author | fqj <fqj@chromium.org> | 2015-11-18 17:51:45 -0800 |
---|---|---|
committer | Commit bot <commit-bot@chromium.org> | 2015-11-19 01:53:06 +0000 |
commit | 44cc1ab351e14882f3e0522004eddca120a780e5 (patch) | |
tree | edba3926214502e80a1634c3d6005869e9cc5d93 /chromeos | |
parent | 13db1406f0aa142c8b2e777d080b76bc08d49896 (diff) | |
Handle device ONC AllowOnlyPolicyNetworksToConnect
BUG=208378
Review URL: https://codereview.chromium.org/1461823002
Cr-Commit-Position: refs/heads/master@{#360474}
Diffstat (limited to 'chromeos')
-rw-r--r-- | chromeos/network/auto_connect_handler.cc | 6 | ||||
-rw-r--r-- | chromeos/network/auto_connect_handler_unittest.cc | 31 | ||||
-rw-r--r-- | chromeos/network/network_connection_handler.cc | 33 | ||||
-rw-r--r-- | chromeos/network/network_connection_handler.h | 6 | ||||
-rw-r--r-- | chromeos/network/network_connection_handler_unittest.cc | 22 |
5 files changed, 97 insertions, 1 deletions
diff --git a/chromeos/network/auto_connect_handler.cc b/chromeos/network/auto_connect_handler.cc
index 4665cfe..b444789 100644
--- a/chromeos/network/auto_connect_handler.cc
+++ b/chromeos/network/auto_connect_handler.cc
@@ -214,8 +214,12 @@ void AutoConnectHandler::DisconnectIfPolicyRequires() {
 global_network_config->GetBooleanWithoutPathExpansion(
 ::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
 &only_policy_autoconnect);
+ bool only_policy_connect = false;
+ global_network_config->GetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
+ &only_policy_connect);
- if (only_policy_autoconnect)
+ if (only_policy_autoconnect || only_policy_connect)
 DisconnectFromUnmanagedSharedWiFiNetworks();
 }
diff --git a/chromeos/network/auto_connect_handler_unittest.cc b/chromeos/network/auto_connect_handler_unittest.cc
index 0181a74..4f7edb6 100644
--- a/chromeos/network/auto_connect_handler_unittest.cc
+++ b/chromeos/network/auto_connect_handler_unittest.cc
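Review bot: Enforcement for connections that are already up looks narrower than the new policy: when `only_policy_connect` is set, the only action taken is `DisconnectFromUnmanagedSharedWiFiNetworks()`, which by its name covers shared WiFi services only (its body is not in this hunk). An unmanaged network that is already connected through another profile or technology would presumably stay connected even though new connections to it are now refused. Either extend the disconnect for the connect policy or record the limit next to the call, e.g. `// AllowOnlyPolicyNetworksToConnect: only shared WiFi is dropped here; other unmanaged services stay connected.` DisconnectIfPolicyRequires begins above the hunk.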
@@ -418,6 +418,37 @@ TEST_F(AutoConnectHandlerTest, DisconnectOnPolicyLoading) {
 EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
 }
+TEST_F(AutoConnectHandlerTest,
+ DisconnectOnPolicyLoadingAllowOnlyPolicyNetworksToConnect) {
+ EXPECT_TRUE(Configure(kConfigUnmanagedSharedConnected));
+ EXPECT_TRUE(Configure(kConfigManagedSharedConnectable));
+
+ // User login and certificate loading shouldn't trigger any change until the
+ // policy is loaded.
+ LoginToRegularUser();
+ StartCertLoader();
+ EXPECT_EQ(shill::kStateOnline, GetServiceState("wifi0"));
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+
+ base::DictionaryValue global_config;
+ global_config.SetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect, true);
+
+ // Applying the policy which restricts autoconnect should disconnect from the
+ // shared, unmanaged network.
+ // Because no best service is set, the fake implementation of
+ // ConnectToBestServices will be a no-op.
+ SetupPolicy(kPolicy, global_config, false /* load as device policy */);
+
+ // Should not trigger any change until user policy is loaded
+ EXPECT_EQ(shill::kStateOnline, GetServiceState("wifi0"));
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+
+ SetupPolicy(std::string(), base::DictionaryValue(), true);
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi0"));
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+}
+
 // After login a reconnect is triggered even if there is no managed network.
 TEST_F(AutoConnectHandlerTest, ReconnectAfterLogin) {
 EXPECT_TRUE(Configure(kConfigUnmanagedSharedConnected));
diff --git a/chromeos/network/network_connection_handler.cc b/chromeos/network/network_connection_handler.cc
index e8c4939..47c1f6b 100644
--- a/chromeos/network/network_connection_handler.cc
+++ b/chromeos/network/network_connection_handler.cc
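Review bot: The comment `// Applying the policy which restricts autoconnect should disconnect from the` was carried over from the autoconnect test, but this test sets `kAllowOnlyPolicyNetworksToConnect`; it should read `// Applying the policy which restricts connecting should disconnect from the`. The final `SetupPolicy(std::string(), base::DictionaryValue(), true);` also drops the argument annotation used on the earlier call; presumably `true /* load as user policy */` is what is meant, which would make the "until user policy is loaded" step explicit.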
@@ -115,6 +115,8 @@ const char NetworkConnectionHandler::kErrorConnectCanceled[] =
 "connect-canceled";
 const char NetworkConnectionHandler::kErrorCertLoadTimeout[] =
 "cert-load-timeout";
+const char NetworkConnectionHandler::kErrorUnmanagedNetwork[] =
+ "unmanaged-network";
 struct NetworkConnectionHandler::ConnectRequest {
 ConnectRequest(const std::string& service_path,
@@ -285,6 +287,11 @@ void NetworkConnectionHandler::ConnectToNetwork(
 // Connect immediately to 'connectable' networks.
 // TODO(stevenjb): Shill needs to properly set Connectable for VPN.
 if (network && network->connectable() && network->type() != shill::kTypeVPN) {
+ if (IsNetworkProhibitedByPolicy(network->guid(), network->profile_path())) {
+ ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+ return;
+ }
+
 CallShillConnect(service_path);
 return;
 }
@@ -416,6 +423,11 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect(
 const base::DictionaryValue* user_policy =
 managed_configuration_handler_->FindPolicyByGuidAndProfile(guid, profile);
+ if (IsNetworkProhibitedByPolicy(guid, profile)) {
+ ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+ return;
+ }
+
 client_cert::ClientCertConfig cert_config_from_policy;
 if (user_policy)
 client_cert::OncToClientCertConfig(*user_policy, &cert_config_from_policy);
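Review bot: The policy gate is repeated at two call sites (the connectable fast path in ConnectToNetwork and VerifyConfiguredAndConnect) instead of sitting at the single point where the connect is issued, so any other route to `CallShillConnect(service_path)` outside these hunks would skip it. Moving the check next to that call, or adding a comment stating that these are the only two routes, would make the enforcement auditable. In VerifyConfiguredAndConnect the helper also repeats the `FindPolicyByGuidAndProfile(guid, profile)` lookup whose result is already held in `user_policy` just above. Both functions begin and end outside the hunks.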
@@ -523,6 +535,27 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect(
 CallShillConnect(service_path);
 }
+bool NetworkConnectionHandler::IsNetworkProhibitedByPolicy(
+ const std::string& guid,
+ const std::string& profile_path) {
+ if (!logged_in_)
+ return false;
+ const base::DictionaryValue* global_network_config =
+ managed_configuration_handler_->GetGlobalConfigFromPolicy(
+ std::string() /* no username hash, device policy */);
+ if (!global_network_config)
+ return false;
+ bool policy_prohibites = false;
+ if (!global_network_config->GetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
+ &policy_prohibites) ||
+ !policy_prohibites) {
+ return false;
+ }
+ return !managed_configuration_handler_->FindPolicyByGuidAndProfile(
+ guid, profile_path);
+}
+
 void NetworkConnectionHandler::QueueConnectRequest(
 const std::string& service_path) {
 ConnectRequest* request = GetPendingRequest(service_path);
diff --git a/chromeos/network/network_connection_handler.h b/chromeos/network/network_connection_handler.h
index 8b4e93f..c36bb0f 100644
--- a/chromeos/network/network_connection_handler.h
+++ b/chromeos/network/network_connection_handler.h
@@ -96,6 +96,9 @@ class CHROMEOS_EXPORT NetworkConnectionHandler
 // Certificate load timed out.
 static const char kErrorCertLoadTimeout[];
+ // Trying to configure an unmanged network but policy prohibits that
+ static const char kErrorUnmanagedNetwork[];
+
 ~NetworkConnectionHandler() override;
 void AddObserver(NetworkConnectionObserver* observer);
@@ -167,6 +170,9 @@ class CHROMEOS_EXPORT NetworkConnectionHandler
 const std::string& service_path, const base::DictionaryValue& properties);
+ bool IsNetworkProhibitedByPolicy(const std::string& guid,
+ const std::string& profile_path);
+
 // Queues a connect request until certificates have loaded.
 void QueueConnectRequest(const std::string& service_path);
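Review bot: IsNetworkProhibitedByPolicy fails open in two places without saying why: `if (!logged_in_) return false;` and `if (!global_network_config) return false;` both report "not prohibited", so the device-level restriction is not applied before sign-in or while the device policy is not yet available. If that is deliberate (for instance because user-policy networks are unknown until login), state it above the first check with a comment such as `// Not enforced before login: <reason>.`; if it is not, these paths should deny instead. The local `policy_prohibites` is misspelled and would read better as `policy_prohibits`.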
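Review bot: The new declaration `IsNetworkProhibitedByPolicy` in the second header hunk has no comment, unlike the neighbouring `QueueConnectRequest`; add one such as `// Returns true if device policy allows only policy networks and no policy exists for |guid| in |profile_path|.` In the first header hunk the constant's comment has a typo and speaks of configuring, while the .cc hunks return the error from the connect paths; `// Trying to connect to an unmanaged network but policy prohibits that.` would match the usage.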
diff --git a/chromeos/network/network_connection_handler_unittest.cc b/chromeos/network/network_connection_handler_unittest.cc
index 1ae00af..0c613be 100644
--- a/chromeos/network/network_connection_handler_unittest.cc
+++ b/chromeos/network/network_connection_handler_unittest.cc
@@ -333,6 +333,11 @@ const char* kConfigRequiresPassphrase =
 "{ \"GUID\": \"wifi3\", \"Type\": \"wifi\", " " \"PassphraseRequired\": true }";
+const char* kPolicyWifi0 =
+ "[{ \"GUID\": \"wifi0\", \"IPAddressConfigType\": \"DHCP\", "
+ " \"Type\": \"WiFi\", \"Name\": \"My WiFi Network\","
+ " \"WiFi\": { \"SSID\": \"wifi0\"}}]";
+
 } // namespace
 TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectSuccess) {
@@ -346,6 +351,23 @@ TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectSuccess) {
 EXPECT_EQ(kSuccessResult, network_connection_observer_->GetResult(kWifi0));
 }
+TEST_F(NetworkConnectionHandlerTest,
+ NetworkConnectionHandlerConnectProhibited) {
+ EXPECT_TRUE(Configure(kConfigConnectable));
+ base::DictionaryValue global_config;
+ global_config.SetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect, true);
+ SetupPolicy("[]", global_config, false /* load as device policy */);
+ LoginToRegularUser();
+ Connect(kWifi0);
+ EXPECT_EQ(NetworkConnectionHandler::kErrorUnmanagedNetwork,
+ GetResultAndReset());
+
+ SetupPolicy(kPolicyWifi0, global_config, false /* load as device policy */);
+ Connect(kWifi0);
+ EXPECT_EQ(kSuccessResult, GetResultAndReset());
+}
+
 // Handles basic failure cases.
 TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectFailure) {
 Connect(kNoNetwork); |
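Review bot: NetworkConnectionHandlerConnectProhibited exercises only the logged-in case with `kConfigConnectable`, which appears to take the connectable fast path; the `!logged_in_` early return in IsNetworkProhibitedByPolicy and the second gate in VerifyConfiguredAndConnect are not covered, so a regression in either would still pass. A case that calls `Connect(kWifi0)` before `LoginToRegularUser()` would pin the pre-login behaviour whichever way it is meant to go, and one with a non-connectable configuration would reach the second gate.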