cros: Added policies for screen unlock.

chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage.h"
 #include "chrome/browser/chromeos/login/quick_unlock/pin_storage_factory.h"
 #include "chrome/browser/chromeos/login/quick_unlock/quick_unlock_utils.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/test/base/testing_profile.h"
 #include "components/prefs/pref_service.h"
+#include "components/prefs/scoped_user_pref_update.h"
 #include "content/public/test/test_browser_thread_bundle.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 class PinStorageUnitTest : public testing::Test {
  protected:
   PinStorageUnitTest() : profile_(new TestingProfile()) {}
   ~PinStorageUnitTest() override {}
 
   // testing::Test:
-  void SetUp() override { chromeos::EnableQuickUnlockForTesting(); }
+  void SetUp() override {
+    chromeos::quick_unlock::EnableQuickUnlockForTesting();
+  }
 
   content::TestBrowserThreadBundle thread_bundle_;
   std::unique_ptr<TestingProfile> profile_;
 
   DISALLOW_COPY_AND_ASSIGN(PinStorageUnitTest);
 };
 
 }  // namespace
 
 // Provides test-only PinStorage APIs.
 class PinStorageTestApi {
  public:
   // Does *not* take ownership over |pin_storage|.
   explicit PinStorageTestApi(chromeos::PinStorage* pin_storage)
       : pin_storage_(pin_storage) {}
 
   // Reduces the amount of strong auth time available by |time_delta|.
   void ReduceRemainingStrongAuthTimeBy(const base::TimeDelta& time_delta) {
     pin_storage_->last_strong_auth_ -= time_delta;
   }
 
+  bool HasStrongAuthInfo() {
+    return !pin_storage_->last_strong_auth_.is_null();
+  }
+
   std::string PinSalt() const { return pin_storage_->PinSalt(); }
 
   std::string PinSecret() const { return pin_storage_->PinSecret(); }
 
  private:
   chromeos::PinStorage* pin_storage_;
 
   DISALLOW_COPY_AND_ASSIGN(PinStorageTestApi);
 };
 
@@ skipping 45 matching lines @@
   EXPECT_EQ(0, pin_storage->unlock_attempt_count());
 }
 
 // Verifies that marking the strong auth makes TimeSinceLastStrongAuth a > zero
 // value.
 TEST_F(PinStorageUnitTest, TimeSinceLastStrongAuthReturnsPositiveValue) {
   chromeos::PinStorage* pin_storage =
       chromeos::PinStorageFactory::GetForProfile(profile_.get());
   PinStorageTestApi pin_storage_test(pin_storage);
 
-  EXPECT_FALSE(pin_storage->HasStrongAuth());
+  EXPECT_FALSE(pin_storage_test.HasStrongAuthInfo());
 
   pin_storage->MarkStrongAuth();
 
-  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  EXPECT_TRUE(pin_storage_test.HasStrongAuthInfo());
   pin_storage_test.ReduceRemainingStrongAuthTimeBy(
       base::TimeDelta::FromSeconds(60));
 
   EXPECT_TRUE(pin_storage->TimeSinceLastStrongAuth() >=
               base::TimeDelta::FromSeconds(30));
 }
 
+// Verifies altering the password confirmation preference produces the expected
+// results.

[jdufault, 2016/10/31 22:22:01]

What are the expected results?

[sammiequon, 2016/11/01 04:33:17]

Done.

+TEST_F(PinStorageUnitTest, PasswordConfirmationFrequencyPreference) {
+  chromeos::PinStorage* pin_storage =
+      chromeos::PinStorageFactory::GetForProfile(profile_.get());
+  PrefService* pref_service = profile_->GetPrefs();
+  PinStorageTestApi pin_storage_test(pin_storage);
+
+  // The default is one day, so verify moving time back 13 hours should not
+  // request strong auth.
+  pin_storage->MarkStrongAuth();
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(13));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+
+  // Verify moving time back another 13 hours should request strong auth.
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(13));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+
+  // Reset the time since last strong auth.
+  pin_storage->MarkStrongAuth();
+
+  // Verify that by changing the frequency of required password confirmation to
+  // six hours, moving interval by 4 hours will not trigger a request for strong
+  // auth, but moving interval by an additional 4 hours will.
+  pref_service->SetInteger(

[jdufault, 2016/10/31 22:22:02]

Write a helper method to do this.

SetConfirmationFrequency(PasswordConfirmationFrequency::SIX_HOURS)

[sammiequon, 2016/11/01 04:33:17]

Done.

+      prefs::kQuickUnlockTimeout,
+      static_cast<int>(
+          chromeos::quick_unlock::PasswordConfirmationFrequency::SIX_HOURS));
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(4));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(4));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+
+  // Verify that by changing the frequency of required password confirmation to
+  // twelve hours, the current interval of 8 hours will not trigger a request
+  // for strong auth, but moving interval by an additional 5 hours will.
+  pref_service->SetInteger(
+      prefs::kQuickUnlockTimeout,
+      static_cast<int>(
+          chromeos::quick_unlock::PasswordConfirmationFrequency::TWELVE_HOURS));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(

[jdufault, 2016/10/31 22:22:01]

What about renaming pin_storage_test to test_api?

[sammiequon, 2016/11/01 04:33:17]

Done.

+      base::TimeDelta::FromHours(5));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+
+  pin_storage->MarkStrongAuth();
+  // Verify that by changing the frequency of required password confirmation to
+  // one week, moving interval by 3 days will not trigger a request for strong

[jdufault, 2016/10/31 22:22:01]

This is the same test four times over. I would eliminate 3 of them and keep your
favorite.

I think there are some other interesting test cases:

- Current auth time at 8 hours elapsed, 12 hour timeout. Policy changes to 4
hours (so now timeout has happened from policy change). What happens?

- Same thing in reverse (8 hour elapsed, 4 hour timeout, timeout changes to 12
hours).

[sammiequon, 2016/11/01 04:33:17]

Done.

+  // auth, but moving interval by an addition 5 days will.
+  pref_service->SetInteger(
+      prefs::kQuickUnlockTimeout,
+      static_cast<int>(
+          chromeos::quick_unlock::PasswordConfirmationFrequency::WEEK));
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromDays(3));
+  EXPECT_TRUE(pin_storage->HasStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromDays(5));
+  EXPECT_FALSE(pin_storage->HasStrongAuth());
+}
+
 // Verifies that the correct pin can be used to authenticate.
 TEST_F(PinStorageUnitTest, AuthenticationSucceedsWithRightPin) {
   chromeos::PinStorage* pin_storage =
       chromeos::PinStorageFactory::GetForProfile(profile_.get());
 
   pin_storage->SetPin("1111");
 
   pin_storage->MarkStrongAuth();
   EXPECT_TRUE(pin_storage->TryAuthenticatePin("1111"));
 }
@@ skipping 23 matching lines @@
   chromeos::PinStorage* pin_storage =
       chromeos::PinStorageFactory::GetForProfile(profile_.get());
   PinStorageTestApi pin_storage_test(pin_storage);
 
   pin_storage->SetPin("1111");
   pin_storage->MarkStrongAuth();
   EXPECT_TRUE(pin_storage->IsPinAuthenticationAvailable());
 
   // Remove all of the strong auth time so that we have a strong auth timeout.
   pin_storage_test.ReduceRemainingStrongAuthTimeBy(
-      chromeos::PinStorage::kStrongAuthTimeout + base::TimeDelta::FromHours(1));
+      base::TimeDelta::FromDays(10));
 
   EXPECT_FALSE(pin_storage->IsPinAuthenticationAvailable());
 }