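// Copyright 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_CHROMEOS_POLICY_USER_NETWORK_CONFIGURATION_UPDATER_H_
#define CHROME_BROWSER_CHROMEOS_POLICY_USER_NETWORK_CONFIGURATION_UPDATER_H_

#include <vector>

#include "base/basictypes.h"
#include "base/compiler_specific.h"
#include "base/memory/ref_counted.h"
#include "base/memory/scoped_ptr.h"
#include "base/memory/weak_ptr.h"
#include "base/observer_list.h"
#include "chrome/browser/chromeos/policy/network_configuration_updater.h"
#include "components/keyed_service/core/keyed_service.h"
#include "content/public/browser/notification_observer.h"
#include "content/public/browser/notification_registrar.h"

class Profile;

namespace base {
class ListValue;
}

namespace chromeos {
class User;

namespace onc {
class CertificateImporter;
}
}

namespace net {
class NSSCertDatabase;
class X509Certificate;
typedef std::vector<scoped_refptr<X509Certificate> > CertificateList;
}

namespace policy {

class PolicyService;

// Implements additional special handling of ONC user policies. Namely string
// expansion with the user's name (or email address, etc.) and handling of "Web"
// trust of certificates.
//
// Security note: a policy certificate that is granted "Web" trust becomes a
// trust anchor for this user's TLS connections, so whoever controls the ONC
// policy source can mint certificates the browser accepts for arbitrary HTTPS
// hosts. That capability is gated by |allow_trusted_certs_from_policy| (see
// CreateForUserPolicy): when it is false, Web trust requested by the policy
// must be ignored and |web_trust_certs_| must stay empty. Whether certificates
// without Web trust are still imported for other uses is decided in the .cc.
class UserNetworkConfigurationUpdater : public NetworkConfigurationUpdater,
                                        public KeyedService,
                                        public content::NotificationObserver {
 public:
  // Observer interface for changes to the set of policy-provided certificates
  // that were granted Web trust.
  class WebTrustedCertsObserver {
   public:
    // Is called everytime the list of imported certificates with Web trust is
    // changed. |trust_anchors| is the complete current list (it is empty when
    // Web trust from policy is not allowed), not a delta.
    virtual void OnTrustAnchorsChanged(
        const net::CertificateList& trust_anchors) = 0;

    // This is a polymorphic interface; without a virtual destructor deleting
    // an implementation through a WebTrustedCertsObserver pointer would be
    // undefined behaviour. Observers registered here are not owned by the
    // updater, so this only matters for code that owns an observer through
    // the interface type.
    virtual ~WebTrustedCertsObserver() {}
  };

  virtual ~UserNetworkConfigurationUpdater();

  // Creates an updater that applies the ONC user policy from |policy_service|
  // for user |user| once the policy service is completely initialized and on
  // each policy change. Imported certificates, that request it, are only
  // granted Web trust if |allow_trusted_certs_from_policy| is true. A reference
  // to |user| is stored. It must outlive the returned updater.
  //
  // |profile| is observed for its PROFILE_ADDED notification (see Observe()).
  // |profile|, |policy_service| and |network_config_handler| are passed as raw
  // pointers and are presumably held non-owning by this class or its base;
  // callers should assume they must outlive the returned updater as well.
  //
  // NOTE(review): |allow_trusted_certs_from_policy| is the single switch that
  // decides whether the policy source may install TLS trust anchors for this
  // user. The caller is responsible for deriving it from the trustworthiness
  // of the policy source; nothing in this class re-validates that decision.
  static scoped_ptr<UserNetworkConfigurationUpdater> CreateForUserPolicy(
      Profile* profile,
      bool allow_trusted_certs_from_policy,
      const chromeos::User& user,
      PolicyService* policy_service,
      chromeos::ManagedNetworkConfigurationHandler* network_config_handler);

  // Registers / unregisters an observer for Web trust changes. Observers are
  // not owned; a registered observer must remove itself before it is
  // destroyed. Whether registration replays the current list is not visible
  // here; callers that need the initial state should use
  // GetWebTrustedCertificates().
  void AddTrustedCertsObserver(WebTrustedCertsObserver* observer);
  void RemoveTrustedCertsObserver(WebTrustedCertsObserver* observer);

  // Sets |certs| to the list of Web trusted server and CA certificates from the
  // last received policy. The list is empty if Web trust from policy is not
  // allowed (see |web_trust_certs_|), and presumably also before the first
  // policy has been imported.
  void GetWebTrustedCertificates(net::CertificateList* certs) const;

  // Helper method to expose |SetCertificateImporter| for usage in tests.
  void SetCertificateImporterForTest(
      scoped_ptr<chromeos::onc::CertificateImporter> certificate_importer);

  // Used in test to delay CertificateImporter creation until the NSSDatabase is
  // ready. This is needed in some tests as the user's certificate database may
  // not get initialized in time.
  // Being static, the flag is process-wide and presumably affects every
  // updater created afterwards: production code must never set it, and tests
  // that set it should reset it to false when done.
  // TODO(tbarzic): Remove this when it's not needed.
  static void SetSkipCertificateImporterCreationForTest(bool skip);

 private:
  // Defined in the .cc. The name suggests it hands the policy trust anchors to
  // the network stack; check the implementation before relying on that.
  class CrosTrustAnchorProvider;

  // Private: instances are created through CreateForUserPolicy().
  UserNetworkConfigurationUpdater(
      Profile* profile,
      bool allow_trusted_certs_from_policy,
      const chromeos::User& user,
      PolicyService* policy_service,
      chromeos::ManagedNetworkConfigurationHandler* network_config_handler);

  // NetworkConfigurationUpdater:
  // Imports the certificates described by |certificates_onc|. If no
  // certificate importer has been set yet, a copy of the policy is kept in
  // |pending_certificates_onc_| and processed once one is set (see
  // SetCertificateImporter()).
  virtual void ImportCertificates(
      const base::ListValue& certificates_onc) OVERRIDE;
  // Applies the network part of the policy. The class comment says user-name
  // string expansion is part of this class's special handling; this override
  // is presumably where it happens, confirm in the .cc.
  virtual void ApplyNetworkPolicy(
      base::ListValue* network_configs_onc,
      base::DictionaryValue* global_network_config) OVERRIDE;

  // content::NotificationObserver implementation. Observes the profile to which
  // |this| belongs to for PROFILE_ADDED notification.
  virtual void Observe(int type,
                       const content::NotificationSource& source,
                       const content::NotificationDetails& details) OVERRIDE;

  // Creates onc::CertImporter with |database| and passes it to
  // |SetCertificateImporter|. |database| is the user's NSS certificate
  // database; the import therefore lands in this user's store.
  void CreateAndSetCertificateImporter(net::NSSCertDatabase* database);

  // Sets the certificate importer that should be used to import certificate
  // policies. If there is |pending_certificates_onc_|, it gets imported.
  void SetCertificateImporter(
      scoped_ptr<chromeos::onc::CertificateImporter> certificate_importer);

  // Notifies registered observers of a change to the Web trusted certificates,
  // presumably by calling OnTrustAnchorsChanged() with |web_trust_certs_|.
  void NotifyTrustAnchorsChanged();

  // Whether Web trust is allowed or not. Expected to be set once from the
  // |allow_trusted_certs_from_policy| constructor argument and never changed
  // afterwards; it is the only guard against the policy installing TLS trust
  // anchors.
  bool allow_trusted_certificates_from_policy_;

  // The user for whom the user policy will be applied. Non-owning; the caller
  // of CreateForUserPolicy() guarantees it outlives |this|.
  const chromeos::User* user_;

  // The second template argument is presumably the "check empty on
  // destruction" flag of base::ObserverList; verify against
  // base/observer_list.h before relying on it.
  ObserverList<WebTrustedCertsObserver, true> observer_list_;

  // Contains the certificates of the last import that requested web trust. Must
  // be empty if Web trust from policy is not allowed. This invariant is what
  // GetWebTrustedCertificates() and the observers rely on; any code path that
  // fills it must check |allow_trusted_certificates_from_policy_| first.
  net::CertificateList web_trust_certs_;

  // If |ImportCertificates| is called before |SetCertificateImporter|, gets set
  // to a copy of the policy for which the import was requested.
  // The policy will be processed when the certificate importer is set.
  // NOTE(review): this copy holds raw ONC certificate entries, which may
  // include client certificate material; confirm it is released once the
  // import has run.
  scoped_ptr<base::ListValue> pending_certificates_onc_;

  // Certificate importer to be used for importing policy defined certificates.
  // Set by |SetCertificateImporter|. May be NULL until then (or, in tests,
  // until SetCertificateImporterForTest() is called).
  scoped_ptr<chromeos::onc::CertificateImporter> certificate_importer_;

  // Registration for the PROFILE_ADDED notification handled in Observe().
  content::NotificationRegistrar registrar_;

  // Kept as the last member (Chromium convention) so outstanding weak pointers
  // are invalidated before the other members are destroyed.
  base::WeakPtrFactory<UserNetworkConfigurationUpdater> weak_factory_;

  DISALLOW_COPY_AND_ASSIGN(UserNetworkConfigurationUpdater);
};

}  // namespace policy

#endif  // CHROME_BROWSER_CHROMEOS_POLICY_USER_NETWORK_CONFIGURATION_UPDATER_H_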