Add 'AllowOnlyPolicyNetworksToConnectIfAvailable' policy to ONC

Added the 'AllowOnlyPolicyNetworksToConnectIfAvailable' policy to ONC.
If a managed network is available in the lsit of visible networks, all
unmanaged networks are considered as prohibited. However, we don't
remove network configurations for unmanaged networks because we might
want to re-connect with them, once we lose availability of the managed
network.
If this policy is enabled, we are currently connected to an unmanaged
network and a managed network is available, we automatically connect
to the available managed network when the network scan finishes.

Bug: 848719
Change-Id: I6da37d1b9d7813ff7bdfd52ab0e28081f9e48631
Reviewed-on: https://chromium-review.googlesource.com/1122979
Commit-Queue: Alexander Hendrich <hendrich@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Cait Phillips <caitkp@chromium.org>
Cr-Commit-Position: refs/heads/master@{#579769}

chromeos/network/auto_connect_handler.cc

@@ -57,6 +57,19 @@ void RemoveNetworkConfigurationErrorCallback(
                  << "Error data: " << error_data_ss.str();
 }
 
+void ConnectToNetworkErrorCallback(
+    const std::string& error_name,
+    std::unique_ptr<base::DictionaryValue> error_data) {
+  std::stringstream error_data_ss;
+  if (error_data)
+    error_data_ss << *error_data;
+  else
+    error_data_ss << "<none>";
+  NET_LOG(ERROR) << "AutoConnectHandler ConnectToNetwork failed. "
+                 << "Error name: \"" << error_name << "\", "
+                 << "Error data: " << error_data_ss.str();
+}
+
 void SetPropertiesErrorCallback(
     const std::string& error_name,
     std::unique_ptr<base::DictionaryValue> error_data) {
@@ -187,10 +200,30 @@ void AutoConnectHandler::PoliciesApplied(const std::string& userhash) {
 }
 
 void AutoConnectHandler::ScanCompleted(const DeviceState* device) {
-  if (!connect_to_best_services_after_scan_ ||
-      device->type() != shill::kTypeWifi) {
+  if (device->type() != shill::kTypeWifi)
     return;
+
+  // Enforce AllowOnlyPolicyNetworksToConnectIfAvailable policy if enabled.
+  const NetworkState* managed_network =
+      network_state_handler_->GetAvailableManagedWifiNetwork();
+  if (device_policy_applied_ && user_policy_applied_ && managed_network &&
+      managed_configuration_handler_
+          ->AllowOnlyPolicyNetworksToConnectIfAvailable()) {
+    const NetworkState* connected_network =
+        network_state_handler_->ConnectedNetworkByType(
+            NetworkTypePattern::WiFi());
+    if (connected_network && !connected_network->IsManagedByPolicy()) {
+      network_connection_handler_->ConnectToNetwork(
+          managed_network->path(), base::DoNothing(),
+          base::Bind(&ConnectToNetworkErrorCallback), false,
+          ConnectCallbackMode::ON_COMPLETED);
+      return;
+    }
   }
+
+  if (!connect_to_best_services_after_scan_)
+    return;
+
   connect_to_best_services_after_scan_ = false;
   // Request ConnectToBestServices after processing any pending DBus calls.
   base::ThreadTaskRunnerHandle::Get()->PostTask(
@@ -295,6 +328,10 @@ void AutoConnectHandler::DisconnectIfPolicyRequires() {
       managed_configuration_handler_->AllowOnlyPolicyNetworksToConnect();
   bool only_managed_autoconnect =
       managed_configuration_handler_->AllowOnlyPolicyNetworksToAutoconnect();
+  bool available_only =
+      managed_configuration_handler_
+          ->AllowOnlyPolicyNetworksToConnectIfAvailable() &&
+      network_state_handler_->GetAvailableManagedWifiNetwork();
 
   // Enforce the autoconnect-policy only once.
   if (applied_autoconnect_policy_)
@@ -304,7 +341,7 @@ void AutoConnectHandler::DisconnectIfPolicyRequires() {
 
   // Early exit if no policy is set that requires any disconnects.
   if (!only_managed && !only_managed_autoconnect &&
-      blacklisted_hex_ssids.empty()) {
+      blacklisted_hex_ssids.empty() && !available_only) {
     return;
   }
 
@@ -319,7 +356,7 @@ void AutoConnectHandler::DisconnectIfPolicyRequires() {
       // Disconnect & remove configuration.
       if (network->IsConnectingOrConnected())
         DisconnectNetwork(network->path());
-      if (network->IsInProfile())
+      if (network->IsInProfile() && !available_only)
         RemoveNetworkConfigurationForNetwork(network->path());
     } else if (only_managed_autoconnect) {
       // Disconnect & disable auto-connect.

chromeos/network/auto_connect_handler_unittest.cc

@@ -601,4 +601,46 @@ TEST_F(AutoConnectHandlerTest, DisconnectFromBlacklistedNetwork) {
   EXPECT_EQ(0, test_observer_->num_auto_connect_events());
 }
 
+TEST_F(AutoConnectHandlerTest, AllowOnlyPolicyNetworksToConnectIfAvailable) {
+  EXPECT_FALSE(ConfigureService(kConfigUnmanagedSharedConnected).empty());
+  EXPECT_FALSE(ConfigureService(kConfigManagedSharedConnectable).empty());
+
+  LoginToRegularUser();
+  StartCertLoader();
+  EXPECT_EQ(shill::kStateOnline, GetServiceState("wifi0"));
+  EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+  EXPECT_TRUE(DBusThreadManager::Get()
+                  ->GetShillProfileClient()
+                  ->GetTestInterface()
+                  ->HasService("wifi0"));
+
+  // Apply 'AllowOnlyPolicyNetworksToConnectIfAvailable' policy as a device
+  // policy and provide a network configuration for wifi1 to make it managed.
+  base::DictionaryValue global_config;
+  global_config.SetKey(::onc::global_network_config::
+                           kAllowOnlyPolicyNetworksToConnectIfAvailable,
+                       base::Value(true));
+  SetupPolicy(kPolicy, global_config, false /* load as device policy */);
+  EXPECT_EQ(shill::kStateOnline, GetServiceState("wifi0"));
+  EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+  EXPECT_TRUE(DBusThreadManager::Get()
+                  ->GetShillProfileClient()
+                  ->GetTestInterface()
+                  ->HasService("wifi0"));
+
+  // Apply an empty user policy (no whitelist for wifi0). Connection to wifi0
+  // should be disconnected due to being unmanaged and managed network wifi1
+  // being available. wifi0 configuration should not be removed.
+  SetupPolicy(std::string(), base::DictionaryValue(),
+              true /* load as user policy */);
+  EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi0"));
+  EXPECT_EQ(shill::kStateIdle, GetServiceState("wifi1"));
+  EXPECT_TRUE(DBusThreadManager::Get()
+                  ->GetShillProfileClient()
+                  ->GetTestInterface()
+                  ->HasService("wifi0"));
+
+  EXPECT_EQ(0, test_observer_->num_auto_connect_events());
+}
+
 }  // namespace chromeos

chromeos/network/device_state.cc

@@ -24,8 +24,7 @@ DeviceState::DeviceState(const std::string& path)
       scanning_(false),
       sim_retries_left_(0),
       sim_present_(true),
-      eap_authentication_completed_(false) {
-}
+      eap_authentication_completed_(false) {}
 
 DeviceState::~DeviceState() = default;
 

chromeos/network/device_state.h

@@ -64,6 +64,15 @@ class CHROMEOS_EXPORT DeviceState : public ManagedState {
     return eap_authentication_completed_;
   }
 
+  // WiFi specific accessors
+  const std::string& available_managed_network_path() const {
+    return available_managed_network_path_;
+  }
+  void set_available_managed_network_path(
+      const std::string available_managed_network_path) {
+    available_managed_network_path_ = available_managed_network_path;
+  }
+
   // Returns a human readable string for the device.
   std::string GetName() const;
 
@@ -100,6 +109,9 @@ class CHROMEOS_EXPORT DeviceState : public ManagedState {
   // Ethernet specific properties
   bool eap_authentication_completed_;
 
+  // WiFi specific properties
+  std::string available_managed_network_path_;
+
   // Keep all Device properties in a dictionary for now. See comment above.
   base::DictionaryValue properties_;
 

chromeos/network/managed_network_configuration_handler.h

@@ -161,6 +161,10 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandler {
   // Return true if the AllowOnlyPolicyNetworksToConnect policy is enabled.
   virtual bool AllowOnlyPolicyNetworksToConnect() const = 0;
 
+  // Return true if the AllowOnlyPolicyNetworksToConnectIfAvailable policy is
+  // enabled.
+  virtual bool AllowOnlyPolicyNetworksToConnectIfAvailable() const = 0;
+
   // Return true if the AllowOnlyPolicyNetworksToAutoconnect policy is enabled.
   virtual bool AllowOnlyPolicyNetworksToAutoconnect() const = 0;
 

chromeos/network/managed_network_configuration_handler_impl.cc

@@ -722,8 +722,10 @@ void ManagedNetworkConfigurationHandlerImpl::OnPoliciesApplied(
       user_policy_applied_ = true;
 
     if (device_policy_applied_ && user_policy_applied_) {
-      network_state_handler_->UpdateBlockedNetworks(
-          AllowOnlyPolicyNetworksToConnect(), GetBlacklistedHexSSIDs());
+      network_state_handler_->UpdateBlockedWifiNetworks(
+          AllowOnlyPolicyNetworksToConnect(),
+          AllowOnlyPolicyNetworksToConnectIfAvailable(),
+          GetBlacklistedHexSSIDs());
     }
 
     for (auto& observer : observers_)
@@ -825,6 +827,23 @@ bool ManagedNetworkConfigurationHandlerImpl::AllowOnlyPolicyNetworksToConnect()
   return managed_only_value && managed_only_value->GetBool();
 }
 
+bool ManagedNetworkConfigurationHandlerImpl::
+    AllowOnlyPolicyNetworksToConnectIfAvailable() const {
+  const base::DictionaryValue* global_network_config =
+      GetGlobalConfigFromPolicy(
+          std::string() /* no username hash, device policy */);
+  if (!global_network_config)
+    return false;
+
+  // Check if policy is enabled.
+  const base::Value* available_only_value =
+      global_network_config->FindKeyOfType(
+          ::onc::global_network_config::
+              kAllowOnlyPolicyNetworksToConnectIfAvailable,
+          base::Value::Type::BOOLEAN);
+  return available_only_value && available_only_value->GetBool();
+}
+
 bool ManagedNetworkConfigurationHandlerImpl::
     AllowOnlyPolicyNetworksToAutoconnect() const {
   const base::DictionaryValue* global_network_config =

chromeos/network/managed_network_configuration_handler_impl.h

@@ -99,6 +99,7 @@ class CHROMEOS_EXPORT ManagedNetworkConfigurationHandlerImpl
       onc::ONCSource* onc_source) const override;
 
   bool AllowOnlyPolicyNetworksToConnect() const override;
+  bool AllowOnlyPolicyNetworksToConnectIfAvailable() const override;
   bool AllowOnlyPolicyNetworksToAutoconnect() const override;
   std::vector<std::string> GetBlacklistedHexSSIDs() const override;
 

chromeos/network/managed_network_configuration_handler_unittest.cc

@@ -696,8 +696,9 @@ TEST_F(ManagedNetworkConfigurationHandlerTest,
   InitializeStandardProfiles();
 
   // Check transfer to NetworkStateHandler
-  EXPECT_CALL(*network_state_handler_,
-              UpdateBlockedNetworks(true, std::vector<std::string>()))
+  EXPECT_CALL(
+      *network_state_handler_,
+      UpdateBlockedWifiNetworks(true, false, std::vector<std::string>()))
       .Times(1);
 
   // Set 'AllowOnlyPolicyNetworksToConnect' policy and a random user policy.
@@ -708,6 +709,32 @@ TEST_F(ManagedNetworkConfigurationHandlerTest,
 
   // Check ManagedNetworkConfigurationHandler policy accessors.
   EXPECT_TRUE(managed_handler()->AllowOnlyPolicyNetworksToConnect());
+  EXPECT_FALSE(
+      managed_handler()->AllowOnlyPolicyNetworksToConnectIfAvailable());
+  EXPECT_FALSE(managed_handler()->AllowOnlyPolicyNetworksToAutoconnect());
+  EXPECT_TRUE(managed_handler()->GetBlacklistedHexSSIDs().empty());
+}
+
+TEST_F(ManagedNetworkConfigurationHandlerTest,
+       AllowOnlyPolicyNetworksToConnectIfAvailable) {
+  InitializeStandardProfiles();
+
+  // Check transfer to NetworkStateHandler
+  EXPECT_CALL(
+      *network_state_handler_,
+      UpdateBlockedWifiNetworks(false, true, std::vector<std::string>()))
+      .Times(1);
+
+  // Set 'AllowOnlyPolicyNetworksToConnect' policy and a random user policy.
+  SetPolicy(
+      ::onc::ONC_SOURCE_DEVICE_POLICY, std::string(),
+      "policy/policy_allow_only_policy_networks_to_connect_if_available.onc");
+  SetPolicy(::onc::ONC_SOURCE_USER_POLICY, kUser1, "policy/policy_wifi1.onc");
+  base::RunLoop().RunUntilIdle();
+
+  // Check ManagedNetworkConfigurationHandler policy accessors.
+  EXPECT_FALSE(managed_handler()->AllowOnlyPolicyNetworksToConnect());
+  EXPECT_TRUE(managed_handler()->AllowOnlyPolicyNetworksToConnectIfAvailable());
   EXPECT_FALSE(managed_handler()->AllowOnlyPolicyNetworksToAutoconnect());
   EXPECT_TRUE(managed_handler()->GetBlacklistedHexSSIDs().empty());
 }
@@ -717,8 +744,9 @@ TEST_F(ManagedNetworkConfigurationHandlerTest,
   InitializeStandardProfiles();
 
   // Check transfer to NetworkStateHandler
-  EXPECT_CALL(*network_state_handler_,
-              UpdateBlockedNetworks(false, std::vector<std::string>()))
+  EXPECT_CALL(
+      *network_state_handler_,
+      UpdateBlockedWifiNetworks(false, false, std::vector<std::string>()))
       .Times(1);
 
   // Set 'AllowOnlyPolicyNetworksToAutoconnect' policy and a random user policy.
@@ -729,6 +757,8 @@ TEST_F(ManagedNetworkConfigurationHandlerTest,
 
   // Check ManagedNetworkConfigurationHandler policy accessors.
   EXPECT_FALSE(managed_handler()->AllowOnlyPolicyNetworksToConnect());
+  EXPECT_FALSE(
+      managed_handler()->AllowOnlyPolicyNetworksToConnectIfAvailable());
   EXPECT_TRUE(managed_handler()->AllowOnlyPolicyNetworksToAutoconnect());
   EXPECT_TRUE(managed_handler()->GetBlacklistedHexSSIDs().empty());
 }
@@ -738,7 +768,8 @@ TEST_F(ManagedNetworkConfigurationHandlerTest, GetBlacklistedHexSSIDs) {
   std::vector<std::string> blacklist = {"476F6F676C65477565737450534B"};
 
   // Check transfer to NetworkStateHandler
-  EXPECT_CALL(*network_state_handler_, UpdateBlockedNetworks(false, blacklist))
+  EXPECT_CALL(*network_state_handler_,
+              UpdateBlockedWifiNetworks(false, false, blacklist))
       .Times(1);
 
   // Set 'BlacklistedHexSSIDs' policy and a random user policy.
@@ -749,6 +780,8 @@ TEST_F(ManagedNetworkConfigurationHandlerTest, GetBlacklistedHexSSIDs) {
 
   // Check ManagedNetworkConfigurationHandler policy accessors.
   EXPECT_FALSE(managed_handler()->AllowOnlyPolicyNetworksToConnect());
+  EXPECT_FALSE(
+      managed_handler()->AllowOnlyPolicyNetworksToConnectIfAvailable());
   EXPECT_FALSE(managed_handler()->AllowOnlyPolicyNetworksToAutoconnect());
   EXPECT_EQ(blacklist, managed_handler()->GetBlacklistedHexSSIDs());
 }

chromeos/network/mock_managed_network_configuration_handler.h

@@ -76,6 +76,7 @@ class CHROMEOS_EXPORT MockManagedNetworkConfigurationHandler
                                    const std::string& profile_path,
                                    ::onc::ONCSource* onc_source));
   MOCK_CONST_METHOD0(AllowOnlyPolicyNetworksToConnect, bool());
+  MOCK_CONST_METHOD0(AllowOnlyPolicyNetworksToConnectIfAvailable, bool());
   MOCK_CONST_METHOD0(AllowOnlyPolicyNetworksToAutoconnect, bool());
   MOCK_CONST_METHOD0(GetBlacklistedHexSSIDs, std::vector<std::string>());
 

chromeos/network/mock_network_state_handler.h

@@ -19,8 +19,8 @@ class CHROMEOS_EXPORT MockNetworkStateHandler : public NetworkStateHandler {
   static std::unique_ptr<MockNetworkStateHandler> InitializeForTest();
 
   // NetworkStateHandler overrides
-  MOCK_METHOD2(UpdateBlockedNetworks,
-               void(bool, const std::vector<std::string>&));
+  MOCK_METHOD3(UpdateBlockedWifiNetworks,
+               void(bool, bool, const std::vector<std::string>&));
 
  private:
   DISALLOW_COPY_AND_ASSIGN(MockNetworkStateHandler);

chromeos/network/network_connection_handler_impl.cc

@@ -18,6 +18,7 @@
 #include "chromeos/network/certificate_pattern.h"
 #include "chromeos/network/client_cert_resolver.h"
 #include "chromeos/network/client_cert_util.h"
+#include "chromeos/network/device_state.h"
 #include "chromeos/network/managed_network_configuration_handler.h"
 #include "chromeos/network/network_configuration_handler.h"
 #include "chromeos/network/network_event_log.h"
@@ -473,11 +474,10 @@ void NetworkConnectionHandlerImpl::VerifyConfiguredAndConnect(
       ErrorCallbackForPendingRequest(service_path, kErrorHexSsidRequired);
       return;
     }
-    std::string hex_ssid = hex_ssid_value->GetString();
-    std::vector<std::string> blacklisted_hex_ssids =
-        managed_configuration_handler_->GetBlacklistedHexSSIDs();
-    if (managed_configuration_handler_->AllowOnlyPolicyNetworksToConnect() ||
-        base::ContainsValue(blacklisted_hex_ssids, hex_ssid)) {
+    if (network_state_handler_->OnlyManagedWifiNetworksAllowed() ||
+        base::ContainsValue(
+            managed_configuration_handler_->GetBlacklistedHexSSIDs(),
+            hex_ssid_value->GetString())) {
       ErrorCallbackForPendingRequest(service_path, kErrorBlockedByPolicy);
       return;
     }

chromeos/network/network_state_handler.cc

@@ -126,23 +126,37 @@ void NetworkStateHandler::InitShillPropertyHandler() {
   shill_property_handler_->Init();
 }
 
-void NetworkStateHandler::UpdateBlockedNetworks(
+void NetworkStateHandler::UpdateBlockedWifiNetworks(
     bool only_managed,
+    bool available_only,
     const std::vector<std::string>& blacklisted_hex_ssids) {
   if (allow_only_policy_networks_to_connect_ == only_managed &&
+      allow_only_policy_networks_to_connect_if_available_ == available_only &&
       blacklisted_hex_ssids_ == blacklisted_hex_ssids) {
     return;
   }
   allow_only_policy_networks_to_connect_ = only_managed;
+  allow_only_policy_networks_to_connect_if_available_ = available_only;
   blacklisted_hex_ssids_ = blacklisted_hex_ssids;
 
-  for (auto iter = network_list_.begin(); iter != network_list_.end(); ++iter) {
-    NetworkState* network = (*iter)->AsNetworkState();
-    if (!network->Matches(NetworkTypePattern::WiFi()))
-      continue;
-    if (UpdateBlockedByPolicy(network))
-      NotifyNetworkPropertiesUpdated(network);
-  }
+  UpdateBlockedWifiNetworksInternal();
+}
+
+const NetworkState* NetworkStateHandler::GetAvailableManagedWifiNetwork()
+    const {
+  DeviceState* device =
+      GetModifiableDeviceStateByType(NetworkTypePattern::WiFi());
+  const std::string& available_managed_network_path =
+      device->available_managed_network_path();
+  if (available_managed_network_path.empty())
+    return nullptr;
+  return GetNetworkState(available_managed_network_path);
+}
+
+bool NetworkStateHandler::OnlyManagedWifiNetworksAllowed() const {
+  return allow_only_policy_networks_to_connect_ ||
+         (allow_only_policy_networks_to_connect_if_available_ &&
+          GetAvailableManagedWifiNetwork());
 }
 
 // static
@@ -301,13 +315,10 @@ const DeviceState* NetworkStateHandler::GetDeviceState(
 
 const DeviceState* NetworkStateHandler::GetDeviceStateByType(
     const NetworkTypePattern& type) const {
-  for (const auto& device : device_list_) {
-    if (!device->update_received())
-      continue;
-    if (device->Matches(type))
-      return device->AsDeviceState();
-  }
-  return nullptr;
+  const DeviceState* device = GetModifiableDeviceStateByType(type);
+  if (device && !device->update_received())
+    return nullptr;
+  return device;
 }
 
 bool NetworkStateHandler::GetScanningByType(
@@ -892,16 +903,54 @@ void NetworkStateHandler::EnsureTetherDeviceState() {
 }
 
 bool NetworkStateHandler::UpdateBlockedByPolicy(NetworkState* network) const {
+  if (network->type().empty() || !network->Matches(NetworkTypePattern::WiFi()))
+    return false;
+
   bool prev_blocked_by_policy = network->blocked_by_policy();
   bool blocked_by_policy =
-      network->Matches(NetworkTypePattern::WiFi()) &&
       !network->IsManagedByPolicy() &&
-      (allow_only_policy_networks_to_connect_ ||
+      (OnlyManagedWifiNetworksAllowed() ||
        base::ContainsValue(blacklisted_hex_ssids_, network->GetHexSsid()));
   network->set_blocked_by_policy(blocked_by_policy);
   return prev_blocked_by_policy != blocked_by_policy;
 }
 
+void NetworkStateHandler::UpdateManagedWifiNetworkAvailable() {
+  DeviceState* device =
+      GetModifiableDeviceStateByType(NetworkTypePattern::WiFi());
+  if (!device || !device->update_received())
+    return;  // May be null in tests.
+
+  const std::string prev_available_managed_network_path =
+      device->available_managed_network_path();
+  std::string available_managed_network_path;
+
+  NetworkStateHandler::NetworkStateList networks;
+  GetNetworkListByType(NetworkTypePattern::WiFi(), true, true, 0, &networks);
+  for (const NetworkState* network : networks) {
+    if (network->IsManagedByPolicy()) {
+      available_managed_network_path = network->path();
+      break;
+    }
+  }
+
+  if (prev_available_managed_network_path != available_managed_network_path) {
+    device->set_available_managed_network_path(available_managed_network_path);
+    UpdateBlockedWifiNetworksInternal();
+    NotifyDevicePropertiesUpdated(device);
+  }
+}
+
+void NetworkStateHandler::UpdateBlockedWifiNetworksInternal() {
+  for (auto iter = network_list_.begin(); iter != network_list_.end(); ++iter) {
+    NetworkState* network = (*iter)->AsNetworkState();
+    if (!network->Matches(NetworkTypePattern::WiFi()))
+      continue;
+    if (UpdateBlockedByPolicy(network))
+      NotifyNetworkPropertiesUpdated(network);
+  }
+}
+
 void NetworkStateHandler::GetDeviceList(DeviceStateList* list) const {
   GetDeviceListByType(NetworkTypePattern::Default(), list);
 }
@@ -1126,6 +1175,8 @@ void NetworkStateHandler::UpdateManagedList(ManagedState::ManagedType type,
     }
   }
 
+  UpdateManagedWifiNetworkAvailable();
+
   if (type != ManagedState::ManagedType::MANAGED_TYPE_NETWORK)
     return;
 
@@ -1194,7 +1245,8 @@ void NetworkStateHandler::UpdateNetworkStateProperties(
     if (network->PropertyChanged(iter.key(), iter.value()))
       network_property_updated = true;
   }
-  network_property_updated |= UpdateBlockedByPolicy(network);
+  if (network->Matches(NetworkTypePattern::WiFi()))
+    network_property_updated |= UpdateBlockedByPolicy(network);
   network_property_updated |= network->InitialPropertiesReceived(properties);
 
   UpdateGuid(network);
@@ -1299,6 +1351,8 @@ void NetworkStateHandler::UpdateDeviceProperty(const std::string& device_path,
   NotifyDevicePropertiesUpdated(device);
 
   if (key == shill::kScanningProperty && device->scanning() == false) {
+    if (device->type() == shill::kTypeWifi)
+      UpdateManagedWifiNetworkAvailable();
     NotifyScanCompleted(device);
   }
   if (key == shill::kEapAuthenticationCompletedProperty) {
@@ -1367,6 +1421,7 @@ void NetworkStateHandler::ManagedStateListChanged(
     SortNetworkList(true /* ensure_cellular */);
     UpdateNetworkStats();
     NotifyNetworkListChanged();
+    UpdateManagedWifiNetworkAvailable();
   } else if (type == ManagedState::MANAGED_TYPE_DEVICE) {
     std::string devices;
     for (auto iter = device_list_.begin(); iter != device_list_.end(); ++iter) {
@@ -1622,6 +1677,15 @@ DeviceState* NetworkStateHandler::GetModifiableDeviceState(
   return managed->AsDeviceState();
 }
 
+DeviceState* NetworkStateHandler::GetModifiableDeviceStateByType(
+    const NetworkTypePattern& type) const {
+  for (const auto& device : device_list_) {
+    if (device->Matches(type))
+      return device->AsDeviceState();
+  }
+  return nullptr;
+}
+
 NetworkState* NetworkStateHandler::GetModifiableNetworkState(
     const std::string& service_path) const {
   ManagedState* managed =

chromeos/network/network_state_handler.h

@@ -355,12 +355,24 @@ class CHROMEOS_EXPORT NetworkStateHandler
   void SetLastErrorForTest(const std::string& service_path,
                            const std::string& error);
 
-  // Sets |allow_only_policy_networks_to_connect_| and |blacklisted_hex_ssids_|
-  // and calls |UpdateBlockedByPolicy()| for each network state.
-  virtual void UpdateBlockedNetworks(
+  // Sets |allow_only_policy_networks_to_connect_|,
+  // |allow_only_policy_networks_to_connect_if_available_| and
+  // |blacklisted_hex_ssids_| and calls |UpdateBlockedWifiNetworksInternal()|.
+  virtual void UpdateBlockedWifiNetworks(
       bool only_managed,
+      bool available_only,
       const std::vector<std::string>& blacklisted_hex_ssids);
 
+  // Returns the NetworkState associated to the wifi device's
+  // available_managed_network_path or |nullptr| if no managed network is
+  // available.
+  const NetworkState* GetAvailableManagedWifiNetwork() const;
+
+  // Returns true if the AllowOnlyPolicyNetworksToConnect policy is enabled or
+  // if the AllowOnlyPolicyNetworksToConnectIfAvailable policy is enabled and
+  // there is a managed wifi network available.
+  bool OnlyManagedWifiNetworksAllowed() const;
+
   // Constructs and initializes an instance for testing.
   static std::unique_ptr<NetworkStateHandler> InitializeForTest();
 
@@ -434,6 +446,8 @@ class CHROMEOS_EXPORT NetworkStateHandler
   FRIEND_TEST_ALL_PREFIXES(NetworkStateHandlerTest, NetworkStateHandlerStub);
   FRIEND_TEST_ALL_PREFIXES(NetworkStateHandlerTest, BlockedByPolicyBlacklisted);
   FRIEND_TEST_ALL_PREFIXES(NetworkStateHandlerTest, BlockedByPolicyOnlyManaged);
+  FRIEND_TEST_ALL_PREFIXES(NetworkStateHandlerTest,
+                           BlockedByPolicyOnlyManagedIfAvailable);
 
   // Sorts the network list. Called when all network updates have been received,
   // or when the network list is requested but the list is in an unsorted state.
@@ -477,6 +491,8 @@ class CHROMEOS_EXPORT NetworkStateHandler
   // be called by Get[Network|Device]State, even though they return non-const
   // pointers.
   DeviceState* GetModifiableDeviceState(const std::string& device_path) const;
+  DeviceState* GetModifiableDeviceStateByType(
+      const NetworkTypePattern& type) const;
   NetworkState* GetModifiableNetworkState(
       const std::string& service_path) const;
   NetworkState* GetModifiableNetworkStateFromGuid(
@@ -554,6 +570,14 @@ class CHROMEOS_EXPORT NetworkStateHandler
   // Returns true if the value changed.
   bool UpdateBlockedByPolicy(NetworkState* network) const;
 
+  // Updates the device's |managed_network_available_| depending on the list of
+  // networks associated with this device. Calls
+  // |UpdateBlockedWifiNetworksInternal()| if the availability changed.
+  void UpdateManagedWifiNetworkAvailable();
+
+  // Calls |UpdateBlockedByPolicy()| for each wifi network.
+  void UpdateBlockedWifiNetworksInternal();
+
   // Shill property handler instance, owned by this class.
   std::unique_ptr<internal::ShillPropertyHandler> shill_property_handler_;
 
@@ -606,6 +630,7 @@ class CHROMEOS_EXPORT NetworkStateHandler
   // Policies which control WiFi blocking (Controlled from
   // |ManagedNetworkConfigurationHandler| by calling |UpdateBlockedNetworks()|).
   bool allow_only_policy_networks_to_connect_ = false;
+  bool allow_only_policy_networks_to_connect_if_available_ = false;
   std::vector<std::string> blacklisted_hex_ssids_;
 
   SEQUENCE_CHECKER(sequence_checker_);

chromeos/network/network_state_handler_unittest.cc

@@ -68,6 +68,8 @@ const int kTetherSignalStrength2 = 80;
 const bool kTetherHasConnectedToHost1 = true;
 const bool kTetherHasConnectedToHost2 = false;
 
+const char kProfilePath[] = "/network/test";
+
 using chromeos::DeviceState;
 using chromeos::NetworkState;
 using chromeos::NetworkStateHandler;
@@ -1882,6 +1884,7 @@ TEST_F(NetworkStateHandlerTest, BlockedByPolicyBlacklisted) {
   NetworkState* wifi2 = network_state_handler_->GetModifiableNetworkState(
       kShillManagerClientStubWifi2);
 
+  EXPECT_FALSE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
   EXPECT_FALSE(wifi1->IsManagedByPolicy());
   EXPECT_FALSE(wifi2->IsManagedByPolicy());
   EXPECT_FALSE(wifi1->blocked_by_policy());
@@ -1889,16 +1892,23 @@ TEST_F(NetworkStateHandlerTest, BlockedByPolicyBlacklisted) {
 
   std::vector<std::string> blacklist;
   blacklist.push_back(wifi1->GetHexSsid());
-  network_state_handler_->UpdateBlockedNetworks(false, blacklist);
+  network_state_handler_->UpdateBlockedWifiNetworks(false, false, blacklist);
 
+  EXPECT_FALSE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
+  EXPECT_EQ(blacklist, network_state_handler_->blacklisted_hex_ssids_);
   EXPECT_TRUE(wifi1->blocked_by_policy());
   EXPECT_FALSE(wifi2->blocked_by_policy());
 
+  // Emulate 'wifi1' being a managed network.
   std::unique_ptr<NetworkUIData> ui_data =
       NetworkUIData::CreateFromONC(::onc::ONCSource::ONC_SOURCE_USER_POLICY);
-  network_state_handler_->UpdateNetworkServiceProperty(
-      wifi1->path(), shill::kUIDataProperty, base::Value(ui_data->GetAsJson()));
+  base::DictionaryValue properties;
+  properties.SetKey(shill::kProfileProperty, base::Value(kProfilePath));
+  properties.SetKey(shill::kUIDataProperty, base::Value(ui_data->GetAsJson()));
+  network_state_handler_->UpdateNetworkStateProperties(wifi1, properties);
 
+  EXPECT_FALSE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
+  EXPECT_EQ(blacklist, network_state_handler_->blacklisted_hex_ssids_);
   EXPECT_TRUE(wifi1->IsManagedByPolicy());
   EXPECT_FALSE(wifi2->IsManagedByPolicy());
   EXPECT_FALSE(wifi1->blocked_by_policy());
@@ -1911,22 +1921,65 @@ TEST_F(NetworkStateHandlerTest, BlockedByPolicyOnlyManaged) {
   NetworkState* wifi2 = network_state_handler_->GetModifiableNetworkState(
       kShillManagerClientStubWifi2);
 
+  EXPECT_FALSE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
   EXPECT_FALSE(wifi1->IsManagedByPolicy());
   EXPECT_FALSE(wifi2->IsManagedByPolicy());
   EXPECT_FALSE(wifi1->blocked_by_policy());
   EXPECT_FALSE(wifi2->blocked_by_policy());
 
-  network_state_handler_->UpdateBlockedNetworks(true,
-                                                std::vector<std::string>());
+  network_state_handler_->UpdateBlockedWifiNetworks(true, false,
+                                                    std::vector<std::string>());
 
+  EXPECT_TRUE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
   EXPECT_TRUE(wifi1->blocked_by_policy());
   EXPECT_TRUE(wifi2->blocked_by_policy());
 
+  // Emulate 'wifi1' being a managed network.
   std::unique_ptr<NetworkUIData> ui_data =
       NetworkUIData::CreateFromONC(::onc::ONCSource::ONC_SOURCE_USER_POLICY);
-  network_state_handler_->UpdateNetworkServiceProperty(
-      wifi1->path(), shill::kUIDataProperty, base::Value(ui_data->GetAsJson()));
+  base::DictionaryValue properties;
+  properties.SetKey(shill::kProfileProperty, base::Value(kProfilePath));
+  properties.SetKey(shill::kUIDataProperty, base::Value(ui_data->GetAsJson()));
+  network_state_handler_->UpdateNetworkStateProperties(wifi1, properties);
+
+  EXPECT_TRUE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
+  EXPECT_TRUE(wifi1->IsManagedByPolicy());
+  EXPECT_FALSE(wifi2->IsManagedByPolicy());
+  EXPECT_FALSE(wifi1->blocked_by_policy());
+  EXPECT_TRUE(wifi2->blocked_by_policy());
+}
+
+TEST_F(NetworkStateHandlerTest, BlockedByPolicyOnlyManagedIfAvailable) {
+  NetworkState* wifi1 = network_state_handler_->GetModifiableNetworkState(
+      kShillManagerClientStubDefaultWifi);
+  NetworkState* wifi2 = network_state_handler_->GetModifiableNetworkState(
+      kShillManagerClientStubWifi2);
 
+  EXPECT_FALSE(wifi1->IsManagedByPolicy());
+  EXPECT_FALSE(wifi2->IsManagedByPolicy());
+  EXPECT_FALSE(wifi1->blocked_by_policy());
+  EXPECT_FALSE(wifi2->blocked_by_policy());
+  EXPECT_FALSE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
+
+  network_state_handler_->UpdateBlockedWifiNetworks(false, true,
+                                                    std::vector<std::string>());
+
+  EXPECT_EQ(nullptr, network_state_handler_->GetAvailableManagedWifiNetwork());
+  EXPECT_FALSE(wifi1->blocked_by_policy());
+  EXPECT_FALSE(wifi2->blocked_by_policy());
+  EXPECT_FALSE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
+
+  // Emulate 'wifi1' being a managed network.
+  std::unique_ptr<NetworkUIData> ui_data =
+      NetworkUIData::CreateFromONC(::onc::ONCSource::ONC_SOURCE_USER_POLICY);
+  base::DictionaryValue properties;
+  properties.SetKey(shill::kProfileProperty, base::Value(kProfilePath));
+  properties.SetKey(shill::kUIDataProperty, base::Value(ui_data->GetAsJson()));
+  network_state_handler_->UpdateNetworkStateProperties(wifi1, properties);
+  network_state_handler_->UpdateManagedWifiNetworkAvailable();
+
+  EXPECT_EQ(wifi1, network_state_handler_->GetAvailableManagedWifiNetwork());
+  EXPECT_TRUE(network_state_handler_->OnlyManagedWifiNetworksAllowed());
   EXPECT_TRUE(wifi1->IsManagedByPolicy());
   EXPECT_FALSE(wifi2->IsManagedByPolicy());
   EXPECT_FALSE(wifi1->blocked_by_policy());

chromeos/network/onc/onc_signature.cc

@@ -366,6 +366,8 @@ const OncFieldSignature global_network_configuration_fields[] = {
      &kBoolSignature},
     {::onc::global_network_config::kAllowOnlyPolicyNetworksToConnect,
      &kBoolSignature},
+    {::onc::global_network_config::kAllowOnlyPolicyNetworksToConnectIfAvailable,
+     &kBoolSignature},
     {::onc::global_network_config::kBlacklistedHexSSIDs, &kStringListSignature},
     {::onc::global_network_config::kDisableNetworkTypes, &kStringListSignature},
     {NULL}};

chromeos/network/onc/onc_validator.cc

@@ -926,6 +926,7 @@ bool Validator::ValidateGlobalNetworkConfiguration(
   // kBlacklistedHexSSIDs are only allowed in device policy.
   if (!IsInDevicePolicy(result, kDisableNetworkTypes) ||
       !IsInDevicePolicy(result, kAllowOnlyPolicyNetworksToConnect) ||
+      !IsInDevicePolicy(result, kAllowOnlyPolicyNetworksToConnectIfAvailable) ||
       !IsInDevicePolicy(result, kBlacklistedHexSSIDs)) {
     return false;
   }

chromeos/test/data/network/policy/policy_allow_only_policy_networks_to_connect_if_available.onc

+{
+  "NetworkConfigurations": [
+  ],
+  "GlobalNetworkConfiguration": {
+    "AllowOnlyPolicyNetworksToConnectIfAvailable": true
+  },
+  "Type": "UnencryptedConfiguration"
+}

components/onc/onc_constants.cc

@@ -462,6 +462,8 @@ const char kAllowOnlyPolicyNetworksToAutoconnect[] =
     "AllowOnlyPolicyNetworksToAutoconnect";
 const char kAllowOnlyPolicyNetworksToConnect[] =
     "AllowOnlyPolicyNetworksToConnect";
+const char kAllowOnlyPolicyNetworksToConnectIfAvailable[] =
+    "AllowOnlyPolicyNetworksToConnectIfAvailable";
 const char kBlacklistedHexSSIDs[] = "BlacklistedHexSSIDs";
 const char kDisableNetworkTypes[] = "DisableNetworkTypes";
 }  // global_network_config

components/onc/onc_constants.h

@@ -467,6 +467,7 @@ ONC_EXPORT extern const char kWPAD[];
 namespace global_network_config {
 ONC_EXPORT extern const char kAllowOnlyPolicyNetworksToAutoconnect[];
 ONC_EXPORT extern const char kAllowOnlyPolicyNetworksToConnect[];
+ONC_EXPORT extern const char kAllowOnlyPolicyNetworksToConnectIfAvailable[];
 ONC_EXPORT extern const char kBlacklistedHexSSIDs[];
 ONC_EXPORT extern const char kDisableNetworkTypes[];
 }  // global_network_config

components/sync_wifi/wifi_config_delegate_chromeos_unittest.cc

@@ -117,6 +117,10 @@ class FakeManagedNetworkConfigurationHandler
     NOTIMPLEMENTED();
     return false;
   }
+  bool AllowOnlyPolicyNetworksToConnectIfAvailable() const override {
+    NOTIMPLEMENTED();
+    return false;
+  }
   bool AllowOnlyPolicyNetworksToAutoconnect() const override {
     NOTIMPLEMENTED();
     return false;