1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/network/policy_util.h"
7 #include "base/logging.h"
8 #include "base/values.h"
9 #include "chromeos/network/network_profile.h"
10 #include "chromeos/network/network_ui_data.h"
11 #include "chromeos/network/onc/onc_merger.h"
12 #include "chromeos/network/onc/onc_normalizer.h"
13 #include "chromeos/network/onc/onc_signature.h"
14 #include "chromeos/network/onc/onc_translator.h"
15 #include "chromeos/network/onc/onc_utils.h"
16 #include "chromeos/network/shill_property_util.h"
17 #include "components/onc/onc_constants.h"
18 #include "third_party/cros_system_api/dbus/service_constants.h"
22 namespace policy_util {
26 // This fake credential contains a random postfix which is extremly unlikely to
27 // be used by any user.
28 const char kFakeCredential[] = "FAKE_CREDENTIAL_VPaJDV9x";
31 // Removes all kFakeCredential values from sensitive fields (determined by
32 // onc::FieldIsCredential) of |onc_object|.
33 void RemoveFakeCredentials(
34 const onc::OncValueSignature& signature,
35 base::DictionaryValue* onc_object) {
36 base::DictionaryValue::Iterator it(*onc_object);
37 while (!it.IsAtEnd()) {
38 base::Value* value = NULL;
39 std::string field_name = it.key();
40 // We need the non-const entry to remove nested values but DictionaryValue
41 // has no non-const iterator.
42 onc_object->GetWithoutPathExpansion(field_name, &value);
43 // Advance before delete.
46 // If |value| is a dictionary, recurse.
47 base::DictionaryValue* nested_object = NULL;
48 if (value->GetAsDictionary(&nested_object)) {
49 const onc::OncFieldSignature* field_signature =
50 onc::GetFieldSignature(signature, field_name);
52 RemoveFakeCredentials(*field_signature->value_signature, nested_object);
54 LOG(ERROR) << "ONC has unrecoginzed field: " << field_name;
58 // If |value| is a string, check if it is a fake credential.
59 std::string string_value;
60 if (value->GetAsString(&string_value) &&
61 onc::FieldIsCredential(signature, field_name)) {
62 if (string_value == kFakeCredential) {
63 // The value wasn't modified by the UI, thus we remove the field to keep
64 // the existing value that is stored in Shill.
65 onc_object->RemoveWithoutPathExpansion(field_name, NULL);
67 // Otherwise, the value is set and modified by the UI, thus we keep that
68 // value to overwrite whatever is stored in Shill.
73 // Returns true if |policy| matches |actual_network|, which must be part of a
74 // ONC NetworkConfiguration. This should be the only such matching function
75 // within Chrome. Shill does such matching in several functions for network
76 // identification. For compatibility, we currently should stick to Shill's
78 bool IsPolicyMatching(const base::DictionaryValue& policy,
79 const base::DictionaryValue& actual_network) {
80 std::string policy_type;
81 policy.GetStringWithoutPathExpansion(::onc::network_config::kType,
83 std::string actual_network_type;
84 actual_network.GetStringWithoutPathExpansion(::onc::network_config::kType,
85 &actual_network_type);
86 if (policy_type != actual_network_type)
89 if (actual_network_type == ::onc::network_type::kEthernet) {
90 const base::DictionaryValue* policy_ethernet = NULL;
91 policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kEthernet,
93 const base::DictionaryValue* actual_ethernet = NULL;
94 actual_network.GetDictionaryWithoutPathExpansion(
95 ::onc::network_config::kEthernet, &actual_ethernet);
96 if (!policy_ethernet || !actual_ethernet)
99 std::string policy_auth;
100 policy_ethernet->GetStringWithoutPathExpansion(
101 ::onc::ethernet::kAuthentication, &policy_auth);
102 std::string actual_auth;
103 actual_ethernet->GetStringWithoutPathExpansion(
104 ::onc::ethernet::kAuthentication, &actual_auth);
105 return policy_auth == actual_auth;
106 } else if (actual_network_type == ::onc::network_type::kWiFi) {
107 const base::DictionaryValue* policy_wifi = NULL;
108 policy.GetDictionaryWithoutPathExpansion(::onc::network_config::kWiFi,
110 const base::DictionaryValue* actual_wifi = NULL;
111 actual_network.GetDictionaryWithoutPathExpansion(
112 ::onc::network_config::kWiFi,
114 if (!policy_wifi || !actual_wifi)
117 std::string policy_ssid;
118 policy_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
120 std::string actual_ssid;
121 actual_wifi->GetStringWithoutPathExpansion(::onc::wifi::kSSID,
123 return (policy_ssid == actual_ssid);
130 scoped_ptr<base::DictionaryValue> CreateShillConfiguration(
131 const NetworkProfile& profile,
132 const std::string& guid,
133 const base::DictionaryValue* policy,
134 const base::DictionaryValue* settings) {
135 scoped_ptr<base::DictionaryValue> effective;
136 ::onc::ONCSource onc_source = ::onc::ONC_SOURCE_NONE;
138 if (profile.type() == NetworkProfile::TYPE_SHARED) {
139 effective = onc::MergeSettingsAndPoliciesToEffective(
140 NULL, // no user policy
141 policy, // device policy
142 NULL, // no user settings
143 settings); // shared settings
144 onc_source = ::onc::ONC_SOURCE_DEVICE_POLICY;
145 } else if (profile.type() == NetworkProfile::TYPE_USER) {
146 effective = onc::MergeSettingsAndPoliciesToEffective(
147 policy, // user policy
148 NULL, // no device policy
149 settings, // user settings
150 NULL); // no shared settings
151 onc_source = ::onc::ONC_SOURCE_USER_POLICY;
155 } else if (settings) {
156 effective.reset(settings->DeepCopy());
157 // TODO(pneubeck): change to source ONC_SOURCE_USER
158 onc_source = ::onc::ONC_SOURCE_NONE;
161 onc_source = ::onc::ONC_SOURCE_NONE;
164 RemoveFakeCredentials(onc::kNetworkConfigurationSignature,
167 effective->SetStringWithoutPathExpansion(::onc::network_config::kGUID, guid);
169 // Remove irrelevant fields.
170 onc::Normalizer normalizer(true /* remove recommended fields */);
171 effective = normalizer.NormalizeObject(&onc::kNetworkConfigurationSignature,
174 scoped_ptr<base::DictionaryValue> shill_dictionary(
175 onc::TranslateONCObjectToShill(&onc::kNetworkConfigurationSignature,
178 shill_dictionary->SetStringWithoutPathExpansion(shill::kProfileProperty,
181 scoped_ptr<NetworkUIData> ui_data;
183 ui_data = NetworkUIData::CreateFromONC(onc_source, *policy);
185 ui_data.reset(new NetworkUIData());
188 // Shill doesn't know that sensitive data is contained in the UIData
189 // property and might write it into logs or other insecure places. Thus, we
190 // have to remove or mask credentials.
192 // Shill's GetProperties doesn't return credentials. Masking credentials
193 // instead of just removing them, allows remembering if a credential is set
195 scoped_ptr<base::DictionaryValue> sanitized_settings(
196 onc::MaskCredentialsInOncObject(onc::kNetworkConfigurationSignature,
199 ui_data->set_user_settings(sanitized_settings.Pass());
202 shill_property_util::SetUIData(*ui_data, shill_dictionary.get());
204 VLOG(2) << "Created Shill properties: " << *shill_dictionary;
206 return shill_dictionary.Pass();
209 const base::DictionaryValue* FindMatchingPolicy(
210 const GuidToPolicyMap& policies,
211 const base::DictionaryValue& actual_network) {
212 for (GuidToPolicyMap::const_iterator it = policies.begin();
213 it != policies.end(); ++it) {
214 if (IsPolicyMatching(*it->second, actual_network))
220 } // namespace policy_util
222 } // namespace chromeos