New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 780792 link

Starred by 5 users
Status: Fixed
Owner:
poromov@chromium.org
Closed: Apr 2018
Cc:
atwilson@chromium.org
kotah@chromium.org
blumberg@chromium.org
poromov@chromium.org
jayhlee@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 831663
Blocking:
issue 727992



Sign in to add a comment

We should use Gaia ID when verifying user policy, not email address

Project Member Reported by atwilson@chromium.org, Nov 2 2017 
Currently, we send down the user's email address as part of user policy - since email addresses can change (see  crbug.com/727992 ) we should instead rely on gaia ID.

Step one would be to have the gaia ID sent down as part of user policy - once we have this everywhere, it should be simple to change CloudPolicyValidator to check that gaia ID doesn't change instead of email address.

Comment 1 by yanglee@chromium.org, Nov 2 2017

Cc: blumberg@chromium.org

Comment 2 by lawrence...@chromium.org, Nov 2 2017

Labels: primary-domain-change

Comment 3 by lawrence...@chromium.org, Nov 2 2017 

Just to confirm, this wouldn't be covered under the general migration away from using email address? crbug/462823

Comment 4 by lawrence...@chromium.org, Nov 2 2017

Cc: jayhlee@chromium.org

Comment 5 by atwilson@chromium.org, Nov 2 2017 

That bug tracks the changes required on the UserManager side (alemate's area) - this bug is for the policy infra side of things.

Comment 6 by kotah@chromium.org, Nov 2 2017

Cc: kotah@chromium.org
Labels: Hotlist-Enterprise

Comment 7 by lawrence...@chromium.org, Nov 3 2017 

Thanks for clarifying. Would this bug be blocked on that in any way? I imagine both would need to be fixed for user login in generally to be fully working, but can the work be done in parallel?

Comment 8 by atwilson@chromium.org, Nov 22 2017 

Tracking server side of this at b/69662524.

Yes, work can be done in parallel.

I also remembered that we use the domain of the policy to validate the signing key - not sure if changing the domain would affect validation of existing policy/update to new policy, though. Probably not, but something we need to validate.

Comment 9 by atwilson@chromium.org, Nov 22 2017

Cc: dskaram@chromium.org
Labels: -Pri-3 Pri-2
Updating to P2 per Eve's guidance.

Comment 10 by krishna...@chromium.org, Nov 27 2017

Blocking: 727992
Project Member

Comment 11 by bugdroid1@chromium.org, Apr 9 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4405a297421d54ff809c8eaac59efc174af57dec

commit 4405a297421d54ff809c8eaac59efc174af57dec
Author: Sergey Poromov <poromov@chromium.org>
Date: Mon Apr 09 22:36:40 2018

Use Gaia id for user policy validation on Chrome OS.

Gaia id is provided together with username in PolicyData
for user policy.
It should be used instead of username for validation of
these policies to be resilient to user rename.
For other policies old username check is still used.

BUG= 780792 
TEST=New unit tests covering gaia id check + browser tests
are updated to use the new check though PolicyBuilder update.

Change-Id: I81ef8953a4a079341b70ab75aeb2d157c65067e5
Reviewed-on: https://chromium-review.googlesource.com/980873
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Reviewed-by: Gayane Petrosyan <gayane@chromium.org>
Reviewed-by: Roger Tawa <rogerta@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Reviewed-by: Drew Wilson <atwilson@chromium.org>
Cr-Commit-Position: refs/heads/master@{#549307}
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/login/users/avatar/user_image_manager_browsertest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/login/users/wallpaper_policy_browsertest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/affiliation_test_helper.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/affiliation_test_helper.h
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/power_policy_browsertest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/pre_signin_policy_fetcher.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/unaffiliated_arc_allowed_browsertest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/user_affiliation_browsertest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/extensions/api/enterprise_device_attributes/enterprise_device_attributes_apitest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/chrome/browser/extensions/api/platform_keys/platform_keys_test_base.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/browser/cloud/message_util.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/BUILD.gn
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/DEPS
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/cloud/cloud_policy_validator.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/cloud/cloud_policy_validator.h
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/cloud/cloud_policy_validator_unittest.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/cloud/policy_builder.cc
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/core/common/cloud/policy_builder.h
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy/proto/device_management_backend.proto
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/components/policy_strings.grdp
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/tools/metrics/histograms/enums.xml
[modify] https://crrev.com/4405a297421d54ff809c8eaac59efc174af57dec/tools/metrics/histograms/histograms.xml
Project Member

Comment 12 by bugdroid1@chromium.org, Apr 12 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d601a085f9ad65923adc8b06fe5e44b0093006c9

commit d601a085f9ad65923adc8b06fe5e44b0093006c9
Author: Sergey Poromov <poromov@chromium.org>
Date: Thu Apr 12 09:27:31 2018

Use AccountId for component policy validation.

This is part of migration from username check to Gaia id check.
Component policies are validated against user policies,
so gaia id could be used together with username, resulting in one
AccountId.

BUG= 780792 
TEST=Unit tests updated.

Change-Id: I1c40587d2d6f193450a2c312609de0eba1822a83
Reviewed-on: https://chromium-review.googlesource.com/1003193
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Cr-Commit-Position: refs/heads/master@{#550111}
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/BUILD.gn
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/component_cloud_policy_service.cc
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/component_cloud_policy_store.cc
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/component_cloud_policy_store.h
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/component_cloud_policy_updater_unittest.cc
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/policy_builder.cc
[modify] https://crrev.com/d601a085f9ad65923adc8b06fe5e44b0093006c9/components/policy/core/common/cloud/policy_builder.h

Comment 13 by poromov@chromium.org, Apr 12 2018

Blockedon: 831663

Comment 14 by dskaram@google.com, Apr 12 2018

Cc: -dskaram@chromium.org
Project Member

Comment 15 by bugdroid1@chromium.org, Apr 17 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/59f46ba74374b8c493f37810a7d920e47a7bc2bc

commit 59f46ba74374b8c493f37810a7d920e47a7bc2bc
Author: Sergey Poromov <poromov@chromium.org>
Date: Tue Apr 17 14:53:00 2018

Use AccountId for desktop user policy validation.

This is part of migration from username check to Gaia id check.
Desktop policies are validated in UserCloudPolicyStore, that will now
receive AccountId with Gaia id where it's possible to populate it
from AccountInfo.

BUG= 780792 
TEST=Unit/browser tests updated.

Change-Id: I7f7620e4ff6c1630975e8f6b7d808c629d90716a
Reviewed-on: https://chromium-review.googlesource.com/1005348
Reviewed-by: Roger Tawa <rogerta@chromium.org>
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Boris Sazonov <bsazonov@chromium.org>
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551334}
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/android/signin/signin_manager_android.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/policy/cloud/user_policy_signin_service.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/policy/cloud/user_policy_signin_service.h
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/policy/cloud/user_policy_signin_service_base.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/policy/cloud/user_policy_signin_service_base.h
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/policy/cloud/user_policy_signin_service_unittest.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/ui/sync/one_click_signin_sync_starter.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/ui/webui/signin/dice_turn_sync_on_helper.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/chrome/browser/ui/webui/signin/dice_turn_sync_on_helper_unittest.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/component_cloud_policy_updater_unittest.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/policy_builder.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/policy_builder.h
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/user_cloud_policy_manager.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/user_cloud_policy_manager.h
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/user_cloud_policy_store.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/user_cloud_policy_store.h
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/policy/core/common/cloud/user_cloud_policy_store_unittest.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/signin/core/browser/BUILD.gn
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/signin/core/browser/account_info.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/signin/core/browser/account_info.h
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/signin/core/browser/signin_manager.cc
[modify] https://crrev.com/59f46ba74374b8c493f37810a7d920e47a7bc2bc/components/signin/core/browser/signin_manager.h
Project Member

Comment 16 by bugdroid1@chromium.org, Apr 18 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/12b295bbff146a175c49c8d75f11b886343d8b98

commit 12b295bbff146a175c49c8d75f11b886343d8b98
Author: Sergey Poromov <poromov@chromium.org>
Date: Wed Apr 18 18:44:48 2018

Remove unused CloudPolicyService::ManagedBy()

This function was extracting domain from username in PolicyData
which could be not up-to-date after domain rename.
It's better to get rid of as much |username| usages as possible.

BUG= 780792 
TEST=Trybots

Change-Id: I6aba952cb63d4450863ac7f3ee30c18a3a9830d1
Reviewed-on: https://chromium-review.googlesource.com/1017122
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Commit-Queue: Sergey Poromov <poromov@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551761}
[modify] https://crrev.com/12b295bbff146a175c49c8d75f11b886343d8b98/components/policy/core/common/cloud/cloud_policy_service.cc
[modify] https://crrev.com/12b295bbff146a175c49c8d75f11b886343d8b98/components/policy/core/common/cloud/cloud_policy_service.h
[modify] https://crrev.com/12b295bbff146a175c49c8d75f11b886343d8b98/components/policy/core/common/cloud/cloud_policy_service_unittest.cc

Comment 17 by poromov@chromium.org, Apr 18 2018

Status: Fixed (was: Untriaged)

Comment 18 by atwilson@chromium.org, Jul 31

Cc: poromov@chromium.org atwilson@chromium.org
 Issue 868718  has been merged into this issue.

Sign in to add a comment