Chromium Code Reviews Chromium Code Reviews
Issue 2488573003:
Expose signing key from cloud policy stores (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" | 5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include <memory> | 9 #include <memory> |
| 10 #include <string> | |
| 10 #include <vector> | 11 #include <vector> |
| 11 | 12 |
| 12 #include "base/bind.h" | 13 #include "base/bind.h" |
| 13 #include "base/files/file_util.h" | 14 #include "base/files/file_util.h" |
| 14 #include "base/files/scoped_temp_dir.h" | 15 #include "base/files/scoped_temp_dir.h" |
| 15 #include "base/location.h" | 16 #include "base/location.h" |
| 16 #include "base/macros.h" | 17 #include "base/macros.h" |
| 17 #include "base/memory/ptr_util.h" | 18 #include "base/memory/ptr_util.h" |
| 18 #include "base/message_loop/message_loop.h" | 19 #include "base/message_loop/message_loop.h" |
| 19 #include "base/run_loop.h" | 20 #include "base/run_loop.h" |
| 20 #include "base/single_thread_task_runner.h" | 21 #include "base/single_thread_task_runner.h" |
| 21 #include "base/threading/sequenced_worker_pool.h" | 22 #include "base/threading/sequenced_worker_pool.h" |
| 22 #include "base/threading/thread_task_runner_handle.h" | 23 #include "base/threading/thread_task_runner_handle.h" |
| 23 #include "chromeos/dbus/mock_cryptohome_client.h" | 24 #include "chromeos/dbus/mock_cryptohome_client.h" |
| 24 #include "chromeos/dbus/mock_session_manager_client.h" | 25 #include "chromeos/dbus/mock_session_manager_client.h" |
| 25 #include "components/policy/core/common/cloud/cloud_policy_constants.h" | 26 #include "components/policy/core/common/cloud/cloud_policy_constants.h" |
| 26 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h" | 27 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h" |
| 27 #include "components/policy/core/common/cloud/policy_builder.h" | 28 #include "components/policy/core/common/cloud/policy_builder.h" |
| 28 #include "components/policy/core/common/policy_types.h" | 29 #include "components/policy/core/common/policy_types.h" |
| 29 #include "components/policy/policy_constants.h" | 30 #include "components/policy/policy_constants.h" |
| 30 #include "components/policy/proto/cloud_policy.pb.h" | 31 #include "components/policy/proto/cloud_policy.pb.h" |
| 31 #include "components/policy/proto/device_management_local.pb.h" | 32 #include "components/policy/proto/device_management_local.pb.h" |
| 33 #include "crypto/rsa_private_key.h" | |
| 32 #include "testing/gmock/include/gmock/gmock.h" | 34 #include "testing/gmock/include/gmock/gmock.h" |
| 33 #include "testing/gtest/include/gtest/gtest.h" | 35 #include "testing/gtest/include/gtest/gtest.h" |
| 34 | 36 |
| 35 namespace em = enterprise_management; | 37 namespace em = enterprise_management; |
| 36 | 38 |
| 37 using testing::AllOf; | 39 using testing::AllOf; |
| 38 using testing::AnyNumber; | 40 using testing::AnyNumber; |
| 39 using testing::Eq; | 41 using testing::Eq; |
| 40 using testing::Mock; | 42 using testing::Mock; |
| 41 using testing::Property; | 43 using testing::Property; |
| (...skipping 25 matching lines...) Expand all Loading... | |
| 67 .Times(AnyNumber()) | 69 .Times(AnyNumber()) |
| 68 .WillRepeatedly(SendSanitizedUsername( | 70 .WillRepeatedly(SendSanitizedUsername( |
| 69 chromeos::DBUS_METHOD_CALL_SUCCESS, kSanitizedUsername)); | 71 chromeos::DBUS_METHOD_CALL_SUCCESS, kSanitizedUsername)); |
| 70 | 72 |
| 71 ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir()); | 73 ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir()); |
| 72 store_.reset(new UserCloudPolicyStoreChromeOS( | 74 store_.reset(new UserCloudPolicyStoreChromeOS( |
| 73 &cryptohome_client_, &session_manager_client_, loop_.task_runner(), | 75 &cryptohome_client_, &session_manager_client_, loop_.task_runner(), |
| 74 account_id_, user_policy_dir(), token_file(), policy_file())); | 76 account_id_, user_policy_dir(), token_file(), policy_file())); |
| 75 store_->AddObserver(&observer_); | 77 store_->AddObserver(&observer_); |
| 76 | 78 |
| 79 CHECK_EQ(PolicyBuilder::kFakeDomain, store_->owning_domain()); | |
| 80 | |
| 77 // Install the initial public key, so that by default the validation of | 81 // Install the initial public key, so that by default the validation of |
| 78 // the stored/loaded policy blob succeeds. | 82 // the stored/loaded policy blob succeeds. |
| 79 std::vector<uint8_t> public_key; | 83 std::vector<uint8_t> public_key; |
| 80 ASSERT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key)); | 84 ASSERT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key)); |
| 81 StoreUserPolicyKey(public_key); | 85 StoreUserPolicyKey(public_key); |
| 82 | 86 |
| 83 policy_.payload().mutable_homepagelocation()->set_value(kDefaultHomepage); | 87 policy_.payload().mutable_homepagelocation()->set_value(kDefaultHomepage); |
| 84 policy_.Build(); | 88 policy_.Build(); |
| 85 } | 89 } |
| 86 | 90 |
| (...skipping 105 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 192 VerifyPolicyMap(new_value); | 196 VerifyPolicyMap(new_value); |
| 193 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 197 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 194 } | 198 } |
| 195 | 199 |
| 196 void VerifyStoreHasValidationError() { | 200 void VerifyStoreHasValidationError() { |
| 197 EXPECT_FALSE(store_->policy()); | 201 EXPECT_FALSE(store_->policy()); |
| 198 EXPECT_TRUE(store_->policy_map().empty()); | 202 EXPECT_TRUE(store_->policy_map().empty()); |
| 199 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); | 203 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); |
| 200 } | 204 } |
| 201 | 205 |
| 206 static std::string ConvertPublicKeyToString( | |
| 207 const std::vector<uint8_t>& public_key) { | |
| 208 return std::string(reinterpret_cast<const char*>(public_key.data()), | |
| 209 public_key.size()); | |
| 210 } | |
| 211 | |
| 212 std::string GetPolicyPublicKeyAsString() { | |
| 213 std::vector<uint8_t> public_key; | |
| 214 EXPECT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key)); | |
| 215 return ConvertPublicKeyToString(public_key); | |
| 216 } | |
| 217 | |
| 218 std::string GetPolicyNewPublicKeyAsString() { | |
| 219 std::vector<uint8_t> new_public_key; | |
| 220 EXPECT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key)); | |
| 221 return ConvertPublicKeyToString(new_public_key); | |
| 222 } | |
| 223 | |
| 202 base::FilePath user_policy_dir() { | 224 base::FilePath user_policy_dir() { |
| 203 return tmp_dir_.GetPath().AppendASCII("var_run_user_policy"); | 225 return tmp_dir_.GetPath().AppendASCII("var_run_user_policy"); |
| 204 } | 226 } |
| 205 | 227 |
| 206 base::FilePath user_policy_key_file() { | 228 base::FilePath user_policy_key_file() { |
| 207 return user_policy_dir().AppendASCII(kSanitizedUsername) | 229 return user_policy_dir().AppendASCII(kSanitizedUsername) |
| 208 .AppendASCII("policy.pub"); | 230 .AppendASCII("policy.pub"); |
| 209 } | 231 } |
| 210 | 232 |
| 211 base::FilePath token_file() { | 233 base::FilePath token_file() { |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 236 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) { | 258 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) { |
| 237 // Start without any public key to trigger the initial key checks. | 259 // Start without any public key to trigger the initial key checks. |
| 238 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); | 260 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); |
| 239 // Make the policy blob contain a new public key. | 261 // Make the policy blob contain a new public key. |
| 240 policy_.SetDefaultNewSigningKey(); | 262 policy_.SetDefaultNewSigningKey(); |
| 241 policy_.Build(); | 263 policy_.Build(); |
| 242 std::vector<uint8_t> new_public_key; | 264 std::vector<uint8_t> new_public_key; |
| 243 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key)); | 265 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key)); |
| 244 ASSERT_NO_FATAL_FAILURE( | 266 ASSERT_NO_FATAL_FAILURE( |
| 245 PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage)); | 267 PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage)); |
| 268 EXPECT_EQ(ConvertPublicKeyToString(new_public_key), store_->public_key()); | |
| 246 } | 269 } |
| 247 | 270 |
| 248 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) { | 271 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) { |
| 249 // Start without any public key to trigger the initial key checks. | 272 // Start without any public key to trigger the initial key checks. |
| 250 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); | 273 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); |
| 251 // Make the policy blob contain a new public key. | 274 // Make the policy blob contain a new public key. |
| 252 policy_.SetDefaultSigningKey(); | 275 policy_.SetDefaultSigningKey(); |
| 253 policy_.Build(); | 276 policy_.Build(); |
| 254 *policy_.policy().mutable_new_public_key_verification_signature_deprecated() = | 277 *policy_.policy().mutable_new_public_key_verification_signature_deprecated() = |
| 255 "garbage"; | 278 "garbage"; |
| 256 | 279 |
| 257 EXPECT_CALL(session_manager_client_, | 280 EXPECT_CALL(session_manager_client_, |
| 258 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 281 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 259 .Times(0); | 282 .Times(0); |
| 260 store_->Store(policy_.policy()); | 283 store_->Store(policy_.policy()); |
| 261 base::RunLoop().RunUntilIdle(); | 284 base::RunLoop().RunUntilIdle(); |
| 262 Mock::VerifyAndClearExpectations(&session_manager_client_); | 285 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 286 EXPECT_EQ(std::string(), store_->public_key()); | |
| 263 } | 287 } |
| 264 | 288 |
| 265 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) { | 289 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) { |
| 266 // Start without any public key to trigger the initial key checks. | 290 // Start without any public key to trigger the initial key checks. |
| 267 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); | 291 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); |
| 268 // Make the policy blob contain a new public key. | 292 // Make the policy blob contain a new public key. |
| 269 policy_.SetDefaultSigningKey(); | 293 policy_.SetDefaultSigningKey(); |
| 270 policy_.Build(); | 294 policy_.Build(); |
| 271 policy_.policy().clear_new_public_key_verification_signature_deprecated(); | 295 policy_.policy().clear_new_public_key_verification_signature_deprecated(); |
| 272 | 296 |
| 273 EXPECT_CALL(session_manager_client_, | 297 EXPECT_CALL(session_manager_client_, |
| 274 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 298 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 275 .Times(0); | 299 .Times(0); |
| 276 store_->Store(policy_.policy()); | 300 store_->Store(policy_.policy()); |
| 277 base::RunLoop().RunUntilIdle(); | 301 base::RunLoop().RunUntilIdle(); |
| 278 Mock::VerifyAndClearExpectations(&session_manager_client_); | 302 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 303 EXPECT_EQ(std::string(), store_->public_key()); | |
| 279 } | 304 } |
| 280 | 305 |
| 281 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) { | 306 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) { |
| 282 ASSERT_NO_FATAL_FAILURE( | 307 ASSERT_NO_FATAL_FAILURE( |
| 283 PerformStorePolicy(NULL, NULL, kDefaultHomepage)); | 308 PerformStorePolicy(NULL, NULL, kDefaultHomepage)); |
| 309 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 284 } | 310 } |
| 285 | 311 |
| 286 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) { | 312 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) { |
| 287 // Make the policy blob contain a new public key. | 313 // Make the policy blob contain a new public key. |
| 288 policy_.SetDefaultNewSigningKey(); | 314 policy_.SetDefaultNewSigningKey(); |
| 289 policy_.Build(); | 315 policy_.Build(); |
| 290 std::vector<uint8_t> new_public_key; | 316 std::vector<uint8_t> new_public_key; |
| 291 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key)); | 317 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key)); |
| 292 ASSERT_NO_FATAL_FAILURE( | 318 ASSERT_NO_FATAL_FAILURE( |
| 293 PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage)); | 319 PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage)); |
| 320 EXPECT_EQ(ConvertPublicKeyToString(new_public_key), store_->public_key()); | |
| 294 } | 321 } |
| 295 | 322 |
| 296 TEST_F(UserCloudPolicyStoreChromeOSTest, | 323 TEST_F(UserCloudPolicyStoreChromeOSTest, |
| 297 StoreWithRotationMissingSignatureError) { | 324 StoreWithRotationMissingSignatureError) { |
| 298 // Make the policy blob contain a new public key. | 325 // Make the policy blob contain a new public key. |
| 299 policy_.SetDefaultNewSigningKey(); | 326 policy_.SetDefaultNewSigningKey(); |
| 300 policy_.Build(); | 327 policy_.Build(); |
| 301 policy_.policy().clear_new_public_key_verification_signature_deprecated(); | 328 policy_.policy().clear_new_public_key_verification_signature_deprecated(); |
| 302 | 329 |
| 303 EXPECT_CALL(session_manager_client_, | 330 EXPECT_CALL(session_manager_client_, |
| 304 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 331 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 305 .Times(0); | 332 .Times(0); |
| 306 store_->Store(policy_.policy()); | 333 store_->Store(policy_.policy()); |
| 307 base::RunLoop().RunUntilIdle(); | 334 base::RunLoop().RunUntilIdle(); |
| 308 Mock::VerifyAndClearExpectations(&session_manager_client_); | 335 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 336 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 309 } | 337 } |
| 310 | 338 |
| 311 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) { | 339 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) { |
| 312 // Make the policy blob contain a new public key. | 340 // Make the policy blob contain a new public key. |
| 313 policy_.SetDefaultNewSigningKey(); | 341 policy_.SetDefaultNewSigningKey(); |
| 314 policy_.Build(); | 342 policy_.Build(); |
| 315 *policy_.policy().mutable_new_public_key_verification_signature_deprecated() = | 343 *policy_.policy().mutable_new_public_key_verification_signature_deprecated() = |
| 316 "garbage"; | 344 "garbage"; |
| 317 | 345 |
| 318 EXPECT_CALL(session_manager_client_, | 346 EXPECT_CALL(session_manager_client_, |
| 319 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 347 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 320 .Times(0); | 348 .Times(0); |
| 321 store_->Store(policy_.policy()); | 349 store_->Store(policy_.policy()); |
| 322 base::RunLoop().RunUntilIdle(); | 350 base::RunLoop().RunUntilIdle(); |
| 323 Mock::VerifyAndClearExpectations(&session_manager_client_); | 351 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 352 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 324 } | 353 } |
| 325 | 354 |
| 326 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) { | 355 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) { |
| 327 // Store policy. | 356 // Store policy. |
| 328 chromeos::SessionManagerClient::StorePolicyCallback store_callback; | 357 chromeos::SessionManagerClient::StorePolicyCallback store_callback; |
| 329 EXPECT_CALL(session_manager_client_, | 358 EXPECT_CALL(session_manager_client_, |
| 330 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 359 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 331 .WillOnce(SaveArg<2>(&store_callback)); | 360 .WillOnce(SaveArg<2>(&store_callback)); |
| 332 store_->Store(policy_.policy()); | 361 store_->Store(policy_.policy()); |
| 333 base::RunLoop().RunUntilIdle(); | 362 base::RunLoop().RunUntilIdle(); |
| 334 Mock::VerifyAndClearExpectations(&session_manager_client_); | 363 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 335 ASSERT_FALSE(store_callback.is_null()); | 364 ASSERT_FALSE(store_callback.is_null()); |
| 336 | 365 |
| 337 // Let the store operation complete. | 366 // Let the store operation complete. |
| 338 ExpectError(CloudPolicyStore::STATUS_STORE_ERROR); | 367 ExpectError(CloudPolicyStore::STATUS_STORE_ERROR); |
| 339 store_callback.Run(false); | 368 store_callback.Run(false); |
| 340 base::RunLoop().RunUntilIdle(); | 369 base::RunLoop().RunUntilIdle(); |
| 341 EXPECT_FALSE(store_->policy()); | 370 EXPECT_FALSE(store_->policy()); |
| 342 EXPECT_TRUE(store_->policy_map().empty()); | 371 EXPECT_TRUE(store_->policy_map().empty()); |
| 343 EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status()); | 372 EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status()); |
| 373 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 344 } | 374 } |
| 345 | 375 |
| 346 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) { | 376 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) { |
| 347 policy_.policy_data().clear_policy_type(); | 377 policy_.policy_data().clear_policy_type(); |
| 348 policy_.Build(); | 378 policy_.Build(); |
| 349 | 379 |
| 350 // Store policy. | 380 // Store policy. |
| 351 chromeos::SessionManagerClient::StorePolicyCallback store_callback; | 381 chromeos::SessionManagerClient::StorePolicyCallback store_callback; |
| 352 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); | 382 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 353 EXPECT_CALL(session_manager_client_, | 383 EXPECT_CALL(session_manager_client_, |
| 354 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 384 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 355 .Times(0); | 385 .Times(0); |
| 356 store_->Store(policy_.policy()); | 386 store_->Store(policy_.policy()); |
| 357 base::RunLoop().RunUntilIdle(); | 387 base::RunLoop().RunUntilIdle(); |
| 358 Mock::VerifyAndClearExpectations(&session_manager_client_); | 388 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 389 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 359 } | 390 } |
| 360 | 391 |
| 361 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) { | 392 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) { |
| 362 // Make the dbus call to cryptohome fail. | 393 // Make the dbus call to cryptohome fail. |
| 363 Mock::VerifyAndClearExpectations(&cryptohome_client_); | 394 Mock::VerifyAndClearExpectations(&cryptohome_client_); |
| 364 EXPECT_CALL(cryptohome_client_, GetSanitizedUsername(cryptohome_id_, _)) | 395 EXPECT_CALL(cryptohome_client_, GetSanitizedUsername(cryptohome_id_, _)) |
| 365 .Times(AnyNumber()) | 396 .Times(AnyNumber()) |
| 366 .WillRepeatedly(SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_FAILURE, | 397 .WillRepeatedly(SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_FAILURE, |
| 367 std::string())); | 398 std::string())); |
| 368 | 399 |
| 369 // Store policy. | 400 // Store policy. |
| 370 chromeos::SessionManagerClient::StorePolicyCallback store_callback; | 401 chromeos::SessionManagerClient::StorePolicyCallback store_callback; |
| 371 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); | 402 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 372 EXPECT_CALL(session_manager_client_, | 403 EXPECT_CALL(session_manager_client_, |
| 373 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 404 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 374 .Times(0); | 405 .Times(0); |
| 375 store_->Store(policy_.policy()); | 406 store_->Store(policy_.policy()); |
| 376 base::RunLoop().RunUntilIdle(); | 407 base::RunLoop().RunUntilIdle(); |
| 377 Mock::VerifyAndClearExpectations(&session_manager_client_); | 408 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 409 EXPECT_EQ(std::string(), store_->public_key()); | |
|
emaxx
2016/11/08 20:53:36
There's a tricky semantics here, and I'm not sure
| |
| 378 } | 410 } |
| 379 | 411 |
| 380 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) { | 412 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) { |
| 381 // Break the signature. | 413 // Break the signature. |
| 382 policy_.policy().mutable_policy_data_signature()->append("garbage"); | 414 policy_.policy().mutable_policy_data_signature()->append("garbage"); |
| 383 | 415 |
| 384 // Store policy. | 416 // Store policy. |
| 385 chromeos::SessionManagerClient::StorePolicyCallback store_callback; | 417 chromeos::SessionManagerClient::StorePolicyCallback store_callback; |
| 386 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); | 418 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 387 EXPECT_CALL(session_manager_client_, | 419 EXPECT_CALL(session_manager_client_, |
| 388 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) | 420 StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _)) |
| 389 .Times(0); | 421 .Times(0); |
| 390 store_->Store(policy_.policy()); | 422 store_->Store(policy_.policy()); |
| 391 base::RunLoop().RunUntilIdle(); | 423 base::RunLoop().RunUntilIdle(); |
| 392 Mock::VerifyAndClearExpectations(&session_manager_client_); | 424 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 425 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 393 } | 426 } |
| 394 | 427 |
| 395 TEST_F(UserCloudPolicyStoreChromeOSTest, Load) { | 428 TEST_F(UserCloudPolicyStoreChromeOSTest, Load) { |
| 396 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())); | 429 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())); |
| 397 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); | 430 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); |
| 398 Mock::VerifyAndClearExpectations(&observer_); | 431 Mock::VerifyAndClearExpectations(&observer_); |
| 399 | 432 |
| 400 // Verify that the policy has been loaded. | 433 // Verify that the policy has been loaded. |
| 401 ASSERT_TRUE(store_->policy()); | 434 ASSERT_TRUE(store_->policy()); |
| 402 EXPECT_EQ(policy_.policy_data().SerializeAsString(), | 435 EXPECT_EQ(policy_.policy_data().SerializeAsString(), |
| 403 store_->policy()->SerializeAsString()); | 436 store_->policy()->SerializeAsString()); |
| 404 VerifyPolicyMap(kDefaultHomepage); | 437 VerifyPolicyMap(kDefaultHomepage); |
| 405 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 438 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 439 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 406 } | 440 } |
| 407 | 441 |
| 408 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) { | 442 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) { |
| 409 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())); | 443 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())); |
| 410 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("")); | 444 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("")); |
| 411 Mock::VerifyAndClearExpectations(&observer_); | 445 Mock::VerifyAndClearExpectations(&observer_); |
| 412 | 446 |
| 413 // Verify no policy has been installed. | 447 // Verify no policy has been installed. |
| 414 EXPECT_FALSE(store_->policy()); | 448 EXPECT_FALSE(store_->policy()); |
| 415 EXPECT_TRUE(store_->policy_map().empty()); | 449 EXPECT_TRUE(store_->policy_map().empty()); |
| 416 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 450 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 451 EXPECT_EQ(std::string(), store_->public_key()); | |
| 417 } | 452 } |
| 418 | 453 |
| 419 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) { | 454 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) { |
| 420 ExpectError(CloudPolicyStore::STATUS_PARSE_ERROR); | 455 ExpectError(CloudPolicyStore::STATUS_PARSE_ERROR); |
| 421 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("invalid")); | 456 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("invalid")); |
| 422 | 457 |
| 423 // Verify no policy has been installed. | 458 // Verify no policy has been installed. |
| 424 EXPECT_FALSE(store_->policy()); | 459 EXPECT_FALSE(store_->policy()); |
| 425 EXPECT_TRUE(store_->policy_map().empty()); | 460 EXPECT_TRUE(store_->policy_map().empty()); |
| 426 EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status()); | 461 EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status()); |
| 462 EXPECT_EQ(std::string(), store_->public_key()); | |
| 427 } | 463 } |
| 428 | 464 |
| 429 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) { | 465 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) { |
| 430 policy_.policy_data().clear_policy_type(); | 466 policy_.policy_data().clear_policy_type(); |
| 431 policy_.Build(); | 467 policy_.Build(); |
| 432 | 468 |
| 433 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); | 469 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 434 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); | 470 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); |
| 435 VerifyStoreHasValidationError(); | 471 VerifyStoreHasValidationError(); |
| 472 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
|
emaxx
2016/11/08 20:53:36
Here's another tricky case.
Here the policy was no
| |
| 436 } | 473 } |
| 437 | 474 |
| 438 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) { | 475 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) { |
| 439 // The loaded policy can't be verified without the public key. | 476 // The loaded policy can't be verified without the public key. |
| 440 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); | 477 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false)); |
| 441 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); | 478 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 442 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); | 479 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); |
| 443 VerifyStoreHasValidationError(); | 480 VerifyStoreHasValidationError(); |
| 481 EXPECT_EQ(std::string(), store_->public_key()); | |
| 444 } | 482 } |
| 445 | 483 |
| 446 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) { | 484 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) { |
| 447 // Break the signature. | 485 // Break the signature. |
| 448 policy_.policy().mutable_policy_data_signature()->append("garbage"); | 486 policy_.policy().mutable_policy_data_signature()->append("garbage"); |
| 449 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); | 487 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR); |
| 450 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); | 488 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob())); |
| 451 VerifyStoreHasValidationError(); | 489 VerifyStoreHasValidationError(); |
| 490 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 452 } | 491 } |
| 453 | 492 |
| 454 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) { | 493 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) { |
| 455 std::string data; | 494 std::string data; |
| 456 | 495 |
| 457 em::DeviceCredentials credentials; | 496 em::DeviceCredentials credentials; |
| 458 credentials.set_device_token(kLegacyToken); | 497 credentials.set_device_token(kLegacyToken); |
| 459 credentials.set_device_id(kLegacyDeviceId); | 498 credentials.set_device_id(kLegacyDeviceId); |
| 460 ASSERT_TRUE(credentials.SerializeToString(&data)); | 499 ASSERT_TRUE(credentials.SerializeToString(&data)); |
| 461 ASSERT_NE(-1, base::WriteFile(token_file(), data.c_str(), data.size())); | 500 ASSERT_NE(-1, base::WriteFile(token_file(), data.c_str(), data.size())); |
| (...skipping 127 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 589 Mock::VerifyAndClearExpectations(&observer_); | 628 Mock::VerifyAndClearExpectations(&observer_); |
| 590 Mock::VerifyAndClearExpectations(&session_manager_client_); | 629 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 591 Mock::VerifyAndClearExpectations(&cryptohome_client_); | 630 Mock::VerifyAndClearExpectations(&cryptohome_client_); |
| 592 | 631 |
| 593 // The policy should become available without having to spin any loops. | 632 // The policy should become available without having to spin any loops. |
| 594 ASSERT_TRUE(store_->policy()); | 633 ASSERT_TRUE(store_->policy()); |
| 595 EXPECT_EQ(policy_.policy_data().SerializeAsString(), | 634 EXPECT_EQ(policy_.policy_data().SerializeAsString(), |
| 596 store_->policy()->SerializeAsString()); | 635 store_->policy()->SerializeAsString()); |
| 597 VerifyPolicyMap(kDefaultHomepage); | 636 VerifyPolicyMap(kDefaultHomepage); |
| 598 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 637 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 638 EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key()); | |
| 599 } | 639 } |
| 600 | 640 |
| 601 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) { | 641 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) { |
| 602 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())); | 642 EXPECT_CALL(observer_, OnStoreLoaded(store_.get())); |
| 603 EXPECT_CALL(session_manager_client_, | 643 EXPECT_CALL(session_manager_client_, |
| 604 BlockingRetrievePolicyForUser(cryptohome_id_)) | 644 BlockingRetrievePolicyForUser(cryptohome_id_)) |
| 605 .WillOnce(Return("")); | 645 .WillOnce(Return("")); |
| 606 | 646 |
| 607 EXPECT_FALSE(store_->policy()); | 647 EXPECT_FALSE(store_->policy()); |
| 608 store_->LoadImmediately(); | 648 store_->LoadImmediately(); |
| 609 Mock::VerifyAndClearExpectations(&observer_); | 649 Mock::VerifyAndClearExpectations(&observer_); |
| 610 Mock::VerifyAndClearExpectations(&session_manager_client_); | 650 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 611 | 651 |
| 612 EXPECT_FALSE(store_->policy()); | 652 EXPECT_FALSE(store_->policy()); |
| 613 EXPECT_TRUE(store_->policy_map().empty()); | 653 EXPECT_TRUE(store_->policy_map().empty()); |
| 614 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); | 654 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); |
| 655 EXPECT_EQ(std::string(), store_->public_key()); | |
| 615 } | 656 } |
| 616 | 657 |
| 617 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) { | 658 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) { |
| 618 EXPECT_CALL(observer_, OnStoreError(store_.get())); | 659 EXPECT_CALL(observer_, OnStoreError(store_.get())); |
| 619 EXPECT_CALL(session_manager_client_, | 660 EXPECT_CALL(session_manager_client_, |
| 620 BlockingRetrievePolicyForUser(cryptohome_id_)) | 661 BlockingRetrievePolicyForUser(cryptohome_id_)) |
| 621 .WillOnce(Return("le blob")); | 662 .WillOnce(Return("le blob")); |
| 622 | 663 |
| 623 EXPECT_FALSE(store_->policy()); | 664 EXPECT_FALSE(store_->policy()); |
| 624 store_->LoadImmediately(); | 665 store_->LoadImmediately(); |
| 625 Mock::VerifyAndClearExpectations(&observer_); | 666 Mock::VerifyAndClearExpectations(&observer_); |
| 626 Mock::VerifyAndClearExpectations(&session_manager_client_); | 667 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 627 | 668 |
| 628 EXPECT_FALSE(store_->policy()); | 669 EXPECT_FALSE(store_->policy()); |
| 629 EXPECT_TRUE(store_->policy_map().empty()); | 670 EXPECT_TRUE(store_->policy_map().empty()); |
| 630 EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status()); | 671 EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status()); |
| 672 EXPECT_EQ(std::string(), store_->public_key()); | |
| 631 } | 673 } |
| 632 | 674 |
| 633 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) { | 675 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) { |
| 634 EXPECT_CALL(observer_, OnStoreError(store_.get())); | 676 EXPECT_CALL(observer_, OnStoreError(store_.get())); |
| 635 EXPECT_CALL(session_manager_client_, | 677 EXPECT_CALL(session_manager_client_, |
| 636 BlockingRetrievePolicyForUser(cryptohome_id_)) | 678 BlockingRetrievePolicyForUser(cryptohome_id_)) |
| 637 .WillOnce(Return(policy_.GetBlob())); | 679 .WillOnce(Return(policy_.GetBlob())); |
| 638 EXPECT_CALL(cryptohome_client_, BlockingGetSanitizedUsername(cryptohome_id_)) | 680 EXPECT_CALL(cryptohome_client_, BlockingGetSanitizedUsername(cryptohome_id_)) |
| 639 .WillOnce(Return("")); | 681 .WillOnce(Return("")); |
| 640 | 682 |
| 641 EXPECT_FALSE(store_->policy()); | 683 EXPECT_FALSE(store_->policy()); |
| 642 store_->LoadImmediately(); | 684 store_->LoadImmediately(); |
| 643 Mock::VerifyAndClearExpectations(&observer_); | 685 Mock::VerifyAndClearExpectations(&observer_); |
| 644 Mock::VerifyAndClearExpectations(&session_manager_client_); | 686 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 645 Mock::VerifyAndClearExpectations(&cryptohome_client_); | 687 Mock::VerifyAndClearExpectations(&cryptohome_client_); |
| 646 | 688 |
| 647 EXPECT_FALSE(store_->policy()); | 689 EXPECT_FALSE(store_->policy()); |
| 648 EXPECT_TRUE(store_->policy_map().empty()); | 690 EXPECT_TRUE(store_->policy_map().empty()); |
| 649 EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status()); | 691 EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status()); |
| 692 EXPECT_EQ(std::string(), store_->public_key()); | |
| 650 } | 693 } |
| 651 | 694 |
| 652 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) { | 695 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) { |
| 653 EXPECT_CALL(observer_, OnStoreError(store_.get())); | 696 EXPECT_CALL(observer_, OnStoreError(store_.get())); |
| 654 EXPECT_CALL(session_manager_client_, | 697 EXPECT_CALL(session_manager_client_, |
| 655 BlockingRetrievePolicyForUser(cryptohome_id_)) | 698 BlockingRetrievePolicyForUser(cryptohome_id_)) |
| 656 .WillOnce(Return(policy_.GetBlob())); | 699 .WillOnce(Return(policy_.GetBlob())); |
| 657 EXPECT_CALL(cryptohome_client_, BlockingGetSanitizedUsername(cryptohome_id_)) | 700 EXPECT_CALL(cryptohome_client_, BlockingGetSanitizedUsername(cryptohome_id_)) |
| 658 .WillOnce(Return("wrong@example.com")); | 701 .WillOnce(Return("wrong@example.com")); |
| 659 | 702 |
| 660 EXPECT_FALSE(store_->policy()); | 703 EXPECT_FALSE(store_->policy()); |
| 661 store_->LoadImmediately(); | 704 store_->LoadImmediately(); |
| 662 Mock::VerifyAndClearExpectations(&observer_); | 705 Mock::VerifyAndClearExpectations(&observer_); |
| 663 Mock::VerifyAndClearExpectations(&session_manager_client_); | 706 Mock::VerifyAndClearExpectations(&session_manager_client_); |
| 664 Mock::VerifyAndClearExpectations(&cryptohome_client_); | 707 Mock::VerifyAndClearExpectations(&cryptohome_client_); |
| 665 | 708 |
| 666 EXPECT_FALSE(store_->policy()); | 709 EXPECT_FALSE(store_->policy()); |
| 667 EXPECT_TRUE(store_->policy_map().empty()); | 710 EXPECT_TRUE(store_->policy_map().empty()); |
| 668 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); | 711 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); |
| 712 EXPECT_EQ(std::string(), store_->public_key()); | |
| 669 } | 713 } |
| 670 | 714 |
| 671 } // namespace | 715 } // namespace |
| 672 | 716 |
| 673 } // namespace policy | 717 } // namespace policy |
| OLD | NEW |
