src/chromeos/network/policy_util.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chromeos/network/policy_util.h"
   6
   7 #include "base/logging.h"
   8 #include "base/values.h"
   9 #include "chromeos/network/network_profile.h"
  10 #include "chromeos/network/network_ui_data.h"
  11 #include "chromeos/network/onc/onc_merger.h"
  12 #include "chromeos/network/onc/onc_normalizer.h"
  13 #include "chromeos/network/onc/onc_signature.h"
  14 #include "chromeos/network/onc/onc_translator.h"
  15 #include "chromeos/network/onc/onc_utils.h"
  16 #include "chromeos/network/shill_property_util.h"
  17 #include "components/onc/onc_constants.h"
  18 #include "third_party/cros_system_api/dbus/service_constants.h"
  19
  20 namespace chromeos {
  21
  22 namespace policy_util {
  23
  24 namespace {
  25
  26 // This fake credential contains a random postfix which is extremly unlikely to
  27 // be used by any user.
  28 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
  29
  30
  31 // Removes all kFakeCredential values from sensitive fields (determined by
  32 // onc::FieldIsCredential) of |onc_object|.
  33 void RemoveFakeCredentials(
  34     const onc::OncValueSignature& signature,
  35     base::DictionaryValue* onc_object) {
  36   base::DictionaryValue::Iterator it(*onc_object);
  37   while (!it.IsAtEnd()) {
  38     base::Value* value = NULL;
  39     std::string field_name = it.key();
  40     // We need the non-const entry to remove nested values but DictionaryValue
  41     // has no non-const iterator.
  42     onc_object->GetWithoutPathExpansion(field_name, &value);
  43     // Advance before delete.
  44     it.Advance();
  45
  46     // If |value| is a dictionary, recurse.
  47     base::DictionaryValue* nested_object = NULL;
  48     if (value->GetAsDictionary(&nested_object)) {
  49       const onc::OncFieldSignature* field_signature =
  50           onc::GetFieldSignature(signature, field_name);
  51       if (field_signature)
  52         RemoveFakeCredentials(*field_signature->value_signature, nested_object);
  53       else
  54         LOG(ERROR) << "ONC has unrecoginzed field: " << field_name;
  55       continue;
  56     }
  57
  58     // If |value| is a string, check if it is a fake credential.
  59     std::string string_value;
  60     if (value->GetAsString(&string_value) &&
  61         onc::FieldIsCredential(signature, field_name)) {
  62       if (string_value == kFakeCredential) {
  63         // The value wasn't modified by the UI, thus we remove the field to keep
  64         // the existing value that is stored in Shill.
  65         onc_object->RemoveWithoutPathExpansion(field_name, NULL);
  66       }
  67       // Otherwise, the value is set and modified by the UI, thus we keep that
  68       // value to overwrite whatever is stored in Shill.
  69     }
  70   }
  71 }
  72
  73 // Returns true if |policy| matches |actual_network|, which must be part of a
  74 // ONC NetworkConfiguration. This should be the only such matching function
  75 // within Chrome. Shill does such matching in several functions for network
  76 // identification. For compatibility, we currently should stick to Shill's
  77 // matching behavior.
  78 bool IsPolicyMatching(const base::DictionaryValue& policy,
  79                       const base::DictionaryValue& actual_network) {
  80   std::string policy_type;
  81   policy.GetStringWithoutPathExpansion(::onc::network_config::kType,
  82                                        &policy_type);
  83   std::string actual_network_type;
  84   actual_network.GetStringWithoutPathExpansion(::onc::network_config::kType,
  85                                                &actual_network_type);
  86   if (policy_type != actual_network_type)
  87     return false;
  88
  89   if (actual_network_type == ::onc::network_type::kEthernet) {
  90     const base::DictionaryValue* policy_ethernet = NULL;
  91     policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet,
  92                                              &policy_ethernet);
  93     const base::DictionaryValue* actual_ethernet = NULL;
  94     actual_network.GetDictionaryWithoutPathExpansion(
  95         ::onc::network_config::kEthernet, &actual_ethernet);
  96     if (!policy_ethernet || !actual_ethernet)
  97       return false;
  98
  99     std::string policy_auth;
 100     policy_ethernet->GetStringWithoutPathExpansion(
 101         ::onc::ethernet::kAuthentication, &policy_auth);
 102     std::string actual_auth;
 103     actual_ethernet->GetStringWithoutPathExpansion(
 104         ::onc::ethernet::kAuthentication, &actual_auth);
 105     return policy_auth == actual_auth;
 106   } else if (actual_network_type == ::onc::network_type::kWiFi) {
 107     const base::DictionaryValue* policy_wifi = NULL;
 108     policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kWiFi,
 109                                              &policy_wifi);
 110     const base::DictionaryValue* actual_wifi = NULL;
 111     actual_network.GetDictionaryWithoutPathExpansion(
 112         ::onc::network_config::kWiFi,
 113         &actual_wifi);
 114     if (!policy_wifi || !actual_wifi)
 115       return false;
 116
 117     std::string policy_ssid;
 118     policy_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
 119                                                &policy_ssid);
 120     std::string actual_ssid;
 121     actual_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
 122                                                &actual_ssid);
 123     return (policy_ssid == actual_ssid);
 124   }
 125   return false;
 126 }
 127
 128 // Returns true if AutoConnect is enabled by |policy| (as mandatory or
 129 // recommended setting). Otherwise and on error returns false.
 130 bool IsAutoConnectEnabledInPolicy(const base::DictionaryValue& policy) {
 131   std::string type;
 132   policy.GetStringWithoutPathExpansion(::onc::network_config::kType, &type);
 133
 134   std::string autoconnect_key;
 135   std::string network_dict_key;
 136   if (type == ::onc::network_type::kWiFi) {
 137     network_dict_key = ::onc::network_config::kWiFi;
 138     autoconnect_key = ::onc::wifi::kAutoConnect;
 139   } else if (type == ::onc::network_type::kVPN) {
 140     network_dict_key = ::onc::network_config::kVPN;
 141     autoconnect_key = ::onc::vpn::kAutoConnect;
 142   } else {
 143     VLOG(2) << "Network type without autoconnect property.";
 144     return false;
 145   }
 146
 147   const base::DictionaryValue* network_dict = NULL;
 148   policy.GetDictionaryWithoutPathExpansion(network_dict_key, &network_dict);
 149   if (!network_dict) {
 150     LOG(ERROR) << "ONC doesn't contain a " << network_dict_key
 151                << " dictionary.";
 152     return false;
 153   }
 154
 155   bool autoconnect = false;
 156   network_dict->GetBooleanWithoutPathExpansion(autoconnect_key, &autoconnect);
 157   return autoconnect;
 158 }
 159
 160 base::DictionaryValue* GetOrCreateDictionary(const std::string& key,
 161                                              base::DictionaryValue* dict) {
 162   base::DictionaryValue* inner_dict = NULL;
 163   if (!dict->GetDictionaryWithoutPathExpansion(key, &inner_dict)) {
 164     inner_dict = new base::DictionaryValue;
 165     dict->SetWithoutPathExpansion(key, inner_dict);
 166   }
 167   return inner_dict;
 168 }
 169
 170 base::DictionaryValue* GetOrCreateNestedDictionary(
 171     const std::string& key1,
 172     const std::string& key2,
 173     base::DictionaryValue* dict) {
 174   base::DictionaryValue* inner_dict = GetOrCreateDictionary(key1, dict);
 175   return GetOrCreateDictionary(key2, inner_dict);
 176 }
 177
 178 void ApplyGlobalAutoconnectPolicy(
 179     NetworkProfile::Type profile_type,
 180     base::DictionaryValue* augmented_onc_network) {
 181   base::DictionaryValue* type_dictionary = NULL;
 182   augmented_onc_network->GetDictionaryWithoutPathExpansion(
 183       ::onc::network_config::kType, &type_dictionary);
 184   std::string type;
 185   if (!type_dictionary ||
 186       !type_dictionary->GetStringWithoutPathExpansion(
 187           ::onc::kAugmentationActiveSetting, &type) ||
 188       type.empty()) {
 189     LOG(ERROR) << "ONC dictionary with no Type.";
 190     return;
 191   }
 192
 193   // Managed dictionaries don't contain empty dictionaries (see onc_merger.cc),
 194   // so add the Autoconnect dictionary in case Shill didn't report a value.
 195   base::DictionaryValue* auto_connect_dictionary = NULL;
 196   if (type == ::onc::network_type::kWiFi) {
 197     auto_connect_dictionary =
 198         GetOrCreateNestedDictionary(::onc::network_config::kWiFi,
 199                                     ::onc::wifi::kAutoConnect,
 200                                     augmented_onc_network);
 201   } else if (type == ::onc::network_type::kVPN) {
 202     auto_connect_dictionary =
 203         GetOrCreateNestedDictionary(::onc::network_config::kVPN,
 204                                     ::onc::vpn::kAutoConnect,
 205                                     augmented_onc_network);
 206   } else {
 207     return;  // Network type without auto-connect property.
 208   }
 209
 210   std::string policy_source;
 211   if (profile_type == NetworkProfile::TYPE_USER)
 212     policy_source = ::onc::kAugmentationUserPolicy;
 213   else if(profile_type == NetworkProfile::TYPE_SHARED)
 214     policy_source = ::onc::kAugmentationDevicePolicy;
 215   else
 216     NOTREACHED();
 217
 218   auto_connect_dictionary->SetBooleanWithoutPathExpansion(policy_source, false);
 219   auto_connect_dictionary->SetStringWithoutPathExpansion(
 220       ::onc::kAugmentationEffectiveSetting, policy_source);
 221 }
 222
 223 }  // namespace
 224
 225 scoped_ptr<base::DictionaryValue> CreateManagedONC(
 226     const base::DictionaryValue* global_policy,
 227     const base::DictionaryValue* network_policy,
 228     const base::DictionaryValue* user_settings,
 229     const base::DictionaryValue* active_settings,
 230     const NetworkProfile* profile) {
 231   const base::DictionaryValue* user_policy = NULL;
 232   const base::DictionaryValue* device_policy = NULL;
 233   const base::DictionaryValue* nonshared_user_settings = NULL;
 234   const base::DictionaryValue* shared_user_settings = NULL;
 235
 236   if (profile) {
 237     if (profile->type() == NetworkProfile::TYPE_SHARED) {
 238       device_policy = network_policy;
 239       shared_user_settings = user_settings;
 240     } else if (profile->type() == NetworkProfile::TYPE_USER) {
 241       user_policy = network_policy;
 242       nonshared_user_settings = user_settings;
 243     } else {
 244       NOTREACHED();
 245     }
 246   }
 247
 248   // This call also removes credentials from policies.
 249   scoped_ptr<base::DictionaryValue> augmented_onc_network =
 250       onc::MergeSettingsAndPoliciesToAugmented(
 251           onc::kNetworkConfigurationSignature,
 252           user_policy,
 253           device_policy,
 254           nonshared_user_settings,
 255           shared_user_settings,
 256           active_settings);
 257
 258   // If present, apply the Autoconnect policy only to networks that are not
 259   // managed by policy.
 260   if (!network_policy && global_policy && profile) {
 261     bool allow_only_policy_autoconnect = false;
 262     global_policy->GetBooleanWithoutPathExpansion(
 263         ::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
 264         &allow_only_policy_autoconnect);
 265     if (allow_only_policy_autoconnect) {
 266       ApplyGlobalAutoconnectPolicy(profile->type(),
 267                                    augmented_onc_network.get());
 268     }
 269   }
 270
 271   return augmented_onc_network.Pass();
 272 }
 273
 274 void SetShillPropertiesForGlobalPolicy(
 275     const base::DictionaryValue& shill_dictionary,
 276     const base::DictionaryValue& global_network_policy,
 277     base::DictionaryValue* shill_properties_to_update) {
 278   // kAllowOnlyPolicyNetworksToAutoconnect is currently the only global config.
 279
 280   std::string type;
 281   shill_dictionary.GetStringWithoutPathExpansion(shill::kTypeProperty, &type);
 282   if (NetworkTypePattern::Ethernet().MatchesType(type))
 283     return;  // Autoconnect for Ethernet cannot be configured.
 284
 285   // By default all networks are allowed to autoconnect.
 286   bool only_policy_autoconnect = false;
 287   global_network_policy.GetBooleanWithoutPathExpansion(
 288       ::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
 289       &only_policy_autoconnect);
 290   if (!only_policy_autoconnect)
 291     return;
 292
 293   bool old_autoconnect = false;
 294   if (shill_dictionary.GetBooleanWithoutPathExpansion(
 295           shill::kAutoConnectProperty, &old_autoconnect) &&
 296       !old_autoconnect) {
 297     // Autoconnect is already explictly disabled. No need to set it again.
 298     return;
 299   }
 300
 301   // If autconnect is not explicitly set yet, it might automatically be enabled
 302   // by Shill. To prevent that, disable it explicitly.
 303   shill_properties_to_update->SetBooleanWithoutPathExpansion(
 304       shill::kAutoConnectProperty, false);
 305 }
 306
 307 scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
 308     const NetworkProfile& profile,
 309     const std::string& guid,
 310     const base::DictionaryValue* global_policy,
 311     const base::DictionaryValue* network_policy,
 312     const base::DictionaryValue* user_settings) {
 313   scoped_ptr<base::DictionaryValue> effective;
 314   ::onc::ONCSource onc_source = ::onc::ONC_SOURCE_NONE;
 315   if (network_policy) {
 316     if (profile.type() == NetworkProfile::TYPE_SHARED) {
 317       effective = onc::MergeSettingsAndPoliciesToEffective(
 318           NULL,  // no user policy
 319           network_policy,  // device policy
 320           NULL,  // no user settings
 321           user_settings);  // shared settings
 322       onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY;
 323     } else if (profile.type() == NetworkProfile::TYPE_USER) {
 324       effective = onc::MergeSettingsAndPoliciesToEffective(
 325           network_policy,  // user policy
 326           NULL,  // no device policy
 327           user_settings,  // user settings
 328           NULL);  // no shared settings
 329       onc_source = ::onc::ONC_SOURCE_USER_POLICY;
 330     } else {
 331       NOTREACHED();
 332     }
 333   } else if (user_settings) {
 334     effective.reset(user_settings->DeepCopy());
 335     // TODO(pneubeck): change to source ONC_SOURCE_USER
 336     onc_source = ::onc::ONC_SOURCE_NONE;
 337   } else {
 338     NOTREACHED();
 339     onc_source = ::onc::ONC_SOURCE_NONE;
 340   }
 341
 342   RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
 343                         effective.get());
 344
 345   effective->SetStringWithoutPathExpansion(::onc::network_config::kGUID, guid);
 346
 347   // Remove irrelevant fields.
 348   onc::Normalizer normalizer(true /* remove recommended fields */);
 349   effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
 350                                          *effective);
 351
 352   scoped_ptr<base::DictionaryValue> shill_dictionary(
 353       onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
 354                                      *effective));
 355
 356   shill_dictionary->SetStringWithoutPathExpansion(shill::kProfileProperty,
 357                                                   profile.path);
 358
 359   // If AutoConnect is enabled by policy, set the ManagedCredentials property to
 360   // indicate to Shill that this network can be used for autoconnect even
 361   // without a manual and successful connection attempt.
 362   // Note that this is only an indicator for the administrator's true intention,
 363   // i.e. when the administrator enables AutoConnect, we assume that the network
 364   // is indeed connectable.
 365   // Ideally, we would know whether the (policy) provided credentials are
 366   // complete and only set ManagedCredentials in that case.
 367   if (network_policy && IsAutoConnectEnabledInPolicy(*network_policy)) {
 368     VLOG(1) << "Enable ManagedCredentials for managed network with GUID "
 369             << guid;
 370     shill_dictionary->SetBooleanWithoutPathExpansion(
 371         shill::kManagedCredentialsProperty, true);
 372   }
 373
 374   if (!network_policy && global_policy) {
 375     // The network isn't managed. Global network policies have to be applied.
 376     SetShillPropertiesForGlobalPolicy(
 377         *shill_dictionary, *global_policy, shill_dictionary.get());
 378   }
 379
 380   scoped_ptr<NetworkUIData> ui_data(NetworkUIData::CreateFromONC(onc_source));
 381
 382   if (user_settings) {
 383     // Shill doesn't know that sensitive data is contained in the UIData
 384     // property and might write it into logs or other insecure places. Thus, we
 385     // have to remove or mask credentials.
 386     //
 387     // Shill's GetProperties doesn't return credentials. Masking credentials
 388     // instead of just removing them, allows remembering if a credential is set
 389     // or not.
 390     scoped_ptr<base::DictionaryValue> sanitized_user_settings(
 391         onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature,
 392                                         *user_settings,
 393                                         kFakeCredential));
 394     ui_data->set_user_settings(sanitized_user_settings.Pass());
 395   }
 396
 397   shill_property_util::SetUIData(*ui_data, shill_dictionary.get());
 398
 399   VLOG(2) << "Created Shill properties: " << *shill_dictionary;
 400
 401   return shill_dictionary.Pass();
 402 }
 403
 404 const base::DictionaryValue* FindMatchingPolicy(
 405     const GuidToPolicyMap& policies,
 406     const base::DictionaryValue& actual_network) {
 407   for (GuidToPolicyMap::const_iterator it = policies.begin();
 408        it != policies.end(); ++it) {
 409     if (IsPolicyMatching(*it->second, actual_network))
 410       return it->second;
 411   }
 412   return NULL;
 413 }
 414
 415 }  // namespace policy_util
 416
 417 }  // namespace chromeos