Enable client certificate patterns in device ONC policy

Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which 
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
TEST=unit_tests && chromeos_unittests
Manual test scenario:
--
Prerequisites:
Install a certificate (subject common name e.g.: “cert_user”)
into the user token and a different certificate (subject common
name e.g.: “cert_system”) into the system token.
Have a EAP-TLS wifi network connected to a radius server which
would accept both client certificates.
--
Test Case 1: device policy ONC / user token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device does not try to auto-connect to the
wifi network because the ClientCertPattern originating from device
policy does not match user certificates.
--
Test Case 2: device policy ONC / system token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network
because the ClientCertPattern originating from device policy
matches certificates present on the system token. It authenticates
with cert_system.
--
Test Case 3: user policy ONC / user token certificate
Configure a user policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_user.
--
Test Case 4: user policy ONC / system token certificate
Configure a user OpenNetworkPolicy to connect to the EAP-TLS network
with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_system.

Review-Url: https://codereview.chromium.org/2828713002
Cr-Commit-Position: refs/heads/master@{#467634}
Committed: https://chromium.googlesource.com/chromium/src/+/93bc5d7c02d275d27c030ab15a8c68efc8efdd99

[pmarko, 2017-04-20 17:12:52]

Description was changed from

==========
[TEMP] Enable client certificate patterns in device ONC policy

This CL enables client certificate patterns for EAP-TLS networks in
device ONC policy. Device-wide client certificate patterns are
restricted to only match certificates which are present in the system
token. This prevents the device from presenting the user's certificates
involuntarily.

BUG=655266
==========

to

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new flag which indicates if it
  originates from device policy.

BUG=655266
==========

[pmarko, 2017-04-20 17:16:07]

pmarko@chromium.org changed reviewers:
+ emaxx@chromium.org

[pmarko, 2017-04-20 17:16:08]

Hey Maksim,
would you please take a look before I send this out?

Thanks!!

[emaxx, 2017-04-20 20:10:40]

Tried to provide an early feedback (not sure whether I reviewed everything
thoroughly - but feel free to proceed to OWNERS after you process the comments
from me).

https://codereview.chromium.org/2828713002/diff/80001/ash/system/network/netw...
File ash/system/network/network_list.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/ash/system/network/netw...
ash/system/network/network_list.cc:69: network->guid(), network->profile_path(),
nullptr);
nit: Append the comment /* onc_source */ to explain what this nullptr actually
means.
(The same applies to other files in the CL.)

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/enrollment_dialog_view.cc (left):

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/enrollment_dialog_view.cc:284: if (!policy || onc_source
== onc::ONC_SOURCE_DEVICE_POLICY)
Shouldn't the "!policy" exit route be preserved?
The policy pointer is even dereferenced in the next couple of lines.

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/enrollment_dialog_view.cc:284: if (!policy || onc_source
== onc::ONC_SOURCE_DEVICE_POLICY)
We should also check whether the enrollment dialog should be suppressed in some
use cases, like kiosks - don't know whether this dialog would make sense for
them (need to check the product side and the technical side effects, like not
having ability to access browser in kiosks).

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/enrollment_dialog_view.cc:274: NET_LOG_EVENT("Skipping
enrollment on sign-in profile", network_id);
Is this log message really helpful?

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc...
chromeos/cert_loader.cc:166: for (net::CertificateList::const_iterator it =
cert_list_->begin();
nit: Use range-based for loop?

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc...
chromeos/cert_loader.cc:170: if (IsCertificateInSystemToken(cert.get())) {
Isn't it bad to call this function on the UI thread? I mean, considering NSS as
a black box, it may easily happen that listing all slots for a dozen of certs
may work noticeably long. Or there's some evidence that performing this is fine
on the UI thread?

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc...
chromeos/cert_loader.cc:210: return true;
I didn't look into the NSS sources to check, but can't a memory leak happen
there? Or ScopedPK11SlotList will take care of that? (hopefully without
double-freeing stuff due to PK11_GetNextSafe() calls)

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h#...
chromeos/cert_loader.h:86: // Returns certificates from the system token. This
will be empty until
nit: Maybe move this method to be after cert_list, as the latter one is what the
most clients in the code will need?

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h#...
chromeos/cert_loader.h:116: // Retruns true if |cert| is in the system token.
nit: Typo in "Returns".

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h#...
chromeos/cert_loader.h:134: // cert_list_.
nit: s/cert_list_/|cert_list_|/

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
File chromeos/cert_loader_unittest.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
chromeos/cert_loader_unittest.cc:118: void AddSystemToken(TestNSSCertDatabase*
certdb) {
nit: As this method is not going to be used from the tests themselves, better
move it to private.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
chromeos/cert_loader_unittest.cc:143: // Import a client cert and key into a
PKCS 11 slot. Then notify
nit: s/PKCS 11/PKCS11/

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
chromeos/cert_loader_unittest.cc:154:
database_to_notify->NotifyOfCertAdded(client_cert.get());
Looks like this parameter is actually unused, so proposing to do a small clean
up (remove this parameter from NotifyOfCertAdded, maybe rename the method,
etc.).

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
File chromeos/network/client_cert_resolver.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:192: // client cert config based on ONC
policy source. Device policy certificate
nit: I'd prefer to move the second sentence inside the function, as it talks
already about the implementation detail, but not the interface of the function.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:195: const std::vector<CertAndIssuer>&
ChooseCertList(
Returning a reference that follows the reference received by an argument - that
looks a little bit unsafe to me. IIUC, this is correct only as long as the
function parameters are not temporary objects, so that it's becoming easy to
break this by an unrelated change.

When using pointers, it's becoming harder to break it and don't notice.
Or maybe find some other way to structure the code here.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:201: else
nit: Remove else. See here:
https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md...

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:224:
std::vector<CertAndIssuer>::const_iterator cert_it =
nit: I think "auto" instead of this long iterator type should be fine to use
here.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
File chromeos/network/client_cert_resolver_unittest.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver_unittest.cc:58: cert_loader_(nullptr),
nit: It's generally advisable to move onto C++11 in-class initializers in such
straightforward cases. (If you take this change on, please also update other
members that are initialized here.)

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
File chromeos/network/client_cert_util.h (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_util.h:56: bool source_is_device_policy_;
nit: The trailing underscore is extra.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_util.h:56: bool source_is_device_policy_;
Maybe just including ONCSource here would be better? This will allow more
granularity if someone wants it in the future.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/networ...
File chromeos/network/network_connection_handler.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/networ...
chromeos/network/network_connection_handler.cc:425: ::onc::ONCSource onc_source;
nit: I believe the general guideline is to initialize all variables with some
default values, even in such cases when it's actually an output parameter.

[pmarko, 2017-04-24 13:01:59]

Patchset #6 (id:100001) has been deleted

[pmarko, 2017-04-24 14:02:14]

Description was changed from

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new flag which indicates if it
  originates from device policy.

BUG=655266
==========

to

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which 
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
==========

[pmarko, 2017-04-24 14:49:56]

Thank you for the excellent review, emaxx! I'll proceed to OWNERs as discussed,
but I would appreciate it if you could take a look at how I've resolved your
comments and if that is fine with you.

https://codereview.chromium.org/2828713002/diff/80001/ash/system/network/netw...
File ash/system/network/network_list.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/ash/system/network/netw...
ash/system/network/network_list.cc:69: network->guid(), network->profile_path(),
nullptr);
On 2017/04/20 20:10:38, emaxx wrote:
> nit: Append the comment /* onc_source */ to explain what this nullptr actually
> means.
> (The same applies to other files in the CL.)

Done.
(ash/system/network/network_list.cc, chromeos/network/auto_connect_handler.cc,
chromeos/network/network_connection_handler.cc)

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/enrollment_dialog_view.cc (left):

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/enrollment_dialog_view.cc:284: if (!policy || onc_source
== onc::ONC_SOURCE_DEVICE_POLICY)
On 2017/04/20 20:10:39, emaxx wrote:
> Shouldn't the "!policy" exit route be preserved?
> The policy pointer is even dereferenced in the next couple of lines.

Whoops. Done.

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chrome/browser/chromeos...
chrome/browser/chromeos/enrollment_dialog_view.cc:274: NET_LOG_EVENT("Skipping
enrollment on sign-in profile", network_id);
On 2017/04/20 20:10:39, emaxx wrote:
> Is this log message really helpful?

Done.
(No, removed :-) )

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc...
chromeos/cert_loader.cc:166: for (net::CertificateList::const_iterator it =
cert_list_->begin();
On 2017/04/20 20:10:39, emaxx wrote:
> nit: Use range-based for loop?

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc...
chromeos/cert_loader.cc:170: if (IsCertificateInSystemToken(cert.get())) {
On 2017/04/20 20:10:39, emaxx wrote:
> Isn't it bad to call this function on the UI thread? I mean, considering NSS
as
> a black box, it may easily happen that listing all slots for a dozen of certs
> may work noticeably long. Or there's some evidence that performing this is
fine
> on the UI thread?

Done. Offloaded to slow task runner, see new member function CertLoader::
CertificatesLoaded and anonymous namespace::FilterSystemTokenCertificates.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.cc...
chromeos/cert_loader.cc:210: return true;
On 2017/04/20 20:10:39, emaxx wrote:
> I didn't look into the NSS sources to check, but can't a memory leak happen
> there? Or ScopedPK11SlotList will take care of that? (hopefully without
> double-freeing stuff due to PK11_GetNextSafe() calls)

You are right! I forgot and repeated bug 329104.
Done.
(This is now in the anonymous namespace on the top of this file)

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h#...
chromeos/cert_loader.h:86: // Returns certificates from the system token. This
will be empty until
On 2017/04/20 20:10:39, emaxx wrote:
> nit: Maybe move this method to be after cert_list, as the latter one is what
the
> most clients in the code will need?

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h#...
chromeos/cert_loader.h:116: // Retruns true if |cert| is in the system token.
On 2017/04/20 20:10:39, emaxx wrote:
> nit: Typo in "Returns".

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader.h#...
chromeos/cert_loader.h:134: // cert_list_.
On 2017/04/20 20:10:39, emaxx wrote:
> nit: s/cert_list_/|cert_list_|/

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
File chromeos/cert_loader_unittest.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
chromeos/cert_loader_unittest.cc:118: void AddSystemToken(TestNSSCertDatabase*
certdb) {
On 2017/04/20 20:10:39, emaxx wrote:
> nit: As this method is not going to be used from the tests themselves, better
> move it to private.

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
chromeos/cert_loader_unittest.cc:143: // Import a client cert and key into a
PKCS 11 slot. Then notify
On 2017/04/20 20:10:39, emaxx wrote:
> nit: s/PKCS 11/PKCS11/

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/cert_loader_un...
chromeos/cert_loader_unittest.cc:154:
database_to_notify->NotifyOfCertAdded(client_cert.get());
On 2017/04/20 20:10:39, emaxx wrote:
> Looks like this parameter is actually unused, so proposing to do a small clean
> up (remove this parameter from NotifyOfCertAdded, maybe rename the method,
> etc.).

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
File chromeos/network/client_cert_resolver.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:192: // client cert config based on ONC
policy source. Device policy certificate
On 2017/04/20 20:10:39, emaxx wrote:
> nit: I'd prefer to move the second sentence inside the function, as it talks
> already about the implementation detail, but not the interface of the
function.

Done. / Moved logic into the call site.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:195: const std::vector<CertAndIssuer>&
ChooseCertList(
On 2017/04/20 20:10:39, emaxx wrote:
> Returning a reference that follows the reference received by an argument -
that
> looks a little bit unsafe to me. IIUC, this is correct only as long as the
> function parameters are not temporary objects, so that it's becoming easy to
> break this by an unrelated change.
> 
> When using pointers, it's becoming harder to break it and don't notice.
> Or maybe find some other way to structure the code here.

Done.
Very good point - yes, it would compile and crash if a temporary object was
passed. It is fragile because it relies on the caller keeping the instances
alive after the method returns. I've moved the logic into the call site and
removed this function.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:201: else
On 2017/04/20 20:10:39, emaxx wrote:
> nit: Remove else. See here:
>
https://chromium.googlesource.com/chromium/src/+/master/styleguide/c++/c++.md...

Done. / Moved logic into the call site.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver.cc:224:
std::vector<CertAndIssuer>::const_iterator cert_it =
On 2017/04/20 20:10:39, emaxx wrote:
> nit: I think "auto" instead of this long iterator type should be fine to use
> here.

Done.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
File chromeos/network/client_cert_resolver_unittest.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_resolver_unittest.cc:58: cert_loader_(nullptr),
On 2017/04/20 20:10:39, emaxx wrote:
> nit: It's generally advisable to move onto C++11 in-class initializers in such
> straightforward cases. (If you take this change on, please also update other
> members that are initialized here.)

Done. I've left scoped_task_scheduler(&message_loop) in the initializer list
because it's the only non-trivial one.

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
File chromeos/network/client_cert_util.h (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/client...
chromeos/network/client_cert_util.h:56: bool source_is_device_policy_;
On 2017/04/20 20:10:39, emaxx wrote:
> Maybe just including ONCSource here would be better? This will allow more
> granularity if someone wants it in the future.

Done. (both - renamed to onc_source)

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/networ...
File chromeos/network/network_connection_handler.cc (right):

https://codereview.chromium.org/2828713002/diff/80001/chromeos/network/networ...
chromeos/network/network_connection_handler.cc:425: ::onc::ONCSource onc_source;
On 2017/04/20 20:10:39, emaxx wrote:
> nit: I believe the general guideline is to initialize all variables with some
> default values, even in such cases when it's actually an output parameter.

Done. (also in chromeos/network/client_cert_resolver.cc)

[pmarko, 2017-04-24 14:52:56]

pmarko@chromium.org changed reviewers:
+ stevenjb@chromium.org

[pmarko, 2017-04-24 14:52:57]

stevenjb@chromium.org: Please review this CL. Thank you!

[stevenjb, 2017-04-24 15:53:59]

Note: I'm not very familiar with the lower level certificate details, so please
wait for emaxx@ to review this also, but the networking / cert_loader code lgtm
w/ a couple of suggestions.

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:274: return false;
Could you add a comment for this exit?

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:92: const net::CertificateList& cert_list() const {
return *cert_list_; }
nit: I'm not sure how much churn this would cause, but I think the code would be
more clear if we rename these something like all_certs_list and
system_certs_list, or just all_certs and system_certs.

(When there was just one list, "cert list" meant "a list of type cert"; now that
we have multiple lists, we really want to mean "a list of all certs" and "a list
of system certs").

[emaxx, 2017-04-24 21:23:13]

Two general notes:

1. Isn't there an update required in onc_spec.md? Or it doesn't say where the
cert patterns don't work anyway?

2. Please add a "TEST=" section into the CL description. Apart from mentioning
unit tests, it will be useful to track the exact scenario of the manual testing
for this change.

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:273: if
(chromeos::ProfileHelper::IsSigninProfile(profile))
So what about other types of sessions - aren't we opening unwanted surfaces for
the enrollment dialog?
E.g. kiosks - I guess they only can have the device ONC. If that's true, then
this CL enables the enrollment dialog for them, which is probably undesired.

Maybe we'd have to solve this issue on a point-by-point basis for each possible
value of the chromeos::LoginState::LoggedInUserType enum. (Don't know - maybe
I'm failing to see some simpler approach.)

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:30:
PK11_GetAllSlotsForCert(certificate->os_cert_handle(), NULL));
nit: Maybe use nullptr? (Sorry for proposing this only now.)

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:39: PK11_FreeSlotListElement(slots_for_cert.get(),
slot_element);
nit: Maybe drop an explanatory comment here? Something like that (please correct
if it's wrong and/or feel free to rephrase it as you wish):
// Free the remaining list elements. All previously visited items have
// been freed by PK11_GetNextSafe().

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:252: return base::WorkerPool::GetTaskRunner(true /*task
is slow*/);
I'm concerned about using WorkerPool. It's used only in a small number of call
sites, and looks like it's being deprecated: http://crbug.com/659191

I believe you may use the following tools (though I may be wrong here):
* PostTaskWithTraitsAndReply - with, I guess, the following traits: WithWait(),
WithPriority(BACKGROUND), WithShutdownBehavior(CONTINUE_ON_SHUTDOWN);
* ScopedTaskScheduler for tests.

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:21: class TaskRunner;
nit: Include this header directly, as I believe scoped_refptr doesn't work with
incomplete types by default.

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:101: void SetSlowTaskRunnerForTest(
nit: s/ForTest/ForTesting/ - as that form is used in this class already, and is
also contained in the Style Guide.

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:148: // Cached Certifictes from system token. Currently
this is a sublist of
nit: s/Certifictes/certificates/

[pmarko, 2017-04-25 12:09:03]

Description was changed from

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which 
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
==========

to

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which 
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
TEST=unit_tests && chromeos_unittests
Manual test scenario:
--
Prerequisites:
Install a certificate (subject common name e.g.: “cert_user”)
into the user token and a different certificate (subject common
name e.g.: “cert_system”) into the system token.
Have a EAP-TLS wifi network connected to a radius server which
would accept both client certificates.
--
Test Case 1: device policy ONC / user token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device does not try to auto-connect to the
wifi network because the ClientCertPattern originating from device
policy does not match user certificates.
--
Test Case 2: device policy ONC / system token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network
because the ClientCertPattern originating from device policy
matches certificates present on the system token. It authenticates
with cert_system.
--
Test Case 3: user policy ONC / user token certificate
Configure a user policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_user.
--
Test Case 4: user policy ONC / system token certificate
Configure a user OpenNetworkPolicy to connect to the EAP-TLS network
with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_system.
==========

[pmarko, 2017-04-25 12:10:03]

Addressing general notes:
(1) onc_spec.md:
The restriction about client certificate patterns not being usable in device
policy does not seem to be documented in onc_spec.md. The change originally
introducing this restriction (https://chromiumcodereview.appspot.com/10868113)
did not touch onc_spec.html (as it was named back then) either. I think we're
fine
(2) Updated issue description to include TEST=. Is this fine or too much
text/detail?

Thanks!

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:273: if
(chromeos::ProfileHelper::IsSigninProfile(profile))
On 2017/04/24 21:23:13, emaxx wrote:
> So what about other types of sessions - aren't we opening unwanted surfaces
for
> the enrollment dialog?
> E.g. kiosks - I guess they only can have the device ONC. If that's true, then
> this CL enables the enrollment dialog for them, which is probably undesired.
> 
> Maybe we'd have to solve this issue on a point-by-point basis for each
possible
> value of the chromeos::LoginState::LoggedInUserType enum. (Don't know - maybe
> I'm failing to see some simpler approach.)

Oh yes, good point.
I've thought about getting the user for the current profile and examining
user->GetType() but I think LoggerInUserType is easier.
I've moved the logic to a new "EnrollmentDialogAllowed()" method.
I'm not sure about LOGGED_IN_USER_GUEST - WDYT?

https://codereview.chromium.org/2828713002/diff/140001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:274: return false;
On 2017/04/24 15:53:59, stevenjb wrote:
> Could you add a comment for this exit?

Done. (on the new method - if you'd like an explicit comment here, please tell
me)

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:30:
PK11_GetAllSlotsForCert(certificate->os_cert_handle(), NULL));
On 2017/04/24 21:23:13, emaxx wrote:
> nit: Maybe use nullptr? (Sorry for proposing this only now.)

Done. (whole file)

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:39: PK11_FreeSlotListElement(slots_for_cert.get(),
slot_element);
On 2017/04/24 21:23:13, emaxx wrote:
> nit: Maybe drop an explanatory comment here? Something like that (please
correct
> if it's wrong and/or feel free to rephrase it as you wish):
> // Free the remaining list elements. All previously visited items have
> // been freed by PK11_GetNextSafe().

Done. (please see if my comment is good or too much detail)

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:252: return base::WorkerPool::GetTaskRunner(true /*task
is slow*/);
On 2017/04/24 21:23:13, emaxx wrote:
> I'm concerned about using WorkerPool. It's used only in a small number of call
> sites, and looks like it's being deprecated: http://crbug.com/659191
> 
> I believe you may use the following tools (though I may be wrong here):
> * PostTaskWithTraitsAndReply - with, I guess, the following traits:
WithWait(),
> WithPriority(BACKGROUND), WithShutdownBehavior(CONTINUE_ON_SHUTDOWN);
> * ScopedTaskScheduler for tests.

Good find, thanks! I used WorkerPool because that's what other NSS-using places
use. I've checked why and stumbled upon
https://codereview.chromium.org/2722733002 and
https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/SubA-WOEB18.

IIUC, the main concern is that if chrome calls a NSS function which requires the
user to login to a token, NSS uses the callback set by PK11_SetPasswordFunc to
perform the password request. In chrome, this invokes UI, so it might do things
asynchronously and use TaskScheduler. If TaskScheduler can't grow its task pool,
it might be starved and cause a deadlock.

I think that this is not an issue for our callsite because we don't do
operations which would require a token auth (esp. no private key access and no
access to new tokens). So switching to TaskScheduler.

WDYT?

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:21: class TaskRunner;
On 2017/04/24 21:23:13, emaxx wrote:
> nit: Include this header directly, as I believe scoped_refptr doesn't work
with
> incomplete types by default.

Removed becuse TaskRunner is not necessary in the interface due to the switch to
TaskScheduler.

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:92: const net::CertificateList& cert_list() const {
return *cert_list_; }
On 2017/04/24 15:53:59, stevenjb wrote:
> nit: I'm not sure how much churn this would cause, but I think the code would
be
> more clear if we rename these something like all_certs_list and
> system_certs_list, or just all_certs and system_certs.
> 
> (When there was just one list, "cert list" meant "a list of type cert"; now
that
> we have multiple lists, we really want to mean "a list of all certs" and "a
list
> of system certs").

Good idea, changed to all_certs+system_certs. Not too much churn caused. Done.

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:101: void SetSlowTaskRunnerForTest(
On 2017/04/24 21:23:13, emaxx wrote:
> nit: s/ForTest/ForTesting/ - as that form is used in this class already, and
is
> also contained in the Style Guide.

Done. / Removed because the switch to TaskScheduler made this obsolete.

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.h...
chromeos/cert_loader.h:148: // Cached Certifictes from system token. Currently
this is a sublist of
On 2017/04/24 21:23:13, emaxx wrote:
> nit: s/Certifictes/certificates/

Done.

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:210: .WithShutdownBehavior(
I've used the same traits that were used in the referenced CL. Do you think we
should explicitly set the priority? It seems that the default priority would be
USER_VISIBLE which might be true if the user is waiting for the certs to get
loaded on the wifi connect dialog or for the network to start connecting (i.e.
for ClientCertResolver to do its work). On other cases, BACKGROUND would be
appropriate, but we don't know.

[emaxx, 2017-04-25 15:15:58]

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/140001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:252: return base::WorkerPool::GetTaskRunner(true /*task
is slow*/);
On 2017/04/25 12:10:02, pmarko wrote:
> On 2017/04/24 21:23:13, emaxx wrote:
> > I'm concerned about using WorkerPool. It's used only in a small number of
call
> > sites, and looks like it's being deprecated: http://crbug.com/659191
> > 
> > I believe you may use the following tools (though I may be wrong here):
> > * PostTaskWithTraitsAndReply - with, I guess, the following traits:
> WithWait(),
> > WithPriority(BACKGROUND), WithShutdownBehavior(CONTINUE_ON_SHUTDOWN);
> > * ScopedTaskScheduler for tests.
> 
> Good find, thanks! I used WorkerPool because that's what other NSS-using
places
> use. I've checked why and stumbled upon
> https://codereview.chromium.org/2722733002 and
> https://groups.google.com/a/chromium.org/forum/#!topic/net-dev/SubA-WOEB18.
> 
> IIUC, the main concern is that if chrome calls a NSS function which requires
the
> user to login to a token, NSS uses the callback set by PK11_SetPasswordFunc to
> perform the password request. In chrome, this invokes UI, so it might do
things
> asynchronously and use TaskScheduler. If TaskScheduler can't grow its task
pool,
> it might be starved and cause a deadlock.
> 
> I think that this is not an issue for our callsite because we don't do
> operations which would require a token auth (esp. no private key access and no
> access to new tokens). So switching to TaskScheduler.
> 
> WDYT?

Yes, I think the remaining uses of WorkerPool are there because of the tasks
that may involve the user gesture and are therefore unbound in the execution
time.
I agree that it shouldn't be an issue for this code (and maybe even never for
Chrome OS specific code).

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:262: // no extensions there
yet and no PKCS11 token is loaded.
nit: The part "because we have no extensions there yet" will change soon, but
this comment will likely stay here unnoticed. Also, maybe something else may
prevent us from enabling this on the login screen - like the UI restrictions.
So I'd rather recommend not to have this detailed comment here. If you want to
document the reasoning here against the current state of things, the crbug or
the Design Doc will be a better place for this, IMO.

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:265: return true;
I'm afraid this potentially opens the possibility for showing the enrollment
dialog on the lock screen and maybe in some other scenarios.
So I think that the check against IsSigninProfile(browser) is still required.

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:271: // Not allowed for now
because we haven't tested this.
nit: I think it's better not to track in the code what is tested and what is
not; moreover, this may also be influenced by a PM decision. So crbugs work
better for tracking this stuff (and you won't have to file another CL if the
resulting decision is to keep "false" :) ).
So I'd recommend to drop this comment unless you can come up with a more neutral
form.

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:40: // but we're not calling that for the last one, so
free it explicitly.
nit: My understanding was that the issue is not only with freeing the currrent
element ("the last one" as is said currently), but with all remaining elements
starting from |slot_element|? If so, then please adjust the comment accordingly.

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:210: .WithShutdownBehavior(
On 2017/04/25 12:10:03, pmarko wrote:
> I've used the same traits that were used in the referenced CL. Do you think we
> should explicitly set the priority? It seems that the default priority would
be
> USER_VISIBLE which might be true if the user is waiting for the certs to get
> loaded on the wifi connect dialog or for the network to start connecting (i.e.
> for ClientCertResolver to do its work). On other cases, BACKGROUND would be
> appropriate, but we don't know.

Maybe you're right; to me the difference between these task priorities is a bit
too vague.

I think you may want to involve some of the corresponding OWNERS (maybe
fdoray@).

[pmarko, 2017-04-25 16:59:55]

pmarko@chromium.org changed reviewers:
+ fdoray@chromium.org

[pmarko, 2017-04-25 16:59:57]

@fdoray: Would you please take a look at the propsed TaskScheduler /
base::PostTaskWithTraitsAndReply use in chromeos/cert_loader.cc? Thanks!

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
File chrome/browser/chromeos/enrollment_dialog_view.cc (right):

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:262: // no extensions there
yet and no PKCS11 token is loaded.
On 2017/04/25 15:15:58, emaxx wrote:
> nit: The part "because we have no extensions there yet" will change soon, but
> this comment will likely stay here unnoticed. Also, maybe something else may
> prevent us from enabling this on the login screen - like the UI restrictions.
> So I'd rather recommend not to have this detailed comment here. If you want to
> document the reasoning here against the current state of things, the crbug or
> the Design Doc will be a better place for this, IMO.

Done. (You're right - I've dropped the comments here. They're just waiting to be
outdated/incorrect).

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:265: return true;
On 2017/04/25 15:15:58, emaxx wrote:
> I'm afraid this potentially opens the possibility for showing the enrollment
> dialog on the lock screen and maybe in some other scenarios.
> So I think that the check against IsSigninProfile(browser) is still required.

Done. (Added back IsSigninProfile check in the beginning of this function)

https://codereview.chromium.org/2828713002/diff/160001/chrome/browser/chromeo...
chrome/browser/chromeos/enrollment_dialog_view.cc:271: // Not allowed for now
because we haven't tested this.
On 2017/04/25 15:15:58, emaxx wrote:
> nit: I think it's better not to track in the code what is tested and what is
> not; moreover, this may also be influenced by a PM decision. So crbugs work
> better for tracking this stuff (and you won't have to file another CL if the
> resulting decision is to keep "false" :) ).
> So I'd recommend to drop this comment unless you can come up with a more
neutral
> form.

Done.

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:40: // but we're not calling that for the last one, so
free it explicitly.
On 2017/04/25 15:15:58, emaxx wrote:
> nit: My understanding was that the issue is not only with freeing the currrent
> element ("the last one" as is said currently), but with all remaining elements
> starting from |slot_element|? If so, then please adjust the comment
accordingly.

Actually:
- Each element in the list starts out with refcount=1 (PK11_AddSlotToList sets
it to 1 and is used by PK11_GetAllSlotsForCert)
- PK11_GetFirstSafe increases the refcount of list->head
- PK11_GetNextSafe increases the refcount of the next element (which is then
returned) and decreases the refcount of the passed element
- PK11_FreeSlotListElement indeed only decreases the refcount of the passed
element. It needs the list to acquire the list-level lock.
- When ScopedPK11SlotList goes out of scope, it calls PK11_FreeSlotList which
actually iterates the whole list and decreases the refcount of each element,
reaching 0.

So, it seems that the semantics are that:
- the existence of the list increases the refcount of each element (+1)
- the element in the current iteration has a further increased refcount (+2).
This is probably done to support "find and return" loops where a matched element
is required to survive after exiting the loop.
See https://github.com/servo/nss/blob/master/lib/pk11wrap/pk11slot.c for more
details.

So, all in all, this is pretty confusing but I think the comment is correct.

https://codereview.chromium.org/2828713002/diff/160001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:210: .WithShutdownBehavior(
On 2017/04/25 15:15:58, emaxx wrote:
> On 2017/04/25 12:10:03, pmarko wrote:
> > I've used the same traits that were used in the referenced CL. Do you think
we
> > should explicitly set the priority? It seems that the default priority would
> be
> > USER_VISIBLE which might be true if the user is waiting for the certs to get
> > loaded on the wifi connect dialog or for the network to start connecting
(i.e.
> > for ClientCertResolver to do its work). On other cases, BACKGROUND would be
> > appropriate, but we don't know.
> 
> Maybe you're right; to me the difference between these task priorities is a
bit
> too vague.
> 
> I think you may want to involve some of the corresponding OWNERS (maybe
> fdoray@).

@fdoray: Could you give advice here? We have a task which in some circumstances
is user-visible (e.g. networks needing client certificates will only connect
after this has been done). Is the default priority fine for this?

[fdoray, 2017-04-25 17:40:25]

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:201: CHECK(thread_checker_.CalledOnValidThread());
DCHECK?

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:207: base::PostTaskWithTraitsAndReply(
You could return a std::unique_ptr<net::CertificateList> in
FilterSystemTokenCertificates and use base::PostTaskWithTraitsAndReplyWithResult
to automatically bind the return value of the first callback to the second
callback.

std::unique_ptr<net::CertificateList>
    FilterSystemTokenCertificates(
        const net::CertificateList* all_certs,
        crypto::ScopedPK11Slot system_slot) {
  auto system_certs = base::MakeUnique<net::CertificateList>();
  ...
  return system_certs;
}

base::PostTaskWithTraitsAndReplyWithResult(
    FROM_HERE,
    base::TaskTraits()...,
    base::BindOnce(
        &FilterSystemTokenCertificates,
        base::Unretained(all_certs.get()),
        base::Passed(&system_slot)),
    base::BindOnce(
        &CertLoader::UpdateCertificates,
        weak_factory_.GetWeakPtr(),
        base::Passed(&all_certs)));

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:213: base::Bind(
base::Bind -> base::BindOnce
https://chromium.googlesource.com/chromium/src/+/87356e8607d5c60651e22ab2ed40...

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:223: CHECK(thread_checker_.CalledOnValidThread());
DCHECK?

[pmarko, 2017-04-26 08:01:29]

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:201: CHECK(thread_checker_.CalledOnValidThread());
On 2017/04/25 17:40:24, fdoray wrote:
> DCHECK?

Good question. The rest of cert_loader.cc used CHECK for CalledOnValidThread
before this CL so I tended to stick to that, but:
- codesearch for [^D]CHECK\(.*\.CalledOnValidThread\(\)\) gives 10 results 
- codesearch for DCHECK\(.*\.CalledOnValidThread\(\)\) gives 730 results
I'll switch cert_loader.cc to go with DCHECK.
Done.

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:207: base::PostTaskWithTraitsAndReply(
On 2017/04/25 17:40:24, fdoray wrote:
> You could return a std::unique_ptr<net::CertificateList> in
> FilterSystemTokenCertificates and use
base::PostTaskWithTraitsAndReplyWithResult
> to automatically bind the return value of the first callback to the second
> callback.
> 
> std::unique_ptr<net::CertificateList>
>     FilterSystemTokenCertificates(
>         const net::CertificateList* all_certs,
>         crypto::ScopedPK11Slot system_slot) {
>   auto system_certs = base::MakeUnique<net::CertificateList>();
>   ...
>   return system_certs;
> }
> 
> base::PostTaskWithTraitsAndReplyWithResult(
>     FROM_HERE,
>     base::TaskTraits()...,
>     base::BindOnce(
>         &FilterSystemTokenCertificates,
>         base::Unretained(all_certs.get()),
>         base::Passed(&system_slot)),
>     base::BindOnce(
>         &CertLoader::UpdateCertificates,
>         weak_factory_.GetWeakPtr(),
>         base::Passed(&all_certs)));

Done. - Good idea, I've also changed base::Passed to std::move because IIUC that
seems to be the preferred way to do it with BindOnce [1] and it looks like
standard C++11. 

[1]
https://groups.google.com/a/chromium.org/forum/#!msg/cxx/KXWZtoP5HJ4/5TRPU81Z...

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:213: base::Bind(
On 2017/04/25 17:40:24, fdoray wrote:
> base::Bind -> base::BindOnce
>
https://chromium.googlesource.com/chromium/src/+/87356e8607d5c60651e22ab2ed40...

Done.

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:223: CHECK(thread_checker_.CalledOnValidThread());
On 2017/04/25 17:40:24, fdoray wrote:
> DCHECK?

Done.

[pmarko, 2017-04-26 11:34:17]

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:207: base::PostTaskWithTraitsAndReply(
On 2017/04/26 08:01:29, pmarko wrote:
> On 2017/04/25 17:40:24, fdoray wrote:
> > You could return a std::unique_ptr<net::CertificateList> in
> > FilterSystemTokenCertificates and use
> base::PostTaskWithTraitsAndReplyWithResult
> > to automatically bind the return value of the first callback to the second
> > callback.
> > 
> > std::unique_ptr<net::CertificateList>
> >     FilterSystemTokenCertificates(
> >         const net::CertificateList* all_certs,
> >         crypto::ScopedPK11Slot system_slot) {
> >   auto system_certs = base::MakeUnique<net::CertificateList>();
> >   ...
> >   return system_certs;
> > }
> > 
> > base::PostTaskWithTraitsAndReplyWithResult(
> >     FROM_HERE,
> >     base::TaskTraits()...,
> >     base::BindOnce(
> >         &FilterSystemTokenCertificates,
> >         base::Unretained(all_certs.get()),
> >         base::Passed(&system_slot)),
> >     base::BindOnce(
> >         &CertLoader::UpdateCertificates,
> >         weak_factory_.GetWeakPtr(),
> >         base::Passed(&all_certs)));
> 
> Done. - Good idea, I've also changed base::Passed to std::move because IIUC
that
> seems to be the preferred way to do it with BindOnce [1] and it looks like
> standard C++11. 
> 
> [1]
>
https://groups.google.com/a/chromium.org/forum/#!msg/cxx/KXWZtoP5HJ4/5TRPU81Z...

Also, could you give me a recommendation about using the default priority vs.
specifying a priority explicitly? I would tend to use USER_VISIBLE if specifying
explicitly. This is called on the UI thread in real chrome (mentioning this
because the default priority seems to be thread-local). What is the usecase for
"default priority"?

[fdoray, 2017-04-26 13:11:36]

lgtm

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/180001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:207: base::PostTaskWithTraitsAndReply(
On 2017/04/26 11:34:17, pmarko wrote:
> On 2017/04/26 08:01:29, pmarko wrote:
> > On 2017/04/25 17:40:24, fdoray wrote:
> > > You could return a std::unique_ptr<net::CertificateList> in
> > > FilterSystemTokenCertificates and use
> > base::PostTaskWithTraitsAndReplyWithResult
> > > to automatically bind the return value of the first callback to the second
> > > callback.
> > > 
> > > std::unique_ptr<net::CertificateList>
> > >     FilterSystemTokenCertificates(
> > >         const net::CertificateList* all_certs,
> > >         crypto::ScopedPK11Slot system_slot) {
> > >   auto system_certs = base::MakeUnique<net::CertificateList>();
> > >   ...
> > >   return system_certs;
> > > }
> > > 
> > > base::PostTaskWithTraitsAndReplyWithResult(
> > >     FROM_HERE,
> > >     base::TaskTraits()...,
> > >     base::BindOnce(
> > >         &FilterSystemTokenCertificates,
> > >         base::Unretained(all_certs.get()),
> > >         base::Passed(&system_slot)),
> > >     base::BindOnce(
> > >         &CertLoader::UpdateCertificates,
> > >         weak_factory_.GetWeakPtr(),
> > >         base::Passed(&all_certs)));
> > 
> > Done. - Good idea, I've also changed base::Passed to std::move because IIUC
> that
> > seems to be the preferred way to do it with BindOnce [1] and it looks like
> > standard C++11. 
> > 
> > [1]
> >
>
https://groups.google.com/a/chromium.org/forum/#!msg/cxx/KXWZtoP5HJ4/5TRPU81Z...
> 
> Also, could you give me a recommendation about using the default priority vs.
> specifying a priority explicitly? I would tend to use USER_VISIBLE if
specifying
> explicitly. This is called on the UI thread in real chrome (mentioning this
> because the default priority seems to be thread-local). What is the usecase
for
> "default priority"?

The default priority (inherited) should be used most of the time. It allows code
to be reused in multiple contexts. 

The USER_BLOCKING and USER_VISIBLE priority should be set explicitly in code
that is explicitly responding to a user action or updating the UI. It doesn't
seem to be the case here.

The BACKGROUND priority should be set explicitly when you know that you are
doing something that the user is not waiting on. E.g. Reporting metrics, writing
data on disk, downloading an update.

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:62: // system_certs_ sublist.
|system_certs_|

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:63: for (auto cert : *all_certs) {
const auto& to avoid an unnecessary ref-count bump

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:105: all_certs_(new net::CertificateList),
base::MakeUnique<net::CertificateList>()

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.h...
chromeos/cert_loader.h:88: const net::CertificateList& all_certs() const {
return *all_certs_; }
DCHECK(thread_checker_.CalledOnValidThread());

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.h...
chromeos/cert_loader.h:92: const net::CertificateList& system_certs() const {
return *system_certs_; }
DCHECK(thread_checker_.CalledOnValidThread());

https://codereview.chromium.org/2828713002/diff/200001/chromeos/network/clien...
File chromeos/network/client_cert_resolver.cc (right):

https://codereview.chromium.org/2828713002/diff/200001/chromeos/network/clien...
chromeos/network/client_cert_resolver.cc:513: base::PostTaskWithTraitsAndReply(
PostTaskWithTraitsAndReplyWithResult() could be used to automatically bind a
NetworkCertMatches returned by the first callback to the second callback. But it
is not mandatory to improve this in this CL.

[emaxx, 2017-04-26 14:43:58]

LGTM

[pmarko, 2017-04-27 08:51:55]

pmarko@chromium.org changed reviewers:
+ blundell@chromium.org

[pmarko, 2017-04-27 08:51:56]

blundell@chromium.org: Please review changes in components/sync_wifi/. Thanks!

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.cc
File chromeos/cert_loader.cc (right):

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:62: // system_certs_ sublist.
On 2017/04/26 13:11:36, fdoray wrote:
> |system_certs_|

Done.

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:63: for (auto cert : *all_certs) {
On 2017/04/26 13:11:36, fdoray wrote:
> const auto& to avoid an unnecessary ref-count bump

Done.

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.c...
chromeos/cert_loader.cc:105: all_certs_(new net::CertificateList),
On 2017/04/26 13:11:35, fdoray wrote:
> base::MakeUnique<net::CertificateList>()

Done.

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.h
File chromeos/cert_loader.h (right):

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.h...
chromeos/cert_loader.h:88: const net::CertificateList& all_certs() const {
return *all_certs_; }
On 2017/04/26 13:11:36, fdoray wrote:
> DCHECK(thread_checker_.CalledOnValidThread());

Done.

https://codereview.chromium.org/2828713002/diff/200001/chromeos/cert_loader.h...
chromeos/cert_loader.h:92: const net::CertificateList& system_certs() const {
return *system_certs_; }
On 2017/04/26 13:11:36, fdoray wrote:
> DCHECK(thread_checker_.CalledOnValidThread());

Done.

https://codereview.chromium.org/2828713002/diff/200001/chromeos/network/clien...
File chromeos/network/client_cert_resolver.cc (right):

https://codereview.chromium.org/2828713002/diff/200001/chromeos/network/clien...
chromeos/network/client_cert_resolver.cc:513: base::PostTaskWithTraitsAndReply(
On 2017/04/26 13:11:36, fdoray wrote:
> PostTaskWithTraitsAndReplyWithResult() could be used to automatically bind a
> NetworkCertMatches returned by the first callback to the second callback. But
it
> is not mandatory to improve this in this CL.

Done.

[blundell, 2017-04-27 09:09:44]

//components/sync_wifi lgtm

[pmarko, 2017-04-27 10:29:14]

The CQ bit was checked by pmarko@chromium.org

[pmarko, 2017-04-27 10:29:14]

The patchset sent to the CQ was uploaded after l-g-t-m from
stevenjb@chromium.org, fdoray@chromium.org, emaxx@chromium.org
Link to the patchset: https://codereview.chromium.org/2828713002/#ps220001
(title: "Addressed comments - more DCHECKs, use PostTask..WithReply in
client_cert_resolver.cc.")

[commit-bot: I haz the power, 2017-04-27 10:29:30]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-04-27 10:58:32]

CQ is committing da patch.

Bot data: {"patchset_id": 220001, "attempt_start_ts": 1493288954128750,
"parent_rev": "c18764a33a595baab6ba35a1447e51c7c74b6e30", "commit_rev":
"93bc5d7c02d275d27c030ab15a8c68efc8efdd99"}

[commit-bot: I haz the power, 2017-04-27 10:58:43]

Description was changed from

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which 
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
TEST=unit_tests && chromeos_unittests
Manual test scenario:
--
Prerequisites:
Install a certificate (subject common name e.g.: “cert_user”)
into the user token and a different certificate (subject common
name e.g.: “cert_system”) into the system token.
Have a EAP-TLS wifi network connected to a radius server which
would accept both client certificates.
--
Test Case 1: device policy ONC / user token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device does not try to auto-connect to the
wifi network because the ClientCertPattern originating from device
policy does not match user certificates.
--
Test Case 2: device policy ONC / system token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network
because the ClientCertPattern originating from device policy
matches certificates present on the system token. It authenticates
with cert_system.
--
Test Case 3: user policy ONC / user token certificate
Configure a user policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_user.
--
Test Case 4: user policy ONC / system token certificate
Configure a user OpenNetworkPolicy to connect to the EAP-TLS network
with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_system.
==========

to

==========
Enable client certificate patterns in device ONC policy

Enables client certificate patterns for EAP-TLS networks in device
ONC policy. Device-wide client certificate patterns are restricted
to only match certificates which are present in the system token.
This prevents the device from presenting the user's certificates
involuntarily.

Two supporting changes were made to achieve this:
- CertLoader has been extended by the system_cert_list() method
  to retrieve available certificates which exist on the system token.
- The ClientCertConfig struct has a new onc_source member which 
  can be checked to see if the client cert pattern originates from
  device policy.

BUG=655266
TEST=unit_tests && chromeos_unittests
Manual test scenario:
--
Prerequisites:
Install a certificate (subject common name e.g.: “cert_user”)
into the user token and a different certificate (subject common
name e.g.: “cert_system”) into the system token.
Have a EAP-TLS wifi network connected to a radius server which
would accept both client certificates.
--
Test Case 1: device policy ONC / user token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device does not try to auto-connect to the
wifi network because the ClientCertPattern originating from device
policy does not match user certificates.
--
Test Case 2: device policy ONC / system token certificate
Configure a device policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network
because the ClientCertPattern originating from device policy
matches certificates present on the system token. It authenticates
with cert_system.
--
Test Case 3: user policy ONC / user token certificate
Configure a user policy OpenNetworkPolicy to connect to the
EAP-TLS network with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_user"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_user.
--
Test Case 4: user policy ONC / system token certificate
Configure a user OpenNetworkPolicy to connect to the EAP-TLS network
with
     "ClientCertPattern": {
      "Subject": {
       "CommonName": "cert_system"
      }
Expected result: The device auto-connects to the wifi network. It
authenticates with cert_system.

Review-Url: https://codereview.chromium.org/2828713002
Cr-Commit-Position: refs/heads/master@{#467634}
Committed:
https://chromium.googlesource.com/chromium/src/+/93bc5d7c02d275d27c030ab15a8c...
==========

[commit-bot: I haz the power, 2017-04-27 10:58:44]

Committed patchset #11 (id:220001) as
https://chromium.googlesource.com/chromium/src/+/93bc5d7c02d275d27c030ab15a8c...