Rejecting networks/certificates independently on ONC import and policy loading.

chrome/browser/chromeos/cros/network_library_impl_base.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/cros/network_library_impl_base.h"
 
 #include "base/bind.h"
 #include "base/json/json_reader.h"
 #include "base/memory/scoped_vector.h"
 #include "base/metrics/histogram.h"
@@ skipping 1053 matching lines @@
     }
   }
 
   // Validate the ONC dictionary. We are liberal and ignore unknown field
   // names and ignore invalid field names in kRecommended arrays.
   onc::Validator validator(false,  // Ignore unknown fields.
                            false,  // Ignore invalid recommended field names.
                            true,  // Fail on missing fields.
                            from_policy);
 
-  // Unknown fields are removed from the result.
   onc::Validator::Result validation_result;
   validator.ValidateAndRepairObject(&onc::kToplevelConfigurationSignature,
                                     *root_dict,
                                     &validation_result);
 
   if (from_policy) {
     UMA_HISTOGRAM_BOOLEAN("Enterprise.ONC.PolicyValidation",
                           validation_result == onc::Validator::VALID);
   }
 
+  bool success = true;
   if (validation_result == onc::Validator::VALID_WITH_WARNINGS) {
     LOG(WARNING) << "ONC from " << onc::GetSourceAsString(source)
                  << " produced warnings.";
   } else if (validation_result == onc::Validator::INVALID) {
     LOG(ERROR) << "ONC from " << onc::GetSourceAsString(source)
                << " is invalid and couldn't be repaired.";
+    success = false;
   }
 
   const base::ListValue* certificates;
   bool has_certificates =
       root_dict->GetListWithoutPathExpansion(onc::kCertificates, &certificates);
 
   const base::ListValue* network_configs;
   bool has_network_configurations = root_dict->GetListWithoutPathExpansion(
       onc::kNetworkConfigurations,
       &network_configs);
 
   if (has_certificates) {
     VLOG(2) << "ONC file has " << certificates->GetSize() << " certificates";
 
     onc::CertificateImporter cert_importer(source, allow_web_trust_from_policy);
     if (cert_importer.ParseAndStoreCertificates(*certificates) !=
         onc::CertificateImporter::IMPORT_OK) {
       LOG(ERROR) << "Cannot parse some of the certificates in the ONC from "
                  << onc::GetSourceAsString(source);
-      return false;
+      success = false;
     }
   }
 
   std::set<std::string> removal_ids;
   std::set<std::string>& network_ids(network_source_map_[source]);
   network_ids.clear();
   if (has_network_configurations) {
     VLOG(2) << "ONC file has " << network_configs->GetSize() << " networks";
     OncNetworkParser parser(*network_configs, source);
 
     // Parse all networks. Bail out if that fails.
     NetworkOncMap added_onc_map;
     ScopedVector<Network> networks;
     for (int i = 0; i < parser.GetNetworkConfigsSize(); i++) {
       // Parse Open Network Configuration blob into a temporary Network object.
       bool marked_for_removal = false;
       Network* network = parser.ParseNetwork(i, &marked_for_removal);
       if (!network) {
         LOG(ERROR) << "Error during ONC parsing network at index " << i
                    << " from " << onc::GetSourceAsString(source);
-        return false;
+        success = false;
+        continue;
       }
 
       // Disallow anything but WiFi and Ethernet for device-level policy (which
       // corresponds to shared networks). See also http://crosbug.com/28741.
       if (source == onc::ONC_SOURCE_DEVICE_POLICY &&
           network->type() != TYPE_WIFI &&
           network->type() != TYPE_ETHERNET) {
         LOG(WARNING) << "Ignoring device-level policy-pushed network of type "
                      << network->type();
         delete network;
@@ skipping 66 matching lines @@
       network_ids.insert(network->unique_id());
     }
   }
 
   if (from_policy) {
     // For policy-managed networks, go through the list of existing remembered
     // networks and clean out the ones that no longer have a definition in the
     // ONC blob. We first collect the networks and do the actual deletion later
     // because ForgetNetwork() changes the remembered network vectors.
     ForgetNetworksById(source, network_ids, false);
-  } else if (source == onc::ONC_SOURCE_USER_IMPORT) {
-    if (removal_ids.empty())
-      return true;
-
+  } else if (source == onc::ONC_SOURCE_USER_IMPORT && !removal_ids.empty()) {
     ForgetNetworksById(source, removal_ids, true);
   }
 
-  return true;
+  return success;
 }
 
 ////////////////////////////////////////////////////////////////////////////
 // Testing functions.
 
 bool NetworkLibraryImplBase::SetActiveNetwork(
     ConnectionType type, const std::string& service_path) {
   Network* network = NULL;
   if (!service_path.empty())
     network = FindNetworkByPath(service_path);
@@ skipping 503 matching lines @@
   GetTpmInfo();
   return tpm_slot_;
 }
 
 const std::string& NetworkLibraryImplBase::GetTpmPin() {
   GetTpmInfo();
   return tpm_pin_;
 }
 
 }  // namespace chromeos