Execute ClientCertResolver on network disconnection.

chromeos/network/client_cert_resolver.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/client_cert_resolver.h"
 
 #include <cert.h>
 #include <certt.h>  // for (SECCertUsageEnum) certUsageAnyCA
 #include <pk11pub.h>
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
 #include "base/stl_util.h"
 #include "base/task_runner.h"
 #include "base/threading/worker_pool.h"
+#include "base/time/clock.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_service_client.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
 #include "chromeos/network/network_state.h"
 #include "components/onc/onc_constants.h"
 #include "dbus/object_path.h"
 #include "net/cert/scoped_nss_types.h"
 #include "net/cert/x509_certificate.h"
 
 namespace chromeos {
@@ skipping 26 matching lines @@
 namespace {
 
 // Returns true if |vector| contains |value|.
 template <class T>
 bool ContainsValue(const std::vector<T>& vector, const T& value) {
   return find(vector.begin(), vector.end(), value) != vector.end();
 }
 
 // Returns true if a private key for certificate |cert| is installed.
 bool HasPrivateKey(const net::X509Certificate& cert) {
-  PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
+  PK11SlotInfo* slot =
+      PK11_KeyForCertExists(cert.os_cert_handle(), nullptr, nullptr);
   if (!slot)
     return false;
 
   PK11_FreeSlot(slot);
   return true;
 }
 
 // Describes a certificate which is issued by |issuer| (encoded as PEM).
 // |issuer| can be empty if no issuer certificate is found in the database.
 struct CertAndIssuer {
@@ skipping 73 matching lines @@
   std::string pem_encoded_issuer;
   if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
                                            &pem_encoded_issuer)) {
     LOG(ERROR) << "Couldn't PEM-encode certificate.";
     return std::string();
   }
   return pem_encoded_issuer;
 }
 
 std::vector<CertAndIssuer> CreateSortedCertAndIssuerList(
-    const net::CertificateList& certs) {
+    const net::CertificateList& certs,
+    base::Time now) {
   // Filter all client certs and determines each certificate's issuer, which is
   // required for the pattern matching.
   std::vector<CertAndIssuer> client_certs;
   for (net::CertificateList::const_iterator it = certs.begin();
        it != certs.end(); ++it) {
     const net::X509Certificate& cert = **it;
-    if (cert.valid_expiry().is_null() || cert.HasExpired() ||
+    if (cert.valid_expiry().is_null() || now > cert.valid_expiry() ||
         !HasPrivateKey(cert) ||
         !CertLoader::IsCertificateHardwareBacked(&cert)) {
       continue;
     }
     client_certs.push_back(CertAndIssuer(*it, GetPEMEncodedIssuer(cert)));
   }
 
   std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
   return client_certs;
 }
 
 // Searches for matches between |networks| and |certs| and writes matches to
 // |matches|. Because this calls NSS functions and is potentially slow, it must
 // be run on a worker thread.
 void FindCertificateMatches(const net::CertificateList& certs,
                             std::vector<NetworkAndCertPattern>* networks,
+                            base::Time now,
                             NetworkCertMatches* matches) {
-  std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(certs));
+  std::vector<CertAndIssuer> client_certs(
+      CreateSortedCertAndIssuerList(certs, now));
 
   for (std::vector<NetworkAndCertPattern>::const_iterator it =
            networks->begin();
        it != networks->end(); ++it) {
     std::vector<CertAndIssuer>::iterator cert_it =
         std::find_if(client_certs.begin(),
                      client_certs.end(),
                      MatchCertWithPattern(it->cert_config.pattern));
     std::string pkcs11_id;
     int slot_id = -1;
@@ skipping 34 matching lines @@
     return false;
   }
   return true;
 }
 
 }  // namespace
 
 ClientCertResolver::ClientCertResolver()
     : resolve_task_running_(false),
       network_properties_changed_(false),
-      network_state_handler_(NULL),
-      managed_network_config_handler_(NULL),
-      weak_ptr_factory_(this) {
-}
+      network_state_handler_(nullptr),
+      managed_network_config_handler_(nullptr),
+      testing_clock_(nullptr),
+      weak_ptr_factory_(this) {}
 
 ClientCertResolver::~ClientCertResolver() {
   if (network_state_handler_)
     network_state_handler_->RemoveObserver(this, FROM_HERE);
   if (CertLoader::IsInitialized())
     CertLoader::Get()->RemoveObserver(this);
   if (managed_network_config_handler_)
     managed_network_config_handler_->RemoveObserver(this);
 }
 
@@ skipping 27 matching lines @@
 bool ClientCertResolver::IsAnyResolveTaskRunning() const {
   return resolve_task_running_;
 }
 
 // static
 bool ClientCertResolver::ResolveCertificatePatternSync(
     const client_cert::ConfigType client_cert_type,
     const CertificatePattern& pattern,
     base::DictionaryValue* shill_properties) {
   // Prepare and sort the list of known client certs.
-  std::vector<CertAndIssuer> client_certs(
-      CreateSortedCertAndIssuerList(CertLoader::Get()->cert_list()));
+  std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(
+      CertLoader::Get()->cert_list(), base::Time::Now()));
 
   // Search for a certificate matching the pattern.
   std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
       client_certs.begin(), client_certs.end(), MatchCertWithPattern(pattern));
 
   if (cert_it == client_certs.end()) {
     VLOG(1) << "Couldn't find a matching client cert";
     client_cert::SetEmptyShillProperties(client_cert_type, shill_properties);
     return false;
   }
 
   int slot_id = -1;
   std::string pkcs11_id =
       CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
   if (pkcs11_id.empty()) {
     LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
     // So far this error is not expected to happen. We can just continue, in
     // the worst case the user can remove the problematic cert.
     return false;
   }
   client_cert::SetShillProperties(
       client_cert_type, slot_id, pkcs11_id, shill_properties);
   return true;
 }
 
+void ClientCertResolver::SetClockForTesting(base::Clock* clock) {
+  testing_clock_ = clock;
+}
+
 void ClientCertResolver::NetworkListChanged() {
   VLOG(2) << "NetworkListChanged.";
   if (!ClientCertificatesLoaded())
     return;
   // Configure only networks that were not configured before.
 
   // We'll drop networks from |resolved_networks_|, which are not known anymore.
   std::set<std::string> old_resolved_networks;
   old_resolved_networks.swap(resolved_networks_);
 
@@ skipping 12 matching lines @@
     if (ContainsKey(old_resolved_networks, service_path)) {
       resolved_networks_.insert(service_path);
       continue;
     }
     networks_to_check.push_back(*it);
   }
 
   ResolveNetworks(networks_to_check);
 }
 
+void ClientCertResolver::NetworkConnectionStateChanged(
+    const NetworkState* network) {
+  if (!ClientCertificatesLoaded())
+    return;
+  if (!network->IsConnectedState() && !network->IsConnectingState())
+    ResolveNetworks(NetworkStateHandler::NetworkStateList(1, network));
+}
+
 void ClientCertResolver::OnCertificatesLoaded(
     const net::CertificateList& cert_list,
     bool initial_load) {
   VLOG(2) << "OnCertificatesLoaded.";
   if (!ClientCertificatesLoaded())
     return;
   // Compare all networks with all certificates.
   NetworkStateHandler::NetworkStateList networks;
   network_state_handler_->GetNetworkListByType(
       NetworkTypePattern::Default(),
@@ skipping 82 matching lines @@
   VLOG(2) << "Start task for resolving client cert patterns.";
   base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
   if (!task_runner)
     task_runner =
         base::WorkerPool::GetTaskRunner(true /* task is slow */).get();
 
   resolve_task_running_ = true;
   NetworkCertMatches* matches = new NetworkCertMatches;
   task_runner->PostTaskAndReply(
       FROM_HERE,
-      base::Bind(&FindCertificateMatches,
-                 CertLoader::Get()->cert_list(),
-                 base::Owned(networks_to_resolve.release()),
-                 matches),
+      base::Bind(&FindCertificateMatches, CertLoader::Get()->cert_list(),
+                 base::Owned(networks_to_resolve.release()), Now(), matches),
       base::Bind(&ClientCertResolver::ConfigureCertificates,
-                 weak_ptr_factory_.GetWeakPtr(),
-                 base::Owned(matches)));
+                 weak_ptr_factory_.GetWeakPtr(), base::Owned(matches)));
 }
 
 void ClientCertResolver::ResolvePendingNetworks() {
   NetworkStateHandler::NetworkStateList networks;
   network_state_handler_->GetNetworkListByType(NetworkTypePattern::Default(),
                                                true /* configured_only */,
                                                false /* visible_only */,
                                                0 /* no limit */,
                                                &networks);
 
@@ skipping 37 matching lines @@
 
 void ClientCertResolver::NotifyResolveRequestCompleted() {
   VLOG(2) << "Notify observers: " << (network_properties_changed_ ? "" : "no ")
           << "networks changed.";
   resolve_task_running_ = false;
   const bool changed = network_properties_changed_;
   network_properties_changed_ = false;
   FOR_EACH_OBSERVER(Observer, observers_, ResolveRequestCompleted(changed));
 }
 
+base::Time ClientCertResolver::Now() const {
+  if (testing_clock_)
+    return testing_clock_->Now();
+  return base::Time::Now();
+}
+
 }  // namespace chromeos