Add test for showing confirmation dialog for unsecure signin

chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc

Index: chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc
diff --git a/chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc b/chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc
index 13a9a096b0c34ae0c29970534a60e13aa5233627..02493dff2533521a8fe60d0a3fa2aaf64cfe75a3 100644
--- a/chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc
+++ b/chrome/browser/ui/webui/signin/inline_login_ui_browsertest.cc
@@ -2,15 +2,21 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "base/command_line.h"
 #include "chrome/browser/signin/signin_promo.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "chrome/browser/ui/webui/signin/inline_login_ui.h"
+#include "chrome/browser/ui/webui/signin/login_ui_service.h"
+#include "chrome/browser/ui/webui/signin/login_ui_service_factory.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/url_constants.h"
 #include "chrome/test/base/in_process_browser_test.h"
+#include "chrome/test/base/test_browser_window.h"
 #include "chrome/test/base/test_chrome_web_ui_controller_factory.h"
 #include "chrome/test/base/testing_browser_process.h"
 #include "chrome/test/base/ui_test_utils.h"
+#include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_process_host.h"
 #include "content/public/browser/session_storage_namespace.h"
 #include "content/public/browser/storage_partition.h"
@@ -19,12 +25,18 @@
 #include "content/public/common/url_constants.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/test_navigation_observer.h"
+#include "google_apis/gaia/fake_gaia.h"
+#include "google_apis/gaia/gaia_switches.h"
 #include "net/base/url_util.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
+#include "net/test/embedded_test_server/http_response.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using ::testing::_;
+using ::testing::Invoke;
+using ::testing::InvokeWithoutArgs;
 
 namespace {
 
@@ -65,6 +77,11 @@ class FooWebUIProvider
                                                    const GURL& url));
 };
 
+class MockLoginUIObserver : public LoginUIService::Observer {
+ public:
+  MOCK_METHOD0(UntrustedSigninUIShown, void());
+};
+
 const char kFooWebUIURL[] = "chrome://foo/";
 
 }  // namespace
@@ -147,8 +164,27 @@ class InlineLoginUISafeIframeBrowserTest : public InProcessBrowserTest {
     } while (message != "\"ready\"");
   }
 
+ // Executes JavaScript code in the auth iframe hosted by gaia_auth extension.
+  void ExecuteJsInSigninFrame(const std::string& js) {
+    content::WebContents* web_contents =
+        browser()->tab_strip_model()->GetActiveWebContents();
+    ASSERT_TRUE(content::ExecuteScript(InlineLoginUI::GetAuthIframe(
+        web_contents, GURL(), "signin-frame"), js));
+  }
+
+ protected:
+  FakeGaia fake_gaia_;
+
  private:
+  virtual void SetUp() OVERRIDE {
+    ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
+    InProcessBrowserTest::SetUp();
+  }
+
   virtual void SetUpOnMainThread() OVERRIDE {
+    embedded_test_server()->RegisterRequestHandler(
+        base::Bind(&FakeGaia::HandleRequest, base::Unretained(&fake_gaia_)));
+
     content::WebUIControllerFactory::UnregisterFactoryForTesting(
         ChromeWebUIControllerFactory::GetInstance());
     test_factory_.reset(new TestChromeWebUIControllerFactory);
@@ -164,7 +200,17 @@ class InlineLoginUISafeIframeBrowserTest : public InProcessBrowserTest {
     test_factory_.reset();
   }
 
+  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
+    const GURL& base_url = embedded_test_server()->base_url();
+    command_line->AppendSwitchASCII(::switches::kGaiaUrl, base_url.spec());
+    command_line->AppendSwitchASCII(::switches::kLsoUrl, base_url.spec());
+    command_line->AppendSwitchASCII(::switches::kGoogleApisUrl,
+                                    base_url.spec());
+    fake_gaia_.Initialize();
+  }
+
   FooWebUIProvider foo_provider_;
+  // MockBrowserWindow mock_browser_window_;

[Charlie Reis, 2014/07/24 18:14:38]

nit: Remove commented out code.

[guohui, 2014/07/24 19:37:18]

Done.

   scoped_ptr<TestChromeWebUIControllerFactory> test_factory_;
 };
 
@@ -197,7 +243,6 @@ IN_PROC_BROWSER_TEST_F(InlineLoginUISafeIframeBrowserTest, NoWebUIInIframe) {
 // TODO(guohui): flaky on trybot crbug/364759.
 IN_PROC_BROWSER_TEST_F(InlineLoginUISafeIframeBrowserTest,
     MAYBE_TopFrameNavigationDisallowed) {
-  ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
   // Loads into gaia iframe a web page that attempts to deframe on load.
   GURL deframe_url(embedded_test_server()->GetURL("/login/deframe.html"));
   GURL url(net::AppendOrReplaceQueryParameter(
@@ -239,3 +284,31 @@ IN_PROC_BROWSER_TEST_F(InlineLoginUISafeIframeBrowserTest,
 
   EXPECT_EQ(GURL("about:blank"), contents->GetVisibleURL());
 }
+
+#if !defined(OS_CHROMEOS)

[Charlie Reis, 2014/07/24 18:14:38]

Why doesn't this run on ChromeOS?  Do we show the prompt there?

[guohui, 2014/07/24 18:31:21]

Because the confirmation dialog path in inline_login_handler_impl.cc is only
executed on desktop. I suspect CrOS has similar issues as Chrome desktop, but
their implementation is slightly different, thus I will delegate to CrOS team to
fix it.

+xiyuan@ to confirm.

[xiyuan, 2014/07/25 18:07:22]

Cros mirror uses inline_login_handler_chromeos.cc. It should probably be
consistent with Cros login and just block all insecure content.

hui@, do you mind adding "/CrOS/.test(navigator.userAgent)" check in initSAML_
in main.js to do that?

[guohui, 2014/08/07 19:53:34]

i think for CrOS there is more to clean up, currently CrOS is filtering unsecure
requests from JS, as suggested by nasko@, it is not secure to do it in JS, thus
all http-filtering related code in JS should be removed. Also desktop has
different treatment for unsecure signin than CrOS, instead of blocking the
content or showing some banner, desktop shows a native confirmation dialog
afterwards. Not sure what CrOS want to do here, thus I prefer to leave the code
as it is and fix CrOS implementation separately.

+IN_PROC_BROWSER_TEST_F(InlineLoginUISafeIframeBrowserTest,
+    ConfirmationRequiredForNonsecureSignin) {

[Charlie Reis, 2014/07/24 18:14:38]

Which part of the test goes to an insecure page in the sign-in process?  I just
see the navigation to the SOURCE_START_PAGE promo URL.

[guohui, 2014/07/24 18:31:21]

Signin page has an embedded gaia iframe, which loads the gaia signin page. Above
I set the gaia URL to the embedded test server, which runs on HTTP by default.

[Charlie Reis, 2014/07/24 18:47:11]

Ah, ok. Please explain that in a comment here, since it's not easy to spot.

[guohui, 2014/07/24 19:37:18]

Done.

+  fake_gaia_.SetFakeMergeSessionParamsForEmail("email");
+
+  ui_test_utils::NavigateToURL(
+      browser(), signin::GetPromoURL(signin::SOURCE_START_PAGE, false));
+  WaitUntilUIReady();
+
+  MockLoginUIObserver observer;
+  LoginUIServiceFactory::GetForProfile(browser()->profile())
+      ->AddObserver(&observer);
+  base::RunLoop run_loop;
+  EXPECT_CALL(observer, UntrustedSigninUIShown())
+      .WillOnce(InvokeWithoutArgs(&run_loop, &base::RunLoop::Quit));
+
+  content::WebContents* contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  std::string js =
+      "document.getElementById('Email').value = 'email';"
+      "document.getElementById('Passwd').value = 'password';"
+      "document.getElementById('signIn').click();";
+  ExecuteJsInSigninFrame(js);
+
+  run_loop.Run();
+}
+#endif // OS_CHROMEOS