Home | History | Annotate | Download | only in network
      1 // Copyright 2013 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "chromeos/network/policy_util.h"
      6 
      7 #include "base/logging.h"
      8 #include "base/values.h"
      9 #include "chromeos/network/network_profile.h"
     10 #include "chromeos/network/network_ui_data.h"
     11 #include "chromeos/network/onc/onc_merger.h"
     12 #include "chromeos/network/onc/onc_normalizer.h"
     13 #include "chromeos/network/onc/onc_signature.h"
     14 #include "chromeos/network/onc/onc_translator.h"
     15 #include "chromeos/network/onc/onc_utils.h"
     16 #include "chromeos/network/shill_property_util.h"
     17 #include "components/onc/onc_constants.h"
     18 #include "third_party/cros_system_api/dbus/service_constants.h"
     19 
     20 namespace chromeos {
     21 
     22 namespace policy_util {
     23 
     24 namespace {
     25 
     26 // This fake credential contains a random postfix which is extremly unlikely to
     27 // be used by any user.
     28 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
     29 
     30 
     31 // Removes all kFakeCredential values from sensitive fields (determined by
     32 // onc::FieldIsCredential) of |onc_object|.
     33 void RemoveFakeCredentials(
     34     const onc::OncValueSignature& signature,
     35     base::DictionaryValue* onc_object) {
     36   base::DictionaryValue::Iterator it(*onc_object);
     37   while (!it.IsAtEnd()) {
     38     base::Value* value = NULL;
     39     std::string field_name = it.key();
     40     // We need the non-const entry to remove nested values but DictionaryValue
     41     // has no non-const iterator.
     42     onc_object->GetWithoutPathExpansion(field_name, &value);
     43     // Advance before delete.
     44     it.Advance();
     45 
     46     // If |value| is a dictionary, recurse.
     47     base::DictionaryValue* nested_object = NULL;
     48     if (value->GetAsDictionary(&nested_object)) {
     49       const onc::OncFieldSignature* field_signature =
     50           onc::GetFieldSignature(signature, field_name);
     51       if (field_signature)
     52         RemoveFakeCredentials(*field_signature->value_signature, nested_object);
     53       else
     54         LOG(ERROR) << "ONC has unrecoginzed field: " << field_name;
     55       continue;
     56     }
     57 
     58     // If |value| is a string, check if it is a fake credential.
     59     std::string string_value;
     60     if (value->GetAsString(&string_value) &&
     61         onc::FieldIsCredential(signature, field_name)) {
     62       if (string_value == kFakeCredential) {
     63         // The value wasn't modified by the UI, thus we remove the field to keep
     64         // the existing value that is stored in Shill.
     65         onc_object->RemoveWithoutPathExpansion(field_name, NULL);
     66       }
     67       // Otherwise, the value is set and modified by the UI, thus we keep that
     68       // value to overwrite whatever is stored in Shill.
     69     }
     70   }
     71 }
     72 
     73 // Returns true if |policy| matches |actual_network|, which must be part of a
     74 // ONC NetworkConfiguration. This should be the only such matching function
     75 // within Chrome. Shill does such matching in several functions for network
     76 // identification. For compatibility, we currently should stick to Shill's
     77 // matching behavior.
     78 bool IsPolicyMatching(const base::DictionaryValue& policy,
     79                       const base::DictionaryValue& actual_network) {
     80   std::string policy_type;
     81   policy.GetStringWithoutPathExpansion(::onc::network_config::kType,
     82                                        &policy_type);
     83   std::string actual_network_type;
     84   actual_network.GetStringWithoutPathExpansion(::onc::network_config::kType,
     85                                                &actual_network_type);
     86   if (policy_type != actual_network_type)
     87     return false;
     88 
     89   if (actual_network_type == ::onc::network_type::kEthernet) {
     90     const base::DictionaryValue* policy_ethernet = NULL;
     91     policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet,
     92                                              &policy_ethernet);
     93     const base::DictionaryValue* actual_ethernet = NULL;
     94     actual_network.GetDictionaryWithoutPathExpansion(
     95         ::onc::network_config::kEthernet, &actual_ethernet);
     96     if (!policy_ethernet || !actual_ethernet)
     97       return false;
     98 
     99     std::string policy_auth;
    100     policy_ethernet->GetStringWithoutPathExpansion(
    101         ::onc::ethernet::kAuthentication, &policy_auth);
    102     std::string actual_auth;
    103     actual_ethernet->GetStringWithoutPathExpansion(
    104         ::onc::ethernet::kAuthentication, &actual_auth);
    105     return policy_auth == actual_auth;
    106   } else if (actual_network_type == ::onc::network_type::kWiFi) {
    107     const base::DictionaryValue* policy_wifi = NULL;
    108     policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kWiFi,
    109                                              &policy_wifi);
    110     const base::DictionaryValue* actual_wifi = NULL;
    111     actual_network.GetDictionaryWithoutPathExpansion(
    112         ::onc::network_config::kWiFi,
    113         &actual_wifi);
    114     if (!policy_wifi || !actual_wifi)
    115       return false;
    116 
    117     std::string policy_ssid;
    118     policy_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
    119                                                &policy_ssid);
    120     std::string actual_ssid;
    121     actual_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
    122                                                &actual_ssid);
    123     return (policy_ssid == actual_ssid);
    124   }
    125   return false;
    126 }
    127 
    128 }  // namespace
    129 
    130 scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
    131     const NetworkProfile& profile,
    132     const std::string& guid,
    133     const base::DictionaryValue* policy,
    134     const base::DictionaryValue* settings) {
    135   scoped_ptr<base::DictionaryValue> effective;
    136   ::onc::ONCSource onc_source = ::onc::ONC_SOURCE_NONE;
    137   if (policy) {
    138     if (profile.type() == NetworkProfile::TYPE_SHARED) {
    139       effective = onc::MergeSettingsAndPoliciesToEffective(
    140           NULL,  // no user policy
    141           policy,  // device policy
    142           NULL,  // no user settings
    143           settings);  // shared settings
    144       onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY;
    145     } else if (profile.type() == NetworkProfile::TYPE_USER) {
    146       effective = onc::MergeSettingsAndPoliciesToEffective(
    147           policy,  // user policy
    148           NULL,  // no device policy
    149           settings,  // user settings
    150           NULL);  // no shared settings
    151       onc_source = ::onc::ONC_SOURCE_USER_POLICY;
    152     } else {
    153       NOTREACHED();
    154     }
    155   } else if (settings) {
    156     effective.reset(settings->DeepCopy());
    157     // TODO(pneubeck): change to source ONC_SOURCE_USER
    158     onc_source = ::onc::ONC_SOURCE_NONE;
    159   } else {
    160     NOTREACHED();
    161     onc_source = ::onc::ONC_SOURCE_NONE;
    162   }
    163 
    164   RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
    165                         effective.get());
    166 
    167   effective->SetStringWithoutPathExpansion(::onc::network_config::kGUID, guid);
    168 
    169   // Remove irrelevant fields.
    170   onc::Normalizer normalizer(true /* remove recommended fields */);
    171   effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
    172                                          *effective);
    173 
    174   scoped_ptr<base::DictionaryValue> shill_dictionary(
    175       onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
    176                                      *effective));
    177 
    178   shill_dictionary->SetStringWithoutPathExpansion(shill::kProfileProperty,
    179                                                   profile.path);
    180 
    181   scoped_ptr<NetworkUIData> ui_data;
    182   if (policy)
    183     ui_data = NetworkUIData::CreateFromONC(onc_source, *policy);
    184   else
    185     ui_data.reset(new NetworkUIData());
    186 
    187   if (settings) {
    188     // Shill doesn't know that sensitive data is contained in the UIData
    189     // property and might write it into logs or other insecure places. Thus, we
    190     // have to remove or mask credentials.
    191     //
    192     // Shill's GetProperties doesn't return credentials. Masking credentials
    193     // instead of just removing them, allows remembering if a credential is set
    194     // or not.
    195     scoped_ptr<base::DictionaryValue> sanitized_settings(
    196         onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature,
    197                                         *settings,
    198                                         kFakeCredential));
    199     ui_data->set_user_settings(sanitized_settings.Pass());
    200   }
    201 
    202   shill_property_util::SetUIData(*ui_data, shill_dictionary.get());
    203 
    204   VLOG(2) << "Created Shill properties: " << *shill_dictionary;
    205 
    206   return shill_dictionary.Pass();
    207 }
    208 
    209 const base::DictionaryValue* FindMatchingPolicy(
    210     const GuidToPolicyMap& policies,
    211     const base::DictionaryValue& actual_network) {
    212   for (GuidToPolicyMap::const_iterator it = policies.begin();
    213        it != policies.end(); ++it) {
    214     if (IsPolicyMatching(*it->second, actual_network))
    215       return it->second;
    216   }
    217   return NULL;
    218 }
    219 
    220 }  // namespace policy_util
    221 
    222 }  // namespace chromeos
    223