Add a check for server and CA certificates in device policies to the ONC validator.

chromeos/network/onc/onc_certificate_importer.cc

Index: chromeos/network/onc/onc_certificate_importer.cc
diff --git a/chromeos/network/onc/onc_certificate_importer.cc b/chromeos/network/onc/onc_certificate_importer.cc
index 451c6d950c422e2113688ec2722b0878178f879d..430be018a434df28afba000582723e96bbebf05d 100644
--- a/chromeos/network/onc/onc_certificate_importer.cc
+++ b/chromeos/network/onc/onc_certificate_importer.cc
@@ -34,11 +34,8 @@ const char kX509CertificateHeader[] = "X509 CERTIFICATE";
 namespace chromeos {
 namespace onc {
 
-CertificateImporter::CertificateImporter(
-    ONCSource onc_source,
-    bool allow_web_trust_from_policy)
-    : onc_source_(onc_source),
-      allow_web_trust_from_policy_(allow_web_trust_from_policy) {
+CertificateImporter::CertificateImporter(bool allow_web_trust)
+    : allow_web_trust_(allow_web_trust) {
 }
 
 CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
@@ -46,10 +43,8 @@ CertificateImporter::ParseResult CertificateImporter::ParseAndStoreCertificates(
   size_t successful_imports = 0;
   for (size_t i = 0; i < certificates.GetSize(); ++i) {
     const base::DictionaryValue* certificate = NULL;
-    if (!certificates.GetDictionary(i, &certificate)) {
-      ONC_LOG_ERROR("Certificate data malformed");
-      continue;
-    }
+    certificates.GetDictionary(i, &certificate);
+    DCHECK(certificate != NULL);

[Joao da Silva, 2013/01/16 15:03:57]

|certificates| is user input, right? (It's from the ONC policiy, right?) So it's
very possible that it is malformed, and that should be handled.

[pneubeck (no reviews), 2013/01/16 15:18:04]

Policies are at first validated. The assumption here is that the argument is a
Certificate object according to the ONC spec.
This DCHECK should never occur.

The same below.

 
     VLOG(2) << "Parsing certificate at index " << i << ": " << *certificate;
 
@@ -74,10 +69,8 @@ bool CertificateImporter::ParseAndStoreCertificate(
     const base::DictionaryValue& certificate) {
   // Get out the attributes of the given certificate.
   std::string guid;
-  if (!certificate.GetString(kGUID, &guid) || guid.empty()) {
-    ONC_LOG_ERROR("Certificate missing GUID identifier");
-    return false;
-  }
+  certificate.GetString(kGUID, &guid);
+  DCHECK(!guid.empty());

[Joao da Silva, 2013/01/16 15:03:57]

Same

 
   bool remove = false;
   if (certificate.GetBoolean(kRemove, &remove) && remove) {
@@ -94,11 +87,10 @@ bool CertificateImporter::ParseAndStoreCertificate(
   certificate.GetString(certificate::kType, &cert_type);
   if (cert_type == certificate::kServer || cert_type == certificate::kAuthority)
     return ParseServerOrCaCertificate(cert_type, guid, certificate);
-
-  if (cert_type == certificate::kClient)
+  else if (cert_type == certificate::kClient)
     return ParseClientCertificate(guid, certificate);
 
-  ONC_LOG_ERROR("Certificate of unknown type: " + cert_type);
+  NOTREACHED();

[Joao da Silva, 2013/01/16 15:03:57]

Same

   return false;
 }
 
@@ -164,22 +156,14 @@ bool CertificateImporter::ParseServerOrCaCertificate(
     const std::string& cert_type,
     const std::string& guid,
     const base::DictionaryValue& certificate) {
-  // Device policy can't import certificates.
-  if (onc_source_ == ONC_SOURCE_DEVICE_POLICY) {
-    // This isn't a parsing error.
-    ONC_LOG_WARNING("Refusing to import certificate from device policy.");
-    return true;
-  }
-
   bool web_trust = false;
   const base::ListValue* trust_list = NULL;
   if (certificate.GetList(certificate::kTrust, &trust_list)) {
     for (size_t i = 0; i < trust_list->GetSize(); ++i) {
       std::string trust_type;
-      if (!trust_list->GetString(i, &trust_type)) {
-        ONC_LOG_ERROR("Certificate trust is invalid");
-        return false;
-      }
+      if (!trust_list->GetString(i, &trust_type))
+        NOTREACHED();

[Joao da Silva, 2013/01/16 15:03:57]

User input?

+
       if (trust_type == certificate::kWeb) {
         // "Web" implies that the certificate is to be trusted for SSL
         // identification.
@@ -191,10 +175,7 @@ bool CertificateImporter::ParseServerOrCaCertificate(
     }
   }
 
-  // Web trust is only granted to certificates imported for a managed user
-  // on a managed device.
-  if (onc_source_ == ONC_SOURCE_USER_POLICY &&
-      web_trust && !allow_web_trust_from_policy_) {
+  if (web_trust && !allow_web_trust_) {
     LOG(WARNING) << "Web trust not granted for certificate: " << guid;
     web_trust = false;
   }