Expose signing key from cloud policy stores

chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc

Index: chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
diff --git a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
index bad7097c7f61b304a1c263df039154e5ec048642..853fa1c065dcc3e5e361bad320e48e5ad2667f5a 100644
--- a/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
+++ b/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc
@@ -7,6 +7,7 @@
 #include <stdint.h>
 
 #include <memory>
+#include <string>
 #include <vector>
 
 #include "base/bind.h"
@@ -29,6 +30,7 @@
 #include "components/policy/policy_constants.h"
 #include "components/policy/proto/cloud_policy.pb.h"
 #include "components/policy/proto/device_management_local.pb.h"
+#include "crypto/rsa_private_key.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -74,6 +76,8 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
         account_id_, user_policy_dir(), token_file(), policy_file()));
     store_->AddObserver(&observer_);
 
+    CHECK_EQ(PolicyBuilder::kFakeDomain, store_->owning_domain());
+
     // Install the initial public key, so that by default the validation of
     // the stored/loaded policy blob succeeds.
     std::vector<uint8_t> public_key;
@@ -199,6 +203,24 @@ class UserCloudPolicyStoreChromeOSTest : public testing::Test {
     EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
   }
 
+  static std::string ConvertPublicKeyToString(
+      const std::vector<uint8_t>& public_key) {
+    return std::string(reinterpret_cast<const char*>(public_key.data()),
+                       public_key.size());
+  }
+
+  std::string GetPolicyPublicKeyAsString() {
+    std::vector<uint8_t> public_key;
+    EXPECT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key));
+    return ConvertPublicKeyToString(public_key);
+  }
+
+  std::string GetPolicyNewPublicKeyAsString() {
+    std::vector<uint8_t> new_public_key;
+    EXPECT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
+    return ConvertPublicKeyToString(new_public_key);
+  }
+
   base::FilePath user_policy_dir() {
     return tmp_dir_.GetPath().AppendASCII("var_run_user_policy");
   }
@@ -243,6 +265,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) {
   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
   ASSERT_NO_FATAL_FAILURE(
       PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
+  EXPECT_EQ(ConvertPublicKeyToString(new_public_key), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) {
@@ -260,6 +283,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) {
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) {
@@ -276,11 +300,13 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) {
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) {
   ASSERT_NO_FATAL_FAILURE(
       PerformStorePolicy(NULL, NULL, kDefaultHomepage));
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
@@ -291,6 +317,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
   ASSERT_NO_FATAL_FAILURE(
       PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
+  EXPECT_EQ(ConvertPublicKeyToString(new_public_key), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest,
@@ -306,6 +333,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest,
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) {
@@ -321,6 +349,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) {
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
@@ -341,6 +370,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status());
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
@@ -356,6 +386,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
@@ -375,6 +406,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(std::string(), store_->public_key());

[emaxx, 2016/11/08 20:53:36]

There's a tricky semantics here, and I'm not sure whether it's reasonable.
Short explanation:
In this test the public_key_ member got cleared due to the failed session
manager operation. Meanwhile, in several tests above and below the public_key_
was kept after attempts to store invalid policy. So the difference was caused by
the point of the failure: in a pre-validation or during the session manager
operation.
Thiemo, WDYT?

 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
@@ -390,6 +422,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
   store_->Store(policy_.policy());
   base::RunLoop().RunUntilIdle();
   Mock::VerifyAndClearExpectations(&session_manager_client_);
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
@@ -403,6 +436,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
             store_->policy()->SerializeAsString());
   VerifyPolicyMap(kDefaultHomepage);
   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
@@ -414,6 +448,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
@@ -424,6 +459,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
@@ -433,6 +469,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
   VerifyStoreHasValidationError();
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());

[emaxx, 2016/11/08 20:53:36]

Here's another tricky case.
Here the policy was not loaded (because it's invalid), but the public key was
loaded and exposed. Meanwhile in the two previous tests the key was not exposed
(because it's loaded by UserCloudPolicyStoreChromeOS only _after_ querying
session manager).

 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
@@ -441,6 +478,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
   VerifyStoreHasValidationError();
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
@@ -449,6 +487,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
   VerifyStoreHasValidationError();
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) {
@@ -596,6 +635,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediately) {
             store_->policy()->SerializeAsString());
   VerifyPolicyMap(kDefaultHomepage);
   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
+  EXPECT_EQ(GetPolicyPublicKeyAsString(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
@@ -612,6 +652,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
@@ -628,6 +669,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
@@ -647,6 +689,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status());
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
@@ -666,6 +709,7 @@ TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
   EXPECT_FALSE(store_->policy());
   EXPECT_TRUE(store_->policy_map().empty());
   EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
+  EXPECT_EQ(std::string(), store_->public_key());
 }
 
 }  // namespace