-rw-r--r-- | chromeos/network/onc/onc_validator.cc | 6 | ||||
-rw-r--r-- | chromeos/network/onc/onc_validator_unittest.cc | 91 | ||||
-rw-r--r-- | chromeos/test/data/network/invalid_settings_with_repairs.json | 12 | ||||
-rw-r--r-- | components/onc/docs/onc_spec.html | 2 |
4 files changed, 68 insertions, 43 deletions
diff --git a/chromeos/network/onc/onc_validator.cc b/chromeos/network/onc/onc_validator.cc
index d5bbb77..7fdaba8 100644
--- a/chromeos/network/onc/onc_validator.cc
+++ b/chromeos/network/onc/onc_validator.cc
@@ -594,7 +594,13 @@ bool Validator::ValidateIPsec(base::DictionaryValue* result) {
 if (auth == kCert) {
 all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertType) &&
 RequireField(*result, kServerCARef);
+ } else if (result->HasKey(kServerCARef)) {
+ error_or_warning_found_ = true;
+ LOG(ERROR) << MessageHeader() << kServerCARef << " can only be set if "
+ << kAuthenticationType << " is set to " << kCert << ".";
+ return false;
 }
+
 std::string cert_type;
 result->GetStringWithoutPathExpansion(::onc::vpn::kClientCertType,
 &cert_type);
diff --git a/chromeos/network/onc/onc_validator_unittest.cc b/chromeos/network/onc/onc_validator_unittest.cc
index 0f7e616..d100aea 100644
--- a/chromeos/network/onc/onc_validator_unittest.cc
+++ b/chromeos/network/onc/onc_validator_unittest.cc
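Review bot: The new `else if (result->HasKey(kServerCARef))` branch has no comment saying that this is a hard rejection rather than a repairable warning; judging by the `ipsec-with-psk-and-cacert` test entry, it fails under both the strict and the liberal validator. Returning `false` here also skips the ClientCertType handling that follows, so a configuration with several problems logs only this one. I would put `// ServerCARef has no effect without certificate authentication; reject the config instead of silently ignoring the field.` above the branch. The logged text carries only field names and the constant kCert, not the PSK or the certificate reference value, which is the right level of detail for a policy-supplied VPN config. ValidateIPsec starts before and continues after this hunk.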
@@ -276,49 +276,53 @@ INSTANTIATE_TEST_CASE_P(
 StrictInvalidLiberalRepair,
 ONCValidatorTestRepairable,
 ::testing::Values(
- std::make_pair(OncParams("network-unknown-fieldname",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("", "network-repaired")),
- std::make_pair(OncParams("managed-network-unknown-fieldname",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-repaired")),
- std::make_pair(OncParams("managed-network-unknown-recommended",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-repaired")),
- std::make_pair(OncParams("managed-network-dict-recommended",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-repaired")),
- std::make_pair(OncParams("network-missing-required",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("", "network-missing-required")),
- std::make_pair(OncParams("managed-network-missing-required",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-missing-required")),
- // Ensure that state values from Shill aren't accepted as
- // configuration.
- std::make_pair(OncParams("network-state-field",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("", "network-repaired")),
- std::make_pair(OncParams("network-nested-state-field",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("",
- "network-nested-state-field-repaired")),
- std::make_pair(OncParams("openvpn-missing-verify-x509-name",
- &kNetworkConfigurationSignature, false),
+ std::make_pair(OncParams("network-unknown-fieldname",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-repaired")),
+ std::make_pair(OncParams("managed-network-unknown-fieldname",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-repaired")),
+ std::make_pair(OncParams("managed-network-unknown-recommended",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-repaired")),
+ std::make_pair(OncParams("managed-network-dict-recommended",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-repaired")),
+ std::make_pair(OncParams("network-missing-required",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-missing-required")),
+ std::make_pair(OncParams("managed-network-missing-required",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-missing-required")),
+ // Ensure that state values from Shill aren't accepted as
+ // configuration.
+ std::make_pair(OncParams("network-state-field",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-repaired")),
+ std::make_pair(OncParams("network-nested-state-field",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-nested-state-field-repaired")),
+ std::make_pair(OncParams("openvpn-missing-verify-x509-name",
+ &kNetworkConfigurationSignature, false),
 RepairParams("", "openvpn-missing-verify-x509-name")),
- std::make_pair(OncParams("toplevel-with-repairable-networks",
- &kToplevelConfigurationSignature,
- false,
- ::onc::ONC_SOURCE_DEVICE_POLICY),
- RepairParams("", "toplevel-with-repaired-networks"))));
+ std::make_pair(OncParams("ipsec-with-client-cert-missing-cacert",
+ &kIPsecSignature,
+ false),
+ RepairParams("",
+ "ipsec-with-client-cert-missing-cacert")),
+ std::make_pair(OncParams("toplevel-with-repairable-networks",
+ &kToplevelConfigurationSignature,
+ false,
+ ::onc::ONC_SOURCE_DEVICE_POLICY),
+ RepairParams("", "toplevel-with-repaired-networks"))));
 
 // Strict and liberal validator repair identically.
 INSTANTIATE_TEST_CASE_P(
@@ -376,6 +380,9 @@ INSTANTIATE_TEST_CASE_P(
 std::make_pair(OncParams("network-value-out-of-range",
 &kNetworkConfigurationSignature, false),
 RepairParams("", "")),
+ std::make_pair(OncParams("ipsec-with-psk-and-cacert",
+ &kIPsecSignature, false),
+ RepairParams("", "")),
 std::make_pair(OncParams("managed-network-value-out-of-range",
 &kNetworkConfigurationSignature, true),
 RepairParams("", "")),
diff --git a/chromeos/test/data/network/invalid_settings_with_repairs.json b/chromeos/test/data/network/invalid_settings_with_repairs.json
index 4f80434..0815629 100644
--- a/chromeos/test/data/network/invalid_settings_with_repairs.json
+++ b/chromeos/test/data/network/invalid_settings_with_repairs.json
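Review bot: The re-indentation of every existing `std::make_pair` entry in the StrictInvalidLiberalRepair list buries the one functional addition, the `ipsec-with-client-cert-missing-cacert` case; a whitespace-only commit ahead of this one would keep the security-relevant change easy to audit and to backport. The new entry, and `ipsec-with-psk-and-cacert` in the following hunk, also lack the kind of comment the list already carries for the Shill state cases. I would add `// Cert authentication without ServerCARef: strict validation fails, liberal validation keeps the input.` and `// ServerCARef with PSK authentication is rejected by both validators.` above them, assuming RepairParams takes the strict result first and the liberal result second. Neither INSTANTIATE_TEST_CASE_P call is fully visible in its hunk.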
@@ -187,6 +187,18 @@
 }
 }
 },
+ "ipsec-with-psk-and-cacert": {
+ "AuthenticationType": "PSK",
+ "IKEVersion": 1,
+ "PSK": "some psk",
+ "ServerCARef": "a cert ref"
+ },
+ "ipsec-with-client-cert-missing-cacert": {
+ "AuthenticationType": "Cert",
+ "IKEVersion": 1,
+ "ClientCertType": "Ref",
+ "ClientCertRef": "a cert ref"
+ },
 "openvpn-missing-verify-x509-name": {
 "GUID": "guid",
 "Type": "VPN",
diff --git a/components/onc/docs/onc_spec.html b/components/onc/docs/onc_spec.html
index f7c87e6..709ca0f 100644
--- a/components/onc/docs/onc_spec.html
+++ b/components/onc/docs/onc_spec.html
@@ -753,7 +753,7 @@
 <dd>
 <span class="field_meta">
 (required if <span class="field">AuthenticationType</span>
- is <span class="value">Cert</span>, otherwise ignored)
+ is <span class="value">Cert</span>, otherwise rejected)
 <span class="type">string</span>
 </span>
 Reference to server certificate authority stored in certificate section. |