
Side by Side Diff: chrome/browser/chromeos/enrollment_dialog_view.cc

Issue 2828713002: Enable client certificate patterns in device ONC policy (Closed)
Patch Set: Addressed comments. Created 3 years, 8 months ago
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chrome/browser/chromeos/enrollment_dialog_view.h" 5 #include "chrome/browser/chromeos/enrollment_dialog_view.h"
6 6
7 #include "base/bind.h" 7 #include "base/bind.h"
8 #include "base/callback.h" 8 #include "base/callback.h"
9 #include "base/macros.h" 9 #include "base/macros.h"
10 #include "base/strings/utf_string_conversions.h" 10 #include "base/strings/utf_string_conversions.h"
11 #include "chrome/browser/chromeos/profiles/profile_helper.h" 11 #include "chrome/browser/chromeos/profiles/profile_helper.h"
12 #include "chrome/browser/profiles/profile.h" 12 #include "chrome/browser/profiles/profile.h"
13 #include "chrome/browser/profiles/profile_manager.h" 13 #include "chrome/browser/profiles/profile_manager.h"
14 #include "chrome/browser/ui/ash/system_tray_client.h" 14 #include "chrome/browser/ui/ash/system_tray_client.h"
15 #include "chrome/browser/ui/browser_finder.h" 15 #include "chrome/browser/ui/browser_finder.h"
16 #include "chrome/browser/ui/browser_navigator.h" 16 #include "chrome/browser/ui/browser_navigator.h"
17 #include "chrome/browser/ui/browser_navigator_params.h" 17 #include "chrome/browser/ui/browser_navigator_params.h"
18 #include "chrome/grit/generated_resources.h" 18 #include "chrome/grit/generated_resources.h"
19 #include "chromeos/login/login_state.h"
19 #include "chromeos/network/client_cert_util.h" 20 #include "chromeos/network/client_cert_util.h"
20 #include "chromeos/network/managed_network_configuration_handler.h" 21 #include "chromeos/network/managed_network_configuration_handler.h"
21 #include "chromeos/network/network_event_log.h" 22 #include "chromeos/network/network_event_log.h"
22 #include "chromeos/network/network_state.h" 23 #include "chromeos/network/network_state.h"
23 #include "chromeos/network/network_state_handler.h" 24 #include "chromeos/network/network_state_handler.h"
24 #include "extensions/browser/extension_host.h" 25 #include "extensions/browser/extension_host.h"
25 #include "extensions/common/constants.h" 26 #include "extensions/common/constants.h"
26 #include "ui/base/l10n/l10n_util.h" 27 #include "ui/base/l10n/l10n_util.h"
27 #include "ui/base/page_transition_types.h" 28 #include "ui/base/page_transition_types.h"
28 #include "ui/views/controls/label.h" 29 #include "ui/views/controls/label.h"
(...skipping 215 matching lines...) Expand 10 before | Expand all | Expand 10 after
244 245
245 // No appropriate scheme was found. 246 // No appropriate scheme was found.
246 NET_LOG_ERROR("No usable enrollment URI", network_name_); 247 NET_LOG_ERROR("No usable enrollment URI", network_name_);
247 return false; 248 return false;
248 } 249 }
249 250
250 void EnrollmentComplete(const std::string& network_id) { 251 void EnrollmentComplete(const std::string& network_id) {
251 NET_LOG_USER("Enrollment Complete", network_id); 252 NET_LOG_USER("Enrollment Complete", network_id);
252 } 253 }
253 254
255 // Decides if the enrollment dialog is allowed in the current login state.
256 bool EnrollmentDialogAllowed() {
257 chromeos::LoginState::LoggedInUserType user_type =
258 LoginState::Get()->GetLoggedInUserType();
259 switch (user_type) {
260 case LoginState::LOGGED_IN_USER_NONE:
261 // Enrollment on the sign-in screen would not work anyway because we have
262 // no extensions there yet and no PKCS11 token is loaded.
emaxx 2017/04/25 15:15:58 nit: The part "because we have no extensions there
pmarko 2017/04/25 16:59:57 Done. (You're right - I've dropped the comments he
263 return false;
264 case LoginState::LOGGED_IN_USER_REGULAR:
265 return true;
emaxx 2017/04/25 15:15:58 I'm afraid this potentially opens the possibility
pmarko 2017/04/25 16:59:57 Done. (Added back IsSigninProfile check in the beg
266 case LoginState::LOGGED_IN_USER_OWNER:
267 return true;
268 case LoginState::LOGGED_IN_USER_GUEST:
269 return true;
270 case LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT:
271 // Not allowed for now because we haven't tested this.
emaxx 2017/04/25 15:15:58 nit: I think it's better not to track in the code
pmarko 2017/04/25 16:59:57 Done.
272 return false;
273 case LoginState::LOGGED_IN_USER_SUPERVISED:
274 return true;
275 case LoginState::LOGGED_IN_USER_KIOSK_APP:
276 // We don't want to show dialogs on kiosk.
277 return false;
278 case LoginState::LOGGED_IN_USER_ARC_KIOSK_APP:
279 // We don't want to show dialogs on kiosk.
280 return false;
281 }
282 NOTREACHED();
283 return false;
284 }
285
254 } // namespace 286 } // namespace
255 287
256 //////////////////////////////////////////////////////////////////////////////// 288 ////////////////////////////////////////////////////////////////////////////////
257 // Factory function. 289 // Factory function.
258 290
259 namespace enrollment { 291 namespace enrollment {
260 292
261 bool CreateEnrollmentDialog(const std::string& network_id, 293 bool CreateEnrollmentDialog(const std::string& network_id,
262 gfx::NativeWindow owning_window) { 294 gfx::NativeWindow owning_window) {
263 const NetworkState* network = 295 const NetworkState* network =
264 NetworkHandler::Get()->network_state_handler()->GetNetworkStateFromGuid( 296 NetworkHandler::Get()->network_state_handler()->GetNetworkStateFromGuid(
265 network_id); 297 network_id);
266 if (!network) { 298 if (!network) {
267 NET_LOG_ERROR("Enrolling Unknown network", network_id); 299 NET_LOG_ERROR("Enrolling Unknown network", network_id);
268 return false; 300 return false;
269 } 301 }
270 Browser* browser = chrome::FindBrowserWithWindow(owning_window); 302 Browser* browser = chrome::FindBrowserWithWindow(owning_window);
271 Profile* profile = 303 Profile* profile =
272 browser ? browser->profile() : ProfileManager::GetPrimaryUserProfile(); 304 browser ? browser->profile() : ProfileManager::GetPrimaryUserProfile();
305 if (!EnrollmentDialogAllowed())
306 return false;
273 std::string username_hash = ProfileHelper::GetUserIdHashFromProfile(profile); 307 std::string username_hash = ProfileHelper::GetUserIdHashFromProfile(profile);
274 308
275 onc::ONCSource onc_source = onc::ONC_SOURCE_NONE; 309 onc::ONCSource onc_source = onc::ONC_SOURCE_NONE;
276 const base::DictionaryValue* policy = 310 const base::DictionaryValue* policy =
277 NetworkHandler::Get() 311 NetworkHandler::Get()
278 ->managed_network_configuration_handler() 312 ->managed_network_configuration_handler()
279 ->FindPolicyByGUID(username_hash, network_id, &onc_source); 313 ->FindPolicyByGUID(username_hash, network_id, &onc_source);
280 314
281 // We skip certificate patterns for device policy ONC so that an unmanaged 315 if (!policy)
282 // user can't get to the place where a cert is presented for them
283 // involuntarily.
284 if (!policy || onc_source == onc::ONC_SOURCE_DEVICE_POLICY)
285 return false; 316 return false;
286 317
287 client_cert::ClientCertConfig cert_config; 318 client_cert::ClientCertConfig cert_config;
288 OncToClientCertConfig(*policy, &cert_config); 319 OncToClientCertConfig(onc_source, *policy, &cert_config);
289 320
290 if (cert_config.client_cert_type != onc::client_cert::kPattern) 321 if (cert_config.client_cert_type != onc::client_cert::kPattern)
291 return false; 322 return false;
292 323
293 if (cert_config.pattern.Empty()) 324 if (cert_config.pattern.Empty())
294 NET_LOG_ERROR("Certificate pattern is empty", network_id); 325 NET_LOG_ERROR("Certificate pattern is empty", network_id);
295 326
296 if (cert_config.pattern.enrollment_uri_list().empty()) { 327 if (cert_config.pattern.enrollment_uri_list().empty()) {
297 NET_LOG_EVENT("No enrollment URIs", network_id); 328 NET_LOG_EVENT("No enrollment URIs", network_id);
298 return false; 329 return false;
299 } 330 }
300 331
301 NET_LOG_USER("Enrolling", network_id); 332 NET_LOG_USER("Enrolling", network_id);
302 333
303 DialogEnrollmentDelegate* enrollment = 334 DialogEnrollmentDelegate* enrollment =
304 new DialogEnrollmentDelegate(owning_window, network->name(), profile); 335 new DialogEnrollmentDelegate(owning_window, network->name(), profile);
305 return enrollment->Enroll(cert_config.pattern.enrollment_uri_list(), 336 return enrollment->Enroll(cert_config.pattern.enrollment_uri_list(),
306 base::Bind(&EnrollmentComplete, network_id)); 337 base::Bind(&EnrollmentComplete, network_id));
307 } 338 }
308 339
309 } // namespace enrollment 340 } // namespace enrollment
310 341
311 } // namespace chromeos 342 } // namespace chromeos
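Review bot: In `EnrollmentDialogAllowed()` the `LOGGED_IN_USER_GUEST` case (new line 268) returns true, and with the `onc_source == onc::ONC_SOURCE_DEVICE_POLICY` bail-out removed from `CreateEnrollmentDialog`, a guest session now appears able to reach the enrollment flow for a device-policy network. The deleted comment described that concern (an unmanaged user being presented a cert involuntarily), and nothing in the new code says why it no longer applies. Either return false for guest until that is established, or keep the rationale at the call site, e.g. `// Device-policy cert patterns are now allowed; session types are restricted by EnrollmentDialogAllowed().` Separately, the gate at new line 305 does not use `profile`, so it could be the first statement of the function and skip the network and profile lookups when the dialog is not allowed.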