1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
#define CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
#include <set>
#include <string>
#include <vector>
#include "base/macros.h"
#include "base/memory/ref_counted.h"
#include "base/memory/weak_ptr.h"
#include "base/observer_list.h"
#include "base/time/time.h"
#include "chromeos/cert_loader.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/client_cert_util.h"
#include "chromeos/network/network_policy_observer.h"
#include "chromeos/network/network_state_handler.h"
#include "chromeos/network/network_state_handler_observer.h"
namespace base {
class Clock;
class TaskRunner;
}
namespace chromeos {
class NetworkState;
class ManagedNetworkConfigurationHandler;
// Observes the known networks. If a network is configured with a client
// certificate pattern, this class searches for a matching client certificate.
// Each time it finds a match, it configures the network accordingly.
class CHROMEOS_EXPORT ClientCertResolver : public NetworkStateHandlerObserver,
public CertLoader::Observer,
public NetworkPolicyObserver {
public:
struct NetworkAndMatchingCert;
class Observer {
public:
// Called every time resolving of client certificate patterns finishes,
// no resolve requests are pending and no tasks are running.
// |network_properties_changed| will be true if any network properties were
// changed by this resolver since the last notification.
virtual void ResolveRequestCompleted(bool network_properties_changed) = 0;
protected:
virtual ~Observer() {}
private:
DISALLOW_ASSIGN(Observer);
};
ClientCertResolver();
~ClientCertResolver() override;
void Init(NetworkStateHandler* network_state_handler,
ManagedNetworkConfigurationHandler* managed_network_config_handler);
// Sets the task runner that any slow calls will be made from, e.g. calls
// to the NSS database. If not set, uses base::WorkerPool.
void SetSlowTaskRunnerForTest(
const scoped_refptr<base::TaskRunner>& task_runner);
void AddObserver(Observer* observer);
void RemoveObserver(Observer* observer);
// Returns true if any resolve tasks are running. Every time a task finishes
// and no further requests are pending, a notification is sent, see
// |Observer|.
bool IsAnyResolveTaskRunning() const;
// Sets the clock for testing. This clock is used when checking the
// certificates for expiration.
void SetClockForTesting(base::Clock* clock);
// Returns true and sets the Shill properties that have to be configured in
// |shill_properties| if the certificate pattern |pattern| could be resolved.
// Returns false otherwise and sets empty Shill properties to clear the
// certificate configuration.
// Note that it uses the global clock when checking the certificates for
// expiration.
static bool ResolveCertificatePatternSync(
const client_cert::ConfigType client_cert_type,
const CertificatePattern& pattern,
base::DictionaryValue* shill_properties);
private:
// NetworkStateHandlerObserver overrides
void NetworkListChanged() override;
void NetworkConnectionStateChanged(const NetworkState* network) override;
// CertLoader::Observer overrides
void OnCertificatesLoaded(const net::CertificateList& cert_list,
bool initial_load) override;
// NetworkPolicyObserver overrides
void PolicyAppliedToNetwork(const std::string& service_path) override;
// Check which networks of |networks| are configured with a client certificate
// pattern. Search for certificates, on the worker thread, and configure the
// networks for which a matching cert is found (see ConfigureCertificates).
void ResolveNetworks(const NetworkStateHandler::NetworkStateList& networks);
// Resolves certificates for the pending networks. This will always trigger a
// ResolveRequestCompleted notification, even if the queue is empty.
void ResolvePendingNetworks();
// |matches| contains networks for which a matching certificate was found.
// Configures these networks.
void ConfigureCertificates(std::vector<NetworkAndMatchingCert>* matches);
// Trigger a ResolveRequestCompleted event on all observers.
void NotifyResolveRequestCompleted();
// Returns Time::Now() unless a mock clock has been installed with
// SetClockForTesting, in which case the time according to that clock is used
// instead.
base::Time Now() const;
base::ObserverList<Observer, true> observers_;
// The set of networks that were checked/resolved in previous passes. These
// networks are skipped in the NetworkListChanged notification.
std::set<std::string> resolved_networks_;
// The list of network paths that still have to be resolved.
std::set<std::string> queued_networks_to_resolve_;
// True if currently a resolve task is running.
bool resolve_task_running_;
// True if any network properties were changed since the last notification to
// observers.
bool network_properties_changed_;
// Unowned associated (global or test) instance.
NetworkStateHandler* network_state_handler_;
// Unowned associated (global or test) instance.
ManagedNetworkConfigurationHandler* managed_network_config_handler_;
// TaskRunner for slow tasks.
scoped_refptr<base::TaskRunner> slow_task_runner_for_test_;
// Can be set for testing.
base::Clock* testing_clock_;
base::WeakPtrFactory<ClientCertResolver> weak_ptr_factory_;
DISALLOW_COPY_AND_ASSIGN(ClientCertResolver);
};
} // namespace chromeos
#endif // CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
|
