| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #include "chromeos/network/client_cert_resolver.h" | 4 #include "chromeos/network/client_cert_resolver.h" |
| 5 | 5 |
| 6 #include <cert.h> | 6 #include <cert.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include "base/bind.h" | 9 #include "base/bind.h" |
| 10 #include "base/bind_helpers.h" | 10 #include "base/bind_helpers.h" |
| 11 #include "base/files/file_path.h" | 11 #include "base/files/file_path.h" |
| 12 #include "base/files/file_util.h" | 12 #include "base/files/file_util.h" |
| 13 #include "base/json/json_reader.h" | 13 #include "base/json/json_reader.h" |
| 14 #include "base/memory/scoped_ptr.h" |
| 14 #include "base/run_loop.h" | 15 #include "base/run_loop.h" |
| 15 #include "base/strings/stringprintf.h" | 16 #include "base/strings/stringprintf.h" |
| 17 #include "base/test/simple_test_clock.h" |
| 16 #include "base/values.h" | 18 #include "base/values.h" |
| 17 #include "chromeos/cert_loader.h" | 19 #include "chromeos/cert_loader.h" |
| 18 #include "chromeos/dbus/dbus_thread_manager.h" | 20 #include "chromeos/dbus/dbus_thread_manager.h" |
| 19 #include "chromeos/dbus/shill_manager_client.h" | 21 #include "chromeos/dbus/shill_manager_client.h" |
| 20 #include "chromeos/dbus/shill_profile_client.h" | 22 #include "chromeos/dbus/shill_profile_client.h" |
| 21 #include "chromeos/dbus/shill_service_client.h" | 23 #include "chromeos/dbus/shill_service_client.h" |
| 22 #include "chromeos/network/managed_network_configuration_handler_impl.h" | 24 #include "chromeos/network/managed_network_configuration_handler_impl.h" |
| 23 #include "chromeos/network/network_configuration_handler.h" | 25 #include "chromeos/network/network_configuration_handler.h" |
| 24 #include "chromeos/network/network_profile_handler.h" | 26 #include "chromeos/network/network_profile_handler.h" |
| 25 #include "chromeos/network/network_state_handler.h" | 27 #include "chromeos/network/network_state_handler.h" |
| 43 const char* kUserProfilePath = "user_profile"; | 45 const char* kUserProfilePath = "user_profile"; |
| 44 const char* kUserHash = "user_hash"; | 46 const char* kUserHash = "user_hash"; |
| 45 | 47 |
| 46 } // namespace | 48 } // namespace |
| 47 | 49 |
| 48 class ClientCertResolverTest : public testing::Test, | 50 class ClientCertResolverTest : public testing::Test, |
| 49 public ClientCertResolver::Observer { | 51 public ClientCertResolver::Observer { |
| 50 public: | 52 public: |
| 51 ClientCertResolverTest() | 53 ClientCertResolverTest() |
| 52 : network_properties_changed_count_(0), | 54 : network_properties_changed_count_(0), |
| 53 service_test_(NULL), | 55 service_test_(nullptr), |
| 54 profile_test_(NULL), | 56 profile_test_(nullptr), |
| 55 cert_loader_(NULL) {} | 57 cert_loader_(nullptr) {} |
| 56 ~ClientCertResolverTest() override {} | 58 ~ClientCertResolverTest() override {} |
| 57 | 59 |
| 58 void SetUp() override { | 60 void SetUp() override { |
| 59 ASSERT_TRUE(test_nssdb_.is_open()); | 61 ASSERT_TRUE(test_nssdb_.is_open()); |
| 60 | 62 |
| 61 // Use the same DB for public and private slot. | 63 // Use the same DB for public and private slot. |
| 62 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS( | 64 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS( |
| 63 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())), | 65 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())), |
| 64 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())))); | 66 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())))); |
| 65 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner()); | 67 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner()); |
| 66 | 68 |
| 67 DBusThreadManager::Initialize(); | 69 DBusThreadManager::Initialize(); |
| 68 service_test_ = | 70 service_test_ = |
| 69 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); | 71 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); |
| 70 profile_test_ = | 72 profile_test_ = |
| 71 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); | 73 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); |
| 72 profile_test_->AddProfile(kUserProfilePath, kUserHash); | 74 profile_test_->AddProfile(kUserProfilePath, kUserHash); |
| 73 base::RunLoop().RunUntilIdle(); | 75 base::RunLoop().RunUntilIdle(); |
| 74 service_test_->ClearServices(); | 76 service_test_->ClearServices(); |
| 75 base::RunLoop().RunUntilIdle(); | 77 base::RunLoop().RunUntilIdle(); |
| 76 | 78 |
| 77 CertLoader::Initialize(); | 79 CertLoader::Initialize(); |
| 78 cert_loader_ = CertLoader::Get(); | 80 cert_loader_ = CertLoader::Get(); |
| 79 CertLoader::ForceHardwareBackedForTesting(); | 81 CertLoader::ForceHardwareBackedForTesting(); |
| 80 } | 82 } |
| 81 | 83 |
| 82 void TearDown() override { | 84 void TearDown() override { |
| 83 client_cert_resolver_->RemoveObserver(this); | 85 client_cert_resolver_->RemoveObserver(this); |
| 84 client_cert_resolver_.reset(); | 86 client_cert_resolver_.reset(); |
| 87 test_clock_.reset(); |
| 85 managed_config_handler_.reset(); | 88 managed_config_handler_.reset(); |
| 86 network_config_handler_.reset(); | 89 network_config_handler_.reset(); |
| 87 network_profile_handler_.reset(); | 90 network_profile_handler_.reset(); |
| 88 network_state_handler_.reset(); | 91 network_state_handler_.reset(); |
| 89 CertLoader::Shutdown(); | 92 CertLoader::Shutdown(); |
| 90 DBusThreadManager::Shutdown(); | 93 DBusThreadManager::Shutdown(); |
| 91 } | 94 } |
| 92 | 95 |
| 93 protected: | 96 protected: |
| 94 void StartCertLoader() { | 97 void StartCertLoader() { |
| 131 ASSERT_TRUE(test_client_cert_.get()); | 134 ASSERT_TRUE(test_client_cert_.get()); |
| 132 } | 135 } |
| 133 | 136 |
| 134 void SetupNetworkHandlers() { | 137 void SetupNetworkHandlers() { |
| 135 network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); | 138 network_state_handler_.reset(NetworkStateHandler::InitializeForTest()); |
| 136 network_profile_handler_.reset(new NetworkProfileHandler()); | 139 network_profile_handler_.reset(new NetworkProfileHandler()); |
| 137 network_config_handler_.reset(new NetworkConfigurationHandler()); | 140 network_config_handler_.reset(new NetworkConfigurationHandler()); |
| 138 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); | 141 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); |
| 139 client_cert_resolver_.reset(new ClientCertResolver()); | 142 client_cert_resolver_.reset(new ClientCertResolver()); |
| 140 | 143 |
| 144 test_clock_.reset(new base::SimpleTestClock); |
| 145 test_clock_->SetNow(base::Time::Now()); |
| 146 client_cert_resolver_->SetClockForTesting(test_clock_.get()); |
| 147 |
| 141 network_profile_handler_->Init(); | 148 network_profile_handler_->Init(); |
| 142 network_config_handler_->Init(network_state_handler_.get(), | 149 network_config_handler_->Init(network_state_handler_.get(), |
| 143 nullptr /* network_device_handler */); | 150 nullptr /* network_device_handler */); |
| 144 managed_config_handler_->Init( | 151 managed_config_handler_->Init( |
| 145 network_state_handler_.get(), network_profile_handler_.get(), | 152 network_state_handler_.get(), network_profile_handler_.get(), |
| 146 network_config_handler_.get(), nullptr /* network_device_handler */, | 153 network_config_handler_.get(), nullptr /* network_device_handler */, |
| 147 nullptr /* prohibited_technologies_handler */); | 154 nullptr /* prohibited_technologies_handler */); |
| 148 // Run all notifications before starting the cert loader to reduce run time. | 155 // Run all notifications before starting the cert loader to reduce run time. |
| 149 base::RunLoop().RunUntilIdle(); | 156 base::RunLoop().RunUntilIdle(); |
| 150 | 157 |
| 191 " \"Issuer\": {" | 198 " \"Issuer\": {" |
| 192 " \"CommonName\": \"B CA\"" | 199 " \"CommonName\": \"B CA\"" |
| 193 " }" | 200 " }" |
| 194 " }" | 201 " }" |
| 195 " }" | 202 " }" |
| 196 " }" | 203 " }" |
| 197 "} ]"; | 204 "} ]"; |
| 198 | 205 |
| 199 std::string error; | 206 std::string error; |
| 200 scoped_ptr<base::Value> policy_value = base::JSONReader::ReadAndReturnError( | 207 scoped_ptr<base::Value> policy_value = base::JSONReader::ReadAndReturnError( |
| 201 kTestPolicy, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error); | 208 kTestPolicy, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 202 ASSERT_TRUE(policy_value) << error; | 209 ASSERT_TRUE(policy_value) << error; |
| 203 | 210 |
| 204 base::ListValue* policy = NULL; | 211 base::ListValue* policy = nullptr; |
| 205 ASSERT_TRUE(policy_value->GetAsList(&policy)); | 212 ASSERT_TRUE(policy_value->GetAsList(&policy)); |
| 206 | 213 |
| 207 managed_config_handler_->SetPolicy( | 214 managed_config_handler_->SetPolicy( |
| 208 onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy, | 215 onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy, |
| 209 base::DictionaryValue() /* no global network config */); | 216 base::DictionaryValue() /* no global network config */); |
| 210 } | 217 } |
| 211 | 218 |
| 212 // Sets up a policy with a certificate pattern that matches any client cert | 219 // Sets up a policy with a certificate pattern that matches any client cert |
| 213 // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In | 220 // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In |
| 214 // particular it will match the test client cert. | 221 // particular it will match the test client cert. |
| 227 " \"IssuerCAPEMs\": [ \"%s\" ]" | 234 " \"IssuerCAPEMs\": [ \"%s\" ]" |
| 228 " }" | 235 " }" |
| 229 " }" | 236 " }" |
| 230 " }" | 237 " }" |
| 231 "} ]"; | 238 "} ]"; |
| 232 std::string policy_json = | 239 std::string policy_json = |
| 233 base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str()); | 240 base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str()); |
| 234 | 241 |
| 235 std::string error; | 242 std::string error; |
| 236 scoped_ptr<base::Value> policy_value = base::JSONReader::ReadAndReturnError( | 243 scoped_ptr<base::Value> policy_value = base::JSONReader::ReadAndReturnError( |
| 237 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error); | 244 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 238 ASSERT_TRUE(policy_value) << error; | 245 ASSERT_TRUE(policy_value) << error; |
| 239 | 246 |
| 240 base::ListValue* policy = NULL; | 247 base::ListValue* policy = nullptr; |
| 241 ASSERT_TRUE(policy_value->GetAsList(&policy)); | 248 ASSERT_TRUE(policy_value->GetAsList(&policy)); |
| 242 | 249 |
| 243 managed_config_handler_->SetPolicy( | 250 managed_config_handler_->SetPolicy( |
| 244 onc::ONC_SOURCE_USER_POLICY, | 251 onc::ONC_SOURCE_USER_POLICY, |
| 245 kUserHash, | 252 kUserHash, |
| 246 *policy, | 253 *policy, |
| 247 base::DictionaryValue() /* no global network config */); | 254 base::DictionaryValue() /* no global network config */); |
| 248 } | 255 } |
| 249 | 256 |
| 257 void SetWifiState(const std::string& state) { |
| 258 ASSERT_TRUE(service_test_->SetServiceProperty( |
| 259 kWifiStub, shill::kStateProperty, base::StringValue(state))); |
| 260 } |
| 261 |
| 250 void GetClientCertProperties(std::string* pkcs11_id) { | 262 void GetClientCertProperties(std::string* pkcs11_id) { |
| 251 pkcs11_id->clear(); | 263 pkcs11_id->clear(); |
| 252 const base::DictionaryValue* properties = | 264 const base::DictionaryValue* properties = |
| 253 service_test_->GetServiceProperties(kWifiStub); | 265 service_test_->GetServiceProperties(kWifiStub); |
| 254 if (!properties) | 266 if (!properties) |
| 255 return; | 267 return; |
| 256 properties->GetStringWithoutPathExpansion(shill::kEapCertIdProperty, | 268 properties->GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 257 pkcs11_id); | 269 pkcs11_id); |
| 258 } | 270 } |
| 259 | 271 |
| 260 int network_properties_changed_count_; | 272 int network_properties_changed_count_; |
| 261 std::string test_cert_id_; | 273 std::string test_cert_id_; |
| 274 scoped_ptr<base::SimpleTestClock> test_clock_; |
| 262 scoped_ptr<ClientCertResolver> client_cert_resolver_; | 275 scoped_ptr<ClientCertResolver> client_cert_resolver_; |
| 263 | 276 |
| 264 private: | 277 private: |
| 265 // ClientCertResolver::Observer: | 278 // ClientCertResolver::Observer: |
| 266 void ResolveRequestCompleted(bool network_properties_changed) override { | 279 void ResolveRequestCompleted(bool network_properties_changed) override { |
| 267 if (network_properties_changed) | 280 if (network_properties_changed) |
| 268 ++network_properties_changed_count_; | 281 ++network_properties_changed_count_; |
| 269 } | 282 } |
| 270 | 283 |
| 271 ShillServiceClient::TestInterface* service_test_; | 284 ShillServiceClient::TestInterface* service_test_; |
| 358 base::RunLoop().RunUntilIdle(); | 371 base::RunLoop().RunUntilIdle(); |
| 359 | 372 |
| 360 // Verify that the resolver positively matched the pattern in the policy with | 373 // Verify that the resolver positively matched the pattern in the policy with |
| 361 // the test client cert and configured the network. | 374 // the test client cert and configured the network. |
| 362 std::string pkcs11_id; | 375 std::string pkcs11_id; |
| 363 GetClientCertProperties(&pkcs11_id); | 376 GetClientCertProperties(&pkcs11_id); |
| 364 EXPECT_EQ(test_cert_id_, pkcs11_id); | 377 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 365 EXPECT_EQ(1, network_properties_changed_count_); | 378 EXPECT_EQ(1, network_properties_changed_count_); |
| 366 } | 379 } |
| 367 | 380 |
| 381 TEST_F(ClientCertResolverTest, ExpiringCertificate) { |
| 382 SetupTestCerts(true /* import issuer */); |
| 383 SetupWifi(); |
| 384 base::RunLoop().RunUntilIdle(); |
| 385 |
| 386 SetupNetworkHandlers(); |
| 387 SetupPolicyMatchingIssuerPEM(); |
| 388 base::RunLoop().RunUntilIdle(); |
| 389 |
| 390 StartCertLoader(); |
| 391 base::RunLoop().RunUntilIdle(); |
| 392 |
| 393 SetWifiState(shill::kStateOnline); |
| 394 base::RunLoop().RunUntilIdle(); |
| 395 |
| 396 // Verify that the resolver positively matched the pattern in the policy with |
| 397 // the test client cert and configured the network. |
| 398 std::string pkcs11_id; |
| 399 GetClientCertProperties(&pkcs11_id); |
| 400 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 401 |
| 402 // Verify that, after the certificate expired and the network disconnection |
| 403 // happens, no client certificate was configured. |
| 404 test_clock_->SetNow(base::Time::Max()); |
| 405 SetWifiState(shill::kStateOffline); |
| 406 base::RunLoop().RunUntilIdle(); |
| 407 GetClientCertProperties(&pkcs11_id); |
| 408 EXPECT_EQ(std::string(), pkcs11_id); |
| 409 } |
| 410 |
| 368 } // namespace chromeos | 411 } // namespace chromeos |
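Review bot: The new ExpiringCertificate test checks only the final `pkcs11_id` after the clock jumps and the service goes offline, and never asserts `network_properties_changed_count_`, so it cannot tell an active clearing of the EAP cert ID by the resolver apart from the property simply not being re-applied; the sibling test directly above it does pin that count. If the resolver reports the cleared certificate as a property change, `EXPECT_EQ(2, network_properties_changed_count_);` after the last `GetClientCertProperties(&pkcs11_id);` would pin that path — confirm the expected value against the resolver's observer call. `base::Time::Max()` is an extreme sentinel: if the resolver derives any timer or delay from the clock (for example time until the certificate's expiry), arithmetic on that value may saturate or overflow, so a concrete far-future time past the test certificate's not-after date would exercise the same branch with less risk. A one-line comment on the test stating the scenario, e.g. `// A client cert that expires while the network is configured must be dropped from the service once the network goes offline.`, would document why the clock is advanced before the state change.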