| Index: chromeos/network/policy_util.cc
|
| diff --git a/chromeos/network/policy_util.cc b/chromeos/network/policy_util.cc
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..e1a01a78dbad87048a591f89b29eaa615e040730
|
| --- /dev/null
|
| +++ b/chromeos/network/policy_util.cc
|
| @@ -0,0 +1,200 @@
|
| +// Copyright 2013 The Chromium Authors. All rights reserved.
|
| +// Use of this source code is governed by a BSD-style license that can be
|
| +// found in the LICENSE file.
|
| +
|
| +#include "chromeos/network/policy_util.h"
|
| +
|
| +#include "base/logging.h"
|
| +#include "chromeos/network/network_profile.h"
|
| +#include "chromeos/network/network_ui_data.h"
|
| +#include "chromeos/network/onc/onc_constants.h"
|
| +#include "chromeos/network/onc/onc_merger.h"
|
| +#include "chromeos/network/onc/onc_normalizer.h"
|
| +#include "chromeos/network/onc/onc_signature.h"
|
| +#include "chromeos/network/onc/onc_translator.h"
|
| +#include "chromeos/network/onc/onc_utils.h"
|
| +#include "chromeos/network/shill_property_util.h"
|
| +#include "third_party/cros_system_api/dbus/service_constants.h"
|
| +
|
| +namespace chromeos {
|
| +
|
| +namespace policy_util {
|
| +
|
| +namespace {
|
| +
|
| +// This fake credential contains a random postfix which is extremly unlikely to
|
| +// be used by any user.
|
| +const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
|
| +
|
| +
|
| +// Removes all kFakeCredential values from sensitive fields (determined by
|
| +// onc::FieldIsCredential) of |onc_object|.
|
| +void RemoveFakeCredentials(
|
| + const onc::OncValueSignature& signature,
|
| + base::DictionaryValue* onc_object) {
|
| + base::DictionaryValue::Iterator it(*onc_object);
|
| + while (!it.IsAtEnd()) {
|
| + base::Value* value = NULL;
|
| + std::string field_name = it.key();
|
| + // We need the non-const entry to remove nested values but DictionaryValue
|
| + // has no non-const iterator.
|
| + onc_object->GetWithoutPathExpansion(field_name, &value);
|
| + // Advance before delete.
|
| + it.Advance();
|
| +
|
| + // If |value| is a dictionary, recurse.
|
| + base::DictionaryValue* nested_object = NULL;
|
| + if (value->GetAsDictionary(&nested_object)) {
|
| + const onc::OncFieldSignature* field_signature =
|
| + onc::GetFieldSignature(signature, field_name);
|
| +
|
| + RemoveFakeCredentials(*field_signature->value_signature,
|
| + nested_object);
|
| + continue;
|
| + }
|
| +
|
| + // If |value| is a string, check if it is a fake credential.
|
| + std::string string_value;
|
| + if (value->GetAsString(&string_value) &&
|
| + onc::FieldIsCredential(signature, field_name)) {
|
| + if (string_value == kFakeCredential) {
|
| + // The value wasn't modified by the UI, thus we remove the field to keep
|
| + // the existing value that is stored in Shill.
|
| + onc_object->RemoveWithoutPathExpansion(field_name, NULL);
|
| + }
|
| + // Otherwise, the value is set and modified by the UI, thus we keep that
|
| + // value to overwrite whatever is stored in Shill.
|
| + }
|
| + }
|
| +}
|
| +
|
| +// Returns true if |policy| matches |actual_network|, which must be part of a
|
| +// ONC NetworkConfiguration. This should be the only such matching function
|
| +// within Chrome. Shill does such matching in several functions for network
|
| +// identification. For compatibility, we currently should stick to Shill's
|
| +// matching behavior.
|
| +bool IsPolicyMatching(const base::DictionaryValue& policy,
|
| + const base::DictionaryValue& actual_network) {
|
| + std::string policy_type;
|
| + policy.GetStringWithoutPathExpansion(onc::network_config::kType,
|
| + &policy_type);
|
| + std::string network_type;
|
| + actual_network.GetStringWithoutPathExpansion(onc::network_config::kType,
|
| + &network_type);
|
| + if (policy_type != network_type)
|
| + return false;
|
| +
|
| + if (network_type != onc::network_type::kWiFi)
|
| + return false;
|
| +
|
| + const base::DictionaryValue* policy_wifi = NULL;
|
| + policy.GetDictionaryWithoutPathExpansion(onc::network_config::kWiFi,
|
| + &policy_wifi);
|
| + const base::DictionaryValue* actual_wifi = NULL;
|
| + actual_network.GetDictionaryWithoutPathExpansion(onc::network_config::kWiFi,
|
| + &actual_wifi);
|
| + if (!policy_wifi || !actual_wifi)
|
| + return false;
|
| +
|
| + std::string policy_ssid;
|
| + policy_wifi->GetStringWithoutPathExpansion(onc::wifi::kSSID, &policy_ssid);
|
| + std::string actual_ssid;
|
| + actual_wifi->GetStringWithoutPathExpansion(onc::wifi::kSSID, &actual_ssid);
|
| + return (policy_ssid == actual_ssid);
|
| +}
|
| +
|
| +} // namespace
|
| +
|
| +scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
|
| + const NetworkProfile& profile,
|
| + const std::string& guid,
|
| + const base::DictionaryValue* policy,
|
| + const base::DictionaryValue* settings) {
|
| + scoped_ptr<base::DictionaryValue> effective;
|
| + onc::ONCSource onc_source = onc::ONC_SOURCE_NONE;
|
| + if (policy) {
|
| + if (profile.type() == NetworkProfile::TYPE_SHARED) {
|
| + effective = onc::MergeSettingsAndPoliciesToEffective(
|
| + NULL, // no user policy
|
| + policy, // device policy
|
| + NULL, // no user settings
|
| + settings); // shared settings
|
| + onc_source = onc::ONC_SOURCE_DEVICE_POLICY;
|
| + } else if (profile.type() == NetworkProfile::TYPE_USER) {
|
| + effective = onc::MergeSettingsAndPoliciesToEffective(
|
| + policy, // user policy
|
| + NULL, // no device policy
|
| + settings, // user settings
|
| + NULL); // no shared settings
|
| + onc_source = onc::ONC_SOURCE_USER_POLICY;
|
| + } else {
|
| + NOTREACHED();
|
| + }
|
| + } else if (settings) {
|
| + effective.reset(settings->DeepCopy());
|
| + // TODO(pneubeck): change to source ONC_SOURCE_USER
|
| + onc_source = onc::ONC_SOURCE_NONE;
|
| + } else {
|
| + NOTREACHED();
|
| + onc_source = onc::ONC_SOURCE_NONE;
|
| + }
|
| +
|
| + RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
|
| + effective.get());
|
| +
|
| + effective->SetStringWithoutPathExpansion(onc::network_config::kGUID, guid);
|
| +
|
| + // Remove irrelevant fields.
|
| + onc::Normalizer normalizer(true /* remove recommended fields */);
|
| + effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
|
| + *effective);
|
| +
|
| + scoped_ptr<base::DictionaryValue> shill_dictionary(
|
| + onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
|
| + *effective));
|
| +
|
| + shill_dictionary->SetStringWithoutPathExpansion(flimflam::kProfileProperty,
|
| + profile.path);
|
| +
|
| + scoped_ptr<NetworkUIData> ui_data;
|
| + if (policy)
|
| + ui_data = NetworkUIData::CreateFromONC(onc_source, *policy);
|
| + else
|
| + ui_data.reset(new NetworkUIData());
|
| +
|
| + if (settings) {
|
| + // Shill doesn't know that sensitive data is contained in the UIData
|
| + // property and might write it into logs or other insecure places. Thus, we
|
| + // have to remove or mask credentials.
|
| + //
|
| + // Shill's GetProperties doesn't return credentials. Masking credentials
|
| + // instead of just removing them, allows remembering if a credential is set
|
| + // or not.
|
| + scoped_ptr<base::DictionaryValue> sanitized_settings(
|
| + onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature,
|
| + *settings,
|
| + kFakeCredential));
|
| + ui_data->set_user_settings(sanitized_settings.Pass());
|
| + }
|
| +
|
| + shill_property_util::SetUIData(*ui_data, shill_dictionary.get());
|
| +
|
| + VLOG(2) << "Created Shill properties: " << *shill_dictionary;
|
| +
|
| + return shill_dictionary.Pass();
|
| +}
|
| +
|
| +const base::DictionaryValue* FindMatchingPolicy(
|
| + const GuidToPolicyMap& policies,
|
| + const base::DictionaryValue& actual_network) {
|
| + for (GuidToPolicyMap::const_iterator it = policies.begin();
|
| + it != policies.end(); ++it) {
|
| + if (IsPolicyMatching(*it->second, actual_network))
|
| + return it->second;
|
| + }
|
| + return NULL;
|
| +}
|
| +
|
| +} // namespace policy_util
|
| +
|
| +} // namespace chromeos
|
|
|
Chromium Code Reviews
Issue 23522004:
Separate PolicyApplicator from ManagedNetworkConfigurationHandler. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src