chromium/src
0
Fork 0
Code Activity

Automatically resolve ClientCertificatePatterns.

Browse Source 
This adds a new ClientCertResolver to chromeos/network, which automatically resolves ClientCertificatePatterns and writes the cert id of the matching certificate to Shill.

This should fix several issues like updating client certs and auto-connect immediately after installing EAP networks from policy.
It's required for Ethernet EAP policies where the current pattern matching on each manual connect isn't sufficient.

BUG=234983, 126870

Review URL: https://chromiumcodereview.appspot.com/22327005

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@217257 0039d316-1c4b-4281-b951-d872f2087c98
This commit is contained in:
pneubeck@chromium.org
2013-08-13 15:30:04 +00:00
parent 514a497e58
commit 72b3a7eea9
14 changed files with 977 additions and 42 deletions

43
chromeos/cert_loader.cc

@ -52,7 +52,8 @@ void CallOpenPersistentNSSDB() {
VLOG(1) << "CallOpenPersistentNSSDB";
// Ensure we've opened the user's key/certificate database.
crypto::OpenPersistentNSSDB();
if (base::chromeos::IsRunningOnChromeOS())
crypto::OpenPersistentNSSDB();
crypto::EnableTPMTokenForNSS();
}
@ -64,7 +65,6 @@ static CertLoader* g_cert_loader = NULL;
void CertLoader::Initialize() {
CHECK(!g_cert_loader);
g_cert_loader = new CertLoader();
g_cert_loader->Init();
}
// static
@ -86,7 +86,8 @@ bool CertLoader::IsInitialized() {
}
CertLoader::CertLoader()
: certificates_requested_(false),
: initialize_tpm_for_test_(false),
certificates_requested_(false),
certificates_loaded_(false),
certificates_update_required_(false),
certificates_update_running_(false),
@ -95,14 +96,14 @@ CertLoader::CertLoader()
base::TimeDelta::FromMilliseconds(kInitialRequestDelayMs)),
initialize_token_factory_(this),
update_certificates_factory_(this) {
}
void CertLoader::Init() {
net::CertDatabase::GetInstance()->AddObserver(this);
if (LoginState::IsInitialized())
LoginState::Get()->AddObserver(this);
}
void CertLoader::InitializeTPMForTest() {
initialize_tpm_for_test_ = true;
}
void CertLoader::SetCryptoTaskRunner(
const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner) {
crypto_task_runner_ = crypto_task_runner;
@ -154,7 +155,11 @@ void CertLoader::MaybeRequestCertificates() {
// Ensure we only initialize the TPM token once.
DCHECK_EQ(tpm_token_state_, TPM_STATE_UNKNOWN);
if (!base::chromeos::IsRunningOnChromeOS())
if (!initialize_tpm_for_test_ && !base::chromeos::IsRunningOnChromeOS())
tpm_token_state_ = TPM_DISABLED;
// Treat TPM as disabled for guest users since they do not store certs.
if (LoginState::IsInitialized() && LoginState::Get()->IsGuestUser())
tpm_token_state_ = TPM_DISABLED;
InitializeTokenAndLoadCertificates();
@ -164,10 +169,6 @@ void CertLoader::InitializeTokenAndLoadCertificates() {
CHECK(thread_checker_.CalledOnValidThread());
VLOG(1) << "InitializeTokenAndLoadCertificates: " << tpm_token_state_;
// Treat TPM as disabled for guest users since they do not store certs.
if (LoginState::IsInitialized() && LoginState::Get()->IsGuestUser())
tpm_token_state_ = TPM_DISABLED;
switch (tpm_token_state_) {
case TPM_STATE_UNKNOWN: {
crypto_task_runner_->PostTaskAndReply(
@ -211,8 +212,6 @@ void CertLoader::InitializeTokenAndLoadCertificates() {
base::Bind(&CertLoader::OnTPMTokenInitialized,
initialize_token_factory_.GetWeakPtr()));
return;
tpm_token_state_ = TPM_TOKEN_INITIALIZED;
// FALL_THROUGH_INTENDED
}
case TPM_TOKEN_INITIALIZED: {
StartLoadCertificates();
@ -223,7 +222,7 @@ void CertLoader::InitializeTokenAndLoadCertificates() {
void CertLoader::RetryTokenInitializationLater() {
CHECK(thread_checker_.CalledOnValidThread());
LOG(WARNING) << "Re-Requesting Certificates later.";
LOG(WARNING) << "Retry token initialization later.";
base::MessageLoop::current()->PostDelayedTask(
FROM_HERE,
base::Bind(&CertLoader::InitializeTokenAndLoadCertificates,
@ -324,8 +323,14 @@ void CertLoader::OnTPMTokenInitialized(bool success) {
}
void CertLoader::StartLoadCertificates() {
DCHECK(!certificates_loaded_ && !certificates_update_running_);
net::CertDatabase::GetInstance()->AddObserver(this);
LoadCertificates();
}
void CertLoader::LoadCertificates() {
CHECK(thread_checker_.CalledOnValidThread());
VLOG(1) << "StartLoadCertificates: " << certificates_update_running_;
VLOG(1) << "LoadCertificates: " << certificates_update_running_;
if (certificates_update_running_) {
certificates_update_required_ = true;
@ -361,7 +366,7 @@ void CertLoader::UpdateCertificates(net::CertificateList* cert_list) {
certificates_update_running_ = false;
if (certificates_update_required_)
StartLoadCertificates();
LoadCertificates();
}
void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
@ -374,12 +379,12 @@ void CertLoader::OnCertTrustChanged(const net::X509Certificate* cert) {
void CertLoader::OnCertAdded(const net::X509Certificate* cert) {
VLOG(1) << "OnCertAdded";
StartLoadCertificates();
LoadCertificates();
}
void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
VLOG(1) << "OnCertRemoved";
StartLoadCertificates();
LoadCertificates();
}
void CertLoader::LoggedInStateChanged(LoginState::LoggedInState state) {

20
chromeos/cert_loader.h

@ -69,10 +69,15 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
static std::string GetPkcs11IdForCert(const net::X509Certificate& cert);
// By default, CertLoader tries to load the TPMToken only if running in a
// ChromeOS environment. Tests can call this function after Initialize() and
// before SetCryptoTaskRunner() to enable the TPM initialization.
void InitializeTPMForTest();
// |crypto_task_runner| is the task runner that any synchronous crypto calls
// should be made from, e.g. in Chrome this is the IO thread. Must be called
// after the thread is started. Certificate loading will not happen unless
// this is set.
// after the thread is started. Starts TPM initialization and Certificate
// loading.
void SetCryptoTaskRunner(
const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner);
@ -105,7 +110,6 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
CertLoader();
virtual ~CertLoader();
void Init();
void MaybeRequestCertificates();
// This is the cyclic chain of callbacks to initialize the TPM token and to
@ -124,7 +128,15 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
// These calls handle the updating of the certificate list after the TPM token
// was initialized.
// Start certificate loading. Must be called at most once.
void StartLoadCertificates();
// Trigger a certificate load. If a certificate loading task is already in
// progress, will start a reload once the current task finised.
void LoadCertificates();
// Called if a certificate load task is finished.
void UpdateCertificates(net::CertificateList* cert_list);
void NotifyCertificatesLoaded(bool initial_load);
@ -137,6 +149,8 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
// LoginState::Observer
virtual void LoggedInStateChanged(LoginState::LoggedInState state) OVERRIDE;
bool initialize_tpm_for_test_;
ObserverList<Observer> observers_;
bool certificates_requested_;

3
chromeos/chromeos.gyp

@ -217,6 +217,8 @@
'login/login_state.h',
'network/certificate_pattern.cc',
'network/certificate_pattern.h',
'network/client_cert_resolver.cc',
'network/client_cert_resolver.h',
'network/client_cert_util.cc',
'network/client_cert_util.h',
'network/cros_network_functions.cc',
@ -497,6 +499,7 @@
'ime/input_method_whitelist_unittest.cc',
'ime/xkeyboard_unittest.cc',
'login/login_state_unittest.cc',
'network/client_cert_resolver_unittest.cc',
'network/cros_network_functions_unittest.cc',
'network/geolocation_handler_unittest.cc',
'network/managed_network_configuration_handler_unittest.cc',

450
chromeos/network/client_cert_resolver.cc Normal file

@ -0,0 +1,450 @@
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chromeos/network/client_cert_resolver.h"
#include <cert.h>
#include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA
#include <pk11pub.h>
#include <algorithm>
#include <string>
#include "base/stl_util.h"
#include "base/task_runner.h"
#include "base/threading/worker_pool.h"
#include "base/time/time.h"
#include "chromeos/cert_loader.h"
#include "chromeos/dbus/dbus_thread_manager.h"
#include "chromeos/dbus/shill_service_client.h"
#include "chromeos/network/certificate_pattern.h"
#include "chromeos/network/client_cert_util.h"
#include "chromeos/network/managed_network_configuration_handler.h"
#include "chromeos/network/network_state.h"
#include "chromeos/network/network_state_handler.h"
#include "chromeos/network/network_ui_data.h"
#include "chromeos/network/onc/onc_constants.h"
#include "dbus/object_path.h"
#include "net/cert/x509_certificate.h"
namespace chromeos {
// Describes a network |network_path| for which a matching certificate |cert_id|
// was found.
struct ClientCertResolver::NetworkAndMatchingCert {
NetworkAndMatchingCert(const std::string& network_path,
client_cert::ConfigType config_type,
const std::string& cert_id)
: service_path(network_path),
cert_config_type(config_type),
pkcs11_id(cert_id) {}
std::string service_path;
client_cert::ConfigType cert_config_type;
// The id of the matching certificate.
std::string pkcs11_id;
};
typedef std::vector<ClientCertResolver::NetworkAndMatchingCert>
NetworkCertMatches;
namespace {
// Returns true if |vector| contains |value|.
template <class T>
bool ContainsValue(const std::vector<T>& vector, const T& value) {
return find(vector.begin(), vector.end(), value) != vector.end();
}
// Returns true if a private key for certificate |cert| is installed.
bool HasPrivateKey(const net::X509Certificate& cert) {
PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
if (!slot)
return false;
PK11_FreeSlot(slot);
return true;
}
// Describes a certificate which is issued by |issuer| (encoded as PEM).
struct CertAndIssuer {
CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
const std::string& issuer)
: cert(certificate),
pem_encoded_issuer(issuer) {}
scoped_refptr<net::X509Certificate> cert;
std::string pem_encoded_issuer;
};
bool CompareCertExpiration(const CertAndIssuer& a,
const CertAndIssuer& b) {
return (a.cert->valid_expiry() < b.cert->valid_expiry());
}
// Describes a network that is configured with the certificate pattern
// |client_cert_pattern|.
struct NetworkAndCertPattern {
NetworkAndCertPattern(const std::string& network_path,
client_cert::ConfigType config_type,
const CertificatePattern& pattern)
: service_path(network_path),
cert_config_type(config_type),
client_cert_pattern(pattern) {}
std::string service_path;
client_cert::ConfigType cert_config_type;
CertificatePattern client_cert_pattern;
};
// A unary predicate that returns true if the given CertAndIssuer matches the
// certificate pattern of the NetworkAndCertPattern.
struct MatchCertWithPattern {
MatchCertWithPattern(const NetworkAndCertPattern& pattern)
: net_and_pattern(pattern) {}
bool operator()(const CertAndIssuer& cert_and_issuer) {
const CertificatePattern& pattern = net_and_pattern.client_cert_pattern;
if (!pattern.issuer().Empty() &&
!client_cert::CertPrincipalMatches(pattern.issuer(),
cert_and_issuer.cert->issuer())) {
return false;
}
if (!pattern.subject().Empty() &&
!client_cert::CertPrincipalMatches(pattern.subject(),
cert_and_issuer.cert->subject())) {
return false;
}
const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems();
if (!issuer_ca_pems.empty() &&
!ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) {
return false;
}
return true;
}
NetworkAndCertPattern net_and_pattern;
};
// Searches for matches between |networks| and |certs| and writes matches to
// |matches|. Because this calls NSS functions and is potentially slow, it must
// be run on a worker thread.
void FindCertificateMatches(const net::CertificateList& certs,
std::vector<NetworkAndCertPattern>* networks,
NetworkCertMatches* matches) {
// Filter all client certs and determines each certificate's issuer, which is
// required for the pattern matching.
std::vector<CertAndIssuer> client_certs;
for (net::CertificateList::const_iterator it = certs.begin();
it != certs.end(); ++it) {
const net::X509Certificate& cert = **it;
if (cert.valid_expiry().is_null() || cert.HasExpired() ||
!HasPrivateKey(cert)) {
continue;
}
scoped_refptr<net::X509Certificate> issuer =
net::X509Certificate::CreateFromHandle(
CERT_FindCertIssuer(
cert.os_cert_handle(), PR_Now(), certUsageAnyCA),
net::X509Certificate::OSCertHandles());
if (!issuer) {
LOG(ERROR) << "Couldn't find cert issuer.";
continue;
}
std::string pem_encoded_issuer;
if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
&pem_encoded_issuer)) {
LOG(ERROR) << "Couldn't PEM-encode certificate.";
continue;
}
client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
}
std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
for (std::vector<NetworkAndCertPattern>::const_iterator it =
networks->begin();
it != networks->end(); ++it) {
std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
client_certs.begin(), client_certs.end(), MatchCertWithPattern(*it));
if (cert_it == client_certs.end()) {
LOG(WARNING) << "Couldn't find a matching client cert for network "
<< it->service_path;
continue;
}
std::string pkcs11_id = CertLoader::GetPkcs11IdForCert(*cert_it->cert);
if (pkcs11_id.empty()) {
LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
continue;
}
matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
it->service_path, it->cert_config_type, pkcs11_id));
}
}
// Determines the type of the CertificatePattern configuration, i.e. is it a
// pattern within an EAP, IPsec or OpenVPN configuration.
client_cert::ConfigType OncToClientCertConfigurationType(
const base::DictionaryValue& network_config) {
using namespace ::chromeos::onc;
const base::DictionaryValue* wifi = NULL;
network_config.GetDictionaryWithoutPathExpansion(network_config::kWiFi,
&wifi);
if (wifi) {
const base::DictionaryValue* eap = NULL;
wifi->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap);
if (!eap)
return client_cert::CONFIG_TYPE_NONE;
return client_cert::CONFIG_TYPE_EAP;
}
const base::DictionaryValue* vpn = NULL;
network_config.GetDictionaryWithoutPathExpansion(network_config::kVPN, &vpn);
if (vpn) {
const base::DictionaryValue* openvpn = NULL;
vpn->GetDictionaryWithoutPathExpansion(vpn::kOpenVPN, &openvpn);
if (openvpn)
return client_cert::CONFIG_TYPE_OPENVPN;
const base::DictionaryValue* ipsec = NULL;
vpn->GetDictionaryWithoutPathExpansion(vpn::kIPsec, &ipsec);
if (ipsec)
return client_cert::CONFIG_TYPE_IPSEC;
return client_cert::CONFIG_TYPE_NONE;
}
const base::DictionaryValue* ethernet = NULL;
network_config.GetDictionaryWithoutPathExpansion(network_config::kEthernet,
&ethernet);
if (ethernet) {
const base::DictionaryValue* eap = NULL;
ethernet->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap);
if (eap)
return client_cert::CONFIG_TYPE_EAP;
return client_cert::CONFIG_TYPE_NONE;
}
return client_cert::CONFIG_TYPE_NONE;
}
void LogError(const std::string& service_path,
const std::string& dbus_error_name,
const std::string& dbus_error_message) {
network_handler::ShillErrorCallbackFunction(
"ClientCertResolver.SetProperties failed",
service_path,
network_handler::ErrorCallback(),
dbus_error_name,
dbus_error_message);
}
bool ClientCertificatesLoaded() {
if(!CertLoader::Get()->certificates_loaded()) {
VLOG(1) << "Certificates not loaded yet.";
return false;
}
if (!CertLoader::Get()->IsHardwareBacked()) {
VLOG(1) << "TPM is not available.";
return false;
}
return true;
}
} // namespace
ClientCertResolver::ClientCertResolver()
: network_state_handler_(NULL),
managed_network_config_handler_(NULL),
weak_ptr_factory_(this) {
}
ClientCertResolver::~ClientCertResolver() {
if (network_state_handler_)
network_state_handler_->RemoveObserver(this, FROM_HERE);
if (CertLoader::IsInitialized())
CertLoader::Get()->RemoveObserver(this);
if (managed_network_config_handler_)
managed_network_config_handler_->RemoveObserver(this);
}
void ClientCertResolver::Init(
NetworkStateHandler* network_state_handler,
ManagedNetworkConfigurationHandler* managed_network_config_handler) {
DCHECK(network_state_handler);
network_state_handler_ = network_state_handler;
network_state_handler_->AddObserver(this, FROM_HERE);
DCHECK(managed_network_config_handler);
managed_network_config_handler_ = managed_network_config_handler;
managed_network_config_handler_->AddObserver(this);
CertLoader::Get()->AddObserver(this);
}
void ClientCertResolver::SetSlowTaskRunnerForTest(
const scoped_refptr<base::TaskRunner>& task_runner) {
slow_task_runner_for_test_ = task_runner;
}
void ClientCertResolver::NetworkListChanged() {
VLOG(2) << "NetworkListChanged.";
if (!ClientCertificatesLoaded())
return;
// Configure only networks that were not configured before.
// We'll drop networks from |resolved_networks_|, which are not known anymore.
std::set<std::string> old_resolved_networks;
old_resolved_networks.swap(resolved_networks_);
NetworkStateList networks;
network_state_handler_->GetNetworkList(&networks);
NetworkStateList networks_to_check;
for (NetworkStateList::const_iterator it = networks.begin();
it != networks.end(); ++it) {
// If this network is not managed, it cannot have a ClientCertPattern.
// We do this check here additionally to ResolveNetworks because it's cheap
// and prevents |resolved_networks_| from becoming too large.
if ((*it)->guid().empty())
continue;
const std::string& service_path = (*it)->path();
if (ContainsKey(old_resolved_networks, service_path)) {
resolved_networks_.insert(service_path);
continue;
}
networks_to_check.push_back(*it);
}
ResolveNetworks(networks_to_check);
}
void ClientCertResolver::OnCertificatesLoaded(
const net::CertificateList& cert_list,
bool initial_load) {
VLOG(2) << "OnCertificatesLoaded.";
if (!ClientCertificatesLoaded())
return;
// Compare all networks with all certificates.
NetworkStateList networks;
network_state_handler_->GetNetworkList(&networks);
ResolveNetworks(networks);
}
void ClientCertResolver::PolicyApplied(const std::string& service_path) {
VLOG(2) << "PolicyApplied " << service_path;
if (!ClientCertificatesLoaded())
return;
// Compare this network with all certificates.
const NetworkState* network =
network_state_handler_->GetNetworkState(service_path);
if (!network) {
LOG(ERROR) << "service path '" << service_path << "' unknown.";
return;
}
NetworkStateList networks;
networks.push_back(network);
ResolveNetworks(networks);
}
void ClientCertResolver::ResolveNetworks(
const NetworkStateList& networks) {
scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern(
new std::vector<NetworkAndCertPattern>);
// Filter networks with ClientCertPattern. As ClientCertPatterns can only be
// set by policy, we check there.
for (NetworkStateList::const_iterator it = networks.begin();
it != networks.end(); ++it) {
const NetworkState* network = *it;
// In any case, don't check this network again in NetworkListChanged.
resolved_networks_.insert(network->path());
// If this network is not managed, it cannot have a ClientCertPattern.
if (network->guid().empty())
continue;
if (network->profile_path().empty()) {
LOG(ERROR) << "Network " << network->path()
<< " has a GUID but not profile path";
continue;
}
const base::DictionaryValue* policy =
managed_network_config_handler_->FindPolicyByGuidAndProfile(
network->guid(), network->profile_path());
if (!policy) {
VLOG(1) << "The policy for network " << network->path() << " with GUID "
<< network->guid() << " is not available yet.";
// Skip this network for now. Once the policy is loaded, PolicyApplied()
// will retry.
continue;
}
VLOG(2) << "Inspecting network " << network->path();
// TODO(pneubeck): Access the ClientCertPattern without relying on
// NetworkUIData, which also parses other things that we don't need here.
// The ONCSource is irrelevant here.
scoped_ptr<NetworkUIData> ui_data(
NetworkUIData::CreateFromONC(onc::ONC_SOURCE_NONE, *policy));
// Skip networks that don't have a ClientCertPattern.
if (ui_data->certificate_type() != CLIENT_CERT_TYPE_PATTERN)
continue;
client_cert::ConfigType config_type =
OncToClientCertConfigurationType(*policy);
if (config_type == client_cert::CONFIG_TYPE_NONE) {
LOG(ERROR) << "UIData contains a CertificatePattern, but the policy "
<< "doesn't. Network: " << network->path();
continue;
}
networks_with_pattern->push_back(NetworkAndCertPattern(
network->path(), config_type, ui_data->certificate_pattern()));
}
if (networks_with_pattern->empty())
return;
VLOG(2) << "Start task for resolving client cert patterns.";
base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
if (!task_runner)
task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */);
NetworkCertMatches* matches = new NetworkCertMatches;
task_runner->PostTaskAndReply(
FROM_HERE,
base::Bind(&FindCertificateMatches,
CertLoader::Get()->cert_list(),
base::Owned(networks_with_pattern.release()),
matches),
base::Bind(&ClientCertResolver::ConfigureCertificates,
weak_ptr_factory_.GetWeakPtr(),
base::Owned(matches)));
}
void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
for (NetworkCertMatches::const_iterator it = matches->begin();
it != matches->end(); ++it) {
VLOG(1) << "Configuring certificate of network " << it->service_path;
CertLoader* cert_loader = CertLoader::Get();
base::DictionaryValue shill_properties;
client_cert::SetShillProperties(it->cert_config_type,
cert_loader->tpm_token_slot(),
cert_loader->tpm_user_pin(),
&it->pkcs11_id,
&shill_properties);
DBusThreadManager::Get()->GetShillServiceClient()->
SetProperties(dbus::ObjectPath(it->service_path),
shill_properties,
base::Bind(&base::DoNothing),
base::Bind(&LogError, it->service_path));
network_state_handler_->RequestUpdateForNetwork(it->service_path);
}
}
} // namespace chromeos

92
chromeos/network/client_cert_resolver.h Normal file

@ -0,0 +1,92 @@
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
#define CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
#include <string>
#include <vector>
#include "base/basictypes.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "chromeos/cert_loader.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/network_policy_observer.h"
#include "chromeos/network/network_state_handler_observer.h"
namespace base {
class TaskRunner;
}
namespace chromeos {
class NetworkState;
class NetworkStateHandler;
class ManagedNetworkConfigurationHandler;
// Observes the known networks. If a network is configured with a client
// certificate pattern, this class searches for a matching client certificate.
// Each time it finds a match, it configures the network accordingly.
class CHROMEOS_EXPORT ClientCertResolver : public NetworkStateHandlerObserver,
public CertLoader::Observer,
public NetworkPolicyObserver {
public:
struct NetworkAndMatchingCert;
ClientCertResolver();
virtual ~ClientCertResolver();
void Init(NetworkStateHandler* network_state_handler,
ManagedNetworkConfigurationHandler* managed_network_config_handler);
// Sets the task runner that any slow calls will be made from, e.g. calls
// to the NSS database. If not set, uses base::WorkerPool.
void SetSlowTaskRunnerForTest(
const scoped_refptr<base::TaskRunner>& task_runner);
private:
typedef std::vector<const NetworkState*> NetworkStateList;
// NetworkStateHandlerObserver overrides
virtual void NetworkListChanged() OVERRIDE;
// CertLoader::Observer overrides
virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
bool initial_load) OVERRIDE;
// NetworkPolicyObserver overrides
virtual void PolicyApplied(const std::string& service_path) OVERRIDE;
// Check which networks of |networks| are configured with a client certificate
// pattern. Search for certificates, on the worker thread, and configure the
// networks for which a matching cert is found (see ConfigureCertificates).
void ResolveNetworks(const NetworkStateList& networks);
// |matches| contains networks for which a matching certificate was found.
// Configures these networks.
void ConfigureCertificates(std::vector<NetworkAndMatchingCert>* matches);
// The set of networks that were checked/resolved in previous passes. These
// networks are skipped in the NetworkListChanged notification.
std::set<std::string> resolved_networks_;
// Unowned associated (global or test) instance.
NetworkStateHandler* network_state_handler_;
// Unowned associated (global or test) instance.
ManagedNetworkConfigurationHandler* managed_network_config_handler_;
// TaskRunner for slow tasks.
scoped_refptr<base::TaskRunner> slow_task_runner_for_test_;
base::WeakPtrFactory<ClientCertResolver> weak_ptr_factory_;
DISALLOW_COPY_AND_ASSIGN(ClientCertResolver);
};
} // namespace chromeos
#endif // CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_

281
chromeos/network/client_cert_resolver_unittest.cc Normal file

@ -0,0 +1,281 @@
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chromeos/network/client_cert_resolver.h"
#include <cert.h>
#include <pk11pub.h>
#include "base/file_util.h"
#include "base/files/file_path.h"
#include "base/json/json_reader.h"
#include "base/run_loop.h"
#include "base/strings/stringprintf.h"
#include "chromeos/dbus/dbus_thread_manager.h"
#include "chromeos/dbus/shill_profile_client.h"
#include "chromeos/dbus/shill_service_client.h"
#include "chromeos/login/login_state.h"
#include "chromeos/network/managed_network_configuration_handler.h"
#include "chromeos/network/network_configuration_handler.h"
#include "chromeos/network/network_profile_handler.h"
#include "chromeos/network/network_state_handler.h"
#include "crypto/nss_util.h"
#include "net/base/crypto_module.h"
#include "net/base/net_errors.h"
#include "net/base/test_data_directory.h"
#include "net/cert/nss_cert_database.h"
#include "net/cert/x509_certificate.h"
#include "net/test/cert_test_util.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "third_party/cros_system_api/dbus/service_constants.h"
namespace chromeos {
namespace {
const char* kWifiStub = "wifi_stub";
const char* kWifiSSID = "wifi_ssid";
const char* kUserProfilePath = "user_profile";
const char* kUserHash = "user_hash";
} // namespace
class ClientCertResolverTest : public testing::Test {
public:
ClientCertResolverTest() {}
virtual ~ClientCertResolverTest() {}
virtual void SetUp() OVERRIDE {
ASSERT_TRUE(test_nssdb_.is_open());
slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule();
ASSERT_TRUE(slot_->os_module_handle());
LoginState::Initialize();
DBusThreadManager::InitializeWithStub();
service_test_ =
DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
profile_test_ =
DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface();
message_loop_.RunUntilIdle();
service_test_->ClearServices();
message_loop_.RunUntilIdle();
CertLoader::Initialize();
CertLoader* cert_loader = CertLoader::Get();
cert_loader->InitializeTPMForTest();
cert_loader->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
cert_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy());
}
virtual void TearDown() OVERRIDE {
client_cert_resolver_.reset();
managed_config_handler_.reset();
network_config_handler_.reset();
network_profile_handler_.reset();
network_state_handler_.reset();
CertLoader::Shutdown();
DBusThreadManager::Shutdown();
LoginState::Shutdown();
CleanupSlotContents();
}
protected:
// Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client
// certificate signed by that CA. Its PKCS#11 ID is stored in
// |test_pkcs11_id_|.
void SetupTestCerts() {
// Import a CA cert.
net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance();
net::CertificateList ca_cert_list =
net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
"websocket_cacert.pem",
net::X509Certificate::FORMAT_AUTO);
ASSERT_TRUE(!ca_cert_list.empty());
net::NSSCertDatabase::ImportCertFailureList failures;
EXPECT_TRUE(cert_db->ImportCACerts(
ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));
ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);
net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(),
&test_ca_cert_pem_);
ASSERT_TRUE(!test_ca_cert_pem_.empty());
// Import a client cert signed by that CA.
scoped_refptr<net::CryptoModule> crypt_module = cert_db->GetPrivateModule();
std::string pkcs12_data;
ASSERT_TRUE(file_util::ReadFileToString(
net::GetTestCertsDirectory().Append("websocket_client_cert.p12"),
&pkcs12_data));
net::CertificateList client_cert_list;
ASSERT_EQ(net::OK,
cert_db->ImportFromPKCS12(crypt_module.get(),
pkcs12_data,
string16(),
false,
&client_cert_list));
ASSERT_TRUE(!client_cert_list.empty());
test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]);
ASSERT_TRUE(!test_pkcs11_id_.empty());
}
void SetupNetworkHandlers() {
network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
network_profile_handler_.reset(new NetworkProfileHandler());
network_config_handler_.reset(new NetworkConfigurationHandler());
managed_config_handler_.reset(new ManagedNetworkConfigurationHandler());
client_cert_resolver_.reset(new ClientCertResolver());
network_profile_handler_->Init(network_state_handler_.get());
network_config_handler_->Init(network_state_handler_.get());
managed_config_handler_->Init(network_state_handler_.get(),
network_profile_handler_.get(),
network_config_handler_.get());
client_cert_resolver_->Init(network_state_handler_.get(),
managed_config_handler_.get());
client_cert_resolver_->SetSlowTaskRunnerForTest(
message_loop_.message_loop_proxy());
profile_test_->AddProfile(kUserProfilePath, kUserHash);
}
void SetupWifi() {
const bool add_to_visible = true;
const bool add_to_watchlist = true;
service_test_->AddService(kWifiStub,
kWifiSSID,
flimflam::kTypeWifi,
flimflam::kStateOnline,
add_to_visible,
add_to_watchlist);
service_test_->SetServiceProperty(
kWifiStub, flimflam::kGuidProperty, base::StringValue(kWifiStub));
profile_test_->AddService(kUserProfilePath, kWifiStub);
}
// Setup a policy with a certificate pattern that matches any client cert that
// is signed by the test CA cert (stored in |test_ca_cert_pem_|). In
// particular it will match the test client cert.
void SetupPolicy() {
const char* kTestPolicyTemplate =
"[ { \"GUID\": \"wifi_stub\","
" \"Name\": \"wifi_stub\","
" \"Type\": \"WiFi\","
" \"WiFi\": {"
" \"Security\": \"WPA-EAP\","
" \"SSID\": \"wifi_ssid\","
" \"EAP\": {"
" \"Outer\": \"EAP-TLS\","
" \"ClientCertType\": \"Pattern\","
" \"ClientCertPattern\": {"
" \"IssuerCAPEMs\": [ \"%s\" ]"
" }"
" }"
" }"
"} ]";
std::string policy_json =
base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str());
std::string error;
scoped_ptr<base::Value> policy_value(base::JSONReader::ReadAndReturnError(
policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error));
ASSERT_TRUE(policy_value) << error;
base::ListValue* policy = NULL;
ASSERT_TRUE(policy_value->GetAsList(&policy));
managed_config_handler_->SetPolicy(
onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy);
}
void GetClientCertProperties(std::string* pkcs11_id) {
pkcs11_id->clear();
const base::DictionaryValue* properties =
service_test_->GetServiceProperties(kWifiStub);
if (!properties)
return;
properties->GetStringWithoutPathExpansion(flimflam::kEapCertIdProperty,
pkcs11_id);
}
ShillServiceClient::TestInterface* service_test_;
ShillProfileClient::TestInterface* profile_test_;
std::string test_pkcs11_id_;
scoped_refptr<net::X509Certificate> test_ca_cert_;
std::string test_ca_cert_pem_;
base::MessageLoop message_loop_;
private:
void CleanupSlotContents() {
CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle());
for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
!CERT_LIST_END(node, cert_list);
node = CERT_LIST_NEXT(node)) {
scoped_refptr<net::X509Certificate> cert(
net::X509Certificate::CreateFromHandle(
node->cert, net::X509Certificate::OSCertHandles()));
net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(cert.get());
}
CERT_DestroyCertList(cert_list);
}
scoped_ptr<NetworkStateHandler> network_state_handler_;
scoped_ptr<NetworkProfileHandler> network_profile_handler_;
scoped_ptr<NetworkConfigurationHandler> network_config_handler_;
scoped_ptr<ManagedNetworkConfigurationHandler> managed_config_handler_;
scoped_ptr<ClientCertResolver> client_cert_resolver_;
scoped_refptr<net::CryptoModule> slot_;
crypto::ScopedTestNSSDB test_nssdb_;
DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);
};
TEST_F(ClientCertResolverTest, NoMatchingCertificates) {
SetupNetworkHandlers();
SetupPolicy();
message_loop_.RunUntilIdle();
SetupWifi();
message_loop_.RunUntilIdle();
// Verify that no client certificate was configured.
std::string pkcs11_id;
GetClientCertProperties(&pkcs11_id);
EXPECT_TRUE(pkcs11_id.empty());
}
TEST_F(ClientCertResolverTest, ResolveOnInitialization) {
SetupTestCerts();
SetupNetworkHandlers();
SetupPolicy();
message_loop_.RunUntilIdle();
SetupWifi();
message_loop_.RunUntilIdle();
// Verify that the resolver positively matched the pattern in the policy with
// the test client cert and configured the network.
std::string pkcs11_id;
GetClientCertProperties(&pkcs11_id);
EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
}
TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) {
SetupTestCerts();
SetupNetworkHandlers();
message_loop_.RunUntilIdle();
// The policy will trigger the creation of a new wifi service.
SetupPolicy();
message_loop_.RunUntilIdle();
// Verify that the resolver positively matched the pattern in the policy with
// the test client cert and configured the network.
std::string pkcs11_id;
GetClientCertProperties(&pkcs11_id);
EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
}
} // namespace chromeos

62
chromeos/network/managed_network_configuration_handler.cc

@ -25,6 +25,7 @@
#include "chromeos/network/network_configuration_handler.h"
#include "chromeos/network/network_event_log.h"
#include "chromeos/network/network_handler_callbacks.h"
#include "chromeos/network/network_policy_observer.h"
#include "chromeos/network/network_profile.h"
#include "chromeos/network/network_profile_handler.h"
#include "chromeos/network/network_state.h"
@ -98,10 +99,6 @@ void SetUIData(const NetworkUIData& ui_data,
ui_data_blob);
}
// A dummy callback to ignore the result of Shill calls.
void IgnoreString(const std::string& str) {
}
void LogErrorWithDict(const tracked_objects::Location& from_where,
const std::string& error_name,
scoped_ptr<base::DictionaryValue> error_data) {
@ -374,6 +371,16 @@ scoped_ptr<NetworkUIData> ManagedNetworkConfigurationHandler::GetUIData(
return scoped_ptr<NetworkUIData>();
}
void ManagedNetworkConfigurationHandler::AddObserver(
NetworkPolicyObserver* observer) {
observers_.AddObserver(observer);
}
void ManagedNetworkConfigurationHandler::RemoveObserver(
NetworkPolicyObserver* observer) {
observers_.RemoveObserver(observer);
}
void ManagedNetworkConfigurationHandler::GetManagedProperties(
const std::string& userhash,
const std::string& service_path,
@ -734,6 +741,27 @@ ManagedNetworkConfigurationHandler::FindPolicyByGUID(
return NULL;
}
const base::DictionaryValue*
ManagedNetworkConfigurationHandler::FindPolicyByGuidAndProfile(
const std::string& guid,
const std::string& profile_path) const {
const NetworkProfile* profile =
network_profile_handler_->GetProfileForPath(profile_path);
if (!profile) {
LOG(ERROR) << "Profile path unknown: " << profile_path;
return NULL;
}
const GuidToPolicyMap* policies = GetPoliciesForProfile(*profile);
if (!policies)
return NULL;
GuidToPolicyMap::const_iterator it = policies->find(guid);
if (it == policies->end())
return NULL;
return it->second;
}
void ManagedNetworkConfigurationHandler::OnProfileRemoved(
const NetworkProfile& profile) {
// Nothing to do in this case.
@ -781,6 +809,14 @@ void ManagedNetworkConfigurationHandler::Init(
network_profile_handler_->AddObserver(this);
}
void ManagedNetworkConfigurationHandler::OnPolicyApplied(
const std::string& service_path) {
if (service_path.empty())
return;
FOR_EACH_OBSERVER(
NetworkPolicyObserver, observers_, PolicyApplied(service_path));
}
ManagedNetworkConfigurationHandler::PolicyApplicator::PolicyApplicator(
base::WeakPtr<ManagedNetworkConfigurationHandler> handler,
const NetworkProfile& profile,
@ -921,10 +957,11 @@ void ManagedNetworkConfigurationHandler::PolicyApplicator::GetEntryCallback(
scoped_ptr<base::DictionaryValue> shill_dictionary =
CreateShillConfiguration(
profile_, new_guid, new_policy, user_settings);
handler_->network_configuration_handler()
->CreateConfiguration(*shill_dictionary,
base::Bind(&IgnoreString),
base::Bind(&LogErrorWithDict, FROM_HERE));
handler_->network_configuration_handler()->CreateConfiguration(
*shill_dictionary,
base::Bind(&ManagedNetworkConfigurationHandler::OnPolicyApplied,
handler_),
base::Bind(&LogErrorWithDict, FROM_HERE));
remaining_policies_.erase(new_guid);
}
} else if (was_managed) {
@ -987,10 +1024,11 @@ ManagedNetworkConfigurationHandler::PolicyApplicator::~PolicyApplicator() {
scoped_ptr<base::DictionaryValue> shill_dictionary =
CreateShillConfiguration(
profile_, *it, policy, NULL /* no user settings */);
handler_->network_configuration_handler()
->CreateConfiguration(*shill_dictionary,
base::Bind(&IgnoreString),
base::Bind(&LogErrorWithDict, FROM_HERE));
handler_->network_configuration_handler()->CreateConfiguration(
*shill_dictionary,
base::Bind(&ManagedNetworkConfigurationHandler::OnPolicyApplied,
handler_),
base::Bind(&LogErrorWithDict, FROM_HERE));
}
}

19
chromeos/network/managed_network_configuration_handler.h

@ -12,6 +12,7 @@
#include "base/callback.h"
#include "base/gtest_prod_util.h"
#include "base/memory/weak_ptr.h"
#include "base/observer_list.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/network_handler.h"
#include "chromeos/network/network_handler_callbacks.h"
@ -26,6 +27,7 @@ class ListValue;
namespace chromeos {
class NetworkConfigurationHandler;
class NetworkPolicyObserver;
class NetworkProfileHandler;
class NetworkStateHandler;
class NetworkUIData;
@ -69,6 +71,9 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
static scoped_ptr<NetworkUIData> GetUIData(
const base::DictionaryValue& shill_dictionary);
void AddObserver(NetworkPolicyObserver* observer);
void RemoveObserver(NetworkPolicyObserver* observer);
// Provides the properties of the network with |service_path| to |callback|.
void GetProperties(
const std::string& service_path,
@ -132,7 +137,13 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
const std::string& guid,
onc::ONCSource* onc_source) const;
// NetworkProfileObserver overrides
// Returns the policy with |guid| for profile |profile_path|. If such
// doesn't exist, returns NULL.
const base::DictionaryValue* FindPolicyByGuidAndProfile(
const std::string& guid,
const std::string& profile_path) const;
// NetworkProfileObserver overrides
virtual void OnProfileAdded(const NetworkProfile& profile) OVERRIDE;
virtual void OnProfileRemoved(const NetworkProfile& profile) OVERRIDE;
@ -141,6 +152,7 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
}
private:
friend class ClientCertResolverTest;
friend class NetworkHandler;
friend class ManagedNetworkConfigurationHandlerTest;
class PolicyApplicator;
@ -151,7 +163,6 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
NetworkProfileHandler* network_profile_handler,
NetworkConfigurationHandler* network_configuration_handler);
void GetManagedPropertiesCallback(
const network_handler::DictionaryResultCallback& callback,
const network_handler::ErrorCallback& error_callback,
@ -162,6 +173,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
const GuidToPolicyMap* GetPoliciesForProfile(
const NetworkProfile& profile) const;
void OnPolicyApplied(const std::string& service_path);
// The DictionaryValues of the nested maps are owned by this class and are
// explicitly deleted where necessary. If present, the empty string maps to
// the device policy.
@ -172,6 +185,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
NetworkProfileHandler* network_profile_handler_;
NetworkConfigurationHandler* network_configuration_handler_;
ObserverList<NetworkPolicyObserver> observers_;
// For Shill client callbacks
base::WeakPtrFactory<ManagedNetworkConfigurationHandler> weak_ptr_factory_;

1
chromeos/network/managed_network_configuration_handler_unittest.cc

@ -13,7 +13,6 @@
#include "chromeos/dbus/mock_shill_manager_client.h"
#include "chromeos/dbus/mock_shill_profile_client.h"
#include "chromeos/dbus/mock_shill_service_client.h"
#include "chromeos/dbus/shill_profile_client_stub.h"
#include "chromeos/network/network_configuration_handler.h"
#include "chromeos/network/network_profile_handler.h"
#include "chromeos/network/onc/onc_test_utils.h"

1
chromeos/network/network_configuration_handler.h

@ -111,6 +111,7 @@ class CHROMEOS_EXPORT NetworkConfigurationHandler
NetworkStateHandler* network_state_handler);
protected:
friend class ClientCertResolverTest;
friend class NetworkHandler;
friend class NetworkConfigurationHandlerTest;
friend class NetworkConfigurationHandlerStubTest;

15
chromeos/network/network_handler.cc

@ -6,6 +6,7 @@
#include "base/threading/worker_pool.h"
#include "chromeos/dbus/dbus_thread_manager.h"
#include "chromeos/network/client_cert_resolver.h"
#include "chromeos/network/geolocation_handler.h"
#include "chromeos/network/managed_network_configuration_handler.h"
#include "chromeos/network/network_cert_migrator.h"
@ -31,11 +32,13 @@ NetworkHandler::NetworkHandler() {
network_state_handler_.reset(new NetworkStateHandler());
network_device_handler_.reset(new NetworkDeviceHandler());
network_profile_handler_.reset(new NetworkProfileHandler());
if (CertLoader::IsInitialized())
network_cert_migrator_.reset(new NetworkCertMigrator());
network_configuration_handler_.reset(new NetworkConfigurationHandler());
managed_network_configuration_handler_.reset(
new ManagedNetworkConfigurationHandler());
if (CertLoader::IsInitialized()) {
network_cert_migrator_.reset(new NetworkCertMigrator());
client_cert_resolver_.reset(new ClientCertResolver());
}
network_connection_handler_.reset(new NetworkConnectionHandler());
network_sms_handler_.reset(new NetworkSmsHandler());
geolocation_handler_.reset(new GeolocationHandler());
@ -48,8 +51,6 @@ NetworkHandler::~NetworkHandler() {
void NetworkHandler::Init() {
network_state_handler_->InitShillPropertyHandler();
network_profile_handler_->Init(network_state_handler_.get());
if (network_cert_migrator_)
network_cert_migrator_->Init(network_state_handler_.get());
network_configuration_handler_->Init(network_state_handler_.get());
managed_network_configuration_handler_->Init(
network_state_handler_.get(),
@ -57,6 +58,12 @@ void NetworkHandler::Init() {
network_configuration_handler_.get());
network_connection_handler_->Init(network_state_handler_.get(),
network_configuration_handler_.get());
if (network_cert_migrator_)
network_cert_migrator_->Init(network_state_handler_.get());
if (client_cert_resolver_) {
client_cert_resolver_->Init(network_state_handler_.get(),
managed_network_configuration_handler_.get());
}
network_sms_handler_->Init();
geolocation_handler_->Init();
}

4
chromeos/network/network_handler.h

@ -11,6 +11,7 @@
namespace chromeos {
class ClientCertResolver;
class GeolocationHandler;
class ManagedNetworkConfigurationHandler;
class NetworkCertMigrator;
@ -60,10 +61,11 @@ class CHROMEOS_EXPORT NetworkHandler {
scoped_ptr<NetworkStateHandler> network_state_handler_;
scoped_ptr<NetworkDeviceHandler> network_device_handler_;
scoped_ptr<NetworkProfileHandler> network_profile_handler_;
scoped_ptr<NetworkCertMigrator> network_cert_migrator_;
scoped_ptr<NetworkConfigurationHandler> network_configuration_handler_;
scoped_ptr<ManagedNetworkConfigurationHandler>
managed_network_configuration_handler_;
scoped_ptr<NetworkCertMigrator> network_cert_migrator_;
scoped_ptr<ClientCertResolver> client_cert_resolver_;
scoped_ptr<NetworkConnectionHandler> network_connection_handler_;
scoped_ptr<NetworkSmsHandler> network_sms_handler_;
scoped_ptr<GeolocationHandler> geolocation_handler_;

27
chromeos/network/network_policy_observer.h Normal file

@ -0,0 +1,27 @@
// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#ifndef CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_
#define CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_
#include <string>
#include "base/basictypes.h"
namespace chromeos {
class NetworkPolicyObserver {
public:
virtual void PolicyApplied(const std::string& service_path) = 0;
protected:
virtual ~NetworkPolicyObserver() {};
private:
DISALLOW_ASSIGN(NetworkPolicyObserver);
};
} // namespace chromeos
#endif // CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_

1
chromeos/network/network_profile_handler.h

@ -60,6 +60,7 @@ class CHROMEOS_EXPORT NetworkProfileHandler
static const char kSharedProfilePath[];
protected:
friend class ClientCertResolverTest;
friend class NetworkHandler;
NetworkProfileHandler();