Blimp: add support for SSL connections.

blimp/client/session/assignment_source_unittest.cc

Index: blimp/client/session/assignment_source_unittest.cc
diff --git a/blimp/client/session/assignment_source_unittest.cc b/blimp/client/session/assignment_source_unittest.cc
index d893ae3d3a79b4e342b233957b7215cd212e7e16..8d12f5953d019225b190d7c6ed1c63e1e9589f79 100644
--- a/blimp/client/session/assignment_source_unittest.cc
+++ b/blimp/client/session/assignment_source_unittest.cc
@@ -5,56 +5,60 @@
 #include "blimp/client/session/assignment_source.h"
 
 #include "base/command_line.h"
+#include "base/files/file_path.h"
+#include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
 #include "base/json/json_reader.h"
 #include "base/json/json_writer.h"
+#include "base/message_loop/message_loop.h"
+#include "base/run_loop.h"
 #include "base/test/test_simple_task_runner.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/values.h"
 #include "blimp/client/app/blimp_client_switches.h"
 #include "blimp/common/protocol_version.h"
+#include "components/safe_json/testing_json_parser.h"
+#include "net/base/test_data_directory.h"
 #include "net/url_request/test_url_fetcher_factory.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using testing::_;
+using testing::DoAll;
 using testing::InSequence;
+using testing::NotNull;
+using testing::Return;
+using testing::SetArgPointee;
 
 namespace blimp {
 namespace client {
 namespace {
 
+const uint8_t kTestIPAddress[] = {127, 0, 0, 1};
+const uint16_t kTestPort = 8086;
+const char kTCPEndpointURL[] = "tcp://127.0.0.1:8086";
+const char kQUICEndpointURL[] = "quic://127.0.0.1:8086";
+const char kSSLEndpointURL[] = "ssl://127.0.0.1:8086";
+
 MATCHER_P(AssignmentEquals, assignment, "") {
   return arg.transport_protocol == assignment.transport_protocol &&
          arg.ip_endpoint == assignment.ip_endpoint &&
          arg.client_token == assignment.client_token &&
-         arg.certificate == assignment.certificate &&
-         arg.certificate_fingerprint == assignment.certificate_fingerprint;
-}
-
-net::IPEndPoint BuildIPEndPoint(const std::string& ip, int port) {
-  net::IPAddress ip_address;
-  EXPECT_TRUE(ip_address.AssignFromIPLiteral(ip));
-
-  return net::IPEndPoint(ip_address, port);
+         ((!assignment.cert && !arg.cert) ||
+          (arg.cert && assignment.cert &&
+           arg.cert->Equals(assignment.cert.get())));
 }
 
-Assignment BuildValidAssignment() {
-  Assignment assignment;
-  assignment.transport_protocol = Assignment::TransportProtocol::SSL;
-  assignment.ip_endpoint = BuildIPEndPoint("100.150.200.250", 500);
-  assignment.client_token = "SecretT0kenz";
-  assignment.certificate_fingerprint = "WhaleWhaleWhale";
-  assignment.certificate = "whaaaaaaaaaaaaale";
-  return assignment;
-}
-
-std::string BuildResponseFromAssignment(const Assignment& assignment) {
+// Builds simulated JSON response from the Assigner service.
+// |assignment|: The Assignment to convert.
+// |expected_cert_str|: The PEM encoded certificate to include in the response.
+std::string BuildResponseFromAssignment(const Assignment& assignment,
+                                        const std::string& expected_cert_str) {
   base::DictionaryValue dict;
   dict.SetString("clientToken", assignment.client_token);
   dict.SetString("host", assignment.ip_endpoint.address().ToString());
   dict.SetInteger("port", assignment.ip_endpoint.port());
-  dict.SetString("certificateFingerprint", assignment.certificate_fingerprint);
-  dict.SetString("certificate", assignment.certificate);
+  dict.SetString("certificate", expected_cert_str);
 
   std::string json;
   base::JSONWriter::Write(dict, &json);
@@ -63,10 +67,16 @@ std::string BuildResponseFromAssignment(const Assignment& assignment) {
 
 class AssignmentSourceTest : public testing::Test {
  public:
-  AssignmentSourceTest()
-      : task_runner_(new base::TestSimpleTaskRunner),
-        task_runner_handle_(task_runner_),
-        source_(task_runner_, task_runner_) {}
+  AssignmentSourceTest() : source_(message_loop_.task_runner()) {}
+
+  void SetUp() override {
+    cert_path_ =
+        net::GetTestCertsDirectory().AppendASCII("unittest.selfsigned.pem");
+    ASSERT_TRUE(base::ReadFileToString(cert_path_, &cert_pem_));
+    cert_ = std::move(net::X509Certificate::CreateCertificateListFromBytes(
+        cert_pem_.data(), cert_pem_.size(),
+        net::X509Certificate::FORMAT_PEM_CERT_SEQUENCE)[0]);
+  }
 
   // This expects the AssignmentSource::GetAssignment to return a custom
   // endpoint without having to hit the network.  This will typically be used
@@ -77,7 +87,7 @@ class AssignmentSourceTest : public testing::Test {
                           base::Bind(&AssignmentSourceTest::AssignmentResponse,
                                      base::Unretained(this)));
     EXPECT_EQ(nullptr, factory_.GetFetcherByID(0));
-    task_runner_->RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
   }
 
   // See net/base/net_errors.h for possible status errors.
@@ -90,11 +100,10 @@ class AssignmentSourceTest : public testing::Test {
     source_.GetAssignment(client_auth_token,
                           base::Bind(&AssignmentSourceTest::AssignmentResponse,
                                      base::Unretained(this)));
+    base::RunLoop().RunUntilIdle();
 
     net::TestURLFetcher* fetcher = factory_.GetFetcherByID(0);
 
-    task_runner_->RunUntilIdle();
-
     EXPECT_NE(nullptr, fetcher);
     EXPECT_EQ(kDefaultAssignerURL, fetcher->GetOriginalURL().spec());
 
@@ -125,30 +134,55 @@ class AssignmentSourceTest : public testing::Test {
     fetcher->SetResponseString(response);
     fetcher->delegate()->OnURLFetchComplete(fetcher);
 
-    task_runner_->RunUntilIdle();
+    base::RunLoop().RunUntilIdle();
   }
 
   MOCK_METHOD2(AssignmentResponse,
                void(AssignmentSource::Result, const Assignment&));
 
  protected:
+  Assignment BuildValidAssignment();
+
   // Used to drive all AssignmentSource tasks.
-  scoped_refptr<base::TestSimpleTaskRunner> task_runner_;
-  base::ThreadTaskRunnerHandle task_runner_handle_;
+  // MessageLoop is required by TestingJsonParser's self-deletion logic.
+  base::MessageLoop message_loop_;
 
   net::TestURLFetcherFactory factory_;
 
+  base::ScopedTempDir temp_dir_;
+
+  // Path to the PEM-encoded certificate chain.
+  base::FilePath cert_path_;
+
+  // Payload of PEM certificate chain at |cert_path_|.
+  std::string cert_pem_;
+
+  // X509 certificate decoded from |cert_path_|.
+  scoped_refptr<net::X509Certificate> cert_;
+
   AssignmentSource source_;
+
+  safe_json::TestingJsonParser::ScopedFactoryOverride json_parsing_factory_;
 };
 
+Assignment AssignmentSourceTest::BuildValidAssignment() {
+  Assignment assignment;
+  assignment.transport_protocol = Assignment::TransportProtocol::SSL;
+  assignment.ip_endpoint = net::IPEndPoint(kTestIPAddress, kTestPort);
+  assignment.client_token = "SecretT0kenz";
+  assignment.cert = cert_;
+  return assignment;
+}
+
 TEST_F(AssignmentSourceTest, TestTCPAlternateEndpointSuccess) {
   Assignment assignment;
   assignment.transport_protocol = Assignment::TransportProtocol::TCP;
-  assignment.ip_endpoint = BuildIPEndPoint("100.150.200.250", 500);
+  assignment.ip_endpoint = net::IPEndPoint(kTestIPAddress, kTestPort);
   assignment.client_token = kDummyClientToken;
+  assignment.cert = scoped_refptr<net::X509Certificate>(nullptr);
 
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
-      switches::kBlimpletEndpoint, "tcp:100.150.200.250:500");
+      switches::kEngineEndpoint, kTCPEndpointURL);
 
   EXPECT_CALL(*this, AssignmentResponse(AssignmentSource::Result::RESULT_OK,
                                         AssignmentEquals(assignment)))
@@ -160,11 +194,14 @@ TEST_F(AssignmentSourceTest, TestTCPAlternateEndpointSuccess) {
 TEST_F(AssignmentSourceTest, TestSSLAlternateEndpointSuccess) {
   Assignment assignment;
   assignment.transport_protocol = Assignment::TransportProtocol::SSL;
-  assignment.ip_endpoint = BuildIPEndPoint("100.150.200.250", 500);
+  assignment.ip_endpoint = net::IPEndPoint(kTestIPAddress, kTestPort);
   assignment.client_token = kDummyClientToken;
+  assignment.cert = cert_;
 
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
-      switches::kBlimpletEndpoint, "ssl:100.150.200.250:500");
+      switches::kEngineEndpoint, kSSLEndpointURL);
+  base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+      switches::kEngineCertPath, cert_path_.value());
 
   EXPECT_CALL(*this, AssignmentResponse(AssignmentSource::Result::RESULT_OK,
                                         AssignmentEquals(assignment)))
@@ -176,11 +213,14 @@ TEST_F(AssignmentSourceTest, TestSSLAlternateEndpointSuccess) {
 TEST_F(AssignmentSourceTest, TestQUICAlternateEndpointSuccess) {
   Assignment assignment;
   assignment.transport_protocol = Assignment::TransportProtocol::QUIC;
-  assignment.ip_endpoint = BuildIPEndPoint("100.150.200.250", 500);
+  assignment.ip_endpoint = net::IPEndPoint(kTestIPAddress, kTestPort);
   assignment.client_token = kDummyClientToken;
+  assignment.cert = cert_;
 
   base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
-      switches::kBlimpletEndpoint, "quic:100.150.200.250:500");
+      switches::kEngineEndpoint, kQUICEndpointURL);
+  base::CommandLine::ForCurrentProcess()->AppendSwitchASCII(
+      switches::kEngineCertPath, cert_path_.value());
 
   EXPECT_CALL(*this, AssignmentResponse(AssignmentSource::Result::RESULT_OK,
                                         AssignmentEquals(assignment)))
@@ -197,8 +237,9 @@ TEST_F(AssignmentSourceTest, TestSuccess) {
       .Times(1);
 
   GetNetworkAssignmentAndWaitForResponse(
-      net::HTTP_OK, net::Error::OK, BuildResponseFromAssignment(assignment),
-      "UserAuthT0kenz", kEngineVersion);
+      net::HTTP_OK, net::Error::OK,
+      BuildResponseFromAssignment(assignment, cert_pem_), "UserAuthT0kenz",
+      kEngineVersion);
 }
 
 TEST_F(AssignmentSourceTest, TestSecondRequestInterruptsFirst) {
@@ -221,8 +262,9 @@ TEST_F(AssignmentSourceTest, TestSecondRequestInterruptsFirst) {
       .RetiresOnSaturation();
 
   GetNetworkAssignmentAndWaitForResponse(
-      net::HTTP_OK, net::Error::OK, BuildResponseFromAssignment(assignment),
-      "UserAuthT0kenz", kEngineVersion);
+      net::HTTP_OK, net::Error::OK,
+      BuildResponseFromAssignment(assignment, cert_pem_), "UserAuthT0kenz",
+      kEngineVersion);
 }
 
 TEST_F(AssignmentSourceTest, TestValidAfterError) {
@@ -244,8 +286,9 @@ TEST_F(AssignmentSourceTest, TestValidAfterError) {
                                          "", "UserAuthT0kenz", kEngineVersion);
 
   GetNetworkAssignmentAndWaitForResponse(
-      net::HTTP_OK, net::Error::OK, BuildResponseFromAssignment(assignment),
-      "UserAuthT0kenz", kEngineVersion);
+      net::HTTP_OK, net::Error::OK,
+      BuildResponseFromAssignment(assignment, cert_pem_), "UserAuthT0kenz",
+      kEngineVersion);
 }
 
 TEST_F(AssignmentSourceTest, TestNetworkFailure) {
@@ -306,7 +349,7 @@ TEST_F(AssignmentSourceTest, TestInvalidJsonResponse) {
   Assignment assignment = BuildValidAssignment();
 
   // Remove half the response.
-  std::string response = BuildResponseFromAssignment(assignment);
+  std::string response = BuildResponseFromAssignment(assignment, cert_pem_);
   response = response.substr(response.size() / 2);
 
   EXPECT_CALL(*this, AssignmentResponse(
@@ -320,7 +363,6 @@ TEST_F(AssignmentSourceTest, TestMissingResponsePort) {
   base::DictionaryValue dict;
   dict.SetString("clientToken", "SecretT0kenz");
   dict.SetString("host", "happywhales");
-  dict.SetString("certificateFingerprint", "WhaleWhaleWhale");
   dict.SetString("certificate", "whaaaaaaaaaaaaale");
 
   std::string response;
@@ -338,7 +380,6 @@ TEST_F(AssignmentSourceTest, TestInvalidIPAddress) {
   dict.SetString("clientToken", "SecretT0kenz");
   dict.SetString("host", "happywhales");
   dict.SetInteger("port", 500);
-  dict.SetString("certificateFingerprint", "WhaleWhaleWhale");
   dict.SetString("certificate", "whaaaaaaaaaaaaale");
 
   std::string response;
@@ -350,6 +391,37 @@ TEST_F(AssignmentSourceTest, TestInvalidIPAddress) {
                                          "UserAuthT0kenz", kEngineVersion);
 }
 
+TEST_F(AssignmentSourceTest, TestMissingCert) {
+  base::DictionaryValue dict;
+  dict.SetString("clientToken", "SecretT0kenz");
+  dict.SetString("host", "127.0.0.1");
+  dict.SetInteger("port", 500);
+
+  std::string response;
+  base::JSONWriter::Write(dict, &response);
+
+  EXPECT_CALL(*this, AssignmentResponse(
+                         AssignmentSource::Result::RESULT_BAD_RESPONSE, _));
+  GetNetworkAssignmentAndWaitForResponse(net::HTTP_OK, net::Error::OK, response,
+                                         "UserAuthT0kenz", kEngineVersion);
+}
+
+TEST_F(AssignmentSourceTest, TestInvalidCert) {
+  base::DictionaryValue dict;
+  dict.SetString("clientToken", "SecretT0kenz");
+  dict.SetString("host", "127.0.0.1");
+  dict.SetInteger("port", 500);
+  dict.SetString("certificate", "h4x0r c3r7");
+
+  std::string response;
+  base::JSONWriter::Write(dict, &response);
+
+  EXPECT_CALL(*this, AssignmentResponse(
+                         AssignmentSource::Result::RESULT_INVALID_CERT, _));
+  GetNetworkAssignmentAndWaitForResponse(net::HTTP_OK, net::Error::OK, response,
+                                         "UserAuthT0kenz", kEngineVersion);
+}
+
 }  // namespace
 }  // namespace client
 }  // namespace blimp