Use per-user nssdb in onc certificate importer

chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/files/file_path.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/run_loop.h"
@@ skipping 130 matching lines @@
 
 }  // namespace
 
 class NetworkConfigurationUpdaterTest : public testing::Test {
  protected:
   NetworkConfigurationUpdaterTest() {
   }
 
   virtual void SetUp() OVERRIDE {
     EXPECT_CALL(provider_, IsInitializationComplete(_))
-        .WillRepeatedly(Return(true));
+        .WillRepeatedly(Return(false));
     provider_.Init();
     PolicyServiceImpl::Providers providers;
     providers.push_back(&provider_);
     policy_service_.reset(new PolicyServiceImpl(providers));
 
     scoped_ptr<base::DictionaryValue> fake_toplevel_onc =
         chromeos::onc::ReadDictionaryFromJson(kFakeONC);
 
     base::ListValue* network_configs = NULL;
     fake_toplevel_onc->GetListWithoutPathExpansion(
@@ skipping 14 matching lines @@
         new StrictMock<chromeos::onc::MockCertificateImporter>();
     certificate_importer_owned_.reset(certificate_importer_);
   }
 
   virtual void TearDown() OVERRIDE {
     network_configuration_updater_.reset();
     provider_.Shutdown();
     base::RunLoop().RunUntilIdle();
   }
 
+  void MarkPolicyProviderInitialized() {
+    Mock::VerifyAndClearExpectations(&provider_);
+    EXPECT_CALL(provider_, IsInitializationComplete(_))
+        .WillRepeatedly(Return(true));
+    provider_.SetAutoRefresh();
+    provider_.RefreshPolicies();
+    base::RunLoop().RunUntilIdle();
+  }
+
   void UpdateProviderPolicy(const PolicyMap& policy) {
     provider_.UpdateChromePolicy(policy);
     base::RunLoop().RunUntilIdle();
   }
 
   UserNetworkConfigurationUpdater*
   CreateNetworkConfigurationUpdaterForUserPolicy(
-      bool allow_trusted_certs_from_policy) {
+      bool allow_trusted_certs_from_policy,
+      bool set_cert_importer) {
     UserNetworkConfigurationUpdater* updater =
         UserNetworkConfigurationUpdater::CreateForUserPolicy(
             allow_trusted_certs_from_policy,
             fake_user_,
-            certificate_importer_owned_.Pass(),
             policy_service_.get(),
             &network_config_handler_).release();
+    if (set_cert_importer) {
+      EXPECT_TRUE(certificate_importer_owned_);
+      updater->SetCertificateImporter(certificate_importer_owned_.Pass());
+    }
     network_configuration_updater_.reset(updater);
     return updater;
   }
 
   void CreateNetworkConfigurationUpdaterForDevicePolicy() {
     network_configuration_updater_ =
         DeviceNetworkConfigurationUpdater::CreateForDevicePolicy(
-            certificate_importer_owned_.Pass(),
             policy_service_.get(),
             &network_config_handler_,
             &network_device_handler_,
             chromeos::CrosSettings::Get());
   }
 
   base::ListValue fake_network_configs_;
   base::DictionaryValue fake_global_network_config_;
   base::ListValue fake_certificates_;
   StrictMock<chromeos::MockManagedNetworkConfigurationHandler>
@@ skipping 13 matching lines @@
 
   StrictMock<MockConfigurationPolicyProvider> provider_;
   scoped_ptr<PolicyServiceImpl> policy_service_;
   FakeUser fake_user_;
 
   scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
   content::TestBrowserThreadBundle thread_bundle_;
 };
 
 TEST_F(NetworkConfigurationUpdaterTest, CellularAllowRoaming) {
-  // Ignore networ config updates.
+  // Ignore network config updates.
   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
-  EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
-      .Times(AtLeast(1));
 
   // Setup the DataRoaming device setting.
   chromeos::CrosSettings* cros_settings = chromeos::CrosSettings::Get();
   chromeos::CrosSettingsProvider* device_settings_provider =
       cros_settings->GetProvider(chromeos::kSignedDataRoamingEnabled);
   cros_settings->RemoveSettingsProvider(device_settings_provider);
   delete device_settings_provider;
   chromeos::StubCrosSettingsProvider* stub_settings_provider =
       new chromeos::StubCrosSettingsProvider;
   cros_settings->AddSettingsProvider(stub_settings_provider);
 
   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
                                      base::FundamentalValue(false));
   EXPECT_FALSE(network_device_handler_.allow_roaming_);
 
   CreateNetworkConfigurationUpdaterForDevicePolicy();
+  MarkPolicyProviderInitialized();
   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
                                      base::FundamentalValue(true));
   EXPECT_TRUE(network_device_handler_.allow_roaming_);
 
   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
                                      base::FundamentalValue(false));
   EXPECT_FALSE(network_device_handler_.allow_roaming_);
 }
 
 TEST_F(NetworkConfigurationUpdaterTest, PolicyIsValidatedAndRepaired) {
@@ skipping 21 matching lines @@
              new base::StringValue(onc_policy),
              NULL);
   UpdateProviderPolicy(policy);
 
   EXPECT_CALL(network_config_handler_,
               SetPolicy(onc::ONC_SOURCE_USER_POLICY,
                         _,
                         IsEqualTo(network_configs_repaired),
                         IsEqualTo(global_config_repaired)));
   EXPECT_CALL(*certificate_importer_,
-              ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _));
+              ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY,  _));
 
   CreateNetworkConfigurationUpdaterForUserPolicy(
-      false /* do not allow trusted certs from policy */ );
+      false /* do not allow trusted certs from policy */,
+      true /* set certificate importer */);
+  MarkPolicyProviderInitialized();
 }
 
 TEST_F(NetworkConfigurationUpdaterTest,
        DoNotAllowTrustedCertificatesFromPolicy) {
   net::CertificateList cert_list;
   cert_list =
       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
                                          "ok_cert.pem",
                                          net::X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1u, cert_list.size());
 
   EXPECT_CALL(network_config_handler_,
               SetPolicy(onc::ONC_SOURCE_USER_POLICY, _, _, _));
   EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
       .WillRepeatedly(SetCertificateList(cert_list));
 
   UserNetworkConfigurationUpdater* updater =
       CreateNetworkConfigurationUpdaterForUserPolicy(
-          false /* do not allow trusted certs from policy */);
+          false /* do not allow trusted certs from policy */,
+          true /* set certificate importer */);
+  MarkPolicyProviderInitialized();
 
   // Certificates with the "Web" trust flag set should not be forwarded to
   // observers.
   FakeWebTrustedCertsObserver observer;
   updater->AddTrustedCertsObserver(&observer);
 
   base::RunLoop().RunUntilIdle();
 
   net::CertificateList trust_anchors;
   updater->GetWebTrustedCertificates(&trust_anchors);
@@ skipping 15 matching lines @@
                                          "ok_cert.pem",
                                          net::X509Certificate::FORMAT_AUTO);
   ASSERT_EQ(1u, cert_list.size());
 
   EXPECT_CALL(*certificate_importer_,
               ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
       .WillRepeatedly(SetCertificateList(cert_list));
 
   UserNetworkConfigurationUpdater* updater =
       CreateNetworkConfigurationUpdaterForUserPolicy(
-          true /* allow trusted certs from policy */);
+          true /* allow trusted certs from policy */,
+          true /* set certificate importer */);
+  MarkPolicyProviderInitialized();
 
   base::RunLoop().RunUntilIdle();
 
   // Certificates with the "Web" trust flag set will be returned.
   net::CertificateList trust_anchors;
   updater->GetWebTrustedCertificates(&trust_anchors);
   EXPECT_EQ(1u, trust_anchors.size());
 }
 
 TEST_F(NetworkConfigurationUpdaterTest,
        AllowTrustedCertificatesFromPolicyOnUpdate) {
   // Ignore network configuration changes.
   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
       .Times(AnyNumber());
 
   // Start with an empty certificate list.
   EXPECT_CALL(*certificate_importer_,
               ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
       .WillRepeatedly(SetCertificateList(net::CertificateList()));
 
   UserNetworkConfigurationUpdater* updater =
       CreateNetworkConfigurationUpdaterForUserPolicy(
-          true /* allow trusted certs from policy */);
+          true /* allow trusted certs from policy */,
+          true /* set certificate importer */);
+  MarkPolicyProviderInitialized();
 
   FakeWebTrustedCertsObserver observer;
   updater->AddTrustedCertsObserver(&observer);
 
   base::RunLoop().RunUntilIdle();
 
   // Verify that the returned certificate list is empty.
   Mock::VerifyAndClearExpectations(certificate_importer_);
   {
     net::CertificateList trust_anchors;
@@ skipping 30 matching lines @@
   {
     net::CertificateList trust_anchors;
     updater->GetWebTrustedCertificates(&trust_anchors);
     EXPECT_EQ(1u, trust_anchors.size());
   }
   EXPECT_EQ(1u, observer.trust_anchors_.size());
 
   updater->RemoveTrustedCertsObserver(&observer);
 }
 
+TEST_F(NetworkConfigurationUpdaterTest,
+       DontImportCertificateBeforeCertificateImporterSet) {
+  PolicyMap policy;
+  policy.Set(key::kOpenNetworkConfiguration, POLICY_LEVEL_MANDATORY,
+             POLICY_SCOPE_USER, new base::StringValue(kFakeONC), NULL);
+  UpdateProviderPolicy(policy);
+
+  EXPECT_CALL(network_config_handler_,
+              SetPolicy(onc::ONC_SOURCE_USER_POLICY,
+                        kFakeUsernameHash,
+                        IsEqualTo(&fake_network_configs_),
+                        IsEqualTo(&fake_global_network_config_)));
+  EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _ , _)).Times(0);
+
+  UserNetworkConfigurationUpdater* updater =
+      CreateNetworkConfigurationUpdaterForUserPolicy(
+          true /* allow trusted certs from policy */,
+          false /* do not set certificate importer */);
+  MarkPolicyProviderInitialized();
+
+  Mock::VerifyAndClearExpectations(&network_config_handler_);
+  Mock::VerifyAndClearExpectations(certificate_importer_);
+
+  EXPECT_CALL(network_config_handler_,
+              SetPolicy(onc::ONC_SOURCE_USER_POLICY,
+                        kFakeUsernameHash,
+                        IsEqualTo(&fake_network_configs_),
+                        IsEqualTo(&fake_global_network_config_)))
+      .Times(0);
+  EXPECT_CALL(*certificate_importer_,
+              ImportCertificates(IsEqualTo(&fake_certificates_),
+                                 onc::ONC_SOURCE_USER_POLICY,
+                                  _));
+
+  ASSERT_TRUE(certificate_importer_owned_);
+  updater->SetCertificateImporter(certificate_importer_owned_.Pass());
+}
+
 class NetworkConfigurationUpdaterTestWithParam
     : public NetworkConfigurationUpdaterTest,
       public testing::WithParamInterface<const char*> {
  protected:
   // Returns the currently tested ONC source.
   onc::ONCSource CurrentONCSource() {
     if (GetParam() == key::kOpenNetworkConfiguration)
       return onc::ONC_SOURCE_USER_POLICY;
     DCHECK(GetParam() == key::kDeviceOpenNetworkConfiguration);
     return onc::ONC_SOURCE_DEVICE_POLICY;
   }
 
   // Returns the expected username hash to push policies to
   // ManagedNetworkConfigurationHandler.
   std::string ExpectedUsernameHash() {
     if (GetParam() == key::kOpenNetworkConfiguration)
       return kFakeUsernameHash;
     return std::string();
   }
 
+  size_t ExpectedImportCertificatesCallCount() {
+    if (GetParam() == key::kOpenNetworkConfiguration)
+      return 1u;
+    return 0u;
+  }
+
   void CreateNetworkConfigurationUpdater() {
     if (GetParam() == key::kOpenNetworkConfiguration) {
       CreateNetworkConfigurationUpdaterForUserPolicy(
-          false /* do not allow trusted certs from policy */);
+          false /* do not allow trusted certs from policy */,
+          true /* set certificate importer */);
     } else {
       CreateNetworkConfigurationUpdaterForDevicePolicy();
     }
   }
 };
 
 TEST_P(NetworkConfigurationUpdaterTestWithParam, InitialUpdates) {
   PolicyMap policy;
   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
              new base::StringValue(kFakeONC), NULL);
   UpdateProviderPolicy(policy);
 
   EXPECT_CALL(network_config_handler_,
               SetPolicy(CurrentONCSource(),
                         ExpectedUsernameHash(),
                         IsEqualTo(&fake_network_configs_),
                         IsEqualTo(&fake_global_network_config_)));
   EXPECT_CALL(*certificate_importer_,
-              ImportCertificates(
-                  IsEqualTo(&fake_certificates_), CurrentONCSource(), _));
+              ImportCertificates(IsEqualTo(&fake_certificates_),
+                                 CurrentONCSource(),
+                                  _))
+      .Times(ExpectedImportCertificatesCallCount());
+
+  CreateNetworkConfigurationUpdater();
+  MarkPolicyProviderInitialized();
+}
+
+TEST_P(NetworkConfigurationUpdaterTestWithParam,
+       PolicyNotSetBeforePolicyProviderInitialized) {
+  PolicyMap policy;
+  policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
+             new base::StringValue(kFakeONC), NULL);
+  UpdateProviderPolicy(policy);
+
+  EXPECT_CALL(network_config_handler_,
+              SetPolicy(CurrentONCSource(),
+                        ExpectedUsernameHash(),
+                        IsEqualTo(&fake_network_configs_),
+                        IsEqualTo(&fake_global_network_config_)))
+      .Times(0);
+  EXPECT_CALL(*certificate_importer_,
+              ImportCertificates(IsEqualTo(&fake_certificates_),
+                                 CurrentONCSource(),
+                                  _))
+      .Times(0);
+
+  CreateNetworkConfigurationUpdater();
+
+  Mock::VerifyAndClearExpectations(&network_config_handler_);
+  Mock::VerifyAndClearExpectations(certificate_importer_);
+
+  EXPECT_CALL(network_config_handler_,
+              SetPolicy(CurrentONCSource(),
+                        ExpectedUsernameHash(),
+                        IsEqualTo(&fake_network_configs_),
+                        IsEqualTo(&fake_global_network_config_)));
+  EXPECT_CALL(*certificate_importer_,
+              ImportCertificates(IsEqualTo(&fake_certificates_),
+                                 CurrentONCSource(),
+                                  _))
+      .Times(ExpectedImportCertificatesCallCount());
+
+  MarkPolicyProviderInitialized();
+}
+
+TEST_P(NetworkConfigurationUpdaterTestWithParam,
+       PolicyAppliedImidiatellyIfProvidersInitialized) {

[pneubeck (no reviews), 2014/02/06 09:37:46]

Imidiatelly -> Immediately

[tbarzic, 2014/02/06 23:02:36]

Done.

+  MarkPolicyProviderInitialized();
+
+  PolicyMap policy;
+  policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
+             new base::StringValue(kFakeONC), NULL);
+  UpdateProviderPolicy(policy);
+
+  EXPECT_CALL(network_config_handler_,
+              SetPolicy(CurrentONCSource(),
+                        ExpectedUsernameHash(),
+                        IsEqualTo(&fake_network_configs_),
+                        IsEqualTo(&fake_global_network_config_)));
+  EXPECT_CALL(*certificate_importer_,
+              ImportCertificates(IsEqualTo(&fake_certificates_),
+                                 CurrentONCSource(),
+                                  _))
+      .Times(ExpectedImportCertificatesCallCount());
 
   CreateNetworkConfigurationUpdater();
 }
 
-
 TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
   // Ignore the initial updates.
   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
   EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
-      .Times(AtLeast(1));
+      .Times(AtLeast(ExpectedImportCertificatesCallCount()));
+
   CreateNetworkConfigurationUpdater();
+  MarkPolicyProviderInitialized();
+
   Mock::VerifyAndClearExpectations(&network_config_handler_);
   Mock::VerifyAndClearExpectations(certificate_importer_);
 
   // The Updater should update if policy changes.
   EXPECT_CALL(network_config_handler_,
               SetPolicy(CurrentONCSource(),
                         _,
                         IsEqualTo(&fake_network_configs_),
                         IsEqualTo(&fake_global_network_config_)));
   EXPECT_CALL(*certificate_importer_,
-              ImportCertificates(
-                  IsEqualTo(&fake_certificates_), CurrentONCSource(), _));
+              ImportCertificates(IsEqualTo(&fake_certificates_),
+                                 CurrentONCSource(),
+                                  _))
+      .Times(ExpectedImportCertificatesCallCount());
 
   PolicyMap policy;
   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
              new base::StringValue(kFakeONC), NULL);
   UpdateProviderPolicy(policy);
   Mock::VerifyAndClearExpectations(&network_config_handler_);
   Mock::VerifyAndClearExpectations(certificate_importer_);
 
   // Another update is expected if the policy goes away.
   EXPECT_CALL(network_config_handler_,
               SetPolicy(CurrentONCSource(), _, IsEmpty(), IsEmpty()));
   EXPECT_CALL(*certificate_importer_,
-              ImportCertificates(IsEmpty(), CurrentONCSource(), _));
+              ImportCertificates(IsEmpty(), CurrentONCSource(), _))
+      .Times(ExpectedImportCertificatesCallCount());
 
   policy.Erase(GetParam());
   UpdateProviderPolicy(policy);
 }
 
 INSTANTIATE_TEST_CASE_P(NetworkConfigurationUpdaterTestWithParamInstance,
                         NetworkConfigurationUpdaterTestWithParam,
                         testing::Values(key::kDeviceOpenNetworkConfiguration,
                                         key::kOpenNetworkConfiguration));
 
 }  // namespace policy