diff options
| author | fqj <fqj@chromium.org> | 2015-11-13 12:12:59 -0800 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2015-11-13 20:14:14 +0000 |
| commit | fee5067aaad72d7b0525d23d5f6eb2500831feab (patch) | |
| tree | ddcfce303fca05ca87b182c857723e10d1847ae6 | |
| parent | ca1054043bbb319a687bf7214c8d206de53a07c1 (diff) | |
| download | chromium_src-fee5067aaad72d7b0525d23d5f6eb2500831feab.zip chromium_src-fee5067aaad72d7b0525d23d5f6eb2500831feab.tar.gz chromium_src-fee5067aaad72d7b0525d23d5f6eb2500831feab.tar.bz2 | |
Handle prohibited technologies in device policy ONC
This commit changes prohibited technologies from user policy ONC to device
policy ONC, and then handles it.
The device policy ONC will only take effect after user session starts.
After use has logged in, the prohibited technologies in ONC will take effect
and disable and prohibit specific technologies.
BUG=426390
Review URL: https://codereview.chromium.org/1431563005
Cr-Commit-Position: refs/heads/master@{#359602}
20 files changed, 520 insertions, 26 deletions
diff --git a/chromeos/chromeos.gyp b/chromeos/chromeos.gyp index 2f93d9e..4499f75 100644 --- a/chromeos/chromeos.gyp +++ b/chromeos/chromeos.gyp @@ -350,6 +350,8 @@ 'network/portal_detector/network_portal_detector_strategy.h', 'network/portal_detector/network_portal_detector_stub.cc', 'network/portal_detector/network_portal_detector_stub.h', + 'network/prohibited_technologies_handler.cc', + 'network/prohibited_technologies_handler.h', 'network/shill_property_handler.cc', 'network/shill_property_handler.h', 'network/shill_property_util.cc', @@ -446,6 +448,7 @@ 'network/onc/onc_translator_unittest.cc', 'network/onc/onc_utils_unittest.cc', 'network/onc/onc_validator_unittest.cc', + 'network/prohibited_technologies_handler_unittest.cc', 'network/shill_property_handler_unittest.cc', 'process_proxy/process_output_watcher_unittest.cc', 'process_proxy/process_proxy_unittest.cc', diff --git a/chromeos/network/auto_connect_handler_unittest.cc b/chromeos/network/auto_connect_handler_unittest.cc index 9749ee4..0181a74 100644 --- a/chromeos/network/auto_connect_handler_unittest.cc +++ b/chromeos/network/auto_connect_handler_unittest.cc @@ -121,7 +121,8 @@ class AutoConnectHandlerTest : public testing::Test { managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); managed_config_handler_->Init( network_state_handler_.get(), network_profile_handler_.get(), - network_config_handler_.get(), nullptr /* network_device_handler */); + network_config_handler_.get(), nullptr /* network_device_handler */, + nullptr /* prohibited_technologies_handler */); client_cert_resolver_.reset(new ClientCertResolver()); client_cert_resolver_->Init(network_state_handler_.get(), diff --git a/chromeos/network/client_cert_resolver_unittest.cc b/chromeos/network/client_cert_resolver_unittest.cc index 0109b8c..7f2035b 100644 --- a/chromeos/network/client_cert_resolver_unittest.cc +++ b/chromeos/network/client_cert_resolver_unittest.cc @@ -140,11 +140,11 @@ class ClientCertResolverTest : public testing::Test, network_profile_handler_->Init(); network_config_handler_->Init(network_state_handler_.get(), - NULL /* network_device_handler */); - managed_config_handler_->Init(network_state_handler_.get(), - network_profile_handler_.get(), - network_config_handler_.get(), - NULL /* network_device_handler */); + nullptr /* network_device_handler */); + managed_config_handler_->Init( + network_state_handler_.get(), network_profile_handler_.get(), + network_config_handler_.get(), nullptr /* network_device_handler */, + nullptr /* prohibited_technologies_handler */); // Run all notifications before starting the cert loader to reduce run time. base::RunLoop().RunUntilIdle(); diff --git a/chromeos/network/managed_network_configuration_handler_impl.cc b/chromeos/network/managed_network_configuration_handler_impl.cc index c040723..16648c3 100644 --- a/chromeos/network/managed_network_configuration_handler_impl.cc +++ b/chromeos/network/managed_network_configuration_handler_impl.cc @@ -34,6 +34,7 @@ #include "chromeos/network/onc/onc_utils.h" #include "chromeos/network/onc/onc_validator.h" #include "chromeos/network/policy_util.h" +#include "chromeos/network/prohibited_technologies_handler.h" #include "chromeos/network/shill_property_util.h" #include "components/onc/onc_constants.h" #include "third_party/cros_system_api/dbus/service_constants.h" @@ -426,6 +427,19 @@ void ManagedNetworkConfigurationHandlerImpl::SetPolicy( policies->global_network_config.MergeDictionary(&global_network_config); + // Update prohibited technologies. + const base::ListValue* prohibited_list = nullptr; + if (policies->global_network_config.GetListWithoutPathExpansion( + ::onc::global_network_config::kDisableNetworkTypes, + &prohibited_list) && + prohibited_technologies_handler_) { + // Prohobited technologies are only allowed in user policy. + DCHECK_EQ(::onc::ONC_SOURCE_DEVICE_POLICY, onc_source); + + prohibited_technologies_handler_->SetProhibitedTechnologies( + prohibited_list); + } + GuidToPolicyMap old_per_network_config; policies->per_network_config.swap(old_per_network_config); @@ -709,12 +723,14 @@ void ManagedNetworkConfigurationHandlerImpl::Init( NetworkStateHandler* network_state_handler, NetworkProfileHandler* network_profile_handler, NetworkConfigurationHandler* network_configuration_handler, - NetworkDeviceHandler* network_device_handler) { + NetworkDeviceHandler* network_device_handler, + ProhibitedTechnologiesHandler* prohibited_technologies_handler) { network_state_handler_ = network_state_handler; network_profile_handler_ = network_profile_handler; network_configuration_handler_ = network_configuration_handler; network_device_handler_ = network_device_handler; network_profile_handler_->AddObserver(this); + prohibited_technologies_handler_ = prohibited_technologies_handler; } void ManagedNetworkConfigurationHandlerImpl::OnPolicyAppliedToNetwork( diff --git a/chromeos/network/managed_network_configuration_handler_impl.h b/chromeos/network/managed_network_configuration_handler_impl.h index a204b04..23a8f72 100644 --- a/chromeos/network/managed_network_configuration_handler_impl.h +++ b/chromeos/network/managed_network_configuration_handler_impl.h @@ -112,6 +112,7 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandlerImpl friend class ManagedNetworkConfigurationHandlerTest; friend class NetworkConnectionHandlerTest; friend class NetworkHandler; + friend class ProhibitedTechnologiesHandlerTest; struct Policies; typedef base::Callback<void(const std::string& service_path, @@ -130,7 +131,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandlerImpl void Init(NetworkStateHandler* network_state_handler, NetworkProfileHandler* network_profile_handler, NetworkConfigurationHandler* network_configuration_handler, - NetworkDeviceHandler* network_device_handler); + NetworkDeviceHandler* network_device_handler, + ProhibitedTechnologiesHandler* prohibitied_technologies_handler); // Sends the response to the caller of GetManagedProperties. void SendManagedProperties( @@ -201,6 +203,7 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandlerImpl NetworkProfileHandler* network_profile_handler_; NetworkConfigurationHandler* network_configuration_handler_; NetworkDeviceHandler* network_device_handler_; + ProhibitedTechnologiesHandler* prohibited_technologies_handler_; // Owns the currently running PolicyApplicators. UserToPolicyApplicatorMap policy_applicators_; diff --git a/chromeos/network/managed_network_configuration_handler_unittest.cc b/chromeos/network/managed_network_configuration_handler_unittest.cc index c95d6b1..6580156 100644 --- a/chromeos/network/managed_network_configuration_handler_unittest.cc +++ b/chromeos/network/managed_network_configuration_handler_unittest.cc @@ -260,14 +260,13 @@ class ManagedNetworkConfigurationHandlerTest : public testing::Test { network_configuration_handler_.reset( NetworkConfigurationHandler::InitializeForTest( network_state_handler_.get(), - NULL /* no NetworkDeviceHandler */)); + nullptr /* no NetworkDeviceHandler */)); managed_network_configuration_handler_.reset( new ManagedNetworkConfigurationHandlerImpl()); managed_network_configuration_handler_->Init( - network_state_handler_.get(), - network_profile_handler_.get(), - network_configuration_handler_.get(), - NULL /* no DeviceHandler */); + network_state_handler_.get(), network_profile_handler_.get(), + network_configuration_handler_.get(), nullptr /* no DeviceHandler */, + nullptr /* no ProhibitedTechnologiesHandler */); managed_network_configuration_handler_->AddObserver(&policy_observer_); message_loop_.RunUntilIdle(); @@ -337,7 +336,10 @@ class ManagedNetworkConfigurationHandlerTest : public testing::Test { // These calls occur in NetworkConfigurationHandler. EXPECT_CALL(*mock_manager_client_, GetProperties(_)).Times(AnyNumber()); EXPECT_CALL(*mock_manager_client_, - AddPropertyChangedObserver(_)).Times(AnyNumber()); + SetProperty("ProhibitedTechnologies", _, _, _)) + .Times(AnyNumber()); + EXPECT_CALL(*mock_manager_client_, AddPropertyChangedObserver(_)) + .Times(AnyNumber()); EXPECT_CALL(*mock_manager_client_, RemovePropertyChangedObserver(_)).Times(AnyNumber()); } diff --git a/chromeos/network/network_connection_handler_unittest.cc b/chromeos/network/network_connection_handler_unittest.cc index f4d2b15..1ae00af 100644 --- a/chromeos/network/network_connection_handler_unittest.cc +++ b/chromeos/network/network_connection_handler_unittest.cc @@ -145,7 +145,8 @@ class NetworkConnectionHandlerTest : public testing::Test { managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); managed_config_handler_->Init( network_state_handler_.get(), network_profile_handler_.get(), - network_config_handler_.get(), nullptr /* network_device_handler */); + network_config_handler_.get(), nullptr /* network_device_handler */, + nullptr /* prohibited_tecnologies_handler */); network_connection_handler_.reset(new NetworkConnectionHandler); network_connection_handler_->Init(network_state_handler_.get(), diff --git a/chromeos/network/network_handler.cc b/chromeos/network/network_handler.cc index 0ce9ff8..b10bad7 100644 --- a/chromeos/network/network_handler.cc +++ b/chromeos/network/network_handler.cc @@ -21,6 +21,7 @@ #include "chromeos/network/network_sms_handler.h" #include "chromeos/network/network_state_handler.h" #include "chromeos/network/network_state_handler_observer.h" +#include "chromeos/network/prohibited_technologies_handler.h" namespace chromeos { @@ -36,6 +37,7 @@ NetworkHandler::NetworkHandler() network_configuration_handler_.reset(new NetworkConfigurationHandler()); managed_network_configuration_handler_.reset( new ManagedNetworkConfigurationHandlerImpl()); + prohibited_technologies_handler_.reset(new ProhibitedTechnologiesHandler()); if (CertLoader::IsInitialized()) { auto_connect_handler_.reset(new AutoConnectHandler()); network_cert_migrator_.reset(new NetworkCertMigrator()); @@ -57,10 +59,9 @@ void NetworkHandler::Init() { network_configuration_handler_->Init(network_state_handler_.get(), network_device_handler_.get()); managed_network_configuration_handler_->Init( - network_state_handler_.get(), - network_profile_handler_.get(), - network_configuration_handler_.get(), - network_device_handler_.get()); + network_state_handler_.get(), network_profile_handler_.get(), + network_configuration_handler_.get(), network_device_handler_.get(), + prohibited_technologies_handler_.get()); network_connection_handler_->Init( network_state_handler_.get(), network_configuration_handler_.get(), @@ -77,6 +78,9 @@ void NetworkHandler::Init() { network_state_handler_.get(), managed_network_configuration_handler_.get()); } + prohibited_technologies_handler_->Init( + managed_network_configuration_handler_.get(), + network_state_handler_.get()); network_sms_handler_->Init(); geolocation_handler_->Init(); } @@ -144,4 +148,9 @@ GeolocationHandler* NetworkHandler::geolocation_handler() { return geolocation_handler_.get(); } +ProhibitedTechnologiesHandler* +NetworkHandler::prohibited_technologies_handler() { + return prohibited_technologies_handler_.get(); +} + } // namespace chromeos diff --git a/chromeos/network/network_handler.h b/chromeos/network/network_handler.h index 82d7441..93658e0 100644 --- a/chromeos/network/network_handler.h +++ b/chromeos/network/network_handler.h @@ -27,6 +27,7 @@ class NetworkDeviceHandlerImpl; class NetworkProfileHandler; class NetworkStateHandler; class NetworkSmsHandler; +class ProhibitedTechnologiesHandler; // Class for handling initialization and access to chromeos network handlers. // This class should NOT be used in unit tests. Instead, construct individual @@ -61,6 +62,7 @@ class CHROMEOS_EXPORT NetworkHandler { NetworkConnectionHandler* network_connection_handler(); NetworkSmsHandler* network_sms_handler(); GeolocationHandler* geolocation_handler(); + ProhibitedTechnologiesHandler* prohibited_technologies_handler(); private: NetworkHandler(); @@ -83,6 +85,7 @@ class CHROMEOS_EXPORT NetworkHandler { scoped_ptr<AutoConnectHandler> auto_connect_handler_; scoped_ptr<NetworkSmsHandler> network_sms_handler_; scoped_ptr<GeolocationHandler> geolocation_handler_; + scoped_ptr<ProhibitedTechnologiesHandler> prohibited_technologies_handler_; DISALLOW_COPY_AND_ASSIGN(NetworkHandler); }; diff --git a/chromeos/network/network_profile_handler.h b/chromeos/network/network_profile_handler.h index 5b55ba6..af5045a 100644 --- a/chromeos/network/network_profile_handler.h +++ b/chromeos/network/network_profile_handler.h @@ -65,6 +65,7 @@ class CHROMEOS_EXPORT NetworkProfileHandler friend class ClientCertResolverTest; friend class NetworkConnectionHandlerTest; friend class NetworkHandler; + friend class ProhibitedTechnologiesHandlerTest; NetworkProfileHandler(); // Add ShillManagerClient property observer and request initial list. diff --git a/chromeos/network/network_state_handler.cc b/chromeos/network/network_state_handler.cc index e1f1890..5007837 100644 --- a/chromeos/network/network_state_handler.cc +++ b/chromeos/network/network_state_handler.cc @@ -144,6 +144,15 @@ void NetworkStateHandler::SetTechnologyEnabled( NotifyDeviceListChanged(); } +void NetworkStateHandler::SetProhibitedTechnologies( + const std::vector<std::string>& prohibited_technologies, + const network_handler::ErrorCallback& error_callback) { + shill_property_handler_->SetProhibitedTechnologies(prohibited_technologies, + error_callback); + // Signal Device/Technology state changed. + NotifyDeviceListChanged(); +} + const DeviceState* NetworkStateHandler::GetDeviceState( const std::string& device_path) const { const DeviceState* device = GetModifiableDeviceState(device_path); diff --git a/chromeos/network/network_state_handler.h b/chromeos/network/network_state_handler.h index d7d1acd..a700f82 100644 --- a/chromeos/network/network_state_handler.h +++ b/chromeos/network/network_state_handler.h @@ -103,6 +103,13 @@ class CHROMEOS_EXPORT NetworkStateHandler bool enabled, const network_handler::ErrorCallback& error_callback); + // Asynchronously sets the list of prohibited technologies. The accepted + // values are the shill network technology identifiers. See also + // chromeos::onc::Validator::ValidateGlobalNetworkConfiguration(). + void SetProhibitedTechnologies( + const std::vector<std::string>& prohibited_technologies, + const network_handler::ErrorCallback& error_callback); + // Finds and returns a device state by |device_path| or NULL if not found. const DeviceState* GetDeviceState(const std::string& device_path) const; diff --git a/chromeos/network/onc/onc_validator.cc b/chromeos/network/onc/onc_validator.cc index 6574561..ee681aa 100644 --- a/chromeos/network/onc/onc_validator.cc +++ b/chromeos/network/onc/onc_validator.cc @@ -887,11 +887,11 @@ bool Validator::ValidateGlobalNetworkConfiguration( const base::ListValue* disabled_network_types = NULL; if (result->GetListWithoutPathExpansion(kDisableNetworkTypes, &disabled_network_types)) { - // The kDisableNetworkTypes field is only allowed in user policy. + // The kDisableNetworkTypes field is only allowed in device policy. if (!disabled_network_types->empty() && - onc_source_ != ::onc::ONC_SOURCE_USER_POLICY) { + onc_source_ != ::onc::ONC_SOURCE_DEVICE_POLICY) { error_or_warning_found_ = true; - LOG(ERROR) << "Disabled network types only allowed in user policy."; + LOG(ERROR) << "Disabled network types only allowed in device policy."; return false; } } diff --git a/chromeos/network/onc/onc_validator_unittest.cc b/chromeos/network/onc/onc_validator_unittest.cc index f1bf451..7fc6a26 100644 --- a/chromeos/network/onc/onc_validator_unittest.cc +++ b/chromeos/network/onc/onc_validator_unittest.cc @@ -149,11 +149,11 @@ INSTANTIATE_TEST_CASE_P( &kToplevelConfigurationSignature, true, ::onc::ONC_SOURCE_DEVICE_POLICY), - // Disabled technologies are only allowed for user policies. + // Disabled technologies are only allowed for device policies. OncParams("managed_toplevel_with_disabled_technologies.onc", &kToplevelConfigurationSignature, true, - ::onc::ONC_SOURCE_USER_POLICY), + ::onc::ONC_SOURCE_DEVICE_POLICY), // AllowOnlyPolicyNetworksToConnect is only allowed for device policies. OncParams("managed_toplevel_with_only_managed.onc", &kToplevelConfigurationSignature, diff --git a/chromeos/network/prohibited_technologies_handler.cc b/chromeos/network/prohibited_technologies_handler.cc new file mode 100644 index 0000000..5d41e31 --- /dev/null +++ b/chromeos/network/prohibited_technologies_handler.cc @@ -0,0 +1,112 @@ +// Copyright 2014 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "chromeos/network/prohibited_technologies_handler.h" + +#include "chromeos/network/managed_network_configuration_handler.h" +#include "chromeos/network/network_state_handler.h" +#include "chromeos/network/network_util.h" +#include "third_party/cros_system_api/dbus/service_constants.h" + +namespace chromeos { + +ProhibitedTechnologiesHandler::ProhibitedTechnologiesHandler() {} + +ProhibitedTechnologiesHandler::~ProhibitedTechnologiesHandler() { + if (managed_network_configuration_handler_) + managed_network_configuration_handler_->RemoveObserver(this); + if (LoginState::IsInitialized()) + LoginState::Get()->RemoveObserver(this); +} + +void ProhibitedTechnologiesHandler::Init( + ManagedNetworkConfigurationHandler* managed_network_configuration_handler, + NetworkStateHandler* network_state_handler) { + if (LoginState::IsInitialized()) + LoginState::Get()->AddObserver(this); + + managed_network_configuration_handler_ = + managed_network_configuration_handler; + if (managed_network_configuration_handler_) + managed_network_configuration_handler_->AddObserver(this); + network_state_handler_ = network_state_handler; + + // Clear the list of prohibited network technologies. As a user logout always + // triggers a browser process restart, Init() is always invoked to reallow any + // network technology forbidden for the previous user. + network_state_handler_->SetProhibitedTechnologies( + std::vector<std::string>(), chromeos::network_handler::ErrorCallback()); + + if (LoginState::IsInitialized()) + LoggedInStateChanged(); +} + +void ProhibitedTechnologiesHandler::LoggedInStateChanged() { + user_logged_in_ = LoginState::Get()->IsUserLoggedIn(); + EnforceProhibitedTechnologies(); +} + +void ProhibitedTechnologiesHandler::PoliciesChanged( + const std::string& userhash) {} + +void ProhibitedTechnologiesHandler::PoliciesApplied( + const std::string& userhash) { + if (userhash.empty()) + return; + user_policy_applied_ = true; + EnforceProhibitedTechnologies(); +} + +void ProhibitedTechnologiesHandler::SetProhibitedTechnologies( + const base::ListValue* prohibited_list) { + // Build up prohibited network type list and save it for furthur use when + // enforced + prohibited_technologies_.clear(); + for (const base::Value* item : *prohibited_list) { + std::string prohibited_technology; + item->GetAsString(&prohibited_technology); + std::string translated_tech = + network_util::TranslateONCTypeToShill(prohibited_technology); + if (!translated_tech.empty()) + prohibited_technologies_.push_back(translated_tech); + } + EnforceProhibitedTechnologies(); +} + +void ProhibitedTechnologiesHandler::EnforceProhibitedTechnologies() { + if (user_logged_in_ && user_policy_applied_) { + network_state_handler_->SetProhibitedTechnologies( + prohibited_technologies_, network_handler::ErrorCallback()); + if (std::find(prohibited_technologies_.begin(), + prohibited_technologies_.end(), + shill::kTypeEthernet) != prohibited_technologies_.end()) + return; + } else { + // This is done to make sure prohibited technologies are cleared + // before user policy is applied. + network_state_handler_->SetProhibitedTechnologies( + std::vector<std::string>(), network_handler::ErrorCallback()); + } + + // Enable ethernet back as user doesn't have a place to enable it back + // if user shuts down directly in a user session. As shill will persist + // ProhibitedTechnologies which may include ethernet, making users can + // not find Ethernet at next boot or logging out unless user log out first + // and then shutdown. + if (network_state_handler_->IsTechnologyAvailable( + NetworkTypePattern::Ethernet()) && + !network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Ethernet())) + network_state_handler_->SetTechnologyEnabled( + NetworkTypePattern::Ethernet(), true, network_handler::ErrorCallback()); +} + +std::vector<std::string> +ProhibitedTechnologiesHandler::GetCurrentlyProhibitedTechnologies() { + if (user_logged_in_ && user_policy_applied_) + return prohibited_technologies_; + return std::vector<std::string>(); +} + +} // namespace chromeos diff --git a/chromeos/network/prohibited_technologies_handler.h b/chromeos/network/prohibited_technologies_handler.h new file mode 100644 index 0000000..8f5136a --- /dev/null +++ b/chromeos/network/prohibited_technologies_handler.h @@ -0,0 +1,59 @@ +// Copyright 2015 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CHROMEOS_NETWORK_PROHIBITED_TECHNOLOGIES_HANDLER_H_ +#define CHROMEOS_NETWORK_PROHIBITED_TECHNOLOGIES_HANDLER_H_ + +#include <string> + +#include "base/macros.h" +#include "base/values.h" +#include "chromeos/chromeos_export.h" +#include "chromeos/login/login_state.h" +#include "chromeos/network/network_handler.h" +#include "chromeos/network/network_policy_observer.h" + +namespace chromeos { + +class CHROMEOS_EXPORT ProhibitedTechnologiesHandler + : public LoginState::Observer, + public NetworkPolicyObserver { + public: + ~ProhibitedTechnologiesHandler() override; + + // LoginState::Observer + void LoggedInStateChanged() override; + + // NetworkPolicyObserver + void PoliciesChanged(const std::string& userhash) override; + void PoliciesApplied(const std::string& userhash) override; + + void SetProhibitedTechnologies(const base::ListValue* prohibited_list); + std::vector<std::string> GetCurrentlyProhibitedTechnologies(); + + private: + friend class NetworkHandler; + friend class ProhibitedTechnologiesHandlerTest; + + ProhibitedTechnologiesHandler(); + + void Init( + ManagedNetworkConfigurationHandler* managed_network_configuration_handler, + NetworkStateHandler* network_state_handler); + + void EnforceProhibitedTechnologies(); + + std::vector<std::string> prohibited_technologies_; + ManagedNetworkConfigurationHandler* managed_network_configuration_handler_ = + nullptr; + NetworkStateHandler* network_state_handler_ = nullptr; + bool user_logged_in_ = false; + bool user_policy_applied_ = false; + + DISALLOW_COPY_AND_ASSIGN(ProhibitedTechnologiesHandler); +}; + +} // namespace chromeos + +#endif // CHROMEOS_NETWORK_PROHIBITED_TECHNOLOGIES_HANDLER_H_ diff --git a/chromeos/network/prohibited_technologies_handler_unittest.cc b/chromeos/network/prohibited_technologies_handler_unittest.cc new file mode 100644 index 0000000..68e186f --- /dev/null +++ b/chromeos/network/prohibited_technologies_handler_unittest.cc @@ -0,0 +1,190 @@ +// Copyright 2015 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "chromeos/network/prohibited_technologies_handler.h" + +#include <string> + +#include "base/bind.h" +#include "base/callback.h" +#include "base/json/json_reader.h" +#include "base/memory/scoped_ptr.h" +#include "base/message_loop/message_loop.h" +#include "base/run_loop.h" +#include "chromeos/dbus/dbus_thread_manager.h" +#include "chromeos/dbus/shill_manager_client.h" +#include "chromeos/dbus/shill_profile_client.h" +#include "chromeos/network/managed_network_configuration_handler_impl.h" +#include "chromeos/network/network_configuration_handler.h" +#include "chromeos/network/network_profile_handler.h" +#include "chromeos/network/network_state_handler.h" +#include "chromeos/network/onc/onc_utils.h" +#include "testing/gtest/include/gtest/gtest.h" +#include "third_party/cros_system_api/dbus/service_constants.h" + +namespace chromeos { + +namespace { +const char* kUserHash = "user_hash"; +} + +class ProhibitedTechnologiesHandlerTest : public testing::Test { + public: + ProhibitedTechnologiesHandlerTest() {} + + void SetUp() override { + DBusThreadManager::Initialize(); + LoginState::Initialize(); + DBusThreadManager* dbus_manager = DBusThreadManager::Get(); + test_manager_client_ = + dbus_manager->GetShillManagerClient()->GetTestInterface(); + + test_manager_client_->AddTechnology(shill::kTypeWifi, true /* enabled */); + test_manager_client_->AddTechnology(shill::kTypeCellular, + true /* enabled */); + dbus_manager->GetShillProfileClient()->GetTestInterface()->AddProfile( + "shared_profile_path", std::string() /* shared profile */); + dbus_manager->GetShillProfileClient()->GetTestInterface()->AddProfile( + "user_profile_path", kUserHash); + + base::RunLoop().RunUntilIdle(); + network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); + network_config_handler_.reset( + NetworkConfigurationHandler::InitializeForTest( + network_state_handler_.get(), NULL /* network_device_handler */)); + + network_profile_handler_.reset(new NetworkProfileHandler()); + network_profile_handler_->Init(); + + managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); + prohibited_technologies_handler_.reset(new ProhibitedTechnologiesHandler()); + + managed_config_handler_->Init( + network_state_handler_.get(), network_profile_handler_.get(), + network_config_handler_.get(), nullptr /* network_device_handler */, + prohibited_technologies_handler_.get()); + + prohibited_technologies_handler_->Init(managed_config_handler_.get(), + network_state_handler_.get()); + + base::RunLoop().RunUntilIdle(); + + PreparePolicies(); + } + + void PreparePolicies() { + scoped_ptr<base::ListValue> val(new base::ListValue()); + val->AppendString("WiFi"); + global_config_disable_wifi.Set("DisableNetworkTypes", val.Pass()); + val.reset(new base::ListValue()); + val->AppendString("WiFi"); + val->AppendString("Cellular"); + global_config_disable_wifi_and_cell.Set("DisableNetworkTypes", val.Pass()); + } + + void TearDown() override { + prohibited_technologies_handler_.reset(); + managed_config_handler_.reset(); + network_profile_handler_.reset(); + network_config_handler_.reset(); + network_state_handler_.reset(); + LoginState::Shutdown(); + DBusThreadManager::Shutdown(); + } + + protected: + void LoginToRegularUser() { + LoginState::Get()->SetLoggedInState(LoginState::LOGGED_IN_ACTIVE, + LoginState::LOGGED_IN_USER_REGULAR); + base::RunLoop().RunUntilIdle(); + } + + void SetupPolicy(const base::DictionaryValue& global_config, + bool user_policy) { + if (user_policy) { + managed_config_handler_->SetPolicy(::onc::ONC_SOURCE_USER_POLICY, + kUserHash, base::ListValue(), + global_config); + } else { + managed_config_handler_->SetPolicy(::onc::ONC_SOURCE_DEVICE_POLICY, + std::string(), // no username hash + base::ListValue(), global_config); + } + base::RunLoop().RunUntilIdle(); + } + + scoped_ptr<ProhibitedTechnologiesHandler> prohibited_technologies_handler_; + scoped_ptr<NetworkStateHandler> network_state_handler_; + scoped_ptr<NetworkConfigurationHandler> network_config_handler_; + scoped_ptr<ManagedNetworkConfigurationHandlerImpl> managed_config_handler_; + scoped_ptr<NetworkProfileHandler> network_profile_handler_; + ShillManagerClient::TestInterface* test_manager_client_; + base::MessageLoopForUI message_loop_; + base::DictionaryValue global_config_disable_wifi; + base::DictionaryValue global_config_disable_wifi_and_cell; + + private: + DISALLOW_COPY_AND_ASSIGN(ProhibitedTechnologiesHandlerTest); +}; + +TEST_F(ProhibitedTechnologiesHandlerTest, + ProhibitedTechnologiesAllowedLoginScreen) { + EXPECT_TRUE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_TRUE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); + SetupPolicy(global_config_disable_wifi_and_cell, false); + EXPECT_TRUE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_TRUE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); +}; + +TEST_F(ProhibitedTechnologiesHandlerTest, + ProhibitedTechnologiesNotAllowedUserSession) { + EXPECT_TRUE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_TRUE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); + SetupPolicy(global_config_disable_wifi_and_cell, false); + + LoginToRegularUser(); + EXPECT_TRUE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_TRUE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); + + SetupPolicy(base::DictionaryValue(), true); // wait for user policy + + // Should be disabled after logged in + EXPECT_FALSE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_FALSE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); + + // Can not enable it back + network_state_handler_->SetTechnologyEnabled( + NetworkTypePattern::WiFi(), true, network_handler::ErrorCallback()); + network_state_handler_->SetTechnologyEnabled( + NetworkTypePattern::Cellular(), true, network_handler::ErrorCallback()); + message_loop_.RunUntilIdle(); + EXPECT_FALSE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_FALSE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); + + // Can enable Cellular back after modifying policy + SetupPolicy(global_config_disable_wifi, false); + network_state_handler_->SetTechnologyEnabled( + NetworkTypePattern::WiFi(), true, network_handler::ErrorCallback()); + network_state_handler_->SetTechnologyEnabled( + NetworkTypePattern::Cellular(), true, network_handler::ErrorCallback()); + message_loop_.RunUntilIdle(); + EXPECT_FALSE( + network_state_handler_->IsTechnologyEnabled(NetworkTypePattern::WiFi())); + EXPECT_TRUE(network_state_handler_->IsTechnologyEnabled( + NetworkTypePattern::Cellular())); +}; + +} // namespace chromeos diff --git a/chromeos/network/shill_property_handler.cc b/chromeos/network/shill_property_handler.cc index 02b620d..eb73b83 100644 --- a/chromeos/network/shill_property_handler.cc +++ b/chromeos/network/shill_property_handler.cc @@ -9,6 +9,7 @@ #include "base/bind.h" #include "base/format_macros.h" #include "base/stl_util.h" +#include "base/strings/string_util.h" #include "base/values.h" #include "chromeos/dbus/dbus_thread_manager.h" #include "chromeos/dbus/shill_device_client.h" @@ -104,8 +105,7 @@ class ShillPropertyObserver : public ShillPropertyChangedObserver { ShillPropertyHandler::ShillPropertyHandler(Listener* listener) : listener_(listener), - shill_manager_(DBusThreadManager::Get()->GetShillManagerClient()) { -} + shill_manager_(DBusThreadManager::Get()->GetShillManagerClient()) {} ShillPropertyHandler::~ShillPropertyHandler() { // Delete network service observers. @@ -153,6 +153,14 @@ void ShillPropertyHandler::SetTechnologyEnabled( bool enabled, const network_handler::ErrorCallback& error_callback) { if (enabled) { + if (prohibited_technologies_.find(technology) != + prohibited_technologies_.end()) { + chromeos::network_handler::RunErrorCallback( + error_callback, "", "prohibited_technologies", + "Ignored: Attempt to enable prohibited network technology " + + technology); + return; + } enabling_technologies_.insert(technology); shill_manager_->EnableTechnology( technology, base::Bind(&base::DoNothing), @@ -169,6 +177,35 @@ void ShillPropertyHandler::SetTechnologyEnabled( } } +void ShillPropertyHandler::SetProhibitedTechnologies( + const std::vector<std::string>& prohibited_technologies, + const network_handler::ErrorCallback& error_callback) { + prohibited_technologies_.clear(); + prohibited_technologies_.insert(prohibited_technologies.begin(), + prohibited_technologies.end()); + + // Remove technologies from the other lists. + // And manually disable them. + for (const auto& technology : prohibited_technologies) { + enabling_technologies_.erase(technology); + enabled_technologies_.erase(technology); + shill_manager_->DisableTechnology( + technology, base::Bind(&base::DoNothing), + base::Bind(&network_handler::ShillErrorCallbackFunction, + "DisableTechnology Failed", technology, error_callback)); + } + + // Send updated prohibited technology list to shill. + const std::string prohibited_list = + base::JoinString(prohibited_technologies, ","); + base::StringValue value(prohibited_list); + shill_manager_->SetProperty( + "ProhibitedTechnologies", value, base::Bind(&base::DoNothing), + base::Bind(&network_handler::ShillErrorCallbackFunction, + "SetTechnologiesProhibited Failed", prohibited_list, + error_callback)); +} + void ShillPropertyHandler::SetCheckPortalList( const std::string& check_portal_list) { base::StringValue value(check_portal_list); diff --git a/chromeos/network/shill_property_handler.h b/chromeos/network/shill_property_handler.h index 8b2cd42..d88ac28 100644 --- a/chromeos/network/shill_property_handler.h +++ b/chromeos/network/shill_property_handler.h @@ -9,6 +9,7 @@ #include <map> #include <set> #include <string> +#include <vector> #include "base/memory/weak_ptr.h" #include "chromeos/dbus/dbus_method_call_status.h" @@ -122,6 +123,13 @@ class CHROMEOS_EXPORT ShillPropertyHandler bool enabled, const network_handler::ErrorCallback& error_callback); + // Asynchronously sets the prohibited state for every network technology + // listed in |technologies|. Note: Modifies Manager state. Calls + // |error_callback| on failure. + void SetProhibitedTechnologies( + const std::vector<std::string>& technologies, + const network_handler::ErrorCallback& error_callback); + // Sets the list of devices on which portal check is enabled. void SetCheckPortalList(const std::string& check_portal_list); @@ -214,6 +222,8 @@ class CHROMEOS_EXPORT ShillPropertyHandler DBusMethodCallStatus call_status, const base::DictionaryValue& properties); + void SetProhibitedTechnologiesEnforced(bool enforced); + // Pointer to containing class (owns this) Listener* listener_; @@ -237,6 +247,7 @@ class CHROMEOS_EXPORT ShillPropertyHandler std::set<std::string> available_technologies_; std::set<std::string> enabled_technologies_; std::set<std::string> enabling_technologies_; + std::set<std::string> prohibited_technologies_; std::set<std::string> uninitialized_technologies_; DISALLOW_COPY_AND_ASSIGN(ShillPropertyHandler); diff --git a/chromeos/network/shill_property_handler_unittest.cc b/chromeos/network/shill_property_handler_unittest.cc index 3f705ab..7593194 100644 --- a/chromeos/network/shill_property_handler_unittest.cc +++ b/chromeos/network/shill_property_handler_unittest.cc @@ -501,4 +501,34 @@ TEST_F(ShillPropertyHandlerTest, ShillPropertyHandlerServiceList) { shill::kServiceCompleteListProperty)[kTestServicePath2]); } +TEST_F(ShillPropertyHandlerTest, ProhibitedTechnologies) { + std::vector<std::string> prohibited_technologies; + prohibited_technologies.push_back(shill::kTypeEthernet); + EXPECT_TRUE( + shill_property_handler_->IsTechnologyEnabled(shill::kTypeEthernet)); + shill_property_handler_->SetProhibitedTechnologies( + prohibited_technologies, network_handler::ErrorCallback()); + message_loop_.RunUntilIdle(); + // Disabled + EXPECT_FALSE( + shill_property_handler_->IsTechnologyEnabled(shill::kTypeEthernet)); + + // Can not enable it back + shill_property_handler_->SetTechnologyEnabled( + shill::kTypeEthernet, true, network_handler::ErrorCallback()); + message_loop_.RunUntilIdle(); + EXPECT_FALSE( + shill_property_handler_->IsTechnologyEnabled(shill::kTypeEthernet)); + + // Can enable it back after policy changes + prohibited_technologies.clear(); + shill_property_handler_->SetProhibitedTechnologies( + prohibited_technologies, network_handler::ErrorCallback()); + shill_property_handler_->SetTechnologyEnabled( + shill::kTypeEthernet, true, network_handler::ErrorCallback()); + message_loop_.RunUntilIdle(); + EXPECT_TRUE( + shill_property_handler_->IsTechnologyEnabled(shill::kTypeEthernet)); +} + } // namespace chromeos |