1 // Copyright 2013 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chromeos/network/policy_util.h" 6 7 #include "base/logging.h" 8 #include "base/values.h" 9 #include "chromeos/network/network_profile.h" 10 #include "chromeos/network/network_ui_data.h" 11 #include "chromeos/network/onc/onc_merger.h" 12 #include "chromeos/network/onc/onc_normalizer.h" 13 #include "chromeos/network/onc/onc_signature.h" 14 #include "chromeos/network/onc/onc_translator.h" 15 #include "chromeos/network/onc/onc_utils.h" 16 #include "chromeos/network/shill_property_util.h" 17 #include "components/onc/onc_constants.h" 18 #include "third_party/cros_system_api/dbus/service_constants.h" 19 20 namespace chromeos { 21 22 namespace policy_util { 23 24 namespace { 25 26 // This fake credential contains a random postfix which is extremly unlikely to 27 // be used by any user. 28 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x"; 29 30 31 // Removes all kFakeCredential values from sensitive fields (determined by 32 // onc::FieldIsCredential) of |onc_object|. 33 void RemoveFakeCredentials( 34 const onc::OncValueSignature& signature, 35 base::DictionaryValue* onc_object) { 36 base::DictionaryValue::Iterator it(*onc_object); 37 while (!it.IsAtEnd()) { 38 base::Value* value = NULL; 39 std::string field_name = it.key(); 40 // We need the non-const entry to remove nested values but DictionaryValue 41 // has no non-const iterator. 42 onc_object->GetWithoutPathExpansion(field_name, &value); 43 // Advance before delete. 44 it.Advance(); 45 46 // If |value| is a dictionary, recurse. 47 base::DictionaryValue* nested_object = NULL; 48 if (value->GetAsDictionary(&nested_object)) { 49 const onc::OncFieldSignature* field_signature = 50 onc::GetFieldSignature(signature, field_name); 51 if (field_signature) 52 RemoveFakeCredentials(*field_signature->value_signature, nested_object); 53 else 54 LOG(ERROR) << "ONC has unrecoginzed field: " << field_name; 55 continue; 56 } 57 58 // If |value| is a string, check if it is a fake credential. 59 std::string string_value; 60 if (value->GetAsString(&string_value) && 61 onc::FieldIsCredential(signature, field_name)) { 62 if (string_value == kFakeCredential) { 63 // The value wasn't modified by the UI, thus we remove the field to keep 64 // the existing value that is stored in Shill. 65 onc_object->RemoveWithoutPathExpansion(field_name, NULL); 66 } 67 // Otherwise, the value is set and modified by the UI, thus we keep that 68 // value to overwrite whatever is stored in Shill. 69 } 70 } 71 } 72 73 // Returns true if |policy| matches |actual_network|, which must be part of a 74 // ONC NetworkConfiguration. This should be the only such matching function 75 // within Chrome. Shill does such matching in several functions for network 76 // identification. For compatibility, we currently should stick to Shill's 77 // matching behavior. 78 bool IsPolicyMatching(const base::DictionaryValue& policy, 79 const base::DictionaryValue& actual_network) { 80 std::string policy_type; 81 policy.GetStringWithoutPathExpansion(::onc::network_config::kType, 82 &policy_type); 83 std::string actual_network_type; 84 actual_network.GetStringWithoutPathExpansion(::onc::network_config::kType, 85 &actual_network_type); 86 if (policy_type != actual_network_type) 87 return false; 88 89 if (actual_network_type == ::onc::network_type::kEthernet) { 90 const base::DictionaryValue* policy_ethernet = NULL; 91 policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet, 92 &policy_ethernet); 93 const base::DictionaryValue* actual_ethernet = NULL; 94 actual_network.GetDictionaryWithoutPathExpansion( 95 ::onc::network_config::kEthernet, &actual_ethernet); 96 if (!policy_ethernet || !actual_ethernet) 97 return false; 98 99 std::string policy_auth; 100 policy_ethernet->GetStringWithoutPathExpansion( 101 ::onc::ethernet::kAuthentication, &policy_auth); 102 std::string actual_auth; 103 actual_ethernet->GetStringWithoutPathExpansion( 104 ::onc::ethernet::kAuthentication, &actual_auth); 105 return policy_auth == actual_auth; 106 } else if (actual_network_type == ::onc::network_type::kWiFi) { 107 const base::DictionaryValue* policy_wifi = NULL; 108 policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kWiFi, 109 &policy_wifi); 110 const base::DictionaryValue* actual_wifi = NULL; 111 actual_network.GetDictionaryWithoutPathExpansion( 112 ::onc::network_config::kWiFi, 113 &actual_wifi); 114 if (!policy_wifi || !actual_wifi) 115 return false; 116 117 std::string policy_ssid; 118 policy_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID, 119 &policy_ssid); 120 std::string actual_ssid; 121 actual_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID, 122 &actual_ssid); 123 return (policy_ssid == actual_ssid); 124 } 125 return false; 126 } 127 128 } // namespace 129 130 scoped_ptr<base::DictionaryValue> CreateShillConfiguration( 131 const NetworkProfile& profile, 132 const std::string& guid, 133 const base::DictionaryValue* policy, 134 const base::DictionaryValue* settings) { 135 scoped_ptr<base::DictionaryValue> effective; 136 ::onc::ONCSource onc_source = ::onc::ONC_SOURCE_NONE; 137 if (policy) { 138 if (profile.type() == NetworkProfile::TYPE_SHARED) { 139 effective = onc::MergeSettingsAndPoliciesToEffective( 140 NULL, // no user policy 141 policy, // device policy 142 NULL, // no user settings 143 settings); // shared settings 144 onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY; 145 } else if (profile.type() == NetworkProfile::TYPE_USER) { 146 effective = onc::MergeSettingsAndPoliciesToEffective( 147 policy, // user policy 148 NULL, // no device policy 149 settings, // user settings 150 NULL); // no shared settings 151 onc_source = ::onc::ONC_SOURCE_USER_POLICY; 152 } else { 153 NOTREACHED(); 154 } 155 } else if (settings) { 156 effective.reset(settings->DeepCopy()); 157 // TODO(pneubeck): change to source ONC_SOURCE_USER 158 onc_source = ::onc::ONC_SOURCE_NONE; 159 } else { 160 NOTREACHED(); 161 onc_source = ::onc::ONC_SOURCE_NONE; 162 } 163 164 RemoveFakeCredentials(onc::kNetworkConfigurationSignature, 165 effective.get()); 166 167 effective->SetStringWithoutPathExpansion(::onc::network_config::kGUID, guid); 168 169 // Remove irrelevant fields. 170 onc::Normalizer normalizer(true /* remove recommended fields */); 171 effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature, 172 *effective); 173 174 scoped_ptr<base::DictionaryValue> shill_dictionary( 175 onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature, 176 *effective)); 177 178 shill_dictionary->SetStringWithoutPathExpansion(shill::kProfileProperty, 179 profile.path); 180 181 scoped_ptr<NetworkUIData> ui_data; 182 if (policy) 183 ui_data = NetworkUIData::CreateFromONC(onc_source, *policy); 184 else 185 ui_data.reset(new NetworkUIData()); 186 187 if (settings) { 188 // Shill doesn't know that sensitive data is contained in the UIData 189 // property and might write it into logs or other insecure places. Thus, we 190 // have to remove or mask credentials. 191 // 192 // Shill's GetProperties doesn't return credentials. Masking credentials 193 // instead of just removing them, allows remembering if a credential is set 194 // or not. 195 scoped_ptr<base::DictionaryValue> sanitized_settings( 196 onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature, 197 *settings, 198 kFakeCredential)); 199 ui_data->set_user_settings(sanitized_settings.Pass()); 200 } 201 202 shill_property_util::SetUIData(*ui_data, shill_dictionary.get()); 203 204 VLOG(2) << "Created Shill properties: " << *shill_dictionary; 205 206 return shill_dictionary.Pass(); 207 } 208 209 const base::DictionaryValue* FindMatchingPolicy( 210 const GuidToPolicyMap& policies, 211 const base::DictionaryValue& actual_network) { 212 for (GuidToPolicyMap::const_iterator it = policies.begin(); 213 it != policies.end(); ++it) { 214 if (IsPolicyMatching(*it->second, actual_network)) 215 return it->second; 216 } 217 return NULL; 218 } 219 220 } // namespace policy_util 221 222 } // namespace chromeos 223