Check configuration for networks without UIData

chromeos/network/client_cert_util.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/client_cert_util.h"
 
 #include <cert.h>
 #include <pk11pub.h>
 
 #include <list>
@@ skipping 73 matching lines @@
     }
 
     return (std::find(issuer_ca_pems_.begin(), issuer_ca_pems_.end(),
                       pem_encoded) ==
             issuer_ca_pems_.end());
   }
  private:
   const std::vector<std::string>& issuer_ca_pems_;
 };
 
+std::string GetStringFromDictionary(const base::DictionaryValue& dict,
+                                    const std::string& key) {
+  std::string s;
+  dict.GetStringWithoutPathExpansion(key, &s);
+  return s;
+}
+
 }  // namespace
 
 // Returns true only if any fields set in this pattern match exactly with
 // similar fields in the principal.  If organization_ or organizational_unit_
 // are set, then at least one of the organizations or units in the principal
 // must match.
 bool CertPrincipalMatches(const IssuerSubjectPattern& pattern,
                           const net::CertPrincipal& principal) {
   if (!pattern.common_name().empty() &&
       pattern.common_name() != principal.common_name) {
@@ skipping 127 matching lines @@
                                                   *pkcs11_id);
       }
       break;
     }
   }
   DCHECK(tpm_pin_property);
   if (!tpm_pin.empty())
     properties->SetStringWithoutPathExpansion(tpm_pin_property, tpm_pin);
 }
 
+bool IsCertificateConfigured(const client_cert::ConfigType cert_config_type,
+                             const base::DictionaryValue& service_properties) {
+  // VPN certificate properties are read from the Provider dictionary.
+  const base::DictionaryValue* provider_properties = NULL;
+  service_properties.GetDictionaryWithoutPathExpansion(
+      flimflam::kProviderProperty, &provider_properties);
+  switch (cert_config_type) {
+    case CONFIG_TYPE_NONE:
+      return true;
+    case CONFIG_TYPE_OPENVPN: {
+      if (!provider_properties)
+        return false;
+      std::string cert_id = GetStringFromDictionary(
+          *provider_properties, flimflam::kOpenVPNClientCertIdProperty);
+      std::string username = GetStringFromDictionary(
+          *provider_properties, flimflam::kOpenVPNUserProperty);

[pneubeck (no reviews), 2013/08/31 05:31:30]

I'm find it irritating that here Username is checked and not tpm pin.

[stevenjb, 2013/09/03 22:33:05]

TPM Pin is something configured by Chrome, so it does not actually need to be
configured for us to be able to connect, i.e. Chrome can set it.

+      return !cert_id.empty() && !username.empty();
+    }
+    case CONFIG_TYPE_IPSEC: {
+      if (!provider_properties)
+        return false;
+      std::string cert_id = GetStringFromDictionary(
+          *provider_properties, flimflam::kL2tpIpsecClientCertIdProperty);
+      std::string username = GetStringFromDictionary(

[pneubeck (no reviews), 2013/08/31 05:31:30]

and here, tpm pin + slot instead of username.

Is there a specific reason for the deviation from SetShillProperties above?

[stevenjb, 2013/09/03 22:33:05]

This isn't really intended to be the opposite of SetShillProperties, which is
why I named it differently. In practice, those properties would also be set, but
since they are well known values that Chrome can set if necessary, they are not
actually required. Whereas, unless I am mistaken, if CertId or Username are
unset, there is no possibility of connecting to the network.

[pneubeck (no reviews), 2013/09/04 08:40:00]

AFAIU, VPNs can be setup without Username or without client cert.

OpenVPN can be setup without client cert and instead with username/password: on
http://openvpn.net/index.php/open-source/documentation/howto.html
 grep for "client-cert-not-required".

In case of EAP, there are at least variants that don't require a client cert:
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol#EAP-TTLS
mentions "The client can, but does not have to be authenticated via a CA-signed
PKI certificate to the server"

Similar might be true for L2TP/IPsec.

[stevenjb, 2013/09/04 17:58:13]

Until/unless Shill sets 'Configured' properly, all we can do is check the
situations where we are reasonably certain that the network is configured. It
sounds like for VPN we just need to always return 'false' here, which is the M29
behavior (always show the config UI first).

+          *provider_properties, flimflam::kL2tpIpsecUserProperty);
+      return !cert_id.empty() && !username.empty();
+    }
+    case CONFIG_TYPE_EAP: {
+      std::string cert_id = GetStringFromDictionary(
+          service_properties, flimflam::kEapCertIdProperty);
+      std::string key_id = GetStringFromDictionary(
+          service_properties, flimflam::kEapKeyIdProperty);
+      std::string identity = GetStringFromDictionary(
+          service_properties, flimflam::kEapIdentityProperty);
+      return !cert_id.empty() && !key_id.empty() && !identity.empty();
+    }
+  }
+  NOTREACHED();
+  return false;
+}
+
 }  // namespace client_cert
 
 }  // namespace chromeos