| // Copyright 2018 The Chromium Authors. All rights reserved. |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/policy/browser_dm_token_storage_linux.h" |
| |
| #include <string> |
| |
| #include "base/base64url.h" |
| #include "base/bind.h" |
| #include "base/bind_helpers.h" |
| #include "base/callback.h" |
| #include "base/files/file_util.h" |
| #include "base/files/important_file_writer.h" |
| #include "base/logging.h" |
| #include "base/no_destructor.h" |
| #include "base/path_service.h" |
| #include "base/sha1.h" |
| #include "base/strings/string16.h" |
| #include "base/strings/string_util.h" |
| #include "base/strings/utf_string_conversions.h" |
| #include "base/syslog_logging.h" |
| #include "base/task/post_task.h" |
| #include "base/task_runner_util.h" |
| #include "base/threading/scoped_blocking_call.h" |
| #include "base/threading/sequenced_task_runner_handle.h" |
| #include "chrome/common/chrome_paths.h" |
| |
| namespace policy { |
| |
| namespace { |
| |
| const char kDmTokenBaseDir[] = FILE_PATH_LITERAL("Policy/Enrollment/"); |
| const char kEnrollmentTokenFilename[] = |
| FILE_PATH_LITERAL("enrollment/CloudManagementEnrollmentToken"); |
| // TODO(crbug.com/907589) : Remove once no longer in use. |
| const char kEnrollmentTokenOldFilename[] = |
| FILE_PATH_LITERAL("enrollment/enrollment_token"); |
| const char kMachineIdFilename[] = FILE_PATH_LITERAL("/etc/machine-id"); |
| |
| // Enrollment Mandatory Option. |
| const char kEnrollmentOptionsFilePath[] = |
| FILE_PATH_LITERAL("enrollment/CloudManagementEnrollmentOptions"); |
| const char kEnrollmentMandatoryOption[] = "Mandatory"; |
| |
| bool GetDmTokenFilePath(base::FilePath* token_file_path, |
| const std::string& client_id, |
| bool create_dir) { |
| if (!base::PathService::Get(chrome::DIR_USER_DATA, token_file_path)) |
| return false; |
| |
| *token_file_path = token_file_path->Append(kDmTokenBaseDir); |
| |
| if (create_dir && !base::CreateDirectory(*token_file_path)) |
| return false; |
| |
| *token_file_path = token_file_path->Append(client_id); |
| |
| return true; |
| } |
| |
| bool StoreDMTokenInUserDataDir(const std::string& token, |
| const std::string& client_id) { |
| base::FilePath token_file_path; |
| if (!GetDmTokenFilePath(&token_file_path, client_id, true)) { |
| NOTREACHED(); |
| return false; |
| } |
| |
| return base::ImportantFileWriter::WriteFileAtomically(token_file_path, token); |
| } |
| |
| } // namespace |
| |
| // static |
| BrowserDMTokenStorage* BrowserDMTokenStorage::Get() { |
| if (storage_for_testing_) |
| return storage_for_testing_; |
| |
| static base::NoDestructor<BrowserDMTokenStorageLinux> storage; |
| return storage.get(); |
| } |
| |
| BrowserDMTokenStorageLinux::BrowserDMTokenStorageLinux() |
| : weak_factory_(this) {} |
| |
| BrowserDMTokenStorageLinux::~BrowserDMTokenStorageLinux() {} |
| |
| std::string BrowserDMTokenStorageLinux::InitClientId() { |
| // The client ID is derived from /etc/machine-id |
| // (https://www.freedesktop.org/software/systemd/man/machine-id.html). As per |
| // guidelines, this ID must not be transmitted outside of the machine, which |
| // is why we hash it first and then encode it in base64 before transmitting |
| // it. |
| const int machine_id_size = 32; |
| std::string machine_id; |
| machine_id = ReadMachineIdFile(); |
| base::StringPiece machine_id_trimmed = |
| base::TrimWhitespaceASCII(machine_id, base::TRIM_TRAILING); |
| if (machine_id_trimmed.size() != machine_id_size) { |
| SYSLOG(ERROR) << "Error: /etc/machine-id contains " |
| << machine_id_trimmed.size() << " characters (" |
| << machine_id_size << " were expected)."; |
| return std::string(); |
| } |
| |
| std::string machine_id_base64; |
| base::Base64UrlEncode(base::SHA1HashString(std::string(machine_id_trimmed)), |
| base::Base64UrlEncodePolicy::OMIT_PADDING, |
| &machine_id_base64); |
| return machine_id_base64; |
| } |
| |
| std::string BrowserDMTokenStorageLinux::InitEnrollmentToken() { |
| std::string enrollment_token; |
| base::FilePath dir_policy_files_path; |
| |
| if (!base::PathService::Get(chrome::DIR_POLICY_FILES, |
| &dir_policy_files_path)) { |
| return std::string(); |
| } |
| |
| base::FilePath token_file_path = |
| dir_policy_files_path.Append(kEnrollmentTokenFilename); |
| |
| // Read the enrollment token from the new location. If that fails, try the old |
| // location (which will be deprecated soon). If that also fails, bail as there |
| // is no token set. |
| if (!base::ReadFileToString(token_file_path, &enrollment_token)) { |
| // TODO(crbug.com/907589) : Remove once no longer in use. |
| token_file_path = dir_policy_files_path.Append(kEnrollmentTokenOldFilename); |
| if (!base::ReadFileToString(token_file_path, &enrollment_token)) |
| return std::string(); |
| } |
| |
| return base::TrimWhitespaceASCII(enrollment_token, base::TRIM_ALL) |
| .as_string(); |
| } |
| |
| std::string BrowserDMTokenStorageLinux::InitDMToken() { |
| base::FilePath token_file_path; |
| if (!GetDmTokenFilePath(&token_file_path, RetrieveClientId(), false)) |
| return std::string(); |
| |
| std::string token; |
| if (!base::ReadFileToString(token_file_path, &token)) |
| return std::string(); |
| |
| return token; |
| } |
| |
| bool BrowserDMTokenStorageLinux::InitEnrollmentErrorOption() { |
| std::string options; |
| base::FilePath dir_policy_files_path; |
| |
| if (!base::PathService::Get(chrome::DIR_POLICY_FILES, |
| &dir_policy_files_path)) { |
| return false; |
| } |
| |
| base::FilePath options_file_path = |
| dir_policy_files_path.Append(kEnrollmentOptionsFilePath); |
| |
| if (!base::ReadFileToString(options_file_path, &options)) |
| return false; |
| |
| return base::TrimWhitespaceASCII(options, base::TRIM_ALL).as_string() == |
| kEnrollmentMandatoryOption; |
| } |
| |
| void BrowserDMTokenStorageLinux::SaveDMToken(const std::string& token) { |
| std::string client_id = RetrieveClientId(); |
| base::PostTaskWithTraitsAndReplyWithResult( |
| FROM_HERE, {base::MayBlock()}, |
| base::BindOnce(&StoreDMTokenInUserDataDir, token, client_id), |
| base::BindOnce(&BrowserDMTokenStorage::OnDMTokenStored, |
| weak_factory_.GetWeakPtr())); |
| } |
| |
| void BrowserDMTokenStorageLinux::DeletePolicyDirectory() { |
| base::FilePath token_file_path; |
| std::string dummy_id = "id"; |
| if (!GetDmTokenFilePath(&token_file_path, dummy_id, /* create_dir = */ false)) |
| return; |
| |
| base::FilePath token_dir_path = token_file_path.DirName(); |
| if (base::DirectoryExists(token_dir_path) && |
| base::IsDirectoryEmpty(token_dir_path)) { |
| base::DeleteFile(token_dir_path, /* recursive = */ false); |
| } |
| |
| base::FilePath policy_dir_path = token_dir_path.DirName(); |
| if (base::DirectoryExists(policy_dir_path) && |
| base::IsDirectoryEmpty(policy_dir_path)) { |
| base::DeleteFile(policy_dir_path, /* recursive = */ false); |
| } |
| } |
| |
| std::string BrowserDMTokenStorageLinux::ReadMachineIdFile() { |
| std::string machine_id; |
| if (!base::ReadFileToString(base::FilePath(kMachineIdFilename), &machine_id)) |
| return std::string(); |
| return machine_id; |
| } |
| |
| } // namespace policy |