Enable client certificate patterns in device ONC policy

chromeos/network/client_cert_resolver_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 #include "chromeos/network/client_cert_resolver.h"
 
 #include <cert.h>
 #include <pk11pub.h>
 
 #include <memory>
 
@@ skipping 37 matching lines @@
 const char* kUserProfilePath = "user_profile";
 const char* kUserHash = "user_hash";
 
 }  // namespace
 
 class ClientCertResolverTest : public testing::Test,
                                public ClientCertResolver::Observer {
  public:
   ClientCertResolverTest()
       : network_properties_changed_count_(0),
+        cert_loader_(nullptr),

[emaxx, 2017/04/20 20:10:39]

nit: It's generally advisable to move onto C++11 in-class initializers in such
straightforward cases. (If you take this change on, please also update other
members that are initialized here.)

[pmarko, 2017/04/24 14:49:56]

Done. I've left scoped_task_scheduler(&message_loop) in the initializer list
because it's the only non-trivial one.

         service_test_(nullptr),
         profile_test_(nullptr),
-        cert_loader_(nullptr),
         scoped_task_scheduler_(&message_loop_) {}
   ~ClientCertResolverTest() override {}
 
   void SetUp() override {
     ASSERT_TRUE(test_nssdb_.is_open());
+    ASSERT_TRUE(test_system_nssdb_.is_open());
 
     // Use the same DB for public and private slot.
     test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS(
         crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())),
         crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot()))));
     test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner());
 
     DBusThreadManager::Initialize();
     service_test_ =
         DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
@@ skipping 54 matching lines @@
           << net::ErrorToString(failures[0].net_error);
     }
 
     // Import a client cert signed by that CA.
     test_client_cert_ = net::ImportClientCertAndKeyFromFile(
         net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8",
         test_nssdb_.slot());
     ASSERT_TRUE(test_client_cert_.get());
   }
 
+  void SetupTestCertInSystemToken(const std::string& prefix) {
+    test_nsscertdb_->SetSystemSlot(
+        crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_system_nssdb_.slot())));
+
+    test_client_cert_ = net::ImportClientCertAndKeyFromFile(
+        net::GetTestCertsDirectory(), prefix + ".pem", prefix + ".pk8",
+        test_system_nssdb_.slot());
+    ASSERT_TRUE(test_client_cert_.get());
+  }
+
   void SetupNetworkHandlers() {
     network_state_handler_ = NetworkStateHandler::InitializeForTest();
     network_profile_handler_.reset(new NetworkProfileHandler());
     network_config_handler_.reset(new NetworkConfigurationHandler());
     managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl());
     client_cert_resolver_.reset(new ClientCertResolver());
 
     test_clock_.reset(new base::SimpleTestClock);
     test_clock_->SetNow(base::Time::Now());
     client_cert_resolver_->SetClockForTesting(test_clock_.get());
@@ skipping 64 matching lines @@
     ASSERT_TRUE(policy_value->GetAsList(&policy));
 
     managed_config_handler_->SetPolicy(
         onc::ONC_SOURCE_USER_POLICY, kUserHash, *policy,
         base::DictionaryValue() /* no global network config */);
   }
 
   // Sets up a policy with a certificate pattern that matches any client cert
   // that is signed by the test CA cert (stored in |test_ca_cert_pem_|). In
   // particular it will match the test client cert.
-  void SetupPolicyMatchingIssuerPEM(const std::string& identity) {
+  void SetupPolicyMatchingIssuerPEM(onc::ONCSource onc_source,
+                                    const std::string& identity) {
     const char* kTestPolicyTemplate =
         "[ { \"GUID\": \"wifi_stub\","
         "    \"Name\": \"wifi_stub\","
         "    \"Type\": \"WiFi\","
         "    \"WiFi\": {"
         "      \"Security\": \"WPA-EAP\","
         "      \"SSID\": \"wifi_ssid\","
         "      \"EAP\": {"
         "        \"Identity\": \"%s\","
         "        \"Outer\": \"EAP-TLS\","
         "        \"ClientCertType\": \"Pattern\","
         "        \"ClientCertPattern\": {"
         "          \"IssuerCAPEMs\": [ \"%s\" ]"
         "        }"
         "      }"
         "    }"
         "} ]";
     std::string policy_json = base::StringPrintf(
         kTestPolicyTemplate, identity.c_str(), test_ca_cert_pem_.c_str());
 
     std::string error;
     std::unique_ptr<base::Value> policy_value =
         base::JSONReader::ReadAndReturnError(
             policy_json, base::JSON_ALLOW_TRAILING_COMMAS, nullptr, &error);
     ASSERT_TRUE(policy_value) << error;
 
     base::ListValue* policy = nullptr;
     ASSERT_TRUE(policy_value->GetAsList(&policy));
 
+    std::string user_hash =
+        onc_source == onc::ONC_SOURCE_USER_POLICY ? kUserHash : "";
     managed_config_handler_->SetPolicy(
-        onc::ONC_SOURCE_USER_POLICY,
-        kUserHash,
-        *policy,
+        onc_source, user_hash, *policy,
         base::DictionaryValue() /* no global network config */);
   }
 
   void SetWifiState(const std::string& state) {
     ASSERT_TRUE(service_test_->SetServiceProperty(
         kWifiStub, shill::kStateProperty, base::Value(state)));
   }
 
   void GetServiceProperty(const std::string& prop_name,
                           std::string* prop_value) {
     prop_value->clear();
     const base::DictionaryValue* properties =
         service_test_->GetServiceProperties(kWifiStub);
     if (!properties)
       return;
     properties->GetStringWithoutPathExpansion(prop_name, prop_value);
   }
 
   int network_properties_changed_count_;
   std::string test_cert_id_;
   std::unique_ptr<base::SimpleTestClock> test_clock_;
   std::unique_ptr<ClientCertResolver> client_cert_resolver_;
+  CertLoader* cert_loader_;
 
  private:
   // ClientCertResolver::Observer:
   void ResolveRequestCompleted(bool network_properties_changed) override {
     if (network_properties_changed)
       ++network_properties_changed_count_;
   }
 
   ShillServiceClient::TestInterface* service_test_;
   ShillProfileClient::TestInterface* profile_test_;
-  CertLoader* cert_loader_;
   std::unique_ptr<NetworkStateHandler> network_state_handler_;
   std::unique_ptr<NetworkProfileHandler> network_profile_handler_;
   std::unique_ptr<NetworkConfigurationHandler> network_config_handler_;
   std::unique_ptr<ManagedNetworkConfigurationHandlerImpl>
       managed_config_handler_;
   base::MessageLoop message_loop_;
   base::test::ScopedTaskScheduler scoped_task_scheduler_;
   scoped_refptr<net::X509Certificate> test_client_cert_;
   std::string test_ca_cert_pem_;
   crypto::ScopedTestNSSDB test_nssdb_;
+  crypto::ScopedTestNSSDB test_system_nssdb_;
   std::unique_ptr<net::NSSCertDatabaseChromeOS> test_nsscertdb_;
 
   DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);
 };
 
 TEST_F(ClientCertResolverTest, NoMatchingCertificates) {
   SetupTestCerts("client_1", false /* do not import the issuer */);
   StartCertLoader();
   SetupWifi();
   base::RunLoop().RunUntilIdle();
   network_properties_changed_count_ = 0;
   SetupNetworkHandlers();
-  SetupPolicyMatchingIssuerPEM("");
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, "");
   base::RunLoop().RunUntilIdle();
 
   // Verify that no client certificate was configured.
   std::string pkcs11_id;
   GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
   EXPECT_EQ(std::string(), pkcs11_id);
   EXPECT_EQ(1, network_properties_changed_count_);
   EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning());
 }
 
@@ skipping 17 matching lines @@
   EXPECT_EQ(test_cert_id_, pkcs11_id);
   EXPECT_EQ(1, network_properties_changed_count_);
 }
 
 TEST_F(ClientCertResolverTest, ResolveOnCertificatesLoaded) {
   SetupTestCerts("client_1", true /* import issuer */);
   SetupWifi();
   base::RunLoop().RunUntilIdle();
 
   SetupNetworkHandlers();
-  SetupPolicyMatchingIssuerPEM("");
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, "");
   base::RunLoop().RunUntilIdle();
 
   network_properties_changed_count_ = 0;
   StartCertLoader();
   base::RunLoop().RunUntilIdle();
 
   // Verify that the resolver positively matched the pattern in the policy with
   // the test client cert and configured the network.
   std::string pkcs11_id;
   GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
   EXPECT_EQ(test_cert_id_, pkcs11_id);
   EXPECT_EQ(1, network_properties_changed_count_);
 }
 
 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) {
   SetupTestCerts("client_1", true /* import issuer */);
   SetupWifi();
   base::RunLoop().RunUntilIdle();
   StartCertLoader();
   SetupNetworkHandlers();
   base::RunLoop().RunUntilIdle();
 
   // Policy application will trigger the ClientCertResolver.
   network_properties_changed_count_ = 0;
-  SetupPolicyMatchingIssuerPEM("");
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, "");
   base::RunLoop().RunUntilIdle();
 
   // Verify that the resolver positively matched the pattern in the policy with
   // the test client cert and configured the network.
   std::string pkcs11_id;
   GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
   EXPECT_EQ(test_cert_id_, pkcs11_id);
   EXPECT_EQ(1, network_properties_changed_count_);
 }
 
 TEST_F(ClientCertResolverTest, ExpiringCertificate) {
   SetupTestCerts("client_1", true /* import issuer */);
   SetupWifi();
   base::RunLoop().RunUntilIdle();
 
   SetupNetworkHandlers();
-  SetupPolicyMatchingIssuerPEM("");
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, "");
   base::RunLoop().RunUntilIdle();
 
   StartCertLoader();
   base::RunLoop().RunUntilIdle();
 
   SetWifiState(shill::kStateOnline);
   base::RunLoop().RunUntilIdle();
 
   // Verify that the resolver positively matched the pattern in the policy with
   // the test client cert and configured the network.
   std::string pkcs11_id;
   GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
   EXPECT_EQ(test_cert_id_, pkcs11_id);
 
   // Verify that, after the certificate expired and the network disconnection
   // happens, no client certificate was configured.
   test_clock_->SetNow(base::Time::Max());
   SetWifiState(shill::kStateOffline);
   base::RunLoop().RunUntilIdle();
   GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
   EXPECT_EQ(std::string(), pkcs11_id);
 }
 
+TEST_F(ClientCertResolverTest, UserPolicyUsesSystemToken) {
+  SetupTestCertInSystemToken("client_1");
+  SetupWifi();
+  base::RunLoop().RunUntilIdle();
+
+  SetupNetworkHandlers();
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY, "");
+  base::RunLoop().RunUntilIdle();
+
+  StartCertLoader();
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(1U, cert_loader_->system_cert_list().size());
+
+  // Verify that the resolver positively matched the pattern in the policy with
+  // the test client cert and configured the network.
+  std::string pkcs11_id;
+  GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
+  EXPECT_EQ(test_cert_id_, pkcs11_id);
+}
+
+TEST_F(ClientCertResolverTest, DevicePolicyUsesSystemToken) {
+  SetupTestCertInSystemToken("client_1");
+  SetupWifi();
+  base::RunLoop().RunUntilIdle();
+
+  SetupNetworkHandlers();
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_DEVICE_POLICY, "");
+  base::RunLoop().RunUntilIdle();
+
+  StartCertLoader();
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(1U, cert_loader_->system_cert_list().size());
+
+  // Verify that the resolver positively matched the pattern in the policy with
+  // the test client cert and configured the network.
+  std::string pkcs11_id;
+  GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
+  EXPECT_EQ(test_cert_id_, pkcs11_id);
+}
+
+TEST_F(ClientCertResolverTest, DevicePolicyDoesNotUseUserToken) {
+  SetupTestCerts("client_1", false /* import issuer */);
+  SetupWifi();
+  base::RunLoop().RunUntilIdle();
+
+  SetupNetworkHandlers();
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_DEVICE_POLICY, "");
+  base::RunLoop().RunUntilIdle();
+
+  network_properties_changed_count_ = 0;
+  StartCertLoader();
+  base::RunLoop().RunUntilIdle();
+  EXPECT_EQ(0U, cert_loader_->system_cert_list().size());
+
+  // Verify that no client certificate was configured.
+  std::string pkcs11_id;
+  GetServiceProperty(shill::kEapCertIdProperty, &pkcs11_id);
+  EXPECT_EQ(std::string(), pkcs11_id);
+  EXPECT_EQ(1, network_properties_changed_count_);
+  EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning());
+}
+
 TEST_F(ClientCertResolverTest, PopulateIdentityFromCert) {
   SetupTestCerts("client_3", true /* import issuer */);
   SetupWifi();
   base::RunLoop().RunUntilIdle();
 
   SetupNetworkHandlers();
-  SetupPolicyMatchingIssuerPEM("${CERT_SAN_EMAIL}");
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY,
+                               "${CERT_SAN_EMAIL}");
   base::RunLoop().RunUntilIdle();
 
   network_properties_changed_count_ = 0;
   StartCertLoader();
   base::RunLoop().RunUntilIdle();
 
   // Verify that the resolver read the subjectAltName email field from the
   // cert, and wrote it into the shill service entry.
   std::string identity;
   GetServiceProperty(shill::kEapIdentityProperty, &identity);
   EXPECT_EQ("santest@example.com", identity);
   EXPECT_EQ(1, network_properties_changed_count_);
 
   // Verify that after changing the ONC policy to request a variant of the
   // Microsoft Universal Principal Name field instead, the correct value is
   // substituted into the shill service entry.
-  SetupPolicyMatchingIssuerPEM("upn-${CERT_SAN_UPN}-suffix");
+  SetupPolicyMatchingIssuerPEM(onc::ONC_SOURCE_USER_POLICY,
+                               "upn-${CERT_SAN_UPN}-suffix");
   base::RunLoop().RunUntilIdle();
 
   GetServiceProperty(shill::kEapIdentityProperty, &identity);
   EXPECT_EQ("upn-santest@ad.corp.example.com-suffix", identity);
   EXPECT_EQ(2, network_properties_changed_count_);
 }
 
 }  // namespace chromeos