cros: Added policies for screen unlock.

chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage.h"
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage_factory.h"
 #include "chrome/browser/chromeos/login/quick_unlock/quick_unlock_utils.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/test/base/testing_profile.h"
 #include "components/prefs/pref_service.h"
+#include "components/prefs/scoped_user_pref_update.h"
 #include "content/public/test/test_browser_thread_bundle.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 class PinStorageUnitTest : public testing::Test {
  protected:
   PinStorageUnitTest() : profile_(new TestingProfile()) {}
   ~PinStorageUnitTest() override {}
 
   // testing::Test:
-  void SetUp() override { chromeos::EnableQuickUnlockForTesting(); }
+  void SetUp() override {
+    chromeos::EnableQuickUnlockForTesting();
+
+    // Pin is not allowed by default so we need to update it for this test.

[jdufault, 2016/10/25 17:39:50]

nit: Pin => PIN

What about

  // PIN is not enabled by default. Enable it for the test.

But PIN should be enabled by default if the device is not enterprise enrolled,
so this should not be needed.

[sammiequon, 2016/10/25 19:18:41]

Done.

+    ListPrefUpdate update(profile_->GetPrefs(),
+                          prefs::kQuickUnlockModeWhitelist);
+    update->Append(base::MakeUnique<base::StringValue>("pin"));
+  }
 
   content::TestBrowserThreadBundle thread_bundle_;
   std::unique_ptr<TestingProfile> profile_;
 
   DISALLOW_COPY_AND_ASSIGN(PinStorageUnitTest);
 };
 
 }  // namespace
 
 // Provides test-only PinStorage APIs.
 class PinStorageTestApi {
  public:
   // Does *not* take ownership over |pin_storage|.
   explicit PinStorageTestApi(chromeos::PinStorage* pin_storage)
       : pin_storage_(pin_storage) {}
 
   // Reduces the amount of strong auth time available by |time_delta|.
   void ReduceRemainingStrongAuthTimeBy(const base::TimeDelta& time_delta) {
     pin_storage_->last_strong_auth_ -= time_delta;
   }
 
+  bool IsLastStrongAuthAvaliable() {
+    return !pin_storage_->last_strong_auth_.is_null();
+  }
+
   std::string PinSalt() const { return pin_storage_->PinSalt(); }
 
   std::string PinSecret() const { return pin_storage_->PinSecret(); }
 
  private:
   chromeos::PinStorage* pin_storage_;
 
   DISALLOW_COPY_AND_ASSIGN(PinStorageTestApi);
 };
 
@@ skipping 45 matching lines @@
   EXPECT_EQ(0, pin_storage->unlock_attempt_count());
 }
 
 // Verifies that marking the strong auth makes TimeSinceLastStrongAuth a > zero
 // value.
 TEST_F(PinStorageUnitTest, TimeSinceLastStrongAuthReturnsPositiveValue) {
   chromeos::PinStorage* pin_storage =
       chromeos::PinStorageFactory::GetForProfile(profile_.get());
   PinStorageTestApi pin_storage_test(pin_storage);
 
-  EXPECT_FALSE(pin_storage->HasStrongAuth());
+  EXPECT_FALSE(pin_storage_test.IsLastStrongAuthAvaliable());
 
   pin_storage->MarkStrongAuth();
 
-  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  EXPECT_TRUE(pin_storage_test.IsLastStrongAuthAvaliable());
   pin_storage_test.ReduceRemainingStrongAuthTimeBy(
       base::TimeDelta::FromSeconds(60));
 
   EXPECT_TRUE(pin_storage->TimeSinceLastStrongAuth() >=
               base::TimeDelta::FromSeconds(30));
 }
 
+// Verifies altering the password confirmation preference produces the expected
+// results.
+TEST_F(PinStorageUnitTest, PasswordConfirmationFrequencyPreference) {
+  chromeos::PinStorage* pin_storage =
+      chromeos::PinStorageFactory::GetForProfile(profile_.get());
+  PrefService* pref_service = profile_->GetPrefs();
+  PinStorageTestApi pin_storage_test(pin_storage);
+
+  // The default is one day, so verify moving time back 13 hours should not
+  // request strong auth.
+  pin_storage->MarkStrongAuth();
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(13));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+
+  // Verify moving time back another 13 hours should request strong auth.
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(13));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+
+  // Reset the time since last strong auth.
+  pin_storage->MarkStrongAuth();
+
+  // Verify that by changing the frequency of required password confirmation to
+  // six hours, moving interval by 4 hours will not trigger a request for strong
+  // auth, but moving interval by an additional 4 hours will.
+  pref_service->SetInteger(
+      prefs::kQuickUnlockTimeout,
+      static_cast<int>(chromeos::PasswordConfirmationFrequency::SIX_HOURS));
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(4));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(4));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+
+  // Verify that by changing the frequency of required password confirmation to
+  // twelve hours, the current interval of 8 hours will not trigger a request
+  // for strong auth, but moving interval by an additional 5 hours will.
+  pref_service->SetInteger(
+      prefs::kQuickUnlockTimeout,
+      static_cast<int>(chromeos::PasswordConfirmationFrequency::TWELVE_HOURS));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(5));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+
+  pin_storage->MarkStrongAuth();
+  // Verify that by changing the frequency of required password confirmation to
+  // one week, moving interval by 3 days will not trigger a request for strong
+  // auth, but moving interval by an addition 5 days will.
+  pref_service->SetInteger(
+      prefs::kQuickUnlockTimeout,
+      static_cast<int>(chromeos::PasswordConfirmationFrequency::WEEK));
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromDays(3));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromDays(5));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+}
+
 // Verifies that the correct pin can be used to authenticate.
 TEST_F(PinStorageUnitTest, AuthenticationSucceedsWithRightPin) {
   chromeos::PinStorage* pin_storage =
       chromeos::PinStorageFactory::GetForProfile(profile_.get());
 
   pin_storage->SetPin("1111");
 
   pin_storage->MarkStrongAuth();
   EXPECT_TRUE(pin_storage->TryAuthenticatePin("1111"));
 }
@@ skipping 23 matching lines @@
   chromeos::PinStorage* pin_storage =
       chromeos::PinStorageFactory::GetForProfile(profile_.get());
   PinStorageTestApi pin_storage_test(pin_storage);
 
   pin_storage->SetPin("1111");
   pin_storage->MarkStrongAuth();
   EXPECT_TRUE(pin_storage->IsPinAuthenticationAvailable());
 
   // Remove all of the strong auth time so that we have a strong auth timeout.
   pin_storage_test.ReduceRemainingStrongAuthTimeBy(
-      chromeos::PinStorage::kStrongAuthTimeout + base::TimeDelta::FromHours(1));
+      base::TimeDelta::FromDays(10));
 
   EXPECT_FALSE(pin_storage->IsPinAuthenticationAvailable());
 }
+
+TEST_F(PinStorageUnitTest, VerifyPinUnlockAgainstPolicy) {
+  ListPrefUpdate update(profile_->GetPrefs(), prefs::kQuickUnlockModeWhitelist);
+  // Verify that clearing the whitelist diables the pin.
+  update->Clear();
+  EXPECT_FALSE(chromeos::IsPinUnlockEnabled(profile_->GetPrefs()));
+
+  // Verify that by adding pin and another unlock mode, pin is enabled.
+  update->Append(base::MakeUnique<base::StringValue>("pin"));
+  EXPECT_TRUE(chromeos::IsPinUnlockEnabled(profile_->GetPrefs()));
+  update->Append(base::MakeUnique<base::StringValue>("password"));
+  EXPECT_TRUE(chromeos::IsPinUnlockEnabled(profile_->GetPrefs()));
+
+  // Verify that adding all to the whitelist enables the pin.
+  update->Append(base::MakeUnique<base::StringValue>("all"));
+  EXPECT_TRUE(chromeos::IsPinUnlockEnabled(profile_->GetPrefs()));
+}