Chromad: Cleanup extension policy |
||||||||||||
Issue descriptionMake sure Session Manager removes extension policy that it doesn't need anymore (i.e. that authpolicy doesn't send).
,
Jan 22 2018
,
Jul 13
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/e034ae012a13491bd8a3d9faf17a4ebd1181f00b commit e034ae012a13491bd8a3d9faf17a4ebd1181f00b Author: Lutz Justen <ljusten@chromium.org> Date: Fri Jul 13 15:14:30 2018 authpolicy: Refactor session manager client code Extracts Session Manager related code into SessionManagerClient class. There's going to be more calls to Session Manager, so it's probably a good idea to refactor it now. BUG= chromium:793314 TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicyd Change-Id: Idbae89b88f5aaed54b2d89eeb0f719ce3c77b7a2 Reviewed-on: https://chromium-review.googlesource.com/1136045 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Roman Sorokin <rsorokin@chromium.org> [modify] https://crrev.com/e034ae012a13491bd8a3d9faf17a4ebd1181f00b/authpolicy/authpolicy.gyp [add] https://crrev.com/e034ae012a13491bd8a3d9faf17a4ebd1181f00b/authpolicy/session_manager_client.cc [add] https://crrev.com/e034ae012a13491bd8a3d9faf17a4ebd1181f00b/authpolicy/session_manager_client.h [modify] https://crrev.com/e034ae012a13491bd8a3d9faf17a4ebd1181f00b/authpolicy/authpolicy.h [modify] https://crrev.com/e034ae012a13491bd8a3d9faf17a4ebd1181f00b/authpolicy/authpolicy.cc [modify] https://crrev.com/e034ae012a13491bd8a3d9faf17a4ebd1181f00b/authpolicy/authpolicy_main.cc
,
Jul 18
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/system_api/+/ec1037793be74c602f3edfea04c574286315351e commit ec1037793be74c602f3edfea04c574286315351e Author: Lutz Justen <ljusten@chromium.org> Date: Wed Jul 18 17:26:31 2018 dbus/login_manager: Add "ListStoredComponentPolicies" Add a string constant for Session Manager's ListStoredComponentPolicies method, see CL:1128881 [login: Add method to query ids of stored component policy]. BUG= chromium:793314 TEST=None Change-Id: Ieb4b36acbcf5f28f93423e885b8279e38f2d126d Reviewed-on: https://chromium-review.googlesource.com/1129141 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Dan Erat <derat@chromium.org> [modify] https://crrev.com/ec1037793be74c602f3edfea04c574286315351e/dbus/login_manager/dbus-constants.h
,
Jul 19
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/98961d5d239c0787f8590642317a5f3db9940f86 commit 98961d5d239c0787f8590642317a5f3db9940f86 Author: Lutz Justen <ljusten@chromium.org> Date: Thu Jul 19 01:15:21 2018 login: Add method to query ids of stored component policy Adds a D-Bus method to query all component IDs (e.g. extension IDs) for which Session Manager tracks policy in a given domain (e.g. POLICY_DOMAIN_EXTENSIONS). The method will be used by authpolicyd during policy fetch. If an Active Directory admin removes policy for a certain extension, there is no way for the daemon to know that the extension had policy before (because it only gets the list of extensions that currently have policy set), so it cannot delete (stale) extension policy on disk. CQ-DEPEND=CL:1129141 BUG= chromium:793314 TEST=cros_run_unit_tests --board=amd64-generic --packages chromeos-login Change-Id: I94578029369816ef55cd784e656c4c704f0dfdb0 Reviewed-on: https://chromium-review.googlesource.com/1128881 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Dan Erat <derat@chromium.org> [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/session_manager_impl.cc [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/mock_device_policy_service.h [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/SessionManager.conf [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/session_manager_impl_unittest.cc [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/validator_utils.cc [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/policy_service.h [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/dbus_bindings/org.chromium.SessionManagerInterface.xml [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/policy_service_unittest.cc [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/policy_service.cc [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/validator_utils_unittest.cc [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/validator_utils.h [modify] https://crrev.com/98961d5d239c0787f8590642317a5f3db9940f86/login_manager/session_manager_impl.h
,
Aug 3
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform/system_api/+/742da1c42600c57a7645a575ad02b8eeaed520be commit 742da1c42600c57a7645a575ad02b8eeaed520be Author: Lutz Justen <ljusten@chromium.org> Date: Fri Aug 03 13:29:15 2018 dbus/login_manager: Add deletion error string The string is used when deleting a policy fails in Session Manager, see CL:1136038 [login: Add ability to delete component policy]. BUG= chromium:793314 TEST=None Change-Id: I656c57a2e2d71d60219f4f5edc2cdc04786ca653 Reviewed-on: https://chromium-review.googlesource.com/1136035 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Mattias Nissler <mnissler@chromium.org> [modify] https://crrev.com/742da1c42600c57a7645a575ad02b8eeaed520be/dbus/login_manager/dbus-constants.h
,
Aug 4
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/46e8d97e70b330115dc00eab0d6a42ab7392aea2 commit 46e8d97e70b330115dc00eab0d6a42ab7392aea2 Author: Lutz Justen <ljusten@chromium.org> Date: Sat Aug 04 05:14:37 2018 login: Add ability to delete component policy If StoreUnsignedPolicyEx() is called with an empty policy blob and the policy descriptor specifies component policy, the policy is deleted from disk. This will allow authpolicyd to clean up stale extension policy. Deleting should not be extended to Chrome policy or signed policy for security reasons, e.g. a Chrome hack could just delete signed policy. CQ-DEPEND=CL:1136035 BUG= chromium:793314 TEST=cros_run_unit_tests --board=amd64-generic --packages chromeos-login Change-Id: Iae81ea9b74ed248bb75c1d23d583d07e1dfc3a5b Reviewed-on: https://chromium-review.googlesource.com/1136038 Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Mattias Nissler <mnissler@chromium.org> [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/session_manager_impl_unittest.cc [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/session_manager_impl.cc [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/mock_device_policy_service.h [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/resilient_policy_store.h [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/policy_service.h [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/dbus_bindings/org.chromium.SessionManagerInterface.xml [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/policy_service_unittest.cc [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/policy_service.cc [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/policy_store_unittest.cc [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/resilient_policy_store.cc [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/policy_store.h [modify] https://crrev.com/46e8d97e70b330115dc00eab0d6a42ab7392aea2/login_manager/policy_store.cc
,
Aug 21
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/bf9a958e4995bc43086ca09baefba17c253bb341 commit bf9a958e4995bc43086ca09baefba17c253bb341 Author: Lutz Justen <ljusten@chromium.org> Date: Tue Aug 21 17:33:45 2018 authpolicy: Expose ListStoredComponentPolicies Exposes ListStoredComponentPolicies in SessionManagerClient. The method will be used to clean up policy for extensions that are no longer receiving policy from Active Directory. BUG= chromium:793314 TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy Change-Id: If08f82975f9471e1dda680f7b6aba8ecd6a962c5 Reviewed-on: https://chromium-review.googlesource.com/1136040 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Roman Sorokin <rsorokin@chromium.org> [modify] https://crrev.com/bf9a958e4995bc43086ca09baefba17c253bb341/authpolicy/session_manager_client.h [modify] https://crrev.com/bf9a958e4995bc43086ca09baefba17c253bb341/authpolicy/session_manager_client.cc
,
Nov 23
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/platform2/+/f4490f4abae6f243b3a640f9628ff51343d7ece6 commit f4490f4abae6f243b3a640f9628ff51343d7ece6 Author: Lutz Justen <ljusten@chromium.org> Date: Fri Nov 23 03:08:00 2018 authpolicy: Clean up stale extension policy If policy for an extension is removed from the Group Policy editor in Active Directory, Session Manager still stores a backup copy for the policy of that extension. This CL removes that backup copy by looking at what policy is stored in Session Manager (using ListStoredComponentPolicies) and what's coming down from Active Directory and computing the set difference of the two. BUG= chromium:793314 TEST=cros_run_unit_tests --board=amd64-generic --packages authpolicy Change-Id: Ic82b0350ec258bd75273bb150d9d1aba280287be Reviewed-on: https://chromium-review.googlesource.com/1136041 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Lutz Justen <ljusten@chromium.org> [modify] https://crrev.com/f4490f4abae6f243b3a640f9628ff51343d7ece6/authpolicy/authpolicy.cc [modify] https://crrev.com/f4490f4abae6f243b3a640f9628ff51343d7ece6/authpolicy/authpolicy.h [modify] https://crrev.com/f4490f4abae6f243b3a640f9628ff51343d7ece6/authpolicy/authpolicy_unittest.cc
,
Nov 26
To verify: - Get an Active Directory enrolled Chrome OS device - On device, install an extension that defines policy, e.g. https://chrome.google.com/webstore/detail/certificate-enrollment-fo/fhndealchbngfhdoncgcokameljahhog?hl=en - On the Windows server, install the ADMX template for this extension (AMDX/ADML files see attachment; this is already installed on chromeadm-lab) - On the Windows server, set some policy for this extension - On the device, refresh policy on chrome://policy and make sure it's coming down - On the Windows server, unset all policy for this extension - On the device, refresh policy on chrome://policy and make sure the policy is gone
,
Nov 26
Forgot to attach ADML file
,
Nov 29
Hi Lutz, I have a couple of questions about verification: - On the device, refresh policy on chrome://policy and make sure it's coming down I was not able to set policy for this extension (see attached screenshot), could you please provide some example? - On the Windows server, unset all policy for this extension Should I just delete a JSON and leave the policy enabled? In this case I see the error: "Line: 1, column: 1, Unexpected token." Thanks, Ivan Chrome OS: 11307.0.0, Chrome: 72.0.3623.3, Device: Nautilus Domain: chromeadm-lab.com, OU: ChromeTEmtv
,
Nov 30
Hi Ivan, - this isn't the right place to set extension policy. If you have installed the ADMX template, it should show up in the GPO editor under "User Configuration/Administrative Templates.../Google/Certificate Enrollment for Chrome OS". You can set any value there, e.g. help_text. (see attached screenshot) - Just set help_text to "Not Configured" again. Btw, there was a problem with the last templates I attached. I've fixed this and attached the proper ones.
,
Nov 30
Thanks for the clarification! I was able to set extension policies (Screenshot 1), but still don't see them on the device (Screenshot 2). The templates look updated on chromeadm-lab. Could you please take a look what is wrong with this? Chrome OS: 11316.0.0, Chrome: 72.0.3625.0, Device: Nautilus Domain: chromeadm-lab.com, OU: ChromeTEmtv
,
Dec 3
OK, that's a subtle one. There's a dev version (ID mefcnnkdafbfmdjgollliofipbmlopnh) and a non-dev version (fhndealchbngfhdoncgcokameljahhog). The template was for the dev version, you installed the non-dev version. Sorry for the confusion! I've updated the template name to "Certificate Enrollment for Chrome OS Dev" and added the non-dev version as "Certificate Enrollment for Chrome OS". I've already set policy there and tested that it's coming through.
,
Dec 3
Thanks a lot! Now I was able to verify it using a non-dev version (fhndealchbngfhdoncgcokameljahhog): - Screenshot 1 -> policy is set - Screenshot 2 -> policy is gone Chrome OS: 11316.0.0, Chrome: 72.0.3625.0, Device: Nautilus |
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by ljusten@chromium.org
, Jan 22 2018