1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/network/onc/onc_validator.h"
10 #include "base/json/json_writer.h"
11 #include "base/logging.h"
12 #include "base/strings/string_number_conversions.h"
13 #include "base/strings/string_util.h"
14 #include "base/values.h"
15 #include "chromeos/network/onc/onc_signature.h"
16 #include "components/onc/onc_constants.h"
23 // Copied from policy/configuration_policy_handler.cc.
24 // TODO(pneubeck): move to a common place like base/.
25 std::string ValueTypeToString(base::Value::Type type) {
26 static const char* strings[] = {
36 CHECK(static_cast<size_t>(type) < arraysize(strings));
42 Validator::Validator(bool error_on_unknown_field,
43 bool error_on_wrong_recommended,
44 bool error_on_missing_field,
46 : error_on_unknown_field_(error_on_unknown_field),
47 error_on_wrong_recommended_(error_on_wrong_recommended),
48 error_on_missing_field_(error_on_missing_field),
49 managed_onc_(managed_onc),
50 onc_source_(::onc::ONC_SOURCE_NONE) {}
52 Validator::~Validator() {}
54 scoped_ptr<base::DictionaryValue> Validator::ValidateAndRepairObject(
55 const OncValueSignature* object_signature,
56 const base::DictionaryValue& onc_object,
58 CHECK(object_signature != NULL);
60 error_or_warning_found_ = false;
62 scoped_ptr<base::Value> result_value =
63 MapValue(*object_signature, onc_object, &error);
67 } else if (error_or_warning_found_) {
68 *result = VALID_WITH_WARNINGS;
70 // The return value should be NULL if, and only if, |result| equals INVALID.
71 DCHECK_EQ(result_value.get() == NULL, *result == INVALID);
73 base::DictionaryValue* result_dict = NULL;
74 if (result_value.get() != NULL) {
75 result_value.release()->GetAsDictionary(&result_dict);
76 CHECK(result_dict != NULL);
79 return make_scoped_ptr(result_dict);
82 scoped_ptr<base::Value> Validator::MapValue(const OncValueSignature& signature,
83 const base::Value& onc_value,
85 if (onc_value.GetType() != signature.onc_type) {
86 LOG(ERROR) << MessageHeader() << "Found value '" << onc_value
87 << "' of type '" << ValueTypeToString(onc_value.GetType())
88 << "', but type '" << ValueTypeToString(signature.onc_type)
90 error_or_warning_found_ = *error = true;
91 return scoped_ptr<base::Value>();
94 scoped_ptr<base::Value> repaired =
95 Mapper::MapValue(signature, onc_value, error);
96 if (repaired.get() != NULL)
97 CHECK_EQ(repaired->GetType(), signature.onc_type);
98 return repaired.Pass();
101 scoped_ptr<base::DictionaryValue> Validator::MapObject(
102 const OncValueSignature& signature,
103 const base::DictionaryValue& onc_object,
105 scoped_ptr<base::DictionaryValue> repaired(new base::DictionaryValue);
107 bool valid = ValidateObjectDefault(signature, onc_object, repaired.get());
109 if (&signature == &kToplevelConfigurationSignature)
110 valid = ValidateToplevelConfiguration(repaired.get());
111 else if (&signature == &kNetworkConfigurationSignature)
112 valid = ValidateNetworkConfiguration(repaired.get());
113 else if (&signature == &kEthernetSignature)
114 valid = ValidateEthernet(repaired.get());
115 else if (&signature == &kIPConfigSignature)
116 valid = ValidateIPConfig(repaired.get());
117 else if (&signature == &kWiFiSignature)
118 valid = ValidateWiFi(repaired.get());
119 else if (&signature == &kVPNSignature)
120 valid = ValidateVPN(repaired.get());
121 else if (&signature == &kIPsecSignature)
122 valid = ValidateIPsec(repaired.get());
123 else if (&signature == &kOpenVPNSignature)
124 valid = ValidateOpenVPN(repaired.get());
125 else if (&signature == &kVerifyX509Signature)
126 valid = ValidateVerifyX509(repaired.get());
127 else if (&signature == &kCertificatePatternSignature)
128 valid = ValidateCertificatePattern(repaired.get());
129 else if (&signature == &kProxySettingsSignature)
130 valid = ValidateProxySettings(repaired.get());
131 else if (&signature == &kProxyLocationSignature)
132 valid = ValidateProxyLocation(repaired.get());
133 else if (&signature == &kEAPSignature)
134 valid = ValidateEAP(repaired.get());
135 else if (&signature == &kCertificateSignature)
136 valid = ValidateCertificate(repaired.get());
140 return repaired.Pass();
142 DCHECK(error_or_warning_found_);
143 error_or_warning_found_ = *error = true;
144 return scoped_ptr<base::DictionaryValue>();
148 scoped_ptr<base::Value> Validator::MapField(
149 const std::string& field_name,
150 const OncValueSignature& object_signature,
151 const base::Value& onc_value,
152 bool* found_unknown_field,
154 path_.push_back(field_name);
155 bool current_field_unknown = false;
156 scoped_ptr<base::Value> result = Mapper::MapField(
157 field_name, object_signature, onc_value, ¤t_field_unknown, error);
159 DCHECK_EQ(field_name, path_.back());
162 if (current_field_unknown) {
163 error_or_warning_found_ = *found_unknown_field = true;
164 std::string message = MessageHeader() + "Field name '" + field_name +
166 if (error_on_unknown_field_)
167 LOG(ERROR) << message;
169 LOG(WARNING) << message;
172 return result.Pass();
175 scoped_ptr<base::ListValue> Validator::MapArray(
176 const OncValueSignature& array_signature,
177 const base::ListValue& onc_array,
178 bool* nested_error) {
179 bool nested_error_in_current_array = false;
180 scoped_ptr<base::ListValue> result = Mapper::MapArray(
181 array_signature, onc_array, &nested_error_in_current_array);
183 // Drop individual networks and certificates instead of rejecting all of
184 // the configuration.
185 if (nested_error_in_current_array &&
186 &array_signature != &kNetworkConfigurationListSignature &&
187 &array_signature != &kCertificateListSignature) {
188 *nested_error = nested_error_in_current_array;
190 return result.Pass();
193 scoped_ptr<base::Value> Validator::MapEntry(int index,
194 const OncValueSignature& signature,
195 const base::Value& onc_value,
197 std::string str = base::IntToString(index);
198 path_.push_back(str);
199 scoped_ptr<base::Value> result =
200 Mapper::MapEntry(index, signature, onc_value, error);
201 DCHECK_EQ(str, path_.back());
203 return result.Pass();
206 bool Validator::ValidateObjectDefault(const OncValueSignature& signature,
207 const base::DictionaryValue& onc_object,
208 base::DictionaryValue* result) {
209 bool found_unknown_field = false;
210 bool nested_error_occured = false;
211 MapFields(signature, onc_object, &found_unknown_field, &nested_error_occured,
214 if (found_unknown_field && error_on_unknown_field_) {
215 DVLOG(1) << "Unknown field names are errors: Aborting.";
219 if (nested_error_occured)
222 return ValidateRecommendedField(signature, result);
225 bool Validator::ValidateRecommendedField(
226 const OncValueSignature& object_signature,
227 base::DictionaryValue* result) {
228 CHECK(result != NULL);
230 scoped_ptr<base::ListValue> recommended;
231 scoped_ptr<base::Value> recommended_value;
232 // This remove passes ownership to |recommended_value|.
233 if (!result->RemoveWithoutPathExpansion(::onc::kRecommended,
234 &recommended_value)) {
237 base::ListValue* recommended_list = NULL;
238 recommended_value.release()->GetAsList(&recommended_list);
239 CHECK(recommended_list);
241 recommended.reset(recommended_list);
244 error_or_warning_found_ = true;
245 LOG(WARNING) << MessageHeader() << "Found the field '"
246 << ::onc::kRecommended
247 << "' in an unmanaged ONC. Removing it.";
251 scoped_ptr<base::ListValue> repaired_recommended(new base::ListValue);
252 for (base::ListValue::iterator it = recommended->begin();
253 it != recommended->end(); ++it) {
254 std::string field_name;
255 if (!(*it)->GetAsString(&field_name)) {
260 const OncFieldSignature* field_signature =
261 GetFieldSignature(object_signature, field_name);
263 bool found_error = false;
264 std::string error_cause;
265 if (field_signature == NULL) {
267 error_cause = "unknown";
268 } else if (field_signature->value_signature->onc_type ==
269 base::Value::TYPE_DICTIONARY) {
271 error_cause = "dictionary-typed";
275 error_or_warning_found_ = true;
276 path_.push_back(::onc::kRecommended);
277 std::string message = MessageHeader() + "The " + error_cause +
278 " field '" + field_name + "' cannot be recommended.";
280 if (error_on_wrong_recommended_) {
281 LOG(ERROR) << message;
284 LOG(WARNING) << message;
289 repaired_recommended->Append((*it)->DeepCopy());
292 result->Set(::onc::kRecommended, repaired_recommended.release());
298 std::string JoinStringRange(const char** range_begin,
299 const char** range_end,
300 const std::string& separator) {
301 std::vector<std::string> string_vector;
302 std::copy(range_begin, range_end, std::back_inserter(string_vector));
303 return JoinString(string_vector, separator);
308 bool Validator::FieldExistsAndHasNoValidValue(
309 const base::DictionaryValue& object,
310 const std::string& field_name,
311 const char** valid_values) {
312 std::string actual_value;
313 if (!object.GetStringWithoutPathExpansion(field_name, &actual_value))
316 const char** it = valid_values;
317 for (; *it != NULL; ++it) {
318 if (actual_value == *it)
321 error_or_warning_found_ = true;
322 std::string valid_values_str =
323 "[" + JoinStringRange(valid_values, it, ", ") + "]";
324 path_.push_back(field_name);
325 LOG(ERROR) << MessageHeader() << "Found value '" << actual_value <<
326 "', but expected one of the values " << valid_values_str;
331 bool Validator::FieldExistsAndIsNotInRange(const base::DictionaryValue& object,
332 const std::string& field_name,
336 if (!object.GetIntegerWithoutPathExpansion(field_name, &actual_value) ||
337 (lower_bound <= actual_value && actual_value <= upper_bound)) {
340 error_or_warning_found_ = true;
341 path_.push_back(field_name);
342 LOG(ERROR) << MessageHeader() << "Found value '" << actual_value
343 << "', but expected a value in the range [" << lower_bound
344 << ", " << upper_bound << "] (boundaries inclusive)";
349 bool Validator::FieldExistsAndIsEmpty(const base::DictionaryValue& object,
350 const std::string& field_name) {
351 const base::Value* value = NULL;
352 if (!object.GetWithoutPathExpansion(field_name, &value))
356 const base::ListValue* list = NULL;
357 if (value->GetAsString(&str)) {
360 } else if (value->GetAsList(&list)) {
368 error_or_warning_found_ = true;
369 path_.push_back(field_name);
370 LOG(ERROR) << MessageHeader() << "Found an empty string, but expected a "
371 << "non-empty string.";
376 bool Validator::RequireField(const base::DictionaryValue& dict,
377 const std::string& field_name) {
378 if (dict.HasKey(field_name))
380 error_or_warning_found_ = true;
381 std::string message = MessageHeader() + "The required field '" + field_name +
383 if (error_on_missing_field_)
384 LOG(ERROR) << message;
386 LOG(WARNING) << message;
390 bool Validator::CheckGuidIsUniqueAndAddToSet(const base::DictionaryValue& dict,
391 const std::string& key_guid,
392 std::set<std::string> *guids) {
394 if (dict.GetStringWithoutPathExpansion(key_guid, &guid)) {
395 if (guids->count(guid) != 0) {
396 error_or_warning_found_ = true;
397 LOG(ERROR) << MessageHeader() << "Found a duplicate GUID " << guid << ".";
405 bool Validator::IsCertPatternInDevicePolicy(const std::string& cert_type) {
406 if (cert_type == ::onc::certificate::kPattern &&
407 onc_source_ == ::onc::ONC_SOURCE_DEVICE_POLICY) {
408 error_or_warning_found_ = true;
409 LOG(ERROR) << MessageHeader() << "Client certificate patterns are "
410 << "prohibited in ONC device policies.";
416 bool Validator::IsGlobalNetworkConfigInUserImport(
417 const base::DictionaryValue& onc_object) {
418 if (onc_source_ == ::onc::ONC_SOURCE_USER_IMPORT &&
419 onc_object.HasKey(::onc::toplevel_config::kGlobalNetworkConfiguration)) {
420 error_or_warning_found_ = true;
421 LOG(ERROR) << MessageHeader() << "GlobalNetworkConfiguration is prohibited "
422 << "in ONC user imports";
428 bool Validator::ValidateToplevelConfiguration(base::DictionaryValue* result) {
429 using namespace ::onc::toplevel_config;
431 static const char* kValidTypes[] = { kUnencryptedConfiguration,
432 kEncryptedConfiguration,
434 if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypes))
437 bool all_required_exist = true;
439 // Not part of the ONC spec yet:
440 // We don't require the type field and default to UnencryptedConfiguration.
441 std::string type = kUnencryptedConfiguration;
442 result->GetStringWithoutPathExpansion(kType, &type);
443 if (type == kUnencryptedConfiguration &&
444 !result->HasKey(kNetworkConfigurations) &&
445 !result->HasKey(kCertificates)) {
446 error_or_warning_found_ = true;
447 std::string message = MessageHeader() + "Neither the field '" +
448 kNetworkConfigurations + "' nor '" + kCertificates +
449 "is present, but at least one is required.";
450 if (error_on_missing_field_)
451 LOG(ERROR) << message;
453 LOG(WARNING) << message;
454 all_required_exist = false;
457 if (IsGlobalNetworkConfigInUserImport(*result))
460 return !error_on_missing_field_ || all_required_exist;
463 bool Validator::ValidateNetworkConfiguration(base::DictionaryValue* result) {
464 using namespace ::onc::network_config;
466 static const char* kValidTypes[] = { ::onc::network_type::kEthernet,
467 ::onc::network_type::kVPN,
468 ::onc::network_type::kWiFi,
469 ::onc::network_type::kCellular,
471 if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypes) ||
472 FieldExistsAndIsEmpty(*result, kGUID)) {
476 if (!CheckGuidIsUniqueAndAddToSet(*result, kGUID, &network_guids_))
479 bool all_required_exist = RequireField(*result, kGUID);
482 result->GetBooleanWithoutPathExpansion(::onc::kRemove, &remove);
484 all_required_exist &=
485 RequireField(*result, kName) && RequireField(*result, kType);
488 result->GetStringWithoutPathExpansion(kType, &type);
490 // Prohibit anything but WiFi and Ethernet for device-level policy (which
491 // corresponds to shared networks). See also http://crosbug.com/28741.
492 if (onc_source_ == ::onc::ONC_SOURCE_DEVICE_POLICY &&
493 type != ::onc::network_type::kWiFi &&
494 type != ::onc::network_type::kEthernet) {
495 error_or_warning_found_ = true;
496 LOG(ERROR) << MessageHeader() << "Networks of type '"
497 << type << "' are prohibited in ONC device policies.";
501 if (type == ::onc::network_type::kWiFi) {
502 all_required_exist &= RequireField(*result, ::onc::network_config::kWiFi);
503 } else if (type == ::onc::network_type::kEthernet) {
504 all_required_exist &=
505 RequireField(*result, ::onc::network_config::kEthernet);
506 } else if (type == ::onc::network_type::kCellular) {
507 all_required_exist &=
508 RequireField(*result, ::onc::network_config::kCellular);
509 } else if (type == ::onc::network_type::kVPN) {
510 all_required_exist &= RequireField(*result, ::onc::network_config::kVPN);
511 } else if (!type.empty()) {
516 return !error_on_missing_field_ || all_required_exist;
519 bool Validator::ValidateEthernet(base::DictionaryValue* result) {
520 using namespace ::onc::ethernet;
522 static const char* kValidAuthentications[] = { kNone, k8021X, NULL };
523 if (FieldExistsAndHasNoValidValue(
524 *result, kAuthentication, kValidAuthentications)) {
528 bool all_required_exist = true;
530 result->GetStringWithoutPathExpansion(kAuthentication, &auth);
532 all_required_exist &= RequireField(*result, kEAP);
534 return !error_on_missing_field_ || all_required_exist;
537 bool Validator::ValidateIPConfig(base::DictionaryValue* result) {
538 using namespace ::onc::ipconfig;
540 static const char* kValidTypes[] = { kIPv4, kIPv6, NULL };
541 if (FieldExistsAndHasNoValidValue(
542 *result, ::onc::ipconfig::kType, kValidTypes))
546 result->GetStringWithoutPathExpansion(::onc::ipconfig::kType, &type);
548 // In case of missing type, choose higher upper_bound.
549 int upper_bound = (type == kIPv4) ? 32 : 128;
550 if (FieldExistsAndIsNotInRange(
551 *result, kRoutingPrefix, lower_bound, upper_bound)) {
555 bool all_required_exist = RequireField(*result, kIPAddress) &&
556 RequireField(*result, kRoutingPrefix) &&
557 RequireField(*result, ::onc::ipconfig::kType);
559 return !error_on_missing_field_ || all_required_exist;
562 bool Validator::ValidateWiFi(base::DictionaryValue* result) {
563 using namespace ::onc::wifi;
565 static const char* kValidSecurities[] =
566 { kNone, kWEP_PSK, kWEP_8021X, kWPA_PSK, kWPA_EAP, NULL };
567 if (FieldExistsAndHasNoValidValue(*result, kSecurity, kValidSecurities))
570 bool all_required_exist =
571 RequireField(*result, kSecurity) && RequireField(*result, kSSID);
573 std::string security;
574 result->GetStringWithoutPathExpansion(kSecurity, &security);
575 if (security == kWEP_8021X || security == kWPA_EAP)
576 all_required_exist &= RequireField(*result, kEAP);
577 else if (security == kWEP_PSK || security == kWPA_PSK)
578 all_required_exist &= RequireField(*result, kPassphrase);
580 return !error_on_missing_field_ || all_required_exist;
583 bool Validator::ValidateVPN(base::DictionaryValue* result) {
584 using namespace ::onc::vpn;
586 static const char* kValidTypes[] =
587 { kIPsec, kTypeL2TP_IPsec, kOpenVPN, NULL };
588 if (FieldExistsAndHasNoValidValue(*result, ::onc::vpn::kType, kValidTypes))
591 bool all_required_exist = RequireField(*result, ::onc::vpn::kType);
593 result->GetStringWithoutPathExpansion(::onc::vpn::kType, &type);
594 if (type == kOpenVPN) {
595 all_required_exist &= RequireField(*result, kOpenVPN);
596 } else if (type == kIPsec) {
597 all_required_exist &= RequireField(*result, kIPsec);
598 } else if (type == kTypeL2TP_IPsec) {
599 all_required_exist &=
600 RequireField(*result, kIPsec) && RequireField(*result, kL2TP);
603 return !error_on_missing_field_ || all_required_exist;
606 bool Validator::ValidateIPsec(base::DictionaryValue* result) {
607 using namespace ::onc::ipsec;
608 using namespace ::onc::certificate;
610 static const char* kValidAuthentications[] = { kPSK, kCert, NULL };
611 static const char* kValidCertTypes[] = { kRef, kPattern, NULL };
612 if (FieldExistsAndHasNoValidValue(
613 *result, kAuthenticationType, kValidAuthentications) ||
614 FieldExistsAndHasNoValidValue(
615 *result, ::onc::vpn::kClientCertType, kValidCertTypes) ||
616 FieldExistsAndIsEmpty(*result, kServerCARefs)) {
620 if (result->HasKey(kServerCARefs) && result->HasKey(kServerCARef)) {
621 error_or_warning_found_ = true;
622 LOG(ERROR) << MessageHeader() << "At most one of " << kServerCARefs
623 << " and " << kServerCARef << " can be set.";
627 bool all_required_exist = RequireField(*result, kAuthenticationType) &&
628 RequireField(*result, kIKEVersion);
630 result->GetStringWithoutPathExpansion(kAuthenticationType, &auth);
631 bool has_server_ca_cert =
632 result->HasKey(kServerCARefs) || result->HasKey(kServerCARef);
634 all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertType);
635 if (!has_server_ca_cert) {
636 all_required_exist = false;
637 error_or_warning_found_ = true;
638 std::string message = MessageHeader() + "The required field '" +
639 kServerCARefs + "' is missing.";
640 if (error_on_missing_field_)
641 LOG(ERROR) << message;
643 LOG(WARNING) << message;
645 } else if (has_server_ca_cert) {
646 error_or_warning_found_ = true;
647 LOG(ERROR) << MessageHeader() << kServerCARefs << " (or " << kServerCARef
648 << ") can only be set if " << kAuthenticationType
649 << " is set to " << kCert << ".";
653 std::string cert_type;
654 result->GetStringWithoutPathExpansion(::onc::vpn::kClientCertType,
657 if (IsCertPatternInDevicePolicy(cert_type))
660 if (cert_type == kPattern)
661 all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertPattern);
662 else if (cert_type == kRef)
663 all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertRef);
665 return !error_on_missing_field_ || all_required_exist;
668 bool Validator::ValidateOpenVPN(base::DictionaryValue* result) {
669 using namespace ::onc::openvpn;
670 using namespace ::onc::certificate;
672 static const char* kValidAuthRetryValues[] =
673 { ::onc::openvpn::kNone, kInteract, kNoInteract, NULL };
674 static const char* kValidCertTypes[] =
675 { ::onc::certificate::kNone, kRef, kPattern, NULL };
676 static const char* kValidCertTlsValues[] =
677 { ::onc::openvpn::kNone, ::onc::openvpn::kServer, NULL };
679 if (FieldExistsAndHasNoValidValue(
680 *result, kAuthRetry, kValidAuthRetryValues) ||
681 FieldExistsAndHasNoValidValue(
682 *result, ::onc::vpn::kClientCertType, kValidCertTypes) ||
683 FieldExistsAndHasNoValidValue(
684 *result, kRemoteCertTLS, kValidCertTlsValues) ||
685 FieldExistsAndIsEmpty(*result, kServerCARefs)) {
689 if (result->HasKey(kServerCARefs) && result->HasKey(kServerCARef)) {
690 error_or_warning_found_ = true;
691 LOG(ERROR) << MessageHeader() << "At most one of " << kServerCARefs
692 << " and " << kServerCARef << " can be set.";
696 bool all_required_exist = RequireField(*result, ::onc::vpn::kClientCertType);
697 std::string cert_type;
698 result->GetStringWithoutPathExpansion(::onc::vpn::kClientCertType,
701 if (IsCertPatternInDevicePolicy(cert_type))
704 if (cert_type == kPattern)
705 all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertPattern);
706 else if (cert_type == kRef)
707 all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertRef);
709 return !error_on_missing_field_ || all_required_exist;
712 bool Validator::ValidateVerifyX509(base::DictionaryValue* result) {
713 using namespace ::onc::verify_x509;
715 static const char* kValidTypeValues[] =
716 {types::kName, types::kNamePrefix, types::kSubject, NULL};
718 if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypeValues))
721 bool all_required_exist = RequireField(*result, kName);
723 return !error_on_missing_field_ || all_required_exist;
726 bool Validator::ValidateCertificatePattern(base::DictionaryValue* result) {
727 using namespace ::onc::certificate;
729 bool all_required_exist = true;
730 if (!result->HasKey(kSubject) && !result->HasKey(kIssuer) &&
731 !result->HasKey(kIssuerCARef)) {
732 error_or_warning_found_ = true;
733 all_required_exist = false;
734 std::string message = MessageHeader() + "None of the fields '" + kSubject +
735 "', '" + kIssuer + "', and '" + kIssuerCARef +
736 "' is present, but at least one is required.";
737 if (error_on_missing_field_)
738 LOG(ERROR) << message;
740 LOG(WARNING) << message;
743 return !error_on_missing_field_ || all_required_exist;
746 bool Validator::ValidateProxySettings(base::DictionaryValue* result) {
747 using namespace ::onc::proxy;
749 static const char* kValidTypes[] = { kDirect, kManual, kPAC, kWPAD, NULL };
750 if (FieldExistsAndHasNoValidValue(*result, ::onc::proxy::kType, kValidTypes))
753 bool all_required_exist = RequireField(*result, ::onc::proxy::kType);
755 result->GetStringWithoutPathExpansion(::onc::proxy::kType, &type);
757 all_required_exist &= RequireField(*result, kManual);
758 else if (type == kPAC)
759 all_required_exist &= RequireField(*result, kPAC);
761 return !error_on_missing_field_ || all_required_exist;
764 bool Validator::ValidateProxyLocation(base::DictionaryValue* result) {
765 using namespace ::onc::proxy;
767 bool all_required_exist =
768 RequireField(*result, kHost) && RequireField(*result, kPort);
770 return !error_on_missing_field_ || all_required_exist;
773 bool Validator::ValidateEAP(base::DictionaryValue* result) {
774 using namespace ::onc::eap;
775 using namespace ::onc::certificate;
777 static const char* kValidInnerValues[] =
778 { kAutomatic, kMD5, kMSCHAPv2, kPAP, NULL };
779 static const char* kValidOuterValues[] =
780 { kPEAP, kEAP_TLS, kEAP_TTLS, kLEAP, kEAP_SIM, kEAP_FAST, kEAP_AKA,
782 static const char* kValidCertTypes[] = { kRef, kPattern, NULL };
784 if (FieldExistsAndHasNoValidValue(*result, kInner, kValidInnerValues) ||
785 FieldExistsAndHasNoValidValue(*result, kOuter, kValidOuterValues) ||
786 FieldExistsAndHasNoValidValue(
787 *result, kClientCertType, kValidCertTypes) ||
788 FieldExistsAndIsEmpty(*result, kServerCARefs)) {
792 if (result->HasKey(kServerCARefs) && result->HasKey(kServerCARef)) {
793 error_or_warning_found_ = true;
794 LOG(ERROR) << MessageHeader() << "At most one of " << kServerCARefs
795 << " and " << kServerCARef << " can be set.";
799 bool all_required_exist = RequireField(*result, kOuter);
800 std::string cert_type;
801 result->GetStringWithoutPathExpansion(kClientCertType, &cert_type);
803 if (IsCertPatternInDevicePolicy(cert_type))
806 if (cert_type == kPattern)
807 all_required_exist &= RequireField(*result, kClientCertPattern);
808 else if (cert_type == kRef)
809 all_required_exist &= RequireField(*result, kClientCertRef);
811 return !error_on_missing_field_ || all_required_exist;
814 bool Validator::ValidateCertificate(base::DictionaryValue* result) {
815 using namespace ::onc::certificate;
817 static const char* kValidTypes[] = { kClient, kServer, kAuthority, NULL };
818 if (FieldExistsAndHasNoValidValue(*result, kType, kValidTypes) ||
819 FieldExistsAndIsEmpty(*result, kGUID)) {
824 result->GetStringWithoutPathExpansion(kType, &type);
825 if (onc_source_ == ::onc::ONC_SOURCE_DEVICE_POLICY &&
826 (type == kServer || type == kAuthority)) {
827 error_or_warning_found_ = true;
828 LOG(ERROR) << MessageHeader() << "Server and authority certificates are "
829 << "prohibited in ONC device policies.";
833 if (!CheckGuidIsUniqueAndAddToSet(*result, kGUID, &certificate_guids_))
836 bool all_required_exist = RequireField(*result, kGUID);
839 result->GetBooleanWithoutPathExpansion(::onc::kRemove, &remove);
841 all_required_exist &= RequireField(*result, kType);
844 all_required_exist &= RequireField(*result, kPKCS12);
845 else if (type == kServer || type == kAuthority)
846 all_required_exist &= RequireField(*result, kX509);
849 return !error_on_missing_field_ || all_required_exist;
852 std::string Validator::MessageHeader() {
853 std::string path = path_.empty() ? "toplevel" : JoinString(path_, ".");
854 std::string message = "At " + path + ": ";
859 } // namespace chromeos