Providing more information on why certain users can't be added to multi-profile

chrome/browser/ui/ash/session_state_delegate_chromeos_unittest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/ash/session_state_delegate_chromeos.h"
 
 #include <string>
 #include <vector>
 
 #include "chrome/browser/chromeos/login/users/fake_user_manager.h"
+#include "chrome/browser/chromeos/login/users/multi_profile_user_controller.h"
+#include "chrome/browser/chromeos/policy/policy_cert_service.h"
+#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
+#include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
+#include "chrome/browser/chromeos/profiles/profile_helper.h"
+#include "chrome/common/pref_names.h"
+#include "chrome/test/base/testing_browser_process.h"
 #include "chrome/test/base/testing_profile_manager.h"
+#include "net/cert/x509_certificate.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+namespace {
+
+const char* kUser = "user@test.com";
+
+// Weak ptr to PolicyCertVerifier - object is freed in test destructor once
+// we've ensured the profile has been shut down.
+policy::PolicyCertVerifier* g_policy_cert_verifier_for_factory = NULL;
+
+KeyedService* TestPolicyCertServiceFactory(content::BrowserContext* context) {

[James Cook, 2014/08/12 20:08:30]

nit: I would name this CreatePolicyCertServiceForTest or
CreateTestPolicyCertService -- it needs a verb.

[Roman Sorokin (ftl), 2014/08/13 09:11:52]

Done.

+  return policy::PolicyCertService::CreateForTesting(
+             kUser,
+             g_policy_cert_verifier_for_factory,
+             chromeos::UserManager::Get()).release();
+}
+
+}  // namespace
 
 class SessionStateDelegateChromeOSTest : public testing::Test {
  protected:
   SessionStateDelegateChromeOSTest() : user_manager_(NULL) {
   }
 
   virtual ~SessionStateDelegateChromeOSTest() {
   }
 
   virtual void SetUp() OVERRIDE {
     // Initialize the UserManager singleton to a fresh FakeUserManager instance.
     user_manager_ = new chromeos::FakeUserManager;
     user_manager_enabler_.reset(
         new chromeos::ScopedUserManagerEnabler(user_manager_));
 
     // Create our SessionStateDelegate to experiment with.
     session_state_delegate_.reset(new SessionStateDelegateChromeos());
     testing::Test::SetUp();
   }
 
   virtual void TearDown() OVERRIDE {
     testing::Test::TearDown();
     session_state_delegate_.reset();
     user_manager_enabler_.reset();
     user_manager_ = NULL;
+    // Clear our cached pointer to the PolicyCertVerifier.
+    g_policy_cert_verifier_for_factory = NULL;
   }
 
   // Add and log in a user to the session.
   void UserAddedToSession(std::string user) {
     user_manager()->AddUser(user);
     user_manager()->LoginUser(user);
   }
 
   // Get the active user.
   const std::string& GetActiveUser() {
     return chromeos::UserManager::Get()->GetActiveUser()->email();
   }
 
   chromeos::FakeUserManager* user_manager() { return user_manager_; }
   SessionStateDelegateChromeos* session_state_delegate() {
     return session_state_delegate_.get();
   }
 
+  void InitForMultiProfile() {
+    profile_manager_.reset(
+        new TestingProfileManager(TestingBrowserProcess::GetGlobal()));
+    ASSERT_TRUE(profile_manager_->SetUp());
+
+    const std::string user_email(kUser);
+    const user_manager::User* user = user_manager()->AddUser(user_email);
+
+    // Note that user profiles are created after user login in reality.
+    user_profile_ = profile_manager_->CreateTestingProfile(user_email);
+    user_profile_->set_profile_name(user_email);
+    chromeos::ProfileHelper::Get()->SetUserToProfileMappingForTesting(
+        user, user_profile_);
+  }
+
+  TestingProfile* user_profile() { return user_profile_; }
+
  private:
   scoped_ptr<chromeos::ScopedUserManagerEnabler> user_manager_enabler_;
   scoped_ptr<SessionStateDelegateChromeos> session_state_delegate_;
 
   // Not owned.
   chromeos::FakeUserManager* user_manager_;
 
+  scoped_ptr<TestingProfileManager> profile_manager_;
+  TestingProfile* user_profile_;
+
   DISALLOW_COPY_AND_ASSIGN(SessionStateDelegateChromeOSTest);
 };
 
 // Make sure that cycling one user does not cause any harm.
 TEST_F(SessionStateDelegateChromeOSTest, CyclingOneUser) {
   UserAddedToSession("firstuser@test.com");
 
   EXPECT_EQ("firstuser@test.com", GetActiveUser());
   session_state_delegate()->CycleActiveUser(
       ash::SessionStateDelegate::CYCLE_TO_NEXT_USER);
@@ skipping 23 matching lines @@
   // Cycle backwards.
   const ash::SessionStateDelegate::CycleUser backward =
       ash::SessionStateDelegate::CYCLE_TO_PREVIOUS_USER;
   session_state_delegate()->CycleActiveUser(backward);
   EXPECT_EQ("thirduser@test.com", GetActiveUser());
   session_state_delegate()->CycleActiveUser(backward);
   EXPECT_EQ("seconduser@test.com", GetActiveUser());
   session_state_delegate()->CycleActiveUser(backward);
   EXPECT_EQ("firstuser@test.com", GetActiveUser());
 }
+
+// Make sure MultiProfile disabled by primary user policy.
+TEST_F(SessionStateDelegateChromeOSTest, MultiProfileDisallowedByUserPolicy) {
+  InitForMultiProfile();
+  EXPECT_TRUE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+  const std::string user_email(kUser);
+  user_manager()->LoginUser(user_email);
+  EXPECT_TRUE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+
+  user_profile()->GetPrefs()->SetString(
+      prefs::kMultiProfileUserBehavior,
+      chromeos::MultiProfileUserController::kBehaviorNotAllowed);
+  EXPECT_FALSE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+}
+
+// Make sure MultiProfile disabled by primary user policy certificates.
+TEST_F(SessionStateDelegateChromeOSTest,
+       MultiProfileDisallowedByPolicyCertificates) {
+  InitForMultiProfile();
+  const std::string user_email(kUser);
+  user_manager()->LoginUser(user_email);
+  EXPECT_TRUE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+  policy::PolicyCertServiceFactory::SetUsedPolicyCertificates(user_email);
+  EXPECT_FALSE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+}
+
+// Make sure MultiProfile disabled by primary user certificates in memory.
+TEST_F(SessionStateDelegateChromeOSTest,
+       MultiProfileDisallowedByPrimaryUserCertificatesInMemory) {
+  InitForMultiProfile();
+  const std::string user_email(kUser);
+  user_manager()->LoginUser(user_email);
+  EXPECT_TRUE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+  scoped_ptr<policy::PolicyCertVerifier> cert_verifier;
+  cert_verifier.reset(new policy::PolicyCertVerifier(base::Closure()));
+  g_policy_cert_verifier_for_factory = cert_verifier.get();
+  ASSERT_TRUE(
+      policy::PolicyCertServiceFactory::GetInstance()->SetTestingFactoryAndUse(
+          user_profile(), TestPolicyCertServiceFactory));
+  policy::PolicyCertService* service =
+      policy::PolicyCertServiceFactory::GetForProfile(user_profile());
+  ASSERT_TRUE(service);
+
+  EXPECT_FALSE(service->has_policy_certificates());
+  net::CertificateList certificates;
+  certificates.push_back(new net::X509Certificate(
+      "subject", "issuer", base::Time(), base::Time()));
+  service->OnTrustAnchorsChanged(certificates);
+  EXPECT_TRUE(service->has_policy_certificates());
+  EXPECT_FALSE(
+      session_state_delegate()->IsMultiProfileAllowedByPrimaryUserPolicy());
+}

[James Cook, 2014/08/12 20:08:30]

Nice test suite. Good coverage, and helps me as a reader understand the
multi-profile/certificate interactions.