| Index: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
|
| diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
|
| index bad7097c7f61b304a1c263df039154e5ec048642..0ba135de1fe97d5dd63c692a63bce4561062c5fe 100644
|
| --- a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
|
| +++ b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
|
| @@ -7,6 +7,7 @@
|
| #include <stdint.h>
|
|
|
| #include <memory>
|
| +#include <string>
|
| #include <vector>
|
|
|
| #include "base/bind.h"
|
| @@ -29,6 +30,7 @@
|
| #include "components/policy/policy_constants.h"
|
| #include "components/policy/proto/cloud_policy.pb.h"
|
| #include "components/policy/proto/device_management_local.pb.h"
|
| +#include "crypto/rsa_private_key.h"
|
| #include "testing/gmock/include/gmock/gmock.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| @@ -144,6 +146,8 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
|
| void PerformStorePolicy(const std::vector<uint8_t>* new_public_key,
|
| const char* previous_value,
|
| const char* new_value) {
|
| + const CloudPolicyStore::Status initial_status = store_->status();
|
| +
|
| chromeos::SessionManagerClient::StorePolicyCallback store_callback;
|
| EXPECT_CALL(session_manager_client_,
|
| StorePolicyForUser(cryptohome_id_, policy_.GetBlob(), _))
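Review bot: `initial_status` has no comment explaining why PerformStorePolicy no longer expects `STATUS_OK`. The reason is only visible from the new MultipleStoresWithRotation test, which calls the helper right after a store rejected with STATUS_VALIDATION_ERROR. A comment above the declaration would make this clear, for example `// The store may already be in an error state (e.g. after a rejected store); the status must stay unchanged until the retrieve completes.` The same applies to the two `EXPECT_EQ(initial_status, store_->status())` checks in the following hunks. The helper's body continues outside this hunk, so the status expected once the retrieve finishes is not visible here.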
|
| @@ -155,7 +159,7 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
|
|
|
| // The new policy shouldn't be present yet.
|
| PolicyMap previous_policy;
|
| - EXPECT_EQ(previous_value != NULL, store_->policy() != NULL);
|
| + EXPECT_EQ(previous_value != nullptr, store_->policy() != nullptr);
|
| if (previous_value) {
|
| previous_policy.Set(key::kHomepageLocation, POLICY_LEVEL_MANDATORY,
|
| POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD,
|
| @@ -163,7 +167,7 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
|
| nullptr);
|
| }
|
| EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
|
| - EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
|
| + EXPECT_EQ(initial_status, store_->status());
|
|
|
| // Store the new public key so that the validation after the retrieve
|
| // operation completes can verify the signature.
|
| @@ -178,7 +182,7 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
|
| store_callback.Run(true);
|
| base::RunLoop().RunUntilIdle();
|
| EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
|
| - EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
|
| + EXPECT_EQ(initial_status, store_->status());
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| ASSERT_FALSE(retrieve_callback.is_null());
|
|
|
| @@ -199,6 +203,24 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
|
| EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
|
| }
|
|
|
| + static std::string ConvertPublicKeyToString(
|
| + const std::vector<uint8_t>& public_key) {
|
| + return std::string(reinterpret_cast<const char*>(public_key.data()),
|
| + public_key.size());
|
| + }
|
| +
|
| + std::string GetPolicyPublicKeyAsString() {
|
| + std::vector<uint8_t> public_key;
|
| + EXPECT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key));
|
| + return ConvertPublicKeyToString(public_key);
|
| + }
|
| +
|
| + std::string GetPolicyNewPublicKeyAsString() {
|
| + std::vector<uint8_t> new_public_key;
|
| + EXPECT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
|
| + return ConvertPublicKeyToString(new_public_key);
|
| + }
|
| +
|
| base::FilePath user_policy_dir() {
|
| return tmp_dir_.GetPath().AppendASCII("var_run_user_policy");
|
| }
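Review bot: GetPolicyPublicKeyAsString() and GetPolicyNewPublicKeyAsString() differ only in the key accessor they call. Within this diff the second is used once, in MultipleStoresWithRotation, where the test has already exported `new_public_key` and could pass it to ConvertPublicKeyToString() as InitialStore and StoreWithRotation do. Dropping the second getter would remove the duplication. ConvertPublicKeyToString() can also avoid the `reinterpret_cast` by using the iterator-range constructor, `return std::string(public_key.begin(), public_key.end());`. Since the getters use EXPECT_TRUE rather than ASSERT_TRUE, a failed export still returns an empty string to the caller's comparison; a one-line comment stating that this is intended would help.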
|
| @@ -208,12 +230,16 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
|
| .AppendASCII("policy.pub");
|
| }
|
|
|
| + base::FilePath legacy_cache_dir() {
|
| + return tmp_dir_.GetPath().AppendASCII("legacy_cache");
|
| + }
|
| +
|
| base::FilePath token_file() {
|
| - return tmp_dir_.GetPath().AppendASCII("token");
|
| + return legacy_cache_dir().AppendASCII("token");
|
| }
|
|
|
| base::FilePath policy_file() {
|
| - return tmp_dir_.GetPath().AppendASCII("policy");
|
| + return legacy_cache_dir().AppendASCII("policy");
|
| }
|
|
|
| base::MessageLoopForUI loop_;
|
| @@ -242,7 +268,9 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) {
|
| std::vector<uint8_t> new_public_key;
|
| ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
|
| ASSERT_NO_FATAL_FAILURE(
|
| - PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
|
| + PerformStorePolicy(&new_public_key, nullptr, kDefaultHomepage));
|
| + EXPECT_EQ(ConvertPublicKeyToString(new_public_key),
|
| + store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) {
|
| @@ -260,6 +288,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) {
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) {
|
| @@ -276,11 +305,14 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) {
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) {
|
| ASSERT_NO_FATAL_FAILURE(
|
| - PerformStorePolicy(NULL, NULL, kDefaultHomepage));
|
| + PerformStorePolicy(nullptr, nullptr, kDefaultHomepage));
|
| + EXPECT_EQ(GetPolicyPublicKeyAsString(),
|
| + store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
|
| @@ -290,7 +322,9 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
|
| std::vector<uint8_t> new_public_key;
|
| ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
|
| ASSERT_NO_FATAL_FAILURE(
|
| - PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
|
| + PerformStorePolicy(&new_public_key, nullptr, kDefaultHomepage));
|
| + EXPECT_EQ(ConvertPublicKeyToString(new_public_key),
|
| + store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest,
|
| @@ -306,6 +340,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest,
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) {
|
| @@ -321,6 +356,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) {
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
|
| @@ -341,6 +377,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
|
| @@ -356,6 +393,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
|
| @@ -375,6 +413,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
|
| @@ -390,6 +429,35 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
|
| store_->Store(policy_.policy());
|
| base::RunLoop().RunUntilIdle();
|
| Mock::VerifyAndClearExpectations(&session_manager_client_);
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| +}
|
| +
|
| +TEST_F(UserCloudPolicyStoreChromeOSTest, MultipleStoresWithRotation) {
|
| + // Store initial policy signed with the initial public key.
|
| + ASSERT_NO_FATAL_FAILURE(
|
| + PerformStorePolicy(nullptr, nullptr, kDefaultHomepage));
|
| + const std::string initial_public_key = GetPolicyPublicKeyAsString();
|
| + EXPECT_EQ(initial_public_key, store_->policy_signature_public_key());
|
| +
|
| + // Try storing an invalid policy signed with the new public key.
|
| + policy_.SetDefaultNewSigningKey();
|
| + policy_.policy_data().clear_policy_type();
|
| + policy_.Build();
|
| + ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
|
| + store_->Store(policy_.policy());
|
| + base::RunLoop().RunUntilIdle();
|
| + // Still the initial public key is exposed.
|
| + EXPECT_EQ(initial_public_key, store_->policy_signature_public_key());
|
| +
|
| + // Store the correct policy signed with the new public key.
|
| + policy_.policy_data().set_policy_type(dm_protocol::kChromeUserPolicyType);
|
| + policy_.Build();
|
| + std::vector<uint8_t> new_public_key;
|
| + ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
|
| + ASSERT_NO_FATAL_FAILURE(
|
| + PerformStorePolicy(&new_public_key, kDefaultHomepage, kDefaultHomepage));
|
| + EXPECT_EQ(GetPolicyNewPublicKeyAsString(),
|
| + store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
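Review bot: In MultipleStoresWithRotation the final call `PerformStorePolicy(&new_public_key, kDefaultHomepage, kDefaultHomepage)` passes the same value as previous and new policy. Whatever the helper checks for `new_value` (outside the visible hunks) therefore cannot tell whether the policy signed with the rotated key was applied; only the key comparison after it can. Giving the policy a different homepage value before the last `policy_.Build()` would make the update observable. The rejected store in the middle of the test also omits the `Mock::VerifyAndClearExpectations(&session_manager_client_);` line that the other validation-failure tests run after `RunUntilIdle()`. Adding it would keep this step consistent with them, presumably so that a forwarded invalid blob is caught at that point, though the mock's strictness is not visible in this diff.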
|
| @@ -403,6 +471,8 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
|
| store_->policy()->SerializeAsString());
|
| VerifyPolicyMap(kDefaultHomepage);
|
| EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
|
| + EXPECT_EQ(GetPolicyPublicKeyAsString(),
|
| + store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
|
| @@ -414,6 +484,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
|
| @@ -424,6 +495,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
|
| @@ -433,6 +505,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
|
| ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
|
| ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
|
| VerifyStoreHasValidationError();
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
|
| @@ -441,6 +514,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
|
| ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
|
| ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
|
| VerifyStoreHasValidationError();
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
|
| @@ -449,11 +523,14 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
|
| ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
|
| ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
|
| VerifyStoreHasValidationError();
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) {
|
| std::string data;
|
|
|
| + ASSERT_TRUE(base::CreateDirectory(legacy_cache_dir()));
|
| +
|
| em::DeviceCredentials credentials;
|
| credentials.set_device_token(kLegacyToken);
|
| credentials.set_device_id(kLegacyDeviceId);
|
| @@ -487,6 +564,8 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoToken) {
|
| std::string data;
|
| testing::Sequence seq;
|
|
|
| + ASSERT_TRUE(base::CreateDirectory(legacy_cache_dir()));
|
| +
|
| em::CachedCloudPolicyResponse cached_policy;
|
| cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
|
| ASSERT_TRUE(cached_policy.SerializeToString(&data));
|
| @@ -511,6 +590,8 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoToken) {
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoPolicy) {
|
| std::string data;
|
|
|
| + ASSERT_TRUE(base::CreateDirectory(legacy_cache_dir()));
|
| +
|
| em::DeviceCredentials credentials;
|
| credentials.set_device_token(kLegacyToken);
|
| credentials.set_device_id(kLegacyDeviceId);
|
| @@ -536,6 +617,8 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationAndStoreNew) {
|
| // Start without an existing public key.
|
| ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
|
|
|
| + ASSERT_TRUE(base::CreateDirectory(legacy_cache_dir()));
|
| +
|
| std::string data;
|
| em::CachedCloudPolicyResponse cached_policy;
|
| cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
|
| @@ -596,6 +679,8 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediately) {
|
| store_->policy()->SerializeAsString());
|
| VerifyPolicyMap(kDefaultHomepage);
|
| EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
|
| + EXPECT_EQ(GetPolicyPublicKeyAsString(),
|
| + store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
|
| @@ -612,6 +697,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
|
| @@ -628,6 +714,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
|
| @@ -647,6 +734,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
|
| @@ -666,6 +754,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
|
| EXPECT_FALSE(store_->policy());
|
| EXPECT_TRUE(store_->policy_map().empty());
|
| EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
|
| + EXPECT_EQ(std::string(), store_->policy_signature_public_key());
|
| }
|
|
|
| } // namespace
|
|
|