chromeos/network/policy_util.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chromeos/network/policy_util.h"
   6
   7 #include "base/logging.h"
   8 #include "base/values.h"
   9 #include "chromeos/network/network_profile.h"
  10 #include "chromeos/network/network_ui_data.h"
  11 #include "chromeos/network/onc/onc_merger.h"
  12 #include "chromeos/network/onc/onc_normalizer.h"
  13 #include "chromeos/network/onc/onc_signature.h"
  14 #include "chromeos/network/onc/onc_translator.h"
  15 #include "chromeos/network/onc/onc_utils.h"
  16 #include "chromeos/network/shill_property_util.h"
  17 #include "components/onc/onc_constants.h"
  18 #include "third_party/cros_system_api/dbus/service_constants.h"
  19
  20 namespace chromeos {
  21
  22 namespace policy_util {
  23
  24 namespace {
  25
  26 // This fake credential contains a random postfix which is extremly unlikely to
  27 // be used by any user.
  28 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
  29
  30
  31 // Removes all kFakeCredential values from sensitive fields (determined by
  32 // onc::FieldIsCredential) of |onc_object|.
  33 void RemoveFakeCredentials(
  34     const onc::OncValueSignature& signature,
  35     base::DictionaryValue* onc_object) {
  36   base::DictionaryValue::Iterator it(*onc_object);
  37   while (!it.IsAtEnd()) {
  38     base::Value* value = NULL;
  39     std::string field_name = it.key();
  40     // We need the non-const entry to remove nested values but DictionaryValue
  41     // has no non-const iterator.
  42     onc_object->GetWithoutPathExpansion(field_name, &value);
  43     // Advance before delete.
  44     it.Advance();
  45
  46     // If |value| is a dictionary, recurse.
  47     base::DictionaryValue* nested_object = NULL;
  48     if (value->GetAsDictionary(&nested_object)) {
  49       const onc::OncFieldSignature* field_signature =
  50           onc::GetFieldSignature(signature, field_name);
  51       if (field_signature)
  52         RemoveFakeCredentials(*field_signature->value_signature, nested_object);
  53       else
  54         LOG(ERROR) << "ONC has unrecoginzed field: " << field_name;
  55       continue;
  56     }
  57
  58     // If |value| is a string, check if it is a fake credential.
  59     std::string string_value;
  60     if (value->GetAsString(&string_value) &&
  61         onc::FieldIsCredential(signature, field_name)) {
  62       if (string_value == kFakeCredential) {
  63         // The value wasn't modified by the UI, thus we remove the field to keep
  64         // the existing value that is stored in Shill.
  65         onc_object->RemoveWithoutPathExpansion(field_name, NULL);
  66       }
  67       // Otherwise, the value is set and modified by the UI, thus we keep that
  68       // value to overwrite whatever is stored in Shill.
  69     }
  70   }
  71 }
  72
  73 // Returns true if |policy| matches |actual_network|, which must be part of a
  74 // ONC NetworkConfiguration. This should be the only such matching function
  75 // within Chrome. Shill does such matching in several functions for network
  76 // identification. For compatibility, we currently should stick to Shill's
  77 // matching behavior.
  78 bool IsPolicyMatching(const base::DictionaryValue& policy,
  79                       const base::DictionaryValue& actual_network) {
  80   std::string policy_type;
  81   policy.GetStringWithoutPathExpansion(::onc::network_config::kType,
  82                                        &policy_type);
  83   std::string actual_network_type;
  84   actual_network.GetStringWithoutPathExpansion(::onc::network_config::kType,
  85                                                &actual_network_type);
  86   if (policy_type != actual_network_type)
  87     return false;
  88
  89   if (actual_network_type == ::onc::network_type::kEthernet) {
  90     const base::DictionaryValue* policy_ethernet = NULL;
  91     policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet,
  92                                              &policy_ethernet);
  93     const base::DictionaryValue* actual_ethernet = NULL;
  94     actual_network.GetDictionaryWithoutPathExpansion(
  95         ::onc::network_config::kEthernet, &actual_ethernet);
  96     if (!policy_ethernet || !actual_ethernet)
  97       return false;
  98
  99     std::string policy_auth;
 100     policy_ethernet->GetStringWithoutPathExpansion(
 101         ::onc::ethernet::kAuthentication, &policy_auth);
 102     std::string actual_auth;
 103     actual_ethernet->GetStringWithoutPathExpansion(
 104         ::onc::ethernet::kAuthentication, &actual_auth);
 105     return policy_auth == actual_auth;
 106   } else if (actual_network_type == ::onc::network_type::kWiFi) {
 107     const base::DictionaryValue* policy_wifi = NULL;
 108     policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kWiFi,
 109                                              &policy_wifi);
 110     const base::DictionaryValue* actual_wifi = NULL;
 111     actual_network.GetDictionaryWithoutPathExpansion(
 112         ::onc::network_config::kWiFi,
 113         &actual_wifi);
 114     if (!policy_wifi || !actual_wifi)
 115       return false;
 116
 117     std::string policy_ssid;
 118     policy_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
 119                                                &policy_ssid);
 120     std::string actual_ssid;
 121     actual_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
 122                                                &actual_ssid);
 123     return (policy_ssid == actual_ssid);
 124   }
 125   return false;
 126 }
 127
 128 }  // namespace
 129
 130 scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
 131     const NetworkProfile& profile,
 132     const std::string& guid,
 133     const base::DictionaryValue* policy,
 134     const base::DictionaryValue* settings) {
 135   scoped_ptr<base::DictionaryValue> effective;
 136   ::onc::ONCSource onc_source = ::onc::ONC_SOURCE_NONE;
 137   if (policy) {
 138     if (profile.type() == NetworkProfile::TYPE_SHARED) {
 139       effective = onc::MergeSettingsAndPoliciesToEffective(
 140           NULL,  // no user policy
 141           policy,  // device policy
 142           NULL,  // no user settings
 143           settings);  // shared settings
 144       onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY;
 145     } else if (profile.type() == NetworkProfile::TYPE_USER) {
 146       effective = onc::MergeSettingsAndPoliciesToEffective(
 147           policy,  // user policy
 148           NULL,  // no device policy
 149           settings,  // user settings
 150           NULL);  // no shared settings
 151       onc_source = ::onc::ONC_SOURCE_USER_POLICY;
 152     } else {
 153       NOTREACHED();
 154     }
 155   } else if (settings) {
 156     effective.reset(settings->DeepCopy());
 157     // TODO(pneubeck): change to source ONC_SOURCE_USER
 158     onc_source = ::onc::ONC_SOURCE_NONE;
 159   } else {
 160     NOTREACHED();
 161     onc_source = ::onc::ONC_SOURCE_NONE;
 162   }
 163
 164   RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
 165                         effective.get());
 166
 167   effective->SetStringWithoutPathExpansion(::onc::network_config::kGUID, guid);
 168
 169   // Remove irrelevant fields.
 170   onc::Normalizer normalizer(true /* remove recommended fields */);
 171   effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
 172                                          *effective);
 173
 174   scoped_ptr<base::DictionaryValue> shill_dictionary(
 175       onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
 176                                      *effective));
 177
 178   shill_dictionary->SetStringWithoutPathExpansion(shill::kProfileProperty,
 179                                                   profile.path);
 180
 181   scoped_ptr<NetworkUIData> ui_data;
 182   if (policy)
 183     ui_data = NetworkUIData::CreateFromONC(onc_source, *policy);
 184   else
 185     ui_data.reset(new NetworkUIData());
 186
 187   if (settings) {
 188     // Shill doesn't know that sensitive data is contained in the UIData
 189     // property and might write it into logs or other insecure places. Thus, we
 190     // have to remove or mask credentials.
 191     //
 192     // Shill's GetProperties doesn't return credentials. Masking credentials
 193     // instead of just removing them, allows remembering if a credential is set
 194     // or not.
 195     scoped_ptr<base::DictionaryValue> sanitized_settings(
 196         onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature,
 197                                         *settings,
 198                                         kFakeCredential));
 199     ui_data->set_user_settings(sanitized_settings.Pass());
 200   }
 201
 202   shill_property_util::SetUIData(*ui_data, shill_dictionary.get());
 203
 204   VLOG(2) << "Created Shill properties: " << *shill_dictionary;
 205
 206   return shill_dictionary.Pass();
 207 }
 208
 209 const base::DictionaryValue* FindMatchingPolicy(
 210     const GuidToPolicyMap& policies,
 211     const base::DictionaryValue& actual_network) {
 212   for (GuidToPolicyMap::const_iterator it = policies.begin();
 213        it != policies.end(); ++it) {
 214     if (IsPolicyMatching(*it->second, actual_network))
 215       return it->second;
 216   }
 217   return NULL;
 218 }
 219
 220 }  // namespace policy_util
 221
 222 }  // namespace chromeos