Implementation of ONC signature, validator and normalizer.

chrome/browser/chromeos/cros/onc_network_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/onc_network_parser.h"
 
 #include <keyhi.h>
 #include <pk11pub.h>
 
 #include "base/base64.h"
 #include "base/json/json_string_value_serializer.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "base/json/json_writer.h"  // for debug output only.
 #include "base/stringprintf.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/cros/certificate_pattern.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/native_network_constants.h"
 #include "chrome/browser/chromeos/cros/native_network_parser.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/cros/onc_constants.h"
+#include "chrome/browser/chromeos/network_settings/onc_signature.h"
+#include "chrome/browser/chromeos/network_settings/onc_validator.h"
 #include "chrome/browser/chromeos/proxy_config_service_impl.h"
 #include "chrome/browser/prefs/proxy_config_dictionary.h"
 #include "chrome/common/net/x509_certificate_model.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/encryptor.h"
 #include "crypto/hmac.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/symmetric_key.h"
 #include "grit/generated_resources.h"
 #include "net/base/crypto_module.h"
@@ skipping 94 matching lines @@
   { onc::eap::kUseSystemCAs, PROPERTY_INDEX_EAP_USE_SYSTEM_CAS, TYPE_BOOLEAN },
   { onc::eap::kSaveCredentials, PROPERTY_INDEX_SAVE_CREDENTIALS, TYPE_BOOLEAN },
   { NULL }
 };
 
 OncValueSignature vpn_signature[] = {
   { onc::vpn::kHost, PROPERTY_INDEX_PROVIDER_HOST, TYPE_STRING },
   { onc::vpn::kIPsec, PROPERTY_INDEX_ONC_IPSEC, TYPE_DICTIONARY },
   { onc::vpn::kL2TP, PROPERTY_INDEX_ONC_L2TP, TYPE_DICTIONARY },
   { onc::vpn::kOpenVPN, PROPERTY_INDEX_ONC_OPENVPN, TYPE_DICTIONARY },
-  { onc::vpn::kType, PROPERTY_INDEX_PROVIDER_TYPE, TYPE_STRING },

[Mattias Nissler (ping if slow), 2012/11/02 10:10:00]

Shouldn't this stay onc::vpn::kType? It's the type field for vpns after all.

[pneubeck (no reviews), 2012/11/05 12:04:48]

Done.

+  { onc::kType, PROPERTY_INDEX_PROVIDER_TYPE, TYPE_STRING },
   { NULL }
 };
 
 OncValueSignature ipsec_signature[] = {
   { onc::vpn::kAuthenticationType, PROPERTY_INDEX_IPSEC_AUTHENTICATIONTYPE,
     TYPE_STRING },
   { onc::vpn::kGroup, PROPERTY_INDEX_L2TPIPSEC_GROUP_NAME, TYPE_STRING },
   { onc::vpn::kIKEVersion, PROPERTY_INDEX_IPSEC_IKEVERSION, TYPE_INTEGER },
   { onc::vpn::kClientCertPattern, PROPERTY_INDEX_ONC_CLIENT_CERT_PATTERN,
     TYPE_DICTIONARY },
@@ skipping 49 matching lines @@
   { onc::vpn::kStaticChallenge, PROPERTY_INDEX_OPEN_VPN_STATICCHALLENGE,
     TYPE_STRING },
   { onc::vpn::kTLSAuthContents, PROPERTY_INDEX_OPEN_VPN_TLSAUTHCONTENTS,
     TYPE_STRING },
   { onc::vpn::kTLSRemote, PROPERTY_INDEX_OPEN_VPN_TLSREMOTE, TYPE_STRING },
   { onc::vpn::kUsername, PROPERTY_INDEX_OPEN_VPN_USER, TYPE_STRING },
   { NULL }
 };
 
 OncValueSignature proxy_settings_signature[] = {
-  { onc::proxy::kType, PROPERTY_INDEX_ONC_PROXY_TYPE, TYPE_STRING },

[Mattias Nissler (ping if slow), 2012/11/02 10:10:00]

ditto

[pneubeck (no reviews), 2012/11/05 12:04:48]

Done.

+  { onc::kType, PROPERTY_INDEX_ONC_PROXY_TYPE, TYPE_STRING },
   { onc::proxy::kPAC, PROPERTY_INDEX_ONC_PROXY_PAC, TYPE_STRING },
   { onc::proxy::kManual, PROPERTY_INDEX_ONC_PROXY_MANUAL, TYPE_DICTIONARY },
   { onc::proxy::kExcludeDomains, PROPERTY_INDEX_ONC_PROXY_EXCLUDE_DOMAINS,
     TYPE_LIST },
   { NULL },
 };
 
 OncValueSignature proxy_manual_signature[] = {
   { onc::proxy::kHttp, PROPERTY_INDEX_ONC_PROXY_HTTP, TYPE_DICTIONARY },
   { onc::proxy::kHttps, PROPERTY_INDEX_ONC_PROXY_HTTPS, TYPE_DICTIONARY },
@@ skipping 80 matching lines @@
 
     // Check and see if this is an encrypted ONC file.  If so, decrypt it.
     std::string ciphertext_test;
     if (root_dict_->GetString("Ciphertext", &ciphertext_test))
       root_dict_.reset(Decrypt(passphrase, root_dict_.get()));
 
     // Decryption failed, errors will be in parse_error_;
     if (!root_dict_.get())
       return;
 
+    bool is_managed = onc_source == NetworkUIData::ONC_SOURCE_USER_POLICY ||
+        onc_source == NetworkUIData::ONC_SOURCE_DEVICE_POLICY;
+    // Validate the ONC dictionary. We are liberal and ignore unknown field
+    // names.

[Mattias Nissler (ping if slow), 2012/11/02 10:10:00]

I think this comment should go before the is_managed definition in line 309.

[pneubeck (no reviews), 2012/11/05 12:04:48]

Done.

+    bool error_on_unknown_field = false;
+    bool error_on_wrong_recommended = false;

[Mattias Nissler (ping if slow), 2012/11/02 10:10:00]

I don't understand what that means. Better name? Comment?

[pneubeck (no reviews), 2012/11/05 12:04:48]

Done.

+    bool error_on_missing_field = true;
+    scoped_ptr<onc::Validator> validator(
+        new onc::Validator(error_on_unknown_field, error_on_wrong_recommended,
+                           error_on_missing_field, is_managed));
+
+    // Unknown fields are removed from the result.
+    root_dict_ = validator->ValidateAndRepairObject(
+        &onc::kUnencryptedConfigurationSignature,
+        *root_dict_);
+
+    if (!root_dict_.get()) {
+      LOG(WARNING) << "Provided ONC is invalid and couldn't be repaired";
+      return;
+    }
+
     // At least one of NetworkConfigurations or Certificates is required.
     bool has_network_configurations =
         root_dict_->GetList("NetworkConfigurations", &network_configs_);
     bool has_certificates =
         root_dict_->GetList("Certificates", &certificates_);
     VLOG(2) << "ONC file has " << GetNetworkConfigsSize() << " networks and "
             << GetCertificatesSize() << " certificates";
     LOG_IF(WARNING, (!has_network_configurations && !has_certificates))
         << "ONC file has no NetworkConfigurations or Certificates.";
   }
@@ skipping 750 matching lines @@
 
   VLOG(2) << "Successfully imported client certificate at index "
           << cert_index;
   return cert_result;
 }
 
 // static
 ClientCertType OncNetworkParser::ParseClientCertType(
     const std::string& type) {
   static EnumMapper<ClientCertType>::Pair table[] = {
-    { onc::certificate::kNone, CLIENT_CERT_TYPE_NONE },
+    { onc::kNone, CLIENT_CERT_TYPE_NONE },

[Mattias Nissler (ping if slow), 2012/11/02 10:10:00]

same here. I'd prefer clarity of where to find constants over sharing.

[pneubeck (no reviews), 2012/11/05 12:04:48]

Done.

     { onc::certificate::kRef, CLIENT_CERT_TYPE_REF },
     { onc::certificate::kPattern, CLIENT_CERT_TYPE_PATTERN },
   };
   CR_DEFINE_STATIC_LOCAL(EnumMapper<ClientCertType>, parser,
       (table, arraysize(table), CLIENT_CERT_TYPE_NONE));
   return parser.Get(type);
 }
 
 // static
 void OncNetworkParser::ListCertsWithNickname(const std::string& label,
@@ skipping 69 matching lines @@
                                             const base::Value& value,
                                             Network* network) {
   VLOG(1) << "Processing ProxySettings: " << ConvertValueToString(value);
 
   // Got "ProxySettings" field.  Immediately store the ProxySettings.Type
   // field value so that we can properly validate fields in the ProxySettings
   // object based on the type.
   const DictionaryValue* dict = NULL;
   CHECK(value.GetAsDictionary(&dict));
   std::string proxy_type_string;
-  if (!dict->GetString(onc::proxy::kType, &proxy_type_string)) {
+  if (!dict->GetString(onc::kType, &proxy_type_string)) {
     VLOG(1) << network->name() << ": ProxySettings.Type is missing";
     return false;
   }
   Network::ProxyOncConfig& config = network->proxy_onc_config();
   config.type = ParseProxyType(proxy_type_string);
 
   // For Direct and WPAD, all other fields are ignored.
   // Otherwise, recursively parse the children of ProxySettings dictionary.
   if (config.type != PROXY_ONC_DIRECT && config.type != PROXY_ONC_WPAD) {
     if (!parser->ParseNestedObject(network,
@@ skipping 852 matching lines @@
     // on the value of AuthenticationType.
     { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK },
     { "OpenVPN", PROVIDER_TYPE_OPEN_VPN },
   };
   CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser,
       (table, arraysize(table), PROVIDER_TYPE_MAX));
   return parser.Get(type);
 }
 
 }  // namespace chromeos