search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Check USB device path access when prompting users to select a device.
[chromium-blink-merge.git] / chrome / browser / chromeos / net / onc_utils.cc
blobabcd08a3eccf8385d434855b60001d46ed3aea5d
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/chromeos/net/onc_utils.h"
6
7 #include "base/bind_helpers.h"
8 #include "base/json/json_writer.h"
9 #include "base/logging.h"
10 #include "base/prefs/pref_service.h"
11 #include "base/values.h"
12 #include "chrome/browser/chromeos/ui_proxy_config.h"
13 #include "chrome/browser/prefs/proxy_config_dictionary.h"
14 #include "chrome/common/pref_names.h"
15 #include "chromeos/network/managed_network_configuration_handler.h"
16 #include "chromeos/network/network_configuration_handler.h"
17 #include "chromeos/network/network_handler.h"
18 #include "chromeos/network/network_profile.h"
19 #include "chromeos/network/network_profile_handler.h"
20 #include "chromeos/network/network_state.h"
21 #include "chromeos/network/network_state_handler.h"
22 #include "chromeos/network/network_ui_data.h"
23 #include "chromeos/network/onc/onc_normalizer.h"
24 #include "chromeos/network/onc/onc_signature.h"
25 #include "chromeos/network/onc/onc_translator.h"
26 #include "chromeos/network/onc/onc_utils.h"
27 #include "components/user_manager/user.h"
28 #include "components/user_manager/user_manager.h"
29 #include "net/base/host_port_pair.h"
30 #include "net/proxy/proxy_bypass_rules.h"
31 #include "net/proxy/proxy_server.h"
32 #include "third_party/cros_system_api/dbus/service_constants.h"
33 #include "url/gurl.h"
34
35 namespace chromeos {
36 namespace onc {
37
38 namespace {
39
40 net::ProxyServer ConvertOncProxyLocationToHostPort(
41 net::ProxyServer::Scheme default_proxy_scheme,
42 const base::DictionaryValue& onc_proxy_location) {
43 std::string host;
44 onc_proxy_location.GetStringWithoutPathExpansion(::onc::proxy::kHost, &host);
45 // Parse |host| according to the format [<scheme>"://"]<server>[":"<port>].
46 net::ProxyServer proxy_server =
47 net::ProxyServer::FromURI(host, default_proxy_scheme);
48 int port = 0;
49 onc_proxy_location.GetIntegerWithoutPathExpansion(::onc::proxy::kPort, &port);
50
51 // Replace the port parsed from |host| by the provided |port|.
52 return net::ProxyServer(
53 proxy_server.scheme(),
54 net::HostPortPair(proxy_server.host_port_pair().host(),
55 static_cast<uint16>(port)));
56 }
57
58 void AppendProxyServerForScheme(
59 const base::DictionaryValue& onc_manual,
60 const std::string& onc_scheme,
61 std::string* spec) {
62 const base::DictionaryValue* onc_proxy_location = NULL;
63 if (!onc_manual.GetDictionaryWithoutPathExpansion(onc_scheme,
64 &onc_proxy_location)) {
65 return;
66 }
67
68 net::ProxyServer::Scheme default_proxy_scheme = net::ProxyServer::SCHEME_HTTP;
69 std::string url_scheme;
70 if (onc_scheme == ::onc::proxy::kFtp) {
71 url_scheme = "ftp";
72 } else if (onc_scheme == ::onc::proxy::kHttp) {
73 url_scheme = "http";
74 } else if (onc_scheme == ::onc::proxy::kHttps) {
75 url_scheme = "https";
76 } else if (onc_scheme == ::onc::proxy::kSocks) {
77 default_proxy_scheme = net::ProxyServer::SCHEME_SOCKS4;
78 url_scheme = "socks";
79 } else {
80 NOTREACHED();
81 }
82
83 net::ProxyServer proxy_server = ConvertOncProxyLocationToHostPort(
84 default_proxy_scheme, *onc_proxy_location);
85
86 UIProxyConfig::EncodeAndAppendProxyServer(url_scheme, proxy_server, spec);
87 }
88
89 net::ProxyBypassRules ConvertOncExcludeDomainsToBypassRules(
90 const base::ListValue& onc_exclude_domains) {
91 net::ProxyBypassRules rules;
92 for (base::ListValue::const_iterator it = onc_exclude_domains.begin();
93 it != onc_exclude_domains.end(); ++it) {
94 std::string rule;
95 (*it)->GetAsString(&rule);
96 rules.AddRuleFromString(rule);
97 }
98 return rules;
99 }
100
101 } // namespace
102
103 scoped_ptr<base::DictionaryValue> ConvertOncProxySettingsToProxyConfig(
104 const base::DictionaryValue& onc_proxy_settings) {
105 std::string type;
106 onc_proxy_settings.GetStringWithoutPathExpansion(::onc::proxy::kType, &type);
107 scoped_ptr<base::DictionaryValue> proxy_dict;
108
109 if (type == ::onc::proxy::kDirect) {
110 proxy_dict.reset(ProxyConfigDictionary::CreateDirect());
111 } else if (type == ::onc::proxy::kWPAD) {
112 proxy_dict.reset(ProxyConfigDictionary::CreateAutoDetect());
113 } else if (type == ::onc::proxy::kPAC) {
114 std::string pac_url;
115 onc_proxy_settings.GetStringWithoutPathExpansion(::onc::proxy::kPAC,
116 &pac_url);
117 GURL url(pac_url);
118 DCHECK(url.is_valid())
119 << "PAC field is invalid for this ProxySettings.Type";
120 proxy_dict.reset(ProxyConfigDictionary::CreatePacScript(url.spec(),
121 false));
122 } else if (type == ::onc::proxy::kManual) {
123 const base::DictionaryValue* manual_dict = NULL;
124 onc_proxy_settings.GetDictionaryWithoutPathExpansion(::onc::proxy::kManual,
125 &manual_dict);
126 std::string manual_spec;
127 AppendProxyServerForScheme(*manual_dict, ::onc::proxy::kFtp, &manual_spec);
128 AppendProxyServerForScheme(*manual_dict, ::onc::proxy::kHttp, &manual_spec);
129 AppendProxyServerForScheme(*manual_dict, ::onc::proxy::kSocks,
130 &manual_spec);
131 AppendProxyServerForScheme(*manual_dict, ::onc::proxy::kHttps,
132 &manual_spec);
133
134 const base::ListValue* exclude_domains = NULL;
135 net::ProxyBypassRules bypass_rules;
136 if (onc_proxy_settings.GetListWithoutPathExpansion(
137 ::onc::proxy::kExcludeDomains, &exclude_domains)) {
138 bypass_rules.AssignFrom(
139 ConvertOncExcludeDomainsToBypassRules(*exclude_domains));
140 }
141 proxy_dict.reset(ProxyConfigDictionary::CreateFixedServers(
142 manual_spec, bypass_rules.ToString()));
143 } else {
144 NOTREACHED();
145 }
146 return proxy_dict.Pass();
147 }
148
149 namespace {
150
151 // This class defines which string placeholders of ONC are replaced by which
152 // user attribute.
153 class UserStringSubstitution : public chromeos::onc::StringSubstitution {
154 public:
155 explicit UserStringSubstitution(const user_manager::User* user)
156 : user_(user) {}
157 ~UserStringSubstitution() override {}
158
159 bool GetSubstitute(const std::string& placeholder,
160 std::string* substitute) const override {
161 if (placeholder == ::onc::substitutes::kLoginIDField)
162 *substitute = user_->GetAccountName(false);
163 else if (placeholder == ::onc::substitutes::kEmailField)
164 *substitute = user_->email();
165 else
166 return false;
167 return true;
168 }
169
170 private:
171 const user_manager::User* user_;
172
173 DISALLOW_COPY_AND_ASSIGN(UserStringSubstitution);
174 };
175
176 } // namespace
177
178 void ExpandStringPlaceholdersInNetworksForUser(
179 const user_manager::User* user,
180 base::ListValue* network_configs) {
181 if (!user) {
182 // In tests no user may be logged in. It's not harmful if we just don't
183 // expand the strings.
184 return;
185 }
186 UserStringSubstitution substitution(user);
187 chromeos::onc::ExpandStringsInNetworks(substitution, network_configs);
188 }
189
190 void ImportNetworksForUser(const user_manager::User* user,
191 const base::ListValue& network_configs,
192 std::string* error) {
193 error->clear();
194
195 scoped_ptr<base::ListValue> expanded_networks(network_configs.DeepCopy());
196 ExpandStringPlaceholdersInNetworksForUser(user, expanded_networks.get());
197
198 const NetworkProfile* profile =
199 NetworkHandler::Get()->network_profile_handler()->GetProfileForUserhash(
200 user->username_hash());
201 if (!profile) {
202 *error = "User profile doesn't exist.";
203 return;
204 }
205
206 bool ethernet_not_found = false;
207 for (base::ListValue::const_iterator it = expanded_networks->begin();
208 it != expanded_networks->end();
209 ++it) {
210 const base::DictionaryValue* network = NULL;
211 (*it)->GetAsDictionary(&network);
212 DCHECK(network);
213
214 // Remove irrelevant fields.
215 onc::Normalizer normalizer(true /* remove recommended fields */);
216 scoped_ptr<base::DictionaryValue> normalized_network =
217 normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
218 *network);
219
220 // TODO(pneubeck): Use ONC and ManagedNetworkConfigurationHandler instead.
221 // crbug.com/457936
222 scoped_ptr<base::DictionaryValue> shill_dict =
223 onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
224 *normalized_network);
225
226 scoped_ptr<NetworkUIData> ui_data(
227 NetworkUIData::CreateFromONC(::onc::ONC_SOURCE_USER_IMPORT));
228 base::DictionaryValue ui_data_dict;
229 ui_data->FillDictionary(&ui_data_dict);
230 std::string ui_data_json;
231 base::JSONWriter::Write(&ui_data_dict, &ui_data_json);
232 shill_dict->SetStringWithoutPathExpansion(shill::kUIDataProperty,
233 ui_data_json);
234
235 shill_dict->SetStringWithoutPathExpansion(shill::kProfileProperty,
236 profile->path);
237
238 std::string type;
239 shill_dict->GetStringWithoutPathExpansion(shill::kTypeProperty, &type);
240 NetworkConfigurationHandler* config_handler =
241 NetworkHandler::Get()->network_configuration_handler();
242 if (NetworkTypePattern::Ethernet().MatchesType(type)) {
243 // Ethernet has to be configured using an existing Ethernet service.
244 const NetworkState* ethernet =
245 NetworkHandler::Get()->network_state_handler()->FirstNetworkByType(
246 NetworkTypePattern::Ethernet());
247 if (ethernet) {
248 config_handler->SetShillProperties(
249 ethernet->path(), *shill_dict,
250 NetworkConfigurationObserver::SOURCE_USER_ACTION, base::Closure(),
251 network_handler::ErrorCallback());
252 } else {
253 ethernet_not_found = true;
254 }
255
256 } else {
257 config_handler->CreateShillConfiguration(
258 *shill_dict, NetworkConfigurationObserver::SOURCE_USER_ACTION,
259 network_handler::StringResultCallback(),
260 network_handler::ErrorCallback());
261 }
262 }
263
264 if (ethernet_not_found)
265 *error = "No Ethernet available to configure.";
266 }
267
268 const base::DictionaryValue* FindPolicyForActiveUser(
269 const std::string& guid,
270 ::onc::ONCSource* onc_source) {
271 const user_manager::User* user =
272 user_manager::UserManager::Get()->GetActiveUser();
273 std::string username_hash = user ? user->username_hash() : std::string();
274 return NetworkHandler::Get()->managed_network_configuration_handler()->
275 FindPolicyByGUID(username_hash, guid, onc_source);
276 }
277
278 const base::DictionaryValue* GetGlobalConfigFromPolicy(bool for_active_user) {
279 std::string username_hash;
280 if (for_active_user) {
281 const user_manager::User* user =
282 user_manager::UserManager::Get()->GetActiveUser();
283 if (!user) {
284 LOG(ERROR) << "No user logged in yet.";
285 return NULL;
286 }
287 username_hash = user->username_hash();
288 }
289 return NetworkHandler::Get()->managed_network_configuration_handler()->
290 GetGlobalConfigFromPolicy(username_hash);
291 }
292
293 bool PolicyAllowsOnlyPolicyNetworksToAutoconnect(bool for_active_user) {
294 const base::DictionaryValue* global_config =
295 GetGlobalConfigFromPolicy(for_active_user);
296 if (!global_config)
297 return false; // By default, all networks are allowed to autoconnect.
298
299 bool only_policy_autoconnect = false;
300 global_config->GetBooleanWithoutPathExpansion(
301 ::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
302 &only_policy_autoconnect);
303 return only_policy_autoconnect;
304 }
305
306 namespace {
307
308 const base::DictionaryValue* GetNetworkConfigByGUID(
309 const base::ListValue& network_configs,
310 const std::string& guid) {
311 for (base::ListValue::const_iterator it = network_configs.begin();
312 it != network_configs.end(); ++it) {
313 const base::DictionaryValue* network = NULL;
314 (*it)->GetAsDictionary(&network);
315 DCHECK(network);
316
317 std::string current_guid;
318 network->GetStringWithoutPathExpansion(::onc::network_config::kGUID,
319 &current_guid);
320 if (current_guid == guid)
321 return network;
322 }
323 return NULL;
324 }
325
326 const base::DictionaryValue* GetNetworkConfigForEthernetWithoutEAP(
327 const base::ListValue& network_configs) {
328 VLOG(2) << "Search for ethernet policy without EAP.";
329 for (base::ListValue::const_iterator it = network_configs.begin();
330 it != network_configs.end(); ++it) {
331 const base::DictionaryValue* network = NULL;
332 (*it)->GetAsDictionary(&network);
333 DCHECK(network);
334
335 std::string type;
336 network->GetStringWithoutPathExpansion(::onc::network_config::kType, &type);
337 if (type != ::onc::network_type::kEthernet)
338 continue;
339
340 const base::DictionaryValue* ethernet = NULL;
341 network->GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet,
342 &ethernet);
343
344 std::string auth;
345 ethernet->GetStringWithoutPathExpansion(::onc::ethernet::kAuthentication,
346 &auth);
347 if (auth == ::onc::ethernet::kAuthenticationNone)
348 return network;
349 }
350 return NULL;
351 }
352
353 const base::DictionaryValue* GetNetworkConfigForNetworkFromOnc(
354 const base::ListValue& network_configs,
355 const NetworkState& network) {
356 // In all cases except Ethernet, we use the GUID of |network|.
357 if (!network.Matches(NetworkTypePattern::Ethernet()))
358 return GetNetworkConfigByGUID(network_configs, network.guid());
359
360 // Ethernet is always shared and thus cannot store a GUID per user. Thus we
361 // search for any Ethernet policy intead of a matching GUID.
362 // EthernetEAP service contains only the EAP parameters and stores the GUID of
363 // the respective ONC policy. The EthernetEAP service itself is however never
364 // in state "connected". An EthernetEAP policy must be applied, if an Ethernet
365 // service is connected using the EAP parameters.
366 const NetworkState* ethernet_eap = NULL;
367 if (NetworkHandler::IsInitialized()) {
368 ethernet_eap =
369 NetworkHandler::Get()->network_state_handler()->GetEAPForEthernet(
370 network.path());
371 }
372
373 // The GUID associated with the EthernetEAP service refers to the ONC policy
374 // with "Authentication: 8021X".
375 if (ethernet_eap)
376 return GetNetworkConfigByGUID(network_configs, ethernet_eap->guid());
377
378 // Otherwise, EAP is not used and instead the Ethernet policy with
379 // "Authentication: None" applies.
380 return GetNetworkConfigForEthernetWithoutEAP(network_configs);
381 }
382
383 const base::DictionaryValue* GetPolicyForNetworkFromPref(
384 const PrefService* pref_service,
385 const char* pref_name,
386 const NetworkState& network) {
387 if (!pref_service) {
388 VLOG(2) << "No pref service";
389 return NULL;
390 }
391
392 const PrefService::Preference* preference =
393 pref_service->FindPreference(pref_name);
394 if (!preference) {
395 VLOG(2) << "No preference " << pref_name;
396 // The preference may not exist in tests.
397 return NULL;
398 }
399
400 // User prefs are not stored in this Preference yet but only the policy.
401 //
402 // The policy server incorrectly configures the OpenNetworkConfiguration user
403 // policy as Recommended. To work around that, we handle the Recommended and
404 // the Mandatory value in the same way.
405 // TODO(pneubeck): Remove this workaround, once the server is fixed. See
406 // http://crbug.com/280553 .
407 if (preference->IsDefaultValue()) {
408 VLOG(2) << "Preference has no recommended or mandatory value.";
409 // No policy set.
410 return NULL;
411 }
412 VLOG(2) << "Preference with policy found.";
413 const base::Value* onc_policy_value = preference->GetValue();
414 DCHECK(onc_policy_value);
415
416 const base::ListValue* onc_policy = NULL;
417 onc_policy_value->GetAsList(&onc_policy);
418 DCHECK(onc_policy);
419
420 return GetNetworkConfigForNetworkFromOnc(*onc_policy, network);
421 }
422
423 } // namespace
424
425 const base::DictionaryValue* GetPolicyForNetwork(
426 const PrefService* profile_prefs,
427 const PrefService* local_state_prefs,
428 const NetworkState& network,
429 ::onc::ONCSource* onc_source) {
430 VLOG(2) << "GetPolicyForNetwork: " << network.path();
431 *onc_source = ::onc::ONC_SOURCE_NONE;
432
433 const base::DictionaryValue* network_policy = GetPolicyForNetworkFromPref(
434 profile_prefs, prefs::kOpenNetworkConfiguration, network);
435 if (network_policy) {
436 VLOG(1) << "Network " << network.path() << " is managed by user policy.";
437 *onc_source = ::onc::ONC_SOURCE_USER_POLICY;
438 return network_policy;
439 }
440 network_policy = GetPolicyForNetworkFromPref(
441 local_state_prefs, prefs::kDeviceOpenNetworkConfiguration, network);
442 if (network_policy) {
443 VLOG(1) << "Network " << network.path() << " is managed by device policy.";
444 *onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY;
445 return network_policy;
446 }
447 VLOG(2) << "Network " << network.path() << " is unmanaged.";
448 return NULL;
449 }
450
451 bool HasPolicyForNetwork(const PrefService* profile_prefs,
452 const PrefService* local_state_prefs,
453 const NetworkState& network) {
454 ::onc::ONCSource ignored_onc_source;
455 const base::DictionaryValue* policy = onc::GetPolicyForNetwork(
456 profile_prefs, local_state_prefs, network, &ignored_onc_source);
457 return policy != NULL;
458 }
459
460 } // namespace onc
461 } // namespace chromeos