Public Sessions: fetch device robot api token during enterprise enrollment.

chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
 
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/message_loop.h"
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/testing_pref_service.h"
 #include "base/run_loop.h"
+#include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
 #include "chrome/browser/policy/cloud/cloud_policy_client.h"
 #include "chrome/browser/policy/cloud/mock_device_management_service.h"
 #include "chrome/browser/policy/cloud/proto/device_management_backend.pb.h"
 #include "chrome/browser/prefs/browser_prefs.h"
+#include "chrome/test/base/testing_browser_process.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_client_implementation_type.h"
+#include "net/url_request/test_url_fetcher_factory.h"
+#include "net/url_request/url_request_test_util.h"
 #include "policy/policy_constants.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using testing::AnyNumber;
 using testing::AtMost;
 using testing::DoAll;
 using testing::Mock;
 using testing::SaveArg;
 using testing::_;
@@ skipping 20 matching lines @@
         install_attributes_(cryptohome_library_.get(),
                             stub_cryptohome_client_.get()),
         store_(new DeviceCloudPolicyStoreChromeOS(&device_settings_service_,
                                                   &install_attributes_)),
         manager_(make_scoped_ptr(store_), &install_attributes_) {}
 
   virtual void SetUp() OVERRIDE {
     DeviceSettingsTestBase::SetUp();
     chrome::RegisterLocalState(local_state_.registry());
     manager_.Init();
+
+    // DeviceOAuth2TokenService uses the system request context to fetch
+    // OAuth tokens, then writes the token to local state, encrypting it
+    // first with methods in CrosLibrary.
+    request_context_getter_ = new net::TestURLRequestContextGetter(
+        loop_.message_loop_proxy());
+    TestingBrowserProcess::GetGlobal()->SetSystemRequestContext(
+        request_context_getter_);
+    TestingBrowserProcess::GetGlobal()->SetLocalState(&local_state_);
+    chromeos::DeviceOAuth2TokenServiceFactory::Initialize();
+    chromeos::CrosLibrary::Initialize(true);
+    url_fetcher_response_code_ = 200;
+    url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\","
+                                   "\"expires_in\":1234,"
+                                   "\"refresh_token\":\"refreshToken4Test\"}";
   }
 
   virtual void TearDown() OVERRIDE {
     manager_.Shutdown();
     DeviceSettingsTestBase::TearDown();
+
+    chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
+    chromeos::CrosLibrary::Shutdown();
+    TestingBrowserProcess::GetGlobal()->SetLocalState(NULL);
   }
 
   scoped_ptr<chromeos::CryptohomeLibrary> cryptohome_library_;
   scoped_ptr<chromeos::CryptohomeClient> stub_cryptohome_client_;
   EnterpriseInstallAttributes install_attributes_;
 
+  scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
+  net::TestURLFetcherFactory url_fetcher_factory_;
+  int url_fetcher_response_code_;
+  string url_fetcher_response_string_;
   TestingPrefServiceSimple local_state_;
   MockDeviceManagementService device_management_service_;
   chromeos::ScopedTestCrosSettings test_cros_settings_;
 
   DeviceCloudPolicyStoreChromeOS* store_;
   DeviceCloudPolicyManagerChromeOS manager_;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSTest);
 };
@@ skipping 61 matching lines @@
  public:
   void Done(EnrollmentStatus status) {
     status_ = status;
     done_ = true;
   }
 
  protected:
   DeviceCloudPolicyManagerChromeOSEnrollmentTest()
       : is_auto_enrollment_(false),
         register_status_(DM_STATUS_SUCCESS),
-        fetch_status_(DM_STATUS_SUCCESS),
+        policy_fetch_status_(DM_STATUS_SUCCESS),
+        robot_auth_fetch_status_(DM_STATUS_SUCCESS),
         store_result_(true),
         status_(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS)),
         done_(false) {}
 
   virtual void SetUp() OVERRIDE {
     DeviceCloudPolicyManagerChromeOSTest::SetUp();
 
     // Set up test data.
     device_policy_.set_new_signing_key(
         PolicyBuilder::CreateTestNewSigningKey());
     device_policy_.policy_data().set_timestamp(
         (base::Time::NowFromSystemTime() -
          base::Time::UnixEpoch()).InMilliseconds());
     device_policy_.Build();
 
     register_response_.mutable_register_response()->set_device_management_token(
         PolicyBuilder::kFakeToken);
-    fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
+    policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
         device_policy_.policy());
+    robot_auth_fetch_response_.mutable_service_api_access_response()
+        ->set_auth_code("auth_code_for_test");
     loaded_blob_ = device_policy_.GetBlob();
 
     // Initialize the manager.
     FlushDeviceSettings();
     EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
     EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
 
     PolicyBundle bundle;
     EXPECT_TRUE(manager_.policies().Equals(bundle));
 
@@ skipping 42 matching lines @@
         "auth token", is_auto_enrollment_, modes,
         base::Bind(&DeviceCloudPolicyManagerChromeOSEnrollmentTest::Done,
                    base::Unretained(this)));
     Mock::VerifyAndClearExpectations(&device_management_service_);
 
     if (done_)
       return;
 
     // Process registration.
     ASSERT_TRUE(register_job);
-    MockDeviceManagementJob* fetch_job = NULL;
+    MockDeviceManagementJob* policy_fetch_job = NULL;
     EXPECT_CALL(device_management_service_,
                 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH))
         .Times(AtMost(1))
-        .WillOnce(device_management_service_.CreateAsyncJob(&fetch_job));
+        .WillOnce(device_management_service_.CreateAsyncJob(&policy_fetch_job));
     EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
         .Times(AtMost(1));
     register_job->SendResponse(register_status_, register_response_);
     Mock::VerifyAndClearExpectations(&device_management_service_);
 
     if (done_)
       return;
 
     // Process policy fetch.
-    ASSERT_TRUE(fetch_job);
-    fetch_job->SendResponse(fetch_status_, fetch_response_);
+    ASSERT_TRUE(policy_fetch_job);
+    policy_fetch_job->SendResponse(policy_fetch_status_,
+                                   policy_fetch_response_);
 
     if (done_)
       return;
 
     // Process verification.
+    MockDeviceManagementJob* robot_auth_fetch_job = NULL;
+    EXPECT_CALL(device_management_service_,
+                CreateJob(DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH))
+        .Times(AtMost(1))
+        .WillOnce(device_management_service_.CreateAsyncJob(
+            &robot_auth_fetch_job));
+    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
+        .Times(AtMost(1));
     base::RunLoop().RunUntilIdle();
+    Mock::VerifyAndClearExpectations(&device_management_service_);
 
     if (done_)
       return;
 
+    // Process robot auth token fetch.
+    ASSERT_TRUE(robot_auth_fetch_job);
+    robot_auth_fetch_job->SendResponse(robot_auth_fetch_status_,
+                                       robot_auth_fetch_response_);
+    Mock::VerifyAndClearExpectations(&device_management_service_);
+
+    if (done_)
+      return;
+
+    // Process robot refresh token fetch if the auth code fetch succeeded.
+    // DeviceCloudPolicyManagerChromeOS holds an EnrollmentHandlerChromeOS which
+    // holds a GaiaOAuthClient that fetches the refresh token during enrollment.
+    // We return a successful OAuth response via a TestURLFetcher to trigger the
+    // happy path for these classes so that enrollment can continue.
+    if (robot_auth_fetch_status_ == DM_STATUS_SUCCESS) {
+      net::TestURLFetcher* url_fetcher = url_fetcher_factory_.GetFetcherByID(0);
+      ASSERT_TRUE(url_fetcher);
+      // The logic in GaiaOAuthClient seems broken, it always retries 1x on
+      // non-200 response codes, even if the retries are set to 0.  Seems like
+      // its num_retries_ > source->GetMaxRetriesOn5xx() should have a >=?

[Mattias Nissler (ping if slow), 2013/04/24 13:43:13]

You shouldn't just dump this in a comment, but pass this on to the author and/or
file a bug :)

[David Roche, 2013/04/24 15:34:21]

I added this to my todo list to do in another CL.  Sorry, I was going to mention
that in the codereview mail and I forgot.

I just created another branch with the retry fix in it, so I won't forget to
follow up on this (can't stand to have old branches with changes in them lying
about forever).  I'm running the unit tests now and will ping an OWNER to see if
they're worried about changing this accidental default from retrying to
[properly] not retrying.

[Mattias Nissler (ping if slow), 2013/04/24 17:58:52]

Can you just ask the author of that line whether it's wrong or not and update
the comment accordingly here?

+      url_fetcher->SetMaxRetriesOn5xx(-2);
+      url_fetcher->set_status(net::URLRequestStatus());
+      url_fetcher->set_response_code(url_fetcher_response_code_);
+      url_fetcher->SetResponseString(url_fetcher_response_string_);
+      url_fetcher->delegate()->OnURLFetchComplete(url_fetcher);
+    }
+    base::RunLoop().RunUntilIdle();
+
     // Process policy store.
     device_settings_test_helper_.set_store_result(store_result_);
     device_settings_test_helper_.FlushStore();
     EXPECT_EQ(device_policy_.GetBlob(),
               device_settings_test_helper_.policy_blob());
 
     if (done_)
       return;
 
-    // Key installation and policy load.
+    // Key installation, policy load and refresh token save.
     device_settings_test_helper_.set_policy_blob(loaded_blob_);
     owner_key_util_->SetPublicKeyFromPrivateKey(
         device_policy_.new_signing_key());
     ReloadDeviceSettings();
+
+    if (done_)
+      return;
+
+    // Process robot refresh token store.
+    EXPECT_EQ(
+        "refreshToken4Test",
+        chromeos::DeviceOAuth2TokenServiceFactory::Get()->GetRefreshToken());
   }
 
   bool is_auto_enrollment_;
 
   DeviceManagementStatus register_status_;
   em::DeviceManagementResponse register_response_;
 
-  DeviceManagementStatus fetch_status_;
-  em::DeviceManagementResponse fetch_response_;
+  DeviceManagementStatus policy_fetch_status_;
+  em::DeviceManagementResponse policy_fetch_response_;
+
+  DeviceManagementStatus robot_auth_fetch_status_;
+  em::DeviceManagementResponse robot_auth_fetch_response_;
 
   bool store_result_;
   std::string loaded_blob_;
 
   em::DeviceManagementRequest register_request_;
   std::string client_id_;
   EnrollmentStatus status_;
 
   bool done_;
 
@@ skipping 29 matching lines @@
   EXPECT_EQ(PolicyBuilder::kFakeDeviceId, client_id_);
 }
 
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RegistrationFailed) {
   register_status_ = DM_STATUS_REQUEST_FAILED;
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_REGISTRATION_FAILED);
   EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
 }
 
+// Currently, robot auth tokens are optional.  When DMServer support is in
+// producion, thes next 4 tests will be changed.

[Mattias Nissler (ping if slow), 2013/04/24 13:43:13]

production
the

[Mattias Nissler (ping if slow), 2013/04/24 13:43:13]

Maybe avoid Google-isms like "production" and "DMServer" here? Something like
"Policy server implementations are not required support robot auth tokens, so
allow enrollment to succeed if the robot auth token fetch fails."

[David Roche, 2013/04/24 15:34:21]

Done.

+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
+       RobotAuthCodeFetchFailed) {
+  robot_auth_fetch_status_ = DM_STATUS_REQUEST_FAILED;
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
+       RobotRefreshTokenFetchResponseCodeFailed) {
+  url_fetcher_response_code_ = 400;
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
+       RobotRefreshTokenFetchResponseStringFailed) {
+  url_fetcher_response_string_ = "invalid response json";
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RobotRefreshSaveFailed) {
+  // Without a DeviceOAuth2TokenService, the refresh token can't be saved.
+  chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) {
-  fetch_status_ = DM_STATUS_REQUEST_FAILED;
+  policy_fetch_status_ = DM_STATUS_REQUEST_FAILED;
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_POLICY_FETCH_FAILED);
   EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
 }
 
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, ValidationFailed) {
   device_policy_.policy().set_policy_data_signature("bad");
-  fetch_response_.clear_policy_response();
-  fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
+  policy_fetch_response_.clear_policy_response();
+  policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
       device_policy_.policy());
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_VALIDATION_FAILED);
   EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE,
             status_.validation_status());
 }
 
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, StoreError) {
   store_result_ = false;
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
   EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR,
             status_.store_status());
 }
 
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) {
   loaded_blob_.clear();
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
   EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR,
             status_.store_status());
 }
 
-}  // namespace
+}  // namespace test
 }  // namespace policy