Refactor the client certificate code in chromeos/network/.

chromeos/network/network_connection_handler.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/network_connection_handler.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/json/json_reader.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_manager_client.h"
 #include "chromeos/dbus/shill_service_client.h"
-#include "chromeos/network/certificate_pattern_matcher.h"
+#include "chromeos/network/client_cert_util.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_event_log.h"
 #include "chromeos/network/network_handler_callbacks.h"
 #include "chromeos/network/network_state.h"
 #include "chromeos/network/network_state_handler.h"
 #include "chromeos/network/network_ui_data.h"
 #include "dbus/object_path.h"
 #include "net/cert/x509_certificate.h"
 #include "third_party/cros_system_api/dbus/service_constants.h"
@@ skipping 369 matching lines @@
     }
     // VPN requires a host and username to be set.
     if (!VPNIsConfigured(
             service_path, vpn_provider_type, *provider_properties)) {
       NET_LOG_ERROR("VPN Not Configured", service_path);
       ErrorCallbackForPendingRequest(service_path, kErrorConfigurationRequired);
       return;
     }
   }
 
-  // These will be set if they need to be configured, otherwise they will
-  // be left empty and the properties will not be set.
-  std::string pkcs11_id, tpm_slot, tpm_pin;
+  client_cert::ConfigType client_cert_type = client_cert::CONFIG_TYPE_NONE;
+  if (type == flimflam::kTypeVPN) {
+      if (vpn_provider_type == flimflam::kProviderOpenVpn)
+        client_cert_type = client_cert::CONFIG_TYPE_OPENVPN;
+      else
+        client_cert_type = client_cert::CONFIG_TYPE_IPSEC;
+  } else if (type == flimflam::kTypeWifi) {
+    client_cert_type = client_cert::CONFIG_TYPE_EAP;
+  }
 
-  // Check certificate properties in kUIDataProperty if configured.
-  // Note: Wifi/VPNConfigView set these properties explicitly.
-  scoped_ptr<NetworkUIData> ui_data =
-      ManagedNetworkConfigurationHandler::GetUIData(service_properties);
-  if (ui_data && ui_data->certificate_type() == CLIENT_CERT_TYPE_PATTERN) {
-    // User must be logged in to connect to a network requiring a certificate.
-    if (!logged_in_ || !cert_loader_) {
-      ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
-      return;
+  base::DictionaryValue config_properties;
+  if (client_cert_type != client_cert::CONFIG_TYPE_NONE) {
+    // If the client certificate must be configured, this will be set to a
+    // non-empty string.
+    std::string pkcs11_id;
+
+    // Check certificate properties in kUIDataProperty if configured.
+    // Note: Wifi/VPNConfigView set these properties explicitly, in which case
+    //   only the TPM must be configured.
+    scoped_ptr<NetworkUIData> ui_data =
+        ManagedNetworkConfigurationHandler::GetUIData(service_properties);
+    if (ui_data && ui_data->certificate_type() == CLIENT_CERT_TYPE_PATTERN) {
+      // User must be logged in to connect to a network requiring a certificate.
+      if (!logged_in_ || !cert_loader_) {
+        ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
+        return;
+      }
+
+      // If certificates have not been loaded yet, queue the connect request.
+      if (!certificates_loaded_) {
+        ConnectRequest* request = pending_request(service_path);
+        DCHECK(request);
+        NET_LOG_EVENT("Connect Request Queued", service_path);
+        queued_connect_.reset(new ConnectRequest(
+            service_path, request->success_callback, request->error_callback));
+        pending_requests_.erase(service_path);
+        return;
+      }
+
+      pkcs11_id = CertificateIsConfigured(ui_data.get());
+      // Ensure the certificate is available and configured.
+      if (!cert_loader_->IsHardwareBacked() || pkcs11_id.empty()) {
+        ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
+        return;
+      }
     }
 
-    // If certificates have not been loaded yet, queue the connect request.
-    if (!certificates_loaded_) {
-      ConnectRequest* request = pending_request(service_path);
-      DCHECK(request);
-      NET_LOG_EVENT("Connect Request Queued", service_path);
-      queued_connect_.reset(new ConnectRequest(
-          service_path, request->success_callback, request->error_callback));
-      pending_requests_.erase(service_path);
-      return;
-    }
-
-    // Ensure the certificate is available and configured.
-    if (!CertificateIsConfigured(ui_data.get(), &pkcs11_id)) {
-      ErrorCallbackForPendingRequest(service_path, kErrorCertificateRequired);
-      return;
+    // The network may not be 'Connectable' because the TPM properties are not
+    // set up, so configure tpm slot/pin before connecting.
+    if (cert_loader_ && cert_loader_->IsHardwareBacked()) {
+      // Pass NULL if pkcs11_id is empty, so that it doesn't clear any
+      // previously configured client cert.
+      client_cert::SetShillProperties(client_cert_type,
+                                      cert_loader_->tpm_token_slot(),
+                                      cert_loader_->tpm_user_pin(),
+                                      pkcs11_id.empty() ? NULL : &pkcs11_id,
+                                      &config_properties);
     }
   }
 
-  // The network may not be 'Connectable' because the TPM properties are
-  // not set up, so configure tpm slot/pin before connecting.
-  if (cert_loader_) {
-    tpm_slot = cert_loader_->tpm_token_slot();
-    tpm_pin = cert_loader_->tpm_user_pin();
-  }
-
-  base::DictionaryValue config_properties;
-
-  if (type == flimflam::kTypeVPN) {
-    if (vpn_provider_type == flimflam::kProviderOpenVpn) {
-      if (!pkcs11_id.empty()) {
-        config_properties.SetStringWithoutPathExpansion(
-            flimflam::kOpenVPNClientCertIdProperty, pkcs11_id);
-      }
-      if (!tpm_pin.empty()) {
-        config_properties.SetStringWithoutPathExpansion(
-            flimflam::kOpenVPNPinProperty, tpm_pin);
-      }
-    } else {
-      if (!pkcs11_id.empty()) {
-        config_properties.SetStringWithoutPathExpansion(
-            flimflam::kL2tpIpsecClientCertIdProperty, pkcs11_id);
-      }
-      if (!tpm_slot.empty()) {
-        config_properties.SetStringWithoutPathExpansion(
-            flimflam::kL2tpIpsecClientCertSlotProperty, tpm_slot);
-      }
-      if (!tpm_pin.empty()) {
-        config_properties.SetStringWithoutPathExpansion(
-            flimflam::kL2tpIpsecPinProperty, tpm_pin);
-      }
-    }
-  } else if (type == flimflam::kTypeWifi) {
-    if (!pkcs11_id.empty()) {
-      config_properties.SetStringWithoutPathExpansion(
-          flimflam::kEapCertIdProperty, pkcs11_id);
-      config_properties.SetStringWithoutPathExpansion(
-          flimflam::kEapKeyIdProperty, pkcs11_id);
-    }
-    if (!tpm_pin.empty()) {
-      config_properties.SetStringWithoutPathExpansion(
-          flimflam::kEapPinProperty, tpm_pin);
-    }
-  }
-
   if (!config_properties.empty()) {
     NET_LOG_EVENT("Configuring Network", service_path);
 
     // Set configuration properties required by Shill to identify the network.
     config_properties.SetStringWithoutPathExpansion(
         flimflam::kTypeProperty, type);
     CopyStringFromDictionary(service_properties, flimflam::kNameProperty,
                              &config_properties);
     CopyStringFromDictionary(service_properties, flimflam::kGuidProperty,
                              &config_properties);
@@ skipping 126 matching lines @@
   error_callback.Run(error_name, error_data.Pass());
 }
 
 void NetworkConnectionHandler::CheckAllPendingRequests() {
   for (std::map<std::string, ConnectRequest>::iterator iter =
            pending_requests_.begin(); iter != pending_requests_.end(); ++iter) {
     CheckPendingRequest(iter->first);
   }
 }
 
-bool NetworkConnectionHandler::CertificateIsConfigured(NetworkUIData* ui_data,
-                                                       std::string* pkcs11_id) {
+std::string NetworkConnectionHandler::CertificateIsConfigured(
+    NetworkUIData* ui_data) {
   if (ui_data->certificate_pattern().Empty())
-    return false;
-
+    return std::string();
   // Find the matching certificate.
   scoped_refptr<net::X509Certificate> matching_cert =
-      certificate_pattern::GetCertificateMatch(ui_data->certificate_pattern());
+      client_cert::GetCertificateMatch(ui_data->certificate_pattern());
   if (!matching_cert.get())
-    return false;
-  *pkcs11_id = cert_loader_->GetPkcs11IdForCert(*matching_cert.get());
-  return true;
+    return std::string();
+  return CertLoader::GetPkcs11IdForCert(*matching_cert.get());
 }
 
 void NetworkConnectionHandler::ErrorCallbackForPendingRequest(
     const std::string& service_path,
     const std::string& error_name) {
   ConnectRequest* request = pending_request(service_path);
   DCHECK(request);
   // Remove the entry before invoking the callback in case it triggers a retry.
   network_handler::ErrorCallback error_callback = request->error_callback;
   pending_requests_.erase(service_path);
@@ skipping 42 matching lines @@
 
 void NetworkConnectionHandler::HandleShillActivateSuccess(
     const std::string& service_path,
     const base::Closure& success_callback) {
   NET_LOG_EVENT("Activate Request Sent", service_path);
   if (!success_callback.is_null())
     success_callback.Run();
 }
 
 }  // namespace chromeos