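--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chromeos/network/onc/onc_validator.h"
 
 #include <algorithm>
 #include <string>
 
 #include "base/json/json_writer.h"
@@ -139,20 +139,21 @@
 else if (&signature == &kEAPSignature)
 valid = ValidateEAP(onc_object, repaired.get());
 else if (&signature == &kCertificateSignature)
 valid = ValidateCertificate(onc_object, repaired.get());
 else
 valid = ValidateObjectDefault(signature, onc_object, repaired.get());
 
 if (valid) {
 return repaired.Pass();
 } else {
+DCHECK(error_or_warning_found_);
 error_or_warning_found_ = *error = true;
 return scoped_ptr<base::DictionaryValue>();
 }
 }
 
 scoped_ptr<base::Value> Validator::MapField(
 const std::string& field_name,
 const OncValueSignature& object_signature,
 const base::Value& onc_value,
 bool* found_unknown_field,
@@ -356,20 +357,33 @@
 bool Validator::RequireField(const base::DictionaryValue& dict,
 const std::string& field_name) {
 if (dict.HasKey(field_name))
 return true;
 error_or_warning_found_ = true;
 LOG(ERROR) << ErrorHeader() << "The required field '" << field_name
 << "' is missing.";
 return false;
 }
 
+// Prohibit certificate patterns for device policy ONC so that an unmanaged user
+// won't have a certificate presented for them involuntarily.
+bool Validator::CertPatternInDevicePolicy(const std::string& cert_type) {
+if (cert_type == certificate::kPattern &&
+onc_source_ == ONC_SOURCE_DEVICE_POLICY) {
+error_or_warning_found_ = true;
+LOG(ERROR) << ErrorHeader() << "Client certificate patterns are "
+<< "prohibited in ONC device policies.";
+return true;
+}
+return false;
+}
+
 bool Validator::ValidateToplevelConfiguration(
 const base::DictionaryValue& onc_object,
 base::DictionaryValue* result) {
 if (!ValidateObjectDefault(kToplevelConfigurationSignature,
 onc_object, result)) {
 return false;
 }
 
 static const char* kValidTypes[] =
 { kUnencryptedConfiguration, kEncryptedConfiguration, NULL };
@@ -414,20 +428,31 @@
 bool allRequiredExist = RequireField(*result, kGUID);
 
 bool remove = false;
 result->GetBooleanWithoutPathExpansion(kRemove, &remove);
 if (!remove) {
 allRequiredExist &= RequireField(*result, kName);
 allRequiredExist &= RequireField(*result, kType);
 
 std::string type;
 result->GetStringWithoutPathExpansion(kType, &type);
+
+// Prohibit anything but WiFi and Ethernet for device-level policy (which
+// corresponds to shared networks). See also http://crosbug.com/28741.
+if (onc_source_ == ONC_SOURCE_DEVICE_POLICY &&
+type != kWiFi &&
+type != kEthernet) {
+error_or_warning_found_ = true;
+LOG(ERROR) << ErrorHeader() << "Networks of type '"
+<< type << "' are prohibited in ONC device policies.";
+return false;
+}
 allRequiredExist &= type.empty() || RequireField(*result, type);
 }
 
 return !error_on_missing_field_ || allRequiredExist;
 }
 
 bool Validator::ValidateEthernet(
 const base::DictionaryValue& onc_object,
 base::DictionaryValue* result) {
 using namespace onc::ethernet;
@@ -550,20 +575,24 @@
 bool allRequiredExist = RequireField(*result, kAuthenticationType) &
 RequireField(*result, kIKEVersion);
 std::string auth;
 result->GetStringWithoutPathExpansion(kAuthenticationType, &auth);
 if (auth == kCert) {
 allRequiredExist &= RequireField(*result, kClientCertType) &
 RequireField(*result, kServerCARef);
 }
 std::string cert_type;
 result->GetStringWithoutPathExpansion(kClientCertType, &cert_type);
+
+if (CertPatternInDevicePolicy(cert_type))
+return false;
+
 if (cert_type == kPattern)
 allRequiredExist &= RequireField(*result, kClientCertPattern);
 else if (cert_type == kRef)
 allRequiredExist &= RequireField(*result, kClientCertRef);
 
 return !error_on_missing_field_ || allRequiredExist;
 }
 
 bool Validator::ValidateOpenVPN(
 const base::DictionaryValue& onc_object,
@@ -586,20 +615,24 @@
 kValidAuthRetryValues) |
 FieldExistsAndHasNoValidValue(*result, kClientCertType, kValidCertTypes) |
 FieldExistsAndHasNoValidValue(*result, kRemoteCertTLS,
 kValidCertTlsValues)) {
 return false;
 }
 
 bool allRequiredExist = RequireField(*result, kClientCertType);
 std::string cert_type;
 result->GetStringWithoutPathExpansion(kClientCertType, &cert_type);
+
+if (CertPatternInDevicePolicy(cert_type))
+return false;
+
 if (cert_type == kPattern)
 allRequiredExist &= RequireField(*result, kClientCertPattern);
 else if (cert_type == kRef)
 allRequiredExist &= RequireField(*result, kClientCertRef);
 
 return !error_on_missing_field_ || allRequiredExist;
 }
 
 bool Validator::ValidateCertificatePattern(
 const base::DictionaryValue& onc_object,
@@ -676,20 +709,24 @@
 if (FieldExistsAndHasNoValidValue(*result, kInner, kValidInnerValues) |
 FieldExistsAndHasNoValidValue(*result, kOuter, kValidOuterValues) |
 FieldExistsAndHasNoValidValue(*result, kClientCertType,
 kValidCertTypes)) {
 return false;
 }
 
 bool allRequiredExist = RequireField(*result, kOuter);
 std::string cert_type;
 result->GetStringWithoutPathExpansion(kClientCertType, &cert_type);
+
+if (CertPatternInDevicePolicy(cert_type))
+return false;
+
 if (cert_type == kPattern)
 allRequiredExist &= RequireField(*result, kClientCertPattern);
 else if (cert_type == kRef)
 allRequiredExist &= RequireField(*result, kClientCertRef);
 
 return !error_on_missing_field_ || allRequiredExist;
 }
 
 bool Validator::ValidateCertificate(
 const base::DictionaryValue& onc_object,
@@ -729,10 +766,10 @@
 }
 
 std::string Validator::MessageHeader(bool is_error) {
 std::string path = path_.empty() ? "toplevel" : JoinString(path_, ".");
 std::string message = "At " + path + ": ";
 return message;
 }
 
 } // namespace onc
 } // namespace chromeos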
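Review bot: The device-policy type check added at new lines 441-448 also fires when the `Type` field is absent, because `type` then stays empty: such an entry is logged as `Networks of type '' are prohibited in ONC device policies.` on top of the missing-field error that `RequireField(*result, kType)` already emitted, and it hard-fails even when `error_on_missing_field_` is false. If an untyped device-policy network is meant to be rejected outright, the message should say the type is missing; if not, add `!type.empty() &&` to the condition so the existing missing-field handling decides. The same block — the `CertPatternInDevicePolicy(cert_type)` guard followed by the kPattern/kRef `RequireField` pair — is now repeated verbatim in three validators (new lines 583-592, 623-632 and 717-726) and could become one private helper that reads `cert_type` once and updates `allRequiredExist`. All of these functions start before their hunks, so the early-return contract of the callers is not visible here.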