author | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-09-07 15:02:41 +0000 |
committer | joaodasilva@chromium.org <joaodasilva@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-09-07 15:02:41 +0000 |
commit | bfeb6ce8dd3bbccdb048939158c13320cefc35e6 (patch) | |
tree | 564fb1d5639344c6694db0451b5400a49b6a26ce /chrome/browser/policy | |
parent | ab754fed310c4b16a375368f16dd3b14a38ae997 (diff) | |
Only import certificates with Web trust from ONC if the user is managed and matches the enterprise domain of the device.
BUG=chromium-os:33879
Review URL: https://chromiumcodereview.appspot.com/10868076
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@155390 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/policy')
5 files changed, 65 insertions, 10 deletions
diff --git a/chrome/browser/policy/browser_policy_connector.cc b/chrome/browser/policy/browser_policy_connector.cc
index c748796..463c1f4 100644
--- a/chrome/browser/policy/browser_policy_connector.cc
+++ b/chrome/browser/policy/browser_policy_connector.cc
@@ -56,6 +56,7 @@
 #include "chrome/browser/policy/app_pack_updater.h"
 #include "chrome/browser/policy/cros_user_policy_cache.h"
 #include "chrome/browser/policy/device_policy_cache.h"
+#include "chrome/browser/policy/network_configuration_updater.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #endif
 
@@ -178,10 +179,10 @@ scoped_ptr<UserCloudPolicyManager>
 // TODO(mnissler): Revisit once Chrome OS gains multi-profiles support.
 // Don't wait for a policy fetch if there's no logged in user.
 if (chromeos::UserManager::Get()->IsUserLoggedIn()) {
+ std::string email =
+ chromeos::UserManager::Get()->GetLoggedInUser().email();
 wait_for_policy_fetch =
- g_browser_process->browser_policy_connector()->GetUserAffiliation(
- chromeos::UserManager::Get()->GetLoggedInUser().email()) ==
- policy::USER_AFFILIATION_MANAGED;
+ GetUserAffiliation(email) == USER_AFFILIATION_MANAGED;
 }
 #else
 // On desktop, there's no way to figure out if a user is logged in yet
@@ -346,6 +347,14 @@ void BrowserPolicyConnector::ScheduleServiceInitialization(
 void BrowserPolicyConnector::InitializeUserPolicy(
 const std::string& user_name,
 bool wait_for_policy_fetch) {
+#if defined(OS_CHROMEOS)
+ // If the user is managed then importing certificates from ONC policy is
+ // allowed, otherwise it's not. Update this flag once the user has signed in,
+ // and before user policy is loaded.
+ GetNetworkConfigurationUpdater()->set_allow_web_trust(
+ GetUserAffiliation(user_name) == USER_AFFILIATION_MANAGED);
+#endif
+
 // Throw away the old backend.
 user_cloud_policy_subsystem_.reset();
 user_policy_token_cache_.reset();
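Review bot: The `set_allow_web_trust(...)` call added to `InitializeUserPolicy` only affects ONC loads that happen after it; `ApplyNetworkConfiguration` (network_configuration_updater.cc, outside this hunk) appears to skip the reload when the cached ONC blob is unchanged (the unittest "No update if the set the same value again" pins that), so certificates the updater had already imported without Web trust before sign-in would not be re-imported with it. The updater is created lazily by `GetNetworkConfigurationUpdater()` and no other caller is visible in this diff, so this is an ordering assumption rather than a bug today, but it is worth recording next to the flag: `// Must run before the updater applies any ONC: the flag is not applied retroactively to certificates already imported.`. The body of `InitializeUserPolicy` continues past the end of the hunk.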
@@ -485,6 +494,20 @@ AppPackUpdater* BrowserPolicyConnector::GetAppPackUpdater() {
 #endif
 }
 
+NetworkConfigurationUpdater*
+ BrowserPolicyConnector::GetNetworkConfigurationUpdater() {
+#if defined(OS_CHROMEOS)
+ if (!network_configuration_updater_.get()) {
+ network_configuration_updater_.reset(new NetworkConfigurationUpdater(
+ g_browser_process->policy_service(),
+ chromeos::CrosLibrary::Get()->GetNetworkLibrary()));
+ }
+ return network_configuration_updater_.get();
+#else
+ return NULL;
+#endif
+}
+
 // static
 void BrowserPolicyConnector::SetPolicyProviderForTesting(
 ConfigurationPolicyProvider* provider) {
diff --git a/chrome/browser/policy/browser_policy_connector.h b/chrome/browser/policy/browser_policy_connector.h
index fc38904..17b3450 100644
--- a/chrome/browser/policy/browser_policy_connector.h
+++ b/chrome/browser/policy/browser_policy_connector.h
@@ -28,6 +28,7 @@ class CloudPolicyProvider;
 class CloudPolicySubsystem;
 class ConfigurationPolicyProvider;
 class DeviceManagementService;
+class NetworkConfigurationUpdater;
 class PolicyService;
 class UserCloudPolicyManager;
 class UserPolicyTokenCache;
@@ -145,6 +146,8 @@ class BrowserPolicyConnector : public content::NotificationObserver {
 AppPackUpdater* GetAppPackUpdater();
 
+ NetworkConfigurationUpdater* GetNetworkConfigurationUpdater();
+
 DeviceManagementService* device_management_service() {
 return device_management_service_.get();
 }
 
@@ -220,6 +223,7 @@ class BrowserPolicyConnector : public content::NotificationObserver {
 
 #if defined(OS_CHROMEOS)
 scoped_ptr<AppPackUpdater> app_pack_updater_;
+ scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
 #endif
 
 DISALLOW_COPY_AND_ASSIGN(BrowserPolicyConnector);
diff --git a/chrome/browser/policy/network_configuration_updater.cc b/chrome/browser/policy/network_configuration_updater.cc
index dcc2ead..68439a3 100644
--- a/chrome/browser/policy/network_configuration_updater.cc
+++ b/chrome/browser/policy/network_configuration_updater.cc
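Review bot: The new `GetNetworkConfigurationUpdater()` declaration in browser_policy_connector.h (the `@@ -145,6 +146,8 @@` hunk on this same line) carries no comment, and the implementation here returns `NULL` on non-Chrome OS builds, which a caller outside an `#if defined(OS_CHROMEOS)` block would dereference. Suggest documenting it at the declaration: `// Returns the updater that pushes ONC network policy to the network library, creating it on first use. Returns NULL on platforms other than Chrome OS.`. The lazy construction also reads `g_browser_process->policy_service()` and `chromeos::CrosLibrary::Get()`, so the first call has to come after both exist; saying so in the same comment would help future callers.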
@@ -22,7 +22,8 @@ NetworkConfigurationUpdater::NetworkConfigurationUpdater(
 chromeos::NetworkLibrary* network_library)
 : policy_change_registrar_(
 policy_service, POLICY_DOMAIN_CHROME, std::string()),
- network_library_(network_library) {
+ network_library_(network_library),
+ allow_web_trust_(false) {
 DCHECK(network_library_);
 policy_change_registrar_.Observe(
 key::kDeviceOpenNetworkConfiguration,
@@ -77,7 +78,7 @@ void NetworkConfigurationUpdater::ApplyNetworkConfiguration(
 *cached_value = new_network_config;
 std::string error;
 if (!network_library_->LoadOncNetworks(new_network_config, "", onc_source,
- &error)) {
+ allow_web_trust_, &error)) {
 LOG(WARNING) << "Network library failed to load ONC configuration:"
 << error;
 }
diff --git a/chrome/browser/policy/network_configuration_updater.h b/chrome/browser/policy/network_configuration_updater.h
index 325d10f..b83818f 100644
--- a/chrome/browser/policy/network_configuration_updater.h
+++ b/chrome/browser/policy/network_configuration_updater.h
@@ -30,6 +30,11 @@ class NetworkConfigurationUpdater {
 chromeos::NetworkLibrary* network_library);
 virtual ~NetworkConfigurationUpdater();
 
+ // Web trust isn't given to certificates imported from ONC by default.
+ // Setting |allow_web_trust| to true allows giving Web trust to the
+ // certificates that request it.
+ void set_allow_web_trust(bool allow) { allow_web_trust_ = allow; }
+
 // Empty network configuration blob.
 static const char kEmptyConfiguration[];
 
@@ -48,6 +53,9 @@ class NetworkConfigurationUpdater {
 // Network library to write network configuration to.
 chromeos::NetworkLibrary* network_library_;
 
+ // Whether Web trust is allowed or not.
+ bool allow_web_trust_;
+
 // Current settings.
 std::string device_network_config_;
 std::string user_network_config_;
diff --git a/chrome/browser/policy/network_configuration_updater_unittest.cc b/chrome/browser/policy/network_configuration_updater_unittest.cc
index a61a1c2..51ae40f9 100644
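Review bot: `allow_web_trust_` is passed to `LoadOncNetworks` for every `onc_source` in `ApplyNetworkConfiguration`, so once it is set it governs device-policy ONC as well as user-policy ONC, and the member comment added in network_configuration_updater.h (`// Whether Web trust is allowed or not.`, the `@@ -48,6 +53,9 @@` hunk on this same line) does not say so. Suggest `// Whether certificates imported from ONC (device or user policy) may be given Web trust. Defaults to false; BrowserPolicyConnector sets it once the signed-in user's affiliation is known.`. Initializing it to `false` in the constructor is the right choice, since it keeps the restrictive default until the connector decides otherwise.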
--- a/chrome/browser/policy/network_configuration_updater_unittest.cc
+++ b/chrome/browser/policy/network_configuration_updater_unittest.cc
@@ -25,7 +25,7 @@ class NetworkConfigurationUpdaterTest
 : public testing::TestWithParam<const char*> {
 protected:
 virtual void SetUp() OVERRIDE {
- EXPECT_CALL(network_library_, LoadOncNetworks(_, "", _, _))
+ EXPECT_CALL(network_library_, LoadOncNetworks(_, "", _, _, _))
 .WillRepeatedly(Return(true));
 EXPECT_CALL(provider_, IsInitializationComplete())
 .WillRepeatedly(Return(true));
@@ -56,19 +56,37 @@ TEST_P(NetworkConfigurationUpdaterTest, InitialUpdate) {
 provider_.UpdateChromePolicy(policy);
 
 EXPECT_CALL(network_library_,
- LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()), _))
+ LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()),
+ false, _))
 .WillOnce(Return(true));
 
 NetworkConfigurationUpdater updater(policy_service_.get(), &network_library_);
 Mock::VerifyAndClearExpectations(&network_library_);
 }
 
+TEST_P(NetworkConfigurationUpdaterTest, AllowWebTrust) {
+ NetworkConfigurationUpdater updater(policy_service_.get(), &network_library_);
+ updater.set_allow_web_trust(true);
+
+ EXPECT_CALL(network_library_,
+ LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()),
+ true, _))
+ .WillOnce(Return(true));
+
+ PolicyMap policy;
+ policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
+ Value::CreateStringValue(kFakeONC));
+ provider_.UpdateChromePolicy(policy);
+ Mock::VerifyAndClearExpectations(&network_library_);
+}
+
 TEST_P(NetworkConfigurationUpdaterTest, PolicyChange) {
 NetworkConfigurationUpdater updater(policy_service_.get(), &network_library_);
 
 // We should update if policy changes.
 EXPECT_CALL(network_library_,
- LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()), _))
+ LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()),
+ false, _))
 .WillOnce(Return(true));
 PolicyMap policy;
 policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
@@ -78,7 +96,8 @@ TEST_P(NetworkConfigurationUpdaterTest, PolicyChange) {
 
 // No update if the set the same value again.
 EXPECT_CALL(network_library_,
- LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()), _))
+ LoadOncNetworks(kFakeONC, "", NameToONCSource(GetParam()),
+ false, _))
 .Times(0);
 provider_.UpdateChromePolicy(policy);
 Mock::VerifyAndClearExpectations(&network_library_);
@@ -86,7 +105,7 @@ TEST_P(NetworkConfigurationUpdaterTest, PolicyChange) {
 // Another update is expected if the policy goes away.
 EXPECT_CALL(network_library_,
 LoadOncNetworks(NetworkConfigurationUpdater::kEmptyConfiguration,
- "", NameToONCSource(GetParam()), _))
+ "", NameToONCSource(GetParam()), false, _))
 .WillOnce(Return(true));
 policy.Erase(GetParam());
 provider_.UpdateChromePolicy(policy);
|