cros: Added policies for screen unlock.

chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc

Index: chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc
diff --git a/chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc b/chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc
index d0266f8f59eb96504b8a62f03f17a92a790002c5..6b3e9f6c1521dd21991e648dc084a80a9c023ece 100644
--- a/chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc
+++ b/chrome/browser/chromeos/login/quick_unlock/pin_storage_unittest.cc
@@ -8,6 +8,7 @@
 #include "chrome/common/pref_names.h"
 #include "chrome/test/base/testing_profile.h"
 #include "components/prefs/pref_service.h"
+#include "components/prefs/scoped_user_pref_update.h"
 #include "content/public/test/test_browser_thread_bundle.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -19,7 +20,13 @@ class PinStorageUnitTest : public testing::Test {
   ~PinStorageUnitTest() override {}
 
   // testing::Test:
-  void SetUp() override { chromeos::EnableQuickUnlockForTesting(); }
+  void SetUp() override {
+    chromeos::EnableQuickUnlockForTesting();
+
+    // Pin is not allowed by default so we need to update it for this test.
+    ListPrefUpdate update(profile_->GetPrefs(), prefs::kScreenUnlockWhitelist);
+    update->Append(base::MakeUnique<base::StringValue>("pin"));

[jdufault, 2016/10/04 17:55:06]

If the device is *not* enterprise enrolled, PIN should be allowed. However, the
default policy value may be to disallow PIN - but this seems like a server-side
change and not a client-side one.

+  }
 
   content::TestBrowserThreadBundle thread_bundle_;
   std::unique_ptr<TestingProfile> profile_;
@@ -118,6 +125,68 @@ TEST_F(PinStorageUnitTest, TimeSinceLastStrongAuthReturnsPositiveValue) {
               base::TimeDelta::FromSeconds(30));
 }
 
+// Verifies altering the Password confirmation preference produces the expected

[jdufault, 2016/10/04 17:55:06]

Password => password

[sammiequon, 2016/10/18 22:47:49]

Done.

+// results.
+TEST_F(PinStorageUnitTest, PasswordConfirmationPreference) {
+  chromeos::PinStorage* pin_storage =
+      chromeos::PinStorageFactory::GetForProfile(profile_.get());
+  PrefService* pref_service = profile_->GetPrefs();
+  PinStorageTestApi pin_storage_test(pin_storage);
+
+  // The default is one day, so verify moving time back 13 hours should not
+  // request strong auth.
+  pin_storage->MarkStrongAuth();
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(13));
+  EXPECT_FALSE(pin_storage->NeedsStrongAuth());
+
+  // Verify moving time back another 13 hours should request strong auth.
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(13));
+  EXPECT_TRUE(pin_storage->NeedsStrongAuth());
+
+  // Reset the time since last strong auth.
+  pin_storage->MarkStrongAuth();
+
+  // Verify that by changing the frequency of required password confirmation to
+  // six hours, moving interval by 4 hours will not trigger a request for strong
+  // auth, but moving interval by an additional 4 hours will.
+  pref_service->SetInteger(
+      prefs::kScreenUnlockPasswordConfirmationFrequency,
+      static_cast<int>(chromeos::PasswordConfirmation::SIX_HOURS));

[jdufault, 2016/10/04 17:55:06]

int{}

[sammiequon, 2016/10/18 22:47:49]

int{} will cause a compiler error.

+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(4));
+  EXPECT_FALSE(pin_storage->NeedsStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(4));
+  EXPECT_TRUE(pin_storage->NeedsStrongAuth());
+
+  // Verify that by changing the frequency of required password confirmation to
+  // twelve hours, the current interval of 8 hours will not trigger a request
+  // for strong auth, but moving interval by an additional 5 hours will.
+  pref_service->SetInteger(
+      prefs::kScreenUnlockPasswordConfirmationFrequency,
+      static_cast<int>(chromeos::PasswordConfirmation::TWELVE_HOURS));
+  EXPECT_FALSE(pin_storage->NeedsStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromHours(5));
+  EXPECT_TRUE(pin_storage->NeedsStrongAuth());
+
+  pin_storage->MarkStrongAuth();
+  // Verify that by changing the frequency of required password confirmation to
+  // one week, moving interval by 3 days will not trigger a request for strong
+  // auth, but moving interval by an addition 5 days will.
+  pref_service->SetInteger(
+      prefs::kScreenUnlockPasswordConfirmationFrequency,
+      static_cast<int>(chromeos::PasswordConfirmation::WEEK));
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromDays(3));
+  EXPECT_FALSE(pin_storage->NeedsStrongAuth());
+  pin_storage_test.ReduceRemainingStrongAuthTimeBy(
+      base::TimeDelta::FromDays(5));
+  EXPECT_TRUE(pin_storage->NeedsStrongAuth());
+}
+
 // Verifies that the correct pin can be used to authenticate.
 TEST_F(PinStorageUnitTest, AuthenticationSucceedsWithRightPin) {
   chromeos::PinStorage* pin_storage =
@@ -161,7 +230,27 @@ TEST_F(PinStorageUnitTest, AuthenticationFailsFromTimeout) {
 
   // Remove all of the strong auth time so that we have a strong auth timeout.
   pin_storage_test.ReduceRemainingStrongAuthTimeBy(
-      chromeos::PinStorage::kStrongAuthTimeout + base::TimeDelta::FromHours(1));
+      base::TimeDelta::FromDays(10));
 
   EXPECT_FALSE(pin_storage->IsPinAuthenticationAvailable());
 }
+
+TEST_F(PinStorageUnitTest, VerifyPinUnlockAgainstPolicy) {
+  chromeos::PinStorage* pin_storage =
+      chromeos::PinStorageFactory::GetForProfile(profile_.get());
+
+  ListPrefUpdate update(profile_->GetPrefs(), prefs::kScreenUnlockWhitelist);
+  // Verify that clearing the whitelist diables the pin.
+  update->Clear();
+  EXPECT_FALSE(pin_storage->IsPinUnlockEnabled());
+
+  // Verify that by adding pin and another unlock mode, pin is enabled.
+  update->Append(base::MakeUnique<base::StringValue>("pin"));
+  EXPECT_TRUE(pin_storage->IsPinUnlockEnabled());
+  update->Append(base::MakeUnique<base::StringValue>("password"));
+  EXPECT_TRUE(pin_storage->IsPinUnlockEnabled());
+
+  // Verify that adding all to the whitelist enables the pin.
+  update->Append(base::MakeUnique<base::StringValue>("all"));
+  EXPECT_TRUE(pin_storage->IsPinUnlockEnabled());
+}