diff --git a/chromeos/cert_loader.cc b/chromeos/cert_loader.cc
index 964c777fbd588..060d4641129de 100644
--- a/chromeos/cert_loader.cc
+++ b/chromeos/cert_loader.cc
@@ -52,7 +52,8 @@ void CallOpenPersistentNSSDB() {
VLOG(1) << "CallOpenPersistentNSSDB";
// Ensure we've opened the user's key/certificate database.
- crypto::OpenPersistentNSSDB();
+ if (base::chromeos::IsRunningOnChromeOS())
+ crypto::OpenPersistentNSSDB();
crypto::EnableTPMTokenForNSS();
}
@@ -64,7 +65,6 @@ static CertLoader* g_cert_loader = NULL;
void CertLoader::Initialize() {
CHECK(!g_cert_loader);
g_cert_loader = new CertLoader();
- g_cert_loader->Init();
}
// static
@@ -86,7 +86,8 @@ bool CertLoader::IsInitialized() {
}
CertLoader::CertLoader()
- : certificates_requested_(false),
+ : initialize_tpm_for_test_(false),
+ certificates_requested_(false),
certificates_loaded_(false),
certificates_update_required_(false),
certificates_update_running_(false),
@@ -95,14 +96,14 @@ CertLoader::CertLoader()
base::TimeDelta::FromMilliseconds(kInitialRequestDelayMs)),
initialize_token_factory_(this),
update_certificates_factory_(this) {
-}
-
-void CertLoader::Init() {
- net::CertDatabase::GetInstance()->AddObserver(this);
if (LoginState::IsInitialized())
LoginState::Get()->AddObserver(this);
}
+void CertLoader::InitializeTPMForTest() {
+ initialize_tpm_for_test_ = true;
+}
+
void CertLoader::SetCryptoTaskRunner(
const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner) {
crypto_task_runner_ = crypto_task_runner;
@@ -154,7 +155,11 @@ void CertLoader::MaybeRequestCertificates() {
// Ensure we only initialize the TPM token once.
DCHECK_EQ(tpm_token_state_, TPM_STATE_UNKNOWN);
- if (!base::chromeos::IsRunningOnChromeOS())
+ if (!initialize_tpm_for_test_ && !base::chromeos::IsRunningOnChromeOS())
+ tpm_token_state_ = TPM_DISABLED;
+
+ // Treat TPM as disabled for guest users since they do not store certs.
+ if (LoginState::IsInitialized() && LoginState::Get()->IsGuestUser())
tpm_token_state_ = TPM_DISABLED;
InitializeTokenAndLoadCertificates();
@@ -164,10 +169,6 @@ void CertLoader::InitializeTokenAndLoadCertificates() {
CHECK(thread_checker_.CalledOnValidThread());
VLOG(1) << "InitializeTokenAndLoadCertificates: " << tpm_token_state_;
- // Treat TPM as disabled for guest users since they do not store certs.
- if (LoginState::IsInitialized() && LoginState::Get()->IsGuestUser())
- tpm_token_state_ = TPM_DISABLED;
-
switch (tpm_token_state_) {
case TPM_STATE_UNKNOWN: {
crypto_task_runner_->PostTaskAndReply(
@@ -211,8 +212,6 @@ void CertLoader::InitializeTokenAndLoadCertificates() {
base::Bind(&CertLoader::OnTPMTokenInitialized,
initialize_token_factory_.GetWeakPtr()));
return;
- tpm_token_state_ = TPM_TOKEN_INITIALIZED;
- // FALL_THROUGH_INTENDED
}
case TPM_TOKEN_INITIALIZED: {
StartLoadCertificates();
@@ -223,7 +222,7 @@ void CertLoader::InitializeTokenAndLoadCertificates() {
void CertLoader::RetryTokenInitializationLater() {
CHECK(thread_checker_.CalledOnValidThread());
- LOG(WARNING) << "Re-Requesting Certificates later.";
+ LOG(WARNING) << "Retry token initialization later.";
base::MessageLoop::current()->PostDelayedTask(
FROM_HERE,
base::Bind(&CertLoader::InitializeTokenAndLoadCertificates,
@@ -324,8 +323,14 @@ void CertLoader::OnTPMTokenInitialized(bool success) {
}
void CertLoader::StartLoadCertificates() {
+ DCHECK(!certificates_loaded_ && !certificates_update_running_);
+ net::CertDatabase::GetInstance()->AddObserver(this);
+ LoadCertificates();
+}
+
+void CertLoader::LoadCertificates() {
CHECK(thread_checker_.CalledOnValidThread());
- VLOG(1) << "StartLoadCertificates: " << certificates_update_running_;
+ VLOG(1) << "LoadCertificates: " << certificates_update_running_;
if (certificates_update_running_) {
certificates_update_required_ = true;
@@ -361,7 +366,7 @@ void CertLoader::UpdateCertificates(net::CertificateList* cert_list) {
certificates_update_running_ = false;
if (certificates_update_required_)
- StartLoadCertificates();
+ LoadCertificates();
}
void CertLoader::NotifyCertificatesLoaded(bool initial_load) {
@@ -374,12 +379,12 @@ void CertLoader::OnCertTrustChanged(const net::X509Certificate* cert) {
void CertLoader::OnCertAdded(const net::X509Certificate* cert) {
VLOG(1) << "OnCertAdded";
- StartLoadCertificates();
+ LoadCertificates();
}
void CertLoader::OnCertRemoved(const net::X509Certificate* cert) {
VLOG(1) << "OnCertRemoved";
- StartLoadCertificates();
+ LoadCertificates();
}
void CertLoader::LoggedInStateChanged(LoginState::LoggedInState state) {
diff --git a/chromeos/cert_loader.h b/chromeos/cert_loader.h
index 75d2cd07a3d56..bc1123e394654 100644
--- a/chromeos/cert_loader.h
+++ b/chromeos/cert_loader.h
@@ -69,10 +69,15 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
static std::string GetPkcs11IdForCert(const net::X509Certificate& cert);
+ // By default, CertLoader tries to load the TPMToken only if running in a
+ // ChromeOS environment. Tests can call this function after Initialize() and
+ // before SetCryptoTaskRunner() to enable the TPM initialization.
+ void InitializeTPMForTest();
+
// |crypto_task_runner| is the task runner that any synchronous crypto calls
// should be made from, e.g. in Chrome this is the IO thread. Must be called
- // after the thread is started. Certificate loading will not happen unless
- // this is set.
+ // after the thread is started. Starts TPM initialization and Certificate
+ // loading.
void SetCryptoTaskRunner(
const scoped_refptr<base::SequencedTaskRunner>& crypto_task_runner);
@@ -105,7 +110,6 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
CertLoader();
virtual ~CertLoader();
- void Init();
void MaybeRequestCertificates();
// This is the cyclic chain of callbacks to initialize the TPM token and to
@@ -124,7 +128,15 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
// These calls handle the updating of the certificate list after the TPM token
// was initialized.
+
+ // Start certificate loading. Must be called at most once.
void StartLoadCertificates();
+
+ // Trigger a certificate load. If a certificate loading task is already in
+ // progress, will start a reload once the current task finised.
+ void LoadCertificates();
+
+ // Called if a certificate load task is finished.
void UpdateCertificates(net::CertificateList* cert_list);
void NotifyCertificatesLoaded(bool initial_load);
@@ -137,6 +149,8 @@ class CHROMEOS_EXPORT CertLoader : public net::CertDatabase::Observer,
// LoginState::Observer
virtual void LoggedInStateChanged(LoginState::LoggedInState state) OVERRIDE;
+ bool initialize_tpm_for_test_;
+
ObserverList<Observer> observers_;
bool certificates_requested_;
diff --git a/chromeos/chromeos.gyp b/chromeos/chromeos.gyp
index 57fd83be78e5e..5086f2d4b1042 100644
--- a/chromeos/chromeos.gyp
+++ b/chromeos/chromeos.gyp
@@ -217,6 +217,8 @@
'login/login_state.h',
'network/certificate_pattern.cc',
'network/certificate_pattern.h',
+ 'network/client_cert_resolver.cc',
+ 'network/client_cert_resolver.h',
'network/client_cert_util.cc',
'network/client_cert_util.h',
'network/cros_network_functions.cc',
@@ -497,6 +499,7 @@
'ime/input_method_whitelist_unittest.cc',
'ime/xkeyboard_unittest.cc',
'login/login_state_unittest.cc',
+ 'network/client_cert_resolver_unittest.cc',
'network/cros_network_functions_unittest.cc',
'network/geolocation_handler_unittest.cc',
'network/managed_network_configuration_handler_unittest.cc',
diff --git a/chromeos/network/client_cert_resolver.cc b/chromeos/network/client_cert_resolver.cc
new file mode 100644
index 0000000000000..adbb9de9ac215
--- /dev/null
+++ b/chromeos/network/client_cert_resolver.cc
@@ -0,0 +1,450 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chromeos/network/client_cert_resolver.h"
+
+#include <cert.h>
+#include <certt.h> // for (SECCertUsageEnum) certUsageAnyCA
+#include <pk11pub.h>
+
+#include <algorithm>
+#include <string>
+
+#include "base/stl_util.h"
+#include "base/task_runner.h"
+#include "base/threading/worker_pool.h"
+#include "base/time/time.h"
+#include "chromeos/cert_loader.h"
+#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/shill_service_client.h"
+#include "chromeos/network/certificate_pattern.h"
+#include "chromeos/network/client_cert_util.h"
+#include "chromeos/network/managed_network_configuration_handler.h"
+#include "chromeos/network/network_state.h"
+#include "chromeos/network/network_state_handler.h"
+#include "chromeos/network/network_ui_data.h"
+#include "chromeos/network/onc/onc_constants.h"
+#include "dbus/object_path.h"
+#include "net/cert/x509_certificate.h"
+
+namespace chromeos {
+
+// Describes a network |network_path| for which a matching certificate |cert_id|
+// was found.
+struct ClientCertResolver::NetworkAndMatchingCert {
+ NetworkAndMatchingCert(const std::string& network_path,
+ client_cert::ConfigType config_type,
+ const std::string& cert_id)
+ : service_path(network_path),
+ cert_config_type(config_type),
+ pkcs11_id(cert_id) {}
+
+ std::string service_path;
+ client_cert::ConfigType cert_config_type;
+ // The id of the matching certificate.
+ std::string pkcs11_id;
+};
+
+typedef std::vector<ClientCertResolver::NetworkAndMatchingCert>
+ NetworkCertMatches;
+
+namespace {
+
+// Returns true if |vector| contains |value|.
+template <class T>
+bool ContainsValue(const std::vector<T>& vector, const T& value) {
+ return find(vector.begin(), vector.end(), value) != vector.end();
+}
+
+// Returns true if a private key for certificate |cert| is installed.
+bool HasPrivateKey(const net::X509Certificate& cert) {
+ PK11SlotInfo* slot = PK11_KeyForCertExists(cert.os_cert_handle(), NULL, NULL);
+ if (!slot)
+ return false;
+
+ PK11_FreeSlot(slot);
+ return true;
+}
+
+// Describes a certificate which is issued by |issuer| (encoded as PEM).
+struct CertAndIssuer {
+ CertAndIssuer(const scoped_refptr<net::X509Certificate>& certificate,
+ const std::string& issuer)
+ : cert(certificate),
+ pem_encoded_issuer(issuer) {}
+
+ scoped_refptr<net::X509Certificate> cert;
+ std::string pem_encoded_issuer;
+};
+
+bool CompareCertExpiration(const CertAndIssuer& a,
+ const CertAndIssuer& b) {
+ return (a.cert->valid_expiry() < b.cert->valid_expiry());
+}
+
+// Describes a network that is configured with the certificate pattern
+// |client_cert_pattern|.
+struct NetworkAndCertPattern {
+ NetworkAndCertPattern(const std::string& network_path,
+ client_cert::ConfigType config_type,
+ const CertificatePattern& pattern)
+ : service_path(network_path),
+ cert_config_type(config_type),
+ client_cert_pattern(pattern) {}
+ std::string service_path;
+ client_cert::ConfigType cert_config_type;
+ CertificatePattern client_cert_pattern;
+};
+
+// A unary predicate that returns true if the given CertAndIssuer matches the
+// certificate pattern of the NetworkAndCertPattern.
+struct MatchCertWithPattern {
+ MatchCertWithPattern(const NetworkAndCertPattern& pattern)
+ : net_and_pattern(pattern) {}
+
+ bool operator()(const CertAndIssuer& cert_and_issuer) {
+ const CertificatePattern& pattern = net_and_pattern.client_cert_pattern;
+ if (!pattern.issuer().Empty() &&
+ !client_cert::CertPrincipalMatches(pattern.issuer(),
+ cert_and_issuer.cert->issuer())) {
+ return false;
+ }
+ if (!pattern.subject().Empty() &&
+ !client_cert::CertPrincipalMatches(pattern.subject(),
+ cert_and_issuer.cert->subject())) {
+ return false;
+ }
+
+ const std::vector<std::string>& issuer_ca_pems = pattern.issuer_ca_pems();
+ if (!issuer_ca_pems.empty() &&
+ !ContainsValue(issuer_ca_pems, cert_and_issuer.pem_encoded_issuer)) {
+ return false;
+ }
+ return true;
+ }
+
+ NetworkAndCertPattern net_and_pattern;
+};
+
+// Searches for matches between |networks| and |certs| and writes matches to
+// |matches|. Because this calls NSS functions and is potentially slow, it must
+// be run on a worker thread.
+void FindCertificateMatches(const net::CertificateList& certs,
+ std::vector<NetworkAndCertPattern>* networks,
+ NetworkCertMatches* matches) {
+ // Filter all client certs and determines each certificate's issuer, which is
+ // required for the pattern matching.
+ std::vector<CertAndIssuer> client_certs;
+ for (net::CertificateList::const_iterator it = certs.begin();
+ it != certs.end(); ++it) {
+ const net::X509Certificate& cert = **it;
+ if (cert.valid_expiry().is_null() || cert.HasExpired() ||
+ !HasPrivateKey(cert)) {
+ continue;
+ }
+ scoped_refptr<net::X509Certificate> issuer =
+ net::X509Certificate::CreateFromHandle(
+ CERT_FindCertIssuer(
+ cert.os_cert_handle(), PR_Now(), certUsageAnyCA),
+ net::X509Certificate::OSCertHandles());
+ if (!issuer) {
+ LOG(ERROR) << "Couldn't find cert issuer.";
+ continue;
+ }
+ std::string pem_encoded_issuer;
+ if (!net::X509Certificate::GetPEMEncoded(issuer->os_cert_handle(),
+ &pem_encoded_issuer)) {
+ LOG(ERROR) << "Couldn't PEM-encode certificate.";
+ continue;
+ }
+ client_certs.push_back(CertAndIssuer(*it, pem_encoded_issuer));
+ }
+
+ std::sort(client_certs.begin(), client_certs.end(), &CompareCertExpiration);
+
+ for (std::vector<NetworkAndCertPattern>::const_iterator it =
+ networks->begin();
+ it != networks->end(); ++it) {
+ std::vector<CertAndIssuer>::iterator cert_it = std::find_if(
+ client_certs.begin(), client_certs.end(), MatchCertWithPattern(*it));
+ if (cert_it == client_certs.end()) {
+ LOG(WARNING) << "Couldn't find a matching client cert for network "
+ << it->service_path;
+ continue;
+ }
+ std::string pkcs11_id = CertLoader::GetPkcs11IdForCert(*cert_it->cert);
+ if (pkcs11_id.empty()) {
+ LOG(ERROR) << "Couldn't determine PKCS#11 ID.";
+ continue;
+ }
+ matches->push_back(ClientCertResolver::NetworkAndMatchingCert(
+ it->service_path, it->cert_config_type, pkcs11_id));
+ }
+}
+
+// Determines the type of the CertificatePattern configuration, i.e. is it a
+// pattern within an EAP, IPsec or OpenVPN configuration.
+client_cert::ConfigType OncToClientCertConfigurationType(
+ const base::DictionaryValue& network_config) {
+ using namespace ::chromeos::onc;
+
+ const base::DictionaryValue* wifi = NULL;
+ network_config.GetDictionaryWithoutPathExpansion(network_config::kWiFi,
+ &wifi);
+ if (wifi) {
+ const base::DictionaryValue* eap = NULL;
+ wifi->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap);
+ if (!eap)
+ return client_cert::CONFIG_TYPE_NONE;
+ return client_cert::CONFIG_TYPE_EAP;
+ }
+
+ const base::DictionaryValue* vpn = NULL;
+ network_config.GetDictionaryWithoutPathExpansion(network_config::kVPN, &vpn);
+ if (vpn) {
+ const base::DictionaryValue* openvpn = NULL;
+ vpn->GetDictionaryWithoutPathExpansion(vpn::kOpenVPN, &openvpn);
+ if (openvpn)
+ return client_cert::CONFIG_TYPE_OPENVPN;
+
+ const base::DictionaryValue* ipsec = NULL;
+ vpn->GetDictionaryWithoutPathExpansion(vpn::kIPsec, &ipsec);
+ if (ipsec)
+ return client_cert::CONFIG_TYPE_IPSEC;
+
+ return client_cert::CONFIG_TYPE_NONE;
+ }
+
+ const base::DictionaryValue* ethernet = NULL;
+ network_config.GetDictionaryWithoutPathExpansion(network_config::kEthernet,
+ ðernet);
+ if (ethernet) {
+ const base::DictionaryValue* eap = NULL;
+ ethernet->GetDictionaryWithoutPathExpansion(wifi::kEAP, &eap);
+ if (eap)
+ return client_cert::CONFIG_TYPE_EAP;
+ return client_cert::CONFIG_TYPE_NONE;
+ }
+
+ return client_cert::CONFIG_TYPE_NONE;
+}
+
+void LogError(const std::string& service_path,
+ const std::string& dbus_error_name,
+ const std::string& dbus_error_message) {
+ network_handler::ShillErrorCallbackFunction(
+ "ClientCertResolver.SetProperties failed",
+ service_path,
+ network_handler::ErrorCallback(),
+ dbus_error_name,
+ dbus_error_message);
+}
+
+bool ClientCertificatesLoaded() {
+ if(!CertLoader::Get()->certificates_loaded()) {
+ VLOG(1) << "Certificates not loaded yet.";
+ return false;
+ }
+ if (!CertLoader::Get()->IsHardwareBacked()) {
+ VLOG(1) << "TPM is not available.";
+ return false;
+ }
+ return true;
+}
+
+} // namespace
+
+ClientCertResolver::ClientCertResolver()
+ : network_state_handler_(NULL),
+ managed_network_config_handler_(NULL),
+ weak_ptr_factory_(this) {
+}
+
+ClientCertResolver::~ClientCertResolver() {
+ if (network_state_handler_)
+ network_state_handler_->RemoveObserver(this, FROM_HERE);
+ if (CertLoader::IsInitialized())
+ CertLoader::Get()->RemoveObserver(this);
+ if (managed_network_config_handler_)
+ managed_network_config_handler_->RemoveObserver(this);
+}
+
+void ClientCertResolver::Init(
+ NetworkStateHandler* network_state_handler,
+ ManagedNetworkConfigurationHandler* managed_network_config_handler) {
+ DCHECK(network_state_handler);
+ network_state_handler_ = network_state_handler;
+ network_state_handler_->AddObserver(this, FROM_HERE);
+
+ DCHECK(managed_network_config_handler);
+ managed_network_config_handler_ = managed_network_config_handler;
+ managed_network_config_handler_->AddObserver(this);
+
+ CertLoader::Get()->AddObserver(this);
+}
+
+void ClientCertResolver::SetSlowTaskRunnerForTest(
+ const scoped_refptr<base::TaskRunner>& task_runner) {
+ slow_task_runner_for_test_ = task_runner;
+}
+
+void ClientCertResolver::NetworkListChanged() {
+ VLOG(2) << "NetworkListChanged.";
+ if (!ClientCertificatesLoaded())
+ return;
+ // Configure only networks that were not configured before.
+
+ // We'll drop networks from |resolved_networks_|, which are not known anymore.
+ std::set<std::string> old_resolved_networks;
+ old_resolved_networks.swap(resolved_networks_);
+
+ NetworkStateList networks;
+ network_state_handler_->GetNetworkList(&networks);
+
+ NetworkStateList networks_to_check;
+ for (NetworkStateList::const_iterator it = networks.begin();
+ it != networks.end(); ++it) {
+ // If this network is not managed, it cannot have a ClientCertPattern.
+ // We do this check here additionally to ResolveNetworks because it's cheap
+ // and prevents |resolved_networks_| from becoming too large.
+ if ((*it)->guid().empty())
+ continue;
+
+ const std::string& service_path = (*it)->path();
+ if (ContainsKey(old_resolved_networks, service_path)) {
+ resolved_networks_.insert(service_path);
+ continue;
+ }
+ networks_to_check.push_back(*it);
+ }
+
+ ResolveNetworks(networks_to_check);
+}
+
+void ClientCertResolver::OnCertificatesLoaded(
+ const net::CertificateList& cert_list,
+ bool initial_load) {
+ VLOG(2) << "OnCertificatesLoaded.";
+ if (!ClientCertificatesLoaded())
+ return;
+ // Compare all networks with all certificates.
+ NetworkStateList networks;
+ network_state_handler_->GetNetworkList(&networks);
+ ResolveNetworks(networks);
+}
+
+void ClientCertResolver::PolicyApplied(const std::string& service_path) {
+ VLOG(2) << "PolicyApplied " << service_path;
+ if (!ClientCertificatesLoaded())
+ return;
+ // Compare this network with all certificates.
+ const NetworkState* network =
+ network_state_handler_->GetNetworkState(service_path);
+ if (!network) {
+ LOG(ERROR) << "service path '" << service_path << "' unknown.";
+ return;
+ }
+ NetworkStateList networks;
+ networks.push_back(network);
+ ResolveNetworks(networks);
+}
+
+void ClientCertResolver::ResolveNetworks(
+ const NetworkStateList& networks) {
+ scoped_ptr<std::vector<NetworkAndCertPattern> > networks_with_pattern(
+ new std::vector<NetworkAndCertPattern>);
+
+ // Filter networks with ClientCertPattern. As ClientCertPatterns can only be
+ // set by policy, we check there.
+ for (NetworkStateList::const_iterator it = networks.begin();
+ it != networks.end(); ++it) {
+ const NetworkState* network = *it;
+
+ // In any case, don't check this network again in NetworkListChanged.
+ resolved_networks_.insert(network->path());
+
+ // If this network is not managed, it cannot have a ClientCertPattern.
+ if (network->guid().empty())
+ continue;
+
+ if (network->profile_path().empty()) {
+ LOG(ERROR) << "Network " << network->path()
+ << " has a GUID but not profile path";
+ continue;
+ }
+ const base::DictionaryValue* policy =
+ managed_network_config_handler_->FindPolicyByGuidAndProfile(
+ network->guid(), network->profile_path());
+
+ if (!policy) {
+ VLOG(1) << "The policy for network " << network->path() << " with GUID "
+ << network->guid() << " is not available yet.";
+ // Skip this network for now. Once the policy is loaded, PolicyApplied()
+ // will retry.
+ continue;
+ }
+
+ VLOG(2) << "Inspecting network " << network->path();
+ // TODO(pneubeck): Access the ClientCertPattern without relying on
+ // NetworkUIData, which also parses other things that we don't need here.
+ // The ONCSource is irrelevant here.
+ scoped_ptr<NetworkUIData> ui_data(
+ NetworkUIData::CreateFromONC(onc::ONC_SOURCE_NONE, *policy));
+
+ // Skip networks that don't have a ClientCertPattern.
+ if (ui_data->certificate_type() != CLIENT_CERT_TYPE_PATTERN)
+ continue;
+
+ client_cert::ConfigType config_type =
+ OncToClientCertConfigurationType(*policy);
+ if (config_type == client_cert::CONFIG_TYPE_NONE) {
+ LOG(ERROR) << "UIData contains a CertificatePattern, but the policy "
+ << "doesn't. Network: " << network->path();
+ continue;
+ }
+
+ networks_with_pattern->push_back(NetworkAndCertPattern(
+ network->path(), config_type, ui_data->certificate_pattern()));
+ }
+ if (networks_with_pattern->empty())
+ return;
+
+ VLOG(2) << "Start task for resolving client cert patterns.";
+ base::TaskRunner* task_runner = slow_task_runner_for_test_.get();
+ if (!task_runner)
+ task_runner = base::WorkerPool::GetTaskRunner(true /* task is slow */);
+
+ NetworkCertMatches* matches = new NetworkCertMatches;
+ task_runner->PostTaskAndReply(
+ FROM_HERE,
+ base::Bind(&FindCertificateMatches,
+ CertLoader::Get()->cert_list(),
+ base::Owned(networks_with_pattern.release()),
+ matches),
+ base::Bind(&ClientCertResolver::ConfigureCertificates,
+ weak_ptr_factory_.GetWeakPtr(),
+ base::Owned(matches)));
+}
+
+void ClientCertResolver::ConfigureCertificates(NetworkCertMatches* matches) {
+ for (NetworkCertMatches::const_iterator it = matches->begin();
+ it != matches->end(); ++it) {
+ VLOG(1) << "Configuring certificate of network " << it->service_path;
+ CertLoader* cert_loader = CertLoader::Get();
+ base::DictionaryValue shill_properties;
+ client_cert::SetShillProperties(it->cert_config_type,
+ cert_loader->tpm_token_slot(),
+ cert_loader->tpm_user_pin(),
+ &it->pkcs11_id,
+ &shill_properties);
+ DBusThreadManager::Get()->GetShillServiceClient()->
+ SetProperties(dbus::ObjectPath(it->service_path),
+ shill_properties,
+ base::Bind(&base::DoNothing),
+ base::Bind(&LogError, it->service_path));
+ network_state_handler_->RequestUpdateForNetwork(it->service_path);
+ }
+}
+
+} // namespace chromeos
diff --git a/chromeos/network/client_cert_resolver.h b/chromeos/network/client_cert_resolver.h
new file mode 100644
index 0000000000000..a1be9630c0144
--- /dev/null
+++ b/chromeos/network/client_cert_resolver.h
@@ -0,0 +1,92 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
+#define CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
+
+#include <string>
+#include <vector>
+
+#include "base/basictypes.h"
+#include "base/memory/ref_counted.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/memory/weak_ptr.h"
+#include "chromeos/cert_loader.h"
+#include "chromeos/chromeos_export.h"
+#include "chromeos/network/network_policy_observer.h"
+#include "chromeos/network/network_state_handler_observer.h"
+
+namespace base {
+class TaskRunner;
+}
+
+namespace chromeos {
+
+class NetworkState;
+class NetworkStateHandler;
+class ManagedNetworkConfigurationHandler;
+
+// Observes the known networks. If a network is configured with a client
+// certificate pattern, this class searches for a matching client certificate.
+// Each time it finds a match, it configures the network accordingly.
+class CHROMEOS_EXPORT ClientCertResolver : public NetworkStateHandlerObserver,
+ public CertLoader::Observer,
+ public NetworkPolicyObserver {
+ public:
+ struct NetworkAndMatchingCert;
+
+ ClientCertResolver();
+ virtual ~ClientCertResolver();
+
+ void Init(NetworkStateHandler* network_state_handler,
+ ManagedNetworkConfigurationHandler* managed_network_config_handler);
+
+ // Sets the task runner that any slow calls will be made from, e.g. calls
+ // to the NSS database. If not set, uses base::WorkerPool.
+ void SetSlowTaskRunnerForTest(
+ const scoped_refptr<base::TaskRunner>& task_runner);
+
+ private:
+ typedef std::vector<const NetworkState*> NetworkStateList;
+
+ // NetworkStateHandlerObserver overrides
+ virtual void NetworkListChanged() OVERRIDE;
+
+ // CertLoader::Observer overrides
+ virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
+ bool initial_load) OVERRIDE;
+
+ // NetworkPolicyObserver overrides
+ virtual void PolicyApplied(const std::string& service_path) OVERRIDE;
+
+ // Check which networks of |networks| are configured with a client certificate
+ // pattern. Search for certificates, on the worker thread, and configure the
+ // networks for which a matching cert is found (see ConfigureCertificates).
+ void ResolveNetworks(const NetworkStateList& networks);
+
+ // |matches| contains networks for which a matching certificate was found.
+ // Configures these networks.
+ void ConfigureCertificates(std::vector<NetworkAndMatchingCert>* matches);
+
+ // The set of networks that were checked/resolved in previous passes. These
+ // networks are skipped in the NetworkListChanged notification.
+ std::set<std::string> resolved_networks_;
+
+ // Unowned associated (global or test) instance.
+ NetworkStateHandler* network_state_handler_;
+
+ // Unowned associated (global or test) instance.
+ ManagedNetworkConfigurationHandler* managed_network_config_handler_;
+
+ // TaskRunner for slow tasks.
+ scoped_refptr<base::TaskRunner> slow_task_runner_for_test_;
+
+ base::WeakPtrFactory<ClientCertResolver> weak_ptr_factory_;
+
+ DISALLOW_COPY_AND_ASSIGN(ClientCertResolver);
+};
+
+} // namespace chromeos
+
+#endif // CHROMEOS_NETWORK_CLIENT_CERT_RESOLVER_H_
diff --git a/chromeos/network/client_cert_resolver_unittest.cc b/chromeos/network/client_cert_resolver_unittest.cc
new file mode 100644
index 0000000000000..004bf077a580e
--- /dev/null
+++ b/chromeos/network/client_cert_resolver_unittest.cc
@@ -0,0 +1,281 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+#include "chromeos/network/client_cert_resolver.h"
+
+#include <cert.h>
+#include <pk11pub.h>
+
+#include "base/file_util.h"
+#include "base/files/file_path.h"
+#include "base/json/json_reader.h"
+#include "base/run_loop.h"
+#include "base/strings/stringprintf.h"
+#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/shill_profile_client.h"
+#include "chromeos/dbus/shill_service_client.h"
+#include "chromeos/login/login_state.h"
+#include "chromeos/network/managed_network_configuration_handler.h"
+#include "chromeos/network/network_configuration_handler.h"
+#include "chromeos/network/network_profile_handler.h"
+#include "chromeos/network/network_state_handler.h"
+#include "crypto/nss_util.h"
+#include "net/base/crypto_module.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/nss_cert_database.h"
+#include "net/cert/x509_certificate.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "third_party/cros_system_api/dbus/service_constants.h"
+
+namespace chromeos {
+
+namespace {
+
+const char* kWifiStub = "wifi_stub";
+const char* kWifiSSID = "wifi_ssid";
+const char* kUserProfilePath = "user_profile";
+const char* kUserHash = "user_hash";
+
+} // namespace
+
+class ClientCertResolverTest : public testing::Test {
+ public:
+ ClientCertResolverTest() {}
+ virtual ~ClientCertResolverTest() {}
+
+ virtual void SetUp() OVERRIDE {
+ ASSERT_TRUE(test_nssdb_.is_open());
+ slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule();
+ ASSERT_TRUE(slot_->os_module_handle());
+
+ LoginState::Initialize();
+
+ DBusThreadManager::InitializeWithStub();
+ service_test_ =
+ DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
+ profile_test_ =
+ DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface();
+ message_loop_.RunUntilIdle();
+ service_test_->ClearServices();
+ message_loop_.RunUntilIdle();
+
+ CertLoader::Initialize();
+ CertLoader* cert_loader = CertLoader::Get();
+ cert_loader->InitializeTPMForTest();
+ cert_loader->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
+ cert_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy());
+ }
+
+ virtual void TearDown() OVERRIDE {
+ client_cert_resolver_.reset();
+ managed_config_handler_.reset();
+ network_config_handler_.reset();
+ network_profile_handler_.reset();
+ network_state_handler_.reset();
+ CertLoader::Shutdown();
+ DBusThreadManager::Shutdown();
+ LoginState::Shutdown();
+ CleanupSlotContents();
+ }
+
+ protected:
+ // Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client
+ // certificate signed by that CA. Its PKCS#11 ID is stored in
+ // |test_pkcs11_id_|.
+ void SetupTestCerts() {
+ // Import a CA cert.
+ net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance();
+ net::CertificateList ca_cert_list =
+ net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
+ "websocket_cacert.pem",
+ net::X509Certificate::FORMAT_AUTO);
+ ASSERT_TRUE(!ca_cert_list.empty());
+ net::NSSCertDatabase::ImportCertFailureList failures;
+ EXPECT_TRUE(cert_db->ImportCACerts(
+ ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));
+ ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);
+
+ net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(),
+ &test_ca_cert_pem_);
+ ASSERT_TRUE(!test_ca_cert_pem_.empty());
+
+ // Import a client cert signed by that CA.
+ scoped_refptr<net::CryptoModule> crypt_module = cert_db->GetPrivateModule();
+ std::string pkcs12_data;
+ ASSERT_TRUE(file_util::ReadFileToString(
+ net::GetTestCertsDirectory().Append("websocket_client_cert.p12"),
+ &pkcs12_data));
+
+ net::CertificateList client_cert_list;
+ ASSERT_EQ(net::OK,
+ cert_db->ImportFromPKCS12(crypt_module.get(),
+ pkcs12_data,
+ string16(),
+ false,
+ &client_cert_list));
+ ASSERT_TRUE(!client_cert_list.empty());
+ test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]);
+ ASSERT_TRUE(!test_pkcs11_id_.empty());
+ }
+
+ void SetupNetworkHandlers() {
+ network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
+ network_profile_handler_.reset(new NetworkProfileHandler());
+ network_config_handler_.reset(new NetworkConfigurationHandler());
+ managed_config_handler_.reset(new ManagedNetworkConfigurationHandler());
+ client_cert_resolver_.reset(new ClientCertResolver());
+
+ network_profile_handler_->Init(network_state_handler_.get());
+ network_config_handler_->Init(network_state_handler_.get());
+ managed_config_handler_->Init(network_state_handler_.get(),
+ network_profile_handler_.get(),
+ network_config_handler_.get());
+ client_cert_resolver_->Init(network_state_handler_.get(),
+ managed_config_handler_.get());
+ client_cert_resolver_->SetSlowTaskRunnerForTest(
+ message_loop_.message_loop_proxy());
+
+ profile_test_->AddProfile(kUserProfilePath, kUserHash);
+ }
+
+ void SetupWifi() {
+ const bool add_to_visible = true;
+ const bool add_to_watchlist = true;
+ service_test_->AddService(kWifiStub,
+ kWifiSSID,
+ flimflam::kTypeWifi,
+ flimflam::kStateOnline,
+ add_to_visible,
+ add_to_watchlist);
+ service_test_->SetServiceProperty(
+ kWifiStub, flimflam::kGuidProperty, base::StringValue(kWifiStub));
+
+ profile_test_->AddService(kUserProfilePath, kWifiStub);
+ }
+
+ // Setup a policy with a certificate pattern that matches any client cert that
+ // is signed by the test CA cert (stored in |test_ca_cert_pem_|). In
+ // particular it will match the test client cert.
+ void SetupPolicy() {
+ const char* kTestPolicyTemplate =
+ "[ { \"GUID\": \"wifi_stub\","
+ " \"Name\": \"wifi_stub\","
+ " \"Type\": \"WiFi\","
+ " \"WiFi\": {"
+ " \"Security\": \"WPA-EAP\","
+ " \"SSID\": \"wifi_ssid\","
+ " \"EAP\": {"
+ " \"Outer\": \"EAP-TLS\","
+ " \"ClientCertType\": \"Pattern\","
+ " \"ClientCertPattern\": {"
+ " \"IssuerCAPEMs\": [ \"%s\" ]"
+ " }"
+ " }"
+ " }"
+ "} ]";
+ std::string policy_json =
+ base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str());
+
+ std::string error;
+ scoped_ptr<base::Value> policy_value(base::JSONReader::ReadAndReturnError(
+ policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error));
+ ASSERT_TRUE(policy_value) << error;
+
+ base::ListValue* policy = NULL;
+ ASSERT_TRUE(policy_value->GetAsList(&policy));
+
+ managed_config_handler_->SetPolicy(
+ onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy);
+ }
+
+ void GetClientCertProperties(std::string* pkcs11_id) {
+ pkcs11_id->clear();
+ const base::DictionaryValue* properties =
+ service_test_->GetServiceProperties(kWifiStub);
+ if (!properties)
+ return;
+ properties->GetStringWithoutPathExpansion(flimflam::kEapCertIdProperty,
+ pkcs11_id);
+ }
+
+ ShillServiceClient::TestInterface* service_test_;
+ ShillProfileClient::TestInterface* profile_test_;
+ std::string test_pkcs11_id_;
+ scoped_refptr<net::X509Certificate> test_ca_cert_;
+ std::string test_ca_cert_pem_;
+ base::MessageLoop message_loop_;
+
+ private:
+ void CleanupSlotContents() {
+ CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle());
+ for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
+ !CERT_LIST_END(node, cert_list);
+ node = CERT_LIST_NEXT(node)) {
+ scoped_refptr<net::X509Certificate> cert(
+ net::X509Certificate::CreateFromHandle(
+ node->cert, net::X509Certificate::OSCertHandles()));
+ net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(cert.get());
+ }
+ CERT_DestroyCertList(cert_list);
+ }
+
+ scoped_ptr<NetworkStateHandler> network_state_handler_;
+ scoped_ptr<NetworkProfileHandler> network_profile_handler_;
+ scoped_ptr<NetworkConfigurationHandler> network_config_handler_;
+ scoped_ptr<ManagedNetworkConfigurationHandler> managed_config_handler_;
+ scoped_ptr<ClientCertResolver> client_cert_resolver_;
+ scoped_refptr<net::CryptoModule> slot_;
+ crypto::ScopedTestNSSDB test_nssdb_;
+
+ DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);
+};
+
+TEST_F(ClientCertResolverTest, NoMatchingCertificates) {
+ SetupNetworkHandlers();
+ SetupPolicy();
+ message_loop_.RunUntilIdle();
+
+ SetupWifi();
+ message_loop_.RunUntilIdle();
+
+ // Verify that no client certificate was configured.
+ std::string pkcs11_id;
+ GetClientCertProperties(&pkcs11_id);
+ EXPECT_TRUE(pkcs11_id.empty());
+}
+
+TEST_F(ClientCertResolverTest, ResolveOnInitialization) {
+ SetupTestCerts();
+ SetupNetworkHandlers();
+ SetupPolicy();
+ message_loop_.RunUntilIdle();
+
+ SetupWifi();
+ message_loop_.RunUntilIdle();
+
+ // Verify that the resolver positively matched the pattern in the policy with
+ // the test client cert and configured the network.
+ std::string pkcs11_id;
+ GetClientCertProperties(&pkcs11_id);
+ EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
+}
+
+TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) {
+ SetupTestCerts();
+ SetupNetworkHandlers();
+ message_loop_.RunUntilIdle();
+
+ // The policy will trigger the creation of a new wifi service.
+ SetupPolicy();
+ message_loop_.RunUntilIdle();
+
+ // Verify that the resolver positively matched the pattern in the policy with
+ // the test client cert and configured the network.
+ std::string pkcs11_id;
+ GetClientCertProperties(&pkcs11_id);
+ EXPECT_EQ(test_pkcs11_id_, pkcs11_id);
+}
+
+} // namespace chromeos
diff --git a/chromeos/network/managed_network_configuration_handler.cc b/chromeos/network/managed_network_configuration_handler.cc
index 5ee791fb3b24d..e7dd0b68a0dd7 100644
--- a/chromeos/network/managed_network_configuration_handler.cc
+++ b/chromeos/network/managed_network_configuration_handler.cc
@@ -25,6 +25,7 @@
#include "chromeos/network/network_configuration_handler.h"
#include "chromeos/network/network_event_log.h"
#include "chromeos/network/network_handler_callbacks.h"
+#include "chromeos/network/network_policy_observer.h"
#include "chromeos/network/network_profile.h"
#include "chromeos/network/network_profile_handler.h"
#include "chromeos/network/network_state.h"
@@ -98,10 +99,6 @@ void SetUIData(const NetworkUIData& ui_data,
ui_data_blob);
}
-// A dummy callback to ignore the result of Shill calls.
-void IgnoreString(const std::string& str) {
-}
-
void LogErrorWithDict(const tracked_objects::Location& from_where,
const std::string& error_name,
scoped_ptr<base::DictionaryValue> error_data) {
@@ -374,6 +371,16 @@ scoped_ptr<NetworkUIData> ManagedNetworkConfigurationHandler::GetUIData(
return scoped_ptr<NetworkUIData>();
}
+void ManagedNetworkConfigurationHandler::AddObserver(
+ NetworkPolicyObserver* observer) {
+ observers_.AddObserver(observer);
+}
+
+void ManagedNetworkConfigurationHandler::RemoveObserver(
+ NetworkPolicyObserver* observer) {
+ observers_.RemoveObserver(observer);
+}
+
void ManagedNetworkConfigurationHandler::GetManagedProperties(
const std::string& userhash,
const std::string& service_path,
@@ -734,6 +741,27 @@ ManagedNetworkConfigurationHandler::FindPolicyByGUID(
return NULL;
}
+const base::DictionaryValue*
+ManagedNetworkConfigurationHandler::FindPolicyByGuidAndProfile(
+ const std::string& guid,
+ const std::string& profile_path) const {
+ const NetworkProfile* profile =
+ network_profile_handler_->GetProfileForPath(profile_path);
+ if (!profile) {
+ LOG(ERROR) << "Profile path unknown: " << profile_path;
+ return NULL;
+ }
+
+ const GuidToPolicyMap* policies = GetPoliciesForProfile(*profile);
+ if (!policies)
+ return NULL;
+
+ GuidToPolicyMap::const_iterator it = policies->find(guid);
+ if (it == policies->end())
+ return NULL;
+ return it->second;
+}
+
void ManagedNetworkConfigurationHandler::OnProfileRemoved(
const NetworkProfile& profile) {
// Nothing to do in this case.
@@ -781,6 +809,14 @@ void ManagedNetworkConfigurationHandler::Init(
network_profile_handler_->AddObserver(this);
}
+void ManagedNetworkConfigurationHandler::OnPolicyApplied(
+ const std::string& service_path) {
+ if (service_path.empty())
+ return;
+ FOR_EACH_OBSERVER(
+ NetworkPolicyObserver, observers_, PolicyApplied(service_path));
+}
+
ManagedNetworkConfigurationHandler::PolicyApplicator::PolicyApplicator(
base::WeakPtr<ManagedNetworkConfigurationHandler> handler,
const NetworkProfile& profile,
@@ -921,10 +957,11 @@ void ManagedNetworkConfigurationHandler::PolicyApplicator::GetEntryCallback(
scoped_ptr<base::DictionaryValue> shill_dictionary =
CreateShillConfiguration(
profile_, new_guid, new_policy, user_settings);
- handler_->network_configuration_handler()
- ->CreateConfiguration(*shill_dictionary,
- base::Bind(&IgnoreString),
- base::Bind(&LogErrorWithDict, FROM_HERE));
+ handler_->network_configuration_handler()->CreateConfiguration(
+ *shill_dictionary,
+ base::Bind(&ManagedNetworkConfigurationHandler::OnPolicyApplied,
+ handler_),
+ base::Bind(&LogErrorWithDict, FROM_HERE));
remaining_policies_.erase(new_guid);
}
} else if (was_managed) {
@@ -987,10 +1024,11 @@ ManagedNetworkConfigurationHandler::PolicyApplicator::~PolicyApplicator() {
scoped_ptr<base::DictionaryValue> shill_dictionary =
CreateShillConfiguration(
profile_, *it, policy, NULL /* no user settings */);
- handler_->network_configuration_handler()
- ->CreateConfiguration(*shill_dictionary,
- base::Bind(&IgnoreString),
- base::Bind(&LogErrorWithDict, FROM_HERE));
+ handler_->network_configuration_handler()->CreateConfiguration(
+ *shill_dictionary,
+ base::Bind(&ManagedNetworkConfigurationHandler::OnPolicyApplied,
+ handler_),
+ base::Bind(&LogErrorWithDict, FROM_HERE));
}
}
diff --git a/chromeos/network/managed_network_configuration_handler.h b/chromeos/network/managed_network_configuration_handler.h
index 0ac1e6e691111..357a0f3fca54b 100644
--- a/chromeos/network/managed_network_configuration_handler.h
+++ b/chromeos/network/managed_network_configuration_handler.h
@@ -12,6 +12,7 @@
#include "base/callback.h"
#include "base/gtest_prod_util.h"
#include "base/memory/weak_ptr.h"
+#include "base/observer_list.h"
#include "chromeos/chromeos_export.h"
#include "chromeos/network/network_handler.h"
#include "chromeos/network/network_handler_callbacks.h"
@@ -26,6 +27,7 @@ class ListValue;
namespace chromeos {
class NetworkConfigurationHandler;
+class NetworkPolicyObserver;
class NetworkProfileHandler;
class NetworkStateHandler;
class NetworkUIData;
@@ -69,6 +71,9 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
static scoped_ptr<NetworkUIData> GetUIData(
const base::DictionaryValue& shill_dictionary);
+ void AddObserver(NetworkPolicyObserver* observer);
+ void RemoveObserver(NetworkPolicyObserver* observer);
+
// Provides the properties of the network with |service_path| to |callback|.
void GetProperties(
const std::string& service_path,
@@ -132,7 +137,13 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
const std::string& guid,
onc::ONCSource* onc_source) const;
- // NetworkProfileObserver overrides
+ // Returns the policy with |guid| for profile |profile_path|. If such
+ // doesn't exist, returns NULL.
+ const base::DictionaryValue* FindPolicyByGuidAndProfile(
+ const std::string& guid,
+ const std::string& profile_path) const;
+
+ // NetworkProfileObserver overrides
virtual void OnProfileAdded(const NetworkProfile& profile) OVERRIDE;
virtual void OnProfileRemoved(const NetworkProfile& profile) OVERRIDE;
@@ -141,6 +152,7 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
}
private:
+ friend class ClientCertResolverTest;
friend class NetworkHandler;
friend class ManagedNetworkConfigurationHandlerTest;
class PolicyApplicator;
@@ -151,7 +163,6 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
NetworkProfileHandler* network_profile_handler,
NetworkConfigurationHandler* network_configuration_handler);
-
void GetManagedPropertiesCallback(
const network_handler::DictionaryResultCallback& callback,
const network_handler::ErrorCallback& error_callback,
@@ -162,6 +173,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
const GuidToPolicyMap* GetPoliciesForProfile(
const NetworkProfile& profile) const;
+ void OnPolicyApplied(const std::string& service_path);
+
// The DictionaryValues of the nested maps are owned by this class and are
// explicitly deleted where necessary. If present, the empty string maps to
// the device policy.
@@ -172,6 +185,8 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler
NetworkProfileHandler* network_profile_handler_;
NetworkConfigurationHandler* network_configuration_handler_;
+ ObserverList<NetworkPolicyObserver> observers_;
+
// For Shill client callbacks
base::WeakPtrFactory<ManagedNetworkConfigurationHandler> weak_ptr_factory_;
diff --git a/chromeos/network/managed_network_configuration_handler_unittest.cc b/chromeos/network/managed_network_configuration_handler_unittest.cc
index 4b0a1c7e693b9..21ccec18aea26 100644
--- a/chromeos/network/managed_network_configuration_handler_unittest.cc
+++ b/chromeos/network/managed_network_configuration_handler_unittest.cc
@@ -13,7 +13,6 @@
#include "chromeos/dbus/mock_shill_manager_client.h"
#include "chromeos/dbus/mock_shill_profile_client.h"
#include "chromeos/dbus/mock_shill_service_client.h"
-#include "chromeos/dbus/shill_profile_client_stub.h"
#include "chromeos/network/network_configuration_handler.h"
#include "chromeos/network/network_profile_handler.h"
#include "chromeos/network/onc/onc_test_utils.h"
diff --git a/chromeos/network/network_configuration_handler.h b/chromeos/network/network_configuration_handler.h
index f1ee8561f9c4f..c8a0b5b03d8d1 100644
--- a/chromeos/network/network_configuration_handler.h
+++ b/chromeos/network/network_configuration_handler.h
@@ -111,6 +111,7 @@ class CHROMEOS_EXPORT NetworkConfigurationHandler
NetworkStateHandler* network_state_handler);
protected:
+ friend class ClientCertResolverTest;
friend class NetworkHandler;
friend class NetworkConfigurationHandlerTest;
friend class NetworkConfigurationHandlerStubTest;
diff --git a/chromeos/network/network_handler.cc b/chromeos/network/network_handler.cc
index ae272faeba933..b1aac2642f14d 100644
--- a/chromeos/network/network_handler.cc
+++ b/chromeos/network/network_handler.cc
@@ -6,6 +6,7 @@
#include "base/threading/worker_pool.h"
#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/network/client_cert_resolver.h"
#include "chromeos/network/geolocation_handler.h"
#include "chromeos/network/managed_network_configuration_handler.h"
#include "chromeos/network/network_cert_migrator.h"
@@ -31,11 +32,13 @@ NetworkHandler::NetworkHandler() {
network_state_handler_.reset(new NetworkStateHandler());
network_device_handler_.reset(new NetworkDeviceHandler());
network_profile_handler_.reset(new NetworkProfileHandler());
- if (CertLoader::IsInitialized())
- network_cert_migrator_.reset(new NetworkCertMigrator());
network_configuration_handler_.reset(new NetworkConfigurationHandler());
managed_network_configuration_handler_.reset(
new ManagedNetworkConfigurationHandler());
+ if (CertLoader::IsInitialized()) {
+ network_cert_migrator_.reset(new NetworkCertMigrator());
+ client_cert_resolver_.reset(new ClientCertResolver());
+ }
network_connection_handler_.reset(new NetworkConnectionHandler());
network_sms_handler_.reset(new NetworkSmsHandler());
geolocation_handler_.reset(new GeolocationHandler());
@@ -48,8 +51,6 @@ NetworkHandler::~NetworkHandler() {
void NetworkHandler::Init() {
network_state_handler_->InitShillPropertyHandler();
network_profile_handler_->Init(network_state_handler_.get());
- if (network_cert_migrator_)
- network_cert_migrator_->Init(network_state_handler_.get());
network_configuration_handler_->Init(network_state_handler_.get());
managed_network_configuration_handler_->Init(
network_state_handler_.get(),
@@ -57,6 +58,12 @@ void NetworkHandler::Init() {
network_configuration_handler_.get());
network_connection_handler_->Init(network_state_handler_.get(),
network_configuration_handler_.get());
+ if (network_cert_migrator_)
+ network_cert_migrator_->Init(network_state_handler_.get());
+ if (client_cert_resolver_) {
+ client_cert_resolver_->Init(network_state_handler_.get(),
+ managed_network_configuration_handler_.get());
+ }
network_sms_handler_->Init();
geolocation_handler_->Init();
}
diff --git a/chromeos/network/network_handler.h b/chromeos/network/network_handler.h
index a791f9e89dcb6..9924dea3ef11d 100644
--- a/chromeos/network/network_handler.h
+++ b/chromeos/network/network_handler.h
@@ -11,6 +11,7 @@
namespace chromeos {
+class ClientCertResolver;
class GeolocationHandler;
class ManagedNetworkConfigurationHandler;
class NetworkCertMigrator;
@@ -60,10 +61,11 @@ class CHROMEOS_EXPORT NetworkHandler {
scoped_ptr<NetworkStateHandler> network_state_handler_;
scoped_ptr<NetworkDeviceHandler> network_device_handler_;
scoped_ptr<NetworkProfileHandler> network_profile_handler_;
- scoped_ptr<NetworkCertMigrator> network_cert_migrator_;
scoped_ptr<NetworkConfigurationHandler> network_configuration_handler_;
scoped_ptr<ManagedNetworkConfigurationHandler>
managed_network_configuration_handler_;
+ scoped_ptr<NetworkCertMigrator> network_cert_migrator_;
+ scoped_ptr<ClientCertResolver> client_cert_resolver_;
scoped_ptr<NetworkConnectionHandler> network_connection_handler_;
scoped_ptr<NetworkSmsHandler> network_sms_handler_;
scoped_ptr<GeolocationHandler> geolocation_handler_;
diff --git a/chromeos/network/network_policy_observer.h b/chromeos/network/network_policy_observer.h
new file mode 100644
index 0000000000000..c51982ebe7b9a
--- /dev/null
+++ b/chromeos/network/network_policy_observer.h
@@ -0,0 +1,27 @@
+// Copyright 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_
+#define CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_
+
+#include <string>
+
+#include "base/basictypes.h"
+
+namespace chromeos {
+
+class NetworkPolicyObserver {
+ public:
+ virtual void PolicyApplied(const std::string& service_path) = 0;
+
+ protected:
+ virtual ~NetworkPolicyObserver() {};
+
+ private:
+ DISALLOW_ASSIGN(NetworkPolicyObserver);
+};
+
+} // namespace chromeos
+
+#endif // CHROMEOS_NETWORK_NETWORK_POLICY_OBSERVER_H_
diff --git a/chromeos/network/network_profile_handler.h b/chromeos/network/network_profile_handler.h
index 15bb0fd3c61e8..15f5228973e6e 100644
--- a/chromeos/network/network_profile_handler.h
+++ b/chromeos/network/network_profile_handler.h
@@ -60,6 +60,7 @@ class CHROMEOS_EXPORT NetworkProfileHandler
static const char kSharedProfilePath[];
protected:
+ friend class ClientCertResolverTest;
friend class NetworkHandler;
NetworkProfileHandler();