Disable certificate patterns for device policy ONC files

chrome/browser/chromeos/cros/network_library.cc

Index: chrome/browser/chromeos/cros/network_library.cc
diff --git a/chrome/browser/chromeos/cros/network_library.cc b/chrome/browser/chromeos/cros/network_library.cc
index e98b7de4e7d35eea9ad06bfa8c053bf01c66fcad..2b42fd3bca9d0439f7c3d338cf3c89a8afed30b4 100644
--- a/chrome/browser/chromeos/cros/network_library.cc
+++ b/chrome/browser/chromeos/cros/network_library.cc
@@ -729,7 +729,12 @@ void VirtualNetwork::MatchCertificatePattern(bool allow_enroll,
                                              const base::Closure& connect) {
   DCHECK(client_cert_type() == CLIENT_CERT_TYPE_PATTERN);
   DCHECK(!client_cert_pattern().Empty());
-  if (client_cert_pattern().Empty()) {
+
+  // We skip certificate patterns for device policy ONC so that an unmanaged
+  // user can't get to the place where a cert is presented for them
+  // involuntarily.
+  if (client_cert_pattern().Empty() ||
+      ui_data().onc_source() == NetworkUIData::ONC_SOURCE_DEVICE_POLICY) {

[Greg Spencer (Chromium), 2012/08/27 21:22:52]

I added this check in addition to the ONC file loading failure so that already
imported policies will not do this either.

     connect.Run();
     return;
   }
@@ -756,8 +761,8 @@ void VirtualNetwork::MatchCertificatePattern(bool allow_enroll,
                      false,
                      connect);
 
-     enrollment_delegate()->Enroll(client_cert_pattern().enrollment_uri_list(),
-                                   wrapped_connect);
+      enrollment_delegate()->Enroll(client_cert_pattern().enrollment_uri_list(),
+                                    wrapped_connect);
       // Enrollment delegate will take care of running the closure at the
       // appropriate time, if the user doesn't cancel.
       return;