Chromium Code Reviews Chromium Code Reviews
Issue 10868113:
Disable certificate patterns for device policy ONC files (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/cros/onc_network_parser.h" | 5 #include "chrome/browser/chromeos/cros/onc_network_parser.h" |
| 6 | 6 |
| 7 #include <keyhi.h> | 7 #include <keyhi.h> |
| 8 #include <pk11pub.h> | 8 #include <pk11pub.h> |
| 9 | 9 |
| 10 #include "base/base64.h" | 10 #include "base/base64.h" |
| (...skipping 1347 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1358 // Process the Host and Port values into net::HostPortPair, and then | 1358 // Process the Host and Port values into net::HostPortPair, and then |
| 1359 // net::ProxyServer for the specific scheme. | 1359 // net::ProxyServer for the specific scheme. |
| 1360 net::HostPortPair host_port(host, static_cast<uint16>(port)); | 1360 net::HostPortPair host_port(host, static_cast<uint16>(port)); |
| 1361 return net::ProxyServer(scheme, host_port); | 1361 return net::ProxyServer(scheme, host_port); |
| 1362 } | 1362 } |
| 1363 | 1363 |
| 1364 // static | 1364 // static |
| 1365 bool OncNetworkParser::ParseClientCertPattern(OncNetworkParser* parser, | 1365 bool OncNetworkParser::ParseClientCertPattern(OncNetworkParser* parser, |
| 1366 PropertyIndex index, | 1366 PropertyIndex index, |
| 1367 const base::Value& value, | 1367 const base::Value& value, |
| 1368 Network* network) { | 1368 Network* network) { |
|
Mattias Nissler (ping if slow)
2012/08/28 11:38:09
Maybe it's better to put the check here instead of
Greg Spencer (Chromium)
2012/09/17 18:25:44
Done. For some reason I thought it would mess wit
| |
| 1369 // Only WiFi and VPN have this type. | 1369 // Only WiFi and VPN have this type. |
| 1370 if (network->type() != TYPE_WIFI && | 1370 if (network->type() != TYPE_WIFI && |
| 1371 network->type() != TYPE_VPN) { | 1371 network->type() != TYPE_VPN) { |
| 1372 LOG(WARNING) << "Tried to parse a ClientCertPattern from something " | 1372 LOG(WARNING) << "Tried to parse a ClientCertPattern from something " |
| 1373 << "that wasn't a WiFi or VPN network."; | 1373 << "that wasn't a WiFi or VPN network."; |
| 1374 return false; | 1374 return false; |
| 1375 } | 1375 } |
| 1376 | 1376 |
| 1377 // Below, we fail when parsing certificate patterns for device policy ONC so | |
| 1378 // that an unmanaged user can't get to the place where a cert is presented for | |
| 1379 // them involuntarily. | |
| 1380 | |
| 1377 switch (index) { | 1381 switch (index) { |
| 1378 case PROPERTY_INDEX_ONC_CERTIFICATE_PATTERN_ENROLLMENT_URI: { | 1382 case PROPERTY_INDEX_ONC_CERTIFICATE_PATTERN_ENROLLMENT_URI: { |
| 1379 std::vector<std::string> resulting_list; | 1383 std::vector<std::string> resulting_list; |
| 1380 if (!GetAsListOfStrings(value, &resulting_list)) | 1384 if (!GetAsListOfStrings(value, &resulting_list) || |
| 1385 parser->onc_source() == NetworkUIData::ONC_SOURCE_DEVICE_POLICY) | |
|
Mattias Nissler (ping if slow)
2012/08/28 11:38:09
nit: Other code in this file seems to add curly br
Greg Spencer (Chromium)
2012/09/17 18:25:44
Done.
| |
| 1381 return false; | 1386 return false; |
| 1382 CertificatePattern pattern = network->client_cert_pattern(); | 1387 CertificatePattern pattern = network->client_cert_pattern(); |
| 1383 pattern.set_enrollment_uri_list(resulting_list); | 1388 pattern.set_enrollment_uri_list(resulting_list); |
| 1384 network->set_client_cert_pattern(pattern); | 1389 network->set_client_cert_pattern(pattern); |
| 1385 return true; | 1390 return true; |
| 1386 } | 1391 } |
| 1387 case PROPERTY_INDEX_ONC_CERTIFICATE_PATTERN_ISSUER_CA_REF: { | 1392 case PROPERTY_INDEX_ONC_CERTIFICATE_PATTERN_ISSUER_CA_REF: { |
| 1388 std::vector<std::string> resulting_list; | 1393 std::vector<std::string> resulting_list; |
| 1389 if (!GetAsListOfStrings(value, &resulting_list)) | 1394 if (!GetAsListOfStrings(value, &resulting_list) || |
| 1395 parser->onc_source() == NetworkUIData::ONC_SOURCE_DEVICE_POLICY) | |
| 1390 return false; | 1396 return false; |
| 1391 CertificatePattern pattern = network->client_cert_pattern(); | 1397 CertificatePattern pattern = network->client_cert_pattern(); |
| 1392 pattern.set_issuer_ca_ref_list(resulting_list); | 1398 pattern.set_issuer_ca_ref_list(resulting_list); |
| 1393 network->set_client_cert_pattern(pattern); | 1399 network->set_client_cert_pattern(pattern); |
| 1394 return true; | 1400 return true; |
| 1395 } | 1401 } |
| 1396 case PROPERTY_INDEX_ONC_CERTIFICATE_PATTERN_ISSUER: | 1402 case PROPERTY_INDEX_ONC_CERTIFICATE_PATTERN_ISSUER: |
| 1397 return parser->ParseNestedObject(network, | 1403 return parser->ParseNestedObject(network, |
| 1398 onc::certificate::kIssuer, | 1404 onc::certificate::kIssuer, |
| 1399 value, | 1405 value, |
| (...skipping 10 matching lines...) Expand all Loading... | |
| 1410 } | 1416 } |
| 1411 return false; | 1417 return false; |
| 1412 } | 1418 } |
| 1413 | 1419 |
| 1414 // static | 1420 // static |
| 1415 bool OncNetworkParser::ParseIssuerPattern(OncNetworkParser* parser, | 1421 bool OncNetworkParser::ParseIssuerPattern(OncNetworkParser* parser, |
| 1416 PropertyIndex index, | 1422 PropertyIndex index, |
| 1417 const base::Value& value, | 1423 const base::Value& value, |
| 1418 Network* network) { | 1424 Network* network) { |
| 1419 IssuerSubjectPattern pattern; | 1425 IssuerSubjectPattern pattern; |
| 1420 if (ParseIssuerSubjectPattern(&pattern, parser, index, value, network)) { | 1426 if (ParseIssuerSubjectPattern(&pattern, parser, index, value, network) && |
| 1427 parser->onc_source() != NetworkUIData::ONC_SOURCE_DEVICE_POLICY) { | |
| 1421 CertificatePattern cert_pattern = network->client_cert_pattern(); | 1428 CertificatePattern cert_pattern = network->client_cert_pattern(); |
| 1422 cert_pattern.set_issuer(pattern); | 1429 cert_pattern.set_issuer(pattern); |
| 1423 network->set_client_cert_pattern(cert_pattern); | 1430 network->set_client_cert_pattern(cert_pattern); |
| 1424 return true; | 1431 return true; |
| 1425 } | 1432 } |
| 1426 return false; | 1433 return false; |
| 1427 } | 1434 } |
| 1428 | 1435 |
| 1429 // static | 1436 // static |
| 1430 bool OncNetworkParser::ParseSubjectPattern(OncNetworkParser* parser, | 1437 bool OncNetworkParser::ParseSubjectPattern(OncNetworkParser* parser, |
| 1431 PropertyIndex index, | 1438 PropertyIndex index, |
| 1432 const base::Value& value, | 1439 const base::Value& value, |
| 1433 Network* network) { | 1440 Network* network) { |
| 1434 IssuerSubjectPattern pattern; | 1441 IssuerSubjectPattern pattern; |
| 1435 if (ParseIssuerSubjectPattern(&pattern, parser, index, value, network)) { | 1442 if (ParseIssuerSubjectPattern(&pattern, parser, index, value, network) && |
| 1443 parser->onc_source() != NetworkUIData::ONC_SOURCE_DEVICE_POLICY) { | |
| 1436 CertificatePattern cert_pattern = network->client_cert_pattern(); | 1444 CertificatePattern cert_pattern = network->client_cert_pattern(); |
| 1437 cert_pattern.set_subject(pattern); | 1445 cert_pattern.set_subject(pattern); |
| 1438 network->set_client_cert_pattern(cert_pattern); | 1446 network->set_client_cert_pattern(cert_pattern); |
| 1439 return true; | 1447 return true; |
| 1440 } | 1448 } |
| 1441 return false; | 1449 return false; |
| 1442 } | 1450 } |
| 1443 | 1451 |
| 1444 // static | 1452 // static |
| 1445 bool OncNetworkParser::ParseIssuerSubjectPattern(IssuerSubjectPattern* pattern, | 1453 bool OncNetworkParser::ParseIssuerSubjectPattern(IssuerSubjectPattern* pattern, |
| (...skipping 565 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 2011 // on the value of AuthenticationType. | 2019 // on the value of AuthenticationType. |
| 2012 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK }, | 2020 { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK }, |
| 2013 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN }, | 2021 { "OpenVPN", PROVIDER_TYPE_OPEN_VPN }, |
| 2014 }; | 2022 }; |
| 2015 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser, | 2023 CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser, |
| 2016 (table, arraysize(table), PROVIDER_TYPE_MAX)); | 2024 (table, arraysize(table), PROVIDER_TYPE_MAX)); |
| 2017 return parser.Get(type); | 2025 return parser.Get(type); |
| 2018 } | 2026 } |
| 2019 | 2027 |
| 2020 } // namespace chromeos | 2028 } // namespace chromeos |
| OLD | NEW |
