-rw-r--r--chromeos/network/onc/onc_validator.cc6
-rw-r--r--chromeos/network/onc/onc_validator_unittest.cc91
-rw-r--r--chromeos/test/data/network/invalid_settings_with_repairs.json12
-rw-r--r--components/onc/docs/onc_spec.html2
4 files changed, 68 insertions, 43 deletions
diff --git a/chromeos/network/onc/onc_validator.cc b/chromeos/network/onc/onc_validator.cc
index d5bbb77..7fdaba8 100644
--- a/chromeos/network/onc/onc_validator.cc
+++ b/chromeos/network/onc/onc_validator.cc
@@ -594,7 +594,13 @@ bool Validator::ValidateIPsec(base::DictionaryValue* result) {
if (auth == kCert) {
all_required_exist &= RequireField(*result, ::onc::vpn::kClientCertType) &&
RequireField(*result, kServerCARef);
+ } else if (result->HasKey(kServerCARef)) {
+ error_or_warning_found_ = true;
+ LOG(ERROR) << MessageHeader() << kServerCARef << " can only be set if "
+ << kAuthenticationType << " is set to " << kCert << ".";
+ return false;
}
+
std::string cert_type;
result->GetStringWithoutPathExpansion(::onc::vpn::kClientCertType,
&cert_type);
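Review bot: The new `else if (result->HasKey(kServerCARef))` branch returns `false` immediately, so the ClientCertType handling that follows is skipped and a configuration with several problems will log only this one. If failing fast is intended, a short comment above the branch would make that explicit, e.g. `// ServerCARef is only meaningful with certificate authentication; reject the object rather than silently ignoring the field.` This also tightens validation for existing input: judging by the `RepairParams("", "")` expectation in the unit test, a PSK configuration carrying a stray ServerCARef, which the spec previously described as ignored, now appears to be rejected without repair. It is worth confirming that no already-deployed policies rely on the old behaviour. ValidateIPsec begins and ends outside the hunk.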
diff --git a/chromeos/network/onc/onc_validator_unittest.cc b/chromeos/network/onc/onc_validator_unittest.cc
index 0f7e616..d100aea 100644
--- a/chromeos/network/onc/onc_validator_unittest.cc
+++ b/chromeos/network/onc/onc_validator_unittest.cc
@@ -276,49 +276,53 @@ INSTANTIATE_TEST_CASE_P(
StrictInvalidLiberalRepair,
ONCValidatorTestRepairable,
::testing::Values(
- std::make_pair(OncParams("network-unknown-fieldname",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("", "network-repaired")),
- std::make_pair(OncParams("managed-network-unknown-fieldname",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-repaired")),
- std::make_pair(OncParams("managed-network-unknown-recommended",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-repaired")),
- std::make_pair(OncParams("managed-network-dict-recommended",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-repaired")),
- std::make_pair(OncParams("network-missing-required",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("", "network-missing-required")),
- std::make_pair(OncParams("managed-network-missing-required",
- &kNetworkConfigurationSignature,
- true),
- RepairParams("", "managed-network-missing-required")),
- // Ensure that state values from Shill aren't accepted as
- // configuration.
- std::make_pair(OncParams("network-state-field",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("", "network-repaired")),
- std::make_pair(OncParams("network-nested-state-field",
- &kNetworkConfigurationSignature,
- false),
- RepairParams("",
- "network-nested-state-field-repaired")),
- std::make_pair(OncParams("openvpn-missing-verify-x509-name",
- &kNetworkConfigurationSignature, false),
+ std::make_pair(OncParams("network-unknown-fieldname",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-repaired")),
+ std::make_pair(OncParams("managed-network-unknown-fieldname",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-repaired")),
+ std::make_pair(OncParams("managed-network-unknown-recommended",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-repaired")),
+ std::make_pair(OncParams("managed-network-dict-recommended",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-repaired")),
+ std::make_pair(OncParams("network-missing-required",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-missing-required")),
+ std::make_pair(OncParams("managed-network-missing-required",
+ &kNetworkConfigurationSignature,
+ true),
+ RepairParams("", "managed-network-missing-required")),
+ // Ensure that state values from Shill aren't accepted as
+ // configuration.
+ std::make_pair(OncParams("network-state-field",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-repaired")),
+ std::make_pair(OncParams("network-nested-state-field",
+ &kNetworkConfigurationSignature,
+ false),
+ RepairParams("", "network-nested-state-field-repaired")),
+ std::make_pair(OncParams("openvpn-missing-verify-x509-name",
+ &kNetworkConfigurationSignature, false),
RepairParams("", "openvpn-missing-verify-x509-name")),
- std::make_pair(OncParams("toplevel-with-repairable-networks",
- &kToplevelConfigurationSignature,
- false,
- ::onc::ONC_SOURCE_DEVICE_POLICY),
- RepairParams("", "toplevel-with-repaired-networks"))));
+ std::make_pair(OncParams("ipsec-with-client-cert-missing-cacert",
+ &kIPsecSignature,
+ false),
+ RepairParams("",
+ "ipsec-with-client-cert-missing-cacert")),
+ std::make_pair(OncParams("toplevel-with-repairable-networks",
+ &kToplevelConfigurationSignature,
+ false,
+ ::onc::ONC_SOURCE_DEVICE_POLICY),
+ RepairParams("", "toplevel-with-repaired-networks"))));
// Strict and liberal validator repair identically.
INSTANTIATE_TEST_CASE_P(
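Review bot: The added `ipsec-with-client-cert-missing-cacert` entry is the only functional change in this hunk, but it is buried in a re-indentation of every existing `std::make_pair` entry, which makes the test change hard to audit and obscures blame history. The whitespace change would be better as a separate commit. The new entry could also carry a one-line comment like the Shill one above it, e.g. `// ServerCARef is required when AuthenticationType is Cert.` The INSTANTIATE_TEST_CASE_P call starts before the hunk.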
@@ -376,6 +380,9 @@ INSTANTIATE_TEST_CASE_P(
std::make_pair(OncParams("network-value-out-of-range",
&kNetworkConfigurationSignature, false),
RepairParams("", "")),
+ std::make_pair(OncParams("ipsec-with-psk-and-cacert",
+ &kIPsecSignature, false),
+ RepairParams("", "")),
std::make_pair(OncParams("managed-network-value-out-of-range",
&kNetworkConfigurationSignature, true),
RepairParams("", "")),
diff --git a/chromeos/test/data/network/invalid_settings_with_repairs.json b/chromeos/test/data/network/invalid_settings_with_repairs.json
index 4f80434..0815629 100644
--- a/chromeos/test/data/network/invalid_settings_with_repairs.json
+++ b/chromeos/test/data/network/invalid_settings_with_repairs.json
@@ -187,6 +187,18 @@
}
}
},
+ "ipsec-with-psk-and-cacert": {
+ "AuthenticationType": "PSK",
+ "IKEVersion": 1,
+ "PSK": "some psk",
+ "ServerCARef": "a cert ref"
+ },
+ "ipsec-with-client-cert-missing-cacert": {
+ "AuthenticationType": "Cert",
+ "IKEVersion": 1,
+ "ClientCertType": "Ref",
+ "ClientCertRef": "a cert ref"
+ },
"openvpn-missing-verify-x509-name": {
"GUID": "guid",
"Type": "VPN",
diff --git a/components/onc/docs/onc_spec.html b/components/onc/docs/onc_spec.html
index f7c87e6..709ca0f 100644
--- a/components/onc/docs/onc_spec.html
+++ b/components/onc/docs/onc_spec.html
@@ -753,7 +753,7 @@
<dd>
<span class="field_meta">
(required if <span class="field">AuthenticationType</span>
- is <span class="value">Cert</span>, otherwise ignored)
+ is <span class="value">Cert</span>, otherwise rejected)
<span class="type">string</span>
</span>
Reference to server certificate authority stored in certificate section.