chromeos/network/client_cert_resolver_unittest.cc - Issue 22327005: Automatically resolve ClientCertificatePatterns.

Side by Side Diff: chromeos/network/client_cert_resolver_unittest.cc

Issue 22327005: Automatically resolve ClientCertificatePatterns. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src

Patch Set: Fixed comments. Created 7 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
(Empty)
	1 // Copyright 2013 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4 #include "chromeos/network/client_cert_resolver.h"

	5

	6 #include <cert.h>

	7 #include <pk11pub.h>

	8

	9 #include "base/file_util.h"

	10 #include "base/files/file_path.h"

	11 #include "base/json/json_reader.h"

	12 #include "base/run_loop.h"

	13 #include "base/strings/stringprintf.h"

	14 #include "chromeos/dbus/dbus_thread_manager.h"

	15 #include "chromeos/dbus/shill_profile_client.h"

	16 #include "chromeos/dbus/shill_service_client.h"

	17 #include "chromeos/login/login_state.h"

	18 #include "chromeos/network/managed_network_configuration_handler.h"

	19 #include "chromeos/network/network_configuration_handler.h"

	20 #include "chromeos/network/network_profile_handler.h"

	21 #include "chromeos/network/network_state_handler.h"

	22 #include "crypto/nss_util.h"

	23 #include "net/base/crypto_module.h"

	24 #include "net/base/net_errors.h"

	25 #include "net/base/test_data_directory.h"

	26 #include "net/cert/nss_cert_database.h"

	27 #include "net/cert/x509_certificate.h"

	28 #include "net/test/cert_test_util.h"

	29 #include "testing/gtest/include/gtest/gtest.h"

	30 #include "third_party/cros_system_api/dbus/service_constants.h"

	31

	32 namespace chromeos {

	33

	34 namespace {

	35

	36 const char* kWifiStub = "wifi_stub";

	37 const char* kWifiSSID = "wifi_ssid";

	38 //const char* kFakePEM = "pem";
	stevenjb 2013/08/10 00:11:58 remove until used remove until used pneubeck (no reviews) 2013/08/11 18:37:02 Done. Show quoted text On 2013/08/10 00:11:58, stevenjb (chromium) wrote: > remove until used Done.
	39 const char* kUserProfilePath = "user_profile";

	40 const char* kUserHash = "user_hash";

	41

	42 } // namespace

	43

	44 class ClientCertResolverTest : public testing::Test {

	45 public:

	46 ClientCertResolverTest() {}

	47 virtual ~ClientCertResolverTest() {}

	48

	49 virtual void SetUp() OVERRIDE {

	50 ASSERT_TRUE(test_nssdb_.is_open());

	51 slot_ = net::NSSCertDatabase::GetInstance()->GetPublicModule();

	52 ASSERT_TRUE(slot_->os_module_handle());

	53

	54 LoginState::Initialize();

	55

	56 DBusThreadManager::InitializeWithStub();

	57 service_test_ =

	58 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();

	59 profile_test_ =

	60 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface();

	61 message_loop_.RunUntilIdle();

	62 service_test_->ClearServices();

	63 message_loop_.RunUntilIdle();

	64

	65 CertLoader::Initialize();

	66 CertLoader* cert_loader = CertLoader::Get();

	67 cert_loader->InitializeTPMForTest();

	68 cert_loader->SetSlowTaskRunnerForTest(

	69 message_loop_.message_loop_proxy());

	70 cert_loader->SetCryptoTaskRunner(message_loop_.message_loop_proxy());

	71 }

	72

	73 virtual void TearDown() OVERRIDE {

	74 client_cert_resolver_.reset();

	75 managed_config_handler_.reset();

	76 network_config_handler_.reset();

	77 network_profile_handler_.reset();

	78 network_state_handler_.reset();

	79 CertLoader::Shutdown();

	80 DBusThreadManager::Shutdown();

	81 LoginState::Shutdown();

	82 CleanupSlotContents();

	83 }

	84

	85 protected:

	86 void SetupTestCerts() {

	87 net::NSSCertDatabase* cert_db = net::NSSCertDatabase::GetInstance();

	88 net::CertificateList ca_cert_list =

	89 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),

	90 "websocket_cacert.pem",
	stevenjb 2013/08/10 00:11:58 FILE_PATH_LITERAL() ? Also, make this a const with FILE_PATH_LITERAL() ? Also, make this a const with a descriptive name (e.g. kTestCertsWebsocketCA"). Would be ideal if this were defined somewhere in net. pneubeck (no reviews) 2013/08/11 18:37:02 AFAIU, FILE_PATH_LITERAL helps for cross-platform Show quoted text On 2013/08/10 00:11:58, stevenjb (chromium) wrote: > FILE_PATH_LITERAL() ? > Also, make this a const with a descriptive name (e.g. kTestCertsWebsocketCA"). > Would be ideal if this were defined somewhere in net. AFAIU, FILE_PATH_LITERAL helps for cross-platform support. Since we're in chromeos it seems unnecessary. net::CreateCertificateListFromFile also has a std::string argument and not a file path. The filename is already a name of some object (the certificate in the file). What exactly does the globally named constant improve? Here the string itself is important. Any additional indirection seems more complicated. Added some clarifying comments instead.
	91 net::X509Certificate::FORMAT_AUTO);

	92 ASSERT_TRUE(!ca_cert_list.empty());

	93 net::NSSCertDatabase::ImportCertFailureList failures;

	94 EXPECT_TRUE(cert_db->ImportCACerts(

	95 ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));

	96 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);

	97

	98 net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(),

	99 &test_ca_cert_pem_);

	100 ASSERT_TRUE(!test_ca_cert_pem_.empty());

	101

	102 scoped_refptr<net::CryptoModule> crypt_module = cert_db->GetPrivateModule();

	103 std::string pkcs12_data;

	104 ASSERT_TRUE(file_util::ReadFileToString(

	105 net::GetTestCertsDirectory().Append("websocket_client_cert.p12"),
	stevenjb 2013/08/10 00:11:58 named const named const pneubeck (no reviews) 2013/08/11 18:37:02 ditto. Show quoted text On 2013/08/10 00:11:58, stevenjb (chromium) wrote: > named const ditto.
	106 &pkcs12_data));

	107

	108 net::CertificateList client_cert_list;

	109 ASSERT_EQ(net::OK,

	110 cert_db->ImportFromPKCS12(crypt_module.get(),

	111 pkcs12_data,

	112 string16(),

	113 false,

	114 &client_cert_list));

	115 ASSERT_TRUE(!client_cert_list.empty());

	116 test_pkcs11_id_ = CertLoader::GetPkcs11IdForCert(*client_cert_list[0]);

	117 ASSERT_TRUE(!test_pkcs11_id_.empty());

	118 }

	119

	120 void SetupNetworkHandlers() {

	121 network_state_handler_.reset(NetworkStateHandler::InitializeForTest());

	122 network_profile_handler_.reset(new NetworkProfileHandler());

	123 network_config_handler_.reset(new NetworkConfigurationHandler());

	124 managed_config_handler_.reset(

	125 new ManagedNetworkConfigurationHandler());

	126 client_cert_resolver_.reset(new ClientCertResolver());

	127

	128 network_profile_handler_->Init(network_state_handler_.get());

	129 network_config_handler_->Init(network_state_handler_.get());

	130 managed_config_handler_->Init(network_state_handler_.get(),

	131 network_profile_handler_.get(),

	132 network_config_handler_.get());

	133 client_cert_resolver_->Init(network_state_handler_.get(),

	134 managed_config_handler_.get());

	135 client_cert_resolver_->SetSlowTaskRunnerForTest(

	136 message_loop_.message_loop_proxy());

	137 }

	138

	139 void SetupWifiWithPattern() {

	140 profile_test_->AddProfile(kUserProfilePath, kUserHash);

	141

	142 const bool add_to_visible = true;

	143 const bool add_to_watchlist = true;

	144 service_test_->AddService(kWifiStub,

	145 kWifiSSID,

	146 flimflam::kTypeWifi,

	147 flimflam::kStateOnline,

	148 add_to_visible,

	149 add_to_watchlist);

	150 service_test_->SetServiceProperty(kWifiStub,

	151 flimflam::kGuidProperty,

	152 base::StringValue(kWifiStub));

	153 profile_test_->AddService(kUserProfilePath, kWifiStub);

	154 }

	155

	156 void SetupPolicy() {

	157 const char* kTestPolicyTemplate =

	158 "[ { \"GUID\": \"wifi_stub\","

	159 " \"Name\": \"wifi_stub\","

	160 " \"Type\": \"WiFi\","

	161 " \"WiFi\": {"

	162 " \"Security\": \"WPA-EAP\","

	163 " \"SSID\": \"wifi_ssid\","

	164 " \"EAP\": {"

	165 " \"Outer\": \"EAP-TLS\","

	166 " \"ClientCertType\": \"Pattern\","

	167 " \"ClientCertPattern\": {"

	168 " \"IssuerCAPEMs\": [ \"%s\" ]"

	169 " }"

	170 " }"

	171 " }"

	172 "} ]";

	173 std::string policy_json =

	174 base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str());

	175

	176 std::string error;

	177 scoped_ptr<base::Value> policy_value(base::JSONReader::ReadAndReturnError(

	178 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error));

	179 ASSERT_TRUE(policy_value) << error;

	180

	181 base::ListValue* policy = NULL;

	182 ASSERT_TRUE(policy_value->GetAsList(&policy) && policy);
	stevenjb 2013/08/10 00:11:58 nit: && policy redundant; GetAsList only returns t nit: && policy redundant; GetAsList only returns true if policy != NULL pneubeck (no reviews) 2013/08/11 18:37:02 Done. Show quoted text On 2013/08/10 00:11:58, stevenjb (chromium) wrote: > nit: && policy redundant; GetAsList only returns true if policy != NULL Done.
	183

	184 managed_config_handler_->SetPolicy(

	185 onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy);

	186 }

	187

	188 void GetClientCertProperties(std::string* pkcs11_id) {

	189 pkcs11_id->clear();

	190 const base::DictionaryValue* properties =

	191 service_test_->GetServiceProperties(kWifiStub);

	192 properties->GetStringWithoutPathExpansion(flimflam::kEapCertIdProperty,

	193 pkcs11_id);

	194 }

	195

	196 ShillServiceClient::TestInterface* service_test_;

	197 ShillProfileClient::TestInterface* profile_test_;

	198 std::string test_pkcs11_id_;

	199 scoped_refptr<net::X509Certificate> test_ca_cert_;

	200 std::string test_ca_cert_pem_;

	201 base::MessageLoop message_loop_;

	202

	203 private:

	204 void CleanupSlotContents() {

	205 CERTCertList* cert_list = PK11_ListCertsInSlot(slot_->os_module_handle());

	206 for (CERTCertListNode* node = CERT_LIST_HEAD(cert_list);

	207 !CERT_LIST_END(node, cert_list);

	208 node = CERT_LIST_NEXT(node)) {

	209 scoped_refptr<net::X509Certificate> cert(

	210 net::X509Certificate::CreateFromHandle(

	211 node->cert, net::X509Certificate::OSCertHandles()));

	212 net::NSSCertDatabase::GetInstance()->DeleteCertAndKey(cert.get());

	213 }

	214 CERT_DestroyCertList(cert_list);

	215 }

	216

	217 scoped_ptr<NetworkStateHandler> network_state_handler_;

	218 scoped_ptr<NetworkProfileHandler> network_profile_handler_;

	219 scoped_ptr<NetworkConfigurationHandler> network_config_handler_;

	220 scoped_ptr<ManagedNetworkConfigurationHandler>

	221 managed_config_handler_;

	222 scoped_ptr<ClientCertResolver> client_cert_resolver_;

	223 scoped_refptr<net::CryptoModule> slot_;

	224 crypto::ScopedTestNSSDB test_nssdb_;

	225

	226 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);

	227 };

	228

	229 TEST_F(ClientCertResolverTest, ResolveOnInitialization) {

	230 // Add a new network for migration before the handlers are initialized.

	231 SetupTestCerts();

	232 SetupNetworkHandlers();

	233 SetupPolicy();

	234

	235 message_loop_.RunUntilIdle();

	236

	237 SetupWifiWithPattern();

	238 message_loop_.RunUntilIdle();

	239

	240 std::string pkcs11_id;

	241 GetClientCertProperties(&pkcs11_id);

	242 EXPECT_EQ(test_pkcs11_id_, pkcs11_id);

	243 }

	244

	245 } // namespace chromeos

OLD	NEW