authorpneubeck <pneubeck@chromium.org>2014-10-07 02:17:39 -0700
committerCommit bot <commit-bot@chromium.org>2014-10-07 09:17:55 +0000
commit5a85abfe99e683da34ba16115f063241fdae2acb (patch)
tree882659078feefae631eca6dc187b82450081a6ee /components/onc
parentfb66cb4f9b6e380fa4b52301dee993b0b7b3b994 (diff)
Add OpenVPN OTP and UserAuthenticationType fields to ONC.
Reland of https://codereview.chromium.org/560863002/ which the CQ failed to commit correctly. This does not adapt the UI to respect the policy's UserAuthenticationType, yet. BUG=347916 TBR=stevenjb@chromium.org TEST=Ensured that a previously working policy pushed OpenVPN network still works. Review URL: https://codereview.chromium.org/632223002 Cr-Commit-Position: refs/heads/master@{#298431}
Diffstat (limited to 'components/onc')
-rw-r--r--components/onc/docs/onc_spec.html72
-rw-r--r--components/onc/onc_constants.cc10
-rw-r--r--components/onc/onc_constants.h10
3 files changed, 90 insertions, 2 deletions
diff --git a/components/onc/docs/onc_spec.html b/components/onc/docs/onc_spec.html
index 6a42ae0..f4e70c8 100644
--- a/components/onc/docs/onc_spec.html
+++ b/components/onc/docs/onc_spec.html
@@ -1231,13 +1231,40 @@
to <span class="value">server</span> if set.
</dd>
+ <dt class="field">OTP</dt>
+ <dd>
+ <span class="field_meta">
+ (optional if <span class="field">UserAuthenticationType</span> is
+ <span class="value">OTP</span>,
+ <span class="value">PasswordAndOTP</span> or unset, otherwise ignored,
+ defaults to empty string)
+ <span class="type">string</span>
+ </span>
+ If <span class="field">UserAuthenticationType</span> is
+ <span class="value">OTP</span> or <span class="value">PasswordAndOTP</span>
+ and this field is not set, the user will be asked for an OTP.
+ The OTP is never persisted and must be provided on every connection
+ attempt.
+ </dd>
+
<dt class="field">Password</dt>
<dd>
<span class="field_meta">
- (optional)
+ (optional if <span class="field">UserAuthenticationType</span> is
+ <span class="value">Password</span>,
+ <span class="value">PasswordAndOTP</span> or unset, otherwise ignored,
+ defaults to empty string)
<span class="type">string</span>
</span>
- XAUTH password. If not specified, user is prompted at time of connection.
+ If <span class="field">UserAuthenticationType</span> is
+ <span class="value">Password</span> or
+ <span class="value">PasswordAndOTP</span> and this field is not set, the user
+ will be asked for a password.
+ If <span class="field">SaveCredentials</span> is
+ <span class="value">true</span>, the password is persisted for future
+ connection attempts. Otherwise it is not persisted but might still be
+ reused for consecutive connection attempts (opposed to an OTP, which will
+ never be reused).
</dd>
<dt class="field">Port</dt>
@@ -1396,6 +1423,47 @@
name equal to this string.
</dd>
+ <dt class="field">UserAuthenticationType</dt>
+ <dd>
+ <span class="field_meta">
+ (optional, defaults to <span class="value">None</span>)
+ <span class="type">string</span>
+ </span>
+ <span class="rule">
+ <span class="rule_id"></span>
+ Allowed values are <span class="value">None</span>,
+ <span class="value">Password</span>,
+ <span class="value">PasswordAndOTP</span> and
+ <span class="value">OTP</span>.
+ </span>
+ Determines the required form of user authentication:
+ <ul><li>
+ <span class="value">PasswordAndOTP</span>: This VPN requires a password
+ and an OTP (possibly empty). Both will be send to the server in the
+ 'password' response using the SCRv1 encoding.
+ </li><li>
+ <span class="value">Password</span>: This VPN requires only a password,
+ which will be send without modification to the server in the 'password'
+ response (no CRv1 or SCRv1 encoding).
+ </li><li>
+ <span class="value">OTP</span>: This VPN requires only an OTP, which
+ will be send without modification to the server in the 'password'
+ response (no CRv1 or SCRv1 encoding).
+ </li><li>
+ <span class="value">None</span>: Neither password nor OTP are required.
+ No password request from the server is expected.
+ </li></ul>
+ If not set, the user can provide a password and an OTP (both not
+ mandatory) and the network manager will send both in the SCRv1 encoding,
+ when the server sends a static-challenge. If the server does not send a
+ static-challenge, the client will reply with only the password (without
+ any encoding). This behavior is deprecated and new configurations should
+ explicitly set one of the above values.
+
+ See the fields <span class="field">Password</span> and
+ <span class="field">OTP</span> for configuring the password and OTP.
+ </dd>
+
<dt class="field">Username</dt>
<dd>
<span class="field_meta">
diff --git a/components/onc/onc_constants.cc b/components/onc/onc_constants.cc
index f8798a3..06342dfa 100644
--- a/components/onc/onc_constants.cc
+++ b/components/onc/onc_constants.cc
@@ -310,6 +310,8 @@ const char kKeyDirection[] = "KeyDirection";
const char kNoInteract[] = "nointeract";
const char kNone[] = "none";
const char kNsCertType[] = "NsCertType";
+const char kOTP[] = "OTP";
+const char kPassword[] = "Password";
const char kPort[] = "Port";
const char kProto[] = "Proto";
const char kPushPeerInfo[] = "PushPeerInfo";
@@ -328,11 +330,19 @@ const char kShaper[] = "Shaper";
const char kStaticChallenge[] = "StaticChallenge";
const char kTLSAuthContents[] = "TLSAuthContents";
const char kTLSRemote[] = "TLSRemote";
+const char kUserAuthenticationType[] = "UserAuthenticationType";
const char kVerb[] = "Verb";
const char kVerifyHash[] = "VerifyHash";
const char kVerifyX509[] = "VerifyX509";
} // namespace openvpn
+namespace openvpn_user_auth_type {
+const char kNone[] = "None";
+const char kOTP[] = "OTP";
+const char kPassword[] = "Password";
+const char kPasswordAndOTP[] = "PasswordAndOTP";
+} // openvpn_user_auth_type
+
namespace verify_x509 {
const char kName[] = "Name";
const char kType[] = "Type";
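Review bot: `openvpn_user_auth_type::kNone` is `"None"` while the existing `openvpn::kNone` earlier in this file is `"none"`, and nothing in the new namespace says which key these values belong to, so a `kNone` taken from the wrong namespace would compile and, if the comparison is case-sensitive, never match. I would add a comment above the namespace such as `// Allowed values of openvpn::kUserAuthenticationType; kNone here is "None", not openvpn::kNone ("none").` The spec text in this same commit states a default of None but also describes a separate, deprecated behaviour when the field is unset, so the comment should also say whether a missing key is to be treated as `kNone`. As a style point, the closing line should read `}  // namespace openvpn_user_auth_type` to match `} // namespace openvpn`. Both points apply equally to the matching hunk in onc_constants.h.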
diff --git a/components/onc/onc_constants.h b/components/onc/onc_constants.h
index d96e190..5e197e0 100644
--- a/components/onc/onc_constants.h
+++ b/components/onc/onc_constants.h
@@ -328,6 +328,8 @@ ONC_EXPORT extern const char kKeyDirection[];
ONC_EXPORT extern const char kNoInteract[];
ONC_EXPORT extern const char kNone[];
ONC_EXPORT extern const char kNsCertType[];
+ONC_EXPORT extern const char kOTP[];
+ONC_EXPORT extern const char kPassword[];
ONC_EXPORT extern const char kPort[];
ONC_EXPORT extern const char kProto[];
ONC_EXPORT extern const char kPushPeerInfo[];
@@ -346,11 +348,19 @@ ONC_EXPORT extern const char kShaper[];
ONC_EXPORT extern const char kStaticChallenge[];
ONC_EXPORT extern const char kTLSAuthContents[];
ONC_EXPORT extern const char kTLSRemote[];
+ONC_EXPORT extern const char kUserAuthenticationType[];
ONC_EXPORT extern const char kVerb[];
ONC_EXPORT extern const char kVerifyHash[];
ONC_EXPORT extern const char kVerifyX509[];
} // namespace openvpn
+namespace openvpn_user_auth_type {
+ONC_EXPORT extern const char kNone[];
+ONC_EXPORT extern const char kOTP[];
+ONC_EXPORT extern const char kPassword[];
+ONC_EXPORT extern const char kPasswordAndOTP[];
+} // openvpn_user_auth_type
+
namespace verify_x509 {
ONC_EXPORT extern const char kName[];
ONC_EXPORT extern const char kType[];