Extract certificate policy application from NetworkLibrary.

chrome/browser/chromeos/cros/network_library_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include <cert.h>
 #include <pk11pub.h>
 
 #include <map>
 #include <string>
 #include <vector>
 
 #include "base/at_exit.h"
 #include "base/callback.h"
 #include "base/file_util.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/json/json_reader.h"
 #include "base/lazy_instance.h"
 #include "base/path_service.h"
 #include "chrome/browser/chromeos/cros/cros_library.h"
 #include "chrome/browser/chromeos/cros/network_library.h"
 #include "chrome/browser/chromeos/cros/network_library_impl_stub.h"
 #include "chrome/browser/chromeos/login/mock_user_manager.h"
 #include "chrome/browser/google_apis/test_util.h"
 #include "chrome/common/chrome_paths.h"
 #include "chromeos/network/onc/onc_certificate_importer.h"
 #include "chromeos/network/onc/onc_constants.h"
 #include "chromeos/network/onc/onc_test_utils.h"
 #include "chromeos/network/onc/onc_utils.h"
 #include "crypto/nss_util.h"
 #include "net/base/crypto_module.h"
-#include "net/cert/nss_cert_database.h"
-#include "net/cert/x509_certificate.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using ::testing::AnyNumber;
 using ::testing::Return;
 
 namespace chromeos {
 
 namespace {
 
@@ skipping 92 matching lines @@
 // predefined values, e.g. ethernet_available(). However, many other functions
 // such as connected_network() return values which are set indirectly and thus
 // we can test the logic of those setters.
 
 class NetworkLibraryStubTest : public ::testing::Test {
  public:
   NetworkLibraryStubTest() : cros_(NULL) {}
 
  protected:
   virtual void SetUp() {
-    ASSERT_TRUE(test_nssdb_.is_open());
-
-    slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule();
     cros_ = static_cast<NetworkLibraryImplStub*>(
         CrosLibrary::Get()->GetNetworkLibrary());
     ASSERT_TRUE(cros_) << "GetNetworkLibrary() Failed!";
-
-    // Test db should be empty at start of test.
-    EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
   }
 
   virtual void TearDown() {
     cros_ = NULL;
-    EXPECT_TRUE(CleanupSlotContents(slot_->os_module_handle()));
-    EXPECT_EQ(0U, ListCertsInSlot(slot_->os_module_handle()).size());
   }
 
   // Load the ONC from |onc_file| using NetworkLibrary::LoadOncNetworks. Check
   // that return value matches |expect_successful_import| and the configuration
   // that would be sent to Shill matches |shill_json|.
   void LoadOncAndVerifyNetworks(std::string onc_file,
                                 std::string shill_json,
                                 onc::ONCSource source,
                                 bool expect_successful_import) {
     ScopedMockUserManagerEnabler mock_user_manager;
     mock_user_manager.user_manager()->SetActiveUser("madmax@my.domain.com");
     EXPECT_CALL(*mock_user_manager.user_manager(), IsUserLoggedIn())
         .Times(AnyNumber())
         .WillRepeatedly(Return(true));
 
-    std::string onc_blob = onc::test_utils::ReadTestData(onc_file);
+    scoped_ptr<base::DictionaryValue> onc_blob =
+        onc::test_utils::ReadTestDictionary(onc_file);
+    base::ListValue* onc_network_configs;
+    onc_blob->GetListWithoutPathExpansion(
+        onc::toplevel_config::kNetworkConfigurations,
+        &onc_network_configs);
+    ASSERT_TRUE(onc_network_configs);
 
     scoped_ptr<base::Value> expected_value =
         google_apis::test_util::LoadJSONFile(shill_json);
     base::DictionaryValue* expected_configs;
     expected_value->GetAsDictionary(&expected_configs);
 
-    net::CertificateList cert_list;
-    EXPECT_EQ(expect_successful_import,
-              cros_->LoadOncNetworks(onc_blob, "", source, &cert_list));
+    cros_->LoadOncNetworks(*onc_network_configs, source);
 
     const std::map<std::string, base::DictionaryValue*>& configs =
         cros_->GetConfigurations();
 
     EXPECT_EQ(expected_configs->size(), configs.size());
 
     for (base::DictionaryValue::Iterator it(*expected_configs); !it.IsAtEnd();
          it.Advance()) {
       const base::DictionaryValue* expected_config;
       it.value().GetAsDictionary(&expected_config);
 
       std::map<std::string, base::DictionaryValue*>::const_iterator entry =
           configs.find(it.key());
       EXPECT_NE(entry, configs.end());
       base::DictionaryValue* actual_config = entry->second;
       EXPECT_TRUE(onc::test_utils::Equals(expected_config, actual_config));
     }
   }
 
   ScopedStubCrosEnabler cros_stub_;
   NetworkLibraryImplStub* cros_;
  protected:
-  net::CertificateList ListCertsInSlot(PK11SlotInfo* slot) {
-    net::CertificateList result;
-    CERTCertList* cert_list = PK11_ListCertsInSlot(slot);
-    for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);
-         !CERT_LIST_END(node, cert_list);
-         node = CERT_LIST_NEXT(node)) {
-      result.push_back(net::X509Certificate::CreateFromHandle(
-          node->cert, net::X509Certificate::OSCertHandles()));
-    }
-    CERT_DestroyCertList(cert_list);
-
-    // Sort the result so that test comparisons can be deterministic.
-    std::sort(result.begin(), result.end(), net::X509Certificate::LessThan());
-    return result;
-  }
-
-  bool CleanupSlotContents(PK11SlotInfo* slot) {
-    bool ok = true;
-    net::CertificateList certs = ListCertsInSlot(slot);
-    for (size_t i = 0; i < certs.size(); ++i) {
-      if (!net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(certs[i]))
-        ok = false;
-    }
-    return ok;
-  }
-
   scoped_refptr<net::CryptoModule> slot_;
   crypto::ScopedTestNSSDB test_nssdb_;
 };
 
 // Default stub state:
 // vpn1: disconnected, L2TP/IPsec + PSK
 // vpn2: disconnected, L2TP/IPsec + user cert
 // vpn3: disconnected, OpenVpn
 // eth1: connected (active network)
 // wifi1: connected
@@ skipping 76 matching lines @@
 }
 
 TEST_F(NetworkLibraryStubTest, NetworkConnectWifiWithCertPattern) {
   scoped_ptr<base::DictionaryValue> onc_root =
       onc::test_utils::ReadTestDictionary("toplevel_wifi_eap_clientcert.onc");
   base::ListValue* certificates;
   onc_root->GetListWithoutPathExpansion(onc::toplevel_config::kCertificates,
                                         &certificates);
 
   onc::CertificateImporter importer(true /* allow trust imports */);
-  net::CertificateList cert_list;
   ASSERT_EQ(onc::CertificateImporter::IMPORT_OK,
-            importer.ParseAndStoreCertificates(*certificates, &cert_list));
+            importer.ParseAndStoreCertificates(*certificates, NULL));
 
   WifiNetwork* wifi = cros_->FindWifiNetworkByPath("wifi_cert_pattern");
 
   StubEnrollmentDelegate* enrollment_delegate = new StubEnrollmentDelegate();
   wifi->SetEnrollmentDelegate(enrollment_delegate);
   EXPECT_FALSE(enrollment_delegate->did_enroll);
   EXPECT_FALSE(enrollment_delegate->correct_args);
 
   ASSERT_NE(static_cast<const WifiNetwork*>(NULL), wifi);
   EXPECT_FALSE(wifi->connected());
   EXPECT_TRUE(cros_->CanConnectToNetwork(wifi));
   EXPECT_FALSE(wifi->connected());
   wifi->AttemptConnection(
       base::Bind(&WifiNetworkConnectCallback, cros_, wifi));
   EXPECT_TRUE(wifi->connected());
   EXPECT_TRUE(enrollment_delegate->did_enroll);
   EXPECT_TRUE(enrollment_delegate->correct_args);
 }
 
 TEST_F(NetworkLibraryStubTest, NetworkConnectVPNWithCertPattern) {
   scoped_ptr<base::DictionaryValue> onc_root =
       onc::test_utils::ReadTestDictionary("toplevel_openvpn_clientcert.onc");
   base::ListValue* certificates;
   onc_root->GetListWithoutPathExpansion(onc::toplevel_config::kCertificates,
                                         &certificates);
 
   onc::CertificateImporter importer(true /* allow trust imports */);
-  net::CertificateList cert_list;
   ASSERT_EQ(onc::CertificateImporter::IMPORT_OK,
-            importer.ParseAndStoreCertificates(*certificates, &cert_list));
+            importer.ParseAndStoreCertificates(*certificates, NULL));
 
   VirtualNetwork* vpn = cros_->FindVirtualNetworkByPath("vpn_cert_pattern");
 
   StubEnrollmentDelegate* enrollment_delegate = new StubEnrollmentDelegate();
   vpn->SetEnrollmentDelegate(enrollment_delegate);
   EXPECT_FALSE(enrollment_delegate->did_enroll);
   EXPECT_FALSE(enrollment_delegate->correct_args);
 
   ASSERT_NE(static_cast<const VirtualNetwork*>(NULL), vpn);
   EXPECT_FALSE(vpn->connected());
@@ skipping 10 matching lines @@
   VirtualNetwork* vpn1 = cros_->FindVirtualNetworkByPath("vpn1");
   EXPECT_NE(static_cast<const VirtualNetwork*>(NULL), vpn1);
   EXPECT_FALSE(vpn1->connected());
   EXPECT_TRUE(cros_->CanConnectToNetwork(vpn1));
   cros_->ConnectToVirtualNetwork(vpn1);
   EXPECT_TRUE(vpn1->connected());
   ASSERT_NE(static_cast<const VirtualNetwork*>(NULL), cros_->virtual_network());
   EXPECT_EQ("vpn1", cros_->virtual_network()->service_path());
 }
 
-TEST_F(NetworkLibraryStubTest, LoadOncNetworksWithInvalidConfig) {
-  LoadOncAndVerifyNetworks(
-      "toplevel_partially_invalid.onc",
-      "chromeos/net/shill_for_toplevel_partially_invalid.json",
-      onc::ONC_SOURCE_USER_POLICY,
-      false  /* expect import to fail */);
-
-  EXPECT_EQ(ListCertsInSlot(slot_->os_module_handle()).size(), 1U);
-}
-
 namespace {
 
 struct ImportParams {
   // |onc_file|: Filename of source ONC, relative to
   //             chromeos/test/data/network.
   // |shill_file|: Filename of expected Shill config, relative to
   //               chrome/test/data).
   // |onc_source|: The source of the ONC.
   // |expect_import_result|: The expected return value of LoadOncNetworks.
   ImportParams(const std::string& onc_file,
@@ skipping 22 matching lines @@
 class LoadOncNetworksTest
     : public NetworkLibraryStubTest,
       public ::testing::WithParamInterface<ImportParams> {
 };
 
 TEST_P(LoadOncNetworksTest, VerifyNetworksAndCertificates) {
   LoadOncAndVerifyNetworks(GetParam().onc_file,
                            GetParam().shill_file,
                            GetParam().onc_source,
                            GetParam().expect_import_result);
-
-  scoped_ptr<base::DictionaryValue> onc_dict =
-      onc::test_utils::ReadTestDictionary(GetParam().onc_file);
-  base::ListValue* onc_certs;
-  onc_dict->GetListWithoutPathExpansion(onc::toplevel_config::kCertificates,
-                                        &onc_certs);
-
-  EXPECT_EQ(onc_certs->GetSize(),
-            ListCertsInSlot(slot_->os_module_handle()).size());
 }
 
 INSTANTIATE_TEST_CASE_P(
     LoadOncNetworksTest,
     LoadOncNetworksTest,
     ::testing::Values(
          ImportParams("managed_toplevel1.onc",
                       "chromeos/net/shill_for_managed_toplevel1.json",
                       onc::ONC_SOURCE_USER_POLICY),
          ImportParams("managed_toplevel2.onc",
@@ skipping 37 matching lines @@
 
 // TODO(stevenjb): Test network profiles.
 
 // TODO(stevenjb): Test network devices.
 
 // TODO(stevenjb): Test data plans.
 
 // TODO(stevenjb): Test monitor network / device.
 
 }  // namespace chromeos