP_MD_CTX_free EVP_MD_CTX_destroy
38 #endif
39 
40 // Maximum value of RollbackAllowedMilestones policy.
41 const int kMaxRollbackAllowedMilestones = 4;
42 
43 namespace {
44 const char kPolicyPath[] = "/var/lib/whitelist/policy";
45 const char kPublicKeyPath[] = "/var/lib/whitelist/owner.key";
46 
47 // Reads the public key used to sign the policy from |key_file| and stores it
48 // in |public_key|. Returns true on success.
ReadPublicKeyFromFile(const base::FilePath & key_file,std::string * public_key)49 bool ReadPublicKeyFromFile(const base::FilePath& key_file,
50                            std::string* public_key) {
51   if (!base::PathExists(key_file))
52     return false;
53   public_key->clear();
54   if (!base::ReadFileToString(key_file, public_key) || public_key->empty()) {
55     LOG(ERROR) << "Could not read public key off disk";
56     return false;
57   }
58   return true;
59 }
60 
61 // Verifies that the |signed_data| has correct |signature| with |public_key|.
VerifySignature(const std::string & signed_data,const std::string & signature,const std::string & public_key)62 bool VerifySignature(const std::string& signed_data,
63                      const std::string& signature,
64                      const std::string& public_key) {
65   std::unique_ptr<EVP_MD_CTX, void (*)(EVP_MD_CTX *)> ctx(EVP_MD_CTX_new(),
66                                                           EVP_MD_CTX_free);
67   if (!ctx)
68     return false;
69 
70   const EVP_MD* digest = EVP_sha1();
71 
72   char* key = const_cast<char*>(public_key.data());
73   BIO* bio = BIO_new_mem_buf(key, public_key.length());
74   if (!bio)
75     return false;
76 
77   EVP_PKEY* public_key_ssl = d2i_PUBKEY_bio(bio, nullptr);
78   if (!public_key_ssl) {
79     BIO_free_all(bio);
80     return false;
81   }
82 
83   const unsigned char* sig =
84       reinterpret_cast<const unsigned char*>(signature.data());
85   int rv = EVP_VerifyInit_ex(ctx.get(), digest, nullptr);
86   if (rv == 1) {
87     EVP_VerifyUpdate(ctx.get(), signed_data.data(), signed_data.length());
88     rv = EVP_VerifyFinal(ctx.get(), sig, signature.length(), public_key_ssl);
89   }
90 
91   EVP_PKEY_free(public_key_ssl);
92   BIO_free_all(bio);
93 
94   return rv == 1;
95 }
96 
97 // Decodes the connection type enum from the device settings protobuf to string
98 // representations. The strings must match the connection manager definitions.
DecodeConnectionType(int type)99 std::string DecodeConnectionType(int type) {
100   static const char* const kConnectionTypes[] = {
101       "ethernet", "wifi", "wimax", "bluetooth", "cellular",
102   };
103 
104   if (type < 0 || type >= static_cast<int>(base::size(kConnectionTypes)))
105     return std::string();
106 
107   return kConnectionTypes[type];
108 }
109 
110 // TODO(adokar): change type to base::Optional<int> when available.
ConvertDayOfWeekStringToInt(const std::string & day_of_week_str)111 int ConvertDayOfWeekStringToInt(const std::string& day_of_week_str) {
112   if (day_of_week_str == "Sunday") return 0;
113   if (day_of_week_str == "Monday") return 1;
114   if (day_of_week_str == "Tuesday") return 2;
115   if (day_of_week_str == "Wednesday") return 3;
116   if (day_of_week_str == "Thursday") return 4;
117   if (day_of_week_str == "Friday") return 5;
118   if (day_of_week_str == "Saturday") return 6;
119   return -1;
120 }
121 
DecodeWeeklyTimeFromValue(const base::DictionaryValue & dict_value,int * day_of_week_out,base::TimeDelta * time_out)122 bool DecodeWeeklyTimeFromValue(const base::DictionaryValue& dict_value,
123                                int* day_of_week_out,
124                                base::TimeDelta* time_out) {
125   std::string day_of_week_str;
126   if (!dict_value.GetString("day_of_week", &day_of_week_str)) {
127     LOG(ERROR) << "Day of the week is absent.";
128     return false;
129   }
130   *day_of_week_out = ConvertDayOfWeekStringToInt(day_of_week_str);
131   if (*day_of_week_out == -1) {
132     LOG(ERROR) << "Undefined day of the week: " << day_of_week_str;
133     return false;
134   }
135 
136   int hours;
137   if (!dict_value.GetInteger("hours", &hours) || hours < 0 || hours > 23) {
138     LOG(ERROR) << "Hours are absent or are outside of the range [0, 24).";
139     return false;
140   }
141 
142   int minutes;
143   if (!dict_value.GetInteger("minutes", &minutes) || minutes < 0 ||
144       minutes > 59) {
145     LOG(ERROR) << "Minutes are absent or are outside the range [0, 60)";
146     return false;
147   }
148 
149   *time_out =
150       base::TimeDelta::FromMinutes(minutes) + base::TimeDelta::FromHours(hours);
151   return true;
152 }
153 
DecodeListValueFromJSON(const std::string & json_string)154 std::unique_ptr<base::ListValue> DecodeListValueFromJSON(
155     const std::string& json_string) {
156   std::string error;
157   std::unique_ptr<base::Value> decoded_json =
158       base::JSONReader::ReadAndReturnError(json_string,
159                                            base::JSON_ALLOW_TRAILING_COMMAS,
160                                            nullptr, &error);
161   if (!decoded_json) {
162     LOG(ERROR) << "Invalid JSON string: " << error;
163     return nullptr;
164   }
165 
166   std::unique_ptr<base::ListValue> list_val =
167       base::ListValue::From(std::move(decoded_json));
168   if (!list_val) {
169     LOG(ERROR) << "JSON string is not a list";
170     return nullptr;
171   }
172 
173   return list_val;
174 }
175 
176 }  // namespace
177 
DevicePolicyImpl()178 DevicePolicyImpl::DevicePolicyImpl()
179     : policy_path_(kPolicyPath), keyfile_path_(kPublicKeyPath) {}
180 
~DevicePolicyImpl()181 DevicePolicyImpl::~DevicePolicyImpl() {}
182 
LoadPolicy()183 bool DevicePolicyImpl::LoadPolicy() {
184   std::map<int, base::FilePath> sorted_policy_file_paths =
185       policy::GetSortedResilientPolicyFilePaths(policy_path_);
186   if (sorted_policy_file_paths.empty())
187     return false;
188 
189   // Try to load the existent policy files one by one in reverse order of their
190   // index until we succeed. The default policy, if present, appears as index 0
191   // in the map and is loaded the last. This is intentional as that file is the
192   // oldest.
193   bool policy_loaded = false;
194   for (const auto& map_pair : base::Reversed(sorted_policy_file_paths)) {
195     const base::FilePath& policy_path = map_pair.second;
196     if (LoadPolicyFromFile(policy_path)) {
197       policy_loaded = true;
198       break;
199     }
200   }
201 
202   return policy_loaded;
203 }
204 
IsEnterpriseEnrolled() const205 bool DevicePolicyImpl::IsEnterpriseEnrolled() const {
206   DCHECK(install_attributes_reader_);
207   if (!install_attributes_reader_->IsLocked())
208     return false;
209 
210   const std::string& device_mode = install_attributes_reader_->GetAttribute(
211       InstallAttributesReader::kAttrMode);
212   return device_mode == InstallAttributesReader::kDeviceModeEnterprise ||
213       device_mode == InstallAttributesReader::kDeviceModeEnterpriseAD;
214 }
215 
GetPolicyRefreshRate(int * rate) const216 bool DevicePolicyImpl::GetPolicyRefreshRate(int* rate) const {
217   if (!device_policy_.has_device_policy_refresh_rate())
218     return false;
219   *rate = static_cast<int>(
220       device_policy_.device_policy_refresh_rate().device_policy_refresh_rate());
221   return true;
222 }
223 
GetUserWhitelist(std::vector<std::string> * user_whitelist) const224 bool DevicePolicyImpl::GetUserWhitelist(
225     std::vector<std::string>* user_whitelist) const {
226   if (!device_policy_.has_user_whitelist())
227     return false;
228   const em::UserWhitelistProto& proto = device_policy_.user_whitelist();
229   user_whitelist->clear();
230   for (int i = 0; i < proto.user_whitelist_size(); i++)
231     user_whitelist->push_back(proto.user_whitelist(i));
232   return true;
233 }
234 
GetGuestModeEnabled(bool * guest_mode_enabled) const235 bool DevicePolicyImpl::GetGuestModeEnabled(bool* guest_mode_enabled) const {
236   if (!device_policy_.has_guest_mode_enabled())
237     return false;
238   *guest_mode_enabled =
239       device_policy_.guest_mode_enabled().guest_mode_enabled();
240   return true;
241 }
242 
GetCameraEnabled(bool * camera_enabled) const243 bool DevicePolicyImpl::GetCameraEnabled(bool* camera_enabled) const {
244   if (!device_policy_.has_camera_enabled())
245     return false;
246   *camera_enabled = device_policy_.camera_enabled().camera_enabled();
247   return true;
248 }
249 
GetShowUserNames(bool * show_user_names) const250 bool DevicePolicyImpl::GetShowUserNames(bool* show_user_names) const {
251   if (!device_policy_.has_show_user_names())
252     return false;
253   *show_user_names = device_policy_.show_user_names().show_user_names();
254   return true;
255 }
256 
GetDataRoamingEnabled(bool * data_roaming_enabled) const257 bool DevicePolicyImpl::GetDataRoamingEnabled(bool* data_roaming_enabled) const {
258   if (!device_policy_.has_data_roaming_enabled())
259     return false;
260   *data_roaming_enabled =
261       device_policy_.data_roaming_enabled().data_roaming_enabled();
262   return true;
263 }
264 
GetAllowNewUsers(bool * allow_new_users) const265 bool DevicePolicyImpl::GetAllowNewUsers(bool* allow_new_users) const {
266   if (!device_policy_.has_allow_new_users())
267     return false;
268   *allow_new_users = device_policy_.allow_new_users().allow_new_users();
269   return true;
270 }
271 
GetMetricsEnabled(bool * metrics_enabled) const272 bool DevicePolicyImpl::GetMetricsEnabled(bool* metrics_enabled) const {
273   if (!device_policy_.has_metrics_enabled())
274     return false;
275   *metrics_enabled = device_policy_.metrics_enabled().metrics_enabled();
276   return true;
277 }
278 
GetReportVersionInfo(bool * report_version_info) const279 bool DevicePolicyImpl::GetReportVersionInfo(bool* report_version_info) const {
280   if (!device_policy_.has_device_reporting())
281     return false;
282 
283   const em::DeviceReportingProto& proto = device_policy_.device_reporting();
284   if (!proto.has_report_version_info())
285     return false;
286 
287   *report_version_info = proto.report_version_info();
288   return true;
289 }
290 
GetReportActivityTimes(bool * report_activity_times) const291 bool DevicePolicyImpl::GetReportActivityTimes(
292     bool* report_activity_times) const {
293   if (!device_policy_.has_device_reporting())
294     return false;
295 
296   const em::DeviceReportingProto& proto = device_policy_.device_reporting();
297   if (!proto.has_report_activity_times())
298     return false;
299 
300   *report_activity_times = proto.report_activity_times();
301   return true;
302 }
303 
GetReportBootMode(bool * report_boot_mode) const304 bool DevicePolicyImpl::GetReportBootMode(bool* report_boot_mode) const {
305   if (!device_policy_.has_device_reporting())
306     return false;
307 
308   const em::DeviceReportingProto& proto = device_policy_.device_reporting();
309   if (!proto.has_report_boot_mode())
310     return false;
311 
312   *report_boot_mode = proto.report_boot_mode();
313   return true;
314 }
315 
GetEphemeralUsersEnabled(bool * ephemeral_users_enabled) const316 bool DevicePolicyImpl::GetEphemeralUsersEnabled(
317     bool* ephemeral_users_enabled) const {
318   if (!device_policy_.has_ephemeral_users_enabled())
319     return false;
320   *ephemeral_users_enabled =
321       device_policy_.ephemeral_users_enabled().ephemeral_users_enabled();
322   return true;
323 }
324 
GetReleaseChannel(std::string * release_channel) const325 bool DevicePolicyImpl::GetReleaseChannel(std::string* release_channel) const {
326   if (!device_policy_.has_release_channel())
327     return false;
328 
329   const em::ReleaseChannelProto& proto = device_policy_.release_channel();
330   if (!proto.has_release_channel())
331     return false;
332 
333   *release_channel = proto.release_channel();
334   return true;
335 }
336 
GetReleaseChannelDelegated(bool * release_channel_delegated) const337 bool DevicePolicyImpl::GetReleaseChannelDelegated(
338     bool* release_channel_delegated) const {
339   if (!device_policy_.has_release_channel())
340     return false;
341 
342   const em::ReleaseChannelProto& proto = device_policy_.release_channel();
343   if (!proto.has_release_channel_delegated())
344     return false;
345 
346   *release_channel_delegated = proto.release_channel_delegated();
347   return true;
348 }
349 
GetUpdateDisabled(bool * update_disabled) const350 bool DevicePolicyImpl::GetUpdateDisabled(bool* update_disabled) const {
351   if (!IsEnterpriseEnrolled())
352     return false;
353 
354   if (!device_policy_.has_auto_update_settings())
355     return false;
356 
357   const em::AutoUpdateSettingsProto& proto =
358       device_policy_.auto_update_settings();
359   if (!proto.has_update_disabled())
360     return false;
361 
362   *update_disabled = proto.update_disabled();
363   return true;
364 }
365 
GetTargetVersionPrefix(std::string * target_version_prefix) const366 bool DevicePolicyImpl::GetTargetVersionPrefix(
367     std::string* target_version_prefix) const {
368   if (!IsEnterpriseEnrolled())
369     return false;
370 
371   if (!device_policy_.has_auto_update_settings())
372     return false;
373 
374   const em::AutoUpdateSettingsProto& proto =
375       device_policy_.auto_update_settings();
376   if (!proto.has_target_version_prefix())
377     return false;
378 
379   *target_version_prefix = proto.target_version_prefix();
380   return true;
381 }
382 
GetRollbackToTargetVersion(int * rollback_to_target_version) const383 bool DevicePolicyImpl::GetRollbackToTargetVersion(
384     int* rollback_to_target_version) const {
385   if (!device_policy_.has_auto_update_settings())
386     return false;
387 
388   const em::AutoUpdateSettingsProto& proto =
389       device_policy_.auto_update_settings();
390   if (!proto.has_rollback_to_target_version())
391     return false;
392 
393   *rollback_to_target_version = proto.rollback_to_target_version();
394   return true;
395 }
396 
GetRollbackAllowedMilestones(int * rollback_allowed_milestones) const397 bool DevicePolicyImpl::GetRollbackAllowedMilestones(
398     int* rollback_allowed_milestones) const {
399   // This policy can be only set for devices which are enterprise enrolled.
400   if (!IsEnterpriseEnrolled())
401     return false;
402 
403   if (device_policy_.has_auto_update_settings()) {
404     const em::AutoUpdateSettingsProto& proto =
405         device_policy_.auto_update_settings();
406     if (proto.has_rollback_allowed_milestones()) {
407       // Policy is set, enforce minimum and maximum constraints.
408       *rollback_allowed_milestones = proto.rollback_allowed_milestones();
409       if (*rollback_allowed_milestones < 0)
410         *rollback_allowed_milestones = 0;
411       if (*rollback_allowed_milestones > kMaxRollbackAllowedMilestones)
412         *rollback_allowed_milestones = kMaxRollbackAllowedMilestones;
413       return true;
414     }
415   }
416   // Policy is not present, use default for enterprise devices.
417   VLOG(1) << "RollbackAllowedMilestones policy is not set, using default "
418           << kMaxRollbackAllowedMilestones << ".";
419   *rollback_allowed_milestones = kMaxRollbackAllowedMilestones;
420   return true;
421 }
422 
GetScatterFactorInSeconds(int64_t * scatter_factor_in_seconds) const423 bool DevicePolicyImpl::GetScatterFactorInSeconds(
424     int64_t* scatter_factor_in_seconds) const {
425   if (!device_policy_.has_auto_update_settings())
426     return false;
427 
428   const em::AutoUpdateSettingsProto& proto =
429       device_policy_.auto_update_settings();
430   if (!proto.has_scatter_factor_in_seconds())
431     return false;
432 
433   *scatter_factor_in_seconds = proto.scatter_factor_in_seconds();
434   return true;
435 }
436 
GetAllowedConnectionTypesForUpdate(std::set<std::string> * connection_types) const437 bool DevicePolicyImpl::GetAllowedConnectionTypesForUpdate(
438     std::set<std::string>* connection_types) const {
439   if (!IsEnterpriseEnrolled())
440     return false;
441 
442   if (!device_policy_.has_auto_update_settings())
443     return false;
444 
445   const em::AutoUpdateSettingsProto& proto =
446       device_policy_.auto_update_settings();
447   if (proto.allowed_connection_types_size() <= 0)
448     return false;
449 
450   for (int i = 0; i < proto.allowed_connection_types_size(); i++) {
451     std::string type = DecodeConnectionType(proto.allowed_connection_types(i));
452     if (!type.empty())
453       connection_types->insert(type);
454   }
455   return true;
456 }
457 
GetOpenNetworkConfiguration(std::string * open_network_configuration) const458 bool DevicePolicyImpl::GetOpenNetworkConfiguration(
459     std::string* open_network_configuration) const {
460   if (!device_policy_.has_open_network_configuration())
461     return false;
462 
463   const em::DeviceOpenNetworkConfigurationProto& proto =
464       device_policy_.open_network_configuration();
465   if (!proto.has_open_network_configuration())
466     return false;
467 
468   *open_network_configuration = proto.open_network_configuration();
469   return true;
470 }
471 
GetOwner(std::string * owner) const472 bool DevicePolicyImpl::GetOwner(std::string* owner) const {
473   if (IsEnterpriseManaged()) {
474     *owner = "";
475     return true;
476   }
477 
478   if (!policy_data_.has_username())
479     return false;
480   *owner = policy_data_.username();
481   return true;
482 }
483 
GetHttpDownloadsEnabled(bool * http_downloads_enabled) const484 bool DevicePolicyImpl::GetHttpDownloadsEnabled(
485     bool* http_downloads_enabled) const {
486   if (!device_policy_.has_auto_update_settings())
487     return false;
488 
489   const em::AutoUpdateSettingsProto& proto =
490       device_policy_.auto_update_settings();
491 
492   if (!proto.has_http_downloads_enabled())
493     return false;
494 
495   *http_downloads_enabled = proto.http_downloads_enabled();
496   return true;
497 }
498 
GetAuP2PEnabled(bool * au_p2p_enabled) const499 bool DevicePolicyImpl::GetAuP2PEnabled(bool* au_p2p_enabled) const {
500   if (!device_policy_.has_auto_update_settings())
501     return false;
502 
503   const em::AutoUpdateSettingsProto& proto =
504       device_policy_.auto_update_settings();
505 
506   if (!proto.has_p2p_enabled())
507     return false;
508 
509   *au_p2p_enabled = proto.p2p_enabled();
510   return true;
511 }
512 
GetAllowKioskAppControlChromeVersion(bool * allow_kiosk_app_control_chrome_version) const513 bool DevicePolicyImpl::GetAllowKioskAppControlChromeVersion(
514     bool* allow_kiosk_app_control_chrome_version) const {
515   if (!device_policy_.has_allow_kiosk_app_control_chrome_version())
516     return false;
517 
518   const em::AllowKioskAppControlChromeVersionProto& proto =
519       device_policy_.allow_kiosk_app_control_chrome_version();
520 
521   if (!proto.has_allow_kiosk_app_control_chrome_version())
522     return false;
523 
524   *allow_kiosk_app_control_chrome_version =
525       proto.allow_kiosk_app_control_chrome_version();
526   return true;
527 }
528 
GetUsbDetachableWhitelist(std::vector<UsbDeviceId> * usb_whitelist) const529 bool DevicePolicyImpl::GetUsbDetachableWhitelist(
530     std::vector<UsbDeviceId>* usb_whitelist) const {
531   if (!device_policy_.has_usb_detachable_whitelist())
532     return false;
533   const em::UsbDetachableWhitelistProto& proto =
534       device_policy_.usb_detachable_whitelist();
535   usb_whitelist->clear();
536   for (int i = 0; i < proto.id_size(); i++) {
537     const em::UsbDeviceIdProto& id = proto.id(i);
538     UsbDeviceId dev_id;
539     dev_id.vendor_id = id.has_vendor_id() ? id.vendor_id() : 0;
540     dev_id.product_id = id.has_product_id() ? id.product_id() : 0;
541     usb_whitelist->push_back(dev_id);
542   }
543   return true;
544 }
545 
GetDeviceUpdateStagingSchedule(std::vector<DayPercentagePair> * staging_schedule_out) const546 bool DevicePolicyImpl::GetDeviceUpdateStagingSchedule(
547     std::vector<DayPercentagePair>* staging_schedule_out) const {
548   staging_schedule_out->clear();
549 
550   if (!device_policy_.has_auto_update_settings())
551     return false;
552 
553   const em::AutoUpdateSettingsProto &proto =
554       device_policy_.auto_update_settings();
555 
556   if (!proto.has_staging_schedule())
557     return false;
558 
559   std::unique_ptr<base::ListValue> list_val =
560       DecodeListValueFromJSON(proto.staging_schedule());
561   if (!list_val)
562     return false;
563 
564   for (const auto& pair_value : *list_val) {
565     const base::DictionaryValue* day_percentage_pair;
566     if (!pair_value.GetAsDictionary(&day_percentage_pair))
567       return false;
568     int days, percentage;
569     if (!day_percentage_pair->GetInteger("days", &days) ||
570         !day_percentage_pair->GetInteger("percentage", &percentage))
571       return false;
572     // Limit the percentage to [0, 100] and days to [1, 28];
573     staging_schedule_out->push_back({std::max(std::min(days, 28), 1),
574                                      std::max(std::min(percentage, 100), 0)});
575   }
576 
577   return true;
578 }
579 
GetAutoLaunchedKioskAppId(std::string * app_id_out) const580 bool DevicePolicyImpl::GetAutoLaunchedKioskAppId(
581     std::string* app_id_out) const {
582   if (!device_policy_.has_device_local_accounts())
583     return false;
584 
585   const em::DeviceLocalAccountsProto& local_accounts =
586       device_policy_.device_local_accounts();
587 
588   // For auto-launched kiosk apps, the delay needs to be 0.
589   if (local_accounts.has_auto_login_delay() &&
590       local_accounts.auto_login_delay() != 0)
591     return false;
592 
593   for (const em::DeviceLocalAccountInfoProto& account :
594        local_accounts.account()) {
595     // If this isn't an auto-login account, move to the next one.
596     if (account.account_id() != local_accounts.auto_login_id())
597       continue;
598 
599     // If the auto-launched account is not a kiosk app, bail out, we aren't
600     // running in auto-launched kiosk mode.
601     if (account.type() !=
602         em::DeviceLocalAccountInfoProto::ACCOUNT_TYPE_KIOSK_APP) {
603       return false;
604     }
605 
606     *app_id_out = account.kiosk_app().app_id();
607     return true;
608   }
609 
610   // No auto-launched account found.
611   return false;
612 }
613 
IsEnterpriseManaged() const614 bool DevicePolicyImpl::IsEnterpriseManaged() const {
615   if (policy_data_.has_management_mode())
616     return policy_data_.management_mode() == em::PolicyData::ENTERPRISE_MANAGED;
617   // Fall back to checking the request token, see management_mode documentation
618   // in device_management_backend.proto.
619   return policy_data_.has_request_token();
620 }
621 
GetSecondFactorAuthenticationMode(int * mode_out) const622 bool DevicePolicyImpl::GetSecondFactorAuthenticationMode(int* mode_out) const {
623   if (!device_policy_.has_device_second_factor_authentication())
624     return false;
625 
626   const em::DeviceSecondFactorAuthenticationProto& proto =
627       device_policy_.device_second_factor_authentication();
628 
629   if (!proto.has_mode())
630     return false;
631 
632   *mode_out = proto.mode();
633   return true;
634 }
635 
GetDisallowedTimeIntervals(std::vector<WeeklyTimeInterval> * intervals_out) const636 bool DevicePolicyImpl::GetDisallowedTimeIntervals(
637     std::vector<WeeklyTimeInterval>* intervals_out) const {
638   intervals_out->clear();
639   if (!IsEnterpriseEnrolled())
640     return false;
641 
642   if (!device_policy_.has_auto_update_settings()) {
643     return false;
644   }
645 
646   const em::AutoUpdateSettingsProto& proto =
647       device_policy_.auto_update_settings();
648 
649   if (!proto.has_disallowed_time_intervals()) {
650     return false;
651   }
652 
653   std::unique_ptr<base::ListValue> list_val =
654       DecodeListValueFromJSON(proto.disallowed_time_intervals());
655   if (!list_val)
656     return false;
657 
658   for (const auto& interval_value : *list_val) {
659     const base::DictionaryValue* interval_dict;
660     if (!interval_value.GetAsDictionary(&interval_dict)) {
661       LOG(ERROR) << "Invalid JSON string given. Interval is not a dict.";
662       return false;
663     }
664     const base::DictionaryValue* start;
665     const base::DictionaryValue* end;
666     if (!interval_dict->GetDictionary("start", &start) ||
667         !interval_dict->GetDictionary("end", &end)) {
668       LOG(ERROR) << "Interval is missing start/end.";
669       return false;
670     }
671     WeeklyTimeInterval weekly_interval;
672     if (!DecodeWeeklyTimeFromValue(*start, &weekly_interval.start_day_of_week,
673                                    &weekly_interval.start_time) ||
674         !DecodeWeeklyTimeFromValue(*end, &weekly_interval.end_day_of_week,
675                                    &weekly_interval.end_time)) {
676       return false;
677     }
678 
679     intervals_out->push_back(weekly_interval);
680   }
681   return true;
682 }
683 
GetDeviceQuickFixBuildToken(std::string * device_quick_fix_build_token) const684 bool DevicePolicyImpl::GetDeviceQuickFixBuildToken(
685     std::string* device_quick_fix_build_token) const {
686   if (!IsEnterpriseEnrolled() || !device_policy_.has_auto_update_settings())
687     return false;
688 
689   const em::AutoUpdateSettingsProto& proto =
690       device_policy_.auto_update_settings();
691   if (!proto.has_device_quick_fix_build_token())
692     return false;
693 
694   *device_quick_fix_build_token = proto.device_quick_fix_build_token();
695   return true;
696 }
697 
GetDeviceDirectoryApiId(std::string * directory_api_id_out) const698 bool DevicePolicyImpl::GetDeviceDirectoryApiId(
699     std::string* directory_api_id_out) const {
700   if (!policy_data_.has_directory_api_id())
701     return false;
702 
703   *directory_api_id_out = policy_data_.directory_api_id();
704   return true;
705 }
706 
VerifyPolicyFile(const base::FilePath & policy_path)707 bool DevicePolicyImpl::VerifyPolicyFile(const base::FilePath& policy_path) {
708   if (!verify_root_ownership_) {
709     return true;
710   }
711 
712   // Both the policy and its signature have to exist.
713   if (!base::PathExists(policy_path) || !base::PathExists(keyfile_path_)) {
714     return false;
715   }
716 
717   // Check if the policy and signature file is owned by root.
718   struct stat file_stat;
719   stat(policy_path.value().c_str(), &file_stat);
720   if (file_stat.st_uid != 0) {
721     LOG(ERROR) << "Policy file is not owned by root!";
722     return false;
723   }
724   stat(keyfile_path_.value().c_str(), &file_stat);
725   if (file_stat.st_uid != 0) {
726     LOG(ERROR) << "Policy signature file is not owned by root!";
727     return false;
728   }
729   return true;
730 }
731 
VerifyPolicySignature()732 bool DevicePolicyImpl::VerifyPolicySignature() {
733   if (policy_.has_policy_data_signature()) {
734     std::string policy_data = policy_.policy_data();
735     std::string policy_data_signature = policy_.policy_data_signature();
736     std::string public_key;
737     if (!ReadPublicKeyFromFile(base::FilePath(keyfile_path_), &public_key)) {
738       LOG(ERROR) << "Could not read owner key off disk";
739       return false;
740     }
741     if (!VerifySignature(policy_data, policy_data_signature, public_key)) {
742       LOG(ERROR) << "Signature does not match the data or can not be verified!";
743       return false;
744     }
745     return true;
746   }
747   LOG(ERROR) << "The policy blob is not signed!";
748   return false;
749 }
750 
LoadPolicyFromFile(const base::FilePath & policy_path)751 bool DevicePolicyImpl::LoadPolicyFromFile(const base::FilePath& policy_path) {
752   std::string policy_data_str;
753   if (policy::LoadPolicyFromPath(policy_path, &policy_data_str, &policy_) !=
754       LoadPolicyResult::kSuccess) {
755     return false;
756   }
757   if (!policy_.has_policy_data()) {
758     LOG(ERROR) << "Policy on disk could not be parsed!";
759     return false;
760   }
761   if (!policy_data_.ParseFromString(policy_.policy_data()) ||
762       !policy_data_.has_policy_value()) {
763     LOG(ERROR) << "Policy on disk could not be parsed!";
764     return false;
765   }
766 
767   bool verify_policy = verify_policy_;
768   if (!install_attributes_reader_) {
769     install_attributes_reader_ = std::make_unique<InstallAttributesReader>();
770   }
771   const std::string& mode = install_attributes_reader_->GetAttribute(
772       InstallAttributesReader::kAttrMode);
773   if (mode == InstallAttributesReader::kDeviceModeEnterpriseAD) {
774     verify_policy = false;
775   }
776   if (verify_policy && !VerifyPolicyFile(policy_path)) {
777     return false;
778   }
779 
780   // Make sure the signature is still valid.
781   if (verify_policy && !VerifyPolicySignature()) {
782     LOG(ERROR) << "Policy signature verification failed!";
783     return false;
784   }
785   if (!device_policy_.ParseFromString(policy_data_.policy_value())) {
786     LOG(ERROR) << "Policy on disk could not be parsed!";
787     return false;
788   }
789 
790   return true;
791 }
792 
793 }  // namespace policy
794