Enable client certificate patterns in device ONC policy

chrome/browser/chromeos/enrollment_dialog_view.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/enrollment_dialog_view.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/macros.h"
 #include "base/strings/utf_string_conversions.h"
@@ skipping 252 matching lines @@
   const NetworkState* network =
       NetworkHandler::Get()->network_state_handler()->GetNetworkStateFromGuid(
           network_id);
   if (!network) {
     NET_LOG_ERROR("Enrolling Unknown network", network_id);
     return false;
   }
   Browser* browser = chrome::FindBrowserWithWindow(owning_window);
   Profile* profile =
       browser ? browser->profile() : ProfileManager::GetPrimaryUserProfile();
+  if (chromeos::ProfileHelper::IsSigninProfile(profile))

[emaxx, 2017/04/24 21:23:13]

So what about other types of sessions - aren't we opening unwanted surfaces for
the enrollment dialog?
E.g. kiosks - I guess they only can have the device ONC. If that's true, then
this CL enables the enrollment dialog for them, which is probably undesired.

Maybe we'd have to solve this issue on a point-by-point basis for each possible
value of the chromeos::LoginState::LoggedInUserType enum. (Don't know - maybe
I'm failing to see some simpler approach.)

[pmarko, 2017/04/25 12:10:02]

Oh yes, good point.
I've thought about getting the user for the current profile and examining
user->GetType() but I think LoggerInUserType is easier.
I've moved the logic to a new "EnrollmentDialogAllowed()" method.
I'm not sure about LOGGED_IN_USER_GUEST - WDYT?

+    return false;

[stevenjb, 2017/04/24 15:53:59]

Could you add a comment for this exit?

[pmarko, 2017/04/25 12:10:02]

Done. (on the new method - if you'd like an explicit comment here, please tell
me)

   std::string username_hash = ProfileHelper::GetUserIdHashFromProfile(profile);
 
   onc::ONCSource onc_source = onc::ONC_SOURCE_NONE;
   const base::DictionaryValue* policy =
       NetworkHandler::Get()
           ->managed_network_configuration_handler()
           ->FindPolicyByGUID(username_hash, network_id, &onc_source);
 
-  // We skip certificate patterns for device policy ONC so that an unmanaged
-  // user can't get to the place where a cert is presented for them
-  // involuntarily.
-  if (!policy || onc_source == onc::ONC_SOURCE_DEVICE_POLICY)
+  if (!policy)
     return false;
 
   client_cert::ClientCertConfig cert_config;
-  OncToClientCertConfig(*policy, &cert_config);
+  OncToClientCertConfig(onc_source, *policy, &cert_config);
 
   if (cert_config.client_cert_type != onc::client_cert::kPattern)
     return false;
 
   if (cert_config.pattern.Empty())
     NET_LOG_ERROR("Certificate pattern is empty", network_id);
 
   if (cert_config.pattern.enrollment_uri_list().empty()) {
     NET_LOG_EVENT("No enrollment URIs", network_id);
     return false;
   }
 
   NET_LOG_USER("Enrolling", network_id);
 
   DialogEnrollmentDelegate* enrollment =
       new DialogEnrollmentDelegate(owning_window, network->name(), profile);
   return enrollment->Enroll(cert_config.pattern.enrollment_uri_list(),
                             base::Bind(&EnrollmentComplete, network_id));
 }
 
 }  // namespace enrollment
 
 }  // namespace chromeos