Chromium Code Reviews Chromium Code Reviews
Issue 11970012:
Add a check for server and CA certificates in device policies to the ONC validator. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/network/onc/onc_validator.h" | 5 #include "chromeos/network/onc/onc_validator.h" |
| 6 | 6 |
| 7 #include <algorithm> | 7 #include <algorithm> |
| 8 #include <string> | 8 #include <string> |
| 9 | 9 |
| 10 #include "base/json/json_writer.h" | 10 #include "base/json/json_writer.h" |
| (...skipping 336 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 347 } | 347 } |
| 348 error_or_warning_found_ = true; | 348 error_or_warning_found_ = true; |
| 349 path_.push_back(field_name); | 349 path_.push_back(field_name); |
| 350 LOG(ERROR) << ErrorHeader() << "Found value '" << actual_value | 350 LOG(ERROR) << ErrorHeader() << "Found value '" << actual_value |
| 351 << "', but expected a value in the range [" << lower_bound | 351 << "', but expected a value in the range [" << lower_bound |
| 352 << ", " << upper_bound << "] (boundaries inclusive)"; | 352 << ", " << upper_bound << "] (boundaries inclusive)"; |
| 353 path_.pop_back(); | 353 path_.pop_back(); |
| 354 return true; | 354 return true; |
| 355 } | 355 } |
| 356 | 356 |
| 357 bool Validator::FieldExistsAndIsEmpty(const base::DictionaryValue& object, | |
| 358 const std::string &field_name) { | |
|
Joao da Silva
2013/01/16 15:03:57
& next to std::string
pneubeck (no reviews)
2013/01/16 15:18:04
Done.
| |
| 359 std::string value; | |
| 360 if (!object.GetStringWithoutPathExpansion(field_name, &value) || | |
| 361 !value.empty()) { | |
| 362 return false; | |
| 363 } | |
| 364 | |
| 365 error_or_warning_found_ = true; | |
| 366 path_.push_back(field_name); | |
| 367 LOG(ERROR) << ErrorHeader() << "Found an empty string, but expected a " | |
| 368 << "non-empty string."; | |
| 369 path_.pop_back(); | |
| 370 return true; | |
| 371 } | |
| 372 | |
| 357 bool Validator::RequireField(const base::DictionaryValue& dict, | 373 bool Validator::RequireField(const base::DictionaryValue& dict, |
| 358 const std::string& field_name) { | 374 const std::string& field_name) { |
| 359 if (dict.HasKey(field_name)) | 375 if (dict.HasKey(field_name)) |
| 360 return true; | 376 return true; |
| 361 error_or_warning_found_ = true; | 377 error_or_warning_found_ = true; |
| 362 LOG(ERROR) << ErrorHeader() << "The required field '" << field_name | 378 LOG(ERROR) << ErrorHeader() << "The required field '" << field_name |
| 363 << "' is missing."; | 379 << "' is missing."; |
| 364 return false; | 380 return false; |
| 365 } | 381 } |
| 366 | 382 |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 415 | 431 |
| 416 bool Validator::ValidateNetworkConfiguration( | 432 bool Validator::ValidateNetworkConfiguration( |
| 417 const base::DictionaryValue& onc_object, | 433 const base::DictionaryValue& onc_object, |
| 418 base::DictionaryValue* result) { | 434 base::DictionaryValue* result) { |
| 419 if (!ValidateObjectDefault(kNetworkConfigurationSignature, | 435 if (!ValidateObjectDefault(kNetworkConfigurationSignature, |
| 420 onc_object, result)) { | 436 onc_object, result)) { |
| 421 return false; | 437 return false; |
| 422 } | 438 } |
| 423 | 439 |
| 424 static const char* kValidTypes[] = { kEthernet, kVPN, kWiFi, NULL }; | 440 static const char* kValidTypes[] = { kEthernet, kVPN, kWiFi, NULL }; |
| 425 if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypes)) | 441 if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypes) || |
| 442 FieldExistsAndIsEmpty(*result, kGUID)) { | |
| 426 return false; | 443 return false; |
| 444 } | |
| 427 | 445 |
| 428 bool allRequiredExist = RequireField(*result, kGUID); | 446 bool allRequiredExist = RequireField(*result, kGUID); |
| 429 | 447 |
| 430 bool remove = false; | 448 bool remove = false; |
| 431 result->GetBooleanWithoutPathExpansion(kRemove, &remove); | 449 result->GetBooleanWithoutPathExpansion(kRemove, &remove); |
| 432 if (!remove) { | 450 if (!remove) { |
| 433 allRequiredExist &= RequireField(*result, kName); | 451 allRequiredExist &= RequireField(*result, kName); |
| 434 allRequiredExist &= RequireField(*result, kType); | 452 allRequiredExist &= RequireField(*result, kType); |
| 435 | 453 |
| 436 std::string type; | 454 std::string type; |
| (...skipping 292 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 729 } | 747 } |
| 730 | 748 |
| 731 bool Validator::ValidateCertificate( | 749 bool Validator::ValidateCertificate( |
| 732 const base::DictionaryValue& onc_object, | 750 const base::DictionaryValue& onc_object, |
| 733 base::DictionaryValue* result) { | 751 base::DictionaryValue* result) { |
| 734 using namespace onc::certificate; | 752 using namespace onc::certificate; |
| 735 if (!ValidateObjectDefault(kCertificateSignature, onc_object, result)) | 753 if (!ValidateObjectDefault(kCertificateSignature, onc_object, result)) |
| 736 return false; | 754 return false; |
| 737 | 755 |
| 738 static const char* kValidTypes[] = { kClient, kServer, kAuthority, NULL }; | 756 static const char* kValidTypes[] = { kClient, kServer, kAuthority, NULL }; |
| 739 if (FieldExistsAndHasNoValidValue(*result, certificate::kType, kValidTypes)) | 757 if (FieldExistsAndHasNoValidValue(*result, certificate::kType, kValidTypes) || |
| 758 FieldExistsAndIsEmpty(*result, kGUID)) { | |
| 740 return false; | 759 return false; |
| 760 } | |
| 761 | |
| 762 std::string type; | |
| 763 result->GetStringWithoutPathExpansion(certificate::kType, &type); | |
| 764 if (onc_source_ == ONC_SOURCE_DEVICE_POLICY && | |
| 765 (type == kServer || type == kAuthority)) { | |
| 766 error_or_warning_found_ = true; | |
| 767 LOG(ERROR) << ErrorHeader() << "Server and authority certificates are " | |
| 768 << "prohibited in ONC device policies."; | |
| 769 return false; | |
| 770 } | |
| 741 | 771 |
| 742 bool allRequiredExist = RequireField(*result, kGUID); | 772 bool allRequiredExist = RequireField(*result, kGUID); |
| 743 | 773 |
| 744 bool remove = false; | 774 bool remove = false; |
| 745 result->GetBooleanWithoutPathExpansion(kRemove, &remove); | 775 result->GetBooleanWithoutPathExpansion(kRemove, &remove); |
| 746 if (!remove) { | 776 if (!remove) { |
| 747 allRequiredExist &= RequireField(*result, certificate::kType); | 777 allRequiredExist &= RequireField(*result, certificate::kType); |
| 748 | 778 |
| 749 std::string type; | |
| 750 result->GetStringWithoutPathExpansion(certificate::kType, &type); | |
| 751 if (type == kClient) | 779 if (type == kClient) |
| 752 allRequiredExist &= RequireField(*result, kPKCS12); | 780 allRequiredExist &= RequireField(*result, kPKCS12); |
| 753 else if (type == kServer || type == kAuthority) | 781 else if (type == kServer || type == kAuthority) |
| 754 allRequiredExist &= RequireField(*result, kX509); | 782 allRequiredExist &= RequireField(*result, kX509); |
| 755 } | 783 } |
| 756 | 784 |
| 757 return !error_on_missing_field_ || allRequiredExist; | 785 return !error_on_missing_field_ || allRequiredExist; |
| 758 } | 786 } |
| 759 | 787 |
| 760 std::string Validator::WarningHeader() { | 788 std::string Validator::WarningHeader() { |
| 761 return MessageHeader(false); | 789 return MessageHeader(false); |
| 762 } | 790 } |
| 763 | 791 |
| 764 std::string Validator::ErrorHeader() { | 792 std::string Validator::ErrorHeader() { |
| 765 return MessageHeader(true); | 793 return MessageHeader(true); |
| 766 } | 794 } |
| 767 | 795 |
| 768 std::string Validator::MessageHeader(bool is_error) { | 796 std::string Validator::MessageHeader(bool is_error) { |
| 769 std::string path = path_.empty() ? "toplevel" : JoinString(path_, "."); | 797 std::string path = path_.empty() ? "toplevel" : JoinString(path_, "."); |
| 770 std::string message = "At " + path + ": "; | 798 std::string message = "At " + path + ": "; |
| 771 return message; | 799 return message; |
| 772 } | 800 } |
| 773 | 801 |
| 774 } // namespace onc | 802 } // namespace onc |
| 775 } // namespace chromeos | 803 } // namespace chromeos |
| OLD | NEW |
