We should reject incoming ONC policy if it contains validation errors instead of dropping all managed networks. Discussion: go/chromeos-robust-onc-policy
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fd84044fcd84e48ac82511577e709a2914197131

commit fd84044fcd84e48ac82511577e709a2914197131
Author: Pavol Marko <pmarko@chromium.org>
Date: Fri Apr 27 20:55:06 2018

Proto changes for policy validation reporting

Introduce a new PolicyValidationReportRequest which will be used to upload the results of policy validation after policy fetches.

BUG=794848, b:70641944
Change-Id: I21d9fc52c82ff865a0877254c3c09db61e410547
Reviewed-on: https://chromium-review.googlesource.com/913573
Commit-Queue: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Maksim Ivanov <emaxx@chromium.org>
Reviewed-by: Drew Wilson <atwilson@chromium.org>
Reviewed-by: Julian Pastarmov <pastarmovj@chromium.org>
Cr-Commit-Position: refs/heads/master@{#554505}

[modify] https://crrev.com/fd84044fcd84e48ac82511577e709a2914197131/components/policy/proto/device_management_backend.proto
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f27ddf407afcfef726612fda7a20f8ada5fda880

commit f27ddf407afcfef726612fda7a20f8ada5fda880
Author: Alexander Hendrich <hendrich@chromium.org>
Date: Fri Aug 10 09:17:13 2018

Detailed ONC value validation

This CL updates the ONC Validator to not only log detailed errors/warning messages, but also collect them for later use (e.g., reporting to policy server or displaying in chrome://policy).

DesignDoc: go/chromeos-robust-onc-policy
Bug: 794848, 855057
Change-Id: Ie22ed887b3b298a8b7e92b175376f98d5f492dc3
Reviewed-on: https://chromium-review.googlesource.com/1116787
Commit-Queue: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582099}

[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chrome/browser/chromeos/policy/configuration_policy_handler_chromeos.cc
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/network/managed_network_configuration_handler_impl.cc
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/network/managed_network_configuration_handler_unittest.cc
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/network/onc/onc_utils.cc
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/network/onc/onc_validator.cc
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/network/onc/onc_validator.h
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/network/onc/onc_validator_unittest.cc
[modify] https://crrev.com/f27ddf407afcfef726612fda7a20f8ada5fda880/chromeos/test/data/network/invalid_settings_with_repairs.json
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ce3a5818fbbe129065a679bd5e779b890b58c77e

commit ce3a5818fbbe129065a679bd5e779b890b58c77e
Author: Alexander Hendrich <hendrich@chromium.org>
Date: Fri Aug 10 16:53:31 2018

Add policy value validation and reporting

This CL adds policy value validation to policy validators. For now, we only collect value validation errors/warnings and report them back to the DM server. In the future, the policy value validation can also reject entire policy blobs, if the value validation fails for a single policy. Right now only the values of ONC policies are validated and can generate warnings and errors.

Bug: 794848
Test: unit_tests / components_unittests
Change-Id: If4569075f698afd49e951794e78d53c0de73eeb2
Reviewed-on: https://chromium-review.googlesource.com/1127164
Reviewed-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Alexander Hendrich <hendrich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582208}

[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/BUILD.gn
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/configuration_policy_handler_chromeos.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos_unittest.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/device_local_account_policy_store.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/device_local_account_policy_store.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
[add] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/value_validation/onc_device_policy_value_validator.cc
[add] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/value_validation/onc_device_policy_value_validator.h
[add] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/value_validation/onc_policy_value_validator_base.h
[add] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/value_validation/onc_user_policy_value_validator.cc
[add] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/chrome/browser/chromeos/policy/value_validation/onc_user_policy_value_validator.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/browser/cloud/message_util.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/browser/policy_error_map.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/browser/policy_error_map.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/BUILD.gn
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_client.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_client.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_client_unittest.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_constants.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_constants.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_service.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_service.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_service_unittest.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_store.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_store.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_validator.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_validator.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/cloud_policy_validator_unittest.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/device_management_service.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/device_management_service.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/mock_cloud_policy_client.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/mock_cloud_policy_store.h
[add] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/policy_value_validator.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/user_cloud_policy_store.cc
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/core/common/cloud/user_cloud_policy_store.h
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy/proto/device_management_backend.proto
[modify] https://crrev.com/ce3a5818fbbe129065a679bd5e779b890b58c77e/components/policy_strings.grdp
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b6170513ec3ac3559618ed970f621be4540c61e1

commit b6170513ec3ac3559618ed970f621be4540c61e1
Author: Alexander Hendrich <hendrich@chromium.org>
Date: Thu Aug 16 10:06:28 2018

Fix order of path_.pop_back() and AddValidationIssue() in ONC validator

This CL fixes the order of path_.pop_back() and AddValidationIssue() on multiple occasions. The path is used in AddValidationIssue() and therefore, the current field name should only be removed from the path after the call to AddValidationIssue().

Bug: 794848, 855057
Change-Id: I94f0cb67501fdf7625b6ae1820d8c602d462598a
Reviewed-on: https://chromium-review.googlesource.com/1174115
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Commit-Queue: Alexander Hendrich <hendrich@chromium.org>
Cr-Commit-Position: refs/heads/master@{#583593}

[modify] https://crrev.com/b6170513ec3ac3559618ed970f621be4540c61e1/chromeos/network/onc/onc_validator.cc
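
The ordering problem described in the commit message above, shown in a simplified model. This is an added example, not Chromium's code or part of the original page: `Field`, `Validator`, `Visit` and `ReportedIssues` are hypothetical names, the field tree is constructed sample data, and only `path_` and `AddValidationIssue` are taken from the commit message.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Simplified model, not Chromium code. Only path_ and AddValidationIssue
// are names from the commit message; everything else is hypothetical.
struct Field {
  std::string name;
  bool valid;
  std::vector<Field> children;
};

class Validator {
 public:
  explicit Validator(bool pop_first) : pop_first_(pop_first) {}
  std::vector<std::string> Validate(const Field& root) {
    Visit(root);
    return issues_;
  }

 private:
  void Visit(const Field& field) {
    path_.push_back(field.name);
    for (const Field& child : field.children) Visit(child);
    if (!field.valid && pop_first_) {
      path_.pop_back();  // order before the fix: field name already gone
      AddValidationIssue("invalid value");
      return;
    }
    if (!field.valid) AddValidationIssue("invalid value");  // report first
    path_.pop_back();                                       // then pop
  }
  void AddValidationIssue(const std::string& message) {
    std::string joined;  // dotted path to the field being validated
    for (const std::string& part : path_)
      joined += (joined.empty() ? "" : ".") + part;
    issues_.push_back(joined + ": " + message);
  }
  bool pop_first_;
  std::vector<std::string> path_;
  std::vector<std::string> issues_;
};

// Constructed sample: one invalid field nested two levels deep.
std::vector<std::string> ReportedIssues(bool pop_first) {
  Field wifi{"WiFi", true, {Field{"Security", false, {}}}};
  return Validator(pop_first).Validate(Field{"NetworkConfigurations", true, {wifi}});
}
int main() {
  std::cout << ReportedIssues(true)[0] << "\n" << ReportedIssues(false)[0] << "\n";
}
```

With the pop done first, the collected issue is attributed to the parent object rather than the failing field, which matters once these issues are reported to the policy server or shown in chrome://policy.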
Comment 1 by pmarko@chromium.org, Dec 14 2017