Fix policy test server key rotation feature

This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
TEST=existing tests

Committed: https://crrev.com/26aa638c5ccdd27549493df2d2aff78db8fa8382
Cr-Commit-Position: refs/heads/master@{#434519}

[emaxx, 2016-11-24 18:49:26]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-24 18:49:40]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[emaxx, 2016-11-24 18:56:52]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-24 18:56:55]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-24 19:37:38]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-24 19:37:39]

Dry run: This issue passed the CQ dry run.

[emaxx, 2016-11-24 19:59:03]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-24 19:59:12]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[emaxx, 2016-11-24 20:06:22]

Description was changed from

==========
[DONT REVIEW] Policy test server works

BUG=663870
==========

to

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
==========

[commit-bot: I haz the power, 2016-11-24 20:30:45]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-24 20:30:46]

Dry run: Try jobs failed on following builders:
  linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[emaxx, 2016-11-24 20:33:15]

Description was changed from

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
==========

to

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
TEST=existing tests
==========

[emaxx, 2016-11-24 20:33:23]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-24 20:33:44]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[emaxx, 2016-11-24 21:07:43]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-24 21:07:50]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-24 21:50:33]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-24 21:50:33]

Dry run: Try jobs failed on following builders:
  linux_chromium_clobber_rel_ng on master.tryserver.chromium.linux (JOB_FAILED,
http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)

[emaxx, 2016-11-24 22:02:52]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-24 22:03:00]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-24 22:36:39]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-24 22:36:40]

Dry run: This issue passed the CQ dry run.

[emaxx, 2016-11-24 23:25:46]

emaxx@chromium.org changed reviewers:
+ atwilson@chromium.org

[emaxx, 2016-11-24 23:25:47]

Drew, PTAL.

[Andrew T Wilson (Slow), 2016-11-25 14:50:09]

LGTM with a couple naming/other nits which you can fix or ignore at your
discretion.

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
File chrome/browser/policy/test/local_policy_test_server.h (right):

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
chrome/browser/policy/test/local_policy_test_server.h:50: void
SetSigningKeysAutomaticRotation();
I think "EnableAutomaticRotationOfSigningKeys()" is probably clearer than
"SetXXXX".

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
File chrome/browser/policy/test/policy_testserver.py (right):

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
chrome/browser/policy/test/policy_testserver.py:1042: key specified in the
config or the first key will be used for all
This is fine. As we discussed, we might get slightly more robust test coverage
if we rotate every time by default, but I'm OK with however you want to do it.

[emaxx, 2016-11-25 15:26:34]

The CQ bit was checked by emaxx@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-11-25 15:26:42]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-25 16:16:23]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-11-25 16:16:24]

Dry run: This issue passed the CQ dry run.

[emaxx, 2016-11-25 16:17:38]

Thanks for the review!

I've fixed the nits and added a couple of more comments into the source code.

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
File chrome/browser/policy/test/local_policy_test_server.h (right):

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
chrome/browser/policy/test/local_policy_test_server.h:50: void
SetSigningKeysAutomaticRotation();
On 2016/11/25 14:50:09, Andrew T Wilson (Slow) wrote:
> I think "EnableAutomaticRotationOfSigningKeys()" is probably clearer than
> "SetXXXX".

Done.

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
File chrome/browser/policy/test/policy_testserver.py (right):

https://codereview.chromium.org/2530023002/diff/40001/chrome/browser/policy/t...
chrome/browser/policy/test/policy_testserver.py:1042: key specified in the
config or the first key will be used for all
On 2016/11/25 14:50:09, Andrew T Wilson (Slow) wrote:
> This is fine. As we discussed, we might get slightly more robust test coverage
> if we rotate every time by default, but I'm OK with however you want to do it.

This is a valid concern.
I think ideally it should be tackled from this perspective: the existing tests
should test what they were intended for, while the gaps in the test coverage
with regard to key rotation should be filled with new tests.
I've filed a bug http://crbug.com/668716 to track this.

[emaxx, 2016-11-25 16:17:49]

The CQ bit was checked by emaxx@chromium.org

[emaxx, 2016-11-25 16:17:49]

The patchset sent to the CQ was uploaded after l-g-t-m from
atwilson@chromium.org
Link to the patchset: https://codereview.chromium.org/2530023002/#ps60001
(title: "Rename, add comments")

[commit-bot: I haz the power, 2016-11-25 16:18:04]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-11-25 16:21:35]

CQ is committing da patch.

Bot data: {"patchset_id": 60001, "attempt_start_ts": 1480090669041630,
"parent_rev": "3b464e482fd75e5be2cd06bba97f96a1a3cdd858", "commit_rev":
"e6498fdcf70548cf652aa08214799d96717a8cbb"}

[commit-bot: I haz the power, 2016-11-25 16:22:05]

Description was changed from

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
TEST=existing tests
==========

to

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
TEST=existing tests
==========

[commit-bot: I haz the power, 2016-11-25 16:22:06]

Committed patchset #4 (id:60001)

[commit-bot: I haz the power, 2016-11-25 16:25:01]

Description was changed from

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
TEST=existing tests
==========

to

==========
This introduces a special command line flag for the
local policy test server that enables the automatic
rotation of the signing keys with each received policy
fetch request.

The LocalPolicyTestServer class is extended to provide
ability to trigger this feature.

Also the existing documentation for the local policy test
server is corrected to correctly describe the default
behavior in which there are no cyclic key rotations.

BUG=663870
TEST=existing tests

Committed: https://crrev.com/26aa638c5ccdd27549493df2d2aff78db8fa8382
Cr-Commit-Position: refs/heads/master@{#434519}
==========

[commit-bot: I haz the power, 2016-11-25 16:25:02]

Patchset 4 (id:??) landed as
https://crrev.com/26aa638c5ccdd27549493df2d2aff78db8fa8382
Cr-Commit-Position: refs/heads/master@{#434519}