authorfqj <fqj@chromium.org>2015-11-18 17:51:45 -0800
committerCommit bot <commit-bot@chromium.org>2015-11-19 01:53:06 +0000
commit44cc1ab351e14882f3e0522004eddca120a780e5 (patch)
treeedba3926214502e80a1634c3d6005869e9cc5d93 /chromeos
parent13db1406f0aa142c8b2e777d080b76bc08d49896 (diff)
Handle device ONC AllowOnlyPolicyNetworksToConnect
BUG=208378 Review URL: https://codereview.chromium.org/1461823002 Cr-Commit-Position: refs/heads/master@{#360474}
Diffstat (limited to 'chromeos')
-rw-r--r--chromeos/network/auto_connect_handler.cc6
-rw-r--r--chromeos/network/auto_connect_handler_unittest.cc31
-rw-r--r--chromeos/network/network_connection_handler.cc33
-rw-r--r--chromeos/network/network_connection_handler.h6
-rw-r--r--chromeos/network/network_connection_handler_unittest.cc22
5 files changed, 97 insertions, 1 deletions
diff --git a/chromeos/network/auto_connect_handler.cc b/chromeos/network/auto_connect_handler.cc
index 4665cfe..b444789 100644
--- a/chromeos/network/auto_connect_handler.cc
+++ b/chromeos/network/auto_connect_handler.cc
@@ -214,8 +214,12 @@ void AutoConnectHandler::DisconnectIfPolicyRequires() {
global_network_config->GetBooleanWithoutPathExpansion(
::onc::global_network_config::kAllowOnlyPolicyNetworksToAutoconnect,
&only_policy_autoconnect);
+ bool only_policy_connect = false;
+ global_network_config->GetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
+ &only_policy_connect);
- if (only_policy_autoconnect)
+ if (only_policy_autoconnect || only_policy_connect)
DisconnectFromUnmanagedSharedWiFiNetworks();
}
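Review bot: With `kAllowOnlyPolicyNetworksToConnect` set, the new condition still calls only `DisconnectFromUnmanagedSharedWiFiNetworks()`, which by its name covers shared WiFi networks. An already established connection to an unmanaged network in a user profile, or of another type, would presumably stay up even though new connects to it are refused elsewhere in this commit. If that is intended, a comment before the `if` such as `// Connect-only policy: only shared unmanaged WiFi is torn down here; new connects are rejected in NetworkConnectionHandler.` would make the boundary explicit. The return values of both `GetBooleanWithoutPathExpansion` calls are ignored, which is safe only because both booleans are initialised to false. The function starts above this hunk.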
diff --git a/chromeos/network/auto_connect_handler_unittest.cc b/chromeos/network/auto_connect_handler_unittest.cc
index 0181a74..4f7edb6 100644
--- a/chromeos/network/auto_connect_handler_unittest.cc
+++ b/chromeos/network/auto_connect_handler_unittest.cc
@@ -418,6 +418,37 @@ TEST_F(AutoConnectHandlerTest, DisconnectOnPolicyLoading) {
EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
}
+TEST_F(AutoConnectHandlerTest,
+ DisconnectOnPolicyLoadingAllowOnlyPolicyNetworksToConnect) {
+ EXPECT_TRUE(Configure(kConfigUnmanagedSharedConnected));
+ EXPECT_TRUE(Configure(kConfigManagedSharedConnectable));
+
+ // User login and certificate loading shouldn't trigger any change until the
+ // policy is loaded.
+ LoginToRegularUser();
+ StartCertLoader();
+ EXPECT_EQ(shill::kStateOnline, GetServiceState("wifi0"));
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+
+ base::DictionaryValue global_config;
+ global_config.SetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect, true);
+
+ // Applying the policy which restricts autoconnect should disconnect from the
+ // shared, unmanaged network.
+ // Because no best service is set, the fake implementation of
+ // ConnectToBestServices will be a no-op.
+ SetupPolicy(kPolicy, global_config, false /* load as device policy */);
+
+ // Should not trigger any change until user policy is loaded
+ EXPECT_EQ(shill::kStateOnline, GetServiceState("wifi0"));
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+
+ SetupPolicy(std::string(), base::DictionaryValue(), true);
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi0"));
+ EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+}
+
// After login a reconnect is triggered even if there is no managed network.
TEST_F(AutoConnectHandlerTest, ReconnectAfterLogin) {
EXPECT_TRUE(Configure(kConfigUnmanagedSharedConnected));
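Review bot: The comment above the first `SetupPolicy` call in `DisconnectOnPolicyLoadingAllowOnlyPolicyNetworksToConnect` looks copied from the autoconnect test and still says the policy "restricts autoconnect", although this test sets `kAllowOnlyPolicyNetworksToConnect`. It should read `// Applying the policy which allows connecting only to policy networks should disconnect from the shared, unmanaged network.` The two `SetupPolicy` calls also annotate their last argument differently (`false /* load as device policy */` versus a bare `true`). Writing the second as `true /* load as user policy */` would let the sequence be read without looking up the helper. The trailing context belongs to `ReconnectAfterLogin`, which continues outside the hunk.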
diff --git a/chromeos/network/network_connection_handler.cc b/chromeos/network/network_connection_handler.cc
index e8c4939..47c1f6b 100644
--- a/chromeos/network/network_connection_handler.cc
+++ b/chromeos/network/network_connection_handler.cc
@@ -115,6 +115,8 @@ const char NetworkConnectionHandler::kErrorConnectCanceled[] =
"connect-canceled";
const char NetworkConnectionHandler::kErrorCertLoadTimeout[] =
"cert-load-timeout";
+const char NetworkConnectionHandler::kErrorUnmanagedNetwork[] =
+ "unmanaged-network";
struct NetworkConnectionHandler::ConnectRequest {
ConnectRequest(const std::string& service_path,
@@ -285,6 +287,11 @@ void NetworkConnectionHandler::ConnectToNetwork(
// Connect immediately to 'connectable' networks.
// TODO(stevenjb): Shill needs to properly set Connectable for VPN.
if (network && network->connectable() && network->type() != shill::kTypeVPN) {
+ if (IsNetworkProhibitedByPolicy(network->guid(), network->profile_path())) {
+ ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+ return;
+ }
+
CallShillConnect(service_path);
return;
}
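Review bot: The new block in `ConnectToNetwork` has no comment saying why the policy check has to live in this branch. The branch calls `CallShillConnect` and returns, so connectable networks never reach the second check added in `VerifyConfiguredAndConnect`, and a later refactor could drop one of the two without noticing. A line such as `// Connectable networks connect right away and skip VerifyConfiguredAndConnect, so enforce the policy here as well.` would document that. In the `VerifyConfiguredAndConnect` hunk that follows, the check repeats the `FindPolicyByGuidAndProfile(guid, profile)` lookup whose result is already held in `user_policy` one line above. Both function bodies extend beyond their hunks.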
@@ -416,6 +423,11 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect(
const base::DictionaryValue* user_policy =
managed_configuration_handler_->FindPolicyByGuidAndProfile(guid, profile);
+ if (IsNetworkProhibitedByPolicy(guid, profile)) {
+ ErrorCallbackForPendingRequest(service_path, kErrorUnmanagedNetwork);
+ return;
+ }
+
client_cert::ClientCertConfig cert_config_from_policy;
if (user_policy)
client_cert::OncToClientCertConfig(*user_policy, &cert_config_from_policy);
@@ -523,6 +535,27 @@ void NetworkConnectionHandler::VerifyConfiguredAndConnect(
CallShillConnect(service_path);
}
+bool NetworkConnectionHandler::IsNetworkProhibitedByPolicy(
+ const std::string& guid,
+ const std::string& profile_path) {
+ if (!logged_in_)
+ return false;
+ const base::DictionaryValue* global_network_config =
+ managed_configuration_handler_->GetGlobalConfigFromPolicy(
+ std::string() /* no username hash, device policy */);
+ if (!global_network_config)
+ return false;
+ bool policy_prohibites = false;
+ if (!global_network_config->GetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
+ &policy_prohibites) ||
+ !policy_prohibites) {
+ return false;
+ }
+ return !managed_configuration_handler_->FindPolicyByGuidAndProfile(
+ guid, profile_path);
+}
+
void NetworkConnectionHandler::QueueConnectRequest(
const std::string& service_path) {
ConnectRequest* request = GetPendingRequest(service_path);
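Review bot: `IsNetworkProhibitedByPolicy` returns false, which allows the connect, both when `logged_in_` is false and when `GetGlobalConfigFromPolicy` returns null. A device-level `AllowOnlyPolicyNetworksToConnect` is therefore not enforced at the login screen or before the device policy is available. That may be deliberate (the device has to get online for sign-in), but it is a fail-open decision in a security control and should be stated at the top of the function, e.g. `// Not enforced before login or before device policy is loaded; see <reason>.` with the actual reason filled in. The local `policy_prohibites` is misspelled and should be `policy_prohibits`. The trailing context belongs to `QueueConnectRequest`, whose body continues outside the hunk.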
diff --git a/chromeos/network/network_connection_handler.h b/chromeos/network/network_connection_handler.h
index 8b4e93f..c36bb0f 100644
--- a/chromeos/network/network_connection_handler.h
+++ b/chromeos/network/network_connection_handler.h
@@ -96,6 +96,9 @@ class CHROMEOS_EXPORT NetworkConnectionHandler
// Certificate load timed out.
static const char kErrorCertLoadTimeout[];
+ // Trying to configure an unmanged network but policy prohibits that
+ static const char kErrorUnmanagedNetwork[];
+
~NetworkConnectionHandler() override;
void AddObserver(NetworkConnectionObserver* observer);
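Review bot: The comment on `kErrorUnmanagedNetwork` has a typo ("unmanged") and says "configure", while in this commit the error is only returned from the connect paths (`ConnectToNetwork` and `VerifyConfiguredAndConnect`). Suggested wording: `// Trying to connect to an unmanaged network, but policy prohibits that.`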
@@ -167,6 +170,9 @@ class CHROMEOS_EXPORT NetworkConnectionHandler
const std::string& service_path,
const base::DictionaryValue& properties);
+ bool IsNetworkProhibitedByPolicy(const std::string& guid,
+ const std::string& profile_path);
+
// Queues a connect request until certificates have loaded.
void QueueConnectRequest(const std::string& service_path);
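Review bot: `IsNetworkProhibitedByPolicy` is declared without a comment, although the declarations around it carry one, and its contract is not obvious from the name. The comment should say which policy it evaluates and when it answers false, for example `// Returns true if device policy sets AllowOnlyPolicyNetworksToConnect and no policy exists for |guid| in |profile_path|. Always false before login.` Judging from the definition in this commit it only reads members, so it could probably be declared `const`.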
diff --git a/chromeos/network/network_connection_handler_unittest.cc b/chromeos/network/network_connection_handler_unittest.cc
index 1ae00af..0c613be 100644
--- a/chromeos/network/network_connection_handler_unittest.cc
+++ b/chromeos/network/network_connection_handler_unittest.cc
@@ -333,6 +333,11 @@ const char* kConfigRequiresPassphrase =
"{ \"GUID\": \"wifi3\", \"Type\": \"wifi\", "
" \"PassphraseRequired\": true }";
+const char* kPolicyWifi0 =
+ "[{ \"GUID\": \"wifi0\", \"IPAddressConfigType\": \"DHCP\", "
+ " \"Type\": \"WiFi\", \"Name\": \"My WiFi Network\","
+ " \"WiFi\": { \"SSID\": \"wifi0\"}}]";
+
} // namespace
TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectSuccess) {
@@ -346,6 +351,23 @@ TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectSuccess) {
EXPECT_EQ(kSuccessResult, network_connection_observer_->GetResult(kWifi0));
}
+TEST_F(NetworkConnectionHandlerTest,
+ NetworkConnectionHandlerConnectProhibited) {
+ EXPECT_TRUE(Configure(kConfigConnectable));
+ base::DictionaryValue global_config;
+ global_config.SetBooleanWithoutPathExpansion(
+ ::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect, true);
+ SetupPolicy("[]", global_config, false /* load as device policy */);
+ LoginToRegularUser();
+ Connect(kWifi0);
+ EXPECT_EQ(NetworkConnectionHandler::kErrorUnmanagedNetwork,
+ GetResultAndReset());
+
+ SetupPolicy(kPolicyWifi0, global_config, false /* load as device policy */);
+ Connect(kWifi0);
+ EXPECT_EQ(kSuccessResult, GetResultAndReset());
+}
+
// Handles basic failure cases.
TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectFailure) {
Connect(kNoNetwork);
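Review bot: `NetworkConnectionHandlerConnectProhibited` only exercises the state after `LoginToRegularUser()`. The branches of `IsNetworkProhibitedByPolicy` that return false (not logged in, or no device global config) have no test, so a later change to pre-login enforcement would go unnoticed. A separate test that sets the policy, calls `Connect(kWifi0)` without `LoginToRegularUser()` and expects `kSuccessResult` would pin the current behaviour. `kConfigConnectable` presumably sends the request through the connectable branch of `ConnectToNetwork`, so the check added to `VerifyConfiguredAndConnect` looks untested as well. The last context lines belong to `NetworkConnectionHandlerConnectFailure`, which continues outside the hunk.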