| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #include "chromeos/network/client_cert_resolver.h" | 4 #include "chromeos/network/client_cert_resolver.h" |
| 5 | 5 |
| 6 #include <cert.h> | 6 #include <cert.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <memory> | 9 #include <memory> |
| 10 | 10 |
| 46 const char* kWifiStub = "wifi_stub"; | 46 const char* kWifiStub = "wifi_stub"; |
| 47 const char* kWifiSSID = "wifi_ssid"; | 47 const char* kWifiSSID = "wifi_ssid"; |
| 48 const char* kUserProfilePath = "user_profile"; | 48 const char* kUserProfilePath = "user_profile"; |
| 49 const char* kUserHash = "user_hash"; | 49 const char* kUserHash = "user_hash"; |
| 50 | 50 |
| 51 } // namespace | 51 } // namespace |
| 52 | 52 |
| 53 class ClientCertResolverTest : public testing::Test, | 53 class ClientCertResolverTest : public testing::Test, |
| 54 public ClientCertResolver::Observer { | 54 public ClientCertResolver::Observer { |
| 55 public: | 55 public: |
| 56 ClientCertResolverTest() | 56 ClientCertResolverTest() : scoped_task_scheduler_(&message_loop_) {} |
| 57 : network_properties_changed_count_(0), | |
| 58 service_test_(nullptr), | |
| 59 profile_test_(nullptr), | |
| 60 cert_loader_(nullptr), | |
| 61 scoped_task_scheduler_(&message_loop_) {} | |
| 62 ~ClientCertResolverTest() override {} | 57 ~ClientCertResolverTest() override {} |
| 63 | 58 |
| 64 void SetUp() override { | 59 void SetUp() override { |
| 65 ASSERT_TRUE(test_nssdb_.is_open()); | 60 ASSERT_TRUE(test_nssdb_.is_open()); |
| 61 ASSERT_TRUE(test_system_nssdb_.is_open()); |
| 66 | 62 |
| 67 // Use the same DB for public and private slot. | 63 // Use the same DB for public and private slot. |
| 68 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS( | 64 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS( |
| 69 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())), | 65 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())), |
| 70 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())))); | 66 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())))); |
| 71 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner()); | 67 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner()); |
| 72 | 68 |
| 73 DBusThreadManager::Initialize(); | 69 DBusThreadManager::Initialize(); |
| 74 service_test_ = | 70 service_test_ = |
| 75 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); | 71 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); |
| 76 profile_test_ = | 72 profile_test_ = |
| 77 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); | 73 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); |
| 78 profile_test_->AddProfile(kUserProfilePath, kUserHash); | 74 profile_test_->AddProfile(kUserProfilePath, kUserHash); |
| 79 base::RunLoop().RunUntilIdle(); | 75 base::RunLoop().RunUntilIdle(); |
| 80 service_test_->ClearServices(); | 76 service_test_->ClearServices(); |
| 81 base::RunLoop().RunUntilIdle(); | 77 base::RunLoop().RunUntilIdle(); |
| 82 | 78 |
| 83 CertLoader::Initialize(); | 79 CertLoader::Initialize(); |
| 80 CertLoader::Get()->SetSlowTaskRunnerForTest(message_loop_.task_runner()); |
| 84 cert_loader_ = CertLoader::Get(); | 81 cert_loader_ = CertLoader::Get(); |
| 85 CertLoader::ForceHardwareBackedForTesting(); | 82 CertLoader::ForceHardwareBackedForTesting(); |
| 86 } | 83 } |
| 87 | 84 |
| 88 void TearDown() override { | 85 void TearDown() override { |
| 89 client_cert_resolver_->RemoveObserver(this); | 86 if (client_cert_resolver_) |
| 87 client_cert_resolver_->RemoveObserver(this); |
| 90 client_cert_resolver_.reset(); | 88 client_cert_resolver_.reset(); |
| 91 test_clock_.reset(); | 89 test_clock_.reset(); |
| 92 network_state_handler_->Shutdown(); | 90 if (network_state_handler_) |
| 91 network_state_handler_->Shutdown(); |
| 93 managed_config_handler_.reset(); | 92 managed_config_handler_.reset(); |
| 94 network_config_handler_.reset(); | 93 network_config_handler_.reset(); |
| 95 network_profile_handler_.reset(); | 94 network_profile_handler_.reset(); |
| 96 network_state_handler_.reset(); | 95 network_state_handler_.reset(); |
| 97 CertLoader::Shutdown(); | 96 CertLoader::Shutdown(); |
| 98 DBusThreadManager::Shutdown(); | 97 DBusThreadManager::Shutdown(); |
| 99 } | 98 } |
| 100 | 99 |
| 101 protected: | 100 protected: |
| 102 void StartCertLoader() { | 101 void StartCertLoader() { |
| 130 << net::ErrorToString(failures[0].net_error); | 129 << net::ErrorToString(failures[0].net_error); |
| 131 } | 130 } |
| 132 | 131 |
| 133 // Import a client cert signed by that CA. | 132 // Import a client cert signed by that CA. |
| 134 test_client_cert_ = net::ImportClientCertAndKeyFromFile( | 133 test_client_cert_ = net::ImportClientCertAndKeyFromFile( |
| 135 net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8", | 134 net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8", |
| 136 test_nssdb_.slot()); | 135 test_nssdb_.slot()); |
| 137 ASSERT_TRUE(test_client_cert_.get()); | 136 ASSERT_TRUE(test_client_cert_.get()); |
| 138 } | 137 } |
| 139 | 138 |
| 139 void SetupTestCertInSystemToken(const std::string& prefix) { |
| 140 test_nsscertdb_->SetSystemSlot( |
| 141 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_system_nssdb_.slot()))); |
| 142 |
| 143 test_client_cert_ = net::ImportClientCertAndKeyFromFile( |
| 144 net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8", |
| 145 test_system_nssdb_.slot()); |
| 146 ASSERT_TRUE(test_client_cert_.get()); |
| 147 } |
| 148 |
| 140 void SetupNetworkHandlers() { | 149 void SetupNetworkHandlers() { |
| 141 network_state_handler_ = NetworkStateHandler::InitializeForTest(); | 150 network_state_handler_ = NetworkStateHandler::InitializeForTest(); |
| 142 network_profile_handler_.reset(new NetworkProfileHandler()); | 151 network_profile_handler_.reset(new NetworkProfileHandler()); |
| 143 network_config_handler_.reset(new NetworkConfigurationHandler()); | 152 network_config_handler_.reset(new NetworkConfigurationHandler()); |
| 144 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); | 153 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); |
| 145 client_cert_resolver_.reset(new ClientCertResolver()); | 154 client_cert_resolver_.reset(new ClientCertResolver()); |
| 146 | 155 |
| 147 test_clock_.reset(new base::SimpleTestClock); | 156 test_clock_.reset(new base::SimpleTestClock); |
| 148 test_clock_->SetNow(base::Time::Now()); | 157 test_clock_->SetNow(base::Time::Now()); |
| 149 client_cert_resolver_->SetClockForTesting(test_clock_.get()); | 158 client_cert_resolver_->SetClockForTesting(test_clock_.get()); |
| 177 profile_test_->AddService(kUserProfilePath, kWifiStub); | 186 profile_test_->AddService(kUserProfilePath, kWifiStub); |
| 178 | 187 |
| 179 DBusThreadManager::Get() | 188 DBusThreadManager::Get() |
| 180 ->GetShillManagerClient() | 189 ->GetShillManagerClient() |
| 181 ->GetTestInterface() | 190 ->GetTestInterface() |
| 182 ->AddManagerService(kWifiStub, true); | 191 ->AddManagerService(kWifiStub, true); |
| 183 } | 192 } |
| 184 | 193 |
| 185 // Sets up a policy with a certificate pattern that matches any client cert | 194 // Sets up a policy with a certificate pattern that matches any client cert |
| 186 // with a certain Issuer CN. It will match the test client cert. | 195 // with a certain Issuer CN. It will match the test client cert. |
| 187 void SetupPolicyMatchingIssuerCN() { | 196 void SetupPolicyMatchingIssuerCN(onc::ONCSource onc_source) { |
| 188 const char* kTestPolicy = | 197 const char* kTestPolicy = |
| 189 "[ { \"GUID\": \"wifi_stub\"," | 198 "[ { \"GUID\": \"wifi_stub\"," |
| 190 " \"Name\": \"wifi_stub\"," | 199 " \"Name\": \"wifi_stub\"," |
| 191 " \"Type\": \"WiFi\"," | 200 " \"Type\": \"WiFi\"," |
| 192 " \"WiFi\": {" | 201 " \"WiFi\": {" |
| 193 " \"Security\": \"WPA-EAP\"," | 202 " \"Security\": \"WPA-EAP\"," |
| 194 " \"SSID\": \"wifi_ssid\"," | 203 " \"SSID\": \"wifi_ssid\"," |
| 195 " \"EAP\": {" | 204 " \"EAP\": {" |
| 196 " \"Outer\": \"EAP-TLS\"," | 205 " \"Outer\": \"EAP-TLS\"," |
| 197 " \"ClientCertType\": \"Pattern\"," | 206 " \"ClientCertType\": \"Pattern\"," |
| 198 " \"ClientCertPattern\": {" | 207 " \"ClientCertPattern\": {" |
| 199 " \"Issuer\": {" | 208 " \"Issuer\": {" |
| 200 " \"CommonName\": \"B CA\"" | 209 " \"CommonName\": \"B CA\"" |
| 201 " }" | 210 " }" |
| 202 " }" | 211 " }" |
| 203 " }" | 212 " }" |
| 204 " }" | 213 " }" |
| 205 "} ]"; | 214 "} ]"; |
| 206 | 215 |
| 207 std::string error; | 216 std::string error; |
| 208 std::unique_ptr<base::Value> policy_value = | 217 std::unique_ptr<base::Value> policy_value = |
| 209 base::JSONReader::ReadAndReturnError( | 218 base::JSONReader::ReadAndReturnError( |
| 210 kTestPolicy, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); | 219 kTestPolicy, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 211 ASSERT_TRUE(policy_value) << error; | 220 ASSERT_TRUE(policy_value) << error; |
| 212 | 221 |
| 213 base::ListValue* policy = nullptr; | 222 base::ListValue* policy = nullptr; |
| 214 ASSERT_TRUE(policy_value->GetAsList(&policy)); | 223 ASSERT_TRUE(policy_value->GetAsList(&policy)); |
| 215 | 224 |
| 225 std::string user_hash = |
| 226 onc_source == onc::ONC_SOURCE_USER_POLICY ? kUserHash : ""; |
| 216 managed_config_handler_->SetPolicy( | 227 managed_config_handler_->SetPolicy( |
| 217 onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy, | 228 onc_source, user_hash, *policy, |
| 218 base::DictionaryValue() /* no global network config */); | 229 base::DictionaryValue() /* no global network config */); |
| 219 } | 230 } |
| 220 | 231 |
| 232 void SetupCertificateConfigMatchingIssuerCN( |
| 233 onc::ONCSource onc_source, |
| 234 client_cert::ClientCertConfig* client_cert_config) { |
| 235 const char* kTestOncPattern = |
| 236 "{" |
| 237 " \"Issuer\": {" |
| 238 " \"CommonName\": \"B CA\"" |
| 239 " }" |
| 240 "}"; |
| 241 std::string error; |
| 242 std::unique_ptr<base::Value> onc_pattern_value = |
| 243 base::JSONReader::ReadAndReturnError( |
| 244 kTestOncPattern, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 245 ASSERT_TRUE(onc_pattern_value) << error; |
| 246 |
| 247 base::DictionaryValue* onc_pattern_dict; |
| 248 onc_pattern_value->GetAsDictionary(&onc_pattern_dict); |
| 249 |
| 250 client_cert_config->onc_source = onc_source; |
| 251 client_cert_config->pattern.ReadFromONCDictionary(*onc_pattern_dict); |
| 252 } |
| 253 |
| 221 // Sets up a policy with a certificate pattern that matches any client cert | 254 // Sets up a policy with a certificate pattern that matches any client cert |
| 222 // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In | 255 // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In |
| 223 // particular it will match the test client cert. | 256 // particular it will match the test client cert. |
| 224 void SetupPolicyMatchingIssuerPEM(const std::string& identity) { | 257 void SetupPolicyMatchingIssuerPEM(onc::ONCSource onc_source, |
| 258 const std::string& identity) { |
| 225 const char* kTestPolicyTemplate = | 259 const char* kTestPolicyTemplate = |
| 226 "[ { \"GUID\": \"wifi_stub\"," | 260 "[ { \"GUID\": \"wifi_stub\"," |
| 227 " \"Name\": \"wifi_stub\"," | 261 " \"Name\": \"wifi_stub\"," |
| 228 " \"Type\": \"WiFi\"," | 262 " \"Type\": \"WiFi\"," |
| 229 " \"WiFi\": {" | 263 " \"WiFi\": {" |
| 230 " \"Security\": \"WPA-EAP\"," | 264 " \"Security\": \"WPA-EAP\"," |
| 231 " \"SSID\": \"wifi_ssid\"," | 265 " \"SSID\": \"wifi_ssid\"," |
| 232 " \"EAP\": {" | 266 " \"EAP\": {" |
| 233 " \"Identity\": \"%s\"," | 267 " \"Identity\": \"%s\"," |
| 234 " \"Outer\": \"EAP-TLS\"," | 268 " \"Outer\": \"EAP-TLS\"," |
| 235 " \"ClientCertType\": \"Pattern\"," | 269 " \"ClientCertType\": \"Pattern\"," |
| 236 " \"ClientCertPattern\": {" | 270 " \"ClientCertPattern\": {" |
| 237 " \"IssuerCAPEMs\": [ \"%s\" ]" | 271 " \"IssuerCAPEMs\": [ \"%s\" ]" |
| 238 " }" | 272 " }" |
| 239 " }" | 273 " }" |
| 240 " }" | 274 " }" |
| 241 "} ]"; | 275 "} ]"; |
| 242 std::string policy_json = base::StringPrintf( | 276 std::string policy_json = base::StringPrintf( |
| 243 kTestPolicyTemplate, identity.c_str(), test_ca_cert_pem_.c_str()); | 277 kTestPolicyTemplate, identity.c_str(), test_ca_cert_pem_.c_str()); |
| 244 | 278 |
| 245 std::string error; | 279 std::string error; |
| 246 std::unique_ptr<base::Value> policy_value = | 280 std::unique_ptr<base::Value> policy_value = |
| 247 base::JSONReader::ReadAndReturnError( | 281 base::JSONReader::ReadAndReturnError( |
| 248 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); | 282 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 249 ASSERT_TRUE(policy_value) << error; | 283 ASSERT_TRUE(policy_value) << error; |
| 250 | 284 |
| 251 base::ListValue* policy = nullptr; | 285 base::ListValue* policy = nullptr; |
| 252 ASSERT_TRUE(policy_value->GetAsList(&policy)); | 286 ASSERT_TRUE(policy_value->GetAsList(&policy)); |
| 253 | 287 |
| 288 std::string user_hash = |
| 289 onc_source == onc::ONC_SOURCE_USER_POLICY ? kUserHash : ""; |
| 254 managed_config_handler_->SetPolicy( | 290 managed_config_handler_->SetPolicy( |
| 255 onc::ONC_SOURCE_USER_POLICY, | 291 onc_source, user_hash, *policy, |
| 256 kUserHash, | |
| 257 *policy, | |
| 258 base::DictionaryValue() /* no global network config */); | 292 base::DictionaryValue() /* no global network config */); |
| 259 } | 293 } |
| 260 | 294 |
| 261 void SetWifiState(const std::string& state) { | 295 void SetWifiState(const std::string& state) { |
| 262 ASSERT_TRUE(service_test_->SetServiceProperty( | 296 ASSERT_TRUE(service_test_->SetServiceProperty( |
| 263 kWifiStub, shill::kStateProperty, base::Value(state))); | 297 kWifiStub, shill::kStateProperty, base::Value(state))); |
| 264 } | 298 } |
| 265 | 299 |
| 266 void GetServiceProperty(const std::string& prop_name, | 300 void GetServiceProperty(const std::string& prop_name, |
| 267 std::string* prop_value) { | 301 std::string* prop_value) { |
| 268 prop_value->clear(); | 302 prop_value->clear(); |
| 269 const base::DictionaryValue* properties = | 303 const base::DictionaryValue* properties = |
| 270 service_test_->GetServiceProperties(kWifiStub); | 304 service_test_->GetServiceProperties(kWifiStub); |
| 271 if (!properties) | 305 if (!properties) |
| 272 return; | 306 return; |
| 273 properties->GetStringWithoutPathExpansion(prop_name, prop_value); | 307 properties->GetStringWithoutPathExpansion(prop_name, prop_value); |
| 274 } | 308 } |
| 275 | 309 |
| 276 int network_properties_changed_count_; | 310 int network_properties_changed_count_ = 0; |
| 277 std::string test_cert_id_; | 311 std::string test_cert_id_; |
| 278 std::unique_ptr<base::SimpleTestClock> test_clock_; | 312 std::unique_ptr<base::SimpleTestClock> test_clock_; |
| 279 std::unique_ptr<ClientCertResolver> client_cert_resolver_; | 313 std::unique_ptr<ClientCertResolver> client_cert_resolver_; |
| 314 CertLoader* cert_loader_ = nullptr; |
| 280 | 315 |
| 281 private: | 316 private: |
| 282 // ClientCertResolver::Observer: | 317 // ClientCertResolver::Observer: |
| 283 void ResolveRequestCompleted(bool network_properties_changed) override { | 318 void ResolveRequestCompleted(bool network_properties_changed) override { |
| 284 if (network_properties_changed) | 319 if (network_properties_changed) |
| 285 ++network_properties_changed_count_; | 320 ++network_properties_changed_count_; |
| 286 } | 321 } |
| 287 | 322 |
| 288 ShillServiceClient::TestInterface* service_test_; | 323 ShillServiceClient::TestInterface* service_test_ = nullptr; |
| 289 ShillProfileClient::TestInterface* profile_test_; | 324 ShillProfileClient::TestInterface* profile_test_ = nullptr; |
| 290 CertLoader* cert_loader_; | |
| 291 std::unique_ptr<NetworkStateHandler> network_state_handler_; | 325 std::unique_ptr<NetworkStateHandler> network_state_handler_; |
| 292 std::unique_ptr<NetworkProfileHandler> network_profile_handler_; | 326 std::unique_ptr<NetworkProfileHandler> network_profile_handler_; |
| 293 std::unique_ptr<NetworkConfigurationHandler> network_config_handler_; | 327 std::unique_ptr<NetworkConfigurationHandler> network_config_handler_; |
| 294 std::unique_ptr<ManagedNetworkConfigurationHandlerImpl> | 328 std::unique_ptr<ManagedNetworkConfigurationHandlerImpl> |
| 295 managed_config_handler_; | 329 managed_config_handler_; |
| 296 base::MessageLoop message_loop_; | 330 base::MessageLoop message_loop_; |
| 297 base::test::ScopedTaskScheduler scoped_task_scheduler_; | 331 base::test::ScopedTaskScheduler scoped_task_scheduler_; |
| 298 scoped_refptr<net::X509Certificate> test_client_cert_; | 332 scoped_refptr<net::X509Certificate> test_client_cert_; |
| 299 std::string test_ca_cert_pem_; | 333 std::string test_ca_cert_pem_; |
| 300 crypto::ScopedTestNSSDB test_nssdb_; | 334 crypto::ScopedTestNSSDB test_nssdb_; |
| 335 crypto::ScopedTestNSSDB test_system_nssdb_; |
| 301 std::unique_ptr<net::NSSCertDatabaseChromeOS> test_nsscertdb_; | 336 std::unique_ptr<net::NSSCertDatabaseChromeOS> test_nsscertdb_; |
| 302 | 337 |
| 303 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest); | 338 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest); |
| 304 }; | 339 }; |
| 305 | 340 |
| 306 TEST_F(ClientCertResolverTest, NoMatchingCertificates) { | 341 TEST_F(ClientCertResolverTest, NoMatchingCertificates) { |
| 307 SetupTestCerts("client_1", false /* do not import the issuer */); | 342 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 308 StartCertLoader(); | 343 StartCertLoader(); |
| 309 SetupWifi(); | 344 SetupWifi(); |
| 310 base::RunLoop().RunUntilIdle(); | 345 base::RunLoop().RunUntilIdle(); |
| 311 network_properties_changed_count_ = 0; | 346 network_properties_changed_count_ = 0; |
| 312 SetupNetworkHandlers(); | 347 SetupNetworkHandlers(); |
| 313 SetupPolicyMatchingIssuerPEM(""); | 348 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 314 base::RunLoop().RunUntilIdle(); | 349 base::RunLoop().RunUntilIdle(); |
| 315 | 350 |
| 316 // Verify that no client certificate was configured. | 351 // Verify that no client certificate was configured. |
| 317 std::string pkcs11_id; | 352 std::string pkcs11_id; |
| 318 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 353 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 319 EXPECT_EQ(std::string(), pkcs11_id); | 354 EXPECT_EQ(std::string(), pkcs11_id); |
| 320 EXPECT_EQ(1, network_properties_changed_count_); | 355 EXPECT_EQ(1, network_properties_changed_count_); |
| 321 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning()); | 356 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning()); |
| 322 } | 357 } |
| 323 | 358 |
| 324 TEST_F(ClientCertResolverTest, MatchIssuerCNWithoutIssuerInstalled) { | 359 TEST_F(ClientCertResolverTest, MatchIssuerCNWithoutIssuerInstalled) { |
| 325 SetupTestCerts("client_1", false /* do not import the issuer */); | 360 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 326 SetupWifi(); | 361 SetupWifi(); |
| 327 base::RunLoop().RunUntilIdle(); | 362 base::RunLoop().RunUntilIdle(); |
| 328 | 363 |
| 329 SetupNetworkHandlers(); | 364 SetupNetworkHandlers(); |
| 330 SetupPolicyMatchingIssuerCN(); | 365 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY); |
| 331 base::RunLoop().RunUntilIdle(); | 366 base::RunLoop().RunUntilIdle(); |
| 332 | 367 |
| 333 network_properties_changed_count_ = 0; | 368 network_properties_changed_count_ = 0; |
| 334 StartCertLoader(); | 369 StartCertLoader(); |
| 335 base::RunLoop().RunUntilIdle(); | 370 base::RunLoop().RunUntilIdle(); |
| 336 | 371 |
| 337 // Verify that the resolver positively matched the pattern in the policy with | 372 // Verify that the resolver positively matched the pattern in the policy with |
| 338 // the test client cert and configured the network. | 373 // the test client cert and configured the network. |
| 339 std::string pkcs11_id; | 374 std::string pkcs11_id; |
| 340 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 375 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 341 EXPECT_EQ(test_cert_id_, pkcs11_id); | 376 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 342 EXPECT_EQ(1, network_properties_changed_count_); | 377 EXPECT_EQ(1, network_properties_changed_count_); |
| 343 } | 378 } |
| 344 | 379 |
| 345 TEST_F(ClientCertResolverTest, ResolveOnCertificatesLoaded) { | 380 TEST_F(ClientCertResolverTest, ResolveOnCertificatesLoaded) { |
| 346 SetupTestCerts("client_1", true /* import issuer */); | 381 SetupTestCerts("client_1", true /* import issuer */); |
| 347 SetupWifi(); | 382 SetupWifi(); |
| 348 base::RunLoop().RunUntilIdle(); | 383 base::RunLoop().RunUntilIdle(); |
| 349 | 384 |
| 350 SetupNetworkHandlers(); | 385 SetupNetworkHandlers(); |
| 351 SetupPolicyMatchingIssuerPEM(""); | 386 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 352 base::RunLoop().RunUntilIdle(); | 387 base::RunLoop().RunUntilIdle(); |
| 353 | 388 |
| 354 network_properties_changed_count_ = 0; | 389 network_properties_changed_count_ = 0; |
| 355 StartCertLoader(); | 390 StartCertLoader(); |
| 356 base::RunLoop().RunUntilIdle(); | 391 base::RunLoop().RunUntilIdle(); |
| 357 | 392 |
| 358 // Verify that the resolver positively matched the pattern in the policy with | 393 // Verify that the resolver positively matched the pattern in the policy with |
| 359 // the test client cert and configured the network. | 394 // the test client cert and configured the network. |
| 360 std::string pkcs11_id; | 395 std::string pkcs11_id; |
| 361 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 396 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 362 EXPECT_EQ(test_cert_id_, pkcs11_id); | 397 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 363 EXPECT_EQ(1, network_properties_changed_count_); | 398 EXPECT_EQ(1, network_properties_changed_count_); |
| 364 } | 399 } |
| 365 | 400 |
| 366 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) { | 401 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) { |
| 367 SetupTestCerts("client_1", true /* import issuer */); | 402 SetupTestCerts("client_1", true /* import issuer */); |
| 368 SetupWifi(); | 403 SetupWifi(); |
| 369 base::RunLoop().RunUntilIdle(); | 404 base::RunLoop().RunUntilIdle(); |
| 370 StartCertLoader(); | 405 StartCertLoader(); |
| 371 SetupNetworkHandlers(); | 406 SetupNetworkHandlers(); |
| 372 base::RunLoop().RunUntilIdle(); | 407 base::RunLoop().RunUntilIdle(); |
| 373 | 408 |
| 374 // Policy application will trigger the ClientCertResolver. | 409 // Policy application will trigger the ClientCertResolver. |
| 375 network_properties_changed_count_ = 0; | 410 network_properties_changed_count_ = 0; |
| 376 SetupPolicyMatchingIssuerPEM(""); | 411 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 377 base::RunLoop().RunUntilIdle(); | 412 base::RunLoop().RunUntilIdle(); |
| 378 | 413 |
| 379 // Verify that the resolver positively matched the pattern in the policy with | 414 // Verify that the resolver positively matched the pattern in the policy with |
| 380 // the test client cert and configured the network. | 415 // the test client cert and configured the network. |
| 381 std::string pkcs11_id; | 416 std::string pkcs11_id; |
| 382 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 417 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 383 EXPECT_EQ(test_cert_id_, pkcs11_id); | 418 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 384 EXPECT_EQ(1, network_properties_changed_count_); | 419 EXPECT_EQ(1, network_properties_changed_count_); |
| 385 } | 420 } |
| 386 | 421 |
| 387 TEST_F(ClientCertResolverTest, ExpiringCertificate) { | 422 TEST_F(ClientCertResolverTest, ExpiringCertificate) { |
| 388 SetupTestCerts("client_1", true /* import issuer */); | 423 SetupTestCerts("client_1", true /* import issuer */); |
| 389 SetupWifi(); | 424 SetupWifi(); |
| 390 base::RunLoop().RunUntilIdle(); | 425 base::RunLoop().RunUntilIdle(); |
| 391 | 426 |
| 392 SetupNetworkHandlers(); | 427 SetupNetworkHandlers(); |
| 393 SetupPolicyMatchingIssuerPEM(""); | 428 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 394 base::RunLoop().RunUntilIdle(); | 429 base::RunLoop().RunUntilIdle(); |
| 395 | 430 |
| 396 StartCertLoader(); | 431 StartCertLoader(); |
| 397 base::RunLoop().RunUntilIdle(); | 432 base::RunLoop().RunUntilIdle(); |
| 398 | 433 |
| 399 SetWifiState(shill::kStateOnline); | 434 SetWifiState(shill::kStateOnline); |
| 400 base::RunLoop().RunUntilIdle(); | 435 base::RunLoop().RunUntilIdle(); |
| 401 | 436 |
| 402 // Verify that the resolver positively matched the pattern in the policy with | 437 // Verify that the resolver positively matched the pattern in the policy with |
| 403 // the test client cert and configured the network. | 438 // the test client cert and configured the network. |
| 404 std::string pkcs11_id; | 439 std::string pkcs11_id; |
| 405 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 440 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 406 EXPECT_EQ(test_cert_id_, pkcs11_id); | 441 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 407 | 442 |
| 408 // Verify that, after the certificate expired and the network disconnection | 443 // Verify that, after the certificate expired and the network disconnection |
| 409 // happens, no client certificate was configured. | 444 // happens, no client certificate was configured. |
| 410 test_clock_->SetNow(base::Time::Max()); | 445 test_clock_->SetNow(base::Time::Max()); |
| 411 SetWifiState(shill::kStateOffline); | 446 SetWifiState(shill::kStateOffline); |
| 412 base::RunLoop().RunUntilIdle(); | 447 base::RunLoop().RunUntilIdle(); |
| 413 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 448 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 414 EXPECT_EQ(std::string(), pkcs11_id); | 449 EXPECT_EQ(std::string(), pkcs11_id); |
| 415 } | 450 } |
| 416 | 451 |
| 452 TEST_F(ClientCertResolverTest, UserPolicyUsesSystemToken) { |
| 453 SetupTestCertInSystemToken("client_1"); |
| 454 SetupWifi(); |
| 455 base::RunLoop().RunUntilIdle(); |
| 456 |
| 457 SetupNetworkHandlers(); |
| 458 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY); |
| 459 base::RunLoop().RunUntilIdle(); |
| 460 |
| 461 StartCertLoader(); |
| 462 base::RunLoop().RunUntilIdle(); |
| 463 EXPECT_EQ(1U, cert_loader_->system_cert_list().size()); |
| 464 |
| 465 // Verify that the resolver positively matched the pattern in the policy with |
| 466 // the test client cert and configured the network. |
| 467 std::string pkcs11_id; |
| 468 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 469 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 470 } |
| 471 |
| 472 TEST_F(ClientCertResolverTest, UserPolicyUsesSystemTokenSync) { |
| 473 SetupTestCertInSystemToken("client_1"); |
| 474 StartCertLoader(); |
| 475 base::RunLoop().RunUntilIdle(); |
| 476 |
| 477 client_cert::ClientCertConfig client_cert_config; |
| 478 SetupCertificateConfigMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY, |
| 479 &client_cert_config); |
| 480 |
| 481 base::DictionaryValue shill_properties; |
| 482 ClientCertResolver::ResolveCertificatePatternSync( |
| 483 client_cert::CONFIG_TYPE_EAP, client_cert_config, &shill_properties); |
| 484 std::string pkcs11_id; |
| 485 shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 486 &pkcs11_id); |
| 487 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 488 } |
| 489 |
| 490 TEST_F(ClientCertResolverTest, DevicePolicyUsesSystemToken) { |
| 491 SetupTestCertInSystemToken("client_1"); |
| 492 SetupWifi(); |
| 493 base::RunLoop().RunUntilIdle(); |
| 494 |
| 495 SetupNetworkHandlers(); |
| 496 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY); |
| 497 base::RunLoop().RunUntilIdle(); |
| 498 |
| 499 StartCertLoader(); |
| 500 base::RunLoop().RunUntilIdle(); |
| 501 EXPECT_EQ(1U, cert_loader_->system_cert_list().size()); |
| 502 |
| 503 // Verify that the resolver positively matched the pattern in the policy with |
| 504 // the test client cert and configured the network. |
| 505 std::string pkcs11_id; |
| 506 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 507 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 508 } |
| 509 |
| 510 TEST_F(ClientCertResolverTest, DevicePolicyUsesSystemTokenSync) { |
| 511 SetupTestCertInSystemToken("client_1"); |
| 512 StartCertLoader(); |
| 513 base::RunLoop().RunUntilIdle(); |
| 514 |
| 515 client_cert::ClientCertConfig client_cert_config; |
| 516 SetupCertificateConfigMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY, |
| 517 &client_cert_config); |
| 518 |
| 519 base::DictionaryValue shill_properties; |
| 520 ClientCertResolver::ResolveCertificatePatternSync( |
| 521 client_cert::CONFIG_TYPE_EAP, client_cert_config, &shill_properties); |
| 522 std::string pkcs11_id; |
| 523 shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 524 &pkcs11_id); |
| 525 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 526 } |
| 527 |
| 528 TEST_F(ClientCertResolverTest, DevicePolicyDoesNotUseUserToken) { |
| 529 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 530 SetupWifi(); |
| 531 base::RunLoop().RunUntilIdle(); |
| 532 |
| 533 SetupNetworkHandlers(); |
| 534 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY); |
| 535 base::RunLoop().RunUntilIdle(); |
| 536 |
| 537 network_properties_changed_count_ = 0; |
| 538 StartCertLoader(); |
| 539 base::RunLoop().RunUntilIdle(); |
| 540 EXPECT_EQ(0U, cert_loader_->system_cert_list().size()); |
| 541 |
| 542 // Verify that no client certificate was configured. |
| 543 std::string pkcs11_id; |
| 544 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 545 EXPECT_EQ(std::string(), pkcs11_id); |
| 546 EXPECT_EQ(1, network_properties_changed_count_); |
| 547 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning()); |
| 548 } |
| 549 |
| 550 TEST_F(ClientCertResolverTest, DevicePolicyDoesNotUseUserTokenSync) { |
| 551 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 552 StartCertLoader(); |
| 553 base::RunLoop().RunUntilIdle(); |
| 554 |
| 555 client_cert::ClientCertConfig client_cert_config; |
| 556 SetupCertificateConfigMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY, |
| 557 &client_cert_config); |
| 558 |
| 559 base::DictionaryValue shill_properties; |
| 560 ClientCertResolver::ResolveCertificatePatternSync( |
| 561 client_cert::CONFIG_TYPE_EAP, client_cert_config, &shill_properties); |
| 562 std::string pkcs11_id; |
| 563 shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 564 &pkcs11_id); |
| 565 EXPECT_EQ(std::string(), pkcs11_id); |
| 566 } |
| 567 |
| 417 TEST_F(ClientCertResolverTest, PopulateIdentityFromCert) { | 568 TEST_F(ClientCertResolverTest, PopulateIdentityFromCert) { |
| 418 SetupTestCerts("client_3", true /* import issuer */); | 569 SetupTestCerts("client_3", true /* import issuer */); |
| 419 SetupWifi(); | 570 SetupWifi(); |
| 420 base::RunLoop().RunUntilIdle(); | 571 base::RunLoop().RunUntilIdle(); |
| 421 | 572 |
| 422 SetupNetworkHandlers(); | 573 SetupNetworkHandlers(); |
| 423 SetupPolicyMatchingIssuerPEM("${CERT_SAN_EMAIL}"); | 574 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, |
| 575 "${CERT_SAN_EMAIL}"); |
| 424 base::RunLoop().RunUntilIdle(); | 576 base::RunLoop().RunUntilIdle(); |
| 425 | 577 |
| 426 network_properties_changed_count_ = 0; | 578 network_properties_changed_count_ = 0; |
| 427 StartCertLoader(); | 579 StartCertLoader(); |
| 428 base::RunLoop().RunUntilIdle(); | 580 base::RunLoop().RunUntilIdle(); |
| 429 | 581 |
| 430 // Verify that the resolver read the subjectAltName email field from the | 582 // Verify that the resolver read the subjectAltName email field from the |
| 431 // cert, and wrote it into the shill service entry. | 583 // cert, and wrote it into the shill service entry. |
| 432 std::string identity; | 584 std::string identity; |
| 433 GetServiceProperty(shill::kEapIdentityProperty, &identity); | 585 GetServiceProperty(shill::kEapIdentityProperty, &identity); |
| 434 EXPECT_EQ("santest@example.com", identity); | 586 EXPECT_EQ("santest@example.com", identity); |
| 435 EXPECT_EQ(1, network_properties_changed_count_); | 587 EXPECT_EQ(1, network_properties_changed_count_); |
| 436 | 588 |
| 437 // Verify that after changing the ONC policy to request a variant of the | 589 // Verify that after changing the ONC policy to request a variant of the |
| 438 // Microsoft Universal Principal Name field instead, the correct value is | 590 // Microsoft Universal Principal Name field instead, the correct value is |
| 439 // substituted into the shill service entry. | 591 // substituted into the shill service entry. |
| 440 SetupPolicyMatchingIssuerPEM("upn-${CERT_SAN_UPN}-suffix"); | 592 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, |
| 593 "upn-${CERT_SAN_UPN}-suffix"); |
| 441 base::RunLoop().RunUntilIdle(); | 594 base::RunLoop().RunUntilIdle(); |
| 442 | 595 |
| 443 GetServiceProperty(shill::kEapIdentityProperty, &identity); | 596 GetServiceProperty(shill::kEapIdentityProperty, &identity); |
| 444 EXPECT_EQ("upn-santest@ad.corp.example.com-suffix", identity); | 597 EXPECT_EQ("upn-santest@ad.corp.example.com-suffix", identity); |
| 445 EXPECT_EQ(2, network_properties_changed_count_); | 598 EXPECT_EQ(2, network_properties_changed_count_); |
| 446 } | 599 } |
| 447 | 600 |
| 448 } // namespace chromeos | 601 } // namespace chromeos |
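Review bot: `DevicePolicyUsesSystemToken` (new line 496) applies the policy with `onc::ONC_SOURCE_USER_POLICY`, so it is a verbatim copy of `UserPolicyUsesSystemToken` and never exercises the device-policy path it is named for, while the sync counterpart at new line 516 does pass `onc::ONC_SOURCE_DEVICE_POLICY`. The line should read `SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY);`; as written, a regression in which device-policy networks stop resolving against the system token would go undetected by the async test. Separately, `SetupCertificateConfigMatchingIssuerCN` (new lines 247–248) leaves `onc_pattern_dict` uninitialized and ignores the `GetAsDictionary` result before dereferencing it on line 251; `base::DictionaryValue* onc_pattern_dict = nullptr;` followed by `ASSERT_TRUE(onc_pattern_value->GetAsDictionary(&onc_pattern_dict));` would match how the list case is checked in `SetupPolicyMatchingIssuerCN`.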