Enable client certificate patterns in device ONC policy

chromeos/cert_loader.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef CHROMEOS_CERT_LOADER_H_
 #define CHROMEOS_CERT_LOADER_H_
 
 #include <string>
 #include <vector>
 
 #include "base/compiler_specific.h"
 #include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/weak_ptr.h"
 #include "base/observer_list.h"
 #include "base/threading/thread_checker.h"
 #include "chromeos/chromeos_export.h"
 #include "net/cert/cert_database.h"
 
+namespace base {
+class TaskRunner;

[emaxx, 2017/04/24 21:23:13]

nit: Include this header directly, as I believe scoped_refptr doesn't work with
incomplete types by default.

[pmarko, 2017/04/25 12:10:02]

Removed becuse TaskRunner is not necessary in the interface due to the switch to
TaskScheduler.

+}
+
 namespace net {
 class NSSCertDatabase;
 class X509Certificate;
 typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
 }
 
 namespace chromeos {
 
 // This class is responsible for loading certificates once the TPM is
 // initialized. It is expected to be constructed on the UI thread and public
@@ skipping 46 matching lines @@
 
   // Returns true if |cert| is hardware backed. See also
   // ForceHardwareBackedForTesting().
   static bool IsCertificateHardwareBacked(const net::X509Certificate* cert);
 
   // Returns true when the certificate list has been requested but not loaded.
   bool CertificatesLoading() const;
 
   bool certificates_loaded() const { return certificates_loaded_; }
 
-  // This will be empty until certificates_loaded() is true.
+  // Returns all certificates. This will be empty until certificates_loaded() is
+  // true.
   const net::CertificateList& cert_list() const { return *cert_list_; }

[stevenjb, 2017/04/24 15:53:59]

nit: I'm not sure how much churn this would cause, but I think the code would be
more clear if we rename these something like all_certs_list and
system_certs_list, or just all_certs and system_certs.

(When there was just one list, "cert list" meant "a list of type cert"; now that
we have multiple lists, we really want to mean "a list of all certs" and "a list
of system certs").

[pmarko, 2017/04/25 12:10:02]

Good idea, changed to all_certs+system_certs. Not too much churn caused. Done.

 
+  // Returns certificates from the system token. This will be empty until
+  // certificates_loaded() is true.
+  const net::CertificateList& system_cert_list() const {
+    return *system_cert_list_;
+  }
+
+  // Overrides task runner that's used for running slow tasks.
+  void SetSlowTaskRunnerForTest(

[emaxx, 2017/04/24 21:23:13]

nit: s/ForTest/ForTesting/ - as that form is used in this class already, and is
also contained in the Style Guide.

[pmarko, 2017/04/25 12:10:02]

Done. / Removed because the switch to TaskScheduler made this obsolete.

+      const scoped_refptr<base::TaskRunner>& task_runner);
+
   // Called in tests if |IsCertificateHardwareBacked()| should always return
   // true.
   static void ForceHardwareBackedForTesting();
 
  private:
   CertLoader();
   ~CertLoader() override;
 
   // Trigger a certificate load. If a certificate loading task is already in
   // progress, will start a reload once the current task is finished.
   void LoadCertificates();
 
+  // Called when the underlying NSS database finished loading certificates.
+  void CertificatesLoaded(std::unique_ptr<net::CertificateList> cert_list);
+
   // Called if a certificate load task is finished.
-  void UpdateCertificates(std::unique_ptr<net::CertificateList> cert_list);
+  void UpdateCertificates(
+      std::unique_ptr<net::CertificateList> cert_list,
+      std::unique_ptr<net::CertificateList> system_cert_list);
 
   void NotifyCertificatesLoaded(bool initial_load);
 
   // net::CertDatabase::Observer
   void OnCertDBChanged() override;
 
+  // Gets task runner that should be used for potentially slow tasks like
+  // certificate filtering. Defaults to a base::WorkerPool runner, but may be
+  // overriden in tests (see SetSlowTaskRunnerForTest).
+  scoped_refptr<base::TaskRunner> GetSlowTaskRunner() const;
+
   base::ObserverList<Observer> observers_;
 
   // Flags describing current CertLoader state.
   bool certificates_loaded_;
   bool certificates_update_required_;
   bool certificates_update_running_;
 
   // The user-specific NSS certificate database from which the certificates
   // should be loaded.
   net::NSSCertDatabase* database_;
 
-  // Cached Certificates loaded from the database.
+  // Cached certificates loaded from the database.
   std::unique_ptr<net::CertificateList> cert_list_;
 
+  // Cached Certifictes from system token. Currently this is a sublist of

[emaxx, 2017/04/24 21:23:13]

nit: s/Certifictes/certificates/

[pmarko, 2017/04/25 12:10:02]

Done.

+  // |cert_list_|.
+  std::unique_ptr<net::CertificateList> system_cert_list_;
+
+  // Task runner that should be used for slow tasks in tests if set.
+  scoped_refptr<base::TaskRunner> slow_task_runner_for_test_;
+
   base::ThreadChecker thread_checker_;
 
   base::WeakPtrFactory<CertLoader> weak_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(CertLoader);
 };
 
 }  // namespace chromeos
 
 #endif  // CHROMEOS_CERT_LOADER_H_