Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(698)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc

Issue 2493603002: Implement component cloud policy signature validation (Closed)
Patch Set: Created 4 years, 1 month ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« components/policy/core/common/cloud/component_cloud_policy_service.cc ('K') | « components/policy/core/common/cloud/component_cloud_policy_store.cc ('k') | components/policy/core/common/cloud/component_cloud_policy_updater.h » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc
diff --git a/components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc b/components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc
index d288e4bfb76d52f12445f940b21229187d0ef0f8..3684b05701216382d30f6f9fd416b011589252ac 100644
--- a/components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc
+++ b/components/policy/core/common/cloud/component_cloud_policy_store_unittest.cc
@@ -4,8 +4,11 @@
#include "components/policy/core/common/cloud/component_cloud_policy_store.h"
+#include <stdint.h>
#include <map>
+#include <memory>
#include <string>
+#include <vector>
#include "base/bind.h"
#include "base/callback.h"
@@ -13,13 +16,16 @@
#include "base/memory/ptr_util.h"
#include "base/memory/ref_counted.h"
#include "base/test/test_simple_task_runner.h"
+#include "base/time/time.h"
#include "components/policy/core/common/cloud/cloud_policy_constants.h"
#include "components/policy/core/common/cloud/policy_builder.h"
#include "components/policy/core/common/cloud/resource_cache.h"
#include "components/policy/core/common/external_data_fetcher.h"
+#include "components/policy/core/common/policy_namespace.h"
#include "components/policy/core/common/policy_types.h"
#include "components/policy/proto/chrome_extension_policy.pb.h"
#include "components/policy/proto/device_management_backend.pb.h"
+#include "crypto/rsa_private_key.h"
#include "crypto/sha2.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
@@ -69,23 +75,21 @@ class MockComponentCloudPolicyStoreDelegate
class ComponentCloudPolicyStoreTest : public testing::Test {
protected:
- void SetUp() override {
- ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
- cache_.reset(
- new ResourceCache(temp_dir_.GetPath(),
- make_scoped_refptr(new base::TestSimpleTaskRunner)));
- store_.reset(new ComponentCloudPolicyStore(&store_delegate_, cache_.get()));
- store_->SetCredentials(ComponentPolicyBuilder::kFakeUsername,
- ComponentPolicyBuilder::kFakeToken);
-
+ ComponentCloudPolicyStoreTest()
+ : kTestPolicyNS(POLICY_DOMAIN_EXTENSIONS, kTestExtension) {
+ builder_.SetDefaultSigningKey();
builder_.policy_data().set_policy_type(
dm_protocol::kChromeExtensionPolicyType);
builder_.policy_data().set_settings_entity_id(kTestExtension);
builder_.payload().set_download_url(kTestDownload);
builder_.payload().set_secure_hash(TestPolicyHash());
- PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension);
- PolicyMap& policy = expected_bundle_.Get(ns);
+ std::vector<uint8_t> public_key_bits;
+ builder_.GetSigningKey()->ExportPublicKey(&public_key_bits);
+ public_key_.assign(reinterpret_cast<const char*>(public_key_bits.data()),
+ public_key_bits.size());
+
+ PolicyMap& policy = expected_bundle_.Get(kTestPolicyNS);
policy.Set("Name", POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
POLICY_SOURCE_CLOUD,
base::MakeUnique<base::StringValue>("disabled"), nullptr);
@@ -94,6 +98,19 @@ class ComponentCloudPolicyStoreTest : public testing::Test {
base::MakeUnique<base::StringValue>("maybe"), nullptr);
}
+ void SetUp() override {
+ ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
+ cache_.reset(
+ new ResourceCache(temp_dir_.GetPath(),
+ make_scoped_refptr(new base::TestSimpleTaskRunner)));
+ store_.reset(new ComponentCloudPolicyStore(&store_delegate_, cache_.get()));
+ store_->SetCredentials(ComponentPolicyBuilder::kFakeUsername,
+ ComponentPolicyBuilder::kFakeToken,
+ ComponentPolicyBuilder::kFakeDeviceId,
+ ComponentPolicyBuilder::kFakeDomain, public_key_,
+ ComponentPolicyBuilder::kFakePublicKeyVersion);
+ }
+
// Returns true if the policy exposed by the |store_| is empty.
bool IsEmpty() {
return store_->policy().begin() == store_->policy().end();
@@ -104,90 +121,163 @@ class ComponentCloudPolicyStoreTest : public testing::Test {
return base::MakeUnique<em::PolicyFetchResponse>(builder_.policy());
}
+ std::unique_ptr<em::PolicyData> CreatePolicyData() {
+ builder_.Build();
+ return base::MakeUnique<em::PolicyData>(builder_.policy_data());
+ }
+
std::string CreateSerializedResponse() {
builder_.Build();
return builder_.GetBlob();
}
+ const PolicyNamespace kTestPolicyNS;
base::ScopedTempDir temp_dir_;
std::unique_ptr<ResourceCache> cache_;
std::unique_ptr<ComponentCloudPolicyStore> store_;
MockComponentCloudPolicyStoreDelegate store_delegate_;
ComponentPolicyBuilder builder_;
PolicyBundle expected_bundle_;
+ std::string public_key_;
};
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicy) {
+ em::PolicyData policy_data;
em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_TRUE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
- EXPECT_EQ(POLICY_DOMAIN_EXTENSIONS, ns.domain);
- EXPECT_EQ(kTestExtension, ns.component_id);
+ EXPECT_TRUE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ &policy_data, &payload));
+ EXPECT_EQ(dm_protocol::kChromeExtensionPolicyType, policy_data.policy_type());
+ EXPECT_EQ(kTestExtension, policy_data.settings_entity_id());
EXPECT_EQ(kTestDownload, payload.download_url());
EXPECT_EQ(TestPolicyHash(), payload.secure_hash());
}
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongTimestamp) {
+ EXPECT_CALL(store_delegate_, OnComponentCloudPolicyStoreUpdated());
+ EXPECT_TRUE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), TestPolicyHash(), kTestPolicy));
+
+ const int64_t kPastTimestamp = base::TimeDelta::FromDays(1).InMilliseconds();
+ CHECK_GT(ComponentPolicyBuilder::kFakeTimestamp, kPastTimestamp);
+ builder_.policy_data().set_timestamp(kPastTimestamp);
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+
+ const int64_t kFutureTimestamp =
+ (base::Time::NowFromSystemTime() + base::TimeDelta::FromDays(1) -
+ base::Time::UnixEpoch())
+ .InMilliseconds();
+ builder_.policy_data().set_timestamp(kFutureTimestamp);
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+}
+
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongUsername) {
builder_.policy_data().set_username("anotheruser@example.com");
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_FALSE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongDMToken) {
builder_.policy_data().set_request_token("notmytoken");
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_FALSE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+}
+
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongDeviceId) {
+ builder_.policy_data().set_device_id("invalid");
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyBadType) {
builder_.policy_data().set_policy_type(dm_protocol::kChromeUserPolicyType);
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_FALSE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+}
+
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongNamespace) {
+ EXPECT_FALSE(store_->ValidatePolicy(
+ PolicyNamespace(POLICY_DOMAIN_EXTENSIONS, "nosuchid"), CreateResponse(),
+ nullptr /* policy_data */, nullptr /* payload */));
+}
+
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyNoSignature) {
+ builder_.UnsetSigningKey();
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+}
+
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyBadSignature) {
+ std::unique_ptr<em::PolicyFetchResponse> response = CreateResponse();
+ response->set_policy_data_signature("invalid");
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, std::move(response),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+}
+
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongPublicKey) {
+ builder_.SetSigningKey(*ComponentPolicyBuilder::CreateTestOtherSigningKey());
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
+}
+
+TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyWrongPublicKeyVersion) {
+ builder_.policy_data().set_public_key_version(
+ ComponentPolicyBuilder::kFakePublicKeyVersion + 1);
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyBadDownloadUrl) {
builder_.payload().set_download_url("invalidurl");
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_FALSE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyEmptyDownloadUrl) {
builder_.payload().clear_download_url();
builder_.payload().clear_secure_hash();
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
// This is valid; it's how "no policy" is signalled to the client.
- EXPECT_TRUE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_TRUE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidatePolicyBadPayload) {
builder_.clear_payload();
builder_.policy_data().set_policy_value("broken");
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_FALSE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidateNoCredentials) {
store_.reset(new ComponentCloudPolicyStore(&store_delegate_, cache_.get()));
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
- EXPECT_FALSE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_FALSE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
}
TEST_F(ComponentCloudPolicyStoreTest, ValidateWrongCredentials) {
- em::ExternalPolicyData payload;
- PolicyNamespace ns;
// Verify that the default response validates with the right credentials.
- EXPECT_TRUE(store_->ValidatePolicy(CreateResponse(), &ns, &payload));
+ EXPECT_TRUE(store_->ValidatePolicy(kTestPolicyNS, CreateResponse(),
+ nullptr /* policy_data */,
+ nullptr /* payload */));
// Now store that response.
EXPECT_CALL(store_delegate_, OnComponentCloudPolicyStoreUpdated());
- EXPECT_TRUE(store_->Store(
- ns, CreateSerializedResponse(), TestPolicyHash(), kTestPolicy));
+ EXPECT_TRUE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), TestPolicyHash(), kTestPolicy));
Mock::VerifyAndClearExpectations(&store_delegate_);
EXPECT_TRUE(store_->policy().Equals(expected_bundle_));
// And verify that the response data in the cache.
@@ -197,7 +287,9 @@ TEST_F(ComponentCloudPolicyStoreTest, ValidateWrongCredentials) {
// Try loading the cached response data with wrong credentials.
ComponentCloudPolicyStore another_store(&store_delegate_, cache_.get());
- another_store.SetCredentials("wrongdude@example.com", "wrongtoken");
+ another_store.SetCredentials(
+ "wrongdude@example.com", "wrongtoken", "wrongdeviceid", "wrongdomain",
+ "wrongkey", ComponentPolicyBuilder::kFakePublicKeyVersion + 1);
another_store.Load();
const PolicyBundle empty_bundle;
EXPECT_TRUE(another_store.policy().Equals(empty_bundle));
@@ -214,60 +306,63 @@ TEST_F(ComponentCloudPolicyStoreTest, StoreAndLoad) {
EXPECT_TRUE(IsEmpty());
// Store policy for an unsupported domain.
- PolicyNamespace ns(POLICY_DOMAIN_CHROME, kTestExtension);
builder_.policy_data().set_policy_type(dm_protocol::kChromeUserPolicyType);
- EXPECT_FALSE(store_->Store(
- ns, CreateSerializedResponse(), TestPolicyHash(), kTestPolicy));
+ EXPECT_FALSE(
+ store_->Store(PolicyNamespace(POLICY_DOMAIN_CHROME, kTestExtension),
+ CreateSerializedResponse(), CreatePolicyData(),
+ TestPolicyHash(), kTestPolicy));
// Store policy with the wrong hash.
builder_.policy_data().set_policy_type(
dm_protocol::kChromeExtensionPolicyType);
- ns.domain = POLICY_DOMAIN_EXTENSIONS;
builder_.payload().set_secure_hash("badash");
- EXPECT_FALSE(store_->Store(
- ns, CreateSerializedResponse(), "badash", kTestPolicy));
+ EXPECT_FALSE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), "badash", kTestPolicy));
// Store policy without a hash.
builder_.payload().clear_secure_hash();
- EXPECT_FALSE(store_->Store(
- ns, CreateSerializedResponse(), std::string(), kTestPolicy));
+ EXPECT_FALSE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), std::string(), kTestPolicy));
// Store policy with invalid JSON data.
static const char kInvalidData[] = "{ not json }";
const std::string invalid_data_hash = crypto::SHA256HashString(kInvalidData);
builder_.payload().set_secure_hash(invalid_data_hash);
- EXPECT_FALSE(store_->Store(
- ns, CreateSerializedResponse(), invalid_data_hash, kInvalidData));
+ EXPECT_FALSE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), invalid_data_hash,
+ kInvalidData));
// All of those failed.
EXPECT_TRUE(IsEmpty());
- EXPECT_EQ(std::string(), store_->GetCachedHash(ns));
+ EXPECT_EQ(std::string(), store_->GetCachedHash(kTestPolicyNS));
// Now store a valid policy.
builder_.payload().set_secure_hash(TestPolicyHash());
EXPECT_CALL(store_delegate_, OnComponentCloudPolicyStoreUpdated());
- EXPECT_TRUE(store_->Store(
- ns, CreateSerializedResponse(), TestPolicyHash(), kTestPolicy));
+ EXPECT_TRUE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), TestPolicyHash(), kTestPolicy));
Mock::VerifyAndClearExpectations(&store_delegate_);
EXPECT_FALSE(IsEmpty());
EXPECT_TRUE(store_->policy().Equals(expected_bundle_));
- EXPECT_EQ(TestPolicyHash(), store_->GetCachedHash(ns));
+ EXPECT_EQ(TestPolicyHash(), store_->GetCachedHash(kTestPolicyNS));
// Loading from the cache validates the policy data again.
ComponentCloudPolicyStore another_store(&store_delegate_, cache_.get());
another_store.SetCredentials(ComponentPolicyBuilder::kFakeUsername,
- ComponentPolicyBuilder::kFakeToken);
+ ComponentPolicyBuilder::kFakeToken,
+ ComponentPolicyBuilder::kFakeDeviceId,
+ ComponentPolicyBuilder::kFakeDomain, public_key_,
+ ComponentPolicyBuilder::kFakePublicKeyVersion);
another_store.Load();
EXPECT_TRUE(another_store.policy().Equals(expected_bundle_));
- EXPECT_EQ(TestPolicyHash(), another_store.GetCachedHash(ns));
+ EXPECT_EQ(TestPolicyHash(), another_store.GetCachedHash(kTestPolicyNS));
}
TEST_F(ComponentCloudPolicyStoreTest, Updates) {
// Store some policies.
- PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension);
EXPECT_CALL(store_delegate_, OnComponentCloudPolicyStoreUpdated());
- EXPECT_TRUE(store_->Store(
- ns, CreateSerializedResponse(), TestPolicyHash(), kTestPolicy));
+ EXPECT_TRUE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), TestPolicyHash(), kTestPolicy));
Mock::VerifyAndClearExpectations(&store_delegate_);
EXPECT_FALSE(IsEmpty());
EXPECT_TRUE(store_->policy().Equals(expected_bundle_));
@@ -279,16 +374,15 @@ TEST_F(ComponentCloudPolicyStoreTest, Updates) {
// Deleting a namespace that has policies triggers an update.
EXPECT_CALL(store_delegate_, OnComponentCloudPolicyStoreUpdated());
- store_->Delete(ns);
+ store_->Delete(kTestPolicyNS);
Mock::VerifyAndClearExpectations(&store_delegate_);
}
TEST_F(ComponentCloudPolicyStoreTest, Purge) {
// Store a valid policy.
EXPECT_CALL(store_delegate_, OnComponentCloudPolicyStoreUpdated());
- PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension);
- EXPECT_TRUE(store_->Store(
- ns, CreateSerializedResponse(), TestPolicyHash(), kTestPolicy));
+ EXPECT_TRUE(store_->Store(kTestPolicyNS, CreateSerializedResponse(),
+ CreatePolicyData(), TestPolicyHash(), kTestPolicy));
Mock::VerifyAndClearExpectations(&store_delegate_);
EXPECT_FALSE(IsEmpty());
EXPECT_TRUE(store_->policy().Equals(expected_bundle_));
@@ -297,15 +391,18 @@ TEST_F(ComponentCloudPolicyStoreTest, Purge) {
store_->Purge(POLICY_DOMAIN_EXTENSIONS,
base::Bind(&NotEqual, kTestExtension));
- // The policy for |ns| is still served.
+ // The policy for |kTestPolicyNS| is still served.
EXPECT_TRUE(store_->policy().Equals(expected_bundle_));
- // Loading the store again will still see |ns|.
+ // Loading the store again will still see |kTestPolicyNS|.
ComponentCloudPolicyStore another_store(&store_delegate_, cache_.get());
const PolicyBundle empty_bundle;
EXPECT_TRUE(another_store.policy().Equals(empty_bundle));
another_store.SetCredentials(ComponentPolicyBuilder::kFakeUsername,
- ComponentPolicyBuilder::kFakeToken);
+ ComponentPolicyBuilder::kFakeToken,
+ ComponentPolicyBuilder::kFakeDeviceId,
+ ComponentPolicyBuilder::kFakeDomain, public_key_,
+ ComponentPolicyBuilder::kFakePublicKeyVersion);
another_store.Load();
EXPECT_TRUE(another_store.policy().Equals(expected_bundle_));
@@ -319,8 +416,11 @@ TEST_F(ComponentCloudPolicyStoreTest, Purge) {
// And they aren't loaded anymore either.
ComponentCloudPolicyStore yet_another_store(&store_delegate_, cache_.get());
- yet_another_store.SetCredentials(ComponentPolicyBuilder::kFakeUsername,
- ComponentPolicyBuilder::kFakeToken);
+ yet_another_store.SetCredentials(
+ ComponentPolicyBuilder::kFakeUsername, ComponentPolicyBuilder::kFakeToken,
+ ComponentPolicyBuilder::kFakeDeviceId,
+ ComponentPolicyBuilder::kFakeDomain, public_key_,
+ ComponentPolicyBuilder::kFakePublicKeyVersion);
yet_another_store.Load();
EXPECT_TRUE(yet_another_store.policy().Equals(empty_bundle));
}
« components/policy/core/common/cloud/component_cloud_policy_service.cc ('K') | « components/policy/core/common/cloud/component_cloud_policy_store.cc ('k') | components/policy/core/common/cloud/component_cloud_policy_updater.h » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698