Chromium Code Reviews Chromium Code Reviews
Issue 11970012:
Add a check for server and CA certificates in device policies to the ONC validator. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chromeos/network/onc/onc_validator.h" | 5 #include "chromeos/network/onc/onc_validator.h" |
| 6 | 6 |
| 7 #include <string> | 7 #include <string> |
| 8 #include <utility> | 8 #include <utility> |
| 9 | 9 |
| 10 #include "base/logging.h" | 10 #include "base/logging.h" |
| (...skipping 11 matching lines...) Expand all Loading... | |
| 22 class ONCValidatorTest : public ::testing::Test { | 22 class ONCValidatorTest : public ::testing::Test { |
| 23 public: | 23 public: |
| 24 // Validate |onc_object| with the given |signature|. The object is considered | 24 // Validate |onc_object| with the given |signature|. The object is considered |
| 25 // to be managed if |managed_onc| is true. A strict validator is used if | 25 // to be managed if |managed_onc| is true. A strict validator is used if |
| 26 // |strict| is true. |onc_object| and the resulting repaired object of the | 26 // |strict| is true. |onc_object| and the resulting repaired object of the |
| 27 // validation is stored, so that expectations can be checked afterwards using | 27 // validation is stored, so that expectations can be checked afterwards using |
| 28 // one of the Expect* functions below. | 28 // one of the Expect* functions below. |
| 29 void Validate(bool strict, | 29 void Validate(bool strict, |
| 30 scoped_ptr<base::DictionaryValue> onc_object, | 30 scoped_ptr<base::DictionaryValue> onc_object, |
| 31 const OncValueSignature* signature, | 31 const OncValueSignature* signature, |
| 32 bool managed_onc) { | |
| 33 Validate(strict, onc_object.Pass(), signature, managed_onc, | |
| 34 ONC_SOURCE_NONE); | |
| 35 } | |
| 36 | |
| 37 void Validate(bool strict, | |
| 38 scoped_ptr<base::DictionaryValue> onc_object, | |
| 39 const OncValueSignature* signature, | |
| 40 bool managed_onc, | 32 bool managed_onc, |
| 41 ONCSource onc_source) { | 33 ONCSource onc_source) { |
| 42 scoped_ptr<Validator> validator; | 34 scoped_ptr<Validator> validator; |
| 43 if (strict) { | 35 if (strict) { |
| 44 // Create a strict validator that complains about every error. | 36 // Create a strict validator that complains about every error. |
| 45 validator.reset(new Validator(true, true, true, managed_onc)); | 37 validator.reset(new Validator(true, true, true, managed_onc)); |
| 46 } else { | 38 } else { |
| 47 // Create a liberal validator that ignores or repairs non-critical errors. | 39 // Create a liberal validator that ignores or repairs non-critical errors. |
| 48 validator.reset(new Validator(false, false, false, managed_onc)); | 40 validator.reset(new Validator(false, false, false, managed_onc)); |
| 49 } | 41 } |
| (...skipping 27 matching lines...) Expand all Loading... | |
| 77 scoped_ptr<const base::DictionaryValue> repaired_object_; | 69 scoped_ptr<const base::DictionaryValue> repaired_object_; |
| 78 }; | 70 }; |
| 79 | 71 |
| 80 namespace { | 72 namespace { |
| 81 | 73 |
| 82 struct OncParams { | 74 struct OncParams { |
| 83 // |location_of_object| is a string to identify the object to be tested. It | 75 // |location_of_object| is a string to identify the object to be tested. It |
| 84 // may be used as a filename or as a dictionary key. | 76 // may be used as a filename or as a dictionary key. |
| 85 OncParams(const std::string& location_of_object, | 77 OncParams(const std::string& location_of_object, |
| 86 const OncValueSignature* onc_signature, | 78 const OncValueSignature* onc_signature, |
| 87 bool is_managed_onc) | 79 bool is_managed_onc, |
| 80 ONCSource onc_source = ONC_SOURCE_NONE) | |
|
pastarmovj
2013/01/16 14:49:38
Default values are not allowed by the style guide.
| |
| 88 : location(location_of_object), | 81 : location(location_of_object), |
| 89 signature(onc_signature), | 82 signature(onc_signature), |
| 90 is_managed(is_managed_onc) { | 83 is_managed(is_managed_onc), |
| 84 onc_source(onc_source) { | |
| 91 } | 85 } |
| 92 | 86 |
| 93 std::string location; | 87 std::string location; |
| 94 const OncValueSignature* signature; | 88 const OncValueSignature* signature; |
| 95 bool is_managed; | 89 bool is_managed; |
| 90 ONCSource onc_source; | |
| 96 }; | 91 }; |
| 97 | 92 |
| 98 ::std::ostream& operator<<(::std::ostream& os, const OncParams& onc) { | 93 ::std::ostream& operator<<(::std::ostream& os, const OncParams& onc) { |
| 99 return os << "(" << onc.location << ", " << onc.signature << ", " | 94 return os << "(" << onc.location << ", " << onc.signature << ", " |
| 100 << (onc.is_managed ? "managed" : "unmanaged") << ")"; | 95 << (onc.is_managed ? "managed" : "unmanaged") << ", " |
| 96 << GetSourceAsString(onc.onc_source) << ")"; | |
| 101 } | 97 } |
| 102 | 98 |
| 103 } // namespace | 99 } // namespace |
| 104 | 100 |
| 105 // Ensure that the constant |kEmptyUnencryptedConfiguration| describes a valid | 101 // Ensure that the constant |kEmptyUnencryptedConfiguration| describes a valid |
| 106 // ONC toplevel object. | 102 // ONC toplevel object. |
| 107 TEST_F(ONCValidatorTest, EmptyUnencryptedConfiguration) { | 103 TEST_F(ONCValidatorTest, EmptyUnencryptedConfiguration) { |
| 108 Validate(true, ReadDictionaryFromJson(kEmptyUnencryptedConfiguration), | 104 Validate(true, ReadDictionaryFromJson(kEmptyUnencryptedConfiguration), |
| 109 &kToplevelConfigurationSignature, false); | 105 &kToplevelConfigurationSignature, false, ONC_SOURCE_NONE); |
| 110 ExpectValid(); | 106 ExpectValid(); |
| 111 } | 107 } |
| 112 | 108 |
| 113 // Ensure that VPN is rejected in device policies. | |
| 114 TEST_F(ONCValidatorTest, VPNInDevicePolicyInvalid) { | |
| 115 Validate(true, test_utils::ReadTestDictionary("valid_openvpn.onc"), | |
| 116 &kNetworkConfigurationSignature, true, ONC_SOURCE_DEVICE_POLICY); | |
| 117 ExpectInvalid(); | |
| 118 } | |
| 119 | |
| 120 // Ensure that client certificate patterns are rejected in device policies. | |
| 121 TEST_F(ONCValidatorTest, ClientCertPatternInDevicePolicyInvalid) { | |
| 122 Validate(true, test_utils::ReadTestDictionary("valid_wifi_clientcert.onc"), | |
| 123 &kNetworkConfigurationSignature, true, ONC_SOURCE_DEVICE_POLICY); | |
| 124 ExpectInvalid(); | |
| 125 } | |
| 126 | |
| 127 // Check that at least one configuration is accepted for device policies. | |
| 128 TEST_F(ONCValidatorTest, ValidNetworkInDevicePolicy) { | |
| 129 Validate(true, test_utils::ReadTestDictionary("valid_wifi_psk.onc"), | |
| 130 &kNetworkConfigurationSignature, true, ONC_SOURCE_DEVICE_POLICY); | |
| 131 ExpectValid(); | |
| 132 } | |
| 133 | |
| 134 // This test case is about validating valid ONC objects without any errors. Both | 109 // This test case is about validating valid ONC objects without any errors. Both |
| 135 // the strict and the liberal validator accept the object. | 110 // the strict and the liberal validator accept the object. |
| 136 class ONCValidatorValidTest : public ONCValidatorTest, | 111 class ONCValidatorValidTest : public ONCValidatorTest, |
| 137 public ::testing::WithParamInterface<OncParams> { | 112 public ::testing::WithParamInterface<OncParams> { |
| 138 }; | 113 }; |
| 139 | 114 |
| 140 TEST_P(ONCValidatorValidTest, StrictValidationValid) { | 115 TEST_P(ONCValidatorValidTest, StrictValidationValid) { |
| 141 OncParams onc = GetParam(); | 116 OncParams onc = GetParam(); |
| 142 Validate(true, test_utils::ReadTestDictionary(onc.location), onc.signature, | 117 Validate(true, test_utils::ReadTestDictionary(onc.location), onc.signature, |
| 143 onc.is_managed); | 118 onc.is_managed, onc.onc_source); |
| 144 ExpectValid(); | 119 ExpectValid(); |
| 145 } | 120 } |
| 146 | 121 |
| 147 TEST_P(ONCValidatorValidTest, LiberalValidationValid) { | 122 TEST_P(ONCValidatorValidTest, LiberalValidationValid) { |
| 148 OncParams onc = GetParam(); | 123 OncParams onc = GetParam(); |
| 149 Validate(false, test_utils::ReadTestDictionary(onc.location), onc.signature, | 124 Validate(false, test_utils::ReadTestDictionary(onc.location), onc.signature, |
| 150 onc.is_managed); | 125 onc.is_managed, onc.onc_source); |
| 151 ExpectValid(); | 126 ExpectValid(); |
| 152 } | 127 } |
| 153 | 128 |
| 154 // The parameters are: | 129 // The parameters are: |
| 155 // OncParams(string: Filename of a ONC file that is to be validated, | 130 // OncParams(string: Filename of a ONC file that is to be validated, |
| 156 // OncValueSignature: signature of that ONC, | 131 // OncValueSignature: signature of that ONC, |
| 157 // bool: true if the ONC is managed). | 132 // bool: true if the ONC is managed). |
| 158 INSTANTIATE_TEST_CASE_P( | 133 INSTANTIATE_TEST_CASE_P( |
| 159 ONCValidatorValidTest, | 134 ONCValidatorValidTest, |
| 160 ONCValidatorValidTest, | 135 ONCValidatorValidTest, |
| 161 ::testing::Values(OncParams("managed_toplevel1.onc", | 136 ::testing::Values(OncParams("managed_toplevel1.onc", |
| 162 &kToplevelConfigurationSignature, | 137 &kToplevelConfigurationSignature, |
| 163 true), | 138 true), |
| 164 OncParams("managed_toplevel2.onc", | 139 OncParams("managed_toplevel2.onc", |
| 165 &kToplevelConfigurationSignature, | 140 &kToplevelConfigurationSignature, |
| 166 true), | 141 true), |
| 142 // Check that at least one configuration is accepted for | |
| 143 // device policies. | |
| 144 OncParams("managed_toplevel_wifi_peap.onc", | |
| 145 &kToplevelConfigurationSignature, | |
| 146 true, | |
| 147 ONC_SOURCE_DEVICE_POLICY), | |
| 167 OncParams("toplevel_wifi_wpa_psk.onc", | 148 OncParams("toplevel_wifi_wpa_psk.onc", |
| 168 &kToplevelConfigurationSignature, | 149 &kToplevelConfigurationSignature, |
| 169 false), | 150 false), |
| 170 OncParams("encrypted.onc", | 151 OncParams("encrypted.onc", |
| 171 &kToplevelConfigurationSignature, | 152 &kToplevelConfigurationSignature, |
| 172 true), | 153 true), |
| 173 OncParams("managed_vpn.onc", | 154 OncParams("managed_vpn.onc", |
| 174 &kNetworkConfigurationSignature, | 155 &kNetworkConfigurationSignature, |
| 175 true), | 156 true), |
| 176 OncParams("managed_ethernet.onc", | 157 OncParams("managed_ethernet.onc", |
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 219 test_utils::ReadTestDictionary("invalid_settings_with_repairs.json")); | 200 test_utils::ReadTestDictionary("invalid_settings_with_repairs.json")); |
| 220 const base::DictionaryValue* onc_object = NULL; | 201 const base::DictionaryValue* onc_object = NULL; |
| 221 CHECK(dict->GetDictionary(name, &onc_object)); | 202 CHECK(dict->GetDictionary(name, &onc_object)); |
| 222 return make_scoped_ptr(onc_object->DeepCopy()); | 203 return make_scoped_ptr(onc_object->DeepCopy()); |
| 223 } | 204 } |
| 224 }; | 205 }; |
| 225 | 206 |
| 226 TEST_P(ONCValidatorTestRepairable, StrictValidation) { | 207 TEST_P(ONCValidatorTestRepairable, StrictValidation) { |
| 227 OncParams onc = GetParam().first; | 208 OncParams onc = GetParam().first; |
| 228 Validate(true, GetDictionaryFromTestFile(onc.location), onc.signature, | 209 Validate(true, GetDictionaryFromTestFile(onc.location), onc.signature, |
| 229 onc.is_managed); | 210 onc.is_managed, onc.onc_source); |
| 230 std::string location_of_repaired = | 211 std::string location_of_repaired = |
| 231 GetParam().second.location_of_strict_repaired; | 212 GetParam().second.location_of_strict_repaired; |
| 232 if (location_of_repaired.empty()) | 213 if (location_of_repaired.empty()) |
| 233 ExpectInvalid(); | 214 ExpectInvalid(); |
| 234 else | 215 else |
| 235 ExpectRepairWithWarnings(*GetDictionaryFromTestFile(location_of_repaired)); | 216 ExpectRepairWithWarnings(*GetDictionaryFromTestFile(location_of_repaired)); |
| 236 } | 217 } |
| 237 | 218 |
| 238 TEST_P(ONCValidatorTestRepairable, LiberalValidation) { | 219 TEST_P(ONCValidatorTestRepairable, LiberalValidation) { |
| 239 OncParams onc = GetParam().first; | 220 OncParams onc = GetParam().first; |
| 240 Validate(false, GetDictionaryFromTestFile(onc.location), onc.signature, | 221 Validate(false, GetDictionaryFromTestFile(onc.location), onc.signature, |
| 241 onc.is_managed); | 222 onc.is_managed, onc.onc_source); |
| 242 std::string location_of_repaired = | 223 std::string location_of_repaired = |
| 243 GetParam().second.location_of_liberal_repaired; | 224 GetParam().second.location_of_liberal_repaired; |
| 244 if (location_of_repaired.empty()) | 225 if (location_of_repaired.empty()) |
| 245 ExpectInvalid(); | 226 ExpectInvalid(); |
| 246 else | 227 else |
| 247 ExpectRepairWithWarnings(*GetDictionaryFromTestFile(location_of_repaired)); | 228 ExpectRepairWithWarnings(*GetDictionaryFromTestFile(location_of_repaired)); |
| 248 } | 229 } |
| 249 | 230 |
| 250 // The parameters for all test case instantations below are: | 231 // The parameters for all test case instantations below are: |
| 251 // OncParams(string: A fieldname in the dictionary from the file | 232 // OncParams(string: A fieldname in the dictionary from the file |
| (...skipping 52 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 304 "toplevel-repaired")), | 285 "toplevel-repaired")), |
| 305 std::make_pair(OncParams("toplevel-invalid-network", | 286 std::make_pair(OncParams("toplevel-invalid-network", |
| 306 &kToplevelConfigurationSignature, | 287 &kToplevelConfigurationSignature, |
| 307 true), | 288 true), |
| 308 RepairParams("toplevel-repaired", | 289 RepairParams("toplevel-repaired", |
| 309 "toplevel-repaired")), | 290 "toplevel-repaired")), |
| 310 // Ignore recommended arrays in unmanaged ONC. | 291 // Ignore recommended arrays in unmanaged ONC. |
| 311 std::make_pair(OncParams("network-with-illegal-recommended", | 292 std::make_pair(OncParams("network-with-illegal-recommended", |
| 312 &kNetworkConfigurationSignature, | 293 &kNetworkConfigurationSignature, |
| 313 false), | 294 false), |
| 314 RepairParams("network-repaired", "network-repaired")))); | 295 RepairParams("network-repaired", "network-repaired")), |
| 296 std::make_pair(OncParams("toplevel-with-vpn", | |
| 297 &kToplevelConfigurationSignature, | |
| 298 false, | |
| 299 ONC_SOURCE_DEVICE_POLICY), | |
| 300 RepairParams("toplevel-empty", "toplevel-empty")), | |
| 301 std::make_pair(OncParams("toplevel-with-server-and-ca-cert", | |
| 302 &kToplevelConfigurationSignature, | |
| 303 true, | |
| 304 ONC_SOURCE_DEVICE_POLICY), | |
| 305 RepairParams("toplevel-server-and-ca-cert-dropped", | |
| 306 "toplevel-server-and-ca-cert-dropped")))); | |
| 315 | 307 |
| 316 // Strict and liberal validator both repair, but with different results. | 308 // Strict and liberal validator both repair, but with different results. |
| 317 INSTANTIATE_TEST_CASE_P( | 309 INSTANTIATE_TEST_CASE_P( |
| 318 StrictAndLiberalRepairDifferently, | 310 StrictAndLiberalRepairDifferently, |
| 319 ONCValidatorTestRepairable, | 311 ONCValidatorTestRepairable, |
| 320 ::testing::Values( | 312 ::testing::Values( |
| 321 std::make_pair(OncParams("toplevel-with-nested-warning", | 313 std::make_pair(OncParams("toplevel-with-nested-warning", |
| 322 &kToplevelConfigurationSignature, | 314 &kToplevelConfigurationSignature, |
| 323 false), | 315 false), |
| 324 RepairParams("toplevel-empty", "toplevel-repaired")))); | 316 RepairParams("toplevel-empty", "toplevel-repaired")))); |
| (...skipping 13 matching lines...) Expand all Loading... | |
| 338 &kNetworkConfigurationSignature, false), | 330 &kNetworkConfigurationSignature, false), |
| 339 RepairParams("", "")), | 331 RepairParams("", "")), |
| 340 std::make_pair(OncParams("managed-network-value-out-of-range", | 332 std::make_pair(OncParams("managed-network-value-out-of-range", |
| 341 &kNetworkConfigurationSignature, true), | 333 &kNetworkConfigurationSignature, true), |
| 342 RepairParams("", "")), | 334 RepairParams("", "")), |
| 343 std::make_pair(OncParams("network-wrong-type", | 335 std::make_pair(OncParams("network-wrong-type", |
| 344 &kNetworkConfigurationSignature, false), | 336 &kNetworkConfigurationSignature, false), |
| 345 RepairParams("", "")), | 337 RepairParams("", "")), |
| 346 std::make_pair(OncParams("managed-network-wrong-type", | 338 std::make_pair(OncParams("managed-network-wrong-type", |
| 347 &kNetworkConfigurationSignature, true), | 339 &kNetworkConfigurationSignature, true), |
| 340 RepairParams("", "")), | |
| 341 std::make_pair(OncParams("network-with-client-cert-pattern", | |
| 342 &kNetworkConfigurationSignature, true, | |
| 343 ONC_SOURCE_DEVICE_POLICY), | |
| 348 RepairParams("", "")))); | 344 RepairParams("", "")))); |
| 349 | 345 |
| 350 } // namespace onc | 346 } // namespace onc |
| 351 } // namespace chromeos | 347 } // namespace chromeos |
| OLD | NEW |
