Extract certificate policy application from NetworkLibrary.

chrome/browser/chromeos/cros/network_library_impl_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/network_library_impl_base.h"
 
 #include "base/bind.h"
 #include "base/json/json_writer.h"
 #include "base/memory/scoped_vector.h"
-#include "base/metrics/histogram.h"
 #include "base/stl_util.h"
 #include "base/string_util.h"
 #include "chrome/browser/chromeos/cros/network_constants.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "chrome/browser/chromeos/net/onc_utils.h"
 #include "chrome/browser/chromeos/network_login_observer.h"
 #include "chromeos/network/network_ui_data.h"
-#include "chromeos/network/onc/onc_certificate_importer.h"
 #include "chromeos/network/onc/onc_constants.h"
 #include "chromeos/network/onc/onc_normalizer.h"
 #include "chromeos/network/onc/onc_signature.h"
 #include "chromeos/network/onc/onc_translator.h"
 #include "chromeos/network/onc/onc_utils.h"
-#include "chromeos/network/onc/onc_validator.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/nss_util.h"  // crypto::GetTPMTokenInfo() for 802.1X and VPN.
 #include "third_party/cros_system_api/dbus/service_constants.h"
 
 using content::BrowserThread;
 
 namespace chromeos {
 
 namespace {
 
@@ skipping 1021 matching lines @@
     else if (placeholder == onc::substitutes::kEmailField)
       *substitute = logged_in_user->email();
     else
       return false;
     return true;
   }
 };
 
 }  // namespace
 
-bool NetworkLibraryImplBase::LoadOncNetworks(
-    const std::string& onc_blob,
-    const std::string& passphrase,
-    onc::ONCSource source,
-    net::CertificateList* onc_trusted_certificates) {
-  VLOG(2) << __func__ << ": called on " << onc_blob;
+void NetworkLibraryImplBase::LoadOncNetworks(
+    const base::ListValue& network_configs,
+    onc::ONCSource source) {
+  VLOG(2) << __func__ << ": called on " << network_configs;
   NetworkProfile* profile = NULL;
   bool from_policy = (source == onc::ONC_SOURCE_USER_POLICY ||
                       source == onc::ONC_SOURCE_DEVICE_POLICY);
 
   // Policies are applied to a specific Shill profile. User ONC import however
   // is applied to whatever profile Shill chooses. This should be the profile
   // that is already associated with a network and if no profile is associated
   // yet, it should be the user profile.
   if (from_policy) {
     profile = GetProfileForType(GetProfileTypeForSource(source));
     if (profile == NULL) {
       VLOG(2) << "Profile for ONC source " << onc::GetSourceAsString(source)
               << " doesn't exist.";
-      return true;
-    }
-  }
-
-  scoped_ptr<base::DictionaryValue> root_dict =
-      onc::ReadDictionaryFromJson(onc_blob);
-  if (root_dict.get() == NULL) {
-    LOG(ERROR) << "ONC loaded from " << onc::GetSourceAsString(source)
-               << " is not a valid JSON dictionary.";
-    return false;
-  }
-
-  // Check and see if this is an encrypted ONC file. If so, decrypt it.
-  std::string onc_type;
-  root_dict->GetStringWithoutPathExpansion(onc::toplevel_config::kType,
-                                           &onc_type);
-  if (onc_type == onc::toplevel_config::kEncryptedConfiguration) {
-    root_dict = onc::Decrypt(passphrase, *root_dict);
-    if (root_dict.get() == NULL) {
-      LOG(ERROR) << "Couldn't decrypt the ONC from "
-                 << onc::GetSourceAsString(source);
-      return false;
-    }
-  }
-
-  // Validate the ONC dictionary. We are liberal and ignore unknown field
-  // names and ignore invalid field names in kRecommended arrays.
-  onc::Validator validator(false,  // Ignore unknown fields.
-                           false,  // Ignore invalid recommended field names.
-                           true,  // Fail on missing fields.
-                           from_policy);
-  validator.SetOncSource(source);
-
-  onc::Validator::Result validation_result;
-  root_dict = validator.ValidateAndRepairObject(
-      &onc::kToplevelConfigurationSignature,
-      *root_dict,
-      &validation_result);
-
-  if (from_policy) {
-    UMA_HISTOGRAM_BOOLEAN("Enterprise.ONC.PolicyValidation",
-                          validation_result == onc::Validator::VALID);
-  }
-
-  bool success = true;
-  if (validation_result == onc::Validator::VALID_WITH_WARNINGS) {
-    LOG(WARNING) << "ONC from " << onc::GetSourceAsString(source)
-                 << " produced warnings.";
-    success = false;
-  } else if (validation_result == onc::Validator::INVALID ||
-             root_dict == NULL) {
-    LOG(ERROR) << "ONC from " << onc::GetSourceAsString(source)
-               << " is invalid and couldn't be repaired.";
-    return false;
-  }
-
-  const base::ListValue* certificates;
-  bool has_certificates =
-      root_dict->GetListWithoutPathExpansion(
-          onc::toplevel_config::kCertificates,
-          &certificates);
-
-  const base::ListValue* network_configs;
-  bool has_network_configurations = root_dict->GetListWithoutPathExpansion(
-      onc::toplevel_config::kNetworkConfigurations,
-      &network_configs);
-
-  if (has_certificates) {
-    VLOG(2) << "ONC file has " << certificates->GetSize() << " certificates";
-
-    // Web trust is only granted to certificates imported by the user.
-    bool allow_trust_imports = source == onc::ONC_SOURCE_USER_IMPORT;
-    onc::CertificateImporter cert_importer(allow_trust_imports);
-    if (cert_importer.ParseAndStoreCertificates(
-            *certificates, onc_trusted_certificates) !=
-        onc::CertificateImporter::IMPORT_OK) {
-      LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
-                 << onc::GetSourceAsString(source);
-      success = false;
+      return;
     }
   }
 
   std::set<std::string> removal_ids;
   std::set<std::string>& network_ids(network_source_map_[source]);
   network_ids.clear();
-  if (has_network_configurations) {
-    VLOG(2) << "ONC file has " << network_configs->GetSize() << " networks";
-    for (base::ListValue::const_iterator it(network_configs->begin());
-         it != network_configs->end(); ++it) {
+  if (true) {

[Joao da Silva, 2013/04/22 10:38:09]

?

[pneubeck (no reviews), 2013/04/23 18:05:25]

Done.

+    VLOG(2) << "ONC file has " << network_configs.GetSize() << " networks";
+    for (base::ListValue::const_iterator it(network_configs.begin());
+         it != network_configs.end(); ++it) {
       const base::DictionaryValue* network;
       (*it)->GetAsDictionary(&network);
 
       bool marked_for_removal = false;
       network->GetBooleanWithoutPathExpansion(onc::kRemove,
                                               &marked_for_removal);
 
       std::string type;
       network->GetStringWithoutPathExpansion(onc::network_config::kType, &type);
 
@@ skipping 88 matching lines @@
 
   if (from_policy) {
     // For policy-managed networks, go through the list of existing remembered
     // networks and clean out the ones that no longer have a definition in the
     // ONC blob. We first collect the networks and do the actual deletion later
     // because ForgetNetwork() changes the remembered network vectors.
     ForgetNetworksById(source, network_ids, false);
   } else if (source == onc::ONC_SOURCE_USER_IMPORT && !removal_ids.empty()) {
     ForgetNetworksById(source, removal_ids, true);
   }
-
-  return success;
 }
 
 ////////////////////////////////////////////////////////////////////////////
 // Testing functions.
 
 bool NetworkLibraryImplBase::SetActiveNetwork(
     ConnectionType type, const std::string& service_path) {
   Network* network = NULL;
   if (!service_path.empty())
     network = FindNetworkByPath(service_path);
@@ skipping 503 matching lines @@
   GetTpmInfo();
   return tpm_slot_;
 }
 
 const std::string& NetworkLibraryImplBase::GetTpmPin() {
   GetTpmInfo();
   return tpm_pin_;
 }
 
 }  // namespace chromeos