Enable client certificate patterns in device ONC policy

chromeos/network/client_cert_resolver.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/client_cert_resolver.h"
 
 #include <cert.h>
 #include <certt.h>  // for (SECCertUsageEnum) certUsageAnyCA
 #include <pk11pub.h>
 
 #include <algorithm>
 
 #include "base/bind.h"
 #include "base/location.h"
 #include "base/logging.h"
+#include "base/memory/ptr_util.h"
 #include "base/stl_util.h"
 #include "base/strings/string_util.h"
 #include "base/task_scheduler/post_task.h"
 #include "base/time/clock.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/shill_service_client.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
 #include "chromeos/network/network_state.h"
 #include "components/onc/onc_constants.h"
 #include "dbus/object_path.h"
@@ skipping 158 matching lines @@
     client_certs.push_back(CertAndIssuer(*it, GetPEMEncodedIssuer(cert)));
   }
 
   std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
   return client_certs;
 }
 
 // Searches for matches between |networks| and |certs| and writes matches to
 // |matches|. Because this calls NSS functions and is potentially slow, it must
 // be run on a worker thread.
-void FindCertificateMatches(const net::CertificateList& certs,
-                            std::vector<NetworkAndCertPattern>* networks,
-                            base::Time now,
-                            NetworkCertMatches* matches) {
-  std::vector<CertAndIssuer> client_certs(
-      CreateSortedCertAndIssuerList(certs, now));
+std::unique_ptr<NetworkCertMatches> FindCertificateMatches(
+    const net::CertificateList& all_certs,
+    const net::CertificateList& system_certs,
+    std::vector<NetworkAndCertPattern>* networks,
+    base::Time now) {
+  std::unique_ptr<NetworkCertMatches> matches =
+      base::MakeUnique<NetworkCertMatches>();
+
+  std::vector<CertAndIssuer> all_client_certs(
+      CreateSortedCertAndIssuerList(all_certs, now));
+  std::vector<CertAndIssuer> system_client_certs(
+      CreateSortedCertAndIssuerList(system_certs, now));
 
   for (std::vector<NetworkAndCertPattern>::const_iterator it =
            networks->begin();
        it != networks->end(); ++it) {
-    std::vector<CertAndIssuer>::iterator cert_it =
-        std::find_if(client_certs.begin(),
-                     client_certs.end(),
-                     MatchCertWithPattern(it->cert_config.pattern));
+    // Use only certs from the system token if the source of the client cert
+    // pattern is device policy.
+    std::vector<CertAndIssuer>* client_certs =
+        it->cert_config.onc_source == ::onc::ONC_SOURCE_DEVICE_POLICY
+            ? &system_client_certs
+            : &all_client_certs;
+    auto cert_it = std::find_if(client_certs->begin(), client_certs->end(),
+                                MatchCertWithPattern(it->cert_config.pattern));
     std::string pkcs11_id;
     int slot_id = -1;
     std::string identity;
 
-    if (cert_it == client_certs.end()) {
+    if (cert_it == client_certs->end()) {
       VLOG(1) << "Couldn't find a matching client cert for network "
               << it->service_path;
       // Leave |pkcs11_id| empty to indicate that no cert was found for this
       // network.
     } else {
       pkcs11_id =
           CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
       if (pkcs11_id.empty()) {
         LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
         // So far this error is not expected to happen. We can just continue, in
@@ skipping 26 matching lines @@
         if (!names.empty()) {
           base::ReplaceSubstringsAfterOffset(
               &identity, offset, onc::substitutes::kCertSANUPN, names[0]);
         }
       }
     }
     matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
         it->service_path, it->cert_config.location, pkcs11_id, slot_id,
         identity));
   }
+  return matches;
 }
 
 void LogError(const std::string& service_path,
               const std::string& dbus_error_name,
               const std::string& dbus_error_message) {
   network_handler::ShillErrorCallbackFunction(
       "ClientCertResolver.SetProperties failed",
       service_path,
       network_handler::ErrorCallback(),
       dbus_error_name,
@@ skipping 49 matching lines @@
   observers_.RemoveObserver(observer);
 }
 
 bool ClientCertResolver::IsAnyResolveTaskRunning() const {
   return resolve_task_running_;
 }
 
 // static
 bool ClientCertResolver::ResolveCertificatePatternSync(
     const client_cert::ConfigType client_cert_type,
-    const CertificatePattern& pattern,
+    const client_cert::ClientCertConfig& client_cert_config,
     base::DictionaryValue* shill_properties) {
-  // Prepare and sort the list of known client certs.
-  std::vector<CertAndIssuer> client_certs(CreateSortedCertAndIssuerList(
-      CertLoader::Get()->cert_list(), base::Time::Now()));
+  // Prepare and sort the list of known client certs. Use only certs from the
+  // system token if the source of the client cert pattern is device policy.
+  std::vector<CertAndIssuer> client_certs;
+  if (client_cert_config.onc_source == ::onc::ONC_SOURCE_DEVICE_POLICY) {
+    client_certs = CreateSortedCertAndIssuerList(
+        CertLoader::Get()->system_certs(), base::Time::Now());
+  } else {
+    client_certs = CreateSortedCertAndIssuerList(CertLoader::Get()->all_certs(),
+                                                 base::Time::Now());
+  }
 
   // Search for a certificate matching the pattern.
-  std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
-      client_certs.begin(), client_certs.end(), MatchCertWithPattern(pattern));
+  std::vector<CertAndIssuer>::iterator cert_it =
+      std::find_if(client_certs.begin(), client_certs.end(),
+                   MatchCertWithPattern(client_cert_config.pattern));
 
   if (cert_it == client_certs.end()) {
     VLOG(1) << "Couldn't find a matching client cert";
     client_cert::SetEmptyShillProperties(client_cert_type, shill_properties);
     return false;
   }
 
   int slot_id = -1;
   std::string pkcs11_id =
       CertLoader::GetPkcs11IdAndSlotForCert(*cert_it->cert, &slot_id);
@@ skipping 98 matching lines @@
            networks.begin(); it != networks.end(); ++it) {
     const NetworkState* network = *it;
 
     // In any case, don't check this network again in NetworkListChanged.
     resolved_networks_.insert(network->path());
 
     // If this network is not configured, it cannot have a ClientCertPattern.
     if (network->profile_path().empty())
       continue;
 
+    onc::ONCSource onc_source = onc::ONC_SOURCE_NONE;
     const base::DictionaryValue* policy =
         managed_network_config_handler_->FindPolicyByGuidAndProfile(
-            network->guid(), network->profile_path());
+            network->guid(), network->profile_path(), &onc_source);
 
     if (!policy) {
       VLOG(1) << "The policy for network " << network->path() << " with GUID "
               << network->guid() << " is not available yet.";
       // Skip this network for now. Once the policy is loaded, PolicyApplied()
       // will retry.
       continue;
     }
 
     VLOG(2) << "Inspecting network " << network->path();
     client_cert::ClientCertConfig cert_config;
-    OncToClientCertConfig(*policy, &cert_config);
+    OncToClientCertConfig(onc_source, *policy, &cert_config);
 
     // Skip networks that don't have a ClientCertPattern.
     if (cert_config.client_cert_type != ::onc::client_cert::kPattern)
       continue;
 
     networks_to_resolve->push_back(
         NetworkAndCertPattern(network->path(), cert_config));
   }
 
   if (networks_to_resolve->empty()) {
     VLOG(1) << "No networks to resolve.";
     NotifyResolveRequestCompleted();
     return;
   }
 
   if (resolve_task_running_) {
     VLOG(1) << "A resolve task is already running. Queue this request.";
     for (const NetworkAndCertPattern& network_and_pattern :
          *networks_to_resolve) {
       queued_networks_to_resolve_.insert(network_and_pattern.service_path);
     }
     return;
   }
 
   VLOG(2) << "Start task for resolving client cert patterns.";
   resolve_task_running_ = true;
-  NetworkCertMatches* matches = new NetworkCertMatches;
-  base::PostTaskWithTraitsAndReply(
-      FROM_HERE, base::TaskTraits()
-                     .WithShutdownBehavior(
-                         base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN)
-                     .MayBlock(),
-      base::Bind(&FindCertificateMatches, CertLoader::Get()->cert_list(),
-                 base::Owned(networks_to_resolve.release()), Now(), matches),
+  base::PostTaskWithTraitsAndReplyWithResult(
+      FROM_HERE,
+      base::TaskTraits()
+          .WithShutdownBehavior(
+              base::TaskShutdownBehavior::CONTINUE_ON_SHUTDOWN)
+          .MayBlock(),
+      base::Bind(&FindCertificateMatches, CertLoader::Get()->all_certs(),
+                 CertLoader::Get()->system_certs(),
+                 base::Owned(networks_to_resolve.release()), Now()),
       base::Bind(&ClientCertResolver::ConfigureCertificates,
-                 weak_ptr_factory_.GetWeakPtr(), base::Owned(matches)));
+                 weak_ptr_factory_.GetWeakPtr()));
 }
 
 void ClientCertResolver::ResolvePendingNetworks() {
   NetworkStateHandler::NetworkStateList networks;
   network_state_handler_->GetNetworkListByType(NetworkTypePattern::Default(),
                                                true /* configured_only */,
                                                false /* visible_only */,
                                                0 /* no limit */,
                                                &networks);
 
   NetworkStateHandler::NetworkStateList networks_to_resolve;
   for (const NetworkState* network : networks) {
     if (queued_networks_to_resolve_.count(network->path()) > 0)
       networks_to_resolve.push_back(network);
   }
   VLOG(1) << "Resolve pending " << networks_to_resolve.size() << " networks.";
   queued_networks_to_resolve_.clear();
   ResolveNetworks(networks_to_resolve);
 }
 
-void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
+void ClientCertResolver::ConfigureCertificates(
+    std::unique_ptr<NetworkCertMatches> matches) {
   for (NetworkCertMatches::const_iterator it = matches->begin();
        it != matches->end(); ++it) {
     VLOG(1) << "Configuring certificate of network " << it->service_path;
     base::DictionaryValue shill_properties;
     if (it->pkcs11_id.empty()) {
       client_cert::SetEmptyShillProperties(it->cert_config_type,
                                            &shill_properties);
     } else {
       client_cert::SetShillProperties(it->cert_config_type,
                                       it->key_slot_id,
@@ skipping 28 matching lines @@
     observer.ResolveRequestCompleted(changed);
 }
 
 base::Time ClientCertResolver::Now() const {
   if (testing_clock_)
     return testing_clock_->Now();
   return base::Time::Now();
 }
 
 }  // namespace chromeos