ChromeOS: Add more host verification options for OpenVpn.

chromeos/network/onc/onc_validator.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/onc/onc_validator.h"
 
 #include <algorithm>
 #include <string>
 
 #include "base/json/json_writer.h"
@@ skipping 114 matching lines @@
     else if (&signature == &kIPConfigSignature)
       valid = ValidateIPConfig(onc_object, repaired.get());
     else if (&signature == &kWiFiSignature)
       valid = ValidateWiFi(onc_object, repaired.get());
     else if (&signature == &kVPNSignature)
       valid = ValidateVPN(onc_object, repaired.get());
     else if (&signature == &kIPsecSignature)
       valid = ValidateIPsec(onc_object, repaired.get());
     else if (&signature == &kOpenVPNSignature)
       valid = ValidateOpenVPN(onc_object, repaired.get());
+    else if (&signature == &kVerifyX509Signature)
+      valid = ValidateVerifyX509(onc_object, repaired.get());
     else if (&signature == &kCertificatePatternSignature)
       valid = ValidateCertificatePattern(onc_object, repaired.get());
     else if (&signature == &kProxySettingsSignature)
       valid = ValidateProxySettings(onc_object, repaired.get());
     else if (&signature == &kProxyLocationSignature)
       valid = ValidateProxyLocation(onc_object, repaired.get());
     else if (&signature == &kEAPSignature)
       valid = ValidateEAP(onc_object, repaired.get());
     else if (&signature == &kCertificateSignature)
       valid = ValidateCertificate(onc_object, repaired.get());
@@ skipping 520 matching lines @@
     return false;
 
   if (cert_type == kPattern)
     allRequiredExist &= RequireField(*result, ::onc::vpn::kClientCertPattern);
   else if (cert_type == kRef)
     allRequiredExist &= RequireField(*result, ::onc::vpn::kClientCertRef);
 
   return !error_on_missing_field_ || allRequiredExist;
 }
 
+bool Validator::ValidateVerifyX509(const base::DictionaryValue& onc_object,
+                                   base::DictionaryValue* result) {
+  using namespace ::onc::verify_x509;
+
+  static const char* kValidTypeValues[] =
+    {types::kName, types::kNamePrefix, types::kSubject, NULL};
+
+  if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypeValues))
+    return false;
+
+  bool allRequiredExist = RequireField(*result, kName);

[armansito, 2013/11/11 20:01:41]

nit: s/allRequiredExist/all_required_exist. You could technically also just
short-circuit the call to RequireField, since you only refer to
|allRequiredExist| in the return line. I.e.:

return !error_on_missing_field_ || RequireField(*result, kName);

Unless of course you're depending on the call to RequireField to log a message.

[pneubeck (no reviews), 2013/11/12 13:11:04]

Good point. Actually, the intended behavior is:
if |error_on_missing_field_| is false, then missing required fields raise a
warning.
I.e. error_or_warning_found is true and the return value is true.

+
+  return !error_on_missing_field_ || allRequiredExist;
+}
+
 bool Validator::ValidateCertificatePattern(
     const base::DictionaryValue& onc_object,
     base::DictionaryValue* result) {
   using namespace ::onc::certificate;
 
   bool allRequiredExist = true;
   if (!result->HasKey(kSubject) && !result->HasKey(kIssuer) &&
       !result->HasKey(kIssuerCARef)) {
     error_or_warning_found_ = true;
     allRequiredExist = false;
@@ skipping 111 matching lines @@
 }
 
 std::string Validator::MessageHeader() {
   std::string path = path_.empty() ? "toplevel" : JoinString(path_, ".");
   std::string message = "At " + path + ": ";
   return message;
 }
 
 }  // namespace onc
 }  // namespace chromeos