Allow dynamic updating of authentication policies

chrome/browser/io_thread_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/metrics/field_trial.h"
+#include "base/prefs/pref_registry_simple.h"
+#include "base/prefs/pref_service.h"
+#include "base/prefs/testing_pref_service.h"
 #include "base/test/mock_entropy_provider.h"
+#include "chrome/browser/extensions/event_router_forwarder.h"
 #include "chrome/browser/io_thread.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/pref_names.h"
 #include "components/data_reduction_proxy/core/common/data_reduction_proxy_params.h"
+#include "components/policy/core/common/mock_policy_service.h"
+#include "components/proxy_config/pref_proxy_config_tracker_impl.h"
+#include "components/proxy_config/proxy_config_pref_names.h"
+#include "content/public/test/test_browser_thread_bundle.h"
+#include "net/http/http_auth_handler_negotiate.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_server_properties_impl.h"
 #include "net/quic/quic_protocol.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+#if defined(OS_CHROMEOS)
+#include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/network/network_handler.h"
+#endif
+
+
 namespace test {
 
 using ::testing::ElementsAre;
+using ::testing::ReturnRef;
 
+// Class used for accessing IOThread methods (friend of IOThread). Creating
+// an IOThreadPeer creates and initializes an IOThread instance set up for
+// testing, deleting it cleanly closes down and deletes the IOThread instance.
 class IOThreadPeer {

[asanka, 2015/11/04 16:05:44]

Shall we maintain IOThreadPeer as a pure peer? It currently owns a thread bundle
and an IOThread object, which are better off being owned by the test fixture.

[aberent, 2015/11/06 13:57:34]

Done.

  public:
+  IOThreadPeer() {
+#if defined(ENABLE_EXTENSIONS)
+    event_router_forwarder_ = new extensions::EventRouterForwarder;
+#endif
+    PrefRegistrySimple* pref_registry = pref_service_.registry();
+    IOThread::RegisterPrefs(pref_registry);
+    PrefProxyConfigTrackerImpl::RegisterPrefs(pref_registry);
+    ssl_config::SSLConfigServiceManager::RegisterPrefs(pref_registry);
+
+    // Set up default function behaviour.
+    EXPECT_CALL(policy_service_,
+                GetPolicies(policy::PolicyNamespace(
+                    policy::POLICY_DOMAIN_CHROME, std::string())))
+        .WillRepeatedly(ReturnRef(policy_map_));
+
+#if defined(OS_CHROMEOS)
+    // Needed by IOThread constructor.
+    chromeos::DBusThreadManager::Initialize();
+    chromeos::NetworkHandler::Initialize();
+#endif
+    io_thread_.reset(new IOThread(&pref_service_, &policy_service_, nullptr,
+                                  event_router_forwarder_.get()));
+    // Sadly the test can't call IOThread::Init here, since on Mac the IOThread
+    // constructor has to run on the UI thread, and will DCHECK if it doesn't;
+    // but on all platforms IOThread::Init will DCHECK if it isn't on the IO
+    // Thread.
+    io_thread_->SetGlobalsForTesting(&globals_);
+    io_thread_->CreateDefaultAuthHandlerFactory();
+  }
+
+  ~IOThreadPeer() {
+    io_thread_->SetGlobalsForTesting(nullptr);
+#if defined(OS_CHROMEOS)
+    chromeos::NetworkHandler::Shutdown();
+    chromeos::DBusThreadManager::Shutdown();
+#endif
+  }
+
   static void ConfigureQuicGlobals(
       const base::CommandLine& command_line,
       base::StringPiece quic_trial_group,
       const std::map<std::string, std::string>& quic_trial_params,
       bool is_quic_allowed_by_policy,
       IOThread::Globals* globals) {
     IOThread::ConfigureQuicGlobals(command_line, quic_trial_group,
                                    quic_trial_params, is_quic_allowed_by_policy,
                                    globals);
   }
 
   static void ConfigureSpdyGlobals(
       const base::CommandLine& command_line,
       base::StringPiece spdy_trial_group,
       const std::map<std::string, std::string>& spdy_trial_params,
       IOThread::Globals* globals) {
     IOThread::ConfigureSpdyGlobals(command_line, spdy_trial_group,
                                    spdy_trial_params, globals);
   }
 
   static void InitializeNetworkSessionParamsFromGlobals(
       const IOThread::Globals& globals,
       net::HttpNetworkSession::Params* params) {
     IOThread::InitializeNetworkSessionParamsFromGlobals(globals, params);
   }
+
+  IOThread* io_thread() { return io_thread_.get(); }
+
+  TestingPrefServiceSimple* pref_service() { return &pref_service_; }
+
+ private:
+  content::TestBrowserThreadBundle thread_bundle_;
+  TestingPrefServiceSimple pref_service_;
+  scoped_refptr<extensions::EventRouterForwarder> event_router_forwarder_;
+  policy::PolicyMap policy_map_;
+  policy::MockPolicyService policy_service_;
+  scoped_ptr<IOThread> io_thread_;
+  IOThread::Globals globals_;
+
+  DISALLOW_COPY_AND_ASSIGN(IOThreadPeer);
 };
 
 class IOThreadTest : public testing::Test {
  public:
   IOThreadTest()
       : command_line_(base::CommandLine::NO_PROGRAM),
         is_quic_allowed_by_policy_(true) {
     globals_.http_server_properties.reset(new net::HttpServerPropertiesImpl());
   }
 
@@ skipping 433 matching lines @@
 TEST_F(IOThreadTest, QuicDisallowedByPolicy) {
   command_line_.AppendSwitch(switches::kEnableQuic);
   is_quic_allowed_by_policy_ = false;
   ConfigureQuicGlobals();
 
   net::HttpNetworkSession::Params params;
   InitializeNetworkSessionParams(&params);
   EXPECT_FALSE(params.enable_quic);
 }
 
+TEST_F(IOThreadTest, UpdateNegotiateDisableCnameLookup) {
+  IOThreadPeer peer;

[asanka, 2015/11/04 16:05:44]

Exercising the thread restrictions is important given the behavior that's being
introduced in this CL. Pref changes on the UI thread should propagate to auth
stack changes on the IO thread. Regression in this area might not be caught by
any other test since it requires specifically changing the auth related prefs in
the presence of real threads.

Let's use a real IO thread instead of one that's tied to the same message loop
as the UI thread. I.e. use the REAL_IO_THREAD option when initializing the
thread bundle. You may need to flush the IO thread before the changes become
visible.

[aberent, 2015/11/06 13:57:34]

Done.

+
+  auto factory = static_cast<net::HttpAuthHandlerRegistryFactory*>(
+      peer.io_thread()->globals()->http_auth_handler_factory.get());
+
+  auto negotiate_factory = static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
+      factory->GetSchemeFactory(net::kNegotiateAuthScheme));
+  // If we don't have a negotiate factory (net wasn't built with Kerberos) the
+  // policy does nothing so we can't test anything.
+  if (!negotiate_factory)
+    return;
+
+  peer.pref_service()->SetBoolean(prefs::kDisableAuthNegotiateCnameLookup,
+                                  false);
+  EXPECT_FALSE(negotiate_factory->disable_cname_lookup());
+  peer.pref_service()->SetBoolean(prefs::kDisableAuthNegotiateCnameLookup,
+                                  true);
+  EXPECT_TRUE(negotiate_factory->disable_cname_lookup());
+}
+
+TEST_F(IOThreadTest, UpdateEnableAuthNegotiatePort) {
+  IOThreadPeer peer;
+
+  auto factory = static_cast<net::HttpAuthHandlerRegistryFactory*>(
+      peer.io_thread()->globals()->http_auth_handler_factory.get());
+
+  auto negotiate_factory = static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
+      factory->GetSchemeFactory(net::kNegotiateAuthScheme));
+  // If we don't have a negotiate factory (net wasn't built with Kerberos) the
+  // policy does nothing so we can't test anything.
+  if (!negotiate_factory)
+    return;
+
+  peer.pref_service()->SetBoolean(prefs::kEnableAuthNegotiatePort, false);
+  EXPECT_FALSE(negotiate_factory->use_port());
+  peer.pref_service()->SetBoolean(prefs::kEnableAuthNegotiatePort, true);
+  EXPECT_TRUE(negotiate_factory->use_port());
+}
+
+TEST_F(IOThreadTest, UpdateServerWhitelist) {
+  IOThreadPeer peer;
+
+  GURL url("http://test.example.com");
+
+  peer.pref_service()->SetString(prefs::kAuthServerWhitelist, "");
+  net::URLSecurityManager* security_manager =
+      peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_FALSE(security_manager->CanUseDefaultCredentials(url));
+
+  peer.pref_service()->SetString(prefs::kAuthServerWhitelist, "*");
+  security_manager = peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_TRUE(security_manager->CanUseDefaultCredentials(url));
+}
+
+TEST_F(IOThreadTest, UpdateDelegateWhitelist) {
+  IOThreadPeer peer;
+
+  GURL url("http://test.example.com");
+
+  peer.pref_service()->SetString(prefs::kAuthNegotiateDelegateWhitelist, "");
+  net::URLSecurityManager* security_manager =
+      peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_FALSE(security_manager->CanDelegate(url));
+
+  peer.pref_service()->SetString(prefs::kAuthNegotiateDelegateWhitelist, "*");
+  security_manager = peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_TRUE(security_manager->CanDelegate(url));
+}
+
+#if defined(OS_ANDROID)
+// AuthAndroidNegotiateAccountType is only used on Android.
+TEST_F(IOThreadTest, UpdateAuthAndroidNegotiateAccountType) {
+  IOThreadPeer peer;
+
+  auto factory = static_cast<net::HttpAuthHandlerRegistryFactory*>(
+      peer.io_thread()->globals()->http_auth_handler_factory.get());
+
+  auto negotiate_factory = static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
+      factory->GetSchemeFactory(net::kNegotiateAuthScheme));
+  // If we don't have a negotiate factory (net wasn't built with Kerberos) the
+  // policy does nothing so we can't test anything.
+  if (!negotiate_factory)
+    return;
+
+  peer.pref_service()->SetString(prefs::kAuthAndroidNegotiateAccountType,
+                                 "acc1");
+  EXPECT_EQ("acc1", *(negotiate_factory->library()));
+  peer.pref_service()->SetString(prefs::kAuthAndroidNegotiateAccountType,
+                                 "acc2");
+  EXPECT_EQ("acc2", *(negotiate_factory->library()));
+}
+#endif
+
 }  // namespace test