Handle device ONC AllowOnlyPolicyNetworksToConnect

chromeos/network/network_connection_handler.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/network_connection_handler.h"
 
 #include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/single_thread_task_runner.h"
@@ skipping 97 matching lines @@
     "authentication-required";
 const char NetworkConnectionHandler::kErrorConnectFailed[] = "connect-failed";
 const char NetworkConnectionHandler::kErrorDisconnectFailed[] =
     "disconnect-failed";
 const char NetworkConnectionHandler::kErrorConfigureFailed[] =
     "configure-failed";
 const char NetworkConnectionHandler::kErrorConnectCanceled[] =
     "connect-canceled";
 const char NetworkConnectionHandler::kErrorCertLoadTimeout[] =
     "cert-load-timeout";
+const char NetworkConnectionHandler::kErrorUnmanagedNetwork[] =
+    "unmanaged-network";
 
 struct NetworkConnectionHandler::ConnectRequest {
   ConnectRequest(const std::string& service_path,
                  const std::string& profile_path,
                  const base::Closure& success,
                  const network_handler::ErrorCallback& error)
       : service_path(service_path),
         profile_path(profile_path),
         connect_state(CONNECT_REQUESTED),
         success_callback(success),
@@ skipping 150 matching lines @@
 
   // All synchronous checks passed, add |service_path| to connecting list.
   pending_requests_.insert(std::make_pair(
       service_path,
       ConnectRequest(service_path, profile_path,
                      success_callback, error_callback)));
 
   // Connect immediately to 'connectable' networks.
   // TODO(stevenjb): Shill needs to properly set Connectable for VPN.
   if (network && network->connectable() && network->type() != shill::kTypeVPN) {
+    if (IsNetworkProhibitedByPolicy(network->guid(), network->profile_path())) {
+      ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+      return;
+    }
+
     CallShillConnect(service_path);
     return;
   }
 
   // Request additional properties to check. VerifyConfiguredAndConnect will
   // use only these properties, not cached properties, to ensure that they
   // are up to date after any recent configuration.
   configuration_handler_->GetShillProperties(
       service_path,
       base::Bind(&NetworkConnectionHandler::VerifyConfiguredAndConnect,
@@ skipping 111 matching lines @@
   }
 
   std::string guid;
   service_properties.GetStringWithoutPathExpansion(shill::kGuidProperty, &guid);
   std::string profile;
   service_properties.GetStringWithoutPathExpansion(shill::kProfileProperty,
                                                    &profile);
   const base::DictionaryValue* user_policy =
       managed_configuration_handler_->FindPolicyByGuidAndProfile(guid, profile);
 
+  if (IsNetworkProhibitedByPolicy(guid, profile)) {
+    ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+    return;
+  }
+
   client_cert::ClientCertConfig cert_config_from_policy;
   if (user_policy)
     client_cert::OncToClientCertConfig(*user_policy, &cert_config_from_policy);
 
   client_cert::ConfigType client_cert_type = client_cert::CONFIG_TYPE_NONE;
   if (type == shill::kTypeVPN) {
     if (vpn_provider_type == shill::kProviderOpenVpn) {
       client_cert_type = client_cert::CONFIG_TYPE_OPENVPN;
     } else {
       // L2TP/IPSec only requires a certificate if one is specified in ONC
@@ skipping 87 matching lines @@
   // Otherwise, we probably still need to configure the network since
   // 'Connectable' is false. If |check_error_state| is true, signal an
   // error, otherwise attempt to connect to possibly gain additional error
   // state from Shill (or in case 'Connectable' is improperly unset).
   if (check_error_state)
     ErrorCallbackForPendingRequest(service_path, kErrorConfigurationRequired);
   else
     CallShillConnect(service_path);
 }
 
+bool NetworkConnectionHandler::IsNetworkProhibitedByPolicy(
+    const std::string& guid,
+    const std::string& profile_path) {
+  if (!logged_in_)
+    return false;
+  const base::DictionaryValue* global_network_config =
+      managed_configuration_handler_->GetGlobalConfigFromPolicy(
+          std::string() /* no username hash, device policy */);
+  if (!global_network_config)
+    return false;
+  bool policy_prohibites = false;
+  if (!global_network_config->GetBooleanWithoutPathExpansion(
+          ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
+          &policy_prohibites) ||
+      !policy_prohibites) {
+    return false;
+  }
+  return !managed_configuration_handler_->FindPolicyByGuidAndProfile(
+      guid, profile_path);
+}
+
 void NetworkConnectionHandler::QueueConnectRequest(
     const std::string& service_path) {
   ConnectRequest* request = GetPendingRequest(service_path);
   if (!request) {
     NET_LOG_ERROR("No pending request to queue", service_path);
     return;
   }
 
   const int kMaxCertLoadTimeSeconds = 15;
   base::TimeDelta dtime = base::TimeTicks::Now() - logged_in_time_;
@@ skipping 236 matching lines @@
 
 void NetworkConnectionHandler::HandleShillDisconnectSuccess(
     const std::string& service_path,
     const base::Closure& success_callback) {
   NET_LOG_EVENT("Disconnect Request Sent", service_path);
   if (!success_callback.is_null())
     success_callback.Run();
 }
 
 }  // namespace chromeos