Adding a NetworkProfileHandler used by ManagedNetworkConfigurationHandler.

chromeos/network/managed_network_configuration_handler.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/managed_network_configuration_handler.h"
 
 #include <string>
 #include <vector>
 
 #include "base/bind.h"
 #include "base/guid.h"
 #include "base/json/json_writer.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/stl_util.h"
+#include "base/string_util.h"
 #include "base/values.h"
 #include "chromeos/dbus/dbus_method_call_status.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_manager_client.h"
 #include "chromeos/dbus/shill_profile_client.h"
 #include "chromeos/dbus/shill_service_client.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/network_handler_callbacks.h"
+#include "chromeos/network/network_profile.h"
+#include "chromeos/network/network_profile_handler.h"
 #include "chromeos/network/network_state.h"
 #include "chromeos/network/network_state_handler.h"
 #include "chromeos/network/network_ui_data.h"
 #include "chromeos/network/onc/onc_constants.h"
 #include "chromeos/network/onc/onc_merger.h"
 #include "chromeos/network/onc/onc_signature.h"
 #include "chromeos/network/onc/onc_translator.h"
 #include "chromeos/network/onc/onc_utils.h"
 #include "chromeos/network/onc/onc_validator.h"
 #include "dbus/object_path.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 namespace chromeos {
 
+struct ManagedNetworkConfigurationHandler::Policies {
+  typedef std::map<std::string, const base::DictionaryValue*> Map;
+
+  ~Policies() {
+    STLDeleteValues(&map);
+  }
+
+  const base::DictionaryValue* GetByGUID(const std::string& guid) const {
+    Map::const_iterator it = map.find(guid);
+    if (it == map.end())
+      return NULL;
+    return it->second;
+  }
+
+  // Objects of this struct own the map entries (policies).
+  Map map;
+};

[stevenjb, 2013/04/26 21:00:49]

This seems unnecessary and confusing. Why not just make GetByGUID a private
method and Map a typedef/member of of ManagedNetworkConfiguarionHandler ?

[pneubeck (no reviews), 2013/04/29 18:05:51]

Seems that I was overprotective against copies of the nested maps and ignorant
about the actual implementation of std::map.

Changing to map<string, map<string, dictionaryvalue*>>.

+
 namespace {
 
 ManagedNetworkConfigurationHandler* g_configuration_handler_instance = NULL;
 
 const char kLogModule[] = "ManagedNetworkConfigurationHandler";
 
 // These are error strings used for error callbacks. None of these error
 // messages are user-facing: they should only appear in logs.
 const char kInvalidUserSettingsMessage[] = "User settings are invalid.";
 const char kInvalidUserSettings[] = "Error.InvalidUserSettings";
 const char kNetworkAlreadyConfiguredMessage[] =
     "Network is already configured.";
 const char kNetworkAlreadyConfigured[] = "Error.NetworkAlreadyConfigured";
 const char kPoliciesNotInitializedMessage[] = "Policies not initialized.";
 const char kPoliciesNotInitialized[] = "Error.PoliciesNotInitialized";
+const char kProfileNotInitializedMessage[] = "Profile not initialized.";
+const char kProfileNotInitialized[] = "Error.ProflieNotInitialized";
 const char kServicePath[] = "servicePath";
 const char kSetOnUnconfiguredNetworkMessage[] =
     "Unable to modify properties of an unconfigured network.";
 const char kSetOnUnconfiguredNetwork[] = "Error.SetCalledOnUnconfiguredNetwork";
 const char kUIDataErrorMessage[] = "UI data contains errors.";
 const char kUIDataError[] = "Error.UIData";
+const char kUnknownProfilePathMessage[] = "Profile path is unknown.";
+const char kUnknownProfilePath[] = "Error.UnknownProfilePath";
 const char kUnknownServicePathMessage[] = "Service path is unknown.";
 const char kUnknownServicePath[] = "Error.UnknownServicePath";
 
-enum ProfileType {
-  PROFILE_NONE,    // Not in any profile.
-  PROFILE_SHARED,  // In the shared profile, shared by all users on device.
-  PROFILE_USER     // In the user profile, not visible to other users.
-};
-
-const char kSharedProfilePath[] = "/profile/default";
-const char kUserProfilePath[] = "/profile/chronos/shill";
-
 // This fake credential contains a random postfix which is extremly unlikely to
 // be used by any user.
 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
 
+std::string PolicySource(onc::ONCSource source,
+                         const std::string& userhash) {
+  return source == onc::ONC_SOURCE_USER_POLICY ?
+      ("user policy of " + userhash) : "device policy";
+}

[stevenjb, 2013/04/26 21:00:49]

Is this only for logging? If so, name it appropriately, otherwise we need to
localize it.

[pneubeck (no reviews), 2013/04/29 18:05:51]

Done.

+
 void RunErrorCallback(const std::string& service_path,
                       const std::string& error_name,
                       const std::string& error_message,
                       const network_handler::ErrorCallback& error_callback) {
   network_event_log::AddEntry(kLogModule, error_name, error_message);
   error_callback.Run(
       error_name,
       make_scoped_ptr(
           network_handler::CreateErrorData(service_path,
                                            error_name,
@@ skipping 87 matching lines @@
       // value to overwrite whatever is stored in Shill.
     }
   }
 }
 
 // Creates a Shill property dictionary from the given arguments. The resulting
 // dictionary will be sent to Shill by the caller. Depending on the profile
 // path, |policy| is interpreted as the user or device policy and |settings| as
 // the user or shared settings.
 scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
-    const std::string& profile_path,
+    const NetworkProfile& profile,
     const std::string& guid,
     const base::DictionaryValue* policy,
     const base::DictionaryValue* settings) {
   scoped_ptr<base::DictionaryValue> effective;
-
   onc::ONCSource onc_source;
   if (policy) {
-    if (profile_path == kSharedProfilePath) {
-      effective = onc::MergeSettingsAndPoliciesToEffective(
-          NULL,  // no user policy
-          policy,  // device policy
-          NULL,  // no user settings
-          settings);  // shared settings
-      onc_source = onc::ONC_SOURCE_DEVICE_POLICY;
-    } else {
-      effective = onc::MergeSettingsAndPoliciesToEffective(
-          policy,  // user policy
-          NULL,  // no device policy
-          settings,  // user settings
-          NULL);  // no shared settings
-      onc_source = onc::ONC_SOURCE_USER_POLICY;
+    switch (profile.type()) {
+      case NetworkProfile::TYPE_SHARED: {
+        effective = onc::MergeSettingsAndPoliciesToEffective(
+            NULL,  // no user policy
+            policy,  // device policy
+            NULL,  // no user settings
+            settings);  // shared settings
+        onc_source = onc::ONC_SOURCE_DEVICE_POLICY;
+        break;
+      }
+      case NetworkProfile::TYPE_USER: {
+        effective = onc::MergeSettingsAndPoliciesToEffective(
+            policy,  // user policy
+            NULL,  // no device policy
+            settings,  // user settings
+            NULL);  // no shared settings
+        onc_source = onc::ONC_SOURCE_USER_POLICY;
+        break;
+      }

[stevenjb, 2013/04/26 21:00:49]

nit: I tend to prefer if() over case for complex code like this. It doesn't seem
like the kind of thing where a type might get added and a compiler warning would
prevent a bug; adding an 'else NOTREACHED()' would be sufficient.

[pneubeck (no reviews), 2013/04/29 18:05:51]

Done.

     }
   } else if (settings) {
     effective.reset(settings->DeepCopy());
     // TODO(pneubeck): change to source ONC_SOURCE_USER
     onc_source = onc::ONC_SOURCE_NONE;
   } else {
     NOTREACHED();
     onc_source = onc::ONC_SOURCE_NONE;
   }
 
   RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
                         effective.get());
 
   effective->SetStringWithoutPathExpansion(onc::network_config::kGUID, guid);
 
   scoped_ptr<base::DictionaryValue> shill_dictionary(
       onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
                                      *effective));
 
   shill_dictionary->SetStringWithoutPathExpansion(flimflam::kProfileProperty,
-                                                  profile_path);
+                                                  profile.path);
 
   scoped_ptr<NetworkUIData> ui_data;
   if (policy)
     ui_data = CreateUIDataFromONC(onc_source, *policy);
   else
     ui_data.reset(new NetworkUIData());
 
   if (settings) {
     // Shill doesn't know that sensitive data is contained in the UIData
     // property and might write it into logs or other insecure places. Thus, we
@@ skipping 38 matching lines @@
   policy.GetStringWithoutPathExpansion(onc::wifi::kSSID, &policy_ssid);
   std::string network_ssid;
   onc_network_part.GetStringWithoutPathExpansion(onc::wifi::kSSID,
                                                  &network_ssid);
   return (policy_ssid == network_ssid);
 }
 
 // Returns the policy of |policies| matching |onc_network_part|, if any
 // exists. Returns NULL otherwise.
 const base::DictionaryValue* FindMatchingPolicy(
-    const ManagedNetworkConfigurationHandler::PolicyMap &policies,
+    const ManagedNetworkConfigurationHandler::Policies &policies,
     const base::DictionaryValue& onc_network_part) {
-  for (ManagedNetworkConfigurationHandler::PolicyMap::const_iterator it =
-           policies.begin(); it != policies.end(); ++it) {
+  for (ManagedNetworkConfigurationHandler::Policies::Map::const_iterator it =
+           policies.map.begin(); it != policies.map.end(); ++it) {
     if (IsPolicyMatching(*it->second, onc_network_part))
       return it->second;
   }
   return NULL;
 }
 
 void TranslatePropertiesToOncAndRunCallback(
     const network_handler::DictionaryResultCallback& callback,
     const std::string& service_path,
     const base::DictionaryValue& shill_properties) {
   scoped_ptr<base::DictionaryValue> onc_network(
       onc::TranslateShillServiceToONCPart(
           shill_properties,
           &onc::kNetworkWithStateSignature));
   callback.Run(service_path, *onc_network);
 }
 
 }  // namespace
 
 // static
-void ManagedNetworkConfigurationHandler::Initialize() {
+void ManagedNetworkConfigurationHandler::Initialize(
+    NetworkProfileHandler* profile_handler) {
   CHECK(!g_configuration_handler_instance);
-  g_configuration_handler_instance = new ManagedNetworkConfigurationHandler;
+  g_configuration_handler_instance =
+      new ManagedNetworkConfigurationHandler(profile_handler);
 }
 
 // static
 bool ManagedNetworkConfigurationHandler::IsInitialized() {
   return g_configuration_handler_instance;
 }
 
 // static
 void ManagedNetworkConfigurationHandler::Shutdown() {
   CHECK(g_configuration_handler_instance);
   delete g_configuration_handler_instance;
   g_configuration_handler_instance = NULL;
 }
 
 // static
 ManagedNetworkConfigurationHandler* ManagedNetworkConfigurationHandler::Get() {
   CHECK(g_configuration_handler_instance);
   return g_configuration_handler_instance;
 }
 
 void ManagedNetworkConfigurationHandler::GetManagedProperties(
+    const std::string& userhash,
     const std::string& service_path,
     const network_handler::DictionaryResultCallback& callback,
     const network_handler::ErrorCallback& error_callback) {
-  if (!user_policies_initialized_ || !device_policies_initialized_) {
+  if (!GetPoliciesForUser(userhash) || !GetPoliciesForUser(std::string())) {
     RunErrorCallback(service_path,
                      kPoliciesNotInitialized,
                      kPoliciesNotInitializedMessage,
                      error_callback);
     return;
   }
   NetworkConfigurationHandler::Get()->GetProperties(
       service_path,
       base::Bind(
           &ManagedNetworkConfigurationHandler::GetManagedPropertiesCallback,
           weak_ptr_factory_.GetWeakPtr(),
           callback,
           error_callback),
       error_callback);
 }
 
 void ManagedNetworkConfigurationHandler::GetManagedPropertiesCallback(
     const network_handler::DictionaryResultCallback& callback,
     const network_handler::ErrorCallback& error_callback,
     const std::string& service_path,
     const base::DictionaryValue& shill_properties) {
   std::string profile_path;
-  ProfileType profile_type = PROFILE_NONE;
-  if (shill_properties.GetStringWithoutPathExpansion(
-          flimflam::kProfileProperty, &profile_path)) {
-    if (profile_path == kSharedProfilePath)
-      profile_type = PROFILE_SHARED;
-    else if (!profile_path.empty())
-      profile_type = PROFILE_USER;
-  } else {
-    VLOG(1) << "No profile path for service " << service_path << ".";
+  shill_properties.GetStringWithoutPathExpansion(flimflam::kProfileProperty,
+                                                 &profile_path);
+  const NetworkProfile* profile =
+      profile_handler_->GetProfileForPath(profile_path);
+  if (!profile) {
+    VLOG(1) << "No or no known profile received for service "
+            << service_path << ".";
   }
 
   scoped_ptr<NetworkUIData> ui_data = GetUIData(shill_properties);
 
   const base::DictionaryValue* user_settings = NULL;
   const base::DictionaryValue* shared_settings = NULL;
 
-  if (ui_data) {
-    if (profile_type == PROFILE_SHARED)
-      shared_settings = ui_data->user_settings();
-    else if (profile_type == PROFILE_USER)
-      user_settings = ui_data->user_settings();
-  } else if (profile_type != PROFILE_NONE) {
+  if (ui_data && profile) {
+    switch (profile->type()) {
+      case NetworkProfile::TYPE_SHARED:
+        shared_settings = ui_data->user_settings();
+        break;
+      case NetworkProfile::TYPE_USER:
+        user_settings = ui_data->user_settings();
+        break;
+    }

[stevenjb, 2013/04/26 21:00:49]

nit: Again, even though it's less complex, if/else is simpler.

[pneubeck (no reviews), 2013/04/29 18:05:51]

Done.

+  } else if (profile) {
     LOG(WARNING) << "Service " << service_path << " of profile "
                  << profile_path << " contains no or no valid UIData.";
     // TODO(pneubeck): add a conversion of user configured entries of old
     // ChromeOS versions. We will have to use a heuristic to determine which
     // properties _might_ be user configured.
   }
 
   scoped_ptr<base::DictionaryValue> active_settings(
       onc::TranslateShillServiceToONCPart(
           shill_properties,
           &onc::kNetworkWithStateSignature));
 
   std::string guid;
   active_settings->GetStringWithoutPathExpansion(onc::network_config::kGUID,
                                                  &guid);
 
   const base::DictionaryValue* user_policy = NULL;
   const base::DictionaryValue* device_policy = NULL;
-  if (!guid.empty()) {
-    // We already checked that the policies were initialized. No need to do that
-    // again.
-    if (profile_type == PROFILE_SHARED)
-      device_policy = device_policies_by_guid_[guid];
-    else if (profile_type == PROFILE_USER)
-      user_policy = user_policies_by_guid_[guid];
+  if (!guid.empty() && profile) {
+    const Policies* policies = GetPoliciesForProfile(*profile);
+    if (!policies) {
+      RunErrorCallback(service_path,
+                       kPoliciesNotInitialized,
+                       kPoliciesNotInitializedMessage,
+                       error_callback);
+      return;
+    }
+    const base::DictionaryValue* policy = policies->GetByGUID(guid);
+    switch (profile->type()) {
+      case NetworkProfile::TYPE_SHARED:
+        device_policy = policy;
+        break;
+      case NetworkProfile::TYPE_USER:
+        user_policy = policy;
+        break;

[stevenjb, 2013/04/26 21:00:49]

nit: ditto

[pneubeck (no reviews), 2013/04/29 18:05:51]

Done.

+    }
   }
 
   // This call also removes credentials from policies.
   scoped_ptr<base::DictionaryValue> augmented_properties =
       onc::MergeSettingsAndPoliciesToAugmented(
           onc::kNetworkConfigurationSignature,
           user_policy,
           device_policy,
           user_settings,
           shared_settings,
@@ skipping 32 matching lines @@
     // TODO(pneubeck): create an initial configuration in this case. As for
     // CreateConfiguration, user settings from older ChromeOS versions have to
     // determined here.
     RunErrorCallback(service_path,
                      kSetOnUnconfiguredNetwork,
                      kSetOnUnconfiguredNetworkMessage,
                      error_callback);
     return;
   }
 
+  const std::string& profile_path = state->profile_path();
+  const NetworkProfile *profile =
+      profile_handler_->GetProfileForPath(profile_path);
+  if (!profile) {
+    RunErrorCallback(service_path,
+                     kUnknownProfilePath,
+                     kUnknownProfilePathMessage,
+                     error_callback);
+    return;
+  }
+
+  VLOG(2) << "SetProperties: Found GUID " << guid << " and profile "
+          << ProfileToString(profile);
+
+  const Policies* policies = GetPoliciesForProfile(*profile);
+  if (!policies) {
+    RunErrorCallback(service_path,
+                     kPoliciesNotInitialized,
+                     kPoliciesNotInitializedMessage,
+                     error_callback);
+    return;
+  }
+
   // Validate the ONC dictionary. We are liberal and ignore unknown field
   // names. User settings are only partial ONC, thus we ignore missing fields.
   onc::Validator validator(false,  // Ignore unknown fields.
                            false,  // Ignore invalid recommended field names.
                            false,  // Ignore missing fields.
                            false);  // This ONC does not comes from policy.
 
   onc::Validator::Result validation_result;
   scoped_ptr<base::DictionaryValue> validated_user_settings =
       validator.ValidateAndRepairObject(
           &onc::kNetworkConfigurationSignature,
           user_settings,
           &validation_result);
 
   if (validation_result == onc::Validator::INVALID) {
-    LOG(ERROR) << "ONC user settings are invalid and couldn't be repaired.";
     RunErrorCallback(service_path,
                      kInvalidUserSettings,
                      kInvalidUserSettingsMessage,
                      error_callback);
     return;
   }
   if (validation_result == onc::Validator::VALID_WITH_WARNINGS)
     LOG(WARNING) << "Validation of ONC user settings produced warnings.";
 
-  VLOG(2) << "SetProperties: Found GUID " << guid << " and profile "
-          << state->profile_path();
-
-  const PolicyMap* policies_by_guid =
-      GetPoliciesForProfile(state->profile_path());
-
-  if (!policies_by_guid) {
-    RunErrorCallback(service_path,
-                     kPoliciesNotInitialized,
-                     kPoliciesNotInitializedMessage,
-                     error_callback);
-    return;
-  }
-
-  const base::DictionaryValue* policy = NULL;
-  PolicyMap::const_iterator it = policies_by_guid->find(guid);
-  if (it != policies_by_guid->end())
-    policy = it->second;
-
+  const base::DictionaryValue* policy = policies->GetByGUID(guid);
   VLOG(2) << "This configuration is " << (policy ? "" : "not ") << "managed.";
 
   scoped_ptr<base::DictionaryValue> shill_dictionary(
-      CreateShillConfiguration(state->profile_path(), guid, policy,
-                               &user_settings));
+      CreateShillConfiguration(*profile, guid, policy, &user_settings));
 
   NetworkConfigurationHandler::Get()->SetProperties(service_path,
                                                     *shill_dictionary,
                                                     callback,
                                                     error_callback);
 }
 
 void ManagedNetworkConfigurationHandler::Connect(
     const std::string& service_path,
     const base::Closure& callback,
     const network_handler::ErrorCallback& error_callback) const {
   NetworkConfigurationHandler::Get()->Connect(service_path,
                                               callback,
                                               error_callback);
 }
 
 void ManagedNetworkConfigurationHandler::Disconnect(
     const std::string& service_path,
     const base::Closure& callback,
     const network_handler::ErrorCallback& error_callback) const {
   NetworkConfigurationHandler::Get()->Disconnect(service_path,
                                                  callback,
                                                  error_callback);
 }
 
 void ManagedNetworkConfigurationHandler::CreateConfiguration(
+    const std::string& userhash,
     const base::DictionaryValue& properties,
     const network_handler::StringResultCallback& callback,
     const network_handler::ErrorCallback& error_callback) const {
-  std::string profile_path = kUserProfilePath;
-  const PolicyMap* policies_by_guid = GetPoliciesForProfile(profile_path);
-
-  if (!policies_by_guid) {
+  const Policies* policies = GetPoliciesForUser(userhash);
+  if (!policies) {
     RunErrorCallback("",
                      kPoliciesNotInitialized,
                      kPoliciesNotInitializedMessage,
                      error_callback);
     return;
   }
 
-  if (FindMatchingPolicy(*policies_by_guid, properties)) {
+  if (FindMatchingPolicy(*policies, properties)) {
     RunErrorCallback("",
                      kNetworkAlreadyConfigured,
                      kNetworkAlreadyConfiguredMessage,
                      error_callback);
   }
 
+  const NetworkProfile* profile =
+      profile_handler_->GetProfileForUserhash(userhash);
+  if (!profile) {
+    RunErrorCallback("",
+                     kProfileNotInitialized,
+                     kProfileNotInitializedMessage,
+                     error_callback);
+  }
+
   // TODO(pneubeck): In case of WiFi, check that no other configuration for the
   // same {SSID, mode, security} exists. We don't support such multiple
   // configurations, yet.
 
   // Generate a new GUID for this configuration. Ignore the maybe provided GUID
   // in |properties| as it is not our own and from an untrusted source.
   std::string guid = base::GenerateGUID();
-
   scoped_ptr<base::DictionaryValue> shill_dictionary(
-      CreateShillConfiguration(profile_path, guid, NULL /*no policy*/,
+      CreateShillConfiguration(*profile, guid, NULL /*no policy*/,
                                &properties));
 
   NetworkConfigurationHandler::Get()->CreateConfiguration(*shill_dictionary,
                                                           callback,
                                                           error_callback);
 }
 
 void ManagedNetworkConfigurationHandler::RemoveConfiguration(
     const std::string& service_path,
     const base::Closure& callback,
     const network_handler::ErrorCallback& error_callback) const {
   NetworkConfigurationHandler::Get()->RemoveConfiguration(service_path,
                                                           callback,
                                                           error_callback);
 }
 
 // This class compares (entry point is Run()) |modified_policies| with the
 // existing entries in the provided Shill profile |profile|. It fetches all
 // entries in parallel (GetProfileProperties), compares each entry with the
 // current policies (GetEntry) and adds all missing policies
 // (~PolicyApplicator).
 class ManagedNetworkConfigurationHandler::PolicyApplicator
     : public base::RefCounted<PolicyApplicator> {
  public:
-  typedef ManagedNetworkConfigurationHandler::PolicyMap PolicyMap;
+  typedef ManagedNetworkConfigurationHandler::Policies Policies;
 
   // |modified_policies| must not be NULL and will be empty afterwards.
   PolicyApplicator(base::WeakPtr<ManagedNetworkConfigurationHandler> handler,
-                   const std::string& profile,
+                   const NetworkProfile& profile,
                    std::set<std::string>* modified_policies)
       : handler_(handler),
-        profile_path_(profile) {
+        profile_(profile) {
     remaining_policies_.swap(*modified_policies);
   }
 
   void Run() {
     DBusThreadManager::Get()->GetShillProfileClient()->GetProperties(
-        dbus::ObjectPath(profile_path_),
+        dbus::ObjectPath(profile_.path),
         base::Bind(&PolicyApplicator::GetProfileProperties, this),
         base::Bind(&LogErrorMessage, FROM_HERE));
   }
 
  private:
   friend class base::RefCounted<PolicyApplicator>;
 
   void GetProfileProperties(const base::DictionaryValue& profile_properties) {
     if (!handler_) {
       LOG(WARNING) << "Handler destructed during policy application to profile "
-                   << profile_path_;
+                   << ProfileToString(&profile_);
       return;
     }
 
-    VLOG(2) << "Received properties for profile " << profile_path_;
+    VLOG(2) << "Received properties for profile " << ProfileToString(&profile_);
     const base::ListValue* entries = NULL;
     if (!profile_properties.GetListWithoutPathExpansion(
             flimflam::kEntriesProperty, &entries)) {
-      LOG(ERROR) << "Profile " << profile_path_
+      LOG(ERROR) << "Profile " << ProfileToString(&profile_)
                  << " doesn't contain the property "
                  << flimflam::kEntriesProperty;
       return;
     }
 
     for (base::ListValue::const_iterator it = entries->begin();
          it != entries->end(); ++it) {
       std::string entry;
       (*it)->GetAsString(&entry);
 
       std::ostringstream entry_failure;
       DBusThreadManager::Get()->GetShillProfileClient()->GetEntry(
-        dbus::ObjectPath(profile_path_),
-        entry,
-        base::Bind(&PolicyApplicator::GetEntry, this, entry),
-        base::Bind(&LogErrorMessage, FROM_HERE));
+          dbus::ObjectPath(profile_.path),
+          entry,
+          base::Bind(&PolicyApplicator::GetEntry, this, entry),
+          base::Bind(&LogErrorMessage, FROM_HERE));
     }
   }
 
   void GetEntry(const std::string& entry,
                 const base::DictionaryValue& entry_properties) {
     if (!handler_) {
       LOG(WARNING) << "Handler destructed during policy application to profile "
-                   << profile_path_;
+                   << ProfileToString(&profile_);
       return;
     }
 
     VLOG(2) << "Received properties for entry " << entry << " of profile "
-            << profile_path_;
+            << ProfileToString(&profile_);
 
     scoped_ptr<base::DictionaryValue> onc_part(
         onc::TranslateShillServiceToONCPart(
             entry_properties,
             &onc::kNetworkWithStateSignature));
 
     std::string old_guid;
     if (!onc_part->GetStringWithoutPathExpansion(onc::network_config::kGUID,
                                                  &old_guid)) {
-      LOG(WARNING) << "Entry " << entry << " of profile " << profile_path_
-                   << " doesn't contain a GUID.";
+      LOG(WARNING) << "Entry " << entry << " of profile "
+                   << ProfileToString(&profile_) << " doesn't contain a GUID.";
       // This might be an entry of an older ChromeOS version. Assume it to be
       // unmanaged.
       return;
     }
 
     scoped_ptr<NetworkUIData> ui_data = GetUIData(entry_properties);
     if (!ui_data) {
-      VLOG(1) << "Entry " << entry << " of profile " << profile_path_
+      VLOG(1) << "Entry " << entry << " of profile "
+              << ProfileToString(&profile_)
               << " contains no or no valid UIData.";
       // This might be an entry of an older ChromeOS version. Assume it to be
       // unmanaged.
       return;
     }
 
     bool was_managed =
         (ui_data->onc_source() == onc::ONC_SOURCE_DEVICE_POLICY ||
          ui_data->onc_source() == onc::ONC_SOURCE_USER_POLICY);
 
     // The relevant policy must have been initialized, otherwise we hadn't Run
     // this PolicyApplicator.
-    const PolicyMap& policies_by_guid =
-        *handler_->GetPoliciesForProfile(profile_path_);
+    const Policies& policies = *handler_->GetPoliciesForProfile(profile_);
 
     const base::DictionaryValue* new_policy = NULL;
     if (was_managed) {
       // If we have a GUID that might match a current policy, do a lookup using
       // that GUID at first. In particular this is necessary, as some networks
       // can't be matched to policies by properties (e.g. VPN).
-      PolicyMap::const_iterator it = policies_by_guid.find(old_guid);
-      if (it != policies_by_guid.end())
-        new_policy = it->second;
+      new_policy = policies.GetByGUID(old_guid);
     }
 
     if (!new_policy) {
       // If we didn't find a policy by GUID, still a new policy might match.
-      new_policy = FindMatchingPolicy(policies_by_guid, *onc_part);
+      new_policy = FindMatchingPolicy(policies, *onc_part);
     }
 
     if (new_policy) {
       std::string new_guid;
       new_policy->GetStringWithoutPathExpansion(onc::network_config::kGUID,
                                                 &new_guid);
 
       VLOG_IF(1, was_managed && old_guid != new_guid)
           << "Updating configuration previously managed by policy " << old_guid
           << " with new policy " << new_guid << ".";
       VLOG_IF(1, !was_managed)
           << "Applying policy " << new_guid << " to previously unmanaged "
           << "configuration.";
 
       if (old_guid == new_guid &&
           remaining_policies_.find(new_guid) == remaining_policies_.end()) {
         VLOG(1) << "Not updating existing managed configuration with guid "
                 << new_guid << " because the policy didn't change.";
       } else {
         VLOG_IF(1, old_guid == new_guid)
             << "Updating previously managed configuration with the updated "
             << "policy " << new_guid << ".";
 
         // Update the existing configuration with the maybe changed
         // policy. Thereby the GUID might change.
         scoped_ptr<base::DictionaryValue> shill_dictionary =
-            CreateShillConfiguration(profile_path_, new_guid, new_policy,
+            CreateShillConfiguration(profile_, new_guid, new_policy,
                                      ui_data->user_settings());
         NetworkConfigurationHandler::Get()->CreateConfiguration(
             *shill_dictionary,
             base::Bind(&IgnoreString),
             base::Bind(&LogErrorWithDict, FROM_HERE));
         remaining_policies_.erase(new_guid);
       }
     } else if (was_managed) {
       VLOG(1) << "Removing configuration previously managed by policy "
               << old_guid << ", because the policy was removed.";
 
       // Remove the entry, because the network was managed but isn't anymore.
       // Note: An alternative might be to preserve the user settings, but it's
       // unclear which values originating the policy should be removed.
       DeleteEntry(entry);
     } else {
       VLOG(2) << "Ignore unmanaged entry.";
 
       // The entry wasn't managed and doesn't match any current policy. Thus
       // leave it as it is.
     }
   }
 
   void DeleteEntry(const std::string& entry) {
     DBusThreadManager::Get()->GetShillProfileClient()->DeleteEntry(
-        dbus::ObjectPath(profile_path_),
+        dbus::ObjectPath(profile_.path),
         entry,
         base::Bind(&base::DoNothing),
         base::Bind(&LogErrorMessage, FROM_HERE));
   }
 
   virtual ~PolicyApplicator() {
+    if (!handler_) {
+      LOG(WARNING) << "Handler destructed during policy application to profile "
+                   << ProfileToString(&profile_);
+      return;
+    }
+
     if (remaining_policies_.empty())
       return;
 
     VLOG(2) << "Create new managed network configurations in profile"
-            << profile_path_ << ".";
+            << ProfileToString(&profile_) << ".";
     // All profile entries were compared to policies. |configureGUIDs_| contains
     // all matched policies. From the remainder of policies, new configurations
     // have to be created.
 
     // The relevant policy must have been initialized, otherwise we hadn't Run
     // this PolicyApplicator.
-    const PolicyMap& policies_by_guid =
-        *handler_->GetPoliciesForProfile(profile_path_);
+    const Policies& policies = *handler_->GetPoliciesForProfile(profile_);
 
     for (std::set<std::string>::iterator it = remaining_policies_.begin();
          it != remaining_policies_.end(); ++it) {
-      PolicyMap::const_iterator policy_it = policies_by_guid.find(*it);
-      if (policy_it == policies_by_guid.end()) {
+      const base::DictionaryValue* policy = policies.GetByGUID(*it);
+      if (!policy) {
         LOG(ERROR) << "Policy " << *it << " doesn't exist anymore.";
         continue;
       }
 
-      const base::DictionaryValue* policy = policy_it->second;
-
       VLOG(1) << "Creating new configuration managed by policy " << *it
-              << " in profile " << profile_path_ << ".";
+              << " in profile " << ProfileToString(&profile_) << ".";
 
       scoped_ptr<base::DictionaryValue> shill_dictionary =
-          CreateShillConfiguration(profile_path_, *it, policy, NULL);
+          CreateShillConfiguration(profile_, *it, policy,
+                                   NULL /* no user settings */);
       NetworkConfigurationHandler::Get()->CreateConfiguration(
           *shill_dictionary,
           base::Bind(&IgnoreString),
           base::Bind(&LogErrorWithDict, FROM_HERE));
     }
   }
 
   std::set<std::string> remaining_policies_;
   base::WeakPtr<ManagedNetworkConfigurationHandler> handler_;
-  std::string profile_path_;
+  NetworkProfile profile_;
 
   DISALLOW_COPY_AND_ASSIGN(PolicyApplicator);
 };
 
 void ManagedNetworkConfigurationHandler::SetPolicy(
     onc::ONCSource onc_source,
+    const std::string& userhash,
     const base::ListValue& network_configs_onc) {
-  VLOG(1) << "Setting policies for ONC source "
-          << onc::GetSourceAsString(onc_source) << ".";
+  VLOG(1) << "Setting policies from " << PolicySource(onc_source, userhash)
+          << ".";
 
-  PolicyMap* policies;
-  std::string profile;
-  if (onc_source == chromeos::onc::ONC_SOURCE_USER_POLICY) {
-    policies = &user_policies_by_guid_;
-    profile = kUserProfilePath;
-    user_policies_initialized_ = true;
-  } else {
-    policies = &device_policies_by_guid_;
-    profile = kSharedProfilePath;
-    device_policies_initialized_ = true;
-  }
+  // |userhash| must be empty for device policies.
+  DCHECK(onc_source != chromeos::onc::ONC_SOURCE_DEVICE_POLICY ||
+         userhash.empty());
+  Policies*& policies = policies_by_user_[userhash];
+  if (!policies)
+    policies = new Policies;
 
-  PolicyMap old_policies;
-  policies->swap(old_policies);
+  Policies::Map old_policies;
+  policies->map.swap(old_policies);
 
   // This stores all GUIDs of policies that have changed or are new.
   std::set<std::string> modified_policies;
 
   for (base::ListValue::const_iterator it = network_configs_onc.begin();
        it != network_configs_onc.end(); ++it) {
     const base::DictionaryValue* network = NULL;
     (*it)->GetAsDictionary(&network);
     DCHECK(network);
 
     std::string guid;
     network->GetStringWithoutPathExpansion(onc::network_config::kGUID, &guid);
     DCHECK(!guid.empty());
 
-    if (policies->count(guid) > 0) {
-      LOG(ERROR) << "ONC from " << onc::GetSourceAsString(onc_source)
+    if (policies->map.count(guid) > 0) {
+      LOG(ERROR) << "ONC from " << PolicySource(onc_source, userhash)
                  << " contains several entries for the same GUID "
                  << guid << ".";
-      delete (*policies)[guid];
+      delete policies->map[guid];
     }
     const base::DictionaryValue* new_entry = network->DeepCopy();
-    (*policies)[guid] = new_entry;
+    policies->map[guid] = new_entry;
 
     const base::DictionaryValue* old_entry = old_policies[guid];
     if (!old_entry || !old_entry->Equals(new_entry))
       modified_policies.insert(guid);
   }
 
   STLDeleteValues(&old_policies);
 
+  const NetworkProfile* profile =
+      profile_handler_->GetProfileForUserhash(userhash);
+  if (!profile) {
+    VLOG(1) << "The relevant Shill profile isn't initialized yet, postponing "
+            << "policy application.";
+    return;
+  }
+
+  scoped_refptr<PolicyApplicator> applicator = new PolicyApplicator(
+      weak_ptr_factory_.GetWeakPtr(),
+      *profile,
+      &modified_policies);
+  applicator->Run();
+}
+
+void ManagedNetworkConfigurationHandler::OnProfileAdded(
+    const NetworkProfile& profile) {
+  VLOG(1) << "Adding profile " << ProfileToString(&profile) << "'.";
+
+  const Policies* policies = GetPoliciesForProfile(profile);
+  if (!policies) {
+    VLOG(1) << "The relevant policy is not initialized, "
+            << "postponing policy application.";
+    return;
+  }
+
+  std::set<std::string> policy_guids;
+  for (Policies::Map::const_iterator it = policies->map.begin();
+       it != policies->map.end(); ++it) {
+    policy_guids.insert(it->first);
+  }
+
   scoped_refptr<PolicyApplicator> applicator = new PolicyApplicator(
       weak_ptr_factory_.GetWeakPtr(),
       profile,
-      &modified_policies);
+      &policy_guids);
   applicator->Run();
 }
 
-const ManagedNetworkConfigurationHandler::PolicyMap*
-ManagedNetworkConfigurationHandler::GetPoliciesForProfile(
-    const std::string& profile) const {
-  if (profile == kSharedProfilePath) {
-    if (device_policies_initialized_)
-      return &device_policies_by_guid_;
-  } else if (user_policies_initialized_) {
-    return &user_policies_by_guid_;
-  }
-  return NULL;
+void ManagedNetworkConfigurationHandler::OnProfileRemoved(
+    const NetworkProfile& profile) {
+  // Nothing to do in this case.
 }
 
-ManagedNetworkConfigurationHandler::ManagedNetworkConfigurationHandler()
-    : user_policies_initialized_(false),
-      device_policies_initialized_(false),
+const ManagedNetworkConfigurationHandler::Policies*
+ManagedNetworkConfigurationHandler::GetPoliciesForUser(
+    const std::string& userhash) const {
+  UserToPolicies::const_iterator it = policies_by_user_.find(userhash);
+  if (it == policies_by_user_.end())
+    return NULL;
+  return it->second;
+}
+
+const ManagedNetworkConfigurationHandler::Policies*
+ManagedNetworkConfigurationHandler::GetPoliciesForProfile(
+    const NetworkProfile& profile) const {
+  DCHECK(profile.type() != NetworkProfile::TYPE_SHARED ||
+         profile.userhash.empty());
+  return GetPoliciesForUser(profile.userhash);
+}
+
+ManagedNetworkConfigurationHandler::ManagedNetworkConfigurationHandler(
+    NetworkProfileHandler* profile_handler)
+    : profile_handler_(profile_handler),
       weak_ptr_factory_(this) {
+  profile_handler_->AddObserver(this);
 }
 
 ManagedNetworkConfigurationHandler::~ManagedNetworkConfigurationHandler() {
-  STLDeleteValues(&user_policies_by_guid_);
-  STLDeleteValues(&device_policies_by_guid_);
+  profile_handler_->RemoveObserver(this);
+  STLDeleteValues(&policies_by_user_);
 }
 
 }  // namespace chromeos