Public Sessions: fetch device robot api token during enterprise enrollment.

chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc

Index: chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc
diff --git a/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc b/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc
index 240030a7374d363ca6dcfcd3cb3c5d2b440484f7..d4f25f28bbba2a07dfa9d031462ef4e2dbc3a70c 100644
--- a/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc
+++ b/chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos_unittest.cc
@@ -7,21 +7,28 @@
 #include "base/basictypes.h"
 #include "base/compiler_specific.h"
 #include "base/memory/scoped_ptr.h"
+#include "base/message_loop.h"
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/testing_pref_service.h"
 #include "base/run_loop.h"
+#include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/cryptohome_library.h"
 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
+#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
 #include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
 #include "chrome/browser/policy/cloud/cloud_policy_client.h"
 #include "chrome/browser/policy/cloud/mock_device_management_service.h"
 #include "chrome/browser/policy/cloud/proto/device_management_backend.pb.h"
 #include "chrome/browser/prefs/browser_prefs.h"
+#include "chrome/test/base/testing_browser_process.h"
 #include "chromeos/dbus/cryptohome_client.h"
 #include "chromeos/dbus/dbus_client_implementation_type.h"
+#include "net/url_request/test_url_fetcher_factory.h"
+#include "net/url_request/url_request_test_util.h"
 #include "policy/policy_constants.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
@@ -62,17 +69,40 @@ class DeviceCloudPolicyManagerChromeOSTest
     DeviceSettingsTestBase::SetUp();
     chrome::RegisterLocalState(local_state_.registry());
     manager_.Init();
+
+    // DeviceOAuth2TokenService uses the system request context to fetch
+    // OAuth tokens, then writes the token to local state, encrypting it
+    // first with methods in CrosLibrary.
+    request_context_getter_ = new net::TestURLRequestContextGetter(
+        loop_.message_loop_proxy());
+    TestingBrowserProcess::GetGlobal()->SetSystemRequestContext(
+        request_context_getter_);
+    TestingBrowserProcess::GetGlobal()->SetLocalState(&local_state_);
+    chromeos::DeviceOAuth2TokenServiceFactory::Initialize();
+    chromeos::CrosLibrary::Initialize(true);
+    url_fetcher_response_code_ = 200;
+    url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\","
+                                   "\"expires_in\":1234,"
+                                   "\"refresh_token\":\"refreshToken4Test\"}";
   }
 
   virtual void TearDown() OVERRIDE {
     manager_.Shutdown();
     DeviceSettingsTestBase::TearDown();
+
+    chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
+    chromeos::CrosLibrary::Shutdown();
+    TestingBrowserProcess::GetGlobal()->SetLocalState(NULL);
   }
 
   scoped_ptr<chromeos::CryptohomeLibrary> cryptohome_library_;
   scoped_ptr<chromeos::CryptohomeClient> stub_cryptohome_client_;
   EnterpriseInstallAttributes install_attributes_;
 
+  scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
+  net::TestURLFetcherFactory url_fetcher_factory_;
+  int url_fetcher_response_code_;
+  string url_fetcher_response_string_;
   TestingPrefServiceSimple local_state_;
   MockDeviceManagementService device_management_service_;
   chromeos::ScopedTestCrosSettings test_cros_settings_;
@@ -154,7 +184,8 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
   DeviceCloudPolicyManagerChromeOSEnrollmentTest()
       : is_auto_enrollment_(false),
         register_status_(DM_STATUS_SUCCESS),
-        fetch_status_(DM_STATUS_SUCCESS),
+        policy_fetch_status_(DM_STATUS_SUCCESS),
+        robot_auth_fetch_status_(DM_STATUS_SUCCESS),
         store_result_(true),
         status_(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS)),
         done_(false) {}
@@ -172,8 +203,10 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
 
     register_response_.mutable_register_response()->set_device_management_token(
         PolicyBuilder::kFakeToken);
-    fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
+    policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
         device_policy_.policy());
+    robot_auth_fetch_response_.mutable_service_api_access_response()
+        ->set_auth_code("auth_code_for_test");
     loaded_blob_ = device_policy_.GetBlob();
 
     // Initialize the manager.
@@ -236,11 +269,11 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
 
     // Process registration.
     ASSERT_TRUE(register_job);
-    MockDeviceManagementJob* fetch_job = NULL;
+    MockDeviceManagementJob* policy_fetch_job = NULL;
     EXPECT_CALL(device_management_service_,
                 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH))
         .Times(AtMost(1))
-        .WillOnce(device_management_service_.CreateAsyncJob(&fetch_job));
+        .WillOnce(device_management_service_.CreateAsyncJob(&policy_fetch_job));
     EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
         .Times(AtMost(1));
     register_job->SendResponse(register_status_, register_response_);
@@ -250,18 +283,56 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
       return;
 
     // Process policy fetch.
-    ASSERT_TRUE(fetch_job);
-    fetch_job->SendResponse(fetch_status_, fetch_response_);
+    ASSERT_TRUE(policy_fetch_job);
+    policy_fetch_job->SendResponse(policy_fetch_status_,
+                                   policy_fetch_response_);
 
     if (done_)
       return;
 
     // Process verification.
+    MockDeviceManagementJob* robot_auth_fetch_job = NULL;
+    EXPECT_CALL(device_management_service_,
+                CreateJob(DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH))
+        .Times(AtMost(1))
+        .WillOnce(device_management_service_.CreateAsyncJob(
+            &robot_auth_fetch_job));
+    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
+        .Times(AtMost(1));
     base::RunLoop().RunUntilIdle();
+    Mock::VerifyAndClearExpectations(&device_management_service_);
+
+    if (done_)
+      return;
+
+    // Process robot auth token fetch.
+    ASSERT_TRUE(robot_auth_fetch_job);
+    robot_auth_fetch_job->SendResponse(robot_auth_fetch_status_,
+                                       robot_auth_fetch_response_);
+    Mock::VerifyAndClearExpectations(&device_management_service_);
 
     if (done_)
       return;
 
+    // Process robot refresh token fetch if the auth code fetch succeeded.
+    // DeviceCloudPolicyManagerChromeOS holds an EnrollmentHandlerChromeOS which
+    // holds a GaiaOAuthClient that fetches the refresh token during enrollment.
+    // We return a successful OAuth response via a TestURLFetcher to trigger the
+    // happy path for these classes so that enrollment can continue.
+    if (robot_auth_fetch_status_ == DM_STATUS_SUCCESS) {
+      net::TestURLFetcher* url_fetcher = url_fetcher_factory_.GetFetcherByID(0);
+      ASSERT_TRUE(url_fetcher);
+      // The logic in GaiaOAuthClient seems broken, it always retries 1x on
+      // non-200 response codes, even if the retries are set to 0.  Seems like
+      // its num_retries_ > source->GetMaxRetriesOn5xx() should have a >=?

[Mattias Nissler (ping if slow), 2013/04/24 13:43:13]

You shouldn't just dump this in a comment, but pass this on to the author and/or
file a bug :)

[David Roche, 2013/04/24 15:34:21]

I added this to my todo list to do in another CL.  Sorry, I was going to mention
that in the codereview mail and I forgot.

I just created another branch with the retry fix in it, so I won't forget to
follow up on this (can't stand to have old branches with changes in them lying
about forever).  I'm running the unit tests now and will ping an OWNER to see if
they're worried about changing this accidental default from retrying to
[properly] not retrying.

[Mattias Nissler (ping if slow), 2013/04/24 17:58:52]

Can you just ask the author of that line whether it's wrong or not and update
the comment accordingly here?

+      url_fetcher->SetMaxRetriesOn5xx(-2);
+      url_fetcher->set_status(net::URLRequestStatus());
+      url_fetcher->set_response_code(url_fetcher_response_code_);
+      url_fetcher->SetResponseString(url_fetcher_response_string_);
+      url_fetcher->delegate()->OnURLFetchComplete(url_fetcher);
+    }
+    base::RunLoop().RunUntilIdle();
+
     // Process policy store.
     device_settings_test_helper_.set_store_result(store_result_);
     device_settings_test_helper_.FlushStore();
@@ -271,11 +342,19 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
     if (done_)
       return;
 
-    // Key installation and policy load.
+    // Key installation, policy load and refresh token save.
     device_settings_test_helper_.set_policy_blob(loaded_blob_);
     owner_key_util_->SetPublicKeyFromPrivateKey(
         device_policy_.new_signing_key());
     ReloadDeviceSettings();
+
+    if (done_)
+      return;
+
+    // Process robot refresh token store.
+    EXPECT_EQ(
+        "refreshToken4Test",
+        chromeos::DeviceOAuth2TokenServiceFactory::Get()->GetRefreshToken());
   }
 
   bool is_auto_enrollment_;
@@ -283,8 +362,11 @@ class DeviceCloudPolicyManagerChromeOSEnrollmentTest
   DeviceManagementStatus register_status_;
   em::DeviceManagementResponse register_response_;
 
-  DeviceManagementStatus fetch_status_;
-  em::DeviceManagementResponse fetch_response_;
+  DeviceManagementStatus policy_fetch_status_;
+  em::DeviceManagementResponse policy_fetch_response_;
+
+  DeviceManagementStatus robot_auth_fetch_status_;
+  em::DeviceManagementResponse robot_auth_fetch_response_;
 
   bool store_result_;
   std::string loaded_blob_;
@@ -334,8 +416,38 @@ TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RegistrationFailed) {
   EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
 }
 
+// Currently, robot auth tokens are optional.  When DMServer support is in
+// producion, thes next 4 tests will be changed.

[Mattias Nissler (ping if slow), 2013/04/24 13:43:13]

production
the

[Mattias Nissler (ping if slow), 2013/04/24 13:43:13]

Maybe avoid Google-isms like "production" and "DMServer" here? Something like
"Policy server implementations are not required support robot auth tokens, so
allow enrollment to succeed if the robot auth token fetch fails."

[David Roche, 2013/04/24 15:34:21]

Done.

+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
+       RobotAuthCodeFetchFailed) {
+  robot_auth_fetch_status_ = DM_STATUS_REQUEST_FAILED;
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
+       RobotRefreshTokenFetchResponseCodeFailed) {
+  url_fetcher_response_code_ = 400;
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
+       RobotRefreshTokenFetchResponseStringFailed) {
+  url_fetcher_response_string_ = "invalid response json";
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
+TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RobotRefreshSaveFailed) {
+  // Without a DeviceOAuth2TokenService, the refresh token can't be saved.
+  chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
+  RunTest();
+  ExpectSuccessfulEnrollment();
+}
+
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) {
-  fetch_status_ = DM_STATUS_REQUEST_FAILED;
+  policy_fetch_status_ = DM_STATUS_REQUEST_FAILED;
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_POLICY_FETCH_FAILED);
   EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
@@ -343,8 +455,8 @@ TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) {
 
 TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, ValidationFailed) {
   device_policy_.policy().set_policy_data_signature("bad");
-  fetch_response_.clear_policy_response();
-  fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
+  policy_fetch_response_.clear_policy_response();
+  policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
       device_policy_.policy());
   RunTest();
   ExpectFailedEnrollment(EnrollmentStatus::STATUS_VALIDATION_FAILED);
@@ -368,5 +480,5 @@ TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) {
             status_.store_status());
 }
 
-}  // namespace
+}  // namespace test
 }  // namespace policy