| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 #include "chromeos/network/client_cert_resolver.h" | 4 #include "chromeos/network/client_cert_resolver.h" |
| 5 | 5 |
| 6 #include <cert.h> | 6 #include <cert.h> |
| 7 #include <pk11pub.h> | 7 #include <pk11pub.h> |
| 8 | 8 |
| 9 #include <memory> | 9 #include <memory> |
| 10 | 10 |
| (...skipping 35 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 46 const char* kWifiStub = "wifi_stub"; | 46 const char* kWifiStub = "wifi_stub"; |
| 47 const char* kWifiSSID = "wifi_ssid"; | 47 const char* kWifiSSID = "wifi_ssid"; |
| 48 const char* kUserProfilePath = "user_profile"; | 48 const char* kUserProfilePath = "user_profile"; |
| 49 const char* kUserHash = "user_hash"; | 49 const char* kUserHash = "user_hash"; |
| 50 | 50 |
| 51 } // namespace | 51 } // namespace |
| 52 | 52 |
| 53 class ClientCertResolverTest : public testing::Test, | 53 class ClientCertResolverTest : public testing::Test, |
| 54 public ClientCertResolver::Observer { | 54 public ClientCertResolver::Observer { |
| 55 public: | 55 public: |
| 56 ClientCertResolverTest() | 56 ClientCertResolverTest() : scoped_task_scheduler_(&message_loop_) {} |
| 57 : network_properties_changed_count_(0), | |
| 58 service_test_(nullptr), | |
| 59 profile_test_(nullptr), | |
| 60 cert_loader_(nullptr), | |
| 61 scoped_task_scheduler_(&message_loop_) {} | |
| 62 ~ClientCertResolverTest() override {} | 57 ~ClientCertResolverTest() override {} |
| 63 | 58 |
| 64 void SetUp() override { | 59 void SetUp() override { |
| 65 ASSERT_TRUE(test_nssdb_.is_open()); | 60 ASSERT_TRUE(test_nssdb_.is_open()); |
| 61 ASSERT_TRUE(test_system_nssdb_.is_open()); |
| 66 | 62 |
| 67 // Use the same DB for public and private slot. | 63 // Use the same DB for public and private slot. |
| 68 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS( | 64 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS( |
| 69 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())), | 65 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())), |
| 70 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())))); | 66 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())))); |
| 71 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner()); | 67 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner()); |
| 72 | 68 |
| 73 DBusThreadManager::Initialize(); | 69 DBusThreadManager::Initialize(); |
| 74 service_test_ = | 70 service_test_ = |
| 75 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); | 71 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface(); |
| 76 profile_test_ = | 72 profile_test_ = |
| 77 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); | 73 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface(); |
| 78 profile_test_->AddProfile(kUserProfilePath, kUserHash); | 74 profile_test_->AddProfile(kUserProfilePath, kUserHash); |
| 79 base::RunLoop().RunUntilIdle(); | 75 base::RunLoop().RunUntilIdle(); |
| 80 service_test_->ClearServices(); | 76 service_test_->ClearServices(); |
| 81 base::RunLoop().RunUntilIdle(); | 77 base::RunLoop().RunUntilIdle(); |
| 82 | 78 |
| 83 CertLoader::Initialize(); | 79 CertLoader::Initialize(); |
| 84 cert_loader_ = CertLoader::Get(); | 80 cert_loader_ = CertLoader::Get(); |
| 85 CertLoader::ForceHardwareBackedForTesting(); | 81 CertLoader::ForceHardwareBackedForTesting(); |
| 86 } | 82 } |
| 87 | 83 |
| 88 void TearDown() override { | 84 void TearDown() override { |
| 89 client_cert_resolver_->RemoveObserver(this); | 85 if (client_cert_resolver_) |
| 86 client_cert_resolver_->RemoveObserver(this); |
| 90 client_cert_resolver_.reset(); | 87 client_cert_resolver_.reset(); |
| 91 test_clock_.reset(); | 88 test_clock_.reset(); |
| 92 network_state_handler_->Shutdown(); | 89 if (network_state_handler_) |
| 90 network_state_handler_->Shutdown(); |
| 93 managed_config_handler_.reset(); | 91 managed_config_handler_.reset(); |
| 94 network_config_handler_.reset(); | 92 network_config_handler_.reset(); |
| 95 network_profile_handler_.reset(); | 93 network_profile_handler_.reset(); |
| 96 network_state_handler_.reset(); | 94 network_state_handler_.reset(); |
| 97 CertLoader::Shutdown(); | 95 CertLoader::Shutdown(); |
| 98 DBusThreadManager::Shutdown(); | 96 DBusThreadManager::Shutdown(); |
| 99 } | 97 } |
| 100 | 98 |
| 101 protected: | 99 protected: |
| 102 void StartCertLoader() { | 100 void StartCertLoader() { |
| (...skipping 27 matching lines...) Expand all Loading... |
| 130 << net::ErrorToString(failures[0].net_error); | 128 << net::ErrorToString(failures[0].net_error); |
| 131 } | 129 } |
| 132 | 130 |
| 133 // Import a client cert signed by that CA. | 131 // Import a client cert signed by that CA. |
| 134 test_client_cert_ = net::ImportClientCertAndKeyFromFile( | 132 test_client_cert_ = net::ImportClientCertAndKeyFromFile( |
| 135 net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8", | 133 net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8", |
| 136 test_nssdb_.slot()); | 134 test_nssdb_.slot()); |
| 137 ASSERT_TRUE(test_client_cert_.get()); | 135 ASSERT_TRUE(test_client_cert_.get()); |
| 138 } | 136 } |
| 139 | 137 |
| 138 void SetupTestCertInSystemToken(const std::string& prefix) { |
| 139 test_nsscertdb_->SetSystemSlot( |
| 140 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_system_nssdb_.slot()))); |
| 141 |
| 142 test_client_cert_ = net::ImportClientCertAndKeyFromFile( |
| 143 net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8", |
| 144 test_system_nssdb_.slot()); |
| 145 ASSERT_TRUE(test_client_cert_.get()); |
| 146 } |
| 147 |
| 140 void SetupNetworkHandlers() { | 148 void SetupNetworkHandlers() { |
| 141 network_state_handler_ = NetworkStateHandler::InitializeForTest(); | 149 network_state_handler_ = NetworkStateHandler::InitializeForTest(); |
| 142 network_profile_handler_.reset(new NetworkProfileHandler()); | 150 network_profile_handler_.reset(new NetworkProfileHandler()); |
| 143 network_config_handler_.reset(new NetworkConfigurationHandler()); | 151 network_config_handler_.reset(new NetworkConfigurationHandler()); |
| 144 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); | 152 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl()); |
| 145 client_cert_resolver_.reset(new ClientCertResolver()); | 153 client_cert_resolver_.reset(new ClientCertResolver()); |
| 146 | 154 |
| 147 test_clock_.reset(new base::SimpleTestClock); | 155 test_clock_.reset(new base::SimpleTestClock); |
| 148 test_clock_->SetNow(base::Time::Now()); | 156 test_clock_->SetNow(base::Time::Now()); |
| 149 client_cert_resolver_->SetClockForTesting(test_clock_.get()); | 157 client_cert_resolver_->SetClockForTesting(test_clock_.get()); |
| (...skipping 27 matching lines...) Expand all Loading... |
| 177 profile_test_->AddService(kUserProfilePath, kWifiStub); | 185 profile_test_->AddService(kUserProfilePath, kWifiStub); |
| 178 | 186 |
| 179 DBusThreadManager::Get() | 187 DBusThreadManager::Get() |
| 180 ->GetShillManagerClient() | 188 ->GetShillManagerClient() |
| 181 ->GetTestInterface() | 189 ->GetTestInterface() |
| 182 ->AddManagerService(kWifiStub, true); | 190 ->AddManagerService(kWifiStub, true); |
| 183 } | 191 } |
| 184 | 192 |
| 185 // Sets up a policy with a certificate pattern that matches any client cert | 193 // Sets up a policy with a certificate pattern that matches any client cert |
| 186 // with a certain Issuer CN. It will match the test client cert. | 194 // with a certain Issuer CN. It will match the test client cert. |
| 187 void SetupPolicyMatchingIssuerCN() { | 195 void SetupPolicyMatchingIssuerCN(onc::ONCSource onc_source) { |
| 188 const char* kTestPolicy = | 196 const char* kTestPolicy = |
| 189 "[ { \"GUID\": \"wifi_stub\"," | 197 "[ { \"GUID\": \"wifi_stub\"," |
| 190 " \"Name\": \"wifi_stub\"," | 198 " \"Name\": \"wifi_stub\"," |
| 191 " \"Type\": \"WiFi\"," | 199 " \"Type\": \"WiFi\"," |
| 192 " \"WiFi\": {" | 200 " \"WiFi\": {" |
| 193 " \"Security\": \"WPA-EAP\"," | 201 " \"Security\": \"WPA-EAP\"," |
| 194 " \"SSID\": \"wifi_ssid\"," | 202 " \"SSID\": \"wifi_ssid\"," |
| 195 " \"EAP\": {" | 203 " \"EAP\": {" |
| 196 " \"Outer\": \"EAP-TLS\"," | 204 " \"Outer\": \"EAP-TLS\"," |
| 197 " \"ClientCertType\": \"Pattern\"," | 205 " \"ClientCertType\": \"Pattern\"," |
| 198 " \"ClientCertPattern\": {" | 206 " \"ClientCertPattern\": {" |
| 199 " \"Issuer\": {" | 207 " \"Issuer\": {" |
| 200 " \"CommonName\": \"B CA\"" | 208 " \"CommonName\": \"B CA\"" |
| 201 " }" | 209 " }" |
| 202 " }" | 210 " }" |
| 203 " }" | 211 " }" |
| 204 " }" | 212 " }" |
| 205 "} ]"; | 213 "} ]"; |
| 206 | 214 |
| 207 std::string error; | 215 std::string error; |
| 208 std::unique_ptr<base::Value> policy_value = | 216 std::unique_ptr<base::Value> policy_value = |
| 209 base::JSONReader::ReadAndReturnError( | 217 base::JSONReader::ReadAndReturnError( |
| 210 kTestPolicy, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); | 218 kTestPolicy, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 211 ASSERT_TRUE(policy_value) << error; | 219 ASSERT_TRUE(policy_value) << error; |
| 212 | 220 |
| 213 base::ListValue* policy = nullptr; | 221 base::ListValue* policy = nullptr; |
| 214 ASSERT_TRUE(policy_value->GetAsList(&policy)); | 222 ASSERT_TRUE(policy_value->GetAsList(&policy)); |
| 215 | 223 |
| 224 std::string user_hash = |
| 225 onc_source == onc::ONC_SOURCE_USER_POLICY ? kUserHash : ""; |
| 216 managed_config_handler_->SetPolicy( | 226 managed_config_handler_->SetPolicy( |
| 217 onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy, | 227 onc_source, user_hash, *policy, |
| 218 base::DictionaryValue() /* no global network config */); | 228 base::DictionaryValue() /* no global network config */); |
| 219 } | 229 } |
| 220 | 230 |
| 231 void SetupCertificateConfigMatchingIssuerCN( |
| 232 onc::ONCSource onc_source, |
| 233 client_cert::ClientCertConfig* client_cert_config) { |
| 234 const char* kTestOncPattern = |
| 235 "{" |
| 236 " \"Issuer\": {" |
| 237 " \"CommonName\": \"B CA\"" |
| 238 " }" |
| 239 "}"; |
| 240 std::string error; |
| 241 std::unique_ptr<base::Value> onc_pattern_value = |
| 242 base::JSONReader::ReadAndReturnError( |
| 243 kTestOncPattern, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 244 ASSERT_TRUE(onc_pattern_value) << error; |
| 245 |
| 246 base::DictionaryValue* onc_pattern_dict; |
| 247 onc_pattern_value->GetAsDictionary(&onc_pattern_dict); |
| 248 |
| 249 client_cert_config->onc_source = onc_source; |
| 250 client_cert_config->pattern.ReadFromONCDictionary(*onc_pattern_dict); |
| 251 } |
| 252 |
| 221 // Sets up a policy with a certificate pattern that matches any client cert | 253 // Sets up a policy with a certificate pattern that matches any client cert |
| 222 // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In | 254 // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In |
| 223 // particular it will match the test client cert. | 255 // particular it will match the test client cert. |
| 224 void SetupPolicyMatchingIssuerPEM(const std::string& identity) { | 256 void SetupPolicyMatchingIssuerPEM(onc::ONCSource onc_source, |
| 257 const std::string& identity) { |
| 225 const char* kTestPolicyTemplate = | 258 const char* kTestPolicyTemplate = |
| 226 "[ { \"GUID\": \"wifi_stub\"," | 259 "[ { \"GUID\": \"wifi_stub\"," |
| 227 " \"Name\": \"wifi_stub\"," | 260 " \"Name\": \"wifi_stub\"," |
| 228 " \"Type\": \"WiFi\"," | 261 " \"Type\": \"WiFi\"," |
| 229 " \"WiFi\": {" | 262 " \"WiFi\": {" |
| 230 " \"Security\": \"WPA-EAP\"," | 263 " \"Security\": \"WPA-EAP\"," |
| 231 " \"SSID\": \"wifi_ssid\"," | 264 " \"SSID\": \"wifi_ssid\"," |
| 232 " \"EAP\": {" | 265 " \"EAP\": {" |
| 233 " \"Identity\": \"%s\"," | 266 " \"Identity\": \"%s\"," |
| 234 " \"Outer\": \"EAP-TLS\"," | 267 " \"Outer\": \"EAP-TLS\"," |
| 235 " \"ClientCertType\": \"Pattern\"," | 268 " \"ClientCertType\": \"Pattern\"," |
| 236 " \"ClientCertPattern\": {" | 269 " \"ClientCertPattern\": {" |
| 237 " \"IssuerCAPEMs\": [ \"%s\" ]" | 270 " \"IssuerCAPEMs\": [ \"%s\" ]" |
| 238 " }" | 271 " }" |
| 239 " }" | 272 " }" |
| 240 " }" | 273 " }" |
| 241 "} ]"; | 274 "} ]"; |
| 242 std::string policy_json = base::StringPrintf( | 275 std::string policy_json = base::StringPrintf( |
| 243 kTestPolicyTemplate, identity.c_str(), test_ca_cert_pem_.c_str()); | 276 kTestPolicyTemplate, identity.c_str(), test_ca_cert_pem_.c_str()); |
| 244 | 277 |
| 245 std::string error; | 278 std::string error; |
| 246 std::unique_ptr<base::Value> policy_value = | 279 std::unique_ptr<base::Value> policy_value = |
| 247 base::JSONReader::ReadAndReturnError( | 280 base::JSONReader::ReadAndReturnError( |
| 248 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); | 281 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error); |
| 249 ASSERT_TRUE(policy_value) << error; | 282 ASSERT_TRUE(policy_value) << error; |
| 250 | 283 |
| 251 base::ListValue* policy = nullptr; | 284 base::ListValue* policy = nullptr; |
| 252 ASSERT_TRUE(policy_value->GetAsList(&policy)); | 285 ASSERT_TRUE(policy_value->GetAsList(&policy)); |
| 253 | 286 |
| 287 std::string user_hash = |
| 288 onc_source == onc::ONC_SOURCE_USER_POLICY ? kUserHash : ""; |
| 254 managed_config_handler_->SetPolicy( | 289 managed_config_handler_->SetPolicy( |
| 255 onc::ONC_SOURCE_USER_POLICY, | 290 onc_source, user_hash, *policy, |
| 256 kUserHash, | |
| 257 *policy, | |
| 258 base::DictionaryValue() /* no global network config */); | 291 base::DictionaryValue() /* no global network config */); |
| 259 } | 292 } |
| 260 | 293 |
| 261 void SetWifiState(const std::string& state) { | 294 void SetWifiState(const std::string& state) { |
| 262 ASSERT_TRUE(service_test_->SetServiceProperty( | 295 ASSERT_TRUE(service_test_->SetServiceProperty( |
| 263 kWifiStub, shill::kStateProperty, base::Value(state))); | 296 kWifiStub, shill::kStateProperty, base::Value(state))); |
| 264 } | 297 } |
| 265 | 298 |
| 266 void GetServiceProperty(const std::string& prop_name, | 299 void GetServiceProperty(const std::string& prop_name, |
| 267 std::string* prop_value) { | 300 std::string* prop_value) { |
| 268 prop_value->clear(); | 301 prop_value->clear(); |
| 269 const base::DictionaryValue* properties = | 302 const base::DictionaryValue* properties = |
| 270 service_test_->GetServiceProperties(kWifiStub); | 303 service_test_->GetServiceProperties(kWifiStub); |
| 271 if (!properties) | 304 if (!properties) |
| 272 return; | 305 return; |
| 273 properties->GetStringWithoutPathExpansion(prop_name, prop_value); | 306 properties->GetStringWithoutPathExpansion(prop_name, prop_value); |
| 274 } | 307 } |
| 275 | 308 |
| 276 int network_properties_changed_count_; | 309 int network_properties_changed_count_ = 0; |
| 277 std::string test_cert_id_; | 310 std::string test_cert_id_; |
| 278 std::unique_ptr<base::SimpleTestClock> test_clock_; | 311 std::unique_ptr<base::SimpleTestClock> test_clock_; |
| 279 std::unique_ptr<ClientCertResolver> client_cert_resolver_; | 312 std::unique_ptr<ClientCertResolver> client_cert_resolver_; |
| 313 CertLoader* cert_loader_ = nullptr; |
| 280 | 314 |
| 281 private: | 315 private: |
| 282 // ClientCertResolver::Observer: | 316 // ClientCertResolver::Observer: |
| 283 void ResolveRequestCompleted(bool network_properties_changed) override { | 317 void ResolveRequestCompleted(bool network_properties_changed) override { |
| 284 if (network_properties_changed) | 318 if (network_properties_changed) |
| 285 ++network_properties_changed_count_; | 319 ++network_properties_changed_count_; |
| 286 } | 320 } |
| 287 | 321 |
| 288 ShillServiceClient::TestInterface* service_test_; | 322 ShillServiceClient::TestInterface* service_test_ = nullptr; |
| 289 ShillProfileClient::TestInterface* profile_test_; | 323 ShillProfileClient::TestInterface* profile_test_ = nullptr; |
| 290 CertLoader* cert_loader_; | |
| 291 std::unique_ptr<NetworkStateHandler> network_state_handler_; | 324 std::unique_ptr<NetworkStateHandler> network_state_handler_; |
| 292 std::unique_ptr<NetworkProfileHandler> network_profile_handler_; | 325 std::unique_ptr<NetworkProfileHandler> network_profile_handler_; |
| 293 std::unique_ptr<NetworkConfigurationHandler> network_config_handler_; | 326 std::unique_ptr<NetworkConfigurationHandler> network_config_handler_; |
| 294 std::unique_ptr<ManagedNetworkConfigurationHandlerImpl> | 327 std::unique_ptr<ManagedNetworkConfigurationHandlerImpl> |
| 295 managed_config_handler_; | 328 managed_config_handler_; |
| 296 base::MessageLoop message_loop_; | 329 base::MessageLoop message_loop_; |
| 297 base::test::ScopedTaskScheduler scoped_task_scheduler_; | 330 base::test::ScopedTaskScheduler scoped_task_scheduler_; |
| 298 scoped_refptr<net::X509Certificate> test_client_cert_; | 331 scoped_refptr<net::X509Certificate> test_client_cert_; |
| 299 std::string test_ca_cert_pem_; | 332 std::string test_ca_cert_pem_; |
| 300 crypto::ScopedTestNSSDB test_nssdb_; | 333 crypto::ScopedTestNSSDB test_nssdb_; |
| 334 crypto::ScopedTestNSSDB test_system_nssdb_; |
| 301 std::unique_ptr<net::NSSCertDatabaseChromeOS> test_nsscertdb_; | 335 std::unique_ptr<net::NSSCertDatabaseChromeOS> test_nsscertdb_; |
| 302 | 336 |
| 303 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest); | 337 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest); |
| 304 }; | 338 }; |
| 305 | 339 |
| 306 TEST_F(ClientCertResolverTest, NoMatchingCertificates) { | 340 TEST_F(ClientCertResolverTest, NoMatchingCertificates) { |
| 307 SetupTestCerts("client_1", false /* do not import the issuer */); | 341 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 308 StartCertLoader(); | 342 StartCertLoader(); |
| 309 SetupWifi(); | 343 SetupWifi(); |
| 310 base::RunLoop().RunUntilIdle(); | 344 base::RunLoop().RunUntilIdle(); |
| 311 network_properties_changed_count_ = 0; | 345 network_properties_changed_count_ = 0; |
| 312 SetupNetworkHandlers(); | 346 SetupNetworkHandlers(); |
| 313 SetupPolicyMatchingIssuerPEM(""); | 347 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 314 base::RunLoop().RunUntilIdle(); | 348 base::RunLoop().RunUntilIdle(); |
| 315 | 349 |
| 316 // Verify that no client certificate was configured. | 350 // Verify that no client certificate was configured. |
| 317 std::string pkcs11_id; | 351 std::string pkcs11_id; |
| 318 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 352 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 319 EXPECT_EQ(std::string(), pkcs11_id); | 353 EXPECT_EQ(std::string(), pkcs11_id); |
| 320 EXPECT_EQ(1, network_properties_changed_count_); | 354 EXPECT_EQ(1, network_properties_changed_count_); |
| 321 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning()); | 355 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning()); |
| 322 } | 356 } |
| 323 | 357 |
| 324 TEST_F(ClientCertResolverTest, MatchIssuerCNWithoutIssuerInstalled) { | 358 TEST_F(ClientCertResolverTest, MatchIssuerCNWithoutIssuerInstalled) { |
| 325 SetupTestCerts("client_1", false /* do not import the issuer */); | 359 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 326 SetupWifi(); | 360 SetupWifi(); |
| 327 base::RunLoop().RunUntilIdle(); | 361 base::RunLoop().RunUntilIdle(); |
| 328 | 362 |
| 329 SetupNetworkHandlers(); | 363 SetupNetworkHandlers(); |
| 330 SetupPolicyMatchingIssuerCN(); | 364 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY); |
| 331 base::RunLoop().RunUntilIdle(); | 365 base::RunLoop().RunUntilIdle(); |
| 332 | 366 |
| 333 network_properties_changed_count_ = 0; | 367 network_properties_changed_count_ = 0; |
| 334 StartCertLoader(); | 368 StartCertLoader(); |
| 335 base::RunLoop().RunUntilIdle(); | 369 base::RunLoop().RunUntilIdle(); |
| 336 | 370 |
| 337 // Verify that the resolver positively matched the pattern in the policy with | 371 // Verify that the resolver positively matched the pattern in the policy with |
| 338 // the test client cert and configured the network. | 372 // the test client cert and configured the network. |
| 339 std::string pkcs11_id; | 373 std::string pkcs11_id; |
| 340 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 374 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 341 EXPECT_EQ(test_cert_id_, pkcs11_id); | 375 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 342 EXPECT_EQ(1, network_properties_changed_count_); | 376 EXPECT_EQ(1, network_properties_changed_count_); |
| 343 } | 377 } |
| 344 | 378 |
| 345 TEST_F(ClientCertResolverTest, ResolveOnCertificatesLoaded) { | 379 TEST_F(ClientCertResolverTest, ResolveOnCertificatesLoaded) { |
| 346 SetupTestCerts("client_1", true /* import issuer */); | 380 SetupTestCerts("client_1", true /* import issuer */); |
| 347 SetupWifi(); | 381 SetupWifi(); |
| 348 base::RunLoop().RunUntilIdle(); | 382 base::RunLoop().RunUntilIdle(); |
| 349 | 383 |
| 350 SetupNetworkHandlers(); | 384 SetupNetworkHandlers(); |
| 351 SetupPolicyMatchingIssuerPEM(""); | 385 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 352 base::RunLoop().RunUntilIdle(); | 386 base::RunLoop().RunUntilIdle(); |
| 353 | 387 |
| 354 network_properties_changed_count_ = 0; | 388 network_properties_changed_count_ = 0; |
| 355 StartCertLoader(); | 389 StartCertLoader(); |
| 356 base::RunLoop().RunUntilIdle(); | 390 base::RunLoop().RunUntilIdle(); |
| 357 | 391 |
| 358 // Verify that the resolver positively matched the pattern in the policy with | 392 // Verify that the resolver positively matched the pattern in the policy with |
| 359 // the test client cert and configured the network. | 393 // the test client cert and configured the network. |
| 360 std::string pkcs11_id; | 394 std::string pkcs11_id; |
| 361 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 395 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 362 EXPECT_EQ(test_cert_id_, pkcs11_id); | 396 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 363 EXPECT_EQ(1, network_properties_changed_count_); | 397 EXPECT_EQ(1, network_properties_changed_count_); |
| 364 } | 398 } |
| 365 | 399 |
| 366 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) { | 400 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) { |
| 367 SetupTestCerts("client_1", true /* import issuer */); | 401 SetupTestCerts("client_1", true /* import issuer */); |
| 368 SetupWifi(); | 402 SetupWifi(); |
| 369 base::RunLoop().RunUntilIdle(); | 403 base::RunLoop().RunUntilIdle(); |
| 370 StartCertLoader(); | 404 StartCertLoader(); |
| 371 SetupNetworkHandlers(); | 405 SetupNetworkHandlers(); |
| 372 base::RunLoop().RunUntilIdle(); | 406 base::RunLoop().RunUntilIdle(); |
| 373 | 407 |
| 374 // Policy application will trigger the ClientCertResolver. | 408 // Policy application will trigger the ClientCertResolver. |
| 375 network_properties_changed_count_ = 0; | 409 network_properties_changed_count_ = 0; |
| 376 SetupPolicyMatchingIssuerPEM(""); | 410 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 377 base::RunLoop().RunUntilIdle(); | 411 base::RunLoop().RunUntilIdle(); |
| 378 | 412 |
| 379 // Verify that the resolver positively matched the pattern in the policy with | 413 // Verify that the resolver positively matched the pattern in the policy with |
| 380 // the test client cert and configured the network. | 414 // the test client cert and configured the network. |
| 381 std::string pkcs11_id; | 415 std::string pkcs11_id; |
| 382 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 416 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 383 EXPECT_EQ(test_cert_id_, pkcs11_id); | 417 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 384 EXPECT_EQ(1, network_properties_changed_count_); | 418 EXPECT_EQ(1, network_properties_changed_count_); |
| 385 } | 419 } |
| 386 | 420 |
| 387 TEST_F(ClientCertResolverTest, ExpiringCertificate) { | 421 TEST_F(ClientCertResolverTest, ExpiringCertificate) { |
| 388 SetupTestCerts("client_1", true /* import issuer */); | 422 SetupTestCerts("client_1", true /* import issuer */); |
| 389 SetupWifi(); | 423 SetupWifi(); |
| 390 base::RunLoop().RunUntilIdle(); | 424 base::RunLoop().RunUntilIdle(); |
| 391 | 425 |
| 392 SetupNetworkHandlers(); | 426 SetupNetworkHandlers(); |
| 393 SetupPolicyMatchingIssuerPEM(""); | 427 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, ""); |
| 394 base::RunLoop().RunUntilIdle(); | 428 base::RunLoop().RunUntilIdle(); |
| 395 | 429 |
| 396 StartCertLoader(); | 430 StartCertLoader(); |
| 397 base::RunLoop().RunUntilIdle(); | 431 base::RunLoop().RunUntilIdle(); |
| 398 | 432 |
| 399 SetWifiState(shill::kStateOnline); | 433 SetWifiState(shill::kStateOnline); |
| 400 base::RunLoop().RunUntilIdle(); | 434 base::RunLoop().RunUntilIdle(); |
| 401 | 435 |
| 402 // Verify that the resolver positively matched the pattern in the policy with | 436 // Verify that the resolver positively matched the pattern in the policy with |
| 403 // the test client cert and configured the network. | 437 // the test client cert and configured the network. |
| 404 std::string pkcs11_id; | 438 std::string pkcs11_id; |
| 405 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 439 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 406 EXPECT_EQ(test_cert_id_, pkcs11_id); | 440 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 407 | 441 |
| 408 // Verify that, after the certificate expired and the network disconnection | 442 // Verify that, after the certificate expired and the network disconnection |
| 409 // happens, no client certificate was configured. | 443 // happens, no client certificate was configured. |
| 410 test_clock_->SetNow(base::Time::Max()); | 444 test_clock_->SetNow(base::Time::Max()); |
| 411 SetWifiState(shill::kStateOffline); | 445 SetWifiState(shill::kStateOffline); |
| 412 base::RunLoop().RunUntilIdle(); | 446 base::RunLoop().RunUntilIdle(); |
| 413 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); | 447 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 414 EXPECT_EQ(std::string(), pkcs11_id); | 448 EXPECT_EQ(std::string(), pkcs11_id); |
| 415 } | 449 } |
| 416 | 450 |
| 451 TEST_F(ClientCertResolverTest, UserPolicyUsesSystemToken) { |
| 452 SetupTestCertInSystemToken("client_1"); |
| 453 SetupWifi(); |
| 454 base::RunLoop().RunUntilIdle(); |
| 455 |
| 456 SetupNetworkHandlers(); |
| 457 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY); |
| 458 base::RunLoop().RunUntilIdle(); |
| 459 |
| 460 StartCertLoader(); |
| 461 base::RunLoop().RunUntilIdle(); |
| 462 EXPECT_EQ(1U, cert_loader_->system_certs().size()); |
| 463 |
| 464 // Verify that the resolver positively matched the pattern in the policy with |
| 465 // the test client cert and configured the network. |
| 466 std::string pkcs11_id; |
| 467 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 468 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 469 } |
| 470 |
| 471 TEST_F(ClientCertResolverTest, UserPolicyUsesSystemTokenSync) { |
| 472 SetupTestCertInSystemToken("client_1"); |
| 473 StartCertLoader(); |
| 474 base::RunLoop().RunUntilIdle(); |
| 475 |
| 476 client_cert::ClientCertConfig client_cert_config; |
| 477 SetupCertificateConfigMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY, |
| 478 &client_cert_config); |
| 479 |
| 480 base::DictionaryValue shill_properties; |
| 481 ClientCertResolver::ResolveCertificatePatternSync( |
| 482 client_cert::CONFIG_TYPE_EAP, client_cert_config, &shill_properties); |
| 483 std::string pkcs11_id; |
| 484 shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 485 &pkcs11_id); |
| 486 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 487 } |
| 488 |
| 489 TEST_F(ClientCertResolverTest, DevicePolicyUsesSystemToken) { |
| 490 SetupTestCertInSystemToken("client_1"); |
| 491 SetupWifi(); |
| 492 base::RunLoop().RunUntilIdle(); |
| 493 |
| 494 SetupNetworkHandlers(); |
| 495 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_USER_POLICY); |
| 496 base::RunLoop().RunUntilIdle(); |
| 497 |
| 498 StartCertLoader(); |
| 499 base::RunLoop().RunUntilIdle(); |
| 500 EXPECT_EQ(1U, cert_loader_->system_certs().size()); |
| 501 |
| 502 // Verify that the resolver positively matched the pattern in the policy with |
| 503 // the test client cert and configured the network. |
| 504 std::string pkcs11_id; |
| 505 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 506 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 507 } |
| 508 |
| 509 TEST_F(ClientCertResolverTest, DevicePolicyUsesSystemTokenSync) { |
| 510 SetupTestCertInSystemToken("client_1"); |
| 511 StartCertLoader(); |
| 512 base::RunLoop().RunUntilIdle(); |
| 513 |
| 514 client_cert::ClientCertConfig client_cert_config; |
| 515 SetupCertificateConfigMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY, |
| 516 &client_cert_config); |
| 517 |
| 518 base::DictionaryValue shill_properties; |
| 519 ClientCertResolver::ResolveCertificatePatternSync( |
| 520 client_cert::CONFIG_TYPE_EAP, client_cert_config, &shill_properties); |
| 521 std::string pkcs11_id; |
| 522 shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 523 &pkcs11_id); |
| 524 EXPECT_EQ(test_cert_id_, pkcs11_id); |
| 525 } |
| 526 |
| 527 TEST_F(ClientCertResolverTest, DevicePolicyDoesNotUseUserToken) { |
| 528 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 529 SetupWifi(); |
| 530 base::RunLoop().RunUntilIdle(); |
| 531 |
| 532 SetupNetworkHandlers(); |
| 533 SetupPolicyMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY); |
| 534 base::RunLoop().RunUntilIdle(); |
| 535 |
| 536 network_properties_changed_count_ = 0; |
| 537 StartCertLoader(); |
| 538 base::RunLoop().RunUntilIdle(); |
| 539 EXPECT_EQ(0U, cert_loader_->system_certs().size()); |
| 540 |
| 541 // Verify that no client certificate was configured. |
| 542 std::string pkcs11_id; |
| 543 GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id); |
| 544 EXPECT_EQ(std::string(), pkcs11_id); |
| 545 EXPECT_EQ(1, network_properties_changed_count_); |
| 546 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning()); |
| 547 } |
| 548 |
| 549 TEST_F(ClientCertResolverTest, DevicePolicyDoesNotUseUserTokenSync) { |
| 550 SetupTestCerts("client_1", false /* do not import the issuer */); |
| 551 StartCertLoader(); |
| 552 base::RunLoop().RunUntilIdle(); |
| 553 |
| 554 client_cert::ClientCertConfig client_cert_config; |
| 555 SetupCertificateConfigMatchingIssuerCN(onc::ONC_SOURCE_DEVICE_POLICY, |
| 556 &client_cert_config); |
| 557 |
| 558 base::DictionaryValue shill_properties; |
| 559 ClientCertResolver::ResolveCertificatePatternSync( |
| 560 client_cert::CONFIG_TYPE_EAP, client_cert_config, &shill_properties); |
| 561 std::string pkcs11_id; |
| 562 shill_properties.GetStringWithoutPathExpansion(shill::kEapCertIdProperty, |
| 563 &pkcs11_id); |
| 564 EXPECT_EQ(std::string(), pkcs11_id); |
| 565 } |
| 566 |
| 417 TEST_F(ClientCertResolverTest, PopulateIdentityFromCert) { | 567 TEST_F(ClientCertResolverTest, PopulateIdentityFromCert) { |
| 418 SetupTestCerts("client_3", true /* import issuer */); | 568 SetupTestCerts("client_3", true /* import issuer */); |
| 419 SetupWifi(); | 569 SetupWifi(); |
| 420 base::RunLoop().RunUntilIdle(); | 570 base::RunLoop().RunUntilIdle(); |
| 421 | 571 |
| 422 SetupNetworkHandlers(); | 572 SetupNetworkHandlers(); |
| 423 SetupPolicyMatchingIssuerPEM("${CERT_SAN_EMAIL}"); | 573 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, |
| 574 "${CERT_SAN_EMAIL}"); |
| 424 base::RunLoop().RunUntilIdle(); | 575 base::RunLoop().RunUntilIdle(); |
| 425 | 576 |
| 426 network_properties_changed_count_ = 0; | 577 network_properties_changed_count_ = 0; |
| 427 StartCertLoader(); | 578 StartCertLoader(); |
| 428 base::RunLoop().RunUntilIdle(); | 579 base::RunLoop().RunUntilIdle(); |
| 429 | 580 |
| 430 // Verify that the resolver read the subjectAltName email field from the | 581 // Verify that the resolver read the subjectAltName email field from the |
| 431 // cert, and wrote it into the shill service entry. | 582 // cert, and wrote it into the shill service entry. |
| 432 std::string identity; | 583 std::string identity; |
| 433 GetServiceProperty(shill::kEapIdentityProperty, &identity); | 584 GetServiceProperty(shill::kEapIdentityProperty, &identity); |
| 434 EXPECT_EQ("santest@example.com", identity); | 585 EXPECT_EQ("santest@example.com", identity); |
| 435 EXPECT_EQ(1, network_properties_changed_count_); | 586 EXPECT_EQ(1, network_properties_changed_count_); |
| 436 | 587 |
| 437 // Verify that after changing the ONC policy to request a variant of the | 588 // Verify that after changing the ONC policy to request a variant of the |
| 438 // Microsoft Universal Principal Name field instead, the correct value is | 589 // Microsoft Universal Principal Name field instead, the correct value is |
| 439 // substituted into the shill service entry. | 590 // substituted into the shill service entry. |
| 440 SetupPolicyMatchingIssuerPEM("upn-${CERT_SAN_UPN}-suffix"); | 591 SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, |
| 592 "upn-${CERT_SAN_UPN}-suffix"); |
| 441 base::RunLoop().RunUntilIdle(); | 593 base::RunLoop().RunUntilIdle(); |
| 442 | 594 |
| 443 GetServiceProperty(shill::kEapIdentityProperty, &identity); | 595 GetServiceProperty(shill::kEapIdentityProperty, &identity); |
| 444 EXPECT_EQ("upn-santest@ad.corp.example.com-suffix", identity); | 596 EXPECT_EQ("upn-santest@ad.corp.example.com-suffix", identity); |
| 445 EXPECT_EQ(2, network_properties_changed_count_); | 597 EXPECT_EQ(2, network_properties_changed_count_); |
| 446 } | 598 } |
| 447 | 599 |
| 448 } // namespace chromeos | 600 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2828713002:
Enable client certificate patterns in device ONC policy (Closed)
