Implement component cloud policy signature validation

chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <string>
 
 #include "base/base64url.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/memory/ref_counted.h"
 #include "base/path_service.h"
 #include "base/run_loop.h"
 #include "build/build_config.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/extensions/extension_browsertest.h"
 #include "chrome/browser/policy/profile_policy_connector.h"
 #include "chrome/browser/policy/profile_policy_connector_factory.h"
 #include "chrome/browser/policy/test/local_policy_test_server.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/common/chrome_paths.h"
 #include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/cloud/cloud_policy_client.h"
 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
 #include "components/policy/core/common/cloud/mock_cloud_policy_client.h"
 #include "components/policy/core/common/cloud/policy_builder.h"
 #include "components/policy/core/common/policy_service.h"
 #include "components/policy/core/common/policy_switches.h"
 #include "components/policy/core/common/policy_test_utils.h"
 #include "components/policy/proto/chrome_extension_policy.pb.h"
 #include "components/policy/proto/cloud_policy.pb.h"
+#include "components/policy/proto/device_management_backend.pb.h"
 #include "extensions/common/extension.h"
 #include "extensions/test/extension_test_message_listener.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 #if defined(OS_CHROMEOS)
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_chromeos.h"
 #include "chrome/browser/chromeos/policy/user_cloud_policy_manager_factory_chromeos.h"
 #include "chromeos/chromeos_switches.h"
@@ skipping 134 matching lines @@
     SigninManager* signin_manager =
         SigninManagerFactory::GetForProfile(browser()->profile());
     ASSERT_TRUE(signin_manager);
     signin_manager->SetAuthenticatedAccountInfo("12345",
                                                 PolicyBuilder::kFakeUsername);
 
     UserCloudPolicyManager* policy_manager =
         UserCloudPolicyManagerFactory::GetForBrowserContext(
             browser()->profile());
     ASSERT_TRUE(policy_manager);
+    policy_manager->SetSigninUsername(PolicyBuilder::kFakeUsername);
     policy_manager->Connect(g_browser_process->local_state(),
                             g_browser_process->system_request_context(),
                             UserCloudPolicyManager::CreateCloudPolicyClient(
                                 connector->device_management_service(),
                                 g_browser_process->system_request_context()));
 #endif  // defined(OS_CHROMEOS)
 
     // Register the cloud policy client.
-    ASSERT_TRUE(policy_manager->core()->client());
+    client_ = policy_manager->core()->client();
+    ASSERT_TRUE(client_);
     base::RunLoop run_loop;
     MockCloudPolicyClientObserver observer;
     EXPECT_CALL(observer, OnRegistrationStateChanged(_))
         .WillOnce(InvokeWithoutArgs(&run_loop, &base::RunLoop::Quit));
-    policy_manager->core()->client()->AddObserver(&observer);
-    policy_manager->core()->client()->SetupRegistration(kDMToken, kDeviceID);
+    client_->AddObserver(&observer);
+    client_->SetupRegistration(kDMToken, kDeviceID);
     run_loop.Run();
     Mock::VerifyAndClearExpectations(&observer);
-    policy_manager->core()->client()->RemoveObserver(&observer);
+    client_->RemoveObserver(&observer);
   }
 
 #if !defined(OS_CHROMEOS)
   void SignOut() {
     SigninManager* signin_manager =
         SigninManagerFactory::GetForProfile(browser()->profile());
     ASSERT_TRUE(signin_manager);
     signin_manager->SignOut(signin_metrics::SIGNOUT_TEST,
                             signin_metrics::SignoutDelete::IGNORE_METRIC);
   }
 #endif
 
   void RefreshPolicies() {
     ProfilePolicyConnector* profile_connector =
         ProfilePolicyConnectorFactory::GetForBrowserContext(
             browser()->profile());
     PolicyService* policy_service = profile_connector->policy_service();
     base::RunLoop run_loop;
     policy_service->RefreshPolicies(run_loop.QuitClosure());
     run_loop.Run();
   }
 
+  int GetFetchedPolicyPublicKeyVersion(const std::string& extension_id) {
+    const em::PolicyFetchResponse* fetched_policy = client_->GetPolicyFor(
+        dm_protocol::kChromeExtensionPolicyType, extension_id);
+    if (!fetched_policy || !fetched_policy->has_policy_data())
+      return -1;
+    em::PolicyData policy_data;
+    if (!policy_data.ParseFromString(fetched_policy->policy_data()) ||
+        !policy_data.has_public_key_version())
+      return -1;
+    return policy_data.public_key_version();
+  }
+
   LocalPolicyTestServer test_server_;
   scoped_refptr<const extensions::Extension> extension_;
   std::unique_ptr<ExtensionTestMessageListener> event_listener_;
+
+ private:
+  CloudPolicyClient* client_ = nullptr;
 };
 
 IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, FetchExtensionPolicy) {
   // Read the initial policy.
   ExtensionTestMessageListener policy_listener(kTestPolicyJSON, false);
   event_listener_->Reply("get-policy-Name");
   EXPECT_TRUE(policy_listener.WaitUntilSatisfied());
 }
 
 IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, UpdateExtensionPolicy) {
@@ skipping 40 matching lines @@
   scoped_refptr<const extensions::Extension> extension2 =
       LoadExtension(kTestExtension2Path);
   ASSERT_TRUE(extension2.get());
   ASSERT_EQ(kTestExtension2, extension2->id());
 
   // This extension only sends the 'policy' signal once it receives the policy,
   // and after verifying it has the expected value. Otherwise it sends 'fail'.
   EXPECT_TRUE(result_listener.WaitUntilSatisfied());
 }
 
+IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, KeyRotation) {
+  // Read the initial policy.
+  ExtensionTestMessageListener policy_listener(kTestPolicyJSON, true);
+  event_listener_->Reply("get-policy-Name");
+  EXPECT_TRUE(policy_listener.WaitUntilSatisfied());
+  const int public_key_version =
+      GetFetchedPolicyPublicKeyVersion(kTestExtension);
+  EXPECT_NE(-1, public_key_version);
+
+  // Update the policy at the server and reload the policy, causing also the key
+  // rotation to be performed by the policy test server.
+  event_listener_.reset(new ExtensionTestMessageListener("event", true));
+  policy_listener.Reply("idle");
+  EXPECT_TRUE(test_server_.UpdatePolicyData(
+      dm_protocol::kChromeExtensionPolicyType, kTestExtension, kTestPolicy2));
+  RefreshPolicies();
+
+  // Check that the update event was received, and verify that the policy has
+  // the new value and that the key rotation happened.
+  EXPECT_TRUE(event_listener_->WaitUntilSatisfied());
+  const int new_public_key_version =
+      GetFetchedPolicyPublicKeyVersion(kTestExtension);
+  EXPECT_LT(public_key_version, new_public_key_version);

[emaxx, 2016/11/09 22:16:56]

This new test is failing here due to the policy test server not performing key
rotation: http://crbug.com/663870 .
I'd like to leave this test in the review as is until there's a feedback for
that issue.

+
+  ExtensionTestMessageListener policy_listener1("{}", true);
+  event_listener_->Reply("get-policy-Name");
+  EXPECT_TRUE(policy_listener1.WaitUntilSatisfied());
+
+  ExtensionTestMessageListener policy_listener2(kTestPolicy2JSON, false);
+  policy_listener1.Reply("get-policy-Another");
+  EXPECT_TRUE(policy_listener2.WaitUntilSatisfied());
+}
+
 // Signing out on Chrome OS is a different process from signing out on the
 // Desktop platforms. On Chrome OS the session is ended, and the user goes back
 // to the sign-in screen; the Profile data is not affected. On the Desktop the
 // session goes on though, and all the signed-in services are disconnected;
 // in particular, the policy caches are dropped if the user signs out.
 // This test verifies that when the user signs out then any existing component
 // policy caches are dropped, and that it's still possible to sign back in and
 // get policy for components working again.
 #if !defined(OS_CHROMEOS)
 IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, SignOutAndBackIn) {
@@ skipping 42 matching lines @@
   ExtensionTestMessageListener signin_policy_listener(kTestPolicyJSON, false);
   event_listener2.Reply("get-policy-Name");
   EXPECT_TRUE(signin_policy_listener.WaitUntilSatisfied());
 
   // And the cache is back.
   EXPECT_TRUE(base::PathExists(cache_path));
 }
 #endif
 
 }  // namespace policy