Turn off future-timestamp cloud policy checks on desktop

BUG=279099

Review URL: https://chromiumcodereview.appspot.com/24041002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@222028 0039d316-1c4b-4281-b951-d872f2087c98

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc

@@ -243,7 +243,8 @@ void UserCloudPolicyStoreChromeOS::LoadImmediately() {
   policy_key_loaded_ = true;
 
   scoped_ptr<UserCloudPolicyValidator> validator =
-      CreateValidator(policy.Pass());
+      CreateValidator(policy.Pass(),
+                      CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
   validator->ValidateUsername(username_);
   const bool allow_rotation = false;
   validator->ValidateSignature(policy_key_, allow_rotation);
@@ -255,7 +256,8 @@ void UserCloudPolicyStoreChromeOS::ValidatePolicyForStore(
     scoped_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator.
   scoped_ptr<UserCloudPolicyValidator> validator =
-      CreateValidator(policy.Pass());
+      CreateValidator(policy.Pass(),
+                      CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
   validator->ValidateUsername(username_);
   if (policy_key_.empty()) {
     validator->ValidateInitialKey();
@@ -353,7 +355,8 @@ void UserCloudPolicyStoreChromeOS::ValidateRetrievedPolicy(
     scoped_ptr<em::PolicyFetchResponse> policy) {
   // Create and configure a validator for the loaded policy.
   scoped_ptr<UserCloudPolicyValidator> validator =
-      CreateValidator(policy.Pass());
+      CreateValidator(policy.Pass(),
+                      CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
   validator->ValidateUsername(username_);
   const bool allow_rotation = false;
   validator->ValidateSignature(policy_key_, allow_rotation);
@@ -404,7 +407,8 @@ void UserCloudPolicyStoreChromeOS::OnLegacyLoadFinished(
     // Create and configure a validator for the loaded legacy policy. Note that
     // the signature on this policy is not verified.
     scoped_ptr<UserCloudPolicyValidator> validator =
-        CreateValidator(policy.Pass());
+        CreateValidator(policy.Pass(),
+                        CloudPolicyValidatorBase::TIMESTAMP_REQUIRED);
     validator->ValidateUsername(username_);
     validator.release()->StartValidation(
         base::Bind(&UserCloudPolicyStoreChromeOS::OnLegacyPolicyValidated,

chrome/browser/policy/cloud/cloud_policy_validator.cc

@@ -278,7 +278,8 @@ CloudPolicyValidatorBase::Status CloudPolicyValidatorBase::CheckTimestamp() {
     LOG(ERROR) << "Policy too old: " << policy_data_->timestamp();
     return VALIDATION_BAD_TIMESTAMP;
   }
-  if (policy_data_->timestamp() > timestamp_not_after_) {
+  if (timestamp_option_ != TIMESTAMP_NOT_BEFORE &&
+      policy_data_->timestamp() > timestamp_not_after_) {
     LOG(ERROR) << "Policy from the future: " << policy_data_->timestamp();
     return VALIDATION_BAD_TIMESTAMP;
   }

chrome/browser/policy/cloud/cloud_policy_validator.h

@@ -79,9 +79,16 @@ class CloudPolicyValidatorBase {
   };
 
   enum ValidateTimestampOption {
-    // The policy must have a timestamp field.
+    // The policy must have a timestamp field and it should be checked against
+    // both the start and end times.
     TIMESTAMP_REQUIRED,
 
+    // The timestamp should only be compared vs the |not_before| value (this
+    // is appropriate for platforms with unreliable system times, where we want
+    // to ensure that fresh policy is newer than existing policy, but we can't
+    // do any other validation).
+    TIMESTAMP_NOT_BEFORE,
+
     // No timestamp field is required.
     TIMESTAMP_NOT_REQUIRED,
   };
@@ -102,11 +109,11 @@ class CloudPolicyValidatorBase {
   }
 
   // Instructs the validator to check that the policy timestamp is not before
-  // |not_before| and not after |now| + grace interval. If
+  // |not_before| and not after |not_after| + grace interval. If
   // |timestamp_option| is set to TIMESTAMP_REQUIRED, then the policy will fail
   // validation if it does not have a timestamp field.
   void ValidateTimestamp(base::Time not_before,
-                         base::Time now,
+                         base::Time not_after,
                          ValidateTimestampOption timestamp_option);
 
   // Validates the username in the policy blob matches |expected_user|.

chrome/browser/policy/cloud/cloud_policy_validator_unittest.cc

@@ -36,7 +36,7 @@ class CloudPolicyValidatorTest : public testing::Test {
         timestamp_(base::Time::UnixEpoch() +
                    base::TimeDelta::FromMilliseconds(
                        PolicyBuilder::kFakeTimestamp)),
-        ignore_missing_timestamp_(CloudPolicyValidatorBase::TIMESTAMP_REQUIRED),
+        timestamp_option_(CloudPolicyValidatorBase::TIMESTAMP_REQUIRED),
         ignore_missing_dm_token_(CloudPolicyValidatorBase::DM_TOKEN_REQUIRED),
         allow_key_rotation_(true),
         existing_dm_token_(PolicyBuilder::kFakeToken),
@@ -67,7 +67,7 @@ class CloudPolicyValidatorTest : public testing::Test {
     UserCloudPolicyValidator* validator =
         UserCloudPolicyValidator::Create(policy_.GetCopy());
     validator->ValidateTimestamp(timestamp_, timestamp_,
-                                 ignore_missing_timestamp_);
+                                 timestamp_option_);
     validator->ValidateUsername(PolicyBuilder::kFakeUsername);
     validator->ValidateDomain(PolicyBuilder::kFakeDomain);
     validator->ValidateDMToken(existing_dm_token_, ignore_missing_dm_token_);
@@ -92,7 +92,7 @@ class CloudPolicyValidatorTest : public testing::Test {
 
   base::MessageLoop loop_;
   base::Time timestamp_;
-  CloudPolicyValidatorBase::ValidateTimestampOption ignore_missing_timestamp_;
+  CloudPolicyValidatorBase::ValidateTimestampOption timestamp_option_;
   CloudPolicyValidatorBase::ValidateDMTokenOption ignore_missing_dm_token_;
   std::string signing_key_;
   bool allow_key_rotation_;
@@ -153,7 +153,7 @@ TEST_F(CloudPolicyValidatorTest, ErrorNoTimestamp) {
 }
 
 TEST_F(CloudPolicyValidatorTest, IgnoreMissingTimestamp) {
-  ignore_missing_timestamp_ = CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED;
+  timestamp_option_ = CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED;
   policy_.policy_data().clear_timestamp();
   Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_OK));
 }
@@ -172,6 +172,15 @@ TEST_F(CloudPolicyValidatorTest, ErrorTimestampFromTheFuture) {
   Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_TIMESTAMP));
 }
 
+TEST_F(CloudPolicyValidatorTest, IgnoreErrorTimestampFromTheFuture) {
+  base::Time timestamp(timestamp_ + base::TimeDelta::FromMinutes(5));
+  timestamp_option_ =
+      CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE;
+  policy_.policy_data().set_timestamp(
+      (timestamp - base::Time::UnixEpoch()).InMilliseconds());
+  Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_OK));
+}
+
 TEST_F(CloudPolicyValidatorTest, ErrorNoRequestToken) {
   policy_.policy_data().clear_request_token();
   Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_TOKEN));

chrome/browser/policy/cloud/user_cloud_policy_store.cc

@@ -210,8 +210,9 @@ void UserCloudPolicyStore::Validate(
     bool validate_in_background,
     const UserCloudPolicyValidator::CompletionCallback& callback) {
   // Configure the validator.
-  scoped_ptr<UserCloudPolicyValidator> validator =
-      CreateValidator(policy.Pass());
+  scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator(
+      policy.Pass(),
+      CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE);
   SigninManager* signin = SigninManagerFactory::GetForProfileIfExists(profile_);
   if (signin) {
     std::string username = signin->GetAuthenticatedUsername();

chrome/browser/policy/cloud/user_cloud_policy_store_base.cc

@@ -24,14 +24,15 @@ UserCloudPolicyStoreBase::~UserCloudPolicyStoreBase() {
 }
 
 scoped_ptr<UserCloudPolicyValidator> UserCloudPolicyStoreBase::CreateValidator(
-    scoped_ptr<enterprise_management::PolicyFetchResponse> policy) {
+    scoped_ptr<enterprise_management::PolicyFetchResponse> policy,
+    CloudPolicyValidatorBase::ValidateTimestampOption timestamp_option) {
   // Configure the validator.
   UserCloudPolicyValidator* validator =
       UserCloudPolicyValidator::Create(policy.Pass());
   validator->ValidatePolicyType(GetChromeUserPolicyType());
   validator->ValidateAgainstCurrentPolicy(
       policy_.get(),
-      CloudPolicyValidatorBase::TIMESTAMP_REQUIRED,
+      timestamp_option,
       CloudPolicyValidatorBase::DM_TOKEN_REQUIRED);
   validator->ValidatePayload();
   return scoped_ptr<UserCloudPolicyValidator>(validator);

chrome/browser/policy/cloud/user_cloud_policy_store_base.h

@@ -11,6 +11,7 @@
 #include "base/memory/scoped_ptr.h"
 #include "base/memory/weak_ptr.h"
 #include "chrome/browser/policy/cloud/cloud_policy_store.h"
+#include "chrome/browser/policy/cloud/cloud_policy_validator.h"
 
 namespace policy {
 
@@ -25,7 +26,8 @@ class UserCloudPolicyStoreBase : public CloudPolicyStore {
   // Creates a validator configured to validate a user policy. The caller owns
   // the resulting object until StartValidation() is invoked.
   scoped_ptr<UserCloudPolicyValidator> CreateValidator(
-      scoped_ptr<enterprise_management::PolicyFetchResponse> policy);
+      scoped_ptr<enterprise_management::PolicyFetchResponse> policy,
+      CloudPolicyValidatorBase::ValidateTimestampOption option);
 
   // Sets |policy_data| and |payload| as the active policy.
   void InstallPolicy(