chromium/chromeos/ash/components/network/onc/onc_certificate_importer_impl.h

// Copyright 2013 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROMEOS_ASH_COMPONENTS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_
#define CHROMEOS_ASH_COMPONENTS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_

#include <map>
#include <memory>
#include <string>
#include <vector>

#include "base/component_export.h"
#include "base/memory/raw_ptr.h"
#include "base/memory/ref_counted.h"
#include "base/memory/weak_ptr.h"
#include "chromeos/ash/components/network/onc/onc_certificate_importer.h"
#include "chromeos/components/onc/onc_parsed_certificates.h"
#include "components/onc/onc_constants.h"

namespace base {
class SequencedTaskRunner;
}

namespace net {
class NSSCertDatabase;
}

namespace ash::onc {

// This class handles certificate imports from ONC (both policy and user
// imports) into a certificate store. The GUID of Client certificates is stored
// together with the certificate as Nickname. In contrast, Server and CA
// certificates are identified by their PEM and not by GUID.
// TODO(pneubeck): Replace Nickname by PEM for Client
// certificates. http://crbug.com/252119
class COMPONENT_EXPORT(CHROMEOS_NETWORK) CertificateImporterImpl
    : public CertificateImporter {
 public:
  // |io_task_runner| will be used for NSSCertDatabase accesses.
  CertificateImporterImpl(
      const scoped_refptr<base::SequencedTaskRunner>& io_task_runner,
      net::NSSCertDatabase* target_nssdb_);

  CertificateImporterImpl(const CertificateImporterImpl&) = delete;
  CertificateImporterImpl& operator=(const CertificateImporterImpl&) = delete;

  ~CertificateImporterImpl() override;

  // CertificateImporter overrides
  void ImportAllCertificatesUserInitiated(
      const std::vector<
          chromeos::onc::OncParsedCertificates::ServerOrAuthorityCertificate>&
          server_or_authority_certificates,
      const std::vector<
          chromeos::onc::OncParsedCertificates::ClientCertificate>&
          client_certificates,
      DoneCallback done_callback) override;

  void ImportClientCertificates(
      const std::vector<
          chromeos::onc::OncParsedCertificates::ClientCertificate>&
          client_certificates,
      DoneCallback done_callback) override;

 private:
  // Runs |task| on the |io_task_runner_|. Calls |done_callback| on the origin
  // loop if this |CertificateImporterImpl| has not been destroyed in the
  // meantime.
  void RunTaskOnIOTaskRunnerAndCallDoneCallback(base::OnceCallback<bool()> task,
                                                DoneCallback done_callback);

  // Calls |callback| with |success|. This is used to ensure that |callback| is
  // only called if this |CertificateImporterImpl| has not been destroyed yet.
  void RunDoneCallback(DoneCallback callback, bool success);

  // Synchronously imports |client_certificates| into |nssdb|. This will be
  // executed on the |io_task_runner_|.
  static bool StoreClientCertificates(
      const std::vector<
          chromeos::onc::OncParsedCertificates::ClientCertificate>&
          client_certificates,
      net::NSSCertDatabase* nssdb);

  // Synchronously imports all server/authority and client certificates from
  // |certificates| into |nssdb|. This will be executed on the
  // |io_task_runner_|.
  static bool StoreAllCertificatesUserInitiated(
      const std::vector<
          chromeos::onc::OncParsedCertificates::ServerOrAuthorityCertificate>&
          server_or_authority_certificates,
      const std::vector<
          chromeos::onc::OncParsedCertificates::ClientCertificate>&
          client_certificates,
      net::NSSCertDatabase* nssdb);

  // Imports the Server or CA certificate |certificate|. Web trust is only
  // applied if the certificate requests the TrustBits attribute "Web".
  static bool StoreServerOrCaCertificateUserInitiated(
      const chromeos::onc::OncParsedCertificates::ServerOrAuthorityCertificate&
          certificate,
      net::NSSCertDatabase* nssdb);

  static bool StoreClientCertificate(
      const chromeos::onc::OncParsedCertificates::ClientCertificate&
          certificate,
      net::NSSCertDatabase* nssdb);

  // The task runner to use for NSSCertDatabase accesses.
  scoped_refptr<base::SequencedTaskRunner> io_task_runner_;

  // The certificate database to which certificates are imported.
  raw_ptr<net::NSSCertDatabase> target_nssdb_;

  base::WeakPtrFactory<CertificateImporterImpl> weak_factory_{this};
};

}  // namespace ash::onc

#endif  // CHROMEOS_ASH_COMPONENTS_NETWORK_ONC_ONC_CERTIFICATE_IMPORTER_IMPL_H_