| Index: chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
|
| diff --git a/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc b/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
|
| index dcb55edfac60dcb38eb1b4b80a453594935e220a..357f817d9c0041559a8efd9d874fc74e1ee0e7a7 100644
|
| --- a/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
|
| +++ b/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc
|
| @@ -27,7 +27,9 @@
|
| #include "components/policy/core/common/policy_service_impl.h"
|
| #include "content/public/test/test_browser_thread_bundle.h"
|
| #include "content/public/test/test_utils.h"
|
| +#include "crypto/scoped_nss_types.h"
|
| #include "net/base/test_data_directory.h"
|
| +#include "net/cert/nss_cert_database_chromeos.h"
|
| #include "net/cert/x509_certificate.h"
|
| #include "net/test/cert_test_util.h"
|
| #include "policy/policy_constants.h"
|
| @@ -134,8 +136,8 @@ MATCHER(IsEmpty, std::string(negation ? "isn't" : "is") + " empty.") {
|
| }
|
|
|
| ACTION_P(SetCertificateList, list) {
|
| - if (arg2)
|
| - *arg2 = list;
|
| + if (arg3)
|
| + *arg3 = list;
|
| return true;
|
| }
|
|
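Review bot: `arg3` in `SetCertificateList` is a bare positional index with nothing saying which `ImportCertificates` parameter it targets, and this change shows it must be edited by hand whenever the mock's signature shifts. A one-line comment above the action would make the coupling explicit, e.g. `// arg3 is the out-parameter that receives the certificate list; keep in sync with MockCertificateImporter::ImportCertificates.` The mock's declaration is outside this diff, so the parameter's role is inferred from the `*arg3 = list` assignment only.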
|
| @@ -148,7 +150,7 @@ class NetworkConfigurationUpdaterTest : public testing::Test {
|
|
|
| virtual void SetUp() OVERRIDE {
|
| EXPECT_CALL(provider_, IsInitializationComplete(_))
|
| - .WillRepeatedly(Return(true));
|
| + .WillRepeatedly(Return(false));
|
| provider_.Init();
|
| PolicyServiceImpl::Providers providers;
|
| providers.push_back(&provider_);
|
| @@ -175,6 +177,12 @@ class NetworkConfigurationUpdaterTest : public testing::Test {
|
| certificate_importer_ =
|
| new StrictMock<chromeos::onc::MockCertificateImporter>();
|
| certificate_importer_owned_.reset(certificate_importer_);
|
| +
|
| + // The database will not acutally be used for importing certificates, so
|
| + // it's OK to have empty slots.
|
| + test_nssdb_.reset(new net::NSSCertDatabaseChromeOS(
|
| + crypto::ScopedPK11Slot(),
|
| + crypto::ScopedPK11Slot()));
|
| }
|
|
|
| virtual void TearDown() OVERRIDE {
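Review bot: The comment added above `test_nssdb_.reset(...)` has a typo (`acutally`) and does not say why an unused database is safe here. The importer in this fixture is a `StrictMock<chromeos::onc::MockCertificateImporter>`, so the database pointer is only ever compared in expectations. Suggested wording: `// The mock importer never dereferences the database, so it is OK to construct it with empty (null) slots.` Any future test that swaps in a real importer would need real slots, which the comment should make obvious.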
|
| @@ -183,6 +191,15 @@ class NetworkConfigurationUpdaterTest : public testing::Test {
|
| base::RunLoop().RunUntilIdle();
|
| }
|
|
|
| + void MarkPolicyProviderInitialized() {
|
| + Mock::VerifyAndClearExpectations(&provider_);
|
| + EXPECT_CALL(provider_, IsInitializationComplete(_))
|
| + .WillRepeatedly(Return(true));
|
| + provider_.SetAutoRefresh();
|
| + provider_.RefreshPolicies();
|
| + base::RunLoop().RunUntilIdle();
|
| + }
|
| +
|
| void UpdateProviderPolicy(const PolicyMap& policy) {
|
| provider_.UpdateChromePolicy(policy);
|
| base::RunLoop().RunUntilIdle();
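Review bot: `MarkPolicyProviderInitialized()` has no comment, and its first statement has a side effect callers should know about. `Mock::VerifyAndClearExpectations(&provider_)` verifies and drops every expectation on `provider_`, not only the `IsInitializationComplete` one installed in `SetUp`. I would add a short header such as `// Makes the mock provider report initialization complete and pushes a refresh. Clears all prior expectations on |provider_|.` The fixture's other uses of `provider_` are outside this hunk, so whether any test relies on earlier expectations surviving cannot be confirmed from here.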
|
| @@ -190,7 +207,8 @@ class NetworkConfigurationUpdaterTest : public testing::Test {
|
|
|
| UserNetworkConfigurationUpdater*
|
| CreateNetworkConfigurationUpdaterForUserPolicy(
|
| - bool allow_trusted_certs_from_policy) {
|
| + bool allow_trusted_certs_from_policy,
|
| + bool set_cert_database) {
|
| UserNetworkConfigurationUpdater* updater =
|
| UserNetworkConfigurationUpdater::CreateForUserPolicy(
|
| allow_trusted_certs_from_policy,
|
| @@ -198,6 +216,8 @@ class NetworkConfigurationUpdaterTest : public testing::Test {
|
| certificate_importer_owned_.Pass(),
|
| policy_service_.get(),
|
| &network_config_handler_).release();
|
| + if (set_cert_database)
|
| + updater->SetCertDatabase(test_nssdb_.get());
|
| network_configuration_updater_.reset(updater);
|
| return updater;
|
| }
|
| @@ -236,13 +256,15 @@ class NetworkConfigurationUpdaterTest : public testing::Test {
|
|
|
| scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
|
| content::TestBrowserThreadBundle thread_bundle_;
|
| +
|
| + scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_;
|
| };
|
|
|
| TEST_F(NetworkConfigurationUpdaterTest, CellularAllowRoaming) {
|
| // Ignore networ config updates.
|
| EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
|
| - EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
|
| - .Times(AtLeast(1));
|
| + EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _, _))
|
| + .Times(AnyNumber());
|
|
|
| // Setup the DataRoaming device setting.
|
| chromeos::CrosSettings* cros_settings = chromeos::CrosSettings::Get();
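Review bot: `test_nssdb_` is declared after `network_configuration_updater_`, so it is destroyed first, while the updater may still hold the raw pointer handed over by `SetCertDatabase(test_nssdb_.get())`. Unless `TearDown` resets the updater beforehand (its body is only partly visible in this diff), the updater's destructor would run with a dangling database pointer. Declaring the member above the updater removes the ordering hazard: move `scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_;` before `scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;`. Separately, relaxing `CellularAllowRoaming` from `AtLeast(1)` to `AnyNumber()` means that test no longer checks certificate import at all, which deserves a one-line comment saying it is intentional.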
|
| @@ -259,6 +281,7 @@ TEST_F(NetworkConfigurationUpdaterTest, CellularAllowRoaming) {
|
| EXPECT_FALSE(network_device_handler_.allow_roaming_);
|
|
|
| CreateNetworkConfigurationUpdaterForDevicePolicy();
|
| + MarkPolicyProviderInitialized();
|
| chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
|
| base::FundamentalValue(true));
|
| EXPECT_TRUE(network_device_handler_.allow_roaming_);
|
| @@ -286,6 +309,7 @@ TEST_F(NetworkConfigurationUpdaterTest, PolicyIsValidatedAndRepaired) {
|
|
|
| std::string onc_policy =
|
| chromeos::onc::test_utils::ReadTestData("toplevel_partially_invalid.onc");
|
| +
|
| PolicyMap policy;
|
| policy.Set(key::kOpenNetworkConfiguration,
|
| POLICY_LEVEL_MANDATORY,
|
| @@ -299,11 +323,14 @@ TEST_F(NetworkConfigurationUpdaterTest, PolicyIsValidatedAndRepaired) {
|
| _,
|
| IsEqualTo(network_configs_repaired),
|
| IsEqualTo(global_config_repaired)));
|
| - EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _));
|
| + EXPECT_CALL(
|
| + *certificate_importer_,
|
| + ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, test_nssdb_.get(), _));
|
|
|
| CreateNetworkConfigurationUpdaterForUserPolicy(
|
| - false /* do not allow trusted certs from policy */ );
|
| + false /* do not allow trusted certs from policy */,
|
| + true /* set certificate database */);
|
| + MarkPolicyProviderInitialized();
|
| }
|
|
|
| TEST_F(NetworkConfigurationUpdaterTest,
|
| @@ -317,12 +344,15 @@ TEST_F(NetworkConfigurationUpdaterTest,
|
|
|
| EXPECT_CALL(network_config_handler_,
|
| SetPolicy(onc::ONC_SOURCE_USER_POLICY, _, _, _));
|
| - EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
|
| + EXPECT_CALL(*certificate_importer_,
|
| + ImportCertificates(_, _, test_nssdb_.get(), _))
|
| .WillRepeatedly(SetCertificateList(cert_list));
|
|
|
| UserNetworkConfigurationUpdater* updater =
|
| CreateNetworkConfigurationUpdaterForUserPolicy(
|
| - false /* do not allow trusted certs from policy */);
|
| + false /* do not allow trusted certs from policy */,
|
| + true /* set certificate database */);
|
| + MarkPolicyProviderInitialized();
|
|
|
| // Certificates with the "Web" trust flag set should not be forwarded to
|
| // observers.
|
| @@ -352,13 +382,16 @@ TEST_F(NetworkConfigurationUpdaterTest,
|
| net::X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1u, cert_list.size());
|
|
|
| - EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
|
| - .WillRepeatedly(SetCertificateList(cert_list));
|
| + EXPECT_CALL(
|
| + *certificate_importer_,
|
| + ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, test_nssdb_.get(), _))
|
| + .WillRepeatedly(SetCertificateList(cert_list));
|
|
|
| UserNetworkConfigurationUpdater* updater =
|
| CreateNetworkConfigurationUpdaterForUserPolicy(
|
| - true /* allow trusted certs from policy */);
|
| + true /* allow trusted certs from policy */,
|
| + true /* set certificate database */);
|
| + MarkPolicyProviderInitialized();
|
|
|
| base::RunLoop().RunUntilIdle();
|
|
|
| @@ -368,6 +401,44 @@ TEST_F(NetworkConfigurationUpdaterTest,
|
| EXPECT_EQ(1u, trust_anchors.size());
|
| }
|
|
|
| +TEST_F(NetworkConfigurationUpdaterTest, ReapplyUserPolicyWhenCertDBSet) {
|
| + PolicyMap policy;
|
| + policy.Set(key::kOpenNetworkConfiguration, POLICY_LEVEL_MANDATORY,
|
| + POLICY_SCOPE_USER, new base::StringValue(kFakeONC), NULL);
|
| + UpdateProviderPolicy(policy);
|
| +
|
| + EXPECT_CALL(network_config_handler_,
|
| + SetPolicy(onc::ONC_SOURCE_USER_POLICY,
|
| + kFakeUsernameHash,
|
| + IsEqualTo(&fake_network_configs_),
|
| + IsEqualTo(&fake_global_network_config_)));
|
| + EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _ ,_ , _)).Times(0);
|
| +
|
| + UserNetworkConfigurationUpdater* updater =
|
| + CreateNetworkConfigurationUpdaterForUserPolicy(
|
| + true /* allow trusted certs from policy */,
|
| + false /* do not set certificate database */);
|
| + MarkPolicyProviderInitialized();
|
| +
|
| + // If cert loader does not have its database set, Certificate import should
|
| + // be skipped.
|
| + Mock::VerifyAndClearExpectations(&network_config_handler_);
|
| + Mock::VerifyAndClearExpectations(certificate_importer_);
|
| +
|
| + EXPECT_CALL(network_config_handler_,
|
| + SetPolicy(onc::ONC_SOURCE_USER_POLICY,
|
| + kFakeUsernameHash,
|
| + IsEqualTo(&fake_network_configs_),
|
| + IsEqualTo(&fake_global_network_config_)));
|
| + EXPECT_CALL(*certificate_importer_,
|
| + ImportCertificates(IsEqualTo(&fake_certificates_),
|
| + onc::ONC_SOURCE_USER_POLICY,
|
| + test_nssdb_.get(),
|
| + _));
|
| +
|
| + updater->SetCertDatabase(test_nssdb_.get());
|
| +}
|
| +
|
| TEST_F(NetworkConfigurationUpdaterTest,
|
| AllowTrustedCertificatesFromPolicyOnUpdate) {
|
| // Ignore network configuration changes.
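Review bot: In `ReapplyUserPolicyWhenCertDBSet` the comment "If cert loader does not have its database set, Certificate import should be skipped." comes after the calls it explains. It also names the cert loader, although the database is set on the updater via `updater->SetCertDatabase(...)`. I would move it above the first `ImportCertificates(...).Times(0)` expectation and reword it as `// Without a cert database set on the updater, certificate import must be skipped.` A second comment before the final call would also help, e.g. `// Setting the database should reapply the policy and import the certificates.` The matcher list `(_, _ ,_ , _)` on the same expectation has stray spacing and should read `(_, _, _, _)`.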
|
| @@ -375,13 +446,16 @@ TEST_F(NetworkConfigurationUpdaterTest,
|
| .Times(AnyNumber());
|
|
|
| // Start with an empty certificate list.
|
| - EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
|
| - .WillRepeatedly(SetCertificateList(net::CertificateList()));
|
| + EXPECT_CALL(
|
| + *certificate_importer_,
|
| + ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, test_nssdb_.get(), _))
|
| + .WillRepeatedly(SetCertificateList(net::CertificateList()));
|
|
|
| UserNetworkConfigurationUpdater* updater =
|
| CreateNetworkConfigurationUpdaterForUserPolicy(
|
| - true /* allow trusted certs from policy */);
|
| + true /* allow trusted certs from policy */,
|
| + true /* set certificate database */);
|
| + MarkPolicyProviderInitialized();
|
|
|
| FakeWebTrustedCertsObserver observer;
|
| updater->AddTrustedCertsObserver(&observer);
|
| @@ -405,9 +479,10 @@ TEST_F(NetworkConfigurationUpdaterTest,
|
| net::X509Certificate::FORMAT_AUTO);
|
| ASSERT_EQ(1u, cert_list.size());
|
|
|
| - EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
|
| - .WillOnce(SetCertificateList(cert_list));
|
| + EXPECT_CALL(
|
| + *certificate_importer_,
|
| + ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, test_nssdb_.get(), _))
|
| + .WillOnce(SetCertificateList(cert_list));
|
|
|
| // Change to any non-empty policy, so that updates are triggered. The actual
|
| // content of the policy is irrelevant.
|
| @@ -452,10 +527,17 @@ class NetworkConfigurationUpdaterTestWithParam
|
| return std::string();
|
| }
|
|
|
| + size_t ExpectedImportCertificatesCallCount() {
|
| + if (GetParam() == key::kOpenNetworkConfiguration)
|
| + return 1u;
|
| + return 0u;
|
| + }
|
| +
|
| void CreateNetworkConfigurationUpdater() {
|
| if (GetParam() == key::kOpenNetworkConfiguration) {
|
| CreateNetworkConfigurationUpdaterForUserPolicy(
|
| - false /* do not allow trusted certs from policy */);
|
| + false /* do not allow trusted certs from policy */,
|
| + true /* do not set certificate database */);
|
| } else {
|
| CreateNetworkConfigurationUpdaterForDevicePolicy();
|
| }
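Review bot: The inline comment on the new second argument in `CreateNetworkConfigurationUpdater()` contradicts the value it annotates: `true /* do not set certificate database */`. The helper calls `SetCertDatabase` when this flag is true, and `ExpectedImportCertificatesCallCount()` returning 1 for user policy depends on that, so the value looks right and the comment should be `true /* set certificate database */`. With two adjacent `bool` parameters these comments are the only guard against transposed arguments, so a wrong one is worth fixing. `ExpectedImportCertificatesCallCount()` could also be declared `const` if `GetParam()` permits it.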
|
| @@ -474,19 +556,89 @@ TEST_P(NetworkConfigurationUpdaterTestWithParam, InitialUpdates) {
|
| IsEqualTo(&fake_network_configs_),
|
| IsEqualTo(&fake_global_network_config_)));
|
| EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(
|
| - IsEqualTo(&fake_certificates_), CurrentONCSource(), _));
|
| + ImportCertificates(IsEqualTo(&fake_certificates_),
|
| + CurrentONCSource(),
|
| + test_nssdb_.get(),
|
| + _))
|
| + .Times(ExpectedImportCertificatesCallCount());
|
| +
|
| + CreateNetworkConfigurationUpdater();
|
| + MarkPolicyProviderInitialized();
|
| +}
|
| +
|
| +TEST_P(NetworkConfigurationUpdaterTestWithParam,
|
| + PolicyNotSetBeforePolicyProviderInitialized) {
|
| + PolicyMap policy;
|
| + policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
|
| + new base::StringValue(kFakeONC), NULL);
|
| + UpdateProviderPolicy(policy);
|
| +
|
| + EXPECT_CALL(network_config_handler_,
|
| + SetPolicy(CurrentONCSource(),
|
| + ExpectedUsernameHash(),
|
| + IsEqualTo(&fake_network_configs_),
|
| + IsEqualTo(&fake_global_network_config_)))
|
| + .Times(0);
|
| + EXPECT_CALL(*certificate_importer_,
|
| + ImportCertificates(IsEqualTo(&fake_certificates_),
|
| + CurrentONCSource(),
|
| + test_nssdb_.get(),
|
| + _))
|
| + .Times(0);
|
|
|
| CreateNetworkConfigurationUpdater();
|
| +
|
| + Mock::VerifyAndClearExpectations(&network_config_handler_);
|
| + Mock::VerifyAndClearExpectations(certificate_importer_);
|
| +
|
| + EXPECT_CALL(network_config_handler_,
|
| + SetPolicy(CurrentONCSource(),
|
| + ExpectedUsernameHash(),
|
| + IsEqualTo(&fake_network_configs_),
|
| + IsEqualTo(&fake_global_network_config_)));
|
| + EXPECT_CALL(*certificate_importer_,
|
| + ImportCertificates(IsEqualTo(&fake_certificates_),
|
| + CurrentONCSource(),
|
| + test_nssdb_.get(),
|
| + _))
|
| + .Times(ExpectedImportCertificatesCallCount());
|
| +
|
| + MarkPolicyProviderInitialized();
|
| }
|
|
|
| +TEST_P(NetworkConfigurationUpdaterTestWithParam,
|
| + PolicyProviderInitializedBeforeUpdater) {
|
| + MarkPolicyProviderInitialized();
|
| + PolicyMap policy;
|
| + policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
|
| + new base::StringValue(kFakeONC), NULL);
|
| + UpdateProviderPolicy(policy);
|
| +
|
| + // Should be called when network configuration updater is created and
|
| + // initialized and when the updater database gets set (if it gets set).
|
| + EXPECT_CALL(network_config_handler_,
|
| + SetPolicy(CurrentONCSource(),
|
| + ExpectedUsernameHash(),
|
| + IsEqualTo(&fake_network_configs_),
|
| + IsEqualTo(&fake_global_network_config_)))
|
| + .Times(ExpectedImportCertificatesCallCount() + 1);
|
| + EXPECT_CALL(*certificate_importer_,
|
| + ImportCertificates(IsEqualTo(&fake_certificates_),
|
| + CurrentONCSource(),
|
| + test_nssdb_.get(),
|
| + _))
|
| + .Times(ExpectedImportCertificatesCallCount());
|
| +
|
| + CreateNetworkConfigurationUpdater();
|
| +}
|
|
|
| TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
|
| // Ignore the initial updates.
|
| EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
|
| - EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
|
| - .Times(AtLeast(1));
|
| + EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _, _))
|
| + .Times(AtLeast(ExpectedImportCertificatesCallCount()));
|
| CreateNetworkConfigurationUpdater();
|
| + MarkPolicyProviderInitialized();
|
| Mock::VerifyAndClearExpectations(&network_config_handler_);
|
| Mock::VerifyAndClearExpectations(certificate_importer_);
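Review bot: In `PolicyProviderInitializedBeforeUpdater` the `SetPolicy` expectation uses `.Times(ExpectedImportCertificatesCallCount() + 1)`, which derives the policy-application count from a helper named for certificate imports. The arithmetic only makes sense after reading the comment above it, so I would either add a small `ExpectedSetPolicyCallCount()` helper or annotate the line with `// Once on creation, once more when the cert database is set (user policy only).` In `PolicyChange`, `.Times(AtLeast(ExpectedImportCertificatesCallCount()))` becomes `AtLeast(0)` for the device-policy parameter and so accepts any number of calls; if no import is expected there, an exact count would keep the check meaningful. `PolicyChange` continues past the end of this hunk.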
|
|
|
| @@ -497,8 +649,11 @@ TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
|
| IsEqualTo(&fake_network_configs_),
|
| IsEqualTo(&fake_global_network_config_)));
|
| EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(
|
| - IsEqualTo(&fake_certificates_), CurrentONCSource(), _));
|
| + ImportCertificates(IsEqualTo(&fake_certificates_),
|
| + CurrentONCSource(),
|
| + test_nssdb_.get(),
|
| + _))
|
| + .Times(ExpectedImportCertificatesCallCount());
|
|
|
| PolicyMap policy;
|
| policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
|
| @@ -510,8 +665,10 @@ TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
|
| // Another update is expected if the policy goes away.
|
| EXPECT_CALL(network_config_handler_,
|
| SetPolicy(CurrentONCSource(), _, IsEmpty(), IsEmpty()));
|
| - EXPECT_CALL(*certificate_importer_,
|
| - ImportCertificates(IsEmpty(), CurrentONCSource(), _));
|
| + EXPECT_CALL(
|
| + *certificate_importer_,
|
| + ImportCertificates(IsEmpty(), CurrentONCSource(), test_nssdb_.get(), _))
|
| + .Times(ExpectedImportCertificatesCallCount());
|
|
|
| policy.Erase(GetParam());
|
| UpdateProviderPolicy(policy);
|
|
|