chrome/browser/chromeos/login/signin/oauth2_browsertest.cc - Issue 2903123002: cros: Terminate if merge session fails for online sign-in

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/browser/chromeos/login/signin/oauth2_browsertest.cc

Issue 2903123002: cros: Terminate if merge session fails for online sign-in (Closed)

Patch Set: add comments Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

Index: chrome/browser/chromeos/login/signin/oauth2_browsertest.cc

diff --git a/chrome/browser/chromeos/login/signin/oauth2_browsertest.cc b/chrome/browser/chromeos/login/signin/oauth2_browsertest.cc

index 46b7816dd6c021a7dd670443cedc1b99cf859dc5..d6a521c08f8ddb878a7f09da885a004e94d4b62c 100644

--- a/chrome/browser/chromeos/login/signin/oauth2_browsertest.cc

+++ b/chrome/browser/chromeos/login/signin/oauth2_browsertest.cc

@@ -587,6 +587,37 @@ IN_PROC_BROWSER_TEST_F(OAuth2Test, DISABLED_OverlappingContinueSessionRestore) {

EXPECT_TRUE(token_service->RefreshTokenIsAvailable(account_id));

}

+// Tests that user session is terminated if merge session fails for an online

+// sign-in. This is necessary to prevent policy exploit.

+// See http://crbug.com/677312

+IN_PROC_BROWSER_TEST_F(OAuth2Test, TerminateOnBadMergeSessionAfterOnlineAuth) {

+ SimulateNetworkOnline();

+ WaitForGaiaPageLoad();

+ content::WindowedNotificationObserver termination_waiter(

+ chrome::NOTIFICATION_APP_TERMINATING,

+ content::NotificationService::AllSources());

+ // Configure FakeGaia so that online auth succeeds but merge session fails.

+ FakeGaia::MergeSessionParams params;

+ params.auth_sid_cookie = kTestAuthSIDCookie;

+ params.auth_lsid_cookie = kTestAuthLSIDCookie;

+ params.auth_code = kTestAuthCode;

+ params.refresh_token = kTestRefreshToken;

+ params.access_token = kTestAuthLoginAccessToken;

+ fake_gaia_->SetMergeSessionParams(params);

+ // Simulate an online sign-in.

+ GetLoginDisplay()->ShowSigninScreenForCreds(kTestEmail, kTestAccountPassword);

+ // User session should be terminated.

+ termination_waiter.Wait();

+ // Merge session should fail. Check after |termination_waiter| to ensure

+ // user profile is initialized and there is an OAuth2LoginManage.

+ WaitForMergeSessionCompletion(OAuth2LoginManager::SESSION_RESTORE_FAILED);

const char kGooglePageContent[] =

"<html><title>Hello!</title><script>alert('hello');</script>"

"<body>Hello Google!</body></html>";