| OLD | NEW |
|---|
| (Empty) | |
| 1 // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. |
| 4 |
| 5 #include "chrome/browser/chromeos/policy/active_directory_policy_manager.h" |
| 6 |
| 7 #include <memory> |
| 8 #include <string> |
| 9 #include <utility> |
| 10 |
| 11 #include "base/bind.h" |
| 12 #include "base/logging.h" |
| 13 #include "base/memory/ptr_util.h" |
| 14 #include "base/run_loop.h" |
| 15 #include "base/test/scoped_task_environment.h" |
| 16 #include "base/threading/thread_task_runner_handle.h" |
| 17 #include "base/time/time.h" |
| 18 #include "chromeos/dbus/auth_policy_client.h" |
| 19 #include "chromeos/dbus/dbus_thread_manager.h" |
| 20 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h" |
| 21 #include "components/policy/core/common/schema_registry.h" |
| 22 #include "components/signin/core/account_id/account_id.h" |
| 23 #include "testing/gtest/include/gtest/gtest.h" |
| 24 |
| 25 namespace { |
| 26 |
| 27 class TestAuthPolicyClient : public chromeos::AuthPolicyClient { |
| 28 public: |
| 29 void Init(dbus::Bus* bus) override { NOTIMPLEMENTED(); } |
| 30 |
| 31 void JoinAdDomain(const std::string& machine_name, |
| 32 const std::string& user_principal_name, |
| 33 int password_fd, |
| 34 JoinCallback callback) override { |
| 35 NOTIMPLEMENTED(); |
| 36 } |
| 37 |
| 38 void AuthenticateUser(const std::string& user_principal_name, |
| 39 const std::string& object_guid, |
| 40 int password_fd, |
| 41 AuthCallback callback) override { |
| 42 NOTIMPLEMENTED(); |
| 43 } |
| 44 |
| 45 void GetUserStatus(const std::string& object_guid, |
| 46 GetUserStatusCallback callback) override { |
| 47 NOTIMPLEMENTED(); |
| 48 } |
| 49 |
| 50 void RefreshDevicePolicy(RefreshPolicyCallback callback) override { |
| 51 NOTIMPLEMENTED(); |
| 52 } |
| 53 |
| 54 void RefreshUserPolicy(const AccountId& account_id, |
| 55 RefreshPolicyCallback callback) override { |
| 56 base::ThreadTaskRunnerHandle::Get()->PostTask( |
| 57 FROM_HERE, base::BindOnce(std::move(callback), |
| 58 refresh_user_policy_callback_success_)); |
| 59 } |
| 60 |
| 61 void SetRefreshUserPolicyCallbackSuccess(bool success) { |
| 62 refresh_user_policy_callback_success_ = success; |
| 63 } |
| 64 |
| 65 private: |
| 66 bool refresh_user_policy_callback_success_ = true; |
| 67 }; |
| 68 |
| 69 } // namespace |
| 70 |
| 71 namespace policy { |
| 72 |
| 73 // Note that session exit is asynchronous and thus ActiveDirectoryPolicyManager |
| 74 // still needs to react reasonably to events happening after session exit has |
| 75 // been fired. |
| 76 class ActiveDirectoryPolicyManagerTest : public testing::Test { |
| 77 public: |
| 78 ActiveDirectoryPolicyManagerTest() { |
| 79 auto mock_client_unique_ptr = base::MakeUnique<TestAuthPolicyClient>(); |
| 80 mock_client_ = mock_client_unique_ptr.get(); |
| 81 chromeos::DBusThreadManager::GetSetterForTesting()->SetAuthPolicyClient( |
| 82 std::move(mock_client_unique_ptr)); |
| 83 } |
| 84 |
| 85 ~ActiveDirectoryPolicyManagerTest() override { |
| 86 EXPECT_EQ(session_exit_expected_, session_exited_); |
| 87 policy_manager_->Shutdown(); |
| 88 } |
| 89 |
| 90 protected: |
| 91 // Expect that session exit will be called below. (Must only be called once.) |
| 92 void ExpectSessionExit() { |
| 93 ASSERT_FALSE(session_exit_expected_); |
| 94 EXPECT_FALSE(session_exited_); |
| 95 session_exit_expected_ = true; |
| 96 } |
| 97 |
| 98 // Expect that session exit has been called above. (Must only be called after |
| 99 // ExpectSessionExit().) |
| 100 void ExpectSessionExited() { |
| 101 ASSERT_TRUE(session_exit_expected_); |
| 102 EXPECT_TRUE(session_exited_); |
| 103 } |
| 104 |
| 105 // Closure to exit the session. |
| 106 void ExitSession() { |
| 107 EXPECT_TRUE(session_exit_expected_); |
| 108 session_exited_ = true; |
| 109 } |
| 110 |
| 111 bool session_exited_ = false; |
| 112 bool session_exit_expected_ = false; |
| 113 |
| 114 // To be handed over to ActiveDirectoryPolicyManager. |
| 115 base::OnceClosure exit_session_{ |
| 116 base::BindOnce(&ActiveDirectoryPolicyManagerTest::ExitSession, |
| 117 base::Unretained(this))}; |
| 118 |
| 119 // To be handed over to ActiveDirectoryPolicyManager ... |
| 120 std::unique_ptr<MockCloudPolicyStore> mock_store_unique_ptr_{ |
| 121 base::MakeUnique<MockCloudPolicyStore>()}; |
| 122 |
| 123 // ... but keeping a non-owned pointer. |
| 124 MockCloudPolicyStore* mock_store_{mock_store_unique_ptr_.get()}; |
| 125 |
| 126 // Owned by DBusThreadManager. |
| 127 TestAuthPolicyClient* mock_client_; |
| 128 |
| 129 SchemaRegistry schema_registry_; |
| 130 |
| 131 // Initialized by the individual tests but owned by the test class so that it |
| 132 // can be shut down automatically after the test has run. |
| 133 std::unique_ptr<ActiveDirectoryPolicyManager> policy_manager_; |
| 134 |
| 135 private: |
| 136 base::test::ScopedTaskEnvironment scoped_task_environment_; |
| 137 }; |
| 138 |
| 139 TEST_F(ActiveDirectoryPolicyManagerTest, DontWait) { |
| 140 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 141 AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta(), |
| 142 std::move(exit_session_), std::move(mock_store_unique_ptr_)); |
| 143 EXPECT_TRUE(policy_manager_); |
| 144 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 145 |
| 146 // Configure mock policy fetch to fail. |
| 147 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 148 |
| 149 // Trigger mock policy fetch from authpolicyd. |
| 150 policy_manager_->Init(&schema_registry_); |
| 151 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 152 |
| 153 // Simulate failed store load. Initialization is reported complete at this |
| 154 // point. |
| 155 mock_store_->NotifyStoreError(); |
| 156 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 157 |
| 158 // Process reply for mock policy fetch. |
| 159 base::RunLoop().RunUntilIdle(); |
| 160 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 161 |
| 162 // Simulate failed store load. |
| 163 mock_store_->NotifyStoreError(); |
| 164 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 165 } |
| 166 |
| 167 // If the initial fetch timeout is infinite, initialization is only complete |
| 168 // after policy has been fetched and after that has been loaded. |
| 169 TEST_F(ActiveDirectoryPolicyManagerTest, |
| 170 WaitInfinite_LoadSuccess_FetchSuccess) { |
| 171 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 172 AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta::Max(), |
| 173 std::move(exit_session_), std::move(mock_store_unique_ptr_)); |
| 174 ASSERT_TRUE(policy_manager_); |
| 175 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 176 |
| 177 // Configure mock policy fetch to succeed. |
| 178 mock_client_->SetRefreshUserPolicyCallbackSuccess(true); |
| 179 |
| 180 // Trigger mock policy fetch from authpolicyd. |
| 181 policy_manager_->Init(&schema_registry_); |
| 182 |
| 183 // Simulate successful store load. |
| 184 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 185 mock_store_->NotifyStoreLoaded(); |
| 186 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 187 |
| 188 // Process reply for mock policy fetch. |
| 189 base::RunLoop().RunUntilIdle(); |
| 190 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 191 |
| 192 // Simulate successful store load. At this point initialization is complete. |
| 193 mock_store_->NotifyStoreLoaded(); |
| 194 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 195 } |
| 196 |
| 197 // If the initial fetch timeout is infinite, initialization does not complete if |
| 198 // load after fetch fails. |
| 199 TEST_F(ActiveDirectoryPolicyManagerTest, |
| 200 WaitInfinite_LoadSuccess_FetchSuccess_LoadFail) { |
| 201 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 202 AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta::Max(), |
| 203 std::move(exit_session_), std::move(mock_store_unique_ptr_)); |
| 204 ASSERT_TRUE(policy_manager_); |
| 205 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 206 |
| 207 // Configure mock policy fetch to succeed. |
| 208 mock_client_->SetRefreshUserPolicyCallbackSuccess(true); |
| 209 |
| 210 // Trigger mock policy fetch from authpolicyd. |
| 211 policy_manager_->Init(&schema_registry_); |
| 212 |
| 213 // Simulate successful store load. |
| 214 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 215 mock_store_->NotifyStoreLoaded(); |
| 216 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 217 |
| 218 // Process reply for mock policy fetch. |
| 219 base::RunLoop().RunUntilIdle(); |
| 220 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 221 |
| 222 ExpectSessionExit(); |
| 223 |
| 224 // Simulate failed store load. |
| 225 mock_store_->NotifyStoreError(); |
| 226 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 227 |
| 228 ExpectSessionExited(); |
| 229 |
| 230 // Simulate successful store load. |
| 231 mock_store_->NotifyStoreLoaded(); |
| 232 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 233 } |
| 234 |
| 235 // If the initial fetch timeout is infinite, failure in policy fetch prevents |
| 236 // initialization from finishing, ever. |
| 237 TEST_F(ActiveDirectoryPolicyManagerTest, WaitInfinite_LoadSuccess_FetchFail) { |
| 238 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 239 AccountId::AdFromUserEmailObjGuid("bla", "ble"), base::TimeDelta::Max(), |
| 240 std::move(exit_session_), std::move(mock_store_unique_ptr_)); |
| 241 ASSERT_TRUE(policy_manager_); |
| 242 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 243 |
| 244 // Configure mock policy fetch to fail. |
| 245 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 246 |
| 247 // Trigger mock policy fetch from authpolicyd. |
| 248 policy_manager_->Init(&schema_registry_); |
| 249 |
| 250 // Simulate successful store load. |
| 251 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 252 mock_store_->NotifyStoreLoaded(); |
| 253 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 254 |
| 255 ExpectSessionExit(); |
| 256 |
| 257 // Process reply for mock policy fetch. |
| 258 base::RunLoop().RunUntilIdle(); |
| 259 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 260 |
| 261 ExpectSessionExited(); |
| 262 |
| 263 // Simulate successful store load. |
| 264 mock_store_->NotifyStoreLoaded(); |
| 265 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 266 } |
| 267 |
| 268 // If the initial fetch timeout is not infinite, we're in best-effort mode but |
| 269 // still require the policy load to succeed so that there's *some* policy |
| 270 // present (though possibly outdated). |
| 271 TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchFail) { |
| 272 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 273 AccountId::AdFromUserEmailObjGuid("bla", "ble"), |
| 274 base::TimeDelta::FromDays(365), std::move(exit_session_), |
| 275 std::move(mock_store_unique_ptr_)); |
| 276 ASSERT_TRUE(policy_manager_); |
| 277 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 278 |
| 279 // Configure mock policy fetch to fail. |
| 280 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 281 |
| 282 // Trigger mock policy fetch from authpolicyd. |
| 283 policy_manager_->Init(&schema_registry_); |
| 284 |
| 285 // Simulate successful store load. |
| 286 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 287 mock_store_->NotifyStoreLoaded(); |
| 288 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 289 |
| 290 // Process reply for mock policy fetch. At this point initialization is |
| 291 // complete (we have waited for the fetch but now that we know it has failed |
| 292 // we continue). |
| 293 base::RunLoop().RunUntilIdle(); |
| 294 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 295 |
| 296 // Simulate successful store load. |
| 297 mock_store_->NotifyStoreLoaded(); |
| 298 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 299 } |
| 300 |
| 301 // If the initial fetch timeout is not infinite, we're in best-effort mode but |
| 302 // still require the policy load to succeed so that there's *some* policy |
| 303 // present (though possibly outdated). Here the sequence is inverted: Fetch |
| 304 // returns before load. |
| 305 TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_FetchFail_LoadSuccess) { |
| 306 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 307 AccountId::AdFromUserEmailObjGuid("bla", "ble"), |
| 308 base::TimeDelta::FromDays(365), std::move(exit_session_), |
| 309 std::move(mock_store_unique_ptr_)); |
| 310 ASSERT_TRUE(policy_manager_); |
| 311 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 312 |
| 313 // Configure mock policy fetch to fail. |
| 314 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 315 |
| 316 // Trigger mock policy fetch from authpolicyd. |
| 317 policy_manager_->Init(&schema_registry_); |
| 318 |
| 319 // Process reply for mock policy fetch. |
| 320 base::RunLoop().RunUntilIdle(); |
| 321 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 322 |
| 323 // Simulate successful store load. |
| 324 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 325 mock_store_->NotifyStoreLoaded(); |
| 326 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 327 } |
| 328 |
| 329 // If the initial fetch timeout is not infinite, we're in best-effort mode but |
| 330 // if we can't load existing policy from disk we have to give up. |
| 331 TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadFail_FetchFail) { |
| 332 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 333 AccountId::AdFromUserEmailObjGuid("bla", "ble"), |
| 334 base::TimeDelta::FromDays(365), std::move(exit_session_), |
| 335 std::move(mock_store_unique_ptr_)); |
| 336 ASSERT_TRUE(policy_manager_); |
| 337 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 338 |
| 339 // Configure mock policy fetch to fail. |
| 340 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 341 |
| 342 // Trigger mock policy fetch from authpolicyd. |
| 343 policy_manager_->Init(&schema_registry_); |
| 344 |
| 345 // Simulate failed store load. |
| 346 mock_store_->NotifyStoreError(); |
| 347 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 348 |
| 349 ExpectSessionExit(); |
| 350 |
| 351 // Process reply for mock policy fetch. |
| 352 base::RunLoop().RunUntilIdle(); |
| 353 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 354 |
| 355 ExpectSessionExited(); |
| 356 |
| 357 // Simulate successful store load. |
| 358 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 359 mock_store_->NotifyStoreLoaded(); |
| 360 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 361 } |
| 362 |
| 363 // If the initial fetch timeout is not infinite, we're in best-effort mode and |
| 364 // upon timeout initialization is complete if any policy could be loaded from |
| 365 // disk. |
| 366 TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadSuccess_FetchTimeout) { |
| 367 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 368 AccountId::AdFromUserEmailObjGuid("bla", "ble"), |
| 369 base::TimeDelta::FromDays(365), std::move(exit_session_), |
| 370 std::move(mock_store_unique_ptr_)); |
| 371 ASSERT_TRUE(policy_manager_); |
| 372 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 373 |
| 374 // Configure mock policy fetch to fail. |
| 375 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 376 |
| 377 // Trigger mock policy fetch from authpolicyd. |
| 378 policy_manager_->Init(&schema_registry_); |
| 379 |
| 380 // Simulate successful store load. |
| 381 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 382 mock_store_->NotifyStoreLoaded(); |
| 383 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 384 |
| 385 // Simulate policy fetch timeout. |
| 386 policy_manager_->ForceTimeoutForTest(); |
| 387 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 388 |
| 389 // Process reply for mock policy fetch. |
| 390 base::RunLoop().RunUntilIdle(); |
| 391 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 392 |
| 393 // Simulate failed store load. |
| 394 mock_store_->NotifyStoreError(); |
| 395 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 396 } |
| 397 |
| 398 // If the initial fetch timeout is not infinite, we're in best-effort mode but |
| 399 // without a successful policy load we still can't continue. |
| 400 TEST_F(ActiveDirectoryPolicyManagerTest, WaitFinite_LoadTimeout_FetchTimeout) { |
| 401 policy_manager_ = ActiveDirectoryPolicyManager::CreateForUserPolicy( |
| 402 AccountId::AdFromUserEmailObjGuid("bla", "ble"), |
| 403 base::TimeDelta::FromDays(365), std::move(exit_session_), |
| 404 std::move(mock_store_unique_ptr_)); |
| 405 ASSERT_TRUE(policy_manager_); |
| 406 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 407 |
| 408 // Configure mock policy fetch to fail. |
| 409 mock_client_->SetRefreshUserPolicyCallbackSuccess(false); |
| 410 |
| 411 // Trigger mock policy fetch from authpolicyd. |
| 412 policy_manager_->Init(&schema_registry_); |
| 413 |
| 414 ExpectSessionExit(); |
| 415 |
| 416 // Simulate policy fetch timeout. |
| 417 policy_manager_->ForceTimeoutForTest(); |
| 418 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 419 |
| 420 ExpectSessionExited(); |
| 421 |
| 422 // Process reply for mock policy fetch. |
| 423 base::RunLoop().RunUntilIdle(); |
| 424 EXPECT_FALSE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 425 |
| 426 // Simulate successful store load. |
| 427 mock_store_->policy_ = base::MakeUnique<enterprise_management::PolicyData>(); |
| 428 mock_store_->NotifyStoreLoaded(); |
| 429 EXPECT_TRUE(policy_manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME)); |
| 430 } |
| 431 |
| 432 } // namespace policy |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 2954293002:
Chromad: Prevent session from starting without policy (Closed)
