Enable client certificate patterns in device ONC policy

chromeos/network/network_connection_handler.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/network_connection_handler.h"
 
 #include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "base/location.h"
 #include "base/single_thread_task_runner.h"
@@ skipping 404 matching lines @@
       ErrorCallbackForPendingRequest(service_path, kErrorConfigurationRequired);
       return;
     }
   }
 
   std::string guid;
   service_properties.GetStringWithoutPathExpansion(shill::kGuidProperty, &guid);
   std::string profile;
   service_properties.GetStringWithoutPathExpansion(shill::kProfileProperty,
                                                    &profile);
-  const base::DictionaryValue* user_policy =
-      managed_configuration_handler_->FindPolicyByGuidAndProfile(guid, profile);
+  ::onc::ONCSource onc_source;

[emaxx, 2017/04/20 20:10:39]

nit: I believe the general guideline is to initialize all variables with some
default values, even in such cases when it's actually an output parameter.

[pmarko, 2017/04/24 14:49:56]

Done. (also in chromeos/network/client_cert_resolver.cc)

+  const base::DictionaryValue* policy =
+      managed_configuration_handler_->FindPolicyByGuidAndProfile(guid, profile,
+                                                                 &onc_source);
 
   if (IsNetworkProhibitedByPolicy(type, guid, profile)) {
     ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
     return;
   }
 
   client_cert::ClientCertConfig cert_config_from_policy;
-  if (user_policy)
-    client_cert::OncToClientCertConfig(*user_policy, &cert_config_from_policy);
+  if (policy) {
+    client_cert::OncToClientCertConfig(onc_source, *policy,
+                                       &cert_config_from_policy);
+  }
 
   client_cert::ConfigType client_cert_type = client_cert::CONFIG_TYPE_NONE;
   if (type == shill::kTypeVPN) {
     if (vpn_provider_type == shill::kProviderOpenVpn) {
       client_cert_type = client_cert::CONFIG_TYPE_OPENVPN;
     } else {
       // L2TP/IPSec only requires a certificate if one is specified in ONC
       // or one was configured by the UI. Otherwise it is L2TP/IPSec with
       // PSK and doesn't require a certificate.
       //
@@ skipping 105 matching lines @@
   if (!global_network_config)
     return false;
   bool policy_prohibites = false;
   if (!global_network_config->GetBooleanWithoutPathExpansion(
           ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
           &policy_prohibites) ||
       !policy_prohibites) {
     return false;
   }
   return !managed_configuration_handler_->FindPolicyByGuidAndProfile(
-      guid, profile_path);
+      guid, profile_path, nullptr);
 }
 
 void NetworkConnectionHandler::QueueConnectRequest(
     const std::string& service_path) {
   ConnectRequest* request = GetPendingRequest(service_path);
   if (!request) {
     NET_LOG_ERROR("No pending request to queue", service_path);
     return;
   }
 
@@ skipping 238 matching lines @@
 
 void NetworkConnectionHandler::HandleShillDisconnectSuccess(
     const std::string& service_path,
     const base::Closure& success_callback) {
   NET_LOG_EVENT("Disconnect Request Sent", service_path);
   if (!success_callback.is_null())
     success_callback.Run();
 }
 
 }  // namespace chromeos