Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / chromeos / network / policy_util.cc
blob8ac485629168a8006d95555dc15813e8988f475e
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/network/policy_util.h"
7 #include "base/logging.h"
8 #include "base/values.h"
9 #include "chromeos/network/network_profile.h"
10 #include "chromeos/network/network_ui_data.h"
11 #include "chromeos/network/onc/onc_merger.h"
12 #include "chromeos/network/onc/onc_normalizer.h"
13 #include "chromeos/network/onc/onc_signature.h"
14 #include "chromeos/network/onc/onc_translator.h"
15 #include "chromeos/network/onc/onc_utils.h"
16 #include "chromeos/network/shill_property_util.h"
17 #include "components/onc/onc_constants.h"
18 #include "third_party/cros_system_api/dbus/service_constants.h"
20 namespace chromeos {
22 namespace policy_util {
24 namespace {
26 // This fake credential contains a random postfix which is extremly unlikely to
27 // be used by any user.
28 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
31 // Removes all kFakeCredential values from sensitive fields (determined by
32 // onc::FieldIsCredential) of |onc_object|.
33 void RemoveFakeCredentials(
34 const onc::OncValueSignature& signature,
35 base::DictionaryValue* onc_object) {
36 base::DictionaryValue::Iterator it(*onc_object);
37 while (!it.IsAtEnd()) {
38 base::Value* value = NULL;
39 std::string field_name = it.key();
40 // We need the non-const entry to remove nested values but DictionaryValue
41 // has no non-const iterator.
42 onc_object->GetWithoutPathExpansion(field_name, &value);
43 // Advance before delete.
44 it.Advance();
46 // If |value| is a dictionary, recurse.
47 base::DictionaryValue* nested_object = NULL;
48 if (value->GetAsDictionary(&nested_object)) {
49 const onc::OncFieldSignature* field_signature =
50 onc::GetFieldSignature(signature, field_name);
51 if (field_signature)
52 RemoveFakeCredentials(*field_signature->value_signature, nested_object);
53 else
54 LOG(ERROR) << "ONC has unrecoginzed field: " << field_name;
55 continue;
58 // If |value| is a string, check if it is a fake credential.
59 std::string string_value;
60 if (value->GetAsString(&string_value) &&
61 onc::FieldIsCredential(signature, field_name)) {
62 if (string_value == kFakeCredential) {
63 // The value wasn't modified by the UI, thus we remove the field to keep
64 // the existing value that is stored in Shill.
65 onc_object->RemoveWithoutPathExpansion(field_name, NULL);
67 // Otherwise, the value is set and modified by the UI, thus we keep that
68 // value to overwrite whatever is stored in Shill.
73 // Returns true if |policy| matches |actual_network|, which must be part of a
74 // ONC NetworkConfiguration. This should be the only such matching function
75 // within Chrome. Shill does such matching in several functions for network
76 // identification. For compatibility, we currently should stick to Shill's
77 // matching behavior.
78 bool IsPolicyMatching(const base::DictionaryValue& policy,
79 const base::DictionaryValue& actual_network) {
80 std::string policy_type;
81 policy.GetStringWithoutPathExpansion(::onc::network_config::kType,
82 &policy_type);
83 std::string actual_network_type;
84 actual_network.GetStringWithoutPathExpansion(::onc::network_config::kType,
85 &actual_network_type);
86 if (policy_type != actual_network_type)
87 return false;
89 if (actual_network_type == ::onc::network_type::kEthernet) {
90 const base::DictionaryValue* policy_ethernet = NULL;
91 policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet,
92 &policy_ethernet);
93 const base::DictionaryValue* actual_ethernet = NULL;
94 actual_network.GetDictionaryWithoutPathExpansion(
95 ::onc::network_config::kEthernet, &actual_ethernet);
96 if (!policy_ethernet || !actual_ethernet)
97 return false;
99 std::string policy_auth;
100 policy_ethernet->GetStringWithoutPathExpansion(
101 ::onc::ethernet::kAuthentication, &policy_auth);
102 std::string actual_auth;
103 actual_ethernet->GetStringWithoutPathExpansion(
104 ::onc::ethernet::kAuthentication, &actual_auth);
105 return policy_auth == actual_auth;
106 } else if (actual_network_type == ::onc::network_type::kWiFi) {
107 const base::DictionaryValue* policy_wifi = NULL;
108 policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kWiFi,
109 &policy_wifi);
110 const base::DictionaryValue* actual_wifi = NULL;
111 actual_network.GetDictionaryWithoutPathExpansion(
112 ::onc::network_config::kWiFi,
113 &actual_wifi);
114 if (!policy_wifi || !actual_wifi)
115 return false;
117 std::string policy_ssid;
118 policy_wifi->GetStringWithoutPathExpansion(::onc::wifi::kHexSSID,
119 &policy_ssid);
120 std::string actual_ssid;
121 actual_wifi->GetStringWithoutPathExpansion(::onc::wifi::kHexSSID,
122 &actual_ssid);
123 return (policy_ssid == actual_ssid);
125 return false;
128 // Returns true if AutoConnect is enabled by |policy| (as mandatory or
129 // recommended setting). Otherwise and on error returns false.
130 bool IsAutoConnectEnabledInPolicy(const base::DictionaryValue& policy) {
131 std::string type;
132 policy.GetStringWithoutPathExpansion(::onc::network_config::kType, &type);
134 std::string autoconnect_key;
135 std::string network_dict_key;
136 if (type == ::onc::network_type::kWiFi) {
137 network_dict_key = ::onc::network_config::kWiFi;
138 autoconnect_key = ::onc::wifi::kAutoConnect;
139 } else if (type == ::onc::network_type::kVPN) {
140 network_dict_key = ::onc::network_config::kVPN;
141 autoconnect_key = ::onc::vpn::kAutoConnect;
142 } else {
143 VLOG(2) << "Network type without autoconnect property.";
144 return false;
147 const base::DictionaryValue* network_dict = NULL;
148 policy.GetDictionaryWithoutPathExpansion(network_dict_key, &network_dict);
149 if (!network_dict) {
150 LOG(ERROR) << "ONC doesn't contain a " << network_dict_key
151 << " dictionary.";
152 return false;
155 bool autoconnect = false;
156 network_dict->GetBooleanWithoutPathExpansion(autoconnect_key, &autoconnect);
157 return autoconnect;
160 base::DictionaryValue* GetOrCreateDictionary(const std::string& key,
161 base::DictionaryValue* dict) {
162 base::DictionaryValue* inner_dict = NULL;
163 if (!dict->GetDictionaryWithoutPathExpansion(key, &inner_dict)) {
164 inner_dict = new base::DictionaryValue;
165 dict->SetWithoutPathExpansion(key, inner_dict);
167 return inner_dict;
170 base::DictionaryValue* GetOrCreateNestedDictionary(
171 const std::string& key1,
172 const std::string& key2,
173 base::DictionaryValue* dict) {
174 base::DictionaryValue* inner_dict = GetOrCreateDictionary(key1, dict);
175 return GetOrCreateDictionary(key2, inner_dict);
178 void ApplyGlobalAutoconnectPolicy(
179 NetworkProfile::Type profile_type,
180 base::DictionaryValue* augmented_onc_network) {
181 base::DictionaryValue* type_dictionary = NULL;
182 augmented_onc_network->GetDictionaryWithoutPathExpansion(
183 ::onc::network_config::kType, &type_dictionary);
184 std::string type;
185 if (!type_dictionary ||
186 !type_dictionary->GetStringWithoutPathExpansion(
187 ::onc::kAugmentationActiveSetting, &type) ||
188 type.empty()) {
189 LOG(ERROR) << "ONC dictionary with no Type.";
190 return;
193 // Managed dictionaries don't contain empty dictionaries (see onc_merger.cc),
194 // so add the Autoconnect dictionary in case Shill didn't report a value.
195 base::DictionaryValue* auto_connect_dictionary = NULL;
196 if (type == ::onc::network_type::kWiFi) {
197 auto_connect_dictionary =
198 GetOrCreateNestedDictionary(::onc::network_config::kWiFi,
199 ::onc::wifi::kAutoConnect,
200 augmented_onc_network);
201 } else if (type == ::onc::network_type::kVPN) {
202 auto_connect_dictionary =
203 GetOrCreateNestedDictionary(::onc::network_config::kVPN,
204 ::onc::vpn::kAutoConnect,
205 augmented_onc_network);
206 } else {
207 return; // Network type without auto-connect property.
210 std::string policy_source;
211 if (profile_type == NetworkProfile::TYPE_USER)
212 policy_source = ::onc::kAugmentationUserPolicy;
213 else if (profile_type == NetworkProfile::TYPE_SHARED)
214 policy_source = ::onc::kAugmentationDevicePolicy;
215 else
216 NOTREACHED();
218 auto_connect_dictionary->SetBooleanWithoutPathExpansion(policy_source, false);
219 auto_connect_dictionary->SetStringWithoutPathExpansion(
220 ::onc::kAugmentationEffectiveSetting, policy_source);
223 } // namespace
225 scoped_ptr<base::DictionaryValue> CreateManagedONC(
226 const base::DictionaryValue* global_policy,
227 const base::DictionaryValue* network_policy,
228 const base::DictionaryValue* user_settings,
229 const base::DictionaryValue* active_settings,
230 const NetworkProfile* profile) {
231 const base::DictionaryValue* user_policy = NULL;
232 const base::DictionaryValue* device_policy = NULL;
233 const base::DictionaryValue* nonshared_user_settings = NULL;
234 const base::DictionaryValue* shared_user_settings = NULL;
236 if (profile) {
237 if (profile->type() == NetworkProfile::TYPE_SHARED) {
238 device_policy = network_policy;
239 shared_user_settings = user_settings;
240 } else if (profile->type() == NetworkProfile::TYPE_USER) {
241 user_policy = network_policy;
242 nonshared_user_settings = user_settings;
243 } else {
244 NOTREACHED();
248 // This call also removes credentials from policies.
249 scoped_ptr<base::DictionaryValue> augmented_onc_network =
250 onc::MergeSettingsAndPoliciesToAugmented(
251 onc::kNetworkConfigurationSignature,
252 user_policy,
253 device_policy,
254 nonshared_user_settings,
255 shared_user_settings,
256 active_settings);
258 // If present, apply the Autoconnect policy only to networks that are not
259 // managed by policy.
260 if (!network_policy && global_policy && profile) {
261 bool allow_only_policy_autoconnect = false;
262 global_policy->GetBooleanWithoutPathExpansion(
263 ::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
264 &allow_only_policy_autoconnect);
265 if (allow_only_policy_autoconnect) {
266 ApplyGlobalAutoconnectPolicy(profile->type(),
267 augmented_onc_network.get());
271 return augmented_onc_network.Pass();
274 void SetShillPropertiesForGlobalPolicy(
275 const base::DictionaryValue& shill_dictionary,
276 const base::DictionaryValue& global_network_policy,
277 base::DictionaryValue* shill_properties_to_update) {
278 // kAllowOnlyPolicyNetworksToAutoconnect is currently the only global config.
280 std::string type;
281 shill_dictionary.GetStringWithoutPathExpansion(shill::kTypeProperty, &type);
282 if (NetworkTypePattern::Ethernet().MatchesType(type))
283 return; // Autoconnect for Ethernet cannot be configured.
285 // By default all networks are allowed to autoconnect.
286 bool only_policy_autoconnect = false;
287 global_network_policy.GetBooleanWithoutPathExpansion(
288 ::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
289 &only_policy_autoconnect);
290 if (!only_policy_autoconnect)
291 return;
293 bool old_autoconnect = false;
294 if (shill_dictionary.GetBooleanWithoutPathExpansion(
295 shill::kAutoConnectProperty, &old_autoconnect) &&
296 !old_autoconnect) {
297 // Autoconnect is already explictly disabled. No need to set it again.
298 return;
301 // If autconnect is not explicitly set yet, it might automatically be enabled
302 // by Shill. To prevent that, disable it explicitly.
303 shill_properties_to_update->SetBooleanWithoutPathExpansion(
304 shill::kAutoConnectProperty, false);
307 scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
308 const NetworkProfile& profile,
309 const std::string& guid,
310 const base::DictionaryValue* global_policy,
311 const base::DictionaryValue* network_policy,
312 const base::DictionaryValue* user_settings) {
313 scoped_ptr<base::DictionaryValue> effective;
314 ::onc::ONCSource onc_source = ::onc::ONC_SOURCE_NONE;
315 if (network_policy) {
316 if (profile.type() == NetworkProfile::TYPE_SHARED) {
317 effective = onc::MergeSettingsAndPoliciesToEffective(
318 NULL, // no user policy
319 network_policy, // device policy
320 NULL, // no user settings
321 user_settings); // shared settings
322 onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY;
323 } else if (profile.type() == NetworkProfile::TYPE_USER) {
324 effective = onc::MergeSettingsAndPoliciesToEffective(
325 network_policy, // user policy
326 NULL, // no device policy
327 user_settings, // user settings
328 NULL); // no shared settings
329 onc_source = ::onc::ONC_SOURCE_USER_POLICY;
330 } else {
331 NOTREACHED();
333 } else if (user_settings) {
334 effective.reset(user_settings->DeepCopy());
335 // TODO(pneubeck): change to source ONC_SOURCE_USER
336 onc_source = ::onc::ONC_SOURCE_NONE;
337 } else {
338 NOTREACHED();
339 onc_source = ::onc::ONC_SOURCE_NONE;
342 RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
343 effective.get());
345 effective->SetStringWithoutPathExpansion(::onc::network_config::kGUID, guid);
347 // Remove irrelevant fields.
348 onc::Normalizer normalizer(true /* remove recommended fields */);
349 effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
350 *effective);
352 scoped_ptr<base::DictionaryValue> shill_dictionary(
353 onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
354 *effective));
356 shill_dictionary->SetStringWithoutPathExpansion(shill::kProfileProperty,
357 profile.path);
359 // If AutoConnect is enabled by policy, set the ManagedCredentials property to
360 // indicate to Shill that this network can be used for autoconnect even
361 // without a manual and successful connection attempt.
362 // Note that this is only an indicator for the administrator's true intention,
363 // i.e. when the administrator enables AutoConnect, we assume that the network
364 // is indeed connectable.
365 // Ideally, we would know whether the (policy) provided credentials are
366 // complete and only set ManagedCredentials in that case.
367 if (network_policy && IsAutoConnectEnabledInPolicy(*network_policy)) {
368 VLOG(1) << "Enable ManagedCredentials for managed network with GUID "
369 << guid;
370 shill_dictionary->SetBooleanWithoutPathExpansion(
371 shill::kManagedCredentialsProperty, true);
374 if (!network_policy && global_policy) {
375 // The network isn't managed. Global network policies have to be applied.
376 SetShillPropertiesForGlobalPolicy(
377 *shill_dictionary, *global_policy, shill_dictionary.get());
380 scoped_ptr<NetworkUIData> ui_data(NetworkUIData::CreateFromONC(onc_source));
382 if (user_settings) {
383 // Shill doesn't know that sensitive data is contained in the UIData
384 // property and might write it into logs or other insecure places. Thus, we
385 // have to remove or mask credentials.
387 // Shill's GetProperties doesn't return credentials. Masking credentials
388 // instead of just removing them, allows remembering if a credential is set
389 // or not.
390 scoped_ptr<base::DictionaryValue> sanitized_user_settings(
391 onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature,
392 *user_settings,
393 kFakeCredential));
394 ui_data->set_user_settings(sanitized_user_settings.Pass());
397 shill_property_util::SetUIData(*ui_data, shill_dictionary.get());
399 VLOG(2) << "Created Shill properties: " << *shill_dictionary;
401 return shill_dictionary.Pass();
404 const base::DictionaryValue* FindMatchingPolicy(
405 const GuidToPolicyMap& policies,
406 const base::DictionaryValue& actual_network) {
407 for (GuidToPolicyMap::const_iterator it = policies.begin();
408 it != policies.end(); ++it) {
409 if (IsPolicyMatching(*it->second, actual_network))
410 return it->second;
412 return NULL;
415 } // namespace policy_util
417 } // namespace chromeos