chromium/chrome/browser/policy/networking/network_configuration_updater.h

// Copyright 2012 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_POLICY_NETWORKING_NETWORK_CONFIGURATION_UPDATER_H_
#define CHROME_BROWSER_POLICY_NETWORKING_NETWORK_CONFIGURATION_UPDATER_H_

#include <memory>
#include <set>
#include <string>
#include <vector>

#include "base/memory/raw_ptr.h"
#include "base/observer_list.h"
#include "base/sequence_checker.h"
#include "base/values.h"
#include "chromeos/ash/components/network/policy_certificate_provider.h"
#include "chromeos/components/onc/certificate_scope.h"
#include "chromeos/components/onc/onc_parsed_certificates.h"
#include "components/onc/onc_constants.h"
#include "components/policy/core/common/policy_service.h"

namespace policy {

class PolicyMap;

// Implements the common part of tracking the OpenNetworkConfiguration device
// and user policy. Implements the handling of server and authority certificates
// (that will be propagated to the network service). Provides entry points for
// handling client certificates and network configurations in subclasses.
// Does not handle proxy settings.
class NetworkConfigurationUpdater : public ash::PolicyCertificateProvider,
                                    public PolicyService::Observer {
 public:
  NetworkConfigurationUpdater(const NetworkConfigurationUpdater&) = delete;
  NetworkConfigurationUpdater& operator=(const NetworkConfigurationUpdater&) =
      delete;

  ~NetworkConfigurationUpdater() override;

  // PolicyService::Observer overrides
  void OnPolicyUpdated(const PolicyNamespace& ns,
                       const PolicyMap& previous,
                       const PolicyMap& current) override;
  void OnPolicyServiceInitialized(PolicyDomain domain) override;

  // The observer interface sends notifications about changes in server and
  // authority certificates.
  // ash::PolicyCertificateProvider:
  void AddPolicyProvidedCertsObserver(
      ash::PolicyCertificateProvider::Observer* observer) override;
  void RemovePolicyProvidedCertsObserver(
      ash::PolicyCertificateProvider::Observer* observer) override;
  net::CertificateList GetAllServerAndAuthorityCertificates(
      const chromeos::onc::CertificateScope& scope) const override;
  net::CertificateList GetAllAuthorityCertificates(
      const chromeos::onc::CertificateScope& scope) const override;
  net::CertificateList GetWebTrustedCertificates(
      const chromeos::onc::CertificateScope& scope) const override;
  net::CertificateList GetCertificatesWithoutWebTrust(
      const chromeos::onc::CertificateScope& scope) const override;

  const std::set<std::string>& GetExtensionIdsWithPolicyCertificates()
      const override;

 protected:
  NetworkConfigurationUpdater(onc::ONCSource onc_source,
                              std::string policy_key,
                              PolicyService* policy_service);

  virtual void Init();

  // Called in the subclass to import client certificates provided by the ONC
  // policy. The client certificates to be imported can be obtained using
  // |GetClientcertificates()|.
  virtual void ImportClientCertificates() = 0;

  // Parses the incoming policy, applies server and authority certificates.
  // Calls the specialized methods from subclasses to handle client certificates
  // and network configs.
  virtual void ApplyNetworkPolicy(
      const base::Value::List& network_configs_onc,
      const base::Value::Dict& global_network_config) = 0;

  // Parses the current value of the ONC policy. Clears |network_configs|,
  // |global_network_config| and |certificates| and fills them with the
  // validated NetworkConfigurations, GlobalNetworkConfiguration and
  // Certificates of the current policy. Callers can pass nullptr to any of
  // |network_configs|, |global_network_config|, |certificates| if they don't
  // need that specific part of the ONC policy.
  void ParseCurrentPolicy(base::Value::List* network_configs,
                          base::Value::Dict* global_network_config,
                          base::Value::List* certificates);

  const std::vector<chromeos::onc::OncParsedCertificates::ClientCertificate>&
  GetClientCertificates() const;

  onc::ONCSource onc_source_;

  SEQUENCE_CHECKER(sequence_checker_);

 private:
  // Called if the ONC policy changed.
  void OnPolicyChanged(const base::Value* previous, const base::Value* current);

  // Apply the observed policy, i.e. both networks and certificates.
  void ApplyPolicy();

  std::string LogHeader() const;

  // Imports the certificates part of the policy.
  void ImportCertificates(base::Value::List certificates_onc);

  void NotifyPolicyProvidedCertsChanged();

  std::string policy_key_;

  // Used to register for notifications from the |policy_service_|.
  PolicyChangeRegistrar policy_change_registrar_;

  // Used to retrieve the policies.
  raw_ptr<PolicyService> policy_service_;

  // Holds certificates from the last parsed ONC policy.
  std::unique_ptr<chromeos::onc::OncParsedCertificates> certs_;
  std::set<std::string> extension_ids_with_policy_certificates_;

  // Observer list for notifying about ONC-provided server and CA certificate
  // changes.
  base::ObserverList<ash::PolicyCertificateProvider::Observer, true>::Unchecked
      observer_list_;
};

}  // namespace policy

#endif  // CHROME_BROWSER_POLICY_NETWORKING_NETWORK_CONFIGURATION_UPDATER_H_