diff options
-rw-r--r-- | chromeos/cert_loader.cc | 43 | ||||
-rw-r--r-- | chromeos/cert_loader.h | 20 | ||||
-rw-r--r-- | chromeos/chromeos.gyp | 3 | ||||
-rw-r--r-- | chromeos/network/client_cert_resolver.cc | 450 | ||||
-rw-r--r-- | chromeos/network/client_cert_resolver.h | 92 | ||||
-rw-r--r-- | chromeos/network/client_cert_resolver_unittest.cc | 281 | ||||
-rw-r--r-- | chromeos/network/managed_network_configuration_handler.cc | 62 | ||||
-rw-r--r-- | chromeos/network/managed_network_configuration_handler.h | 19 | ||||
-rw-r--r-- | chromeos/network/managed_network_configuration_handler_unittest.cc | 1 | ||||
-rw-r--r-- | chromeos/network/network_configuration_handler.h | 1 | ||||
-rw-r--r-- | chromeos/network/network_handler.cc | 15 | ||||
-rw-r--r-- | chromeos/network/network_handler.h | 4 | ||||
-rw-r--r-- | chromeos/network/network_policy_observer.h | 27 | ||||
-rw-r--r-- | chromeos/network/network_profile_handler.h | 1 |
14 files changed, 977 insertions, 42 deletions
diff --git a/chromeos/cert_loader.cc b/chromeos/cert_loader.cc index 964c777..060d464 100644 --- a/chromeos/cert_loader.cc +++ b/chromeos/cert_loader.cc @@ -52,7 +52,8 @@ void CallOpenPersistentNSSDB() { VLOG(1) << "CallOpenPersistentNSSDB"; // Ensure we've opened the user's key/certificate database. - crypto::OpenPersistentNSSDB(); + if (base::chromeos::IsRunningOnChromeOS()) + crypto::OpenPersistentNSSDB(); crypto::EnableTPMTokenForNSS(); } @@ -64,7 +65,6 @@ static CertLoader* g_cert_loader = NULL; void CertLoader::Initialize() { CHECK(!g_cert_loader); g_cert_loader = new CertLoader(); - g_cert_loader->Init(); } // static @@ -86,7 +86,8 @@ bool CertLoader::IsInitialized() { } CertLoader::CertLoader() - : certificates_requested_(false), + : initialize_tpm_for_test_(false), + certificates_requested_(false), certificates_loaded_(false), certificates_update_required_(false), certificates_update_running_(false), @@ -95,14 +96,14 @@ CertLoader::CertLoader() base::TimeDelta::FromMilliseconds(kInitialRequestDelayMs)), initialize_token_factory_(this), update_certificates_factory_(this) { -} - -void CertLoader::Init() { - net::CertDatabase::GetInstance()->AddObserver(this); if (LoginState::IsInitialized()) LoginState::Get()->AddObserver(this); } +void CertLoader::InitializeTPMForTest() { + initialize_tpm_for_test_ = true; +} + void CertLoader::SetCryptoTaskRunner( const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner) { crypto_task_runner_ = crypto_task_runner; @@ -154,7 +155,11 @@ void CertLoader::MaybeRequestCertificates() { // Ensure we only initialize the TPM token once. DCHECK_EQ(tpm_token_state_, TPM_STATE_UNKNOWN); - if (!base::chromeos::IsRunningOnChromeOS()) + if (!initialize_tpm_for_test_ && !base::chromeos::IsRunningOnChromeOS()) + tpm_token_state_ = TPM_DISABLED; + + // Treat TPM as disabled for guest users since they do not store certs. + if (LoginState::IsInitialized() && LoginState::Get()->IsGuestUser()) tpm_token_state_ = TPM_DISABLED; InitializeTokenAndLoadCertificates(); @@ -164,10 +169,6 @@ void CertLoader::InitializeTokenAndLoadCertificates() { CHECK(thread_checker_.CalledOnValidThread()); VLOG(1) << "InitializeTokenAndLoadCertificates: " << tpm_token_state_; - // Treat TPM as disabled for guest users since they do not store certs. - if (LoginState::IsInitialized() && LoginState::Get()->IsGuestUser()) - tpm_token_state_ = TPM_DISABLED; - switch (tpm_token_state_) { case TPM_STATE_UNKNOWN: { crypto_task_runner_->PostTaskAndReply( @@ -211,8 +212,6 @@ void CertLoader::InitializeTokenAndLoadCertificates() { base::Bind(&CertLoader::OnTPMTokenInitialized, initialize_token_factory_.GetWeakPtr())); return; - tpm_token_state_ = TPM_TOKEN_INITIALIZED; - // FALL_THROUGH_INTENDED } case TPM_TOKEN_INITIALIZED: { StartLoadCertificates(); @@ -223,7 +222,7 @@ void CertLoader::InitializeTokenAndLoadCertificates() { void CertLoader::RetryTokenInitializationLater() { CHECK(thread_checker_.CalledOnValidThread()); - LOG(WARNING) << "Re-Requesting Certificates later."; + LOG(WARNING) << "Retry token initialization later."; base::MessageLoop::current()->PostDelayedTask( FROM_HERE, base::Bind(&CertLoader::InitializeTokenAndLoadCertificates, @@ -324,8 +323,14 @@ void CertLoader::OnTPMTokenInitialized(bool success) { } void CertLoader::StartLoadCertificates() { + DCHECK(!certificates_loaded_ && !certificates_update_running_); + net::CertDatabase::GetInstance()->AddObserver(this); + LoadCertificates(); +} + +void CertLoader::LoadCertificates() { CHECK(thread_checker_.CalledOnValidThread()); - VLOG(1) << "StartLoadCertificates: " << certificates_update_running_; + VLOG(1) << "LoadCertificates: " << certificates_update_running_; if (certificates_update_running_) { certificates_update_required_ = true; @@ -361,7 +366,7 @@ void CertLoader::UpdateCertificates(net::CertificateList* cert_list) { certificates_update_running_ = false; if (certificates_update_required_) - StartLoadCertificates(); + LoadCertificates(); } void CertLoader::NotifyCertificatesLoaded(bool initial_load) { @@ -374,12 +379,12 @@ void CertLoader::OnCertTrustChanged(const net::X509Certificate* cert) { void CertLoader::OnCertAdded(const net::X509Certificate* cert) { VLOG(1) << "OnCertAdded"; - StartLoadCertificates(); + LoadCertificates(); } void CertLoader::OnCertRemoved(const net::X509Certificate* cert) { VLOG(1) << "OnCertRemoved"; - StartLoadCertificates(); + LoadCertificates(); } void CertLoader::LoggedInStateChanged(LoginState::LoggedInState state) { diff --git a/chromeos/cert_loader.h b/chromeos/cert_loader.h index 75d2cd0..bc1123e 100644 --- a/chromeos/cert_loader.h +++ b/chromeos/cert_loader.h @@ -69,10 +69,15 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer, static std::string GetPkcs11IdForCert(const net::X509Certificate& cert); + // By default, CertLoader tries to load the TPMToken only if running in a + // ChromeOS environment. Tests can call this function after Initialize() and + // before SetCryptoTaskRunner() to enable the TPM initialization. + void InitializeTPMForTest(); + // |crypto_task_runner| is the task runner that any synchronous crypto calls // should be made from, e.g. in Chrome this is the IO thread. Must be called - // after the thread is started. Certificate loading will not happen unless - // this is set. + // after the thread is started. Starts TPM initialization and Certificate + // loading. void SetCryptoTaskRunner( const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner); @@ -105,7 +110,6 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer, CertLoader(); virtual ~CertLoader(); - void Init(); void MaybeRequestCertificates(); // This is the cyclic chain of callbacks to initialize the TPM token and to @@ -124,7 +128,15 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer, // These calls handle the updating of the certificate list after the TPM token // was initialized. + + // Start certificate loading. Must be called at most once. void StartLoadCertificates(); + + // Trigger a certificate load. If a certificate loading task is already in + // progress, will start a reload once the current task finised. + void LoadCertificates(); + + // Called if a certificate load task is finished. void UpdateCertificates(net::CertificateList* cert_list); void NotifyCertificatesLoaded(bool initial_load); @@ -137,6 +149,8 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer, // LoginState::Observer virtual void LoggedInStateChanged(LoginState::LoggedInState state) OVERRIDE; + bool initialize_tpm_for_test_; + ObserverList<Observer> observers_; bool certificates_requested_; diff --git a/chromeos/chromeos.gyp b/chromeos/chromeos.gyp index 57fd83b..5086f2d 100644 --- a/chromeos/chromeos.gyp +++ b/chromeos/chromeos.gyp @@ -217,6 +217,8 @@ 'login/login_state.h', 'network/certificate_pattern.cc', 'network/certificate_pattern.h', + 'network/client_cert_resolver.cc', + 'network/client_cert_resolver.h', 'network/client_cert_util.cc', 'network/client_cert_util.h', 'network/cros_network_functions.cc', @@ -497,6 +499,7 @@ 'ime/input_method_whitelist_unittest.cc', 'ime/xkeyboard_unittest.cc', 'login/login_state_unittest.cc', + 'network/client_cert_resolver_unittest.cc', 'network/cros_network_functions_unittest.cc', 'network/geolocation_handler_unittest.cc', 'network/managed_network_configuration_handler_unittest.cc', diff --git a/chromeos/network/client_cert_resolver.cc b/chromeos/network/client_cert_resolver.cc new file mode 100644 index 0000000..adbb9de --- /dev/null +++ b/chromeos/network/client_cert_resolver.cc @@ -0,0 +1,450 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#include "chromeos/network/client_cert_resolver.h" + +#include <cert.h> +#include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA +#include <pk11pub.h> + +#include <algorithm> +#include <string> + +#include "base/stl_util.h" +#include "base/task_runner.h" +#include "base/threading/worker_pool.h" +#include "base/time/time.h" +#include "chromeos/cert_loader.h" +#include "chromeos/dbus/dbus_thread_manager.h" +#include "chromeos/dbus/shill_service_client.h" +#include "chromeos/network/certificate_pattern.h" +#include "chromeos/network/client_cert_util.h" +#include "chromeos/network/managed_network_configuration_handler.h" +#include "chromeos/network/network_state.h" +#include "chromeos/network/network_state_handler.h" +#include "chromeos/network/network_ui_data.h" +#include "chromeos/network/onc/onc_constants.h" +#include "dbus/object_path.h" +#include "net/cert/x509_certificate.h" + +namespace chromeos { + +// Describes a network |network_path| for which a matching certificate |cert_id| +// was found. +struct ClientCertResolver::NetworkAndMatchingCert { + NetworkAndMatchingCert(const std::string& network_path, + client_cert::ConfigType config_type, + const std::string& cert_id) + : service_path(network_path), + cert_config_type(config_type), + pkcs11_id(cert_id) {} + + std::string service_path; + client_cert::ConfigType cert_config_type; + // The id of the matching certificate. + std::string pkcs11_id; +}; + +typedef std::vector<ClientCertResolver::NetworkAndMatchingCert> + NetworkCertMatches; + +namespace { + +// Returns true if |vector| contains |value|. +template <class T> +bool ContainsValue(const std::vector<T>& vector, const T& value) { + return find(vector.begin(), vector.end(), value) != vector.end(); +} + +// Returns true if a private key for certificate |cert| is installed. +bool HasPrivateKey(const net::X509Certificate& cert) { + PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL); + if (!slot) + return false; + + PK11_FreeSlot(slot); + return true; +} + +// Describes a certificate which is issued by |issuer| (encoded as PEM). +struct CertAndIssuer { + CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate, + const std::string& issuer) + : cert(certificate), + pem_encoded_issuer(issuer) {} + + scoped_refptr<net::X509Certificate> cert; + std::string pem_encoded_issuer; +}; + +bool CompareCertExpiration(const CertAndIssuer& a, + const CertAndIssuer& b) { + return (a.cert->valid_expiry() < b.cert->valid_expiry()); +} + +// Describes a network that is configured with the certificate pattern +// |client_cert_pattern|. +struct NetworkAndCertPattern { + NetworkAndCertPattern(const std::string& network_path, + client_cert::ConfigType config_type, + const CertificatePattern& pattern) + : service_path(network_path), + cert_config_type(config_type), + client_cert_pattern(pattern) {} + std::string service_path; + client_cert::ConfigType cert_config_type; + CertificatePattern client_cert_pattern; +}; + +// A unary predicate that returns true if the given CertAndIssuer matches the +// certificate pattern of the NetworkAndCertPattern. +struct MatchCertWithPattern { + MatchCertWithPattern(const NetworkAndCertPattern& pattern) + : net_and_pattern(pattern) {} + + bool operator()(const CertAndIssuer& cert_and_issuer) { + const CertificatePattern& pattern = net_and_pattern.client_cert_pattern; + if (!pattern.issuer().Empty() && + !client_cert::CertPrincipalMatches(pattern.issuer(), + cert_and_issuer.cert->issuer())) { + return false; + } + if (!pattern.subject().Empty() && + !client_cert::CertPrincipalMatches(pattern.subject(), + cert_and_issuer.cert->subject())) { + return false; + } + + const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems(); + if (!issuer_ca_pems.empty() && + !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) { + return false; + } + return true; + } + + NetworkAndCertPattern net_and_pattern; +}; + +// Searches for matches between |networks| and |certs| and writes matches to +// |matches|. Because this calls NSS functions and is potentially slow, it must +// be run on a worker thread. +void FindCertificateMatches(const net::CertificateList& certs, + std::vector<NetworkAndCertPattern>* networks, + NetworkCertMatches* matches) { + // Filter all client certs and determines each certificate's issuer, which is + // required for the pattern matching. + std::vector<CertAndIssuer> client_certs; + for (net::CertificateList::const_iterator it = certs.begin(); + it != certs.end(); ++it) { + const net::X509Certificate& cert = **it; + if (cert.valid_expiry().is_null() || cert.HasExpired() || + !HasPrivateKey(cert)) { + continue; + } + scoped_refptr<net::X509Certificate> issuer = + net::X509Certificate::CreateFromHandle( + CERT_FindCertIssuer( + cert.os_cert_handle(), PR_Now(), certUsageAnyCA), + net::X509Certificate::OSCertHandles()); + if (!issuer) { + LOG(ERROR) << "Couldn't find cert issuer."; + continue; + } + std::string pem_encoded_issuer; + if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(), + &pem_encoded_issuer)) { + LOG(ERROR) << "Couldn't PEM-encode certificate."; + continue; + } + client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer)); + } + + std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration); + + for (std::vector<NetworkAndCertPattern>::const_iterator it = + networks->begin(); + it != networks->end(); ++it) { + std::vector<CertAndIssuer>::iterator cert_it = std::find_if( + client_certs.begin(), client_certs.end(), MatchCertWithPattern(*it)); + if (cert_it == client_certs.end()) { + LOG(WARNING) << "Couldn't find a matching client cert for network " + << it->service_path; + continue; + } + std::string pkcs11_id = CertLoader::GetPkcs11IdForCert(*cert_it->cert); + if (pkcs11_id.empty()) { + LOG(ERROR) << "Couldn't determine PKCS#11 ID."; + continue; + } + matches->push_back(ClientCertResolver::NetworkAndMatchingCert( + it->service_path, it->cert_config_type, pkcs11_id)); + } +} + +// Determines the type of the CertificatePattern configuration, i.e. is it a +// pattern within an EAP, IPsec or OpenVPN configuration. +client_cert::ConfigType OncToClientCertConfigurationType( + const base::DictionaryValue& network_config) { + using namespace ::chromeos::onc; + + const base::DictionaryValue* wifi = NULL; + network_config.GetDictionaryWithoutPathExpansion(network_config::kWiFi, + &wifi); + if (wifi) { + const base::DictionaryValue* eap = NULL; + wifi->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap); + if (!eap) + return client_cert::CONFIG_TYPE_NONE; + return client_cert::CONFIG_TYPE_EAP; + } + + const base::DictionaryValue* vpn = NULL; + network_config.GetDictionaryWithoutPathExpansion(network_config::kVPN, &vpn); + if (vpn) { + const base::DictionaryValue* openvpn = NULL; + vpn->GetDictionaryWithoutPathExpansion(vpn::kOpenVPN, &openvpn); + if (openvpn) + return client_cert::CONFIG_TYPE_OPENVPN; + + const base::DictionaryValue* ipsec = NULL; + vpn->GetDictionaryWithoutPathExpansion(vpn::kIPsec, &ipsec); + if (ipsec) + return client_cert::CONFIG_TYPE_IPSEC; + + return client_cert::CONFIG_TYPE_NONE; + } + + const base::DictionaryValue* ethernet = NULL; + network_config.GetDictionaryWithoutPathExpansion(network_config::kEthernet, + ðernet); + if (ethernet) { + const base::DictionaryValue* eap = NULL; + ethernet->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap); + if (eap) + return client_cert::CONFIG_TYPE_EAP; + return client_cert::CONFIG_TYPE_NONE; + } + + return client_cert::CONFIG_TYPE_NONE; +} + +void LogError(const std::string& service_path, + const std::string& dbus_error_name, + const std::string& dbus_error_message) { + network_handler::ShillErrorCallbackFunction( + "ClientCertResolver.SetProperties failed", + service_path, + network_handler::ErrorCallback(), + dbus_error_name, + dbus_error_message); +} + +bool ClientCertificatesLoaded() { + if(!CertLoader::Get()->certificates_loaded()) { + VLOG(1) << "Certificates not loaded yet."; + return false; + } + if (!CertLoader::Get()->IsHardwareBacked()) { + VLOG(1) << "TPM is not available."; + return false; + } + return true; +} + +} // namespace + +ClientCertResolver::ClientCertResolver() + : network_state_handler_(NULL), + managed_network_config_handler_(NULL), + weak_ptr_factory_(this) { +} + +ClientCertResolver::~ClientCertResolver() { + if (network_state_handler_) + network_state_handler_->RemoveObserver(this, FROM_HERE); + if (CertLoader::IsInitialized()) + CertLoader::Get()->RemoveObserver(this); + if (managed_network_config_handler_) + managed_network_config_handler_->RemoveObserver(this); +} + +void ClientCertResolver::Init( + NetworkStateHandler* network_state_handler, + ManagedNetworkConfigurationHandler* managed_network_config_handler) { + DCHECK(network_state_handler); + network_state_handler_ = network_state_handler; + network_state_handler_->AddObserver(this, FROM_HERE); + + DCHECK(managed_network_config_handler); + managed_network_config_handler_ = managed_network_config_handler; + managed_network_config_handler_->AddObserver(this); + + CertLoader::Get()->AddObserver(this); +} + +void ClientCertResolver::SetSlowTaskRunnerForTest( + const scoped_refptr<base::TaskRunner>& task_runner) { + slow_task_runner_for_test_ = task_runner; +} + +void ClientCertResolver::NetworkListChanged() { + VLOG(2) << "NetworkListChanged."; + if (!ClientCertificatesLoaded()) + return; + // Configure only networks that were not configured before. + + // We'll drop networks from |resolved_networks_|, which are not known anymore. + std::set<std::string> old_resolved_networks; + old_resolved_networks.swap(resolved_networks_); + + NetworkStateList networks; + network_state_handler_->GetNetworkList(&networks); + + NetworkStateList networks_to_check; + for (NetworkStateList::const_iterator it = networks.begin(); + it != networks.end(); ++it) { + // If this network is not managed, it cannot have a ClientCertPattern. + // We do this check here additionally to ResolveNetworks because it's cheap + // and prevents |resolved_networks_| from becoming too large. + if ((*it)->guid().empty()) + continue; + + const std::string& service_path = (*it)->path(); + if (ContainsKey(old_resolved_networks, service_path)) { + resolved_networks_.insert(service_path); + continue; + } + networks_to_check.push_back(*it); + } + + ResolveNetworks(networks_to_check); +} + +void ClientCertResolver::OnCertificatesLoaded( + const net::CertificateList& cert_list, + bool initial_load) { + VLOG(2) << "OnCertificatesLoaded."; + if (!ClientCertificatesLoaded()) + return; + // Compare all networks with all certificates. + NetworkStateList networks; + network_state_handler_->GetNetworkList(&networks); + ResolveNetworks(networks); +} + +void ClientCertResolver::PolicyApplied(const std::string& service_path) { + VLOG(2) << "PolicyApplied " << service_path; + if (!ClientCertificatesLoaded()) + return; + // Compare this network with all certificates. + const NetworkState* network = + network_state_handler_->GetNetworkState(service_path); + if (!network) { + LOG(ERROR) << "service path '" << service_path << "' unknown."; + return; + } + NetworkStateList networks; + networks.push_back(network); + ResolveNetworks(networks); +} + +void ClientCertResolver::ResolveNetworks( + const NetworkStateList& networks) { + scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern( + new std::vector<NetworkAndCertPattern>); + + // Filter networks with ClientCertPattern. As ClientCertPatterns can only be + // set by policy, we check there. + for (NetworkStateList::const_iterator it = networks.begin(); + it != networks.end(); ++it) { + const NetworkState* network = *it; + + // In any case, don't check this network again in NetworkListChanged. + resolved_networks_.insert(network->path()); + + // If this network is not managed, it cannot have a ClientCertPattern. + if (network->guid().empty()) + continue; + + if (network->profile_path().empty()) { + LOG(ERROR) << "Network " << network->path() + << " has a GUID but not profile path"; + continue; + } + const base::DictionaryValue* policy = + managed_network_config_handler_->FindPolicyByGuidAndProfile( + network->guid(), network->profile_path()); + + if (!policy) { + VLOG(1) << "The policy for network " << network->path() << " with GUID " + << network->guid() << " is not available yet."; + // Skip this network for now. Once the policy is loaded, PolicyApplied() + // will retry. + continue; + } + + VLOG(2) << "Inspecting network " << network->path(); + // TODO(pneubeck): Access the ClientCertPattern without relying on + // NetworkUIData, which also parses other things that we don't need here. + // The ONCSource is irrelevant here. + scoped_ptr<NetworkUIData> ui_data( + NetworkUIData::CreateFromONC(onc::ONC_SOURCE_NONE, *policy)); + + // Skip networks that don't have a ClientCertPattern. + if (ui_data->certificate_type() != CLIENT_CERT_TYPE_PATTERN) + continue; + + client_cert::ConfigType config_type = + OncToClientCertConfigurationType(*policy); + if (config_type == client_cert::CONFIG_TYPE_NONE) { + LOG(ERROR) << "UIData contains a CertificatePattern, but the policy " + << "doesn't. Network: " << network->path(); + continue; + } + + networks_with_pattern->push_back(NetworkAndCertPattern( + network->path(), config_type, ui_data->certificate_pattern())); + } + if (networks_with_pattern->empty()) + return; + + VLOG(2) << "Start task for resolving client cert patterns."; + base::TaskRunner* task_runner = slow_task_runner_for_test_.get(); + if (!task_runner) + task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */); + + NetworkCertMatches* matches = new NetworkCertMatches; + task_runner->PostTaskAndReply( + FROM_HERE, + base::Bind(&FindCertificateMatches, + CertLoader::Get()->cert_list(), + base::Owned(networks_with_pattern.release()), + matches), + base::Bind(&ClientCertResolver::ConfigureCertificates, + weak_ptr_factory_.GetWeakPtr(), + base::Owned(matches))); +} + +void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) { + for (NetworkCertMatches::const_iterator it = matches->begin(); + it != matches->end(); ++it) { + VLOG(1) << "Configuring certificate of network " << it->service_path; + CertLoader* cert_loader = CertLoader::Get(); + base::DictionaryValue shill_properties; + client_cert::SetShillProperties(it->cert_config_type, + cert_loader->tpm_token_slot(), + cert_loader->tpm_user_pin(), + &it->pkcs11_id, + &shill_properties); + DBusThreadManager::Get()->GetShillServiceClient()-> + SetProperties(dbus::ObjectPath(it->service_path), + shill_properties, + base::Bind(&base::DoNothing), + base::Bind(&LogError, it->service_path)); + network_state_handler_->RequestUpdateForNetwork(it->service_path); + } +} + +} // namespace chromeos diff --git a/chromeos/network/client_cert_resolver.h b/chromeos/network/client_cert_resolver.h new file mode 100644 index 0000000..a1be963 --- /dev/null +++ b/chromeos/network/client_cert_resolver.h @@ -0,0 +1,92 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_ +#define CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_ + +#include <string> +#include <vector> + +#include "base/basictypes.h" +#include "base/memory/ref_counted.h" +#include "base/memory/scoped_ptr.h" +#include "base/memory/weak_ptr.h" +#include "chromeos/cert_loader.h" +#include "chromeos/chromeos_export.h" +#include "chromeos/network/network_policy_observer.h" +#include "chromeos/network/network_state_handler_observer.h" + +namespace base { +class TaskRunner; +} + +namespace chromeos { + +class NetworkState; +class NetworkStateHandler; +class ManagedNetworkConfigurationHandler; + +// Observes the known networks. If a network is configured with a client +// certificate pattern, this class searches for a matching client certificate. +// Each time it finds a match, it configures the network accordingly. +class CHROMEOS_EXPORT ClientCertResolver : public NetworkStateHandlerObserver, + public CertLoader::Observer, + public NetworkPolicyObserver { + public: + struct NetworkAndMatchingCert; + + ClientCertResolver(); + virtual ~ClientCertResolver(); + + void Init(NetworkStateHandler* network_state_handler, + ManagedNetworkConfigurationHandler* managed_network_config_handler); + + // Sets the task runner that any slow calls will be made from, e.g. calls + // to the NSS database. If not set, uses base::WorkerPool. + void SetSlowTaskRunnerForTest( + const scoped_refptr<base::TaskRunner>& task_runner); + + private: + typedef std::vector<const NetworkState*> NetworkStateList; + + // NetworkStateHandlerObserver overrides + virtual void NetworkListChanged() OVERRIDE; + + // CertLoader::Observer overrides + virtual void OnCertificatesLoaded(const net::CertificateList& cert_list, + bool initial_load) OVERRIDE; + + // NetworkPolicyObserver overrides + virtual void PolicyApplied(const std::string& service_path) OVERRIDE; + + // Check which networks of |networks| are configured with a client certificate + // pattern. Search for certificates, on the worker thread, and configure the + // networks for which a matching cert is found (see ConfigureCertificates). + void ResolveNetworks(const NetworkStateList& networks); + + // |matches| contains networks for which a matching certificate was found. + // Configures these networks. + void ConfigureCertificates(std::vector<NetworkAndMatchingCert>* matches); + + // The set of networks that were checked/resolved in previous passes. These + // networks are skipped in the NetworkListChanged notification. + std::set<std::string> resolved_networks_; + + // Unowned associated (global or test) instance. + NetworkStateHandler* network_state_handler_; + + // Unowned associated (global or test) instance. + ManagedNetworkConfigurationHandler* managed_network_config_handler_; + + // TaskRunner for slow tasks. + scoped_refptr<base::TaskRunner> slow_task_runner_for_test_; + + base::WeakPtrFactory<ClientCertResolver> weak_ptr_factory_; + + DISALLOW_COPY_AND_ASSIGN(ClientCertResolver); +}; + +} // namespace chromeos + +#endif // CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_ diff --git a/chromeos/network/client_cert_resolver_unittest.cc b/chromeos/network/client_cert_resolver_unittest.cc new file mode 100644 index 0000000..004bf07 --- /dev/null +++ b/chromeos/network/client_cert_resolver_unittest.cc @@ -0,0 +1,281 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. +#include "chromeos/network/client_cert_resolver.h" + +#include <cert.h> +#include <pk11pub.h> + +#include "base/file_util.h" +#include "base/files/file_path.h" +#include "base/json/json_reader.h" +#include "base/run_loop.h" +#include "base/strings/stringprintf.h" +#include "chromeos/dbus/dbus_thread_manager.h" +#include "chromeos/dbus/shill_profile_client.h" +#include "chromeos/dbus/shill_service_client.h" +#include "chromeos/login/login_state.h" +#include "chromeos/network/managed_network_configuration_handler.h" +#include "chromeos/network/network_configuration_handler.h" +#include "chromeos/network/network_profile_handler.h" +#include "chromeos/network/network_state_handler.h" +#include "crypto/nss_util.h" +#include "net/base/crypto_module.h" +#include "net/base/net_errors.h" +#include "net/base/test_data_directory.h" +#include "net/cert/nss_cert_database.h" +#include "net/cert/x509_certificate.h" +#include "net/test/cert_test_util.h" +#include "testing/gtest/include/gtest/gtest.h" +#include "third_party/cros_system_api/dbus/service_constants.h" + +namespace chromeos { + +namespace { + +const char* kWifiStub = "wifi_stub"; +const char* kWifiSSID = "wifi_ssid"; +const char* kUserProfilePath = "user_profile"; +const char* kUserHash = "user_hash"; + +} // namespace + +class ClientCertResolverTest : public testing::Test { + public: + ClientCertResolverTest() {} + virtual ~ClientCertResolverTest() {} + + virtual void SetUp() OVERRIDE { + ASSERT_TRUE(test_nssdb_.is_open()); + slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule(); + ASSERT_TRUE(slot_->os_module_handle()); + + LoginState::Initialize(); + + DBusThreadManager::InitializeWithStub(); + service_test_ = + DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); + profile_test_ = + DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); + message_loop_.RunUntilIdle(); + service_test_->ClearServices(); + message_loop_.RunUntilIdle(); + + CertLoader::Initialize(); + CertLoader* cert_loader = CertLoader::Get(); + cert_loader->InitializeTPMForTest(); + cert_loader->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); + cert_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy()); + } + + virtual void TearDown() OVERRIDE { + client_cert_resolver_.reset(); + managed_config_handler_.reset(); + network_config_handler_.reset(); + network_profile_handler_.reset(); + network_state_handler_.reset(); + CertLoader::Shutdown(); + DBusThreadManager::Shutdown(); + LoginState::Shutdown(); + CleanupSlotContents(); + } + + protected: + // Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client + // certificate signed by that CA. Its PKCS#11 ID is stored in + // |test_pkcs11_id_|. + void SetupTestCerts() { + // Import a CA cert. + net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance(); + net::CertificateList ca_cert_list = + net::CreateCertificateListFromFile(net::GetTestCertsDirectory(), + "websocket_cacert.pem", + net::X509Certificate::FORMAT_AUTO); + ASSERT_TRUE(!ca_cert_list.empty()); + net::NSSCertDatabase::ImportCertFailureList failures; + EXPECT_TRUE(cert_db->ImportCACerts( + ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures)); + ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error); + + net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(), + &test_ca_cert_pem_); + ASSERT_TRUE(!test_ca_cert_pem_.empty()); + + // Import a client cert signed by that CA. + scoped_refptr<net::CryptoModule> crypt_module = cert_db->GetPrivateModule(); + std::string pkcs12_data; + ASSERT_TRUE(file_util::ReadFileToString( + net::GetTestCertsDirectory().Append("websocket_client_cert.p12"), + &pkcs12_data)); + + net::CertificateList client_cert_list; + ASSERT_EQ(net::OK, + cert_db->ImportFromPKCS12(crypt_module.get(), + pkcs12_data, + string16(), + false, + &client_cert_list)); + ASSERT_TRUE(!client_cert_list.empty()); + test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]); + ASSERT_TRUE(!test_pkcs11_id_.empty()); + } + + void SetupNetworkHandlers() { + network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); + network_profile_handler_.reset(new NetworkProfileHandler()); + network_config_handler_.reset(new NetworkConfigurationHandler()); + managed_config_handler_.reset(new ManagedNetworkConfigurationHandler()); + client_cert_resolver_.reset(new ClientCertResolver()); + + network_profile_handler_->Init(network_state_handler_.get()); + network_config_handler_->Init(network_state_handler_.get()); + managed_config_handler_->Init(network_state_handler_.get(), + network_profile_handler_.get(), + network_config_handler_.get()); + client_cert_resolver_->Init(network_state_handler_.get(), + managed_config_handler_.get()); + client_cert_resolver_->SetSlowTaskRunnerForTest( + message_loop_.message_loop_proxy()); + + profile_test_->AddProfile(kUserProfilePath, kUserHash); + } + + void SetupWifi() { + const bool add_to_visible = true; + const bool add_to_watchlist = true; + service_test_->AddService(kWifiStub, + kWifiSSID, + flimflam::kTypeWifi, + flimflam::kStateOnline, + add_to_visible, + add_to_watchlist); + service_test_->SetServiceProperty( + kWifiStub, flimflam::kGuidProperty, base::StringValue(kWifiStub)); + + profile_test_->AddService(kUserProfilePath, kWifiStub); + } + + // Setup a policy with a certificate pattern that matches any client cert that + // is signed by the test CA cert (stored in |test_ca_cert_pem_|). In + // particular it will match the test client cert. + void SetupPolicy() { + const char* kTestPolicyTemplate = + "[ { \"GUID\": \"wifi_stub\"," + " \"Name\": \"wifi_stub\"," + " \"Type\": \"WiFi\"," + " \"WiFi\": {" + " \"Security\": \"WPA-EAP\"," + " \"SSID\": \"wifi_ssid\"," + " \"EAP\": {" + " \"Outer\": \"EAP-TLS\"," + " \"ClientCertType\": \"Pattern\"," + " \"ClientCertPattern\": {" + " \"IssuerCAPEMs\": [ \"%s\" ]" + " }" + " }" + " }" + "} ]"; + std::string policy_json = + base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str()); + + std::string error; + scoped_ptr<base::Value> policy_value(base::JSONReader::ReadAndReturnError( + policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error)); + ASSERT_TRUE(policy_value) << error; + + base::ListValue* policy = NULL; + ASSERT_TRUE(policy_value->GetAsList(&policy)); + + managed_config_handler_->SetPolicy( + onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy); + } + + void GetClientCertProperties(std::string* pkcs11_id) { + pkcs11_id->clear(); + const base::DictionaryValue* properties = + service_test_->GetServiceProperties(kWifiStub); + if (!properties) + return; + properties->GetStringWithoutPathExpansion(flimflam::kEapCertIdProperty, + pkcs11_id); + } + + ShillServiceClient::TestInterface* service_test_; + ShillProfileClient::TestInterface* profile_test_; + std::string test_pkcs11_id_; + scoped_refptr<net::X509Certificate> test_ca_cert_; + std::string test_ca_cert_pem_; + base::MessageLoop message_loop_; + + private: + void CleanupSlotContents() { + CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle()); + for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list); + !CERT_LIST_END(node, cert_list); + node = CERT_LIST_NEXT(node)) { + scoped_refptr<net::X509Certificate> cert( + net::X509Certificate::CreateFromHandle( + node->cert, net::X509Certificate::OSCertHandles())); + net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(cert.get()); + } + CERT_DestroyCertList(cert_list); + } + + scoped_ptr<NetworkStateHandler> network_state_handler_; + scoped_ptr<NetworkProfileHandler> network_profile_handler_; + scoped_ptr<NetworkConfigurationHandler> network_config_handler_; + scoped_ptr<ManagedNetworkConfigurationHandler> managed_config_handler_; + scoped_ptr<ClientCertResolver> client_cert_resolver_; + scoped_refptr<net::CryptoModule> slot_; + crypto::ScopedTestNSSDB test_nssdb_; + + DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest); +}; + +TEST_F(ClientCertResolverTest, NoMatchingCertificates) { + SetupNetworkHandlers(); + SetupPolicy(); + message_loop_.RunUntilIdle(); + + SetupWifi(); + message_loop_.RunUntilIdle(); + + // Verify that no client certificate was configured. + std::string pkcs11_id; + GetClientCertProperties(&pkcs11_id); + EXPECT_TRUE(pkcs11_id.empty()); +} + +TEST_F(ClientCertResolverTest, ResolveOnInitialization) { + SetupTestCerts(); + SetupNetworkHandlers(); + SetupPolicy(); + message_loop_.RunUntilIdle(); + + SetupWifi(); + message_loop_.RunUntilIdle(); + + // Verify that the resolver positively matched the pattern in the policy with + // the test client cert and configured the network. + std::string pkcs11_id; + GetClientCertProperties(&pkcs11_id); + EXPECT_EQ(test_pkcs11_id_, pkcs11_id); +} + +TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) { + SetupTestCerts(); + SetupNetworkHandlers(); + message_loop_.RunUntilIdle(); + + // The policy will trigger the creation of a new wifi service. + SetupPolicy(); + message_loop_.RunUntilIdle(); + + // Verify that the resolver positively matched the pattern in the policy with + // the test client cert and configured the network. + std::string pkcs11_id; + GetClientCertProperties(&pkcs11_id); + EXPECT_EQ(test_pkcs11_id_, pkcs11_id); +} + +} // namespace chromeos diff --git a/chromeos/network/managed_network_configuration_handler.cc b/chromeos/network/managed_network_configuration_handler.cc index 5ee791f..e7dd0b6 100644 --- a/chromeos/network/managed_network_configuration_handler.cc +++ b/chromeos/network/managed_network_configuration_handler.cc @@ -25,6 +25,7 @@ #include "chromeos/network/network_configuration_handler.h" #include "chromeos/network/network_event_log.h" #include "chromeos/network/network_handler_callbacks.h" +#include "chromeos/network/network_policy_observer.h" #include "chromeos/network/network_profile.h" #include "chromeos/network/network_profile_handler.h" #include "chromeos/network/network_state.h" @@ -98,10 +99,6 @@ void SetUIData(const NetworkUIData& ui_data, ui_data_blob); } -// A dummy callback to ignore the result of Shill calls. -void IgnoreString(const std::string& str) { -} - void LogErrorWithDict(const tracked_objects::Location& from_where, const std::string& error_name, scoped_ptr<base::DictionaryValue> error_data) { @@ -374,6 +371,16 @@ scoped_ptr<NetworkUIData> ManagedNetworkConfigurationHandler::GetUIData( return scoped_ptr<NetworkUIData>(); } +void ManagedNetworkConfigurationHandler::AddObserver( + NetworkPolicyObserver* observer) { + observers_.AddObserver(observer); +} + +void ManagedNetworkConfigurationHandler::RemoveObserver( + NetworkPolicyObserver* observer) { + observers_.RemoveObserver(observer); +} + void ManagedNetworkConfigurationHandler::GetManagedProperties( const std::string& userhash, const std::string& service_path, @@ -734,6 +741,27 @@ ManagedNetworkConfigurationHandler::FindPolicyByGUID( return NULL; } +const base::DictionaryValue* +ManagedNetworkConfigurationHandler::FindPolicyByGuidAndProfile( + const std::string& guid, + const std::string& profile_path) const { + const NetworkProfile* profile = + network_profile_handler_->GetProfileForPath(profile_path); + if (!profile) { + LOG(ERROR) << "Profile path unknown: " << profile_path; + return NULL; + } + + const GuidToPolicyMap* policies = GetPoliciesForProfile(*profile); + if (!policies) + return NULL; + + GuidToPolicyMap::const_iterator it = policies->find(guid); + if (it == policies->end()) + return NULL; + return it->second; +} + void ManagedNetworkConfigurationHandler::OnProfileRemoved( const NetworkProfile& profile) { // Nothing to do in this case. @@ -781,6 +809,14 @@ void ManagedNetworkConfigurationHandler::Init( network_profile_handler_->AddObserver(this); } +void ManagedNetworkConfigurationHandler::OnPolicyApplied( + const std::string& service_path) { + if (service_path.empty()) + return; + FOR_EACH_OBSERVER( + NetworkPolicyObserver, observers_, PolicyApplied(service_path)); +} + ManagedNetworkConfigurationHandler::PolicyApplicator::PolicyApplicator( base::WeakPtr<ManagedNetworkConfigurationHandler> handler, const NetworkProfile& profile, @@ -921,10 +957,11 @@ void ManagedNetworkConfigurationHandler::PolicyApplicator::GetEntryCallback( scoped_ptr<base::DictionaryValue> shill_dictionary = CreateShillConfiguration( profile_, new_guid, new_policy, user_settings); - handler_->network_configuration_handler() - ->CreateConfiguration(*shill_dictionary, - base::Bind(&IgnoreString), - base::Bind(&LogErrorWithDict, FROM_HERE)); + handler_->network_configuration_handler()->CreateConfiguration( + *shill_dictionary, + base::Bind(&ManagedNetworkConfigurationHandler::OnPolicyApplied, + handler_), + base::Bind(&LogErrorWithDict, FROM_HERE)); remaining_policies_.erase(new_guid); } } else if (was_managed) { @@ -987,10 +1024,11 @@ ManagedNetworkConfigurationHandler::PolicyApplicator::~PolicyApplicator() { scoped_ptr<base::DictionaryValue> shill_dictionary = CreateShillConfiguration( profile_, *it, policy, NULL /* no user settings */); - handler_->network_configuration_handler() - ->CreateConfiguration(*shill_dictionary, - base::Bind(&IgnoreString), - base::Bind(&LogErrorWithDict, FROM_HERE)); + handler_->network_configuration_handler()->CreateConfiguration( + *shill_dictionary, + base::Bind(&ManagedNetworkConfigurationHandler::OnPolicyApplied, + handler_), + base::Bind(&LogErrorWithDict, FROM_HERE)); } } diff --git a/chromeos/network/managed_network_configuration_handler.h b/chromeos/network/managed_network_configuration_handler.h index 0ac1e6e..357a0f3 100644 --- a/chromeos/network/managed_network_configuration_handler.h +++ b/chromeos/network/managed_network_configuration_handler.h @@ -12,6 +12,7 @@ #include "base/callback.h" #include "base/gtest_prod_util.h" #include "base/memory/weak_ptr.h" +#include "base/observer_list.h" #include "chromeos/chromeos_export.h" #include "chromeos/network/network_handler.h" #include "chromeos/network/network_handler_callbacks.h" @@ -26,6 +27,7 @@ class ListValue; namespace chromeos { class NetworkConfigurationHandler; +class NetworkPolicyObserver; class NetworkProfileHandler; class NetworkStateHandler; class NetworkUIData; @@ -69,6 +71,9 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler static scoped_ptr<NetworkUIData> GetUIData( const base::DictionaryValue& shill_dictionary); + void AddObserver(NetworkPolicyObserver* observer); + void RemoveObserver(NetworkPolicyObserver* observer); + // Provides the properties of the network with |service_path| to |callback|. void GetProperties( const std::string& service_path, @@ -132,7 +137,13 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler const std::string& guid, onc::ONCSource* onc_source) const; - // NetworkProfileObserver overrides + // Returns the policy with |guid| for profile |profile_path|. If such + // doesn't exist, returns NULL. + const base::DictionaryValue* FindPolicyByGuidAndProfile( + const std::string& guid, + const std::string& profile_path) const; + + // NetworkProfileObserver overrides virtual void OnProfileAdded(const NetworkProfile& profile) OVERRIDE; virtual void OnProfileRemoved(const NetworkProfile& profile) OVERRIDE; @@ -141,6 +152,7 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler } private: + friend class ClientCertResolverTest; friend class NetworkHandler; friend class ManagedNetworkConfigurationHandlerTest; class PolicyApplicator; @@ -151,7 +163,6 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler NetworkProfileHandler* network_profile_handler, NetworkConfigurationHandler* network_configuration_handler); - void GetManagedPropertiesCallback( const network_handler::DictionaryResultCallback& callback, const network_handler::ErrorCallback& error_callback, @@ -162,6 +173,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler const GuidToPolicyMap* GetPoliciesForProfile( const NetworkProfile& profile) const; + void OnPolicyApplied(const std::string& service_path); + // The DictionaryValues of the nested maps are owned by this class and are // explicitly deleted where necessary. If present, the empty string maps to // the device policy. @@ -172,6 +185,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler NetworkProfileHandler* network_profile_handler_; NetworkConfigurationHandler* network_configuration_handler_; + ObserverList<NetworkPolicyObserver> observers_; + // For Shill client callbacks base::WeakPtrFactory<ManagedNetworkConfigurationHandler> weak_ptr_factory_; diff --git a/chromeos/network/managed_network_configuration_handler_unittest.cc b/chromeos/network/managed_network_configuration_handler_unittest.cc index 4b0a1c7..21ccec1 100644 --- a/chromeos/network/managed_network_configuration_handler_unittest.cc +++ b/chromeos/network/managed_network_configuration_handler_unittest.cc @@ -13,7 +13,6 @@ #include "chromeos/dbus/mock_shill_manager_client.h" #include "chromeos/dbus/mock_shill_profile_client.h" #include "chromeos/dbus/mock_shill_service_client.h" -#include "chromeos/dbus/shill_profile_client_stub.h" #include "chromeos/network/network_configuration_handler.h" #include "chromeos/network/network_profile_handler.h" #include "chromeos/network/onc/onc_test_utils.h" diff --git a/chromeos/network/network_configuration_handler.h b/chromeos/network/network_configuration_handler.h index f1ee856..c8a0b5b 100644 --- a/chromeos/network/network_configuration_handler.h +++ b/chromeos/network/network_configuration_handler.h @@ -111,6 +111,7 @@ class CHROMEOS_EXPORT NetworkConfigurationHandler NetworkStateHandler* network_state_handler); protected: + friend class ClientCertResolverTest; friend class NetworkHandler; friend class NetworkConfigurationHandlerTest; friend class NetworkConfigurationHandlerStubTest; diff --git a/chromeos/network/network_handler.cc b/chromeos/network/network_handler.cc index ae272fa..b1aac26 100644 --- a/chromeos/network/network_handler.cc +++ b/chromeos/network/network_handler.cc @@ -6,6 +6,7 @@ #include "base/threading/worker_pool.h" #include "chromeos/dbus/dbus_thread_manager.h" +#include "chromeos/network/client_cert_resolver.h" #include "chromeos/network/geolocation_handler.h" #include "chromeos/network/managed_network_configuration_handler.h" #include "chromeos/network/network_cert_migrator.h" @@ -31,11 +32,13 @@ NetworkHandler::NetworkHandler() { network_state_handler_.reset(new NetworkStateHandler()); network_device_handler_.reset(new NetworkDeviceHandler()); network_profile_handler_.reset(new NetworkProfileHandler()); - if (CertLoader::IsInitialized()) - network_cert_migrator_.reset(new NetworkCertMigrator()); network_configuration_handler_.reset(new NetworkConfigurationHandler()); managed_network_configuration_handler_.reset( new ManagedNetworkConfigurationHandler()); + if (CertLoader::IsInitialized()) { + network_cert_migrator_.reset(new NetworkCertMigrator()); + client_cert_resolver_.reset(new ClientCertResolver()); + } network_connection_handler_.reset(new NetworkConnectionHandler()); network_sms_handler_.reset(new NetworkSmsHandler()); geolocation_handler_.reset(new GeolocationHandler()); @@ -48,8 +51,6 @@ NetworkHandler::~NetworkHandler() { void NetworkHandler::Init() { network_state_handler_->InitShillPropertyHandler(); network_profile_handler_->Init(network_state_handler_.get()); - if (network_cert_migrator_) - network_cert_migrator_->Init(network_state_handler_.get()); network_configuration_handler_->Init(network_state_handler_.get()); managed_network_configuration_handler_->Init( network_state_handler_.get(), @@ -57,6 +58,12 @@ void NetworkHandler::Init() { network_configuration_handler_.get()); network_connection_handler_->Init(network_state_handler_.get(), network_configuration_handler_.get()); + if (network_cert_migrator_) + network_cert_migrator_->Init(network_state_handler_.get()); + if (client_cert_resolver_) { + client_cert_resolver_->Init(network_state_handler_.get(), + managed_network_configuration_handler_.get()); + } network_sms_handler_->Init(); geolocation_handler_->Init(); } diff --git a/chromeos/network/network_handler.h b/chromeos/network/network_handler.h index a791f9e..9924dea 100644 --- a/chromeos/network/network_handler.h +++ b/chromeos/network/network_handler.h @@ -11,6 +11,7 @@ namespace chromeos { +class ClientCertResolver; class GeolocationHandler; class ManagedNetworkConfigurationHandler; class NetworkCertMigrator; @@ -60,10 +61,11 @@ class CHROMEOS_EXPORT NetworkHandler { scoped_ptr<NetworkStateHandler> network_state_handler_; scoped_ptr<NetworkDeviceHandler> network_device_handler_; scoped_ptr<NetworkProfileHandler> network_profile_handler_; - scoped_ptr<NetworkCertMigrator> network_cert_migrator_; scoped_ptr<NetworkConfigurationHandler> network_configuration_handler_; scoped_ptr<ManagedNetworkConfigurationHandler> managed_network_configuration_handler_; + scoped_ptr<NetworkCertMigrator> network_cert_migrator_; + scoped_ptr<ClientCertResolver> client_cert_resolver_; scoped_ptr<NetworkConnectionHandler> network_connection_handler_; scoped_ptr<NetworkSmsHandler> network_sms_handler_; scoped_ptr<GeolocationHandler> geolocation_handler_; diff --git a/chromeos/network/network_policy_observer.h b/chromeos/network/network_policy_observer.h new file mode 100644 index 0000000..c51982e --- /dev/null +++ b/chromeos/network/network_policy_observer.h @@ -0,0 +1,27 @@ +// Copyright 2013 The Chromium Authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +#ifndef CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_ +#define CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_ + +#include <string> + +#include "base/basictypes.h" + +namespace chromeos { + +class NetworkPolicyObserver { + public: + virtual void PolicyApplied(const std::string& service_path) = 0; + + protected: + virtual ~NetworkPolicyObserver() {}; + + private: + DISALLOW_ASSIGN(NetworkPolicyObserver); +}; + +} // namespace chromeos + +#endif // CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_ diff --git a/chromeos/network/network_profile_handler.h b/chromeos/network/network_profile_handler.h index 15bb0fd..15f52289 100644 --- a/chromeos/network/network_profile_handler.h +++ b/chromeos/network/network_profile_handler.h @@ -60,6 +60,7 @@ class CHROMEOS_EXPORT NetworkProfileHandler static const char kSharedProfilePath[]; protected: + friend class ClientCertResolverTest; friend class NetworkHandler; NetworkProfileHandler(); |