Ensure that challenging user keys is unavailable on signin.

Returns a specific error saying the keys are not available in the signin profile. BUG=715121 TEST=unit tests Review-Url: https://codereview.chromium.org/2838423003 Cr-Commit-Position: refs/heads/master@{#468019}

Ensure that challenging user keys is unavailable on signin.
Returns a specific error saying the keys are not available in the signin profile. BUG=715121 TEST=unit tests Review-Url: https://codereview.chromium.org/2838423003 Cr-Commit-Position: refs/heads/master@{#468019}
26916760 · drcrash · Commit bot · 638b48e2 · 26916760 · 26916760
Commit 26916760 authored Apr 28, 2017 by drcrash Committed by Commit bot Apr 28, 2017
3 changed files
--- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc
+++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.cc
@@ -141,7 +141,7 @@ bool EPKPChallengeKeyBase::IsEnterpriseDevice() const {
 }
 bool EPKPChallengeKeyBase::IsExtensionWhitelisted() const {
-  if (chromeos::ProfileHelper::IsSigninProfile(profile_)) {
+  if (!chromeos::ProfileHelper::Get()->GetUserByProfile(profile_)) {
    // Only allow remote attestation for apps that were force-installed on the
    // login/signin screen.
    // TODO(drcrash): Use a separate device-wide policy for the API.
@@ -340,7 +340,7 @@ void EPKPChallengeMachineKey::Run(
  }
  // Check whether the user is managed unless the signin profile is used.
-  if (!chromeos::ProfileHelper::IsSigninProfile(profile_) &&
+  if (chromeos::ProfileHelper::Get()->GetUserByProfile(profile_) &&
      !IsUserAffiliated()) {
    callback_.Run(false, kUserNotManaged);
    return;
@@ -443,6 +443,8 @@ const char EPKPChallengeUserKey::kKeyRegistrationFailedError[] =
    "Key registration failed.";
 const char EPKPChallengeUserKey::kUserPolicyDisabledError[] =
    "Remote attestation is not enabled for your account.";
+const char EPKPChallengeUserKey::kUserKeyNotAvailable[] =
+    "User keys cannot be challenged in this profile.";
 const char EPKPChallengeUserKey::kKeyName[] = "attest-ent-user";
@@ -477,6 +479,12 @@ void EPKPChallengeUserKey::Run(scoped_refptr<UIThreadExtensionFunction> caller,
  profile_ = ChromeExtensionFunctionDetails(caller.get()).GetProfile();
  extension_ = scoped_refptr<const Extension>(caller->extension());
+  // Check if user keys are available in this profile.
+  if (!chromeos::ProfileHelper::Get()->GetUserByProfile(profile_)) {
+    callback_.Run(false, EPKPChallengeUserKey::kUserKeyNotAvailable);
+    return;
+  }
  // Check if RA is enabled in the user policy.
  if (!IsRemoteAttestationEnabledForUser()) {
    callback_.Run(false, kUserPolicyDisabledError);

--- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.h
+++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api.h
@@ -209,6 +209,7 @@ class EPKPChallengeUserKey : public EPKPChallengeKeyBase {
 public:
  static const char kGetCertificateFailedError[];
  static const char kKeyRegistrationFailedError[];
+  static const char kUserKeyNotAvailable[];
  static const char kUserPolicyDisabledError[];
  EPKPChallengeUserKey();

--- a/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc
+++ b/chrome/browser/extensions/api/enterprise_platform_keys_private/enterprise_platform_keys_private_api_unittest.cc
@@ -409,8 +409,9 @@ class EPKPChallengeUserKeyTest : public EPKPChallengeKeyTestBase {
 protected:
  static const char kArgs[];
-  EPKPChallengeUserKeyTest()
+  explicit EPKPChallengeUserKeyTest(
-      : EPKPChallengeKeyTestBase(ProfileType::USER_PROFILE),
+      ProfileType profile_type = ProfileType::USER_PROFILE)
+      : EPKPChallengeKeyTestBase(profile_type),
        impl_(&mock_cryptohome_client_,
              &mock_async_method_caller_,
              &mock_attestation_flow_,
@@ -423,8 +424,10 @@ class EPKPChallengeUserKeyTest : public EPKPChallengeKeyTestBase {
  void SetUp() override {
    EPKPChallengeKeyTestBase::SetUp();
-    // Set the user preferences.
+    if (profile_type_ == ProfileType::USER_PROFILE) {
-    prefs_->SetBoolean(prefs::kAttestationEnabled, true);
+      // Set the user preferences.
+      prefs_->SetBoolean(prefs::kAttestationEnabled, true);
+    }
  }
  // Returns an error string for the given code.
@@ -578,6 +581,19 @@ TEST_F(EPKPChallengeUserKeyTest, AttestationPreparedDbusFailed) {
            utils::RunFunctionAndReturnError(func_.get(), kArgs, browser()));
 }
+class EPKPChallengeUserKeySigninProfileTest : public EPKPChallengeUserKeyTest {
+ protected:
+  EPKPChallengeUserKeySigninProfileTest()
+      : EPKPChallengeUserKeyTest(ProfileType::SIGNIN_PROFILE) {}
+};
+TEST_F(EPKPChallengeUserKeySigninProfileTest, UserKeyNotAvailable) {
+  settings_helper_.SetBoolean(chromeos::kDeviceAttestationEnabled, false);
+  EXPECT_EQ(EPKPChallengeUserKey::kUserKeyNotAvailable,
+            utils::RunFunctionAndReturnError(func_.get(), kArgs, browser()));
+}
 class EPKPChallengeMachineKeyUnmanagedUserTest
    : public EPKPChallengeMachineKeyTest {
 protected: