1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/network/policy_applicator.h"
10 #include "base/location.h"
11 #include "base/logging.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "base/stl_util.h"
14 #include "chromeos/dbus/dbus_thread_manager.h"
15 #include "chromeos/dbus/shill_profile_client.h"
16 #include "chromeos/network/network_type_pattern.h"
17 #include "chromeos/network/network_ui_data.h"
18 #include "chromeos/network/onc/onc_signature.h"
19 #include "chromeos/network/onc/onc_translator.h"
20 #include "chromeos/network/policy_util.h"
21 #include "chromeos/network/shill_property_util.h"
22 #include "components/onc/onc_constants.h"
23 #include "dbus/object_path.h"
24 #include "third_party/cros_system_api/dbus/service_constants.h"
30 void LogErrorMessage(const tracked_objects::Location
& from_where
,
31 const std::string
& error_name
,
32 const std::string
& error_message
) {
33 LOG(ERROR
) << from_where
.ToString() << ": " << error_message
;
36 const base::DictionaryValue
* GetByGUID(
37 const PolicyApplicator::GuidToPolicyMap
& policies
,
38 const std::string
& guid
) {
39 PolicyApplicator::GuidToPolicyMap::const_iterator it
= policies
.find(guid
);
40 if (it
== policies
.end())
47 PolicyApplicator::PolicyApplicator(
48 const NetworkProfile
& profile
,
49 const GuidToPolicyMap
& all_policies
,
50 const base::DictionaryValue
& global_network_config
,
51 ConfigurationHandler
* handler
,
52 std::set
<std::string
>* modified_policies
)
53 : handler_(handler
), profile_(profile
), weak_ptr_factory_(this) {
54 global_network_config_
.MergeDictionary(&global_network_config
);
55 remaining_policies_
.swap(*modified_policies
);
56 for (GuidToPolicyMap::const_iterator it
= all_policies
.begin();
57 it
!= all_policies
.end(); ++it
) {
58 all_policies_
.insert(std::make_pair(it
->first
, it
->second
->DeepCopy()));
62 PolicyApplicator::~PolicyApplicator() {
63 STLDeleteValues(&all_policies_
);
64 VLOG(1) << "Destroying PolicyApplicator for " << profile_
.userhash
;
67 void PolicyApplicator::Run() {
68 DBusThreadManager::Get()->GetShillProfileClient()->GetProperties(
69 dbus::ObjectPath(profile_
.path
),
70 base::Bind(&PolicyApplicator::GetProfilePropertiesCallback
,
71 weak_ptr_factory_
.GetWeakPtr()),
72 base::Bind(&PolicyApplicator::GetProfilePropertiesError
,
73 weak_ptr_factory_
.GetWeakPtr()));
76 void PolicyApplicator::ProfileEntryFinished(const std::string
& entry
) {
77 pending_get_entry_calls_
.erase(entry
);
78 if (pending_get_entry_calls_
.empty()) {
79 ApplyRemainingPolicies();
80 NotifyConfigurationHandlerAndFinish();
84 void PolicyApplicator::GetProfilePropertiesCallback(
85 const base::DictionaryValue
& profile_properties
) {
86 VLOG(2) << "Received properties for profile " << profile_
.ToDebugString();
87 const base::ListValue
* entries
= NULL
;
88 if (!profile_properties
.GetListWithoutPathExpansion(
89 shill::kEntriesProperty
, &entries
)) {
90 LOG(ERROR
) << "Profile " << profile_
.ToDebugString()
91 << " doesn't contain the property "
92 << shill::kEntriesProperty
;
93 NotifyConfigurationHandlerAndFinish();
97 for (base::ListValue::const_iterator it
= entries
->begin();
98 it
!= entries
->end(); ++it
) {
100 (*it
)->GetAsString(&entry
);
102 pending_get_entry_calls_
.insert(entry
);
103 DBusThreadManager::Get()->GetShillProfileClient()->GetEntry(
104 dbus::ObjectPath(profile_
.path
),
106 base::Bind(&PolicyApplicator::GetEntryCallback
,
107 weak_ptr_factory_
.GetWeakPtr(),
109 base::Bind(&PolicyApplicator::GetEntryError
,
110 weak_ptr_factory_
.GetWeakPtr(),
113 if (pending_get_entry_calls_
.empty()) {
114 ApplyRemainingPolicies();
115 NotifyConfigurationHandlerAndFinish();
119 void PolicyApplicator::GetProfilePropertiesError(
120 const std::string
& error_name
,
121 const std::string
& error_message
) {
122 LOG(ERROR
) << "Could not retrieve properties of profile " << profile_
.path
123 << ": " << error_message
;
124 NotifyConfigurationHandlerAndFinish();
127 void PolicyApplicator::GetEntryCallback(
128 const std::string
& entry
,
129 const base::DictionaryValue
& entry_properties
) {
130 VLOG(2) << "Received properties for entry " << entry
<< " of profile "
131 << profile_
.ToDebugString();
133 scoped_ptr
<base::DictionaryValue
> onc_part(
134 onc::TranslateShillServiceToONCPart(entry_properties
,
135 ::onc::ONC_SOURCE_UNKNOWN
,
136 &onc::kNetworkWithStateSignature
));
138 std::string old_guid
;
139 if (!onc_part
->GetStringWithoutPathExpansion(::onc::network_config::kGUID
,
141 VLOG(1) << "Entry " << entry
<< " of profile " << profile_
.ToDebugString()
142 << " doesn't contain a GUID.";
143 // This might be an entry of an older ChromeOS version. Assume it to be
147 scoped_ptr
<NetworkUIData
> ui_data
=
148 shill_property_util::GetUIDataFromProperties(entry_properties
);
150 VLOG(1) << "Entry " << entry
<< " of profile " << profile_
.ToDebugString()
151 << " contains no or no valid UIData.";
152 // This might be an entry of an older ChromeOS version. Assume it to be
153 // unmanaged. It's an inconsistency if there is a GUID but no UIData, thus
154 // clear the GUID just in case.
158 bool was_managed
= !old_guid
.empty() && ui_data
&&
159 (ui_data
->onc_source() ==
160 ::onc::ONC_SOURCE_DEVICE_POLICY
||
161 ui_data
->onc_source() == ::onc::ONC_SOURCE_USER_POLICY
);
163 const base::DictionaryValue
* new_policy
= NULL
;
165 // If we have a GUID that might match a current policy, do a lookup using
166 // that GUID at first. In particular this is necessary, as some networks
167 // can't be matched to policies by properties (e.g. VPN).
168 new_policy
= GetByGUID(all_policies_
, old_guid
);
172 // If we didn't find a policy by GUID, still a new policy might match.
173 new_policy
= policy_util::FindMatchingPolicy(all_policies_
, *onc_part
);
177 std::string new_guid
;
178 new_policy
->GetStringWithoutPathExpansion(::onc::network_config::kGUID
,
181 VLOG_IF(1, was_managed
&& old_guid
!= new_guid
)
182 << "Updating configuration previously managed by policy " << old_guid
183 << " with new policy " << new_guid
<< ".";
184 VLOG_IF(1, !was_managed
) << "Applying policy " << new_guid
185 << " to previously unmanaged "
188 if (old_guid
== new_guid
&&
189 remaining_policies_
.find(new_guid
) == remaining_policies_
.end()) {
190 VLOG(1) << "Not updating existing managed configuration with guid "
191 << new_guid
<< " because the policy didn't change.";
193 const base::DictionaryValue
* user_settings
=
194 ui_data
? ui_data
->user_settings() : NULL
;
195 scoped_ptr
<base::DictionaryValue
> new_shill_properties
=
196 policy_util::CreateShillConfiguration(profile_
,
198 &global_network_config_
,
201 // A new policy has to be applied to this profile entry. In order to keep
202 // implicit state of Shill like "connected successfully before", keep the
203 // entry if a policy is reapplied (e.g. after reboot) or is updated.
204 // However, some Shill properties are used to identify the network and
205 // cannot be modified after initial configuration, so we have to delete
206 // the profile entry in these cases. Also, keeping Shill's state if the
207 // SSID changed might not be a good idea anyways. If the policy GUID
208 // changed, or there was no policy before, we delete the entry at first to
209 // ensure that no old configuration remains.
210 if (old_guid
== new_guid
&&
211 shill_property_util::DoIdentifyingPropertiesMatch(
212 *new_shill_properties
, entry_properties
)) {
213 VLOG(1) << "Updating previously managed configuration with the "
214 << "updated policy " << new_guid
<< ".";
216 VLOG(1) << "Deleting profile entry before writing new policy "
217 << new_guid
<< " because of identifying properties changed.";
221 // In general, old entries should at first be deleted before new
222 // configurations are written to prevent inconsistencies. Therefore, we
223 // delay the writing of the new config here until ~PolicyApplicator.
224 // E.g. one problematic case is if a policy { {GUID=X, SSID=Y} } is
225 // applied to the profile entries
226 // { ENTRY1 = {GUID=X, SSID=X, USER_SETTINGS=X},
227 // ENTRY2 = {SSID=Y, ... } }.
228 // At first ENTRY1 and ENTRY2 should be removed, then the new config be
229 // written and the result should be:
230 // { {GUID=X, SSID=Y, USER_SETTINGS=X} }
231 WriteNewShillConfiguration(
232 *new_shill_properties
, *new_policy
, true /* write later */);
233 remaining_policies_
.erase(new_guid
);
235 } else if (was_managed
) {
236 VLOG(1) << "Removing configuration previously managed by policy "
237 << old_guid
<< ", because the policy was removed.";
239 // Remove the entry, because the network was managed but isn't anymore.
240 // Note: An alternative might be to preserve the user settings, but it's
241 // unclear which values originating the policy should be removed.
244 // The entry wasn't managed and doesn't match any current policy. Global
245 // network settings have to be applied.
246 base::DictionaryValue shill_properties_to_update
;
247 policy_util::SetShillPropertiesForGlobalPolicy(
248 entry_properties
, global_network_config_
, &shill_properties_to_update
);
249 if (shill_properties_to_update
.empty()) {
250 VLOG(2) << "Ignore unmanaged entry.";
251 // Calling a SetProperties of Shill with an empty dictionary is a no op.
253 VLOG(2) << "Apply global network config to unmanaged entry.";
254 handler_
->UpdateExistingConfigurationWithPropertiesFromPolicy(
255 entry_properties
, shill_properties_to_update
);
259 ProfileEntryFinished(entry
);
262 void PolicyApplicator::GetEntryError(const std::string
& entry
,
263 const std::string
& error_name
,
264 const std::string
& error_message
) {
265 LOG(ERROR
) << "Could not retrieve entry " << entry
<< " of profile "
266 << profile_
.path
<< ": " << error_message
;
267 ProfileEntryFinished(entry
);
270 void PolicyApplicator::DeleteEntry(const std::string
& entry
) {
271 DBusThreadManager::Get()->GetShillProfileClient()->DeleteEntry(
272 dbus::ObjectPath(profile_
.path
),
274 base::Bind(&base::DoNothing
),
275 base::Bind(&LogErrorMessage
, FROM_HERE
));
278 void PolicyApplicator::WriteNewShillConfiguration(
279 const base::DictionaryValue
& shill_dictionary
,
280 const base::DictionaryValue
& policy
,
282 // Ethernet (non EAP) settings, like GUID or UIData, cannot be stored per
283 // user. Abort in that case.
285 policy
.GetStringWithoutPathExpansion(::onc::network_config::kType
, &type
);
286 if (type
== ::onc::network_type::kEthernet
&&
287 profile_
.type() == NetworkProfile::TYPE_USER
) {
288 const base::DictionaryValue
* ethernet
= NULL
;
289 policy
.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet
,
292 ethernet
->GetStringWithoutPathExpansion(::onc::ethernet::kAuthentication
,
294 if (auth
== ::onc::ethernet::kAuthenticationNone
)
299 new_shill_configurations_
.push_back(shill_dictionary
.DeepCopy());
301 handler_
->CreateConfigurationFromPolicy(shill_dictionary
);
304 void PolicyApplicator::ApplyRemainingPolicies() {
305 DCHECK(pending_get_entry_calls_
.empty());
307 // Write all queued configurations now.
308 for (ScopedVector
<base::DictionaryValue
>::const_iterator it
=
309 new_shill_configurations_
.begin();
310 it
!= new_shill_configurations_
.end();
312 handler_
->CreateConfigurationFromPolicy(**it
);
314 new_shill_configurations_
.clear();
316 VLOG_IF(2, !remaining_policies_
.empty())
317 << "Create new managed network configurations in profile"
318 << profile_
.ToDebugString() << ".";
320 // All profile entries were compared to policies. |remaining_policies_|
321 // contains all modified policies that didn't match any entry. For these
322 // remaining policies, new configurations have to be created.
323 for (std::set
<std::string
>::iterator it
= remaining_policies_
.begin();
324 it
!= remaining_policies_
.end(); ++it
) {
325 const base::DictionaryValue
* network_policy
= GetByGUID(all_policies_
, *it
);
326 DCHECK(network_policy
);
328 VLOG(1) << "Creating new configuration managed by policy " << *it
329 << " in profile " << profile_
.ToDebugString() << ".";
331 scoped_ptr
<base::DictionaryValue
> shill_dictionary
=
332 policy_util::CreateShillConfiguration(profile_
,
334 &global_network_config_
,
336 NULL
/* no user settings */);
337 WriteNewShillConfiguration(
338 *shill_dictionary
, *network_policy
, false /* write now */);
340 remaining_policies_
.clear();
343 void PolicyApplicator::NotifyConfigurationHandlerAndFinish() {
344 weak_ptr_factory_
.InvalidateWeakPtrs();
345 handler_
->OnPoliciesApplied(profile_
);
348 } // namespace chromeos