Moving ManagedNetworkConfigurationHandler to chromeos/.

chrome/browser/chromeos/cros/certificate_pattern_matcher.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "chrome/browser/chromeos/cros/certificate_pattern.h"
+#include "chrome/browser/chromeos/cros/certificate_pattern_matcher.h"
 
-#include <algorithm>
+#include <cert.h>
+#include <pk11pub.h>
+
 #include <list>
 #include <string>
 #include <vector>
 
-#include <cert.h>
-#include <pk11pub.h>
-
-#include "base/logging.h"
-#include "base/values.h"
+#include "chromeos/network/certificate_pattern.h"
 #include "net/base/net_errors.h"
 #include "net/cert/cert_database.h"
 #include "net/cert/nss_cert_database.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 
-// To shorten some of those long lines below.
-using base::DictionaryValue;
-using base::ListValue;
-using std::find;
-using std::list;
-using std::string;
-using std::vector;
-
 namespace chromeos {
 
 namespace {
 
-// Keys for converting classes below to/from dictionaries.
-const char kCommonNameKey[] = "CommonName";
-const char kLocalityKey[] = "Locality";
-const char kOrganizationKey[] = "Organization";
-const char kOrganizationalUnitKey[] = "OrganizationalUnit";
-const char kIssuerCaRefKey[] = "IssuerCARef";
-const char kIssuerKey[] = "Issuer";
-const char kSubjectKey[] = "Subject";
-const char kEnrollmentUriKey[] = "EnrollmentURI";
+// Returns true only if any fields set in this pattern match exactly with
+// similar fields in the principal.  If organization_ or organizational_unit_
+// are set, then at least one of the organizations or units in the principal
+// must match.
+bool CertPrincipalMatches(const IssuerSubjectPattern& pattern,
+                          const net::CertPrincipal& principal) {
+  if (!pattern.common_name().empty() &&
+      pattern.common_name() != principal.common_name) {
+    return false;
+  }
 
-bool GetAsListOfStrings(const base::Value& value,
-                        std::vector<std::string>* result) {
-  const base::ListValue* list = NULL;
-  if (!value.GetAsList(&list))
+  if (!pattern.locality().empty() &&
+      pattern.locality() != principal.locality_name) {
     return false;
-  result->clear();
-  result->reserve(list->GetSize());
-  for (size_t i = 0; i < list->GetSize(); i++) {
-    std::string item;
-    if (!list->GetString(i, &item))
+  }
+
+  if (!pattern.organization().empty()) {
+    if (std::find(principal.organization_names.begin(),
+                  principal.organization_names.end(),
+                  pattern.organization()) ==
+        principal.organization_names.end()) {
       return false;
-    result->push_back(item);
+    }
   }
+
+  if (!pattern.organizational_unit().empty()) {
+    if (std::find(principal.organization_unit_names.begin(),
+                  principal.organization_unit_names.end(),
+                  pattern.organizational_unit()) ==
+        principal.organization_unit_names.end()) {
+      return false;
+    }
+  }
+
   return true;
 }
 
-ListValue* CreateListFromStrings(const vector<string>& strings) {
-  ListValue* new_list = new ListValue;
-  for (vector<string>::const_iterator iter = strings.begin();
-       iter != strings.end(); ++iter) {
-    new_list->Append(new StringValue(*iter));
-  }
-  return new_list;
-}
-
 // Functor to filter out non-matching issuers.
 class IssuerFilter {
  public:
   explicit IssuerFilter(const IssuerSubjectPattern& issuer)
     : issuer_(issuer) {}
   bool operator()(const scoped_refptr<net::X509Certificate>& cert) const {
-    return !issuer_.Matches(cert.get()->issuer());
+    return !CertPrincipalMatches(issuer_, cert.get()->issuer());
   }
  private:
   const IssuerSubjectPattern& issuer_;
 };
 
 // Functor to filter out non-matching subjects.
 class SubjectFilter {
  public:
   explicit SubjectFilter(const IssuerSubjectPattern& subject)
     : subject_(subject) {}
   bool operator()(const scoped_refptr<net::X509Certificate>& cert) const {
-    return !subject_.Matches(cert.get()->subject());
+    return !CertPrincipalMatches(subject_, cert.get()->subject());
   }
  private:
   const IssuerSubjectPattern& subject_;
 };
 
 // Functor to filter out certs that don't have private keys, or are invalid.
 class PrivateKeyFilter {
  public:
   explicit PrivateKeyFilter(net::CertDatabase* cert_db) : cert_db_(cert_db) {}
   bool operator()(const scoped_refptr<net::X509Certificate>& cert) const {
     return cert_db_->CheckUserCert(cert.get()) != net::OK;
   }
  private:
   net::CertDatabase* cert_db_;
 };
 
 // Functor to filter out certs that don't have an issuer in the associated
 // IssuerCARef list.
 class IssuerCaRefFilter {
  public:
-  explicit IssuerCaRefFilter(const vector<string>& issuer_ca_ref_list)
+  explicit IssuerCaRefFilter(const std::vector<std::string>& issuer_ca_ref_list)
     : issuer_ca_ref_list_(issuer_ca_ref_list) {}
   bool operator()(const scoped_refptr<net::X509Certificate>& cert) const {
     // Find the certificate issuer for each certificate.
     // TODO(gspencer): this functionality should be available from
     // X509Certificate or NSSCertDatabase.
     CERTCertificate* issuer_cert = CERT_FindCertIssuer(
         cert.get()->os_cert_handle(), PR_Now(), certUsageAnyCA);
 
     if (issuer_cert && issuer_cert->nickname) {
       // Separate the nickname stored in the certificate at the colon, since
       // NSS likes to store it as token:nickname.
       const char* delimiter = ::strchr(issuer_cert->nickname, ':');
       if (delimiter) {
         delimiter++;  // move past the colon.
-        vector<string>::const_iterator pat_iter = issuer_ca_ref_list_.begin();
+        std::vector<std::string>::const_iterator pat_iter =
+            issuer_ca_ref_list_.begin();
         while (pat_iter != issuer_ca_ref_list_.end()) {
-          if (::strcmp(delimiter, pat_iter->c_str()) == 0)
+          if (*pat_iter == delimiter)
             return false;
           ++pat_iter;
         }
       }
     }
     return true;
   }
  private:
-  const vector<string>& issuer_ca_ref_list_;
+  const std::vector<std::string>& issuer_ca_ref_list_;
 };
 
 }  // namespace
 
-////////////////////////////////////////////////////////////////////////////////
-// IssuerSubjectPattern
-IssuerSubjectPattern::IssuerSubjectPattern(const std::string& common_name,
-                     const std::string& locality,
-                     const std::string& organization,
-                     const std::string& organizational_unit)
-    : common_name_(common_name),
-      locality_(locality),
-      organization_(organization),
-      organizational_unit_(organizational_unit) { }
-
-IssuerSubjectPattern::IssuerSubjectPattern() {}
-
-IssuerSubjectPattern::~IssuerSubjectPattern() {}
-
-bool IssuerSubjectPattern::Matches(const net::CertPrincipal& principal) const {
-  if (!common_name_.empty() && common_name_ != principal.common_name)
-    return false;
-
-  if (!locality_.empty() && locality_ != principal.locality_name)
-    return false;
-
-  if (!organization_.empty()) {
-    if (find(principal.organization_names.begin(),
-             principal.organization_names.end(), organization_) ==
-        principal.organization_names.end()) {
-      return false;
-    }
-  }
-
-  if (!organizational_unit_.empty()) {
-    if (find(principal.organization_unit_names.begin(),
-             principal.organization_unit_names.end(),
-             organizational_unit_) == principal.organization_unit_names.end()) {
-      return false;
-    }
-  }
-
-  return true;
-}
-
-bool IssuerSubjectPattern::Empty() const {
-  return common_name_.empty() &&
-         locality_.empty() &&
-         organization_.empty() &&
-         organizational_unit_.empty();
-}
-
-void IssuerSubjectPattern::Clear() {
-  common_name_.clear();
-  locality_.clear();
-  organization_.clear();
-  organizational_unit_.clear();
-}
-
-DictionaryValue* IssuerSubjectPattern::CreateAsDictionary() const {
-  DictionaryValue* dict = new DictionaryValue;
-  if (!common_name_.empty())
-    dict->SetString(kCommonNameKey, common_name_);
-  if (!locality_.empty())
-    dict->SetString(kLocalityKey, locality_);
-  if (!organization_.empty())
-    dict->SetString(kOrganizationKey, organization_);
-  if (!organizational_unit_.empty())
-    dict->SetString(kOrganizationalUnitKey, organizational_unit_);
-  return dict;
-}
-
-bool IssuerSubjectPattern::CopyFromDictionary(const DictionaryValue& dict) {
-  Clear();
-  dict.GetString(kCommonNameKey, &common_name_);
-  dict.GetString(kLocalityKey, &locality_);
-  dict.GetString(kOrganizationKey, &organization_);
-  dict.GetString(kOrganizationalUnitKey, &organizational_unit_);
-  // If the dictionary wasn't empty, but we are, or vice versa, then something
-  // went wrong.
-  DCHECK(dict.empty() == Empty());
-  if (dict.empty() != Empty())
-    return false;
-  return true;
-}
-
-////////////////////////////////////////////////////////////////////////////////
-// CertificatePattern
-
-CertificatePattern::CertificatePattern() {}
-
-CertificatePattern::~CertificatePattern() {}
-
-bool CertificatePattern::Empty() const {
-  return issuer_ca_ref_list_.empty() &&
-         issuer_.Empty() &&
-         subject_.Empty();
-}
-
-void CertificatePattern::Clear() {
-  issuer_ca_ref_list_.clear();
-  issuer_.Clear();
-  subject_.Clear();
-  enrollment_uri_list_.clear();
-}
-
-scoped_refptr<net::X509Certificate> CertificatePattern::GetMatch() const {
-  typedef list<scoped_refptr<net::X509Certificate> > CertificateStlList;
+scoped_refptr<net::X509Certificate> GetCertificateMatch(
+    const CertificatePattern& pattern) {
+  typedef std::list<scoped_refptr<net::X509Certificate> > CertificateStlList;
 
   // Start with all the certs, and narrow it down from there.
   net::CertificateList all_certs;
   CertificateStlList matching_certs;
   net::NSSCertDatabase::GetInstance()->ListCerts(&all_certs);
 
   if (all_certs.empty())
     return NULL;
 
   for (net::CertificateList::iterator iter = all_certs.begin();
        iter != all_certs.end(); ++iter) {
     matching_certs.push_back(*iter);
   }
 
   // Strip off any certs that don't have the right issuer and/or subject.
-  if (!issuer_.Empty()) {
-    matching_certs.remove_if(IssuerFilter(issuer_));
+  if (!pattern.issuer().Empty()) {
+    matching_certs.remove_if(IssuerFilter(pattern.issuer()));
     if (matching_certs.empty())
       return NULL;
   }
 
-  if (!subject_.Empty()) {
-    matching_certs.remove_if(SubjectFilter(subject_));
+  if (!pattern.subject().Empty()) {
+    matching_certs.remove_if(SubjectFilter(pattern.subject()));
     if (matching_certs.empty())
       return NULL;
   }
 
-  if (!issuer_ca_ref_list_.empty()) {
-    matching_certs.remove_if(IssuerCaRefFilter(issuer_ca_ref_list_));
+  if (!pattern.issuer_ca_ref_list().empty()) {
+    matching_certs.remove_if(IssuerCaRefFilter(pattern.issuer_ca_ref_list()));
     if (matching_certs.empty())
       return NULL;
   }
 
   // Eliminate any certs that don't have private keys associated with
   // them.  The CheckUserCert call in the filter is a little slow (because of
   // underlying PKCS11 calls), so we do this last to reduce the number of times
   // we have to call it.
   PrivateKeyFilter private_filter(net::CertDatabase::GetInstance());
   matching_certs.remove_if(private_filter);
 
   if (matching_certs.empty())
     return NULL;
 
   // We now have a list of certificates that match the pattern we're
   // looking for.  Now we find the one with the latest start date.
   scoped_refptr<net::X509Certificate> latest(NULL);
 
   // Iterate over the rest looking for the one that was issued latest.
   for (CertificateStlList::iterator iter = matching_certs.begin();
        iter != matching_certs.end(); ++iter) {
     if (!latest.get() || (*iter)->valid_start() > latest->valid_start())
       latest = *iter;
   }
 
   return latest;
 }
 
-DictionaryValue* CertificatePattern::CreateAsDictionary() const {
-  DictionaryValue* dict = new base::DictionaryValue;
-
-  if (!issuer_ca_ref_list_.empty())
-    dict->Set(kIssuerCaRefKey, CreateListFromStrings(issuer_ca_ref_list_));
-
-  if (!issuer_.Empty())
-    dict->Set(kIssuerKey, issuer_.CreateAsDictionary());
-
-  if (!subject_.Empty())
-    dict->Set(kSubjectKey, subject_.CreateAsDictionary());
-
-  if (!enrollment_uri_list_.empty())
-    dict->Set(kEnrollmentUriKey, CreateListFromStrings(enrollment_uri_list_));
-  return dict;
-}
-
-bool CertificatePattern::CopyFromDictionary(const DictionaryValue &dict) {
-  const DictionaryValue* child_dict = NULL;
-  const ListValue* child_list = NULL;
-  Clear();
-
-  // All of these are optional.
-  if (dict.GetList(kIssuerCaRefKey, &child_list) && child_list) {
-    if (!GetAsListOfStrings(*child_list, &issuer_ca_ref_list_))
-      return false;
-  }
-  if (dict.GetDictionary(kIssuerKey, &child_dict) && child_dict) {
-    if (!issuer_.CopyFromDictionary(*child_dict))
-      return false;
-  }
-  child_dict = NULL;
-  if (dict.GetDictionary(kSubjectKey, &child_dict) && child_dict) {
-    if (!subject_.CopyFromDictionary(*child_dict))
-      return false;
-  }
-  child_list = NULL;
-  if (dict.GetList(kEnrollmentUriKey, &child_list) && child_list) {
-    if (!GetAsListOfStrings(*child_list, &enrollment_uri_list_))
-      return false;
-  }
-
-  // If we didn't copy anything from the dictionary, then it had better be
-  // empty.
-  DCHECK(dict.empty() == Empty());
-  if (dict.empty() != Empty())
-    return false;
-
-  return true;
-}
-
 }  // namespace chromeos