NSSCertDatabaseChromeOS

net/cert/nss_cert_database_chromeos_unittest.cc

Index: net/cert/nss_cert_database_chromeos_unittest.cc
diff --git a/net/cert/nss_cert_database_chromeos_unittest.cc b/net/cert/nss_cert_database_chromeos_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..6ad9bbd0b3f7c262dc9aeaf59e24fa855f1898cc
--- /dev/null
+++ b/net/cert/nss_cert_database_chromeos_unittest.cc
@@ -0,0 +1,244 @@
+// Copyright (c) 2013 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/bind.h"
+#include "base/callback.h"
+#include "base/run_loop.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/cert_database.h"
+#include "net/cert/nss_cert_database_chromeos.h"
+#include "net/cert/nss_cert_database_chromeos_test_utils.h"
+#include "net/test/cert_test_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+// XXX clang-format this file
+
+namespace net {
+
+namespace {
+
+void SetDbCallback(
+    NSSCertDatabase** out_db, base::RunLoop* runloop, NSSCertDatabase* db) {
+  *out_db = db;
+  runloop->Quit();
+}
+
+void NotCalledDbCallback(NSSCertDatabase* db) {
+  ASSERT_TRUE(false);
+}
+
+bool IsCertInCertificateList(
+    const X509Certificate* cert, const CertificateList& cert_list) {
+  for (CertificateList::const_iterator it=cert_list.begin();
+       it!=cert_list.end();
+       ++it) {
+    if ((*it)->os_cert_handle() == cert->os_cert_handle())
+      return true;
+  }
+  return false;
+}
+
+}  // namespace
+
+TEST(NSSCertDatabaseChromeOSInitializationTest, Initialization) {
+  ScopedTestNSSCertDatabaseChromeOS user_1("user1");
+  ScopedTestNSSCertDatabaseChromeOS user_2("user2");
+  ASSERT_TRUE(user_1.constructed_successfully());
+  ASSERT_TRUE(user_2.constructed_successfully());
+
+  base::RunLoop runloop_1;
+  base::RunLoop runloop_2;
+  NSSCertDatabase* db_1 = NULL;
+  NSSCertDatabase* db_2 = NULL;
+
+  // Getting DB should be async since nss_util private slots haven't been set
+  // yet.
+  ASSERT_FALSE(NSSCertDatabaseChromeOS::GetForUser(user_1.username_hash(),
+        base::Bind(&SetDbCallback, &db_1, &runloop_1)));
+  ASSERT_FALSE(NSSCertDatabaseChromeOS::GetForUser(user_2.username_hash(),
+        base::Bind(&SetDbCallback, &db_2, &runloop_2)));
+
+  // Set private slots, check that callbacks got run, and that the slots are
+  // returned from the NSSCertDatabaseChromeOS.
+  user_1.FinishInit();
+  runloop_1.Run();
+  ASSERT_TRUE(db_1);
+  EXPECT_FALSE(db_2);
+  EXPECT_TRUE(db_1->GetPublicSlot().get());
+  // Public and private slot are the same in unittests.
+  EXPECT_EQ(db_1->GetPublicSlot().get(), db_1->GetPrivateSlot().get());
+
+  // Same as above, for user 2.
+  user_2.FinishInit();
+  runloop_2.Run();
+  ASSERT_TRUE(db_2);
+  EXPECT_TRUE(db_2->GetPublicSlot().get());
+  EXPECT_EQ(db_2->GetPublicSlot().get(), db_2->GetPrivateSlot().get());
+
+  EXPECT_NE(db_1->GetPublicSlot().get(), db_2->GetPublicSlot().get());
+
+  // Now getting the DB should be synchronous.
+  NSSCertDatabase* sync_returned_db_1 =
+    NSSCertDatabaseChromeOS::GetForUser(user_1.username_hash(),
+        base::Bind(&NotCalledDbCallback));
+  NSSCertDatabase* sync_returned_db_2 =
+    NSSCertDatabaseChromeOS::GetForUser(user_2.username_hash(),
+        base::Bind(&NotCalledDbCallback));
+  ASSERT_EQ(db_1, sync_returned_db_1);
+  ASSERT_EQ(db_2, sync_returned_db_2);
+}
+
+class NSSCertDatabaseChromeOSTest : public testing::Test,
+                                    public CertDatabase::Observer {
+  public:
+    NSSCertDatabaseChromeOSTest()
+        : user_1_("user1"), user_2_("user2"), db_1_(NULL), db_2_(NULL) {}
+
+    virtual void SetUp() OVERRIDE {
+      ASSERT_TRUE(user_1_.constructed_successfully());
+      ASSERT_TRUE(user_2_.constructed_successfully());
+      user_1_.FinishInit();
+      user_2_.FinishInit();
+      db_1_ = NSSCertDatabaseChromeOS::GetForUser(
+          user_1_.username_hash(), base::Bind(&NotCalledDbCallback));
+      db_2_ = NSSCertDatabaseChromeOS::GetForUser(
+          user_2_.username_hash(), base::Bind(&NotCalledDbCallback));
+      ASSERT_TRUE(db_1_);
+      ASSERT_TRUE(db_2_);
+      CertDatabase::GetInstance()->AddObserver(this);
+    }
+    virtual void TearDown() OVERRIDE {
+      CertDatabase::GetInstance()->RemoveObserver(this);
+    }
+
+    // CertDatabase::Observer:
+    virtual void OnCertAdded(const X509Certificate* cert) OVERRIDE {
+      added_.push_back(cert ? cert->os_cert_handle() : NULL);
+    }
+    virtual void OnCertRemoved(const X509Certificate* cert) OVERRIDE {}
+    virtual void OnCACertChanged(const X509Certificate* cert) OVERRIDE {
+      added_ca_.push_back(cert ? cert->os_cert_handle() : NULL);
+    }
+
+  protected:
+    std::vector<CERTCertificate*> added_ca_;
+    std::vector<CERTCertificate*> added_;
+    ScopedTestNSSCertDatabaseChromeOS user_1_;
+    ScopedTestNSSCertDatabaseChromeOS user_2_;
+    NSSCertDatabase* db_1_;
+    NSSCertDatabase* db_2_;
+};
+
+TEST_F(NSSCertDatabaseChromeOSTest, ListModules) {
+  CryptoModuleList modules_1;
+  CryptoModuleList modules_2;
+
+  db_1_->ListModules(&modules_1, false /* need_rw */);
+  db_2_->ListModules(&modules_2, false /* need_rw */);
+
+  bool found_1 = false;
+  for (CryptoModuleList::iterator it=modules_1.begin();
+       it!=modules_1.end();
+       ++it) {
+    EXPECT_NE(db_2_->GetPublicSlot().get(), (*it)->os_module_handle());
+    if ((*it)->os_module_handle() == db_1_->GetPublicSlot().get())
+        found_1 = true;
+  }
+  EXPECT_TRUE(found_1);
+
+  bool found_2 = false;
+  for (CryptoModuleList::iterator it=modules_2.begin();
+       it!=modules_2.end();
+       ++it) {
+    EXPECT_NE(db_1_->GetPublicSlot().get(), (*it)->os_module_handle());
+    if ((*it)->os_module_handle() == db_2_->GetPublicSlot().get())
+        found_2 = true;
+  }
+  EXPECT_TRUE(found_2);
+}
+
+TEST_F(NSSCertDatabaseChromeOSTest, ImportCACerts) {
+  CertificateList certs_1 = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "root_ca_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs_1.size());
+  EXPECT_FALSE(certs_1[0]->os_cert_handle()->isperm);
+
+  CertificateList certs_2 = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-root.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs_2.size());
+  EXPECT_FALSE(certs_2[0]->os_cert_handle()->isperm);
+
+
+  NSSCertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(db_1_->ImportCACerts(certs_1, NSSCertDatabase::TRUSTED_SSL,
+                                      &failed));
+  EXPECT_EQ(0U, failed.size());
+  failed.clear();
+  EXPECT_TRUE(db_2_->ImportCACerts(certs_2, NSSCertDatabase::TRUSTED_SSL,
+                                      &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList user_1_certlist;
+  CertificateList user_2_certlist;
+  db_1_->ListCerts(&user_1_certlist);
+  db_2_->ListCerts(&user_2_certlist);
+
+  EXPECT_TRUE(IsCertInCertificateList(certs_1[0], user_1_certlist));
+  EXPECT_FALSE(IsCertInCertificateList(certs_1[0], user_2_certlist));
+
+  EXPECT_TRUE(IsCertInCertificateList(certs_2[0], user_2_certlist));
+  EXPECT_FALSE(IsCertInCertificateList(certs_2[0], user_1_certlist));
+
+  base::RunLoop().RunUntilIdle();
+  ASSERT_EQ(2U, added_ca_.size());
+  // TODO(mattm): make NSSCertDatabase actually pass the cert to the callback,
+  // and enable these checks:
+  //EXPECT_EQ(certs_1[0]->os_cert_handle(), added_ca_[0]);
+  //EXPECT_EQ(certs_2[0]->os_cert_handle(), added_ca_[1]);
+  EXPECT_EQ(0U, added_.size());
+}
+
+TEST_F(NSSCertDatabaseChromeOSTest, ImportServerCert) {
+  CertificateList certs_1 = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "ok_cert.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs_1.size());
+  EXPECT_FALSE(certs_1[0]->os_cert_handle()->isperm);
+
+  CertificateList certs_2 = CreateCertificateListFromFile(
+      GetTestCertsDirectory(), "2048-rsa-ee-by-2048-rsa-intermediate.pem",
+      X509Certificate::FORMAT_AUTO);
+  ASSERT_EQ(1U, certs_2.size());
+  EXPECT_FALSE(certs_2[0]->os_cert_handle()->isperm);
+
+  NSSCertDatabase::ImportCertFailureList failed;
+  EXPECT_TRUE(db_1_->ImportServerCert(certs_1, NSSCertDatabase::TRUSTED_SSL,
+                                      &failed));
+  EXPECT_EQ(0U, failed.size());
+  failed.clear();
+  EXPECT_TRUE(db_2_->ImportServerCert(certs_2, NSSCertDatabase::TRUSTED_SSL,
+                                      &failed));
+  EXPECT_EQ(0U, failed.size());
+
+  CertificateList user_1_certlist;
+  CertificateList user_2_certlist;
+  db_1_->ListCerts(&user_1_certlist);
+  db_2_->ListCerts(&user_2_certlist);
+
+  EXPECT_TRUE(IsCertInCertificateList(certs_1[0], user_1_certlist));
+  EXPECT_FALSE(IsCertInCertificateList(certs_1[0], user_2_certlist));
+
+  EXPECT_TRUE(IsCertInCertificateList(certs_2[0], user_2_certlist));
+  EXPECT_FALSE(IsCertInCertificateList(certs_2[0], user_1_certlist));
+
+  base::RunLoop().RunUntilIdle();
+  // TODO(mattm): ImportServerCert doesn't actually cause any observers to
+  // fire. Is that correct?
+  EXPECT_EQ(0U, added_ca_.size());
+  EXPECT_EQ(0U, added_.size());
+}
+
+}  // namespace net