Chromium Code Reviews Chromium Code Reviews
Issue 135193007:
Use user specific NSSDatabase in CertLoader. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| Index: chromeos/network/network_connection_handler_unittest.cc |
| diff --git a/chromeos/network/network_connection_handler_unittest.cc b/chromeos/network/network_connection_handler_unittest.cc |
| index 0e991ef6f56034e09e3b0877e72fdf0df425ac2b..5a917af698664a9ef21f46f0d6f387a0ad15bd2f 100644 |
| --- a/chromeos/network/network_connection_handler_unittest.cc |
| +++ b/chromeos/network/network_connection_handler_unittest.cc |
| @@ -5,14 +5,27 @@ |
| #include "chromeos/network/network_connection_handler.h" |
| #include "base/bind.h" |
| +#include "base/callback.h" |
| +#include "base/file_util.h" |
| #include "base/memory/scoped_ptr.h" |
| #include "base/message_loop/message_loop.h" |
| +#include "base/run_loop.h" |
| +#include "base/strings/stringprintf.h" |
| +#include "chromeos/cert_loader.h" |
| #include "chromeos/dbus/dbus_thread_manager.h" |
| #include "chromeos/dbus/shill_manager_client.h" |
| #include "chromeos/dbus/shill_service_client.h" |
| #include "chromeos/network/network_configuration_handler.h" |
| #include "chromeos/network/network_state_handler.h" |
| #include "chromeos/network/onc/onc_utils.h" |
| +#include "chromeos/tpm_token_loader.h" |
| +#include "crypto/nss_util.h" |
| +#include "crypto/nss_util_internal.h" |
| +#include "net/base/net_errors.h" |
| +#include "net/base/test_data_directory.h" |
| +#include "net/cert/nss_cert_database_chromeos.h" |
| +#include "net/cert/x509_certificate.h" |
| +#include "net/test/cert_test_util.h" |
| #include "testing/gtest/include/gtest/gtest.h" |
| #include "third_party/cros_system_api/dbus/service_constants.h" |
| @@ -33,25 +46,41 @@ namespace chromeos { |
| class NetworkConnectionHandlerTest : public testing::Test { |
| public: |
| - NetworkConnectionHandlerTest() { |
| + NetworkConnectionHandlerTest() : user_("userhash") { |
| } |
| virtual ~NetworkConnectionHandlerTest() { |
| } |
| virtual void SetUp() OVERRIDE { |
| + ASSERT_TRUE(user_.constructed_successfully()); |
| + user_.FinishInit(); |
| + |
| + test_nssdb_.reset(new net::NSSCertDatabaseChromeOS( |
| + crypto::GetPublicSlotForChromeOSUser(user_.username_hash()), |
| + crypto::GetPrivateSlotForChromeOSUser( |
| + user_.username_hash(), |
| + base::Callback<void(crypto::ScopedPK11Slot)>()))); |
| + |
| + TPMTokenLoader::InitializeForTest(); |
| + |
| + CertLoader::Initialize(); |
|
pneubeck (no reviews)
2014/01/24 13:18:02
can then the
if (CertLoader::IsInitialized())
be
tbarzic
2014/01/25 00:26:27
I think so, I'll add it back if trybots start comp
|
| + CertLoader* cert_loader = CertLoader::Get(); |
| + cert_loader->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy()); |
| + cert_loader->set_hardware_backed_for_test(); |
| + |
| // Initialize DBusThreadManager with a stub implementation. |
| DBusThreadManager::InitializeWithStub(); |
| - message_loop_.RunUntilIdle(); |
| + base::RunLoop().RunUntilIdle(); |
| DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface() |
| ->ClearServices(); |
| - message_loop_.RunUntilIdle(); |
| + base::RunLoop().RunUntilIdle(); |
| LoginState::Initialize(); |
| network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); |
| network_configuration_handler_.reset( |
| NetworkConfigurationHandler::InitializeForTest( |
| network_state_handler_.get())); |
| + |
| network_connection_handler_.reset(new NetworkConnectionHandler); |
| - // TODO(stevenjb): Test integration with CertLoader using a stub or mock. |
| network_connection_handler_->Init(network_state_handler_.get(), |
| network_configuration_handler_.get()); |
| } |
| @@ -60,6 +89,8 @@ class NetworkConnectionHandlerTest : public testing::Test { |
| network_connection_handler_.reset(); |
| network_configuration_handler_.reset(); |
| network_state_handler_.reset(); |
| + CertLoader::Shutdown(); |
| + TPMTokenLoader::Shutdown(); |
| LoginState::Shutdown(); |
| DBusThreadManager::Shutdown(); |
| } |
| @@ -76,7 +107,7 @@ class NetworkConnectionHandlerTest : public testing::Test { |
| *json_dict, |
| base::Bind(&ConfigureCallback), |
| base::Bind(&ConfigureErrorCallback)); |
| - message_loop_.RunUntilIdle(); |
| + base::RunLoop().RunUntilIdle(); |
| return true; |
| } |
| @@ -89,7 +120,7 @@ class NetworkConnectionHandlerTest : public testing::Test { |
| base::Bind(&NetworkConnectionHandlerTest::ErrorCallback, |
| base::Unretained(this)), |
| check_error_state); |
| - message_loop_.RunUntilIdle(); |
| + base::RunLoop().RunUntilIdle(); |
| } |
| void Disconnect(const std::string& service_path) { |
| @@ -99,7 +130,7 @@ class NetworkConnectionHandlerTest : public testing::Test { |
| base::Unretained(this)), |
| base::Bind(&NetworkConnectionHandlerTest::ErrorCallback, |
| base::Unretained(this))); |
| - message_loop_.RunUntilIdle(); |
| + base::RunLoop().RunUntilIdle(); |
| } |
| void SuccessCallback() { |
| @@ -128,9 +159,32 @@ class NetworkConnectionHandlerTest : public testing::Test { |
| return result; |
| } |
| + void StartCertLoader() { |
| + CertLoader::Get()->StartWithNSSDB(test_nssdb_.get()); |
| + base::RunLoop().RunUntilIdle(); |
| + } |
| + |
| + bool ImportClientCertAndKey(const std::string& pkcs12_file, |
| + net::NSSCertDatabase* nssdb, |
| + net::CertificateList* loaded_certs) { |
| + std::string pkcs12_data; |
| + base::FilePath pkcs12_path = |
| + net::GetTestCertsDirectory().Append(pkcs12_file); |
| + if (!base::ReadFileToString(pkcs12_path, &pkcs12_data)) |
| + return false; |
| + |
| + scoped_refptr<net::CryptoModule> module( |
| + net::CryptoModule::CreateFromHandle(nssdb->GetPrivateSlot().get())); |
| + return net::OK == |
| + nssdb->ImportFromPKCS12(module, pkcs12_data, base::string16(), false, |
| + loaded_certs); |
| + } |
| + |
| scoped_ptr<NetworkStateHandler> network_state_handler_; |
| scoped_ptr<NetworkConfigurationHandler> network_configuration_handler_; |
| scoped_ptr<NetworkConnectionHandler> network_connection_handler_; |
| + crypto::ScopedTestNSSChromeOSUser user_; |
| + scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_; |
| base::MessageLoopForUI message_loop_; |
| std::string result_; |
| @@ -191,28 +245,102 @@ TEST_F(NetworkConnectionHandlerTest, NetworkConnectionHandlerConnectFailure) { |
| namespace { |
| -const char* kConfigRequiresCertificate = |
| +const char* kConfigRequiresCertificateTemplate = |
| "{ \"GUID\": \"wifi4\", \"Type\": \"wifi\", \"Connectable\": false," |
| " \"Security\": \"802_1x\"," |
| " \"UIData\": \"{" |
| " \\\"certificate_type\\\": \\\"pattern\\\"," |
| " \\\"certificate_pattern\\\": {" |
| - " \\\"Subject\\\": { \\\"CommonName\\\": \\\"Foo\\\" }" |
| + " \\\"Subject\\\": {\\\"CommonName\\\": \\\"%s\\\" }" |
| " } }\" }"; |
| } // namespace |
| -// Handle certificates. TODO(stevenjb): Add certificate stubs to improve |
| -// test coverage. |
| -TEST_F(NetworkConnectionHandlerTest, |
| - NetworkConnectionHandlerConnectCertificate) { |
| - EXPECT_TRUE(Configure(kConfigRequiresCertificate)); |
| +// Handle certificates. |
| +TEST_F(NetworkConnectionHandlerTest, ConnectCertificateMissing) { |
| + StartCertLoader(); |
| + |
| + EXPECT_TRUE(Configure( |
| + base::StringPrintf(kConfigRequiresCertificateTemplate, "unknown"))); |
| + Connect("wifi4"); |
| + EXPECT_EQ(NetworkConnectionHandler::kErrorCertificateRequired, |
| + GetResultAndReset()); |
| +} |
| + |
| +TEST_F(NetworkConnectionHandlerTest, ConnectWithCertificateSuccess) { |
| + StartCertLoader(); |
| + |
| + net::CertificateList certs; |
| + ASSERT_TRUE(ImportClientCertAndKey( |
| + "websocket_client_cert.p12", test_nssdb_.get(), &certs)); |
| + ASSERT_EQ(1U, certs.size()); |
|
pneubeck (no reviews)
2014/01/24 13:18:02
could be moved to the import function
tbarzic
2014/01/25 00:26:27
Done.
|
| + |
| + EXPECT_TRUE(Configure( |
| + base::StringPrintf(kConfigRequiresCertificateTemplate, |
| + certs[0]->subject().common_name.c_str()))); |
| + |
| + Connect("wifi4"); |
| + EXPECT_EQ(kSuccessResult, GetResultAndReset()); |
| +} |
| + |
| +TEST_F(NetworkConnectionHandlerTest, ConnectCertificateFromSecondaryUserFails) { |
|
pneubeck (no reviews)
2014/01/24 13:18:02
I think this is sufficiently tested at the CertLoa
tbarzic
2014/01/25 00:26:27
OK, removed the test.
|
| + StartCertLoader(); |
| + |
| + // Create secondary user and get it's nssdb. |
| + crypto::ScopedTestNSSChromeOSUser secondary_user("secondary"); |
| + ASSERT_TRUE(secondary_user.constructed_successfully()); |
| + secondary_user.FinishInit(); |
| + |
| + scoped_ptr<net::NSSCertDatabaseChromeOS>secondary_nssdb( |
| + new net::NSSCertDatabaseChromeOS( |
| + crypto::GetPublicSlotForChromeOSUser(secondary_user.username_hash()), |
| + crypto::GetPrivateSlotForChromeOSUser( |
| + secondary_user.username_hash(), |
| + base::Callback<void(crypto::ScopedPK11Slot)>()))); |
| + |
| + // Import client cert to the secondary user's nssdb. The certificate should |
| + // not be visible to the cert loader, so the connection request should fail. |
| + net::CertificateList certs; |
| + ASSERT_TRUE(ImportClientCertAndKey( |
| + "websocket_client_cert.p12", secondary_nssdb.get(), &certs)); |
| + ASSERT_EQ(1U, certs.size()); |
| + |
| + EXPECT_TRUE(Configure( |
| + base::StringPrintf(kConfigRequiresCertificateTemplate, |
| + certs[0]->subject().common_name.c_str()))); |
| + |
| Connect("wifi4"); |
| EXPECT_EQ(NetworkConnectionHandler::kErrorCertificateRequired, |
| GetResultAndReset()); |
| } |
| TEST_F(NetworkConnectionHandlerTest, |
| + ConnectWithCertificateRequestedBeforeCertsAreLoaded) { |
| + net::CertificateList certs; |
| + ASSERT_TRUE(ImportClientCertAndKey( |
| + "websocket_client_cert.p12", test_nssdb_.get(), &certs)); |
| + ASSERT_EQ(1U, certs.size()); |
| + |
| + EXPECT_TRUE(Configure( |
| + base::StringPrintf(kConfigRequiresCertificateTemplate, |
| + certs[0]->subject().common_name.c_str()))); |
| + |
| + Connect("wifi4"); |
| + |
| + // Connect request came before the cert loader loaded certificates, so the |
| + // connect request should have been throttled until the certificates are |
| + // loaded. |
| + EXPECT_EQ("", GetResultAndReset()); |
| + |
| + StartCertLoader(); |
| + |
| + // |StartCertLoader| should have triggered certificate loading. |
| + // When the certificates got loaded, the connection request should have |
| + // proceeded and eventually succeeded. |
| + EXPECT_EQ(kSuccessResult, GetResultAndReset()); |
| +} |
| + |
| +TEST_F(NetworkConnectionHandlerTest, |
| NetworkConnectionHandlerDisconnectSuccess) { |
| EXPECT_TRUE(Configure(kConfigConnected)); |
| Disconnect("wifi1"); |
