Handle device ONC AllowOnlyPolicyNetworksToConnect

chromeos/network/network_connection_handler.cc

Index: chromeos/network/network_connection_handler.cc
diff --git a/chromeos/network/network_connection_handler.cc b/chromeos/network/network_connection_handler.cc
index e8c49396ba43b295dd1b3b19259b8d0cb5c92a66..fca3b76383765f57d8c360c6ad49b90c16adbb89 100644
--- a/chromeos/network/network_connection_handler.cc
+++ b/chromeos/network/network_connection_handler.cc
@@ -115,6 +115,8 @@ const char NetworkConnectionHandler::kErrorConnectCanceled[] =
     "connect-canceled";
 const char NetworkConnectionHandler::kErrorCertLoadTimeout[] =
     "cert-load-timeout";
+const char NetworkConnectionHandler::kErrorUnmanagedNetwork[] =
+    "unmanaged-network";
 
 struct NetworkConnectionHandler::ConnectRequest {
   ConnectRequest(const std::string& service_path,
@@ -285,6 +287,11 @@ void NetworkConnectionHandler::ConnectToNetwork(
   // Connect immediately to 'connectable' networks.
   // TODO(stevenjb): Shill needs to properly set Connectable for VPN.
   if (network && network->connectable() && network->type() != shill::kTypeVPN) {
+    if (IsNetworkProhibitedByPolicy(network->guid(), network->profile_path())) {
+      ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+      return;
+    }
+
     CallShillConnect(service_path);
     return;
   }
@@ -416,6 +423,11 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect(
   const base::DictionaryValue* user_policy =
       managed_configuration_handler_->FindPolicyByGuidAndProfile(guid, profile);
 
+  if (IsNetworkProhibitedByPolicy(guid, profile)) {
+    ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+    return;
+  }
+
   client_cert::ClientCertConfig cert_config_from_policy;
   if (user_policy)
     client_cert::OncToClientCertConfig(*user_policy, &cert_config_from_policy);
@@ -523,6 +535,30 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect(
     CallShillConnect(service_path);
 }
 
+bool NetworkConnectionHandler::IsNetworkProhibitedByPolicy(
+    const std::string& guid,
+    const std::string& profile_path) {
+  if (!logged_in_)
+    return false;
+  const base::DictionaryValue* global_network_config =
+      managed_configuration_handler_->GetGlobalConfigFromPolicy(std::string());

[stevenjb, 2015/11/18 23:46:47]

Add comment for empty arg:
std::string() /* no username hash, device policy */

[fqj, 2015/11/18 23:55:48]

Done.

+  if (!global_network_config)
+    return false;
+  bool policy_prohibites = false;
+  if (!global_network_config->GetBooleanWithoutPathExpansion(
+          ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
+          &policy_prohibites))
+    return false;
+  if (!policy_prohibites)
+    return false;

[stevenjb, 2015/11/18 23:46:47]

nit: Combine these two ifs, use {}

[fqj, 2015/11/18 23:55:48]

Done.

+  const base::DictionaryValue* user_policy =
+      managed_configuration_handler_->FindPolicyByGuidAndProfile(guid,
+                                                                 profile_path);
+  if (user_policy)
+    return false;
+  return true;

[stevenjb, 2015/11/18 23:46:47]

return !managed_configuration_handler_->FindPolicyByGuidAndProfile(guid,
profile_path);

[fqj, 2015/11/18 23:55:48]

Done.

+}
+
 void NetworkConnectionHandler::QueueConnectRequest(
     const std::string& service_path) {
   ConnectRequest* request = GetPendingRequest(service_path);