Allow dynamic updating of authentication policies

chrome/browser/io_thread_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/metrics/field_trial.h"
+#include "base/prefs/pref_registry_simple.h"
+#include "base/prefs/pref_service.h"
+#include "base/prefs/testing_pref_service.h"
 #include "base/test/mock_entropy_provider.h"
+#include "chrome/browser/extensions/event_router_forwarder.h"
 #include "chrome/browser/io_thread.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/pref_names.h"
 #include "components/data_reduction_proxy/core/common/data_reduction_proxy_params.h"
+#include "components/policy/core/common/mock_policy_service.h"
+#include "components/proxy_config/pref_proxy_config_tracker_impl.h"
+#include "components/proxy_config/proxy_config_pref_names.h"
+#include "content/public/test/test_browser_thread_bundle.h"
+#include "net/http/http_auth_handler_negotiate.h"
 #include "net/http/http_network_session.h"
 #include "net/http/http_server_properties_impl.h"
 #include "net/quic/quic_protocol.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace test {
 
 using ::testing::ElementsAre;
+using ::testing::ReturnRef;
 
+// Class used for accessing IOThread methods (friend of IOThread). Creating
+// an IOThreadPeer creates and initializes an IOThread instance set up for
+// testing, deleting it cleanly closes down and deletes the IOThread instance.
 class IOThreadPeer {
  public:
+  IOThreadPeer()
+      : thread_bundle_(content::TestBrowserThreadBundle::IO_MAINLOOP)
+#if defined(ENABLE_EXTENSIONS)

[asanka, 2015/10/28 03:27:43]

Not an owner here, but this looks bad enough that I'd consider initializing this
in the constructor body.

[aberent, 2015/11/02 18:52:50]

Done.

+        ,
+        event_router_forwarder_(new extensions::EventRouterForwarder)
+#endif
+  {
+    PrefRegistrySimple* pref_registry = pref_service_.registry();
+    IOThread::RegisterPrefs(pref_registry);
+    PrefProxyConfigTrackerImpl::RegisterPrefs(pref_registry);
+    ssl_config::SSLConfigServiceManager::RegisterPrefs(pref_registry);
+
+    // Set up default function behaviour.
+    EXPECT_CALL(policy_service_,
+                GetPolicies(policy::PolicyNamespace(
+                    policy::POLICY_DOMAIN_CHROME, std::string())))
+        .WillRepeatedly(ReturnRef(policy_map_));
+    io_thread_.reset(new IOThread(&pref_service_, &policy_service_, nullptr,
+                                  event_router_forwarder_.get()));
+    io_thread_->Init();
+  }
+
+  ~IOThreadPeer() { io_thread_->CleanUp(); }
+
   static void ConfigureQuicGlobals(
       const base::CommandLine& command_line,
       base::StringPiece quic_trial_group,
       const std::map<std::string, std::string>& quic_trial_params,
       bool is_quic_allowed_by_policy,
       IOThread::Globals* globals) {
     IOThread::ConfigureQuicGlobals(command_line, quic_trial_group,
                                    quic_trial_params, is_quic_allowed_by_policy,
                                    globals);
   }
 
   static void ConfigureSpdyGlobals(
       const base::CommandLine& command_line,
       base::StringPiece spdy_trial_group,
       const std::map<std::string, std::string>& spdy_trial_params,
       IOThread::Globals* globals) {
     IOThread::ConfigureSpdyGlobals(command_line, spdy_trial_group,
                                    spdy_trial_params, globals);
   }
 
   static void InitializeNetworkSessionParamsFromGlobals(
       const IOThread::Globals& globals,
       net::HttpNetworkSession::Params* params) {
     IOThread::InitializeNetworkSessionParamsFromGlobals(globals, params);
   }
+
+  IOThread* io_thread() { return io_thread_.get(); }
+
+  TestingPrefServiceSimple* pref_service() { return &pref_service_; }
+
+ private:
+  content::TestBrowserThreadBundle thread_bundle_;
+  TestingPrefServiceSimple pref_service_;
+  scoped_refptr<extensions::EventRouterForwarder> event_router_forwarder_;

[asanka, 2015/10/28 03:27:43]

Guard with #if defined(ENABLE_EXTENSIONS)

[aberent, 2015/11/02 18:52:50]

Doing so means that one needs #ifs in the IOThread constructor call, so simpler
to leave it unguarded. The class EventRouteForwarder must exist unconditionally,
since the IO thread constructor has an argument of this type.

+  policy::PolicyMap policy_map_;
+  policy::MockPolicyService policy_service_;
+  scoped_ptr<IOThread> io_thread_;
+
+  DISALLOW_COPY_AND_ASSIGN(IOThreadPeer);
 };
 
 class IOThreadTest : public testing::Test {
  public:
   IOThreadTest()
       : command_line_(base::CommandLine::NO_PROGRAM),
         is_quic_allowed_by_policy_(true) {
     globals_.http_server_properties.reset(new net::HttpServerPropertiesImpl());
   }
 
@@ skipping 433 matching lines @@
 TEST_F(IOThreadTest, QuicDisallowedByPolicy) {
   command_line_.AppendSwitch(switches::kEnableQuic);
   is_quic_allowed_by_policy_ = false;
   ConfigureQuicGlobals();
 
   net::HttpNetworkSession::Params params;
   InitializeNetworkSessionParams(&params);
   EXPECT_FALSE(params.enable_quic);
 }
 
+TEST_F(IOThreadTest, UpdateNegotiateDisableCnameLookup) {
+  IOThreadPeer peer;
+
+  net::HttpAuthHandlerRegistryFactory* factory =
+      peer.io_thread()->globals()->http_auth_handler_factory.get();
+
+  auto negotiate_factory = static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
+      factory->GetSchemeFactory("negotiate"));
+  // If we don't have a negotiate factory (net wasn't built with Kerberos) the
+  // policy does nothing so we can't test anything.
+  if (!negotiate_factory)
+    return;
+
+  peer.pref_service()->SetBoolean(prefs::kDisableAuthNegotiateCnameLookup,
+                                  false);
+  EXPECT_FALSE(negotiate_factory->disable_cname_lookup());
+  peer.pref_service()->SetBoolean(prefs::kDisableAuthNegotiateCnameLookup,
+                                  true);
+  EXPECT_TRUE(negotiate_factory->disable_cname_lookup());
+}
+
+TEST_F(IOThreadTest, UpdateEnableAuthNegotiatePort) {
+  IOThreadPeer peer;
+
+  net::HttpAuthHandlerRegistryFactory* factory =
+      peer.io_thread()->globals()->http_auth_handler_factory.get();
+
+  auto negotiate_factory = static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
+      factory->GetSchemeFactory("negotiate"));
+  // If we don't have a negotiate factory (net wasn't built with Kerberos) the
+  // policy does nothing so we can't test anything.
+  if (!negotiate_factory)
+    return;
+
+  peer.pref_service()->SetBoolean(prefs::kEnableAuthNegotiatePort, false);
+  EXPECT_FALSE(negotiate_factory->use_port());
+  peer.pref_service()->SetBoolean(prefs::kEnableAuthNegotiatePort, true);
+  EXPECT_TRUE(negotiate_factory->use_port());
+}
+
+TEST_F(IOThreadTest, UpdateServerWhitelist) {
+  IOThreadPeer peer;
+
+  GURL url("http://test.example.com");
+
+  peer.pref_service()->SetString(prefs::kAuthServerWhitelist, "");
+  net::URLSecurityManager* security_manager =
+      peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_FALSE(security_manager->CanUseDefaultCredentials(url));
+
+  peer.pref_service()->SetString(prefs::kAuthServerWhitelist, "*");
+  security_manager = peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_TRUE(security_manager->CanUseDefaultCredentials(url));
+}
+
+TEST_F(IOThreadTest, UpdateDelegateWhitelist) {
+  IOThreadPeer peer;
+
+  GURL url("http://test.example.com");
+
+  peer.pref_service()->SetString(prefs::kAuthNegotiateDelegateWhitelist, "");
+  net::URLSecurityManager* security_manager =
+      peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_FALSE(security_manager->CanDelegate(url));
+
+  peer.pref_service()->SetString(prefs::kAuthNegotiateDelegateWhitelist, "*");
+  security_manager = peer.io_thread()->globals()->url_security_manager.get();
+  EXPECT_TRUE(security_manager->CanDelegate(url));
+}
+
+#if defined(OS_ANDROID)
+// AuthAndroidNegotiateAccountType is only used on Android.
+TEST_F(IOThreadTest, UpdateAuthAndroidNegotiateAccountType) {
+  IOThreadPeer peer;
+
+  net::HttpAuthHandlerRegistryFactory* factory =
+      peer.io_thread()->globals()->http_auth_handler_factory.get();
+
+  auto negotiate_factory = static_cast<net::HttpAuthHandlerNegotiate::Factory*>(
+      factory->GetSchemeFactory("negotiate"));
+  // If we don't have a negotiate factory (net wasn't built with Kerberos) the
+  // policy does nothing so we can't test anything.
+  if (!negotiate_factory)
+    return;
+
+  peer.pref_service()->SetString(prefs::kAuthAndroidNegotiateAccountType,
+                                 "acc1");
+  EXPECT_EQ("acc1", *(negotiate_factory->library()));
+  peer.pref_service()->SetString(prefs::kAuthAndroidNegotiateAccountType,
+                                 "acc2");
+  EXPECT_EQ("acc2", *(negotiate_factory->library()));
+}
+#endif
+
 }  // namespace test