Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(211)

Unified Diff: chromeos/network/onc/onc_utils.cc

Issue 14192017: Extract certificate policy application from NetworkLibrary. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Rebased. Created 7 years, 8 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « chromeos/network/onc/onc_utils.h ('k') | chromeos/network/onc/onc_validator_unittest.cc » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: chromeos/network/onc/onc_utils.cc
diff --git a/chromeos/network/onc/onc_utils.cc b/chromeos/network/onc/onc_utils.cc
index c14a2a08990a080e540c79aecce03616303f39fa..1b31c9d96713997201289d4797273c2b7c0e0b3c 100644
--- a/chromeos/network/onc/onc_utils.cc
+++ b/chromeos/network/onc/onc_utils.cc
@@ -7,11 +7,14 @@
#include "base/base64.h"
#include "base/json/json_reader.h"
#include "base/logging.h"
+#include "base/metrics/histogram.h"
#include "base/string_util.h"
#include "base/values.h"
#include "chromeos/network/network_event_log.h"
#include "chromeos/network/onc/onc_mapper.h"
#include "chromeos/network/onc/onc_signature.h"
+#include "chromeos/network/onc/onc_utils.h"
+#include "chromeos/network/onc/onc_validator.h"
#include "crypto/encryptor.h"
#include "crypto/hmac.h"
#include "crypto/symmetric_key.h"
@@ -211,6 +214,8 @@ void ExpandStringsInOncObject(
const OncFieldSignature* field_signature =
GetFieldSignature(signature, it.key());
+ if (!field_signature)
+ continue;
ExpandStringsInOncObject(*field_signature->value_signature,
substitution, inner_object);
@@ -255,12 +260,93 @@ class OncMaskValues : public onc::Mapper {
} // namespace
-CHROMEOS_EXPORT scoped_ptr<base::DictionaryValue> MaskCredentialsInOncObject(
+scoped_ptr<base::DictionaryValue> MaskCredentialsInOncObject(
const onc::OncValueSignature& signature,
const base::DictionaryValue& onc_object,
const std::string& mask) {
return OncMaskValues::Mask(signature, onc_object, mask);
}
+bool ParseAndValidateOncForImport(
+ const std::string& onc_blob,
+ chromeos::onc::ONCSource onc_source,
+ const std::string& passphrase,
+ base::ListValue* network_configs,
+ base::ListValue* certificates) {
+ certificates->Clear();
+ network_configs->Clear();
+ if (onc_blob.empty())
+ return true;
+
+ scoped_ptr<base::DictionaryValue> toplevel_onc =
+ onc::ReadDictionaryFromJson(onc_blob);
+ if (toplevel_onc.get() == NULL) {
+ LOG(ERROR) << "ONC loaded from " << onc::GetSourceAsString(onc_source)
+ << " is not a valid JSON dictionary.";
+ return false;
+ }
+
+ // Check and see if this is an encrypted ONC file. If so, decrypt it.
+ std::string onc_type;
+ toplevel_onc->GetStringWithoutPathExpansion(onc::toplevel_config::kType,
+ &onc_type);
+ if (onc_type == onc::toplevel_config::kEncryptedConfiguration) {
+ toplevel_onc = onc::Decrypt(passphrase, *toplevel_onc);
+ if (toplevel_onc.get() == NULL) {
+ LOG(ERROR) << "Couldn't decrypt the ONC from "
+ << onc::GetSourceAsString(onc_source);
+ return false;
+ }
+ }
+
+ bool from_policy = (onc_source == onc::ONC_SOURCE_USER_POLICY ||
+ onc_source == onc::ONC_SOURCE_DEVICE_POLICY);
+
+ // Validate the ONC dictionary. We are liberal and ignore unknown field
+ // names and ignore invalid field names in kRecommended arrays.
+ onc::Validator validator(false, // Ignore unknown fields.
+ false, // Ignore invalid recommended field names.
+ true, // Fail on missing fields.
+ from_policy);
+ validator.SetOncSource(onc_source);
+
+ onc::Validator::Result validation_result;
+ toplevel_onc = validator.ValidateAndRepairObject(
+ &onc::kToplevelConfigurationSignature,
+ *toplevel_onc,
+ &validation_result);
+
+ if (from_policy) {
+ UMA_HISTOGRAM_BOOLEAN("Enterprise.ONC.PolicyValidation",
+ validation_result == onc::Validator::VALID);
+ }
+
+ bool success = true;
+ if (validation_result == onc::Validator::VALID_WITH_WARNINGS) {
+ LOG(WARNING) << "ONC from " << onc::GetSourceAsString(onc_source)
+ << " produced warnings.";
+ success = false;
+ } else if (validation_result == onc::Validator::INVALID ||
+ toplevel_onc == NULL) {
+ LOG(ERROR) << "ONC from " << onc::GetSourceAsString(onc_source)
+ << " is invalid and couldn't be repaired.";
+ return false;
+ }
+
+ base::ListValue* validated_certs = NULL;
+ if (toplevel_onc->GetListWithoutPathExpansion(
+ onc::toplevel_config::kCertificates, &validated_certs)) {
+ certificates->Swap(validated_certs);
+ }
+
+ base::ListValue* validated_networks = NULL;
+ if (toplevel_onc->GetListWithoutPathExpansion(
+ onc::toplevel_config::kNetworkConfigurations, &validated_networks)) {
+ network_configs->Swap(validated_networks);
+ }
+
+ return success;
+}
+
} // namespace onc
} // namespace chromeos
« no previous file with comments | « chromeos/network/onc/onc_utils.h ('k') | chromeos/network/onc/onc_validator_unittest.cc » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698