Implementation of ONC signature, validator and normalizer.

chrome/browser/chromeos/cros/onc_network_parser.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/onc_network_parser.h"
 
 #include <keyhi.h>
 #include <pk11pub.h>
 
 #include "base/base64.h"
 #include "base/json/json_string_value_serializer.h"
 #include "chrome/browser/chromeos/login/user_manager.h"
 #include "base/json/json_writer.h"  // for debug output only.
 #include "base/stringprintf.h"
 #include "base/values.h"
 #include "chrome/browser/chromeos/cros/certificate_pattern.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/native_network_constants.h"
 #include "chrome/browser/chromeos/cros/native_network_parser.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/cros/onc_constants.h"
+#include "chrome/browser/chromeos/network_settings/onc_signature.h"
+#include "chrome/browser/chromeos/network_settings/onc_validator.h"
 #include "chrome/browser/chromeos/proxy_config_service_impl.h"
 #include "chrome/browser/prefs/proxy_config_dictionary.h"
 #include "chrome/common/net/x509_certificate_model.h"
 #include "content/public/browser/browser_thread.h"
 #include "crypto/encryptor.h"
 #include "crypto/hmac.h"
 #include "crypto/scoped_nss_types.h"
 #include "crypto/symmetric_key.h"
 #include "grit/generated_resources.h"
 #include "net/base/crypto_module.h"
@@ skipping 265 matching lines @@
 
     // Check and see if this is an encrypted ONC file.  If so, decrypt it.
     std::string ciphertext_test;
     if (root_dict_->GetString("Ciphertext", &ciphertext_test))
       root_dict_.reset(Decrypt(passphrase, root_dict_.get()));
 
     // Decryption failed, errors will be in parse_error_;
     if (!root_dict_.get())
       return;
 
+    // Validate the ONC dictionary. We are liberal and ignore unknown field
+    // names and ignore invalid field names in kRecommended arrays.
+    bool is_managed = onc_source == NetworkUIData::ONC_SOURCE_USER_POLICY ||
+        onc_source == NetworkUIData::ONC_SOURCE_DEVICE_POLICY;
+    scoped_ptr<onc::Validator> validator(
+        new onc::Validator(false, // Ignore unknown fields.
+                           false, // Ignore invalid recommended field names.
+                           true, // Fail on missing fields.
+                           is_managed));
+
+    // Unknown fields are removed from the result.
+    root_dict_ = validator->ValidateAndRepairObject(
+        &onc::kUnencryptedConfigurationSignature,
+        *root_dict_);
+
+    if (!root_dict_.get()) {
+      LOG(WARNING) << "Provided ONC is invalid and couldn't be repaired";
+      return;
+    }
+
     // At least one of NetworkConfigurations or Certificates is required.
     bool has_network_configurations =
         root_dict_->GetList("NetworkConfigurations", &network_configs_);
     bool has_certificates =
         root_dict_->GetList("Certificates", &certificates_);
     VLOG(2) << "ONC file has " << GetNetworkConfigsSize() << " networks and "
             << GetCertificatesSize() << " certificates";
     LOG_IF(WARNING, (!has_network_configurations && !has_certificates))
         << "ONC file has no NetworkConfigurations or Certificates.";
   }
@@ skipping 1713 matching lines @@
     // on the value of AuthenticationType.
     { "L2TP-IPsec", PROVIDER_TYPE_L2TP_IPSEC_PSK },
     { "OpenVPN", PROVIDER_TYPE_OPEN_VPN },
   };
   CR_DEFINE_STATIC_LOCAL(EnumMapper<ProviderType>, parser,
       (table, arraysize(table), PROVIDER_TYPE_MAX));
   return parser.Get(type);
 }
 
 }  // namespace chromeos