
Unified Diff: chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc

Issue 407443008: Fix cert DB usage in PolicyCertVerifier test. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Created 6 years, 5 months ago
Index: chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc
diff --git a/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc b/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc
deleted file mode 100644
index 8c74ff44de08aa3f137c6de11a07c1bf6013b6a8..0000000000000000000000000000000000000000
--- a/chrome/browser/chromeos/policy/policy_cert_verifier_browsertest.cc
+++ /dev/null
@@ -1,233 +0,0 @@
-// Copyright (c) 2013 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "chrome/browser/chromeos/policy/policy_cert_verifier.h"
-
-#include "base/bind.h"
-#include "base/bind_helpers.h"
-#include "base/callback.h"
-#include "base/memory/ref_counted.h"
-#include "base/memory/scoped_ptr.h"
-#include "base/run_loop.h"
-#include "chrome/browser/chromeos/net/cert_verify_proc_chromeos.h"
-#include "content/public/browser/browser_thread.h"
-#include "content/public/test/test_browser_thread_bundle.h"
-#include "crypto/nss_util.h"
-#include "crypto/nss_util_internal.h"
-#include "net/base/net_log.h"
-#include "net/base/test_completion_callback.h"
-#include "net/base/test_data_directory.h"
-#include "net/cert/cert_trust_anchor_provider.h"
-#include "net/cert/cert_verify_result.h"
-#include "net/cert/nss_cert_database.h"
-#include "net/cert/x509_certificate.h"
-#include "net/test/cert_test_util.h"
-#include "testing/gtest/include/gtest/gtest.h"
-
-namespace policy {
-
-// This is actually a unit test, but is linked with browser_tests because
-// importing a certificate into the NSS test database persists for the duration
-// of a process; since each browser_test runs in a separate process then this
-// won't affect subsequent tests.
-// This can be moved to the unittests target once the TODO in ~ScopedTestNSSDB
-// is fixed.
-class PolicyCertVerifierTest : public testing::Test {
- public:
- PolicyCertVerifierTest() : cert_db_(NULL), trust_anchor_used_(false) {}
-
- virtual ~PolicyCertVerifierTest() {}
-
- virtual void SetUp() OVERRIDE {
- ASSERT_TRUE(test_nssdb_.is_open());
- cert_db_ = net::NSSCertDatabase::GetInstance();
-
- cert_verifier_.reset(new PolicyCertVerifier(base::Bind(
- &PolicyCertVerifierTest::OnTrustAnchorUsed, base::Unretained(this))));
- cert_verifier_->InitializeOnIOThread(new chromeos::CertVerifyProcChromeOS(
- crypto::ScopedPK11Slot(crypto::GetPersistentNSSKeySlot())));
-
- test_ca_cert_ = LoadCertificate("root_ca_cert.pem", net::CA_CERT);
- ASSERT_TRUE(test_ca_cert_);
- test_server_cert_ = LoadCertificate("ok_cert.pem", net::SERVER_CERT);
- ASSERT_TRUE(test_server_cert_);
- test_ca_cert_list_.push_back(test_ca_cert_);
- }
-
- virtual void TearDown() OVERRIDE {
- // Destroy |cert_verifier_| before destroying the ThreadBundle, otherwise
- // BrowserThread::CurrentlyOn checks fail.
- cert_verifier_.reset();
- }
-
- protected:
- int VerifyTestServerCert(const net::TestCompletionCallback& test_callback,
- net::CertVerifyResult* verify_result,
- net::CertVerifier::RequestHandle* request_handle) {
- return cert_verifier_->Verify(test_server_cert_.get(),
- "127.0.0.1",
- 0,
- NULL,
- verify_result,
- test_callback.callback(),
- request_handle,
- net::BoundNetLog());
- }
-
- bool SupportsAdditionalTrustAnchors() {
- scoped_refptr<net::CertVerifyProc> proc =
- net::CertVerifyProc::CreateDefault();
- return proc->SupportsAdditionalTrustAnchors();
- }
-
- // Returns whether |cert_verifier| signalled usage of one of the additional
- // trust anchors (i.e. of |test_ca_cert_|) for the first time or since the
- // last call of this function.
- bool WasTrustAnchorUsedAndReset() {
- base::RunLoop().RunUntilIdle();
- bool result = trust_anchor_used_;
- trust_anchor_used_ = false;
- return result;
- }
-
- // |test_ca_cert_| is the issuer of |test_server_cert_|.
- scoped_refptr<net::X509Certificate> test_ca_cert_;
- scoped_refptr<net::X509Certificate> test_server_cert_;
- net::CertificateList test_ca_cert_list_;
- net::NSSCertDatabase* cert_db_;
- scoped_ptr<PolicyCertVerifier> cert_verifier_;
-
- private:
- void OnTrustAnchorUsed() {
- trust_anchor_used_ = true;
- }
-
- scoped_refptr<net::X509Certificate> LoadCertificate(const std::string& name,
- net::CertType type) {
- scoped_refptr<net::X509Certificate> cert =
- net::ImportCertFromFile(net::GetTestCertsDirectory(), name);
-
- // No certificate is trusted right after it's loaded.
- net::NSSCertDatabase::TrustBits trust =
- cert_db_->GetCertTrust(cert.get(), type);
- EXPECT_EQ(net::NSSCertDatabase::TRUST_DEFAULT, trust);
-
- return cert;
- }
-
- bool trust_anchor_used_;
- crypto::ScopedTestNSSDB test_nssdb_;
- content::TestBrowserThreadBundle thread_bundle_;
-};
-
-TEST_F(PolicyCertVerifierTest, VerifyUntrustedCert) {
- // |test_server_cert_| is untrusted, so Verify() fails.
- {
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- ASSERT_EQ(net::ERR_IO_PENDING, error);
- EXPECT_TRUE(request_handle);
- error = callback.WaitForResult();
- EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
- }
-
- // Issuing the same request again hits the cache. This tests the synchronous
- // path.
- {
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
- }
-
- EXPECT_FALSE(WasTrustAnchorUsedAndReset());
-}
-
-TEST_F(PolicyCertVerifierTest, VerifyTrustedCert) {
- // Make the database trust |test_ca_cert_|.
- net::NSSCertDatabase::ImportCertFailureList failure_list;
- ASSERT_TRUE(cert_db_->ImportCACerts(
- test_ca_cert_list_, net::NSSCertDatabase::TRUSTED_SSL, &failure_list));
- ASSERT_TRUE(failure_list.empty());
-
- // Verify that it is now trusted.
- net::NSSCertDatabase::TrustBits trust =
- cert_db_->GetCertTrust(test_ca_cert_.get(), net::CA_CERT);
- EXPECT_EQ(net::NSSCertDatabase::TRUSTED_SSL, trust);
-
- // Verify() successfully verifies |test_server_cert_| after it was imported.
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- ASSERT_EQ(net::ERR_IO_PENDING, error);
- EXPECT_TRUE(request_handle);
- error = callback.WaitForResult();
- EXPECT_EQ(net::OK, error);
-
- // The additional trust anchors were not used, since the certificate is
- // trusted from the database.
- EXPECT_FALSE(WasTrustAnchorUsedAndReset());
-}
-
-TEST_F(PolicyCertVerifierTest, VerifyUsingAdditionalTrustAnchor) {
- ASSERT_TRUE(SupportsAdditionalTrustAnchors());
-
- // |test_server_cert_| is untrusted, so Verify() fails.
- {
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- ASSERT_EQ(net::ERR_IO_PENDING, error);
- EXPECT_TRUE(request_handle);
- error = callback.WaitForResult();
- EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
- }
- EXPECT_FALSE(WasTrustAnchorUsedAndReset());
-
- // Verify() again with the additional trust anchors.
- cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
- {
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- ASSERT_EQ(net::ERR_IO_PENDING, error);
- EXPECT_TRUE(request_handle);
- error = callback.WaitForResult();
- EXPECT_EQ(net::OK, error);
- }
- EXPECT_TRUE(WasTrustAnchorUsedAndReset());
-
- // Verify() again with the additional trust anchors will hit the cache.
- cert_verifier_->SetTrustAnchors(test_ca_cert_list_);
- {
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- EXPECT_EQ(net::OK, error);
- }
- EXPECT_TRUE(WasTrustAnchorUsedAndReset());
-
- // Verifying after removing the trust anchors should now fail.
- cert_verifier_->SetTrustAnchors(net::CertificateList());
- {
- net::CertVerifyResult verify_result;
- net::TestCompletionCallback callback;
- net::CertVerifier::RequestHandle request_handle = NULL;
- int error = VerifyTestServerCert(callback, &verify_result, &request_handle);
- // Note: this hits the cached result from the first Verify() in this test.
- EXPECT_EQ(net::ERR_CERT_AUTHORITY_INVALID, error);
- }
- // The additional trust anchors were reset, thus |cert_verifier_| should not
- // signal it's usage anymore.
- EXPECT_FALSE(WasTrustAnchorUsedAndReset());
-}
-
-} // namespace policy