Chromium Code Reviews Chromium Code Reviews
Issue 2493603002:
Implement component cloud policy signature validation (Closed)
| Index: chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc |
| diff --git a/chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc b/chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc |
| index 5e9106683509bfe9d025dcba808f078182aaab73..44522d6a436a5055a815c85060ddc2e8018a8f07 100644 |
| --- a/chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc |
| +++ b/chrome/browser/policy/cloud/component_cloud_policy_browsertest.cc |
| @@ -21,6 +21,7 @@ |
| #include "chrome/browser/ui/browser.h" |
| #include "chrome/common/chrome_paths.h" |
| #include "components/policy/core/browser/browser_policy_connector.h" |
| +#include "components/policy/core/common/cloud/cloud_policy_client.h" |
| #include "components/policy/core/common/cloud/cloud_policy_constants.h" |
| #include "components/policy/core/common/cloud/mock_cloud_policy_client.h" |
| #include "components/policy/core/common/cloud/policy_builder.h" |
| @@ -29,6 +30,7 @@ |
| #include "components/policy/core/common/policy_test_utils.h" |
| #include "components/policy/proto/chrome_extension_policy.pb.h" |
| #include "components/policy/proto/cloud_policy.pb.h" |
| +#include "components/policy/proto/device_management_backend.pb.h" |
| #include "extensions/common/extension.h" |
| #include "extensions/test/extension_test_message_listener.h" |
| #include "net/url_request/url_request_context_getter.h" |
| @@ -183,6 +185,7 @@ class ComponentCloudPolicyTest : public ExtensionBrowserTest { |
| UserCloudPolicyManagerFactory::GetForBrowserContext( |
| browser()->profile()); |
| ASSERT_TRUE(policy_manager); |
| + policy_manager->SetSigninUsername(PolicyBuilder::kFakeUsername); |
| policy_manager->Connect(g_browser_process->local_state(), |
| g_browser_process->system_request_context(), |
| UserCloudPolicyManager::CreateCloudPolicyClient( |
| @@ -191,16 +194,17 @@ class ComponentCloudPolicyTest : public ExtensionBrowserTest { |
| #endif // defined(OS_CHROMEOS) |
| // Register the cloud policy client. |
| - ASSERT_TRUE(policy_manager->core()->client()); |
| + client_ = policy_manager->core()->client(); |
| + ASSERT_TRUE(client_); |
| base::RunLoop run_loop; |
| MockCloudPolicyClientObserver observer; |
| EXPECT_CALL(observer, OnRegistrationStateChanged(_)) |
| .WillOnce(InvokeWithoutArgs(&run_loop, &base::RunLoop::Quit)); |
| - policy_manager->core()->client()->AddObserver(&observer); |
| - policy_manager->core()->client()->SetupRegistration(kDMToken, kDeviceID); |
| + client_->AddObserver(&observer); |
| + client_->SetupRegistration(kDMToken, kDeviceID); |
| run_loop.Run(); |
| Mock::VerifyAndClearExpectations(&observer); |
| - policy_manager->core()->client()->RemoveObserver(&observer); |
| + client_->RemoveObserver(&observer); |
| } |
| #if !defined(OS_CHROMEOS) |
| @@ -223,9 +227,24 @@ class ComponentCloudPolicyTest : public ExtensionBrowserTest { |
| run_loop.Run(); |
| } |
| + int GetFetchedPolicyPublicKeyVersion(const std::string& extension_id) { |
| + const em::PolicyFetchResponse* fetched_policy = client_->GetPolicyFor( |
| + dm_protocol::kChromeExtensionPolicyType, extension_id); |
| + if (!fetched_policy || !fetched_policy->has_policy_data()) |
| + return -1; |
| + em::PolicyData policy_data; |
| + if (!policy_data.ParseFromString(fetched_policy->policy_data()) || |
| + !policy_data.has_public_key_version()) |
| + return -1; |
| + return policy_data.public_key_version(); |
| + } |
| + |
| LocalPolicyTestServer test_server_; |
| scoped_refptr<const extensions::Extension> extension_; |
| std::unique_ptr<ExtensionTestMessageListener> event_listener_; |
| + |
| + private: |
| + CloudPolicyClient* client_ = nullptr; |
| }; |
| IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, FetchExtensionPolicy) { |
| @@ -286,6 +305,39 @@ IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, InstallNewExtension) { |
| EXPECT_TRUE(result_listener.WaitUntilSatisfied()); |
| } |
| +IN_PROC_BROWSER_TEST_F(ComponentCloudPolicyTest, KeyRotation) { |
| + // Read the initial policy. |
| + ExtensionTestMessageListener policy_listener(kTestPolicyJSON, true); |
| + event_listener_->Reply("get-policy-Name"); |
| + EXPECT_TRUE(policy_listener.WaitUntilSatisfied()); |
| + const int public_key_version = |
| + GetFetchedPolicyPublicKeyVersion(kTestExtension); |
| + EXPECT_NE(-1, public_key_version); |
| + |
| + // Update the policy at the server and reload the policy, causing also the key |
| + // rotation to be performed by the policy test server. |
| + event_listener_.reset(new ExtensionTestMessageListener("event", true)); |
| + policy_listener.Reply("idle"); |
| + EXPECT_TRUE(test_server_.UpdatePolicyData( |
| + dm_protocol::kChromeExtensionPolicyType, kTestExtension, kTestPolicy2)); |
| + RefreshPolicies(); |
| + |
| + // Check that the update event was received, and verify that the policy has |
| + // the new value and that the key rotation happened. |
| + EXPECT_TRUE(event_listener_->WaitUntilSatisfied()); |
| + const int new_public_key_version = |
| + GetFetchedPolicyPublicKeyVersion(kTestExtension); |
| + EXPECT_LT(public_key_version, new_public_key_version); |
|
emaxx
2016/11/09 22:16:56
This new test is failing here due to the policy te
|
| + |
| + ExtensionTestMessageListener policy_listener1("{}", true); |
| + event_listener_->Reply("get-policy-Name"); |
| + EXPECT_TRUE(policy_listener1.WaitUntilSatisfied()); |
| + |
| + ExtensionTestMessageListener policy_listener2(kTestPolicy2JSON, false); |
| + policy_listener1.Reply("get-policy-Another"); |
| + EXPECT_TRUE(policy_listener2.WaitUntilSatisfied()); |
| +} |
| + |
| // Signing out on Chrome OS is a different process from signing out on the |
| // Desktop platforms. On Chrome OS the session is ended, and the user goes back |
| // to the sign-in screen; the Profile data is not affected. On the Desktop the |
