OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include <cryptohi.h> | 5 #include <cryptohi.h> |
6 | 6 |
| 7 #include <memory> |
| 8 |
7 #include "base/json/json_writer.h" | 9 #include "base/json/json_writer.h" |
8 #include "base/macros.h" | 10 #include "base/macros.h" |
9 #include "base/memory/scoped_ptr.h" | 11 #include "base/memory/ptr_util.h" |
10 #include "base/strings/stringprintf.h" | 12 #include "base/strings/stringprintf.h" |
11 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" | 13 #include "chrome/browser/chromeos/platform_keys/platform_keys_service.h" |
12 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" | 14 #include "chrome/browser/chromeos/platform_keys/platform_keys_service_factory.h" |
13 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h" | 15 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h" |
14 #include "chrome/browser/chromeos/policy/user_policy_test_helper.h" | 16 #include "chrome/browser/chromeos/policy/user_policy_test_helper.h" |
15 #include "chrome/browser/extensions/extension_apitest.h" | 17 #include "chrome/browser/extensions/extension_apitest.h" |
16 #include "chrome/browser/net/nss_context.h" | 18 #include "chrome/browser/net/nss_context.h" |
17 #include "chrome/browser/policy/profile_policy_connector.h" | 19 #include "chrome/browser/policy/profile_policy_connector.h" |
18 #include "chrome/browser/policy/profile_policy_connector_factory.h" | 20 #include "chrome/browser/policy/profile_policy_connector_factory.h" |
19 #include "chrome/browser/profiles/profile.h" | 21 #include "chrome/browser/profiles/profile.h" |
(...skipping 163 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
183 policy_helper_->Init( | 185 policy_helper_->Init( |
184 base::DictionaryValue() /* empty mandatory policy */, | 186 base::DictionaryValue() /* empty mandatory policy */, |
185 base::DictionaryValue() /* empty recommended policy */); | 187 base::DictionaryValue() /* empty recommended policy */); |
186 } | 188 } |
187 | 189 |
188 void SetupKeyPermissionPolicy() { | 190 void SetupKeyPermissionPolicy() { |
189 // Set up the test policy that gives |extension_| the permission to access | 191 // Set up the test policy that gives |extension_| the permission to access |
190 // corporate keys. | 192 // corporate keys. |
191 base::DictionaryValue key_permissions_policy; | 193 base::DictionaryValue key_permissions_policy; |
192 { | 194 { |
193 scoped_ptr<base::DictionaryValue> cert1_key_permission( | 195 std::unique_ptr<base::DictionaryValue> cert1_key_permission( |
194 new base::DictionaryValue); | 196 new base::DictionaryValue); |
195 cert1_key_permission->SetBooleanWithoutPathExpansion( | 197 cert1_key_permission->SetBooleanWithoutPathExpansion( |
196 "allowCorporateKeyUsage", true); | 198 "allowCorporateKeyUsage", true); |
197 key_permissions_policy.SetWithoutPathExpansion( | 199 key_permissions_policy.SetWithoutPathExpansion( |
198 extension_->id(), cert1_key_permission.release()); | 200 extension_->id(), cert1_key_permission.release()); |
199 } | 201 } |
200 | 202 |
201 std::string key_permissions_policy_str; | 203 std::string key_permissions_policy_str; |
202 base::JSONWriter::WriteWithOptions(key_permissions_policy, | 204 base::JSONWriter::WriteWithOptions(key_permissions_policy, |
203 base::JSONWriter::OPTIONS_PRETTY_PRINT, | 205 base::JSONWriter::OPTIONS_PRETTY_PRINT, |
204 &key_permissions_policy_str); | 206 &key_permissions_policy_str); |
205 | 207 |
206 base::DictionaryValue user_policy; | 208 base::DictionaryValue user_policy; |
207 user_policy.SetStringWithoutPathExpansion(policy::key::kKeyPermissions, | 209 user_policy.SetStringWithoutPathExpansion(policy::key::kKeyPermissions, |
208 key_permissions_policy_str); | 210 key_permissions_policy_str); |
209 | 211 |
210 policy_helper_->UpdatePolicy( | 212 policy_helper_->UpdatePolicy( |
211 user_policy, base::DictionaryValue() /* empty recommended policy */, | 213 user_policy, base::DictionaryValue() /* empty recommended policy */, |
212 browser()->profile()); | 214 browser()->profile()); |
213 } | 215 } |
214 | 216 |
215 void GotPermissionsForExtension( | 217 void GotPermissionsForExtension( |
216 const base::Closure& done_callback, | 218 const base::Closure& done_callback, |
217 scoped_ptr<chromeos::KeyPermissions::PermissionsForExtension> | 219 std::unique_ptr<chromeos::KeyPermissions::PermissionsForExtension> |
218 permissions_for_ext) { | 220 permissions_for_ext) { |
219 std::string client_cert1_spki = | 221 std::string client_cert1_spki = |
220 chromeos::platform_keys::GetSubjectPublicKeyInfo(client_cert1_); | 222 chromeos::platform_keys::GetSubjectPublicKeyInfo(client_cert1_); |
221 permissions_for_ext->RegisterKeyForCorporateUsage(client_cert1_spki); | 223 permissions_for_ext->RegisterKeyForCorporateUsage(client_cert1_spki); |
222 done_callback.Run(); | 224 done_callback.Run(); |
223 } | 225 } |
224 | 226 |
225 void SetupTestCerts(const base::Closure& done_callback, | 227 void SetupTestCerts(const base::Closure& done_callback, |
226 net::NSSCertDatabase* cert_db) { | 228 net::NSSCertDatabase* cert_db) { |
227 SetupTestClientCerts(cert_db); | 229 SetupTestClientCerts(cert_db); |
(...skipping 36 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
264 | 266 |
265 void TearDownTestSystemSlotOnIO(const base::Closure& done_callback) { | 267 void TearDownTestSystemSlotOnIO(const base::Closure& done_callback) { |
266 DCHECK_CURRENTLY_ON(content::BrowserThread::IO); | 268 DCHECK_CURRENTLY_ON(content::BrowserThread::IO); |
267 test_system_slot_.reset(); | 269 test_system_slot_.reset(); |
268 | 270 |
269 content::BrowserThread::PostTask(content::BrowserThread::UI, FROM_HERE, | 271 content::BrowserThread::PostTask(content::BrowserThread::UI, FROM_HERE, |
270 done_callback); | 272 done_callback); |
271 } | 273 } |
272 | 274 |
273 const bool key_permission_policy_; | 275 const bool key_permission_policy_; |
274 scoped_ptr<policy::UserPolicyTestHelper> policy_helper_; | 276 std::unique_ptr<policy::UserPolicyTestHelper> policy_helper_; |
275 policy::DevicePolicyCrosTestHelper device_policy_test_helper_; | 277 policy::DevicePolicyCrosTestHelper device_policy_test_helper_; |
276 scoped_ptr<crypto::ScopedTestSystemNSSKeySlot> test_system_slot_; | 278 std::unique_ptr<crypto::ScopedTestSystemNSSKeySlot> test_system_slot_; |
277 }; | 279 }; |
278 | 280 |
279 class TestSelectDelegate | 281 class TestSelectDelegate |
280 : public chromeos::PlatformKeysService::SelectDelegate { | 282 : public chromeos::PlatformKeysService::SelectDelegate { |
281 public: | 283 public: |
282 // On each Select call, selects the next entry in |certs_to_select| from back | 284 // On each Select call, selects the next entry in |certs_to_select| from back |
283 // to front. Once the first entry is reached, that one will be selected | 285 // to front. Once the first entry is reached, that one will be selected |
284 // repeatedly. | 286 // repeatedly. |
285 // Entries of |certs_to_select| can be null in which case no certificate will | 287 // Entries of |certs_to_select| can be null in which case no certificate will |
286 // be selected. | 288 // be selected. |
(...skipping 73 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
360 // permissions and afterwards runs more basic tests. | 362 // permissions and afterwards runs more basic tests. |
361 // After the initial two interactive calls, the simulated user does not select | 363 // After the initial two interactive calls, the simulated user does not select |
362 // any cert. | 364 // any cert. |
363 IN_PROC_BROWSER_TEST_P(UnmanagedPlatformKeysTest, Basic) { | 365 IN_PROC_BROWSER_TEST_P(UnmanagedPlatformKeysTest, Basic) { |
364 net::CertificateList certs; | 366 net::CertificateList certs; |
365 certs.push_back(nullptr); | 367 certs.push_back(nullptr); |
366 certs.push_back(client_cert2_); | 368 certs.push_back(client_cert2_); |
367 certs.push_back(client_cert1_); | 369 certs.push_back(client_cert1_); |
368 | 370 |
369 GetPlatformKeysService()->SetSelectDelegate( | 371 GetPlatformKeysService()->SetSelectDelegate( |
370 make_scoped_ptr(new TestSelectDelegate(certs))); | 372 base::WrapUnique(new TestSelectDelegate(certs))); |
371 | 373 |
372 ASSERT_TRUE(RunExtensionTest("basicTests")) << message_; | 374 ASSERT_TRUE(RunExtensionTest("basicTests")) << message_; |
373 } | 375 } |
374 | 376 |
375 // On interactive calls, the simulated user always selects |client_cert1_| if | 377 // On interactive calls, the simulated user always selects |client_cert1_| if |
376 // matching. | 378 // matching. |
377 IN_PROC_BROWSER_TEST_P(UnmanagedPlatformKeysTest, Permissions) { | 379 IN_PROC_BROWSER_TEST_P(UnmanagedPlatformKeysTest, Permissions) { |
378 net::CertificateList certs; | 380 net::CertificateList certs; |
379 certs.push_back(client_cert1_); | 381 certs.push_back(client_cert1_); |
380 | 382 |
381 GetPlatformKeysService()->SetSelectDelegate( | 383 GetPlatformKeysService()->SetSelectDelegate( |
382 make_scoped_ptr(new TestSelectDelegate(certs))); | 384 base::WrapUnique(new TestSelectDelegate(certs))); |
383 | 385 |
384 ASSERT_TRUE(RunExtensionTest("permissionTests")) << message_; | 386 ASSERT_TRUE(RunExtensionTest("permissionTests")) << message_; |
385 } | 387 } |
386 | 388 |
387 INSTANTIATE_TEST_CASE_P(Unmanaged, | 389 INSTANTIATE_TEST_CASE_P(Unmanaged, |
388 UnmanagedPlatformKeysTest, | 390 UnmanagedPlatformKeysTest, |
389 ::testing::Values(DEVICE_STATUS_ENROLLED, | 391 ::testing::Values(DEVICE_STATUS_ENROLLED, |
390 DEVICE_STATUS_NOT_ENROLLED)); | 392 DEVICE_STATUS_NOT_ENROLLED)); |
391 | 393 |
392 IN_PROC_BROWSER_TEST_P(ManagedWithoutPermissionPlatformKeysTest, | 394 IN_PROC_BROWSER_TEST_P(ManagedWithoutPermissionPlatformKeysTest, |
393 UserPermissionsBlocked) { | 395 UserPermissionsBlocked) { |
394 // To verify that the user is not prompted for any certificate selection, | 396 // To verify that the user is not prompted for any certificate selection, |
395 // set up a delegate that fails on any invocation. | 397 // set up a delegate that fails on any invocation. |
396 GetPlatformKeysService()->SetSelectDelegate( | 398 GetPlatformKeysService()->SetSelectDelegate( |
397 make_scoped_ptr(new TestSelectDelegate(net::CertificateList()))); | 399 base::WrapUnique(new TestSelectDelegate(net::CertificateList()))); |
398 | 400 |
399 ASSERT_TRUE(RunExtensionTest("managedProfile")) << message_; | 401 ASSERT_TRUE(RunExtensionTest("managedProfile")) << message_; |
400 } | 402 } |
401 | 403 |
402 // A corporate key must not be useable if there is no policy permitting it. | 404 // A corporate key must not be useable if there is no policy permitting it. |
403 IN_PROC_BROWSER_TEST_P(ManagedWithoutPermissionPlatformKeysTest, | 405 IN_PROC_BROWSER_TEST_P(ManagedWithoutPermissionPlatformKeysTest, |
404 CorporateKeyAccessBlocked) { | 406 CorporateKeyAccessBlocked) { |
405 RegisterClient1AsCorporateKey(); | 407 RegisterClient1AsCorporateKey(); |
406 | 408 |
407 // To verify that the user is not prompted for any certificate selection, | 409 // To verify that the user is not prompted for any certificate selection, |
408 // set up a delegate that fails on any invocation. | 410 // set up a delegate that fails on any invocation. |
409 GetPlatformKeysService()->SetSelectDelegate( | 411 GetPlatformKeysService()->SetSelectDelegate( |
410 make_scoped_ptr(new TestSelectDelegate(net::CertificateList()))); | 412 base::WrapUnique(new TestSelectDelegate(net::CertificateList()))); |
411 | 413 |
412 ASSERT_TRUE(RunExtensionTest("corporateKeyWithoutPermissionTests")) | 414 ASSERT_TRUE(RunExtensionTest("corporateKeyWithoutPermissionTests")) |
413 << message_; | 415 << message_; |
414 } | 416 } |
415 | 417 |
416 INSTANTIATE_TEST_CASE_P( | 418 INSTANTIATE_TEST_CASE_P( |
417 ManagedWithoutPermission, | 419 ManagedWithoutPermission, |
418 ManagedWithoutPermissionPlatformKeysTest, | 420 ManagedWithoutPermissionPlatformKeysTest, |
419 ::testing::Values( | 421 ::testing::Values( |
420 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_AFFILIATED_DOMAIN), | 422 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_AFFILIATED_DOMAIN), |
421 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN), | 423 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN), |
422 Params(DEVICE_STATUS_NOT_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN))); | 424 Params(DEVICE_STATUS_NOT_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN))); |
423 | 425 |
424 IN_PROC_BROWSER_TEST_P(ManagedWithPermissionPlatformKeysTest, | 426 IN_PROC_BROWSER_TEST_P(ManagedWithPermissionPlatformKeysTest, |
425 PolicyGrantsAccessToCorporateKey) { | 427 PolicyGrantsAccessToCorporateKey) { |
426 RegisterClient1AsCorporateKey(); | 428 RegisterClient1AsCorporateKey(); |
427 | 429 |
428 // Set up the test SelectDelegate to select |client_cert1_| if available for | 430 // Set up the test SelectDelegate to select |client_cert1_| if available for |
429 // selection. | 431 // selection. |
430 net::CertificateList certs; | 432 net::CertificateList certs; |
431 certs.push_back(client_cert1_); | 433 certs.push_back(client_cert1_); |
432 | 434 |
433 GetPlatformKeysService()->SetSelectDelegate( | 435 GetPlatformKeysService()->SetSelectDelegate( |
434 make_scoped_ptr(new TestSelectDelegate(certs))); | 436 base::WrapUnique(new TestSelectDelegate(certs))); |
435 | 437 |
436 ASSERT_TRUE(RunExtensionTest("corporateKeyWithPermissionTests")) << message_; | 438 ASSERT_TRUE(RunExtensionTest("corporateKeyWithPermissionTests")) << message_; |
437 } | 439 } |
438 | 440 |
439 IN_PROC_BROWSER_TEST_P(ManagedWithPermissionPlatformKeysTest, | 441 IN_PROC_BROWSER_TEST_P(ManagedWithPermissionPlatformKeysTest, |
440 PolicyDoesGrantAccessToNonCorporateKey) { | 442 PolicyDoesGrantAccessToNonCorporateKey) { |
441 // The policy grants access to corporate keys but none are available. | 443 // The policy grants access to corporate keys but none are available. |
442 // As the profile is managed, the user must not be able to grant any | 444 // As the profile is managed, the user must not be able to grant any |
443 // certificate permission. Set up a delegate that fails on any invocation. | 445 // certificate permission. Set up a delegate that fails on any invocation. |
444 GetPlatformKeysService()->SetSelectDelegate( | 446 GetPlatformKeysService()->SetSelectDelegate( |
445 make_scoped_ptr(new TestSelectDelegate(net::CertificateList()))); | 447 base::WrapUnique(new TestSelectDelegate(net::CertificateList()))); |
446 | 448 |
447 ASSERT_TRUE(RunExtensionTest("policyDoesGrantAccessToNonCorporateKey")) | 449 ASSERT_TRUE(RunExtensionTest("policyDoesGrantAccessToNonCorporateKey")) |
448 << message_; | 450 << message_; |
449 } | 451 } |
450 | 452 |
451 INSTANTIATE_TEST_CASE_P( | 453 INSTANTIATE_TEST_CASE_P( |
452 ManagedWithPermission, | 454 ManagedWithPermission, |
453 ManagedWithPermissionPlatformKeysTest, | 455 ManagedWithPermissionPlatformKeysTest, |
454 ::testing::Values( | 456 ::testing::Values( |
455 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_AFFILIATED_DOMAIN), | 457 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_AFFILIATED_DOMAIN), |
456 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN), | 458 Params(DEVICE_STATUS_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN), |
457 Params(DEVICE_STATUS_NOT_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN))); | 459 Params(DEVICE_STATUS_NOT_ENROLLED, USER_STATUS_MANAGED_OTHER_DOMAIN))); |
OLD | NEW |