Enable system token in platformKeys api.

chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc

Index: chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
diff --git a/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc b/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
index db6e0af7d6576c37c4bb0c2e302cd1d69dc0a5ab..1eb57c3efbed214b32d6dd2721dc1cf3c071af8c 100644
--- a/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
+++ b/chrome/browser/extensions/api/enterprise_platform_keys/enterprise_platform_keys_apitest_nss.cc
@@ -7,10 +7,13 @@
 #include "base/macros.h"
 #include "base/strings/stringprintf.h"
 #include "chrome/browser/chrome_notification_types.h"
+#include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
 #include "chrome/browser/extensions/extension_apitest.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/net/nss_context.h"
 #include "chrome/browser/net/url_request_mock_util.h"
+#include "chromeos/chromeos_switches.h"
+#include "chromeos/login/user_names.h"
 #include "components/policy/core/browser/browser_policy_connector.h"
 #include "components/policy/core/common/mock_configuration_policy_provider.h"
 #include "components/policy/core/common/policy_map.h"
@@ -18,20 +21,24 @@
 #include "content/public/common/content_switches.h"
 #include "content/public/test/test_utils.h"
 #include "content/test/net/url_request_mock_http_job.h"
+#include "crypto/nss_util_internal.h"
+#include "crypto/scoped_test_system_nss_key_slot.h"
 #include "net/base/net_errors.h"
 #include "net/cert/nss_cert_database.h"
 #include "policy/policy_constants.h"
 #include "testing/gmock/include/gmock/gmock.h"
 
+

[Joao da Silva, 2014/07/30 08:46:39]

single newline

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

 namespace {
 
-// The test extension has a certificate referencing this private key.
+// The test extension has a certificate referencing this private key which will
+// be stored in the user's token in the test setup.
 //
 // openssl genrsa > privkey.pem
-// openssl pkcs8 -inform pem -in privkey.pem -topk8
+// openssl pkcs8 -inform pem -in privkey.pem -topk8 \
 //   -outform der -out privkey8.der -nocrypt
 // xxd -i privkey8.der
-const unsigned char privateKeyPkcs8[] = {
+const unsigned char privateKeyPkcs8User[] = {
     0x30, 0x82, 0x01, 0x55, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,
     0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
     0x01, 0x3f, 0x30, 0x82, 0x01, 0x3b, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
@@ -62,6 +69,40 @@ const unsigned char privateKeyPkcs8[] = {
     0x7a, 0x09, 0xfb, 0xe9, 0x9e, 0xc7, 0x7a, 0x1f, 0x53, 0x1a, 0xb8, 0xd5,
     0x88, 0x9d, 0xd4, 0x79, 0x57, 0x88, 0x68, 0x72, 0x6f};
 
+// The test extension has a certificate referencing this private key which will
+// be stored in the system token in the test setup.
+const unsigned char privateKeyPkcs8System[] = {
+  0x30, 0x82, 0x01, 0x54, 0x02, 0x01, 0x00, 0x30, 0x0d, 0x06, 0x09, 0x2a,

[Joao da Silva, 2014/07/30 08:46:39]

nit: 4 spaces for consistency with privateKeyPkcs8User

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+  0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x04, 0x82,
+  0x01, 0x3e, 0x30, 0x82, 0x01, 0x3a, 0x02, 0x01, 0x00, 0x02, 0x41, 0x00,
+  0xe8, 0xb3, 0x04, 0xb1, 0xad, 0xef, 0x6b, 0xe5, 0xbe, 0xc9, 0x05, 0x75,
+  0x07, 0x41, 0xf5, 0x70, 0x50, 0xc2, 0xe8, 0xee, 0xeb, 0x09, 0x9d, 0x49,
+  0x64, 0x4c, 0x60, 0x61, 0x80, 0xbe, 0xc5, 0x41, 0xf3, 0x8c, 0x57, 0x90,
+  0x3a, 0x44, 0x62, 0x6d, 0x51, 0xb8, 0xbb, 0xc6, 0x9a, 0x16, 0xdf, 0xf9,
+  0xce, 0xe3, 0xb8, 0x8c, 0x2e, 0xa2, 0x16, 0xc8, 0xed, 0xc7, 0xf8, 0x4f,
+  0xbd, 0xd3, 0x6e, 0x63, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x40, 0x76,
+  0xc9, 0x83, 0xf8, 0xeb, 0xd0, 0x8f, 0xa4, 0xdd, 0x4a, 0xa2, 0xe5, 0x85,
+  0xc9, 0xee, 0xef, 0xe1, 0xda, 0x4d, 0xac, 0x41, 0x01, 0x4c, 0x70, 0x7d,
+  0xa9, 0xdb, 0x7d, 0x8a, 0x8a, 0x58, 0x09, 0x04, 0x45, 0x43, 0xa4, 0xf3,
+  0xb4, 0x98, 0xf6, 0x34, 0x68, 0x5f, 0xc1, 0xc2, 0xa7, 0x86, 0x3e, 0xec,
+  0x84, 0x0b, 0x18, 0xbc, 0xb1, 0xee, 0x6f, 0x3f, 0xb1, 0x6d, 0xbc, 0x3e,
+  0xbf, 0x6d, 0x31, 0x02, 0x21, 0x00, 0xff, 0x9d, 0x90, 0x4f, 0x0e, 0xe8,
+  0x7e, 0xf3, 0x38, 0xa7, 0xec, 0x73, 0x80, 0xf9, 0x39, 0x2c, 0xaa, 0x33,
+  0x91, 0x72, 0x10, 0x7c, 0x8b, 0xc3, 0x61, 0x6d, 0x40, 0x96, 0xac, 0xb3,
+  0x5e, 0xc9, 0x02, 0x21, 0x00, 0xe9, 0x0c, 0xa1, 0x34, 0xf2, 0x43, 0x3c,
+  0x74, 0xec, 0x1a, 0xf6, 0x80, 0x8e, 0x50, 0x10, 0x6d, 0x55, 0x64, 0xce,
+  0x47, 0x4a, 0x1e, 0x34, 0x27, 0x6c, 0x49, 0x79, 0x6a, 0x23, 0xc6, 0x9d,
+  0xcb, 0x02, 0x20, 0x48, 0xda, 0xa8, 0xc1, 0xcf, 0xb6, 0xf6, 0x4f, 0xee,
+  0x4a, 0xf6, 0x3a, 0xa9, 0x7c, 0xdf, 0x0d, 0xda, 0xe8, 0xdd, 0xc0, 0x8b,
+  0xf0, 0x63, 0x89, 0x69, 0x60, 0x51, 0x33, 0x60, 0xbf, 0xb2, 0xf9, 0x02,
+  0x21, 0x00, 0xb4, 0x77, 0x81, 0x46, 0x7c, 0xec, 0x30, 0x1e, 0xe2, 0xcf,
+  0x26, 0x5f, 0xfa, 0xd4, 0x69, 0x44, 0x21, 0x42, 0x84, 0xb2, 0x93, 0xe4,
+  0xbb, 0xc2, 0x63, 0x8a, 0xaa, 0x28, 0xd5, 0x37, 0x72, 0xed, 0x02, 0x20,
+  0x16, 0xde, 0x3d, 0x57, 0xc5, 0xd5, 0x3d, 0x90, 0x8b, 0xfd, 0x90, 0x3b,
+  0xd8, 0x71, 0x69, 0x5e, 0x8d, 0xb4, 0x48, 0x1c, 0xa4, 0x01, 0xce, 0xc1,
+  0xb5, 0x6f, 0xe9, 0x1b, 0x32, 0x91, 0x34, 0x38
+};
+
 const base::FilePath::CharType kTestExtensionDir[] =
     FILE_PATH_LITERAL("extensions/api_test/enterprise_platform_keys");
 const base::FilePath::CharType kUpdateManifestFileName[] =
@@ -72,43 +113,30 @@ const base::FilePath::CharType kUpdateManifestFileName[] =
 // the extension.
 const char kTestExtensionID[] = "aecpbnckhoppanpmefllkdkohionpmig";
 
-void DidGetCertDatabase(base::RunLoop* loop, net::NSSCertDatabase* cert_db) {
-  // In order to use a prepared certificate, import a private key at first for
-  // which the Javscript test will import the certificate.
-  SECItem pki_der = {
-      siBuffer,
-      // NSS requires non-const data even though it is just for input.
-      const_cast<unsigned char*>((const unsigned char*)privateKeyPkcs8),
-      arraysize(privateKeyPkcs8)};
-
-  crypto::ScopedPK11Slot private_slot(cert_db->GetPrivateSlot());
-  SECKEYPrivateKey* seckey_private_key = NULL;
-  ASSERT_EQ(SECSuccess,
-            PK11_ImportDERPrivateKeyInfoAndReturnKey(private_slot.get(),
-                                                     &pki_der,
-                                                     NULL,    // nickname
-                                                     NULL,    // publicValue
-                                                     true,    // isPerm
-                                                     true,    // isPrivate
-                                                     KU_ALL,  // usage
-                                                     &seckey_private_key,
-                                                     NULL));
-  loop->Quit();
-}
-
 class EnterprisePlatformKeysTest : public ExtensionApiTest {
  public:
+  EnterprisePlatformKeysTest() : nss_db_(NULL) {}
+
   virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
     ExtensionApiTest::SetUpCommandLine(command_line);
 
     // Enable the WebCrypto API.
     command_line->AppendSwitch(
         switches::kEnableExperimentalWebPlatformFeatures);
+
+    command_line->AppendSwitchASCII(chromeos::switches::kLoginUser,
+                                    chromeos::login::kStubUser);
   }
 
   virtual void SetUpInProcessBrowserTestFixture() OVERRIDE {
     ExtensionApiTest::SetUpInProcessBrowserTestFixture();
 
+    device_policy_test_helper_.device_policy()->policy_data().set_username(
+        chromeos::login::kStubUser);
+
+    device_policy_test_helper_.device_policy()->Build();
+    device_policy_test_helper_.MarkAsEnterpriseOwned();
+
     EXPECT_CALL(policy_provider_, IsInitializationComplete(testing::_))
         .WillRepeatedly(testing::Return(true));
     policy_provider_.SetAutoRefresh();
@@ -126,18 +154,110 @@ class EnterprisePlatformKeysTest : public ExtensionApiTest {
         FROM_HERE,
         base::Bind(chrome_browser_net::SetUrlRequestMocksEnabled, true));
 
+    {
+      base::RunLoop loop;
+      GetNSSCertDatabaseForProfile(
+          browser()->profile(),
+          base::Bind(&EnterprisePlatformKeysTest::DidGetCertDatabase,
+                     base::Unretained(this),
+                     &loop));

[Joao da Silva, 2014/07/30 08:46:39]

It's more common to pass loop.QuitClosure() and then invoke that callback when
the task is done to unblock loop.Run()

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+      loop.Run();
+    }
 
     {
       base::RunLoop loop;
-      GetNSSCertDatabaseForProfile(browser()->profile(),
-                                   base::Bind(&DidGetCertDatabase, &loop));
+      content::BrowserThread::PostTask(
+          content::BrowserThread::IO,
+          FROM_HERE,
+          base::Bind(&EnterprisePlatformKeysTest::SetUpTestSystemSlot,
+                     base::Unretained(this),
+                     browser()->profile()->GetResourceContext(),
+                     &loop));

[Joao da Silva, 2014/07/30 08:46:39]

Same here

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

       loop.Run();
     }
 
     SetPolicy();
   }
 
+  virtual void TearDownOnMainThread() OVERRIDE {
+    base::RunLoop loop;
+    content::BrowserThread::PostTask(
+        content::BrowserThread::IO,
+        FROM_HERE,
+        base::Bind(&EnterprisePlatformKeysTest::TearDownTestSystemSlot,
+                   base::Unretained(this),
+                   &loop));

[Joao da Silva, 2014/07/30 08:46:39]

And here

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+    loop.Run();
+
+    ExtensionApiTest::TearDownOnMainThread();
+  }
+
  private:
+  void DidGetCertDatabase(base::RunLoop* loop, net::NSSCertDatabase* cert_db) {
+    nss_db_ = cert_db;
+
+    // In order to use a prepared certificate, import a private key to the
+    // user's
+    // token for which the Javscript test will import the certificate.

[Joao da Silva, 2014/07/30 08:46:39]

merge these 2 lines

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+    SECItem pki_der_user = {
+        siBuffer,
+        // NSS requires non-const data even though it is just for input.
+        const_cast<unsigned char*>((const unsigned char*)privateKeyPkcs8User),
+        arraysize(privateKeyPkcs8User)};
+
+    crypto::ScopedPK11Slot private_slot(cert_db->GetPrivateSlot());
+    SECKEYPrivateKey* seckey_private_key_user = NULL;
+    ASSERT_EQ(SECSuccess,
+              PK11_ImportDERPrivateKeyInfoAndReturnKey(private_slot.get(),
+                                                       &pki_der_user,
+                                                       NULL,    // nickname
+                                                       NULL,    // publicValue
+                                                       true,    // isPerm
+                                                       true,    // isPrivate
+                                                       KU_ALL,  // usage
+                                                       &seckey_private_key_user,
+                                                       NULL));
+
+    loop->Quit();
+  }
+
+  void SetUpTestSystemSlot(content::ResourceContext* context,
+                           base::RunLoop* loop) {
+    test_system_slot_.reset(new crypto::ScopedTestSystemNSSKeySlot());
+    ASSERT_TRUE(test_system_slot_->ConstructedSuccessfully());
+
+    SECItem pki_der_system = {
+        siBuffer,
+        // NSS requires non-const data even though it is just for input.
+        const_cast<unsigned char*>((const unsigned char*)privateKeyPkcs8System),
+        arraysize(privateKeyPkcs8System)};
+
+    SECKEYPrivateKey* seckey_private_key_system = NULL;
+    ASSERT_EQ(
+        SECSuccess,
+        PK11_ImportDERPrivateKeyInfoAndReturnKey(test_system_slot_->slot(),
+                                                 &pki_der_system,
+                                                 NULL,    // nickname
+                                                 NULL,    // publicValue
+                                                 true,    // isPerm
+                                                 true,    // isPrivate
+                                                 KU_ALL,  // usage
+                                                 &seckey_private_key_system,
+                                                 NULL));

[Joao da Silva, 2014/07/30 08:46:39]

These lines are shared with DidGetCertDatabase() (from lines 229 to 246), move
to a helper method?

[pneubeck (no reviews), 2014/07/30 13:53:45]

Done.

+
+    EnableNSSSystemKeySlotForResourceContext(context);
+
+    content::BrowserThread::PostTask(
+        content::BrowserThread::UI, FROM_HERE, loop->QuitClosure());
+  }
+
+  void TearDownTestSystemSlot(base::RunLoop* loop) {
+    test_system_slot_.reset();
+
+    content::BrowserThread::PostTask(
+        content::BrowserThread::UI, FROM_HERE, loop->QuitClosure());
+  }
+
   void SetPolicy() {
     // Extensions that are force-installed come from an update URL, which
     // defaults to the webstore. Use a mock URL for this test with an update
@@ -166,6 +286,9 @@ class EnterprisePlatformKeysTest : public ExtensionApiTest {
     observer.Wait();
   }
 
+  net::NSSCertDatabase* nss_db_;
+  policy::DevicePolicyCrosTestHelper device_policy_test_helper_;
+  scoped_ptr<crypto::ScopedTestSystemNSSKeySlot> test_system_slot_;
   policy::MockConfigurationPolicyProvider policy_provider_;
 };