| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "components/policy/core/common/cloud/user_cloud_policy_store.h" | 5 #include "components/policy/core/common/cloud/user_cloud_policy_store.h" |
| 6 | 6 |
| 7 #include "base/file_util.h" | 7 #include "base/file_util.h" |
| 8 #include "base/files/scoped_temp_dir.h" | 8 #include "base/files/scoped_temp_dir.h" |
| 9 #include "base/message_loop/message_loop.h" | 9 #include "base/message_loop/message_loop.h" |
| 10 #include "base/message_loop/message_loop_proxy.h" | 10 #include "base/message_loop/message_loop_proxy.h" |
| 11 #include "base/run_loop.h" | 11 #include "base/run_loop.h" |
| 12 #include "components/policy/core/common/cloud/cloud_policy_constants.h" |
| 12 #include "components/policy/core/common/cloud/mock_cloud_external_data_manager.h
" | 13 #include "components/policy/core/common/cloud/mock_cloud_external_data_manager.h
" |
| 13 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h" | 14 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h" |
| 14 #include "components/policy/core/common/cloud/policy_builder.h" | 15 #include "components/policy/core/common/cloud/policy_builder.h" |
| 15 #include "net/url_request/url_request_context_getter.h" | 16 #include "net/url_request/url_request_context_getter.h" |
| 16 #include "policy/policy_constants.h" | 17 #include "policy/policy_constants.h" |
| 17 #include "testing/gmock/include/gmock/gmock.h" | 18 #include "testing/gmock/include/gmock/gmock.h" |
| 18 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
| 19 | 20 |
| 20 using testing::AllOf; | 21 using testing::AllOf; |
| 21 using testing::Eq; | 22 using testing::Eq; |
| 22 using testing::Mock; | 23 using testing::Mock; |
| 23 using testing::Property; | 24 using testing::Property; |
| 24 using testing::Sequence; | 25 using testing::Sequence; |
| 25 | 26 |
| 26 namespace policy { | 27 namespace policy { |
| 27 | 28 |
| 28 namespace { | 29 namespace { |
| 29 | 30 |
| 30 void RunUntilIdle() { | 31 void RunUntilIdle() { |
| 31 base::RunLoop run_loop; | 32 base::RunLoop run_loop; |
| 32 run_loop.RunUntilIdle(); | 33 run_loop.RunUntilIdle(); |
| 33 } | 34 } |
| 34 | 35 |
| 36 } // namespace |
| 37 |
| 35 class UserCloudPolicyStoreTest : public testing::Test { | 38 class UserCloudPolicyStoreTest : public testing::Test { |
| 36 public: | 39 public: |
| 37 UserCloudPolicyStoreTest() {} | 40 UserCloudPolicyStoreTest() {} |
| 38 | 41 |
| 39 virtual void SetUp() OVERRIDE { | 42 virtual void SetUp() OVERRIDE { |
| 40 ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir()); | 43 ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir()); |
| 41 store_.reset( | 44 store_.reset( |
| 42 new UserCloudPolicyStore(policy_file(), loop_.message_loop_proxy())); | 45 new UserCloudPolicyStore(policy_file(), |
| 46 key_file(), |
| 47 GetPolicyVerificationKey(), |
| 48 loop_.message_loop_proxy())); |
| 43 external_data_manager_.reset(new MockCloudExternalDataManager); | 49 external_data_manager_.reset(new MockCloudExternalDataManager); |
| 44 external_data_manager_->SetPolicyStore(store_.get()); | 50 external_data_manager_->SetPolicyStore(store_.get()); |
| 45 store_->SetSigninUsername(PolicyBuilder::kFakeUsername); | 51 store_->SetSigninUsername(PolicyBuilder::kFakeUsername); |
| 46 store_->AddObserver(&observer_); | 52 store_->AddObserver(&observer_); |
| 47 | 53 |
| 48 policy_.payload().mutable_passwordmanagerenabled()->set_value(true); | 54 // Install an initial public key, so that by default the validation of |
| 49 policy_.payload().mutable_urlblacklist()->mutable_value()->add_entries( | 55 // the stored/loaded policy blob succeeds (it looks like a new key |
| 50 "chromium.org"); | 56 // provision). |
| 57 policy_.SetDefaultInitialSigningKey(); |
| 58 |
| 59 InitPolicyPayload(&policy_.payload()); |
| 51 | 60 |
| 52 policy_.Build(); | 61 policy_.Build(); |
| 53 } | 62 } |
| 54 | 63 |
| 55 virtual void TearDown() OVERRIDE { | 64 virtual void TearDown() OVERRIDE { |
| 56 store_->RemoveObserver(&observer_); | 65 store_->RemoveObserver(&observer_); |
| 57 external_data_manager_.reset(); | 66 external_data_manager_.reset(); |
| 58 store_.reset(); | 67 store_.reset(); |
| 59 RunUntilIdle(); | 68 RunUntilIdle(); |
| 60 } | 69 } |
| 61 | 70 |
| 71 void InitPolicyPayload(enterprise_management::CloudPolicySettings* payload) { |
| 72 payload->mutable_passwordmanagerenabled()->set_value(true); |
| 73 payload->mutable_urlblacklist()->mutable_value()->add_entries( |
| 74 "chromium.org"); |
| 75 } |
| 76 |
| 62 base::FilePath policy_file() { | 77 base::FilePath policy_file() { |
| 63 return tmp_dir_.path().AppendASCII("policy"); | 78 return tmp_dir_.path().AppendASCII("policy"); |
| 64 } | 79 } |
| 65 | 80 |
| 81 base::FilePath key_file() { |
| 82 return tmp_dir_.path().AppendASCII("policy_key"); |
| 83 } |
| 84 |
| 66 // Verifies that store_->policy_map() has the appropriate entries. | 85 // Verifies that store_->policy_map() has the appropriate entries. |
| 67 void VerifyPolicyMap(CloudPolicyStore* store) { | 86 void VerifyPolicyMap(CloudPolicyStore* store) { |
| 68 EXPECT_EQ(2U, store->policy_map().size()); | 87 EXPECT_EQ(2U, store->policy_map().size()); |
| 69 const PolicyMap::Entry* entry = | 88 const PolicyMap::Entry* entry = |
| 70 store->policy_map().Get(key::kPasswordManagerEnabled); | 89 store->policy_map().Get(key::kPasswordManagerEnabled); |
| 71 ASSERT_TRUE(entry); | 90 ASSERT_TRUE(entry); |
| 72 EXPECT_TRUE(base::FundamentalValue(true).Equals(entry->value)); | 91 EXPECT_TRUE(base::FundamentalValue(true).Equals(entry->value)); |
| 73 ASSERT_TRUE(store->policy_map().Get(key::kURLBlacklist)); | 92 ASSERT_TRUE(store->policy_map().Get(key::kURLBlacklist)); |
| 74 } | 93 } |
| 75 | 94 |
| 76 // Install an expectation on |observer_| for an error code. | 95 // Install an expectation on |observer_| for an error code. |
| 77 void ExpectError(CloudPolicyStore* store, CloudPolicyStore::Status error) { | 96 void ExpectError(CloudPolicyStore* store, CloudPolicyStore::Status error) { |
| 78 EXPECT_CALL(observer_, | 97 EXPECT_CALL(observer_, |
| 79 OnStoreError(AllOf(Eq(store), | 98 OnStoreError(AllOf(Eq(store), |
| 80 Property(&CloudPolicyStore::status, | 99 Property(&CloudPolicyStore::status, |
| 81 Eq(error))))); | 100 Eq(error))))); |
| 82 } | 101 } |
| 83 | 102 |
| 103 void StorePolicyAndEnsureLoaded( |
| 104 const enterprise_management::PolicyFetchResponse& policy) { |
| 105 Sequence s; |
| 106 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s); |
| 107 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s); |
| 108 store_->Store(policy); |
| 109 RunUntilIdle(); |
| 110 Mock::VerifyAndClearExpectations(external_data_manager_.get()); |
| 111 Mock::VerifyAndClearExpectations(&observer_); |
| 112 ASSERT_TRUE(store_->policy()); |
| 113 } |
| 114 |
| 84 UserPolicyBuilder policy_; | 115 UserPolicyBuilder policy_; |
| 85 MockCloudPolicyStoreObserver observer_; | 116 MockCloudPolicyStoreObserver observer_; |
| 86 scoped_ptr<UserCloudPolicyStore> store_; | 117 scoped_ptr<UserCloudPolicyStore> store_; |
| 87 scoped_ptr<MockCloudExternalDataManager> external_data_manager_; | 118 scoped_ptr<MockCloudExternalDataManager> external_data_manager_; |
| 88 | 119 |
| 89 // CloudPolicyValidator() requires a FILE thread so declare one here. Both | 120 // CloudPolicyValidator() requires a FILE thread so declare one here. Both |
| 90 // |ui_thread_| and |file_thread_| share the same MessageLoop |loop_| so | 121 // |ui_thread_| and |file_thread_| share the same MessageLoop |loop_| so |
| 91 // callers can use RunLoop to manage both virtual threads. | 122 // callers can use RunLoop to manage both virtual threads. |
| 92 base::MessageLoopForUI loop_; | 123 base::MessageLoopForUI loop_; |
| 93 | 124 |
| (...skipping 61 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 155 bogus_data.c_str(), | 186 bogus_data.c_str(), |
| 156 bogus_data.size())); | 187 bogus_data.size())); |
| 157 | 188 |
| 158 ExpectError(store_.get(), CloudPolicyStore::STATUS_LOAD_ERROR); | 189 ExpectError(store_.get(), CloudPolicyStore::STATUS_LOAD_ERROR); |
| 159 store_->LoadImmediately(); // Should load without running the message loop. | 190 store_->LoadImmediately(); // Should load without running the message loop. |
| 160 | 191 |
| 161 EXPECT_FALSE(store_->policy()); | 192 EXPECT_FALSE(store_->policy()); |
| 162 EXPECT_TRUE(store_->policy_map().empty()); | 193 EXPECT_TRUE(store_->policy_map().empty()); |
| 163 } | 194 } |
| 164 | 195 |
| 196 // Load file from cache with no key data, then migrate to have a key. |
| 197 TEST_F(UserCloudPolicyStoreTest, Migration) { |
| 198 UserPolicyBuilder unsigned_builder; |
| 199 unsigned_builder.UnsetSigningKey(); |
| 200 InitPolicyPayload(&unsigned_builder.payload()); |
| 201 unsigned_builder.Build(); |
| 202 // Policy should be unsigned. |
| 203 EXPECT_FALSE(unsigned_builder.policy().has_policy_data_signature()); |
| 204 |
| 205 // Write policy to disk. |
| 206 std::string data; |
| 207 ASSERT_TRUE(unsigned_builder.policy().SerializeToString(&data)); |
| 208 ASSERT_TRUE(base::CreateDirectory(policy_file().DirName())); |
| 209 int size = data.size(); |
| 210 ASSERT_EQ(size, file_util::WriteFile(policy_file(), data.c_str(), size)); |
| 211 |
| 212 // Now make sure the data can get loaded. |
| 213 Sequence s; |
| 214 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s); |
| 215 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s); |
| 216 store_->LoadImmediately(); // Should load without running the message loop. |
| 217 Mock::VerifyAndClearExpectations(external_data_manager_.get()); |
| 218 Mock::VerifyAndClearExpectations(&observer_); |
| 219 |
| 220 ASSERT_TRUE(store_->policy()); |
| 221 EXPECT_EQ(unsigned_builder.policy_data().SerializeAsString(), |
| 222 store_->policy()->SerializeAsString()); |
| 223 VerifyPolicyMap(store_.get()); |
| 224 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 225 EXPECT_TRUE(store_->policy_key().empty()); |
| 226 EXPECT_FALSE(base::PathExists(key_file())); |
| 227 |
| 228 // Now mimic a new policy coming down - this should result in a new key |
| 229 // being installed. |
| 230 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 231 EXPECT_EQ(policy_.policy().new_public_key(), store_->policy_key()); |
| 232 EXPECT_TRUE(base::PathExists(key_file())); |
| 233 } |
| 234 |
| 165 TEST_F(UserCloudPolicyStoreTest, Store) { | 235 TEST_F(UserCloudPolicyStoreTest, Store) { |
| 166 EXPECT_FALSE(store_->policy()); | 236 EXPECT_FALSE(store_->policy()); |
| 167 EXPECT_TRUE(store_->policy_map().empty()); | 237 EXPECT_TRUE(store_->policy_map().empty()); |
| 168 | 238 |
| 169 // Store a simple policy and make sure it ends up as the currently active | 239 // Store a simple policy and make sure it ends up as the currently active |
| 170 // policy. | 240 // policy. |
| 171 Sequence s; | 241 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 172 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s); | |
| 173 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s); | |
| 174 store_->Store(policy_.policy()); | |
| 175 RunUntilIdle(); | |
| 176 | 242 |
| 177 // Policy should be decoded and stored. | 243 // Policy should be decoded and stored. |
| 178 ASSERT_TRUE(store_->policy()); | |
| 179 EXPECT_EQ(policy_.policy_data().SerializeAsString(), | 244 EXPECT_EQ(policy_.policy_data().SerializeAsString(), |
| 180 store_->policy()->SerializeAsString()); | 245 store_->policy()->SerializeAsString()); |
| 181 VerifyPolicyMap(store_.get()); | 246 VerifyPolicyMap(store_.get()); |
| 182 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 247 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 183 } | 248 } |
| 184 | 249 |
| 185 TEST_F(UserCloudPolicyStoreTest, StoreThenClear) { | 250 TEST_F(UserCloudPolicyStoreTest, StoreThenClear) { |
| 186 EXPECT_FALSE(store_->policy()); | 251 EXPECT_FALSE(store_->policy()); |
| 187 EXPECT_TRUE(store_->policy_map().empty()); | 252 EXPECT_TRUE(store_->policy_map().empty()); |
| 188 | 253 |
| 189 // Store a simple policy and make sure the file exists. | 254 // Store a simple policy and make sure the file exists. |
| 190 // policy. | 255 // policy. |
| 191 Sequence s1; | 256 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 192 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s1); | |
| 193 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s1); | |
| 194 store_->Store(policy_.policy()); | |
| 195 RunUntilIdle(); | |
| 196 | |
| 197 EXPECT_TRUE(store_->policy()); | |
| 198 EXPECT_FALSE(store_->policy_map().empty()); | 257 EXPECT_FALSE(store_->policy_map().empty()); |
| 199 | 258 |
| 200 Mock::VerifyAndClearExpectations(external_data_manager_.get()); | |
| 201 Mock::VerifyAndClearExpectations(&observer_); | |
| 202 | |
| 203 // Policy file should exist. | 259 // Policy file should exist. |
| 204 ASSERT_TRUE(base::PathExists(policy_file())); | 260 ASSERT_TRUE(base::PathExists(policy_file())); |
| 205 | 261 |
| 206 Sequence s2; | 262 Sequence s2; |
| 207 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s2); | 263 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s2); |
| 208 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s2); | 264 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s2); |
| 209 store_->Clear(); | 265 store_->Clear(); |
| 210 RunUntilIdle(); | 266 RunUntilIdle(); |
| 211 | 267 |
| 212 // Policy file should not exist. | 268 // Policy file should not exist. |
| 213 ASSERT_TRUE(!base::PathExists(policy_file())); | 269 ASSERT_TRUE(!base::PathExists(policy_file())); |
| 214 | 270 |
| 215 // Policy should be gone. | 271 // Policy should be gone. |
| 216 EXPECT_FALSE(store_->policy()); | 272 EXPECT_FALSE(store_->policy()); |
| 217 EXPECT_TRUE(store_->policy_map().empty()); | 273 EXPECT_TRUE(store_->policy_map().empty()); |
| 218 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 274 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 219 } | 275 } |
| 220 | 276 |
| 277 TEST_F(UserCloudPolicyStoreTest, StoreRotatedKey) { |
| 278 EXPECT_FALSE(store_->policy()); |
| 279 EXPECT_TRUE(store_->policy_map().empty()); |
| 280 |
| 281 // Store a simple policy and make sure it ends up as the currently active |
| 282 // policy. |
| 283 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 284 EXPECT_FALSE(policy_.policy().has_new_public_key_signature()); |
| 285 std::string original_policy_key = policy_.policy().new_public_key(); |
| 286 EXPECT_EQ(original_policy_key, store_->policy_key()); |
| 287 |
| 288 // Now do key rotation. |
| 289 policy_.SetDefaultSigningKey(); |
| 290 policy_.SetDefaultNewSigningKey(); |
| 291 policy_.Build(); |
| 292 EXPECT_TRUE(policy_.policy().has_new_public_key_signature()); |
| 293 EXPECT_NE(original_policy_key, policy_.policy().new_public_key()); |
| 294 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 295 EXPECT_EQ(policy_.policy().new_public_key(), store_->policy_key()); |
| 296 } |
| 297 |
| 298 TEST_F(UserCloudPolicyStoreTest, ProvisionKeyTwice) { |
| 299 EXPECT_FALSE(store_->policy()); |
| 300 EXPECT_TRUE(store_->policy_map().empty()); |
| 301 |
| 302 // Store a simple policy and make sure it ends up as the currently active |
| 303 // policy. |
| 304 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 305 |
| 306 // Now try sending down policy signed with a different key (i.e. do key |
| 307 // rotation with a key not signed with the original signing key). |
| 308 policy_.UnsetSigningKey(); |
| 309 policy_.SetDefaultNewSigningKey(); |
| 310 policy_.Build(); |
| 311 EXPECT_FALSE(policy_.policy().has_new_public_key_signature()); |
| 312 |
| 313 ExpectError(store_.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 314 store_->Store(policy_.policy()); |
| 315 RunUntilIdle(); |
| 316 } |
| 317 |
| 221 TEST_F(UserCloudPolicyStoreTest, StoreTwoTimes) { | 318 TEST_F(UserCloudPolicyStoreTest, StoreTwoTimes) { |
| 222 EXPECT_FALSE(store_->policy()); | 319 EXPECT_FALSE(store_->policy()); |
| 223 EXPECT_TRUE(store_->policy_map().empty()); | 320 EXPECT_TRUE(store_->policy_map().empty()); |
| 224 | 321 |
| 225 // Store a simple policy then store a second policy before the first one | 322 // Store a simple policy then store a second policy before the first one |
| 226 // finishes validating, and make sure the second policy ends up as the active | 323 // finishes validating, and make sure the second policy ends up as the active |
| 227 // policy. | 324 // policy. |
| 228 Sequence s1; | |
| 229 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s1); | |
| 230 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s1); | |
| 231 | |
| 232 UserPolicyBuilder first_policy; | 325 UserPolicyBuilder first_policy; |
| 326 first_policy.SetDefaultInitialSigningKey(); |
| 233 first_policy.payload().mutable_passwordmanagerenabled()->set_value(false); | 327 first_policy.payload().mutable_passwordmanagerenabled()->set_value(false); |
| 234 first_policy.Build(); | 328 first_policy.Build(); |
| 235 store_->Store(first_policy.policy()); | 329 StorePolicyAndEnsureLoaded(first_policy.policy()); |
| 236 RunUntilIdle(); | |
| 237 | 330 |
| 238 Mock::VerifyAndClearExpectations(external_data_manager_.get()); | 331 // Rebuild policy with the same signing key as |first_policy| (no rotation). |
| 239 Mock::VerifyAndClearExpectations(&observer_); | 332 policy_.UnsetNewSigningKey(); |
| 240 | 333 policy_.SetDefaultSigningKey(); |
| 241 Sequence s2; | 334 policy_.Build(); |
| 242 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s2); | 335 ASSERT_FALSE(policy_.policy().has_new_public_key()); |
| 243 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s2); | 336 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 244 | |
| 245 store_->Store(policy_.policy()); | |
| 246 RunUntilIdle(); | |
| 247 | 337 |
| 248 // Policy should be decoded and stored. | 338 // Policy should be decoded and stored. |
| 249 ASSERT_TRUE(store_->policy()); | |
| 250 EXPECT_EQ(policy_.policy_data().SerializeAsString(), | 339 EXPECT_EQ(policy_.policy_data().SerializeAsString(), |
| 251 store_->policy()->SerializeAsString()); | 340 store_->policy()->SerializeAsString()); |
| 252 VerifyPolicyMap(store_.get()); | 341 VerifyPolicyMap(store_.get()); |
| 253 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 342 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 254 } | 343 } |
| 255 | 344 |
| 256 TEST_F(UserCloudPolicyStoreTest, StoreThenLoad) { | 345 TEST_F(UserCloudPolicyStoreTest, StoreThenLoad) { |
| 257 // Store a simple policy and make sure it can be read back in. | 346 // Store a simple policy and make sure it can be read back in. |
| 258 // policy. | 347 // policy. |
| 259 Sequence s; | 348 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 260 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s); | 349 EXPECT_FALSE(store_->policy_key().empty()); |
| 261 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s); | |
| 262 store_->Store(policy_.policy()); | |
| 263 RunUntilIdle(); | |
| 264 | 350 |
| 265 // Now, make sure the policy can be read back in from a second store. | 351 // Now, make sure the policy can be read back in from a second store. |
| 266 scoped_ptr<UserCloudPolicyStore> store2( | 352 scoped_ptr<UserCloudPolicyStore> store2( |
| 267 new UserCloudPolicyStore(policy_file(), loop_.message_loop_proxy())); | 353 new UserCloudPolicyStore(policy_file(), |
| 354 key_file(), |
| 355 GetPolicyVerificationKey(), |
| 356 loop_.message_loop_proxy())); |
| 268 store2->SetSigninUsername(PolicyBuilder::kFakeUsername); | 357 store2->SetSigninUsername(PolicyBuilder::kFakeUsername); |
| 269 store2->AddObserver(&observer_); | 358 store2->AddObserver(&observer_); |
| 270 EXPECT_CALL(observer_, OnStoreLoaded(store2.get())); | 359 EXPECT_CALL(observer_, OnStoreLoaded(store2.get())); |
| 271 store2->Load(); | 360 store2->Load(); |
| 272 RunUntilIdle(); | 361 RunUntilIdle(); |
| 273 | 362 |
| 274 ASSERT_TRUE(store2->policy()); | 363 ASSERT_TRUE(store2->policy()); |
| 275 EXPECT_EQ(policy_.policy_data().SerializeAsString(), | 364 EXPECT_EQ(policy_.policy_data().SerializeAsString(), |
| 276 store2->policy()->SerializeAsString()); | 365 store2->policy()->SerializeAsString()); |
| 277 VerifyPolicyMap(store2.get()); | 366 VerifyPolicyMap(store2.get()); |
| 278 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store2->status()); | 367 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store2->status()); |
| 279 store2->RemoveObserver(&observer_); | 368 store2->RemoveObserver(&observer_); |
| 369 // Make sure that we properly resurrected the keys. |
| 370 EXPECT_EQ(store2->policy_key(), store_->policy_key()); |
| 280 } | 371 } |
| 281 | 372 |
| 282 TEST_F(UserCloudPolicyStoreTest, StoreThenLoadImmediately) { | 373 TEST_F(UserCloudPolicyStoreTest, StoreThenLoadImmediately) { |
| 283 // Store a simple policy and make sure it can be read back in. | 374 // Store a simple policy and make sure it can be read back in. |
| 284 // policy. | 375 // policy. |
| 285 Sequence s; | 376 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 286 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s); | |
| 287 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s); | |
| 288 store_->Store(policy_.policy()); | |
| 289 RunUntilIdle(); | |
| 290 | 377 |
| 291 // Now, make sure the policy can be read back in from a second store. | 378 // Now, make sure the policy can be read back in from a second store. |
| 292 scoped_ptr<UserCloudPolicyStore> store2( | 379 scoped_ptr<UserCloudPolicyStore> store2( |
| 293 new UserCloudPolicyStore(policy_file(), loop_.message_loop_proxy())); | 380 new UserCloudPolicyStore(policy_file(), |
| 381 key_file(), |
| 382 GetPolicyVerificationKey(), |
| 383 loop_.message_loop_proxy())); |
| 294 store2->SetSigninUsername(PolicyBuilder::kFakeUsername); | 384 store2->SetSigninUsername(PolicyBuilder::kFakeUsername); |
| 295 store2->AddObserver(&observer_); | 385 store2->AddObserver(&observer_); |
| 296 EXPECT_CALL(observer_, OnStoreLoaded(store2.get())); | 386 EXPECT_CALL(observer_, OnStoreLoaded(store2.get())); |
| 297 store2->LoadImmediately(); // Should load without running the message loop. | 387 store2->LoadImmediately(); // Should load without running the message loop. |
| 298 | 388 |
| 299 ASSERT_TRUE(store2->policy()); | 389 ASSERT_TRUE(store2->policy()); |
| 300 EXPECT_EQ(policy_.policy_data().SerializeAsString(), | 390 EXPECT_EQ(policy_.policy_data().SerializeAsString(), |
| 301 store2->policy()->SerializeAsString()); | 391 store2->policy()->SerializeAsString()); |
| 302 VerifyPolicyMap(store2.get()); | 392 VerifyPolicyMap(store2.get()); |
| 303 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store2->status()); | 393 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store2->status()); |
| 304 store2->RemoveObserver(&observer_); | 394 store2->RemoveObserver(&observer_); |
| 305 } | 395 } |
| 306 | 396 |
| 307 TEST_F(UserCloudPolicyStoreTest, StoreValidationError) { | 397 TEST_F(UserCloudPolicyStoreTest, StoreValidationError) { |
| 308 // Create an invalid policy (no policy type). | 398 // Create an invalid policy (no policy type). |
| 309 policy_.policy_data().clear_policy_type(); | 399 policy_.policy_data().clear_policy_type(); |
| 310 policy_.Build(); | 400 policy_.Build(); |
| 311 | 401 |
| 312 // Store policy. | 402 // Store policy. |
| 313 ExpectError(store_.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); | 403 ExpectError(store_.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 314 store_->Store(policy_.policy()); | 404 store_->Store(policy_.policy()); |
| 315 RunUntilIdle(); | 405 RunUntilIdle(); |
| 316 ASSERT_FALSE(store_->policy()); | 406 ASSERT_FALSE(store_->policy()); |
| 317 } | 407 } |
| 318 | 408 |
| 409 TEST_F(UserCloudPolicyStoreTest, StoreUnsigned) { |
| 410 // Create unsigned policy, try to store it, should get a validation error. |
| 411 policy_.policy().mutable_policy_data_signature()->clear(); |
| 412 |
| 413 // Store policy. |
| 414 ExpectError(store_.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 415 store_->Store(policy_.policy()); |
| 416 RunUntilIdle(); |
| 417 ASSERT_FALSE(store_->policy()); |
| 418 } |
| 419 |
| 319 TEST_F(UserCloudPolicyStoreTest, LoadValidationError) { | 420 TEST_F(UserCloudPolicyStoreTest, LoadValidationError) { |
| 320 // Force a validation error by changing the username after policy is stored. | 421 // Force a validation error by changing the username after policy is stored. |
| 321 Sequence s; | 422 StorePolicyAndEnsureLoaded(policy_.policy()); |
| 322 EXPECT_CALL(*external_data_manager_, OnPolicyStoreLoaded()).InSequence(s); | |
| 323 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())).InSequence(s); | |
| 324 store_->Store(policy_.policy()); | |
| 325 RunUntilIdle(); | |
| 326 | 423 |
| 327 // Sign out, and sign back in as a different user, and try to load the profile | 424 // Sign out, and sign back in as a different user, and try to load the profile |
| 328 // data (should fail due to mismatched username). | 425 // data (should fail due to mismatched username). |
| 329 scoped_ptr<UserCloudPolicyStore> store2( | 426 scoped_ptr<UserCloudPolicyStore> store2( |
| 330 new UserCloudPolicyStore(policy_file(), loop_.message_loop_proxy())); | 427 new UserCloudPolicyStore(policy_file(), |
| 428 key_file(), |
| 429 GetPolicyVerificationKey(), |
| 430 loop_.message_loop_proxy())); |
| 331 store2->SetSigninUsername("foobar@foobar.com"); | 431 store2->SetSigninUsername("foobar@foobar.com"); |
| 332 store2->AddObserver(&observer_); | 432 store2->AddObserver(&observer_); |
| 333 ExpectError(store2.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); | 433 ExpectError(store2.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 334 store2->Load(); | 434 store2->Load(); |
| 335 RunUntilIdle(); | 435 RunUntilIdle(); |
| 336 | 436 |
| 337 ASSERT_FALSE(store2->policy()); | 437 ASSERT_FALSE(store2->policy()); |
| 338 store2->RemoveObserver(&observer_); | 438 store2->RemoveObserver(&observer_); |
| 339 | 439 |
| 340 // Sign out - we should be able to load the policy (don't check usernames | 440 // Sign out - we should be able to load the policy (don't check usernames |
| 341 // when signed out). | 441 // when signed out). |
| 342 scoped_ptr<UserCloudPolicyStore> store3( | 442 scoped_ptr<UserCloudPolicyStore> store3( |
| 343 new UserCloudPolicyStore(policy_file(), loop_.message_loop_proxy())); | 443 new UserCloudPolicyStore(policy_file(), |
| 444 key_file(), |
| 445 GetPolicyVerificationKey(), |
| 446 loop_.message_loop_proxy())); |
| 344 store3->AddObserver(&observer_); | 447 store3->AddObserver(&observer_); |
| 345 EXPECT_CALL(observer_, OnStoreLoaded(store3.get())); | 448 EXPECT_CALL(observer_, OnStoreLoaded(store3.get())); |
| 346 store3->Load(); | 449 store3->Load(); |
| 347 RunUntilIdle(); | 450 RunUntilIdle(); |
| 348 | 451 |
| 349 ASSERT_TRUE(store3->policy()); | 452 ASSERT_TRUE(store3->policy()); |
| 350 store3->RemoveObserver(&observer_); | 453 store3->RemoveObserver(&observer_); |
| 351 | 454 |
| 352 // Now start a signin as a different user - this should fail validation. | 455 // Now start a signin as a different user - this should fail validation. |
| 353 scoped_ptr<UserCloudPolicyStore> store4( | 456 scoped_ptr<UserCloudPolicyStore> store4( |
| 354 new UserCloudPolicyStore(policy_file(), loop_.message_loop_proxy())); | 457 new UserCloudPolicyStore(policy_file(), |
| 458 key_file(), |
| 459 GetPolicyVerificationKey(), |
| 460 loop_.message_loop_proxy())); |
| 355 store4->SetSigninUsername("foobar@foobar.com"); | 461 store4->SetSigninUsername("foobar@foobar.com"); |
| 356 store4->AddObserver(&observer_); | 462 store4->AddObserver(&observer_); |
| 357 ExpectError(store4.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); | 463 ExpectError(store4.get(), CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 358 store4->Load(); | 464 store4->Load(); |
| 359 RunUntilIdle(); | 465 RunUntilIdle(); |
| 360 | 466 |
| 361 ASSERT_FALSE(store4->policy()); | 467 ASSERT_FALSE(store4->policy()); |
| 362 store4->RemoveObserver(&observer_); | 468 store4->RemoveObserver(&observer_); |
| 363 } | 469 } |
| 364 | 470 |
| 365 } // namespace | 471 // TODO(atwilson): Add a test to detect tampered policy |
| 472 // (new_public_key_verification_signature() doesn't match the right key - |
| 473 // http://crbug.com/275291). |
| 366 | 474 |
| 367 } // namespace policy | 475 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 116273002:
Added support for signed policy blobs on desktop. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src