Switch to id-based affiliation determination

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc

Index: chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
diff --git a/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc b/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
index ff92450ee32d7434c8df25757f7b758577b97f57..f8ef64afee3fc18ba1ff0c1543f941a84dd85c21 100644
--- a/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
+++ b/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
@@ -5,28 +5,51 @@
 #include <cryptohi.h>
 
 #include "base/macros.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/path_service.h"
+#include "base/prefs/pref_service.h"
 #include "base/strings/stringprintf.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/chromeos/login/test/https_forwarder.h"
+#include "chrome/browser/chromeos/policy/affiliation_test_helper.h"
 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
 #include "chrome/browser/extensions/extension_apitest.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/net/url_request_mock_util.h"
+#include "chrome/common/chrome_paths.h"
+#include "chrome/test/base/ui_test_utils.h"
 #include "chromeos/chromeos_switches.h"
+#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/fake_session_manager_client.h"
+#include "chromeos/dbus/session_manager_client.h"
 #include "chromeos/login/user_names.h"
 #include "components/policy/core/browser/browser_policy_connector.h"
 #include "components/policy/core/common/mock_configuration_policy_provider.h"
 #include "components/policy/core/common/policy_map.h"
+#include "components/user_manager/user_manager.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/common/content_switches.h"
-#include "content/public/test/test_utils.h"
 #include "crypto/nss_util_internal.h"
 #include "crypto/scoped_test_system_nss_key_slot.h"
 #include "extensions/browser/extension_registry.h"
 #include "extensions/browser/notification_types.h"
+#include "extensions/browser/test_extension_registry_observer.h"
+#include "extensions/test/result_catcher.h"
+#include "google_apis/gaia/fake_gaia.h"
+#include "google_apis/gaia/gaia_constants.h"
+#include "google_apis/gaia/gaia_switches.h"
+#include "google_apis/gaia/gaia_urls.h"
 #include "net/base/net_errors.h"
 #include "net/cert/nss_cert_database.h"
+#include "net/dns/mock_host_resolver.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
+#include "net/test/embedded_test_server/http_response.h"
 #include "net/test/url_request/url_request_mock_http_job.h"
 #include "policy/policy_constants.h"
 #include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
 
 namespace {
 
@@ -133,6 +156,11 @@ void ImportPrivateKeyPKCS8ToSlot(const unsigned char* pkcs8_der,
 // its extension ID is well-known and the policy system can push policies for
 // the extension.
 const char kTestExtensionID[] = "aecpbnckhoppanpmefllkdkohionpmig";
+const char kAffiliationID[] = "some-affiliation-id";
+const char kTestUserinfoToken[] = "fake-userinfo-token";
+const char kGAIAHost[] = "accounts.google.com";
+
+using chromeos::affiliation_test_helper::kEnterpriseUser;
 
 enum SystemToken {
   SYSTEM_TOKEN_EXISTS,
@@ -166,7 +194,35 @@ class EnterprisePlatformKeysTest
     : public ExtensionApiTest,
       public ::testing::WithParamInterface<Params> {
  public:
-  EnterprisePlatformKeysTest() {}
+  EnterprisePlatformKeysTest() {
+    set_chromeos_user_ = false; // Command line should not be tweaked as if user

[Andrew T Wilson (Slow), 2015/09/16 15:02:06]

nit: move these comments so they start at the beginning of the line - having
them hang off the end is really only appropriate for one-line comments.

[peletskyi, 2015/09/21 14:17:25]

Done.

+                                // is already logged in.
+    set_exit_when_last_browser_closes(false); // We log in without running
+                                              // browser.
+  }
+
+  void SetUp() override {
+    base::FilePath test_data_dir;
+    PathService::Get(chrome::DIR_TEST_DATA, &test_data_dir);
+    embedded_test_server()->ServeFilesFromDirectory(test_data_dir);
+
+    embedded_test_server()->RegisterRequestHandler(
+        base::Bind(&FakeGaia::HandleRequest,
+                   base::Unretained(&fake_gaia_)));
+
+   ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
+
+    // Start https wrapper here so that the URLs can be pointed at it in
+    // SetUpCommandLine().
+    ASSERT_TRUE(gaia_https_forwarder_.Initialize(
+        kGAIAHost, embedded_test_server()->base_url()));
+
+    // Stop IO thread here because no threads are allowed while
+    // spawning sandbox host process. See crbug.com/322732.
+    embedded_test_server()->StopThread();
+
+    ExtensionApiTest::SetUp();
+  }
 
   void SetUpCommandLine(base::CommandLine* command_line) override {
     ExtensionApiTest::SetUpCommandLine(command_line);
@@ -175,27 +231,48 @@ class EnterprisePlatformKeysTest
     command_line->AppendSwitch(
         switches::kEnableExperimentalWebPlatformFeatures);
 
-    std::string user_email = "someuser@anydomain.com";
+    chromeos::affiliation_test_helper::AppendCommandLineSwitches(command_line);
 
-    // The command line flag kLoginUser determines the user's email and thus
-    // his affiliation to the domain that the device is enrolled to.
-    if (GetParam().user_affiliation_ == USER_AFFILIATION_ENROLLED_DOMAIN)
-      user_email = chromeos::login::kStubUser;
+    const GURL gaia_url = gaia_https_forwarder_.GetURLForSSLHost(std::string());
+    command_line->AppendSwitchASCII(::switches::kGaiaUrl, gaia_url.spec());
+    command_line->AppendSwitchASCII(::switches::kLsoUrl, gaia_url.spec());
+    command_line->AppendSwitchASCII(::switches::kGoogleApisUrl,
+                                    gaia_url.spec());
 
-    command_line->AppendSwitchASCII(chromeos::switches::kLoginUser, user_email);
+    fake_gaia_.Initialize();
+    fake_gaia_.set_issue_oauth_code_cookie(true);
   }
 
   void SetUpInProcessBrowserTestFixture() override {
     ExtensionApiTest::SetUpInProcessBrowserTestFixture();
 
+    host_resolver()->AddRule("*", "127.0.0.1");
+
+    chromeos::FakeSessionManagerClient* fake_session_manager_client =
+        new chromeos::FakeSessionManagerClient;
+    chromeos::DBusThreadManager::GetSetterForTesting()->SetSessionManagerClient(
+        scoped_ptr<chromeos::SessionManagerClient>(
+            fake_session_manager_client));
+
     if (GetParam().device_status_ == DEVICE_STATUS_ENROLLED) {
-      device_policy_test_helper_.device_policy()->policy_data().set_username(
-          chromeos::login::kStubUser);
+      std::set<std::string> device_affiliation_ids;
+      device_affiliation_ids.insert(kAffiliationID);
+      chromeos::affiliation_test_helper::SetDeviceAffiliationID(
+          &device_policy_test_helper_, fake_session_manager_client,
+          device_affiliation_ids);
+    }
 
-      device_policy_test_helper_.device_policy()->Build();
-      device_policy_test_helper_.MarkAsEnterpriseOwned();
+
+    if (GetParam().user_affiliation_ == USER_AFFILIATION_ENROLLED_DOMAIN) {
+      std::set<std::string> user_affiliation_ids;
+      user_affiliation_ids.insert(kAffiliationID);
+      policy::UserPolicyBuilder user_policy;
+      chromeos::affiliation_test_helper::SetUserAffiliationIDs(
+          &user_policy, fake_session_manager_client, kEnterpriseUser,
+          user_affiliation_ids);
     }
 
+
     EXPECT_CALL(policy_provider_, IsInitializationComplete(testing::_))
         .WillRepeatedly(testing::Return(true));
     policy_provider_.SetAutoRefresh();
@@ -204,6 +281,25 @@ class EnterprisePlatformKeysTest
   }
 
   void SetUpOnMainThread() override {
+    // Restart the thread as the sandbox host process has already been spawned.
+    embedded_test_server()->RestartThreadAndListen();
+
+    FakeGaia::AccessTokenInfo token_info;
+    token_info.scopes.insert(GaiaConstants::kDeviceManagementServiceOAuth);
+    token_info.scopes.insert(GaiaConstants::kOAuthWrapBridgeUserInfoScope);
+    token_info.audience = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+    token_info.token = kTestUserinfoToken;
+    token_info.email = kEnterpriseUser;
+    fake_gaia_.IssueOAuthToken(
+        chromeos::affiliation_test_helper::kFakeRefreshToken,
+        token_info);
+
+    const base::ListValue* users =
+        g_browser_process->local_state()->GetList("LoggedInUsers");
+    if (!users->empty()) {
+      chromeos::affiliation_test_helper::LoginUser(kEnterpriseUser);

[Andrew T Wilson (Slow), 2015/09/16 15:02:06]

What is this doing? And how do we know that LoggedInUsers contains
kEnterpriseUser?

[peletskyi, 2015/09/21 14:17:25]

I've added the comment.

+    }
+
     if (GetParam().system_token_ == SYSTEM_TOKEN_EXISTS) {
       base::RunLoop loop;
       content::BrowserThread::PostTask(
@@ -211,31 +307,11 @@ class EnterprisePlatformKeysTest
           FROM_HERE,
           base::Bind(&EnterprisePlatformKeysTest::SetUpTestSystemSlotOnIO,
                      base::Unretained(this),
-                     browser()->profile()->GetResourceContext(),
                      loop.QuitClosure()));
       loop.Run();
     }
 
     ExtensionApiTest::SetUpOnMainThread();
-
-    // Enable the URLRequestMock, which is required for force-installing the
-    // test extension through policy.
-    content::BrowserThread::PostTask(
-        content::BrowserThread::IO,
-        FROM_HERE,
-        base::Bind(chrome_browser_net::SetUrlRequestMocksEnabled, true));
-
-    {
-      base::RunLoop loop;
-      GetNSSCertDatabaseForProfile(
-          browser()->profile(),
-          base::Bind(&EnterprisePlatformKeysTest::DidGetCertDatabase,
-                     base::Unretained(this),
-                     loop.QuitClosure()));
-      loop.Run();
-    }
-
-    SetPolicy();
   }
 
   void TearDownOnMainThread() override {
@@ -251,9 +327,9 @@ class EnterprisePlatformKeysTest
                      loop.QuitClosure()));
       loop.Run();
     }
+    EXPECT_TRUE(embedded_test_server()->ShutdownAndWaitUntilComplete());
   }
 
- private:
   void DidGetCertDatabase(const base::Closure& done_callback,
                           net::NSSCertDatabase* cert_db) {
     // In order to use a prepared certificate, import a private key to the
@@ -264,28 +340,6 @@ class EnterprisePlatformKeysTest
     done_callback.Run();
   }
 
-  void SetUpTestSystemSlotOnIO(content::ResourceContext* context,
-                               const base::Closure& done_callback) {
-    test_system_slot_.reset(new crypto::ScopedTestSystemNSSKeySlot());
-    ASSERT_TRUE(test_system_slot_->ConstructedSuccessfully());
-
-    // Import a private key to the system slot.  The Javascript part of this
-    // test has a prepared certificate for this key.
-    ImportPrivateKeyPKCS8ToSlot(privateKeyPkcs8System,
-                                arraysize(privateKeyPkcs8System),
-                                test_system_slot_->slot());
-
-    content::BrowserThread::PostTask(
-        content::BrowserThread::UI, FROM_HERE, done_callback);
-  }
-
-  void TearDownTestSystemSlotOnIO(const base::Closure& done_callback) {
-    test_system_slot_.reset();
-
-    content::BrowserThread::PostTask(
-        content::BrowserThread::UI, FROM_HERE, done_callback);
-  }
-
   void SetPolicy() {
     // Extensions that are force-installed come from an update URL, which
     // defaults to the webstore. Use a mock URL for this test with an update
@@ -307,21 +361,87 @@ class EnterprisePlatformKeysTest
                NULL);
 
     // Set the policy and wait until the extension is installed.
-    content::WindowedNotificationObserver observer(
-        extensions::NOTIFICATION_EXTENSION_WILL_BE_INSTALLED_DEPRECATED,
-        content::NotificationService::AllSources());
+    extensions::TestExtensionRegistryObserver observer(
+        extensions::ExtensionRegistry::Get(profile()));
     policy_provider_.UpdateChromePolicy(policy);
-    observer.Wait();
+    observer.WaitForExtensionLoaded();
+  }
+
+  // Load |page_url| in |browser| and wait for PASSED or FAILED notification.
+  // The functionality of this function is reduced functionality of
+  // RunExtensionSubtest(), but we don't use it here because it requires
+  // function browser() to return non-NULL pointer. It is not our case and we

[Andrew T Wilson (Slow), 2015/09/16 15:02:06]

again, not clear how we have a browser here, but browser() is null.

[peletskyi, 2015/09/21 14:17:25]

I've modified the comment.

+  // can not set that pointer to valid value. From another side we need only
+  // very little functionality from RunExtensionSubtest(). Thus so that don't
+  // make RunExtensionSubtest() to complex we just introduce a new function.
+  bool TestExtension(Browser* browser, const std::string& page_url) {
+    DCHECK(!page_url.empty()) <<"page_url cannot be empty";
+
+    extensions::ResultCatcher catcher;
+    ui_test_utils::NavigateToURL(browser, GURL(page_url));
+
+    if (!catcher.GetNextResult()) {
+      message_ = catcher.message();
+      return false;
+    }
+    return true;
+  }
+
+ private:
+
+  void SetUpTestSystemSlotOnIO(const base::Closure& done_callback) {
+    test_system_slot_.reset(new crypto::ScopedTestSystemNSSKeySlot());
+    ASSERT_TRUE(test_system_slot_->ConstructedSuccessfully());
+
+    // Import a private key to the system slot.  The Javascript part of this
+    // test has a prepared certificate for this key.
+    ImportPrivateKeyPKCS8ToSlot(privateKeyPkcs8System,
+                                arraysize(privateKeyPkcs8System),
+                                test_system_slot_->slot());
+
+    content::BrowserThread::PostTask(
+        content::BrowserThread::UI, FROM_HERE, done_callback);
+  }
+
+  void TearDownTestSystemSlotOnIO(const base::Closure& done_callback) {
+    test_system_slot_.reset();
+
+    content::BrowserThread::PostTask(
+        content::BrowserThread::UI, FROM_HERE, done_callback);
   }
 
   policy::DevicePolicyCrosTestHelper device_policy_test_helper_;
   scoped_ptr<crypto::ScopedTestSystemNSSKeySlot> test_system_slot_;
   policy::MockConfigurationPolicyProvider policy_provider_;
+  FakeGaia fake_gaia_;
+  chromeos::HTTPSForwarder gaia_https_forwarder_;
 };
 
 }  // namespace
 
+IN_PROC_BROWSER_TEST_P(EnterprisePlatformKeysTest, PRE_Basic) {
+  chromeos::affiliation_test_helper::PreLoginUser(kEnterpriseUser);
+}
+
 IN_PROC_BROWSER_TEST_P(EnterprisePlatformKeysTest, Basic) {
+  // Enable the URLRequestMock, which is required for force-installing the
+  // test extension through policy.
+  content::BrowserThread::PostTask(
+     content::BrowserThread::IO,
+     FROM_HERE,
+     base::Bind(chrome_browser_net::SetUrlRequestMocksEnabled, true));
+
+  {
+   base::RunLoop loop;
+   GetNSSCertDatabaseForProfile(
+       profile(),
+       base::Bind(&EnterprisePlatformKeysTest::DidGetCertDatabase,
+                  base::Unretained(this),
+                  loop.QuitClosure()));
+   loop.Run();
+  }
+  SetPolicy();
+
   // By default, the system token is disabled.
   std::string system_token_availability = "";
 
@@ -334,8 +454,7 @@ IN_PROC_BROWSER_TEST_P(EnterprisePlatformKeysTest, Basic) {
     system_token_availability = "systemTokenEnabled";
   }
 
-  ASSERT_TRUE(RunExtensionSubtest(
-      "",
+  ASSERT_TRUE(TestExtension(CreateBrowser(profile()),
       base::StringPrintf("chrome-extension://%s/basic.html?%s",
                          kTestExtensionID,
                          system_token_availability.c_str())))