Use GAIA headers to distinguish between GAIA and SAML IdP cookies

chrome/browser/chromeos/login/saml/saml_browsertest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/file_util.h"
 #include "base/files/file_path.h"
@@ skipping 65 matching lines @@
 using net::test_server::BasicHttpResponse;
 using net::test_server::HttpRequest;
 using net::test_server::HttpResponse;
 using testing::_;
 using testing::Return;
 
 namespace chromeos {
 
 namespace {
 
-const char kTestAuthSIDCookie[] = "fake-auth-SID-cookie";
-const char kTestAuthLSIDCookie[] = "fake-auth-LSID-cookie";
+const char kGAIASIDCookieName[] = "SID";
+const char kGAIALSIDCookieName[] = "LSID";
+
+const char kTestAuthSIDCookie1[] = "fake-auth-SID-cookie-1";
+const char kTestAuthSIDCookie2[] = "fake-auth-SID-cookie-2";
+const char kTestAuthLSIDCookie1[] = "fake-auth-LSID-cookie-1";
+const char kTestAuthLSIDCookie2[] = "fake-auth-LSID-cookie-2";
 const char kTestAuthCode[] = "fake-auth-code";
 const char kTestGaiaUberToken[] = "fake-uber-token";
 const char kTestAuthLoginAccessToken[] = "fake-access-token";
 const char kTestRefreshToken[] = "fake-refresh-token";
 const char kTestSessionSIDCookie[] = "fake-session-SID-cookie";
 const char kTestSessionLSIDCookie[] = "fake-session-LSID-cookie";
 
 const char kFirstSAMLUserEmail[] = "bob@example.com";
 const char kSecondSAMLUserEmail[] = "alice@example.com";
 const char kHTTPSAMLUserEmail[] = "carol@example.com";
 const char kNonSAMLUserEmail[] = "dan@example.com";
 const char kDifferentDomainSAMLUserEmail[] = "eve@example.test";
 
+const char kSAMLIdPCookieName[] = "saml";
 const char kSAMLIdPCookieValue1[] = "value-1";
 const char kSAMLIdPCookieValue2[] = "value-2";
 
 const char kRelayState[] = "RelayState";
 
 // FakeSamlIdp serves IdP auth form and the form submission. The form is
 // served with the template's RelayState placeholder expanded to the real
 // RelayState parameter from request. The form submission redirects back to
 // FakeGaia with the same RelayState.
 class FakeSamlIdp {
@@ skipping 178 matching lines @@
     fake_gaia_.RegisterSamlUser(kSecondSAMLUserEmail, saml_idp_url);
     fake_gaia_.RegisterSamlUser(
         kHTTPSAMLUserEmail,
         embedded_test_server()->base_url().Resolve("/SAML"));
     fake_gaia_.RegisterSamlUser(kDifferentDomainSAMLUserEmail, saml_idp_url);
 
     fake_gaia_.Initialize();
   }
 
   virtual void SetUpOnMainThread() OVERRIDE {
-    SetMergeSessionParams(kFirstSAMLUserEmail);
+    SetMergeSessionParams(kFirstSAMLUserEmail,
+                          kTestAuthSIDCookie1,
+                          kTestAuthLSIDCookie1);
 
     embedded_test_server()->RegisterRequestHandler(
         base::Bind(&FakeGaia::HandleRequest, base::Unretained(&fake_gaia_)));
     embedded_test_server()->RegisterRequestHandler(base::Bind(
         &FakeSamlIdp::HandleRequest, base::Unretained(&fake_saml_idp_)));
 
     // Restart the thread as the sandbox host process has already been spawned.
     embedded_test_server()->RestartThreadAndListen();
 
     login_screen_load_observer_.reset(new content::WindowedNotificationObserver(
         chrome::NOTIFICATION_LOGIN_OR_LOCK_WEBUI_VISIBLE,
         content::NotificationService::AllSources()));
   }
 
   virtual void TearDownOnMainThread() OVERRIDE {
     // If the login display is still showing, exit gracefully.
     if (LoginDisplayHostImpl::default_host()) {
       base::MessageLoop::current()->PostTask(FROM_HERE,
                                              base::Bind(&chrome::AttemptExit));
       content::RunMessageLoop();
     }
   }
 
-  void SetMergeSessionParams(const std::string& email) {
+  void SetMergeSessionParams(const std::string& email,
+                             const std::string& auth_sid_cookie,
+                             const std::string& auth_lsid_cookie) {
     FakeGaia::MergeSessionParams params;
-    params.auth_sid_cookie = kTestAuthSIDCookie;
-    params.auth_lsid_cookie = kTestAuthLSIDCookie;
+    params.auth_sid_cookie = auth_sid_cookie;
+    params.auth_lsid_cookie = auth_lsid_cookie;
     params.auth_code = kTestAuthCode;
     params.refresh_token = kTestRefreshToken;
     params.access_token = kTestAuthLoginAccessToken;
     params.gaia_uber_token = kTestGaiaUberToken;
     params.session_sid_cookie = kTestSessionSIDCookie;
     params.session_lsid_cookie = kTestSessionLSIDCookie;
     params.email = email;
     fake_gaia_.SetMergeSessionParams(params);
   }
 
@@ skipping 236 matching lines @@
   ASSERT_TRUE(user);
   EXPECT_EQ(kFirstSAMLUserEmail, user->email());
 }
 
 // Verifies that if the authenticated user's e-mail address cannot be retrieved,
 // an error message is shown.
 IN_PROC_BROWSER_TEST_F(SamlTest, FailToRetrieveAutenticatedUserEmailAddress) {
   fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
   StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
 
-  SetMergeSessionParams("");
+  SetMergeSessionParams("", kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
   SetSignFormField("Email", "fake_user");
   SetSignFormField("Password", "fake_password");
   ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
 
   EXPECT_EQ(l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_NO_EMAIL),
             WaitForAndGetFatalErrorMessage());
 }
 
 // Tests the password confirm flow: show error on the first failure and
 // fatal error on the second failure.
@@ skipping 61 matching lines @@
   virtual ~SAMLPolicyTest();
 
   // SamlTest:
   virtual void SetUpInProcessBrowserTestFixture() OVERRIDE;
   virtual void SetUpOnMainThread() OVERRIDE;
 
   void SetSAMLOfflineSigninTimeLimitPolicy(int limit);
   void EnableTransferSAMLCookiesPolicy();
 
   void ShowGAIALoginForm();
-  void LogInWithSAML(const std::string& user_id);
-  void VerifySAMLIdPCookieValue(const std::string& expected_cookie_value);
+  void LogInWithSAML(const std::string& user_id,
+                     const std::string& auth_sid_cookie,
+                     const std::string& auth_lsid_cookie);
 
+  std::string GetCookieValue(const std::string& name);
+
+  void GetCookies();
+
+ protected:
   void GetCookiesOnIOThread(
       const scoped_refptr<net::URLRequestContextGetter>& request_context,
       const base::Closure& callback);
   void StoreCookieList(const base::Closure& callback,
                        const net::CookieList& cookie_list);
 
- protected:
   policy::DevicePolicyCrosTestHelper test_helper_;
 
   // FakeDBusThreadManager uses FakeSessionManagerClient.
   FakeDBusThreadManager* fake_dbus_thread_manager_;
   FakeSessionManagerClient* fake_session_manager_client_;
   policy::DevicePolicyBuilder* device_policy_;
 
   policy::MockConfigurationPolicyProvider provider_;
 
   net::CookieList cookie_list_;
@@ skipping 80 matching lines @@
       "  window.domAutomationController.setAutomationId(0);"
       "  window.domAutomationController.send('ready');"
       "});"
       "$('add-user-button').click();"));
   content::DOMMessageQueue message_queue;
   std::string message;
   ASSERT_TRUE(message_queue.WaitForMessage(&message));
   EXPECT_EQ("\"ready\"", message);
 }
 
-void SAMLPolicyTest::LogInWithSAML(const std::string& user_id) {
+void SAMLPolicyTest::LogInWithSAML(const std::string& user_id,
+                                   const std::string& auth_sid_cookie,
+                                   const std::string& auth_lsid_cookie) {
   fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
   StartSamlAndWaitForIdpPageLoad(user_id);
 
-  SetMergeSessionParams(user_id);
+  SetMergeSessionParams(user_id, auth_sid_cookie, auth_lsid_cookie);
   SetSignFormField("Email", "fake_user");
   SetSignFormField("Password", "fake_password");
   ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
 
   OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
 
   SendConfirmPassword("fake_password");
   content::WindowedNotificationObserver(
       chrome::NOTIFICATION_SESSION_STARTED,
       content::NotificationService::AllSources()).Wait();
 }
 
-void SAMLPolicyTest::VerifySAMLIdPCookieValue(
-    const std::string& expected_cookie_value) {
+std::string SAMLPolicyTest::GetCookieValue(const std::string& name) {
+  for (net::CookieList::const_iterator it = cookie_list_.begin();
+       it != cookie_list_.end(); ++it) {
+    if (it->Name() == name)
+      return it->Value();
+  }
+  return std::string();
+}
+
+void SAMLPolicyTest::GetCookies() {
   Profile* profile =chromeos::ProfileHelper::Get()->GetProfileByUser(
       UserManager::Get()->GetActiveUser());
   ASSERT_TRUE(profile);
   base::RunLoop run_loop;
   content::BrowserThread::PostTask(
       content::BrowserThread::IO,
       FROM_HERE,
       base::Bind(&SAMLPolicyTest::GetCookiesOnIOThread,
                  base::Unretained(this),
                  scoped_refptr<net::URLRequestContextGetter>(
                      profile->GetRequestContext()),
                  run_loop.QuitClosure()));
   run_loop.Run();
-
-  net::CanonicalCookie const* saml_cookie = NULL;
-  for (net::CookieList::const_iterator it = cookie_list_.begin();
-       it != cookie_list_.end(); ++it) {
-    if (it->Name() == "saml") {
-      saml_cookie = &*it;
-      break;
-    }
-  }
-  ASSERT_TRUE(saml_cookie);
-  EXPECT_EQ(expected_cookie_value, saml_cookie->Value());
 }
 
 void SAMLPolicyTest::GetCookiesOnIOThread(
     const scoped_refptr<net::URLRequestContextGetter>& request_context,
     const base::Closure& callback) {
   request_context->GetURLRequestContext()->cookie_store()->
       GetCookieMonster()->GetAllCookiesAsync(base::Bind(
           &SAMLPolicyTest::StoreCookieList,
           base::Unretained(this),
           callback));
 }
 
 void SAMLPolicyTest::StoreCookieList(
     const base::Closure& callback,
     const net::CookieList& cookie_list) {
   cookie_list_ = cookie_list;
   content::BrowserThread::PostTask(content::BrowserThread::UI,
                                    FROM_HERE,
                                    callback);
 }
 
-IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, DISABLED_PRE_NoSAML) {
+IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_NoSAML) {
   // Set the offline login time limit for SAML users to zero.
   SetSAMLOfflineSigninTimeLimitPolicy(0);
 
   WaitForSigninScreen();
 
   // Log in without SAML.
   GetLoginDisplay()->ShowSigninScreenForCreds(kNonSAMLUserEmail, "password");
 
   content::WindowedNotificationObserver(
     chrome::NOTIFICATION_SESSION_STARTED,
     content::NotificationService::AllSources()).Wait();
 }
 
 // Verifies that the offline login time limit does not affect a user who
 // authenticated without SAML.
-IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, DISABLED_NoSAML) {
+IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, NoSAML) {
   login_screen_load_observer_->Wait();
   // Verify that offline login is allowed.
   JsExpect("window.getComputedStyle(document.querySelector("
            "    '#pod-row .signin-button-container')).display == 'none'");
 }
 
 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_SAMLNoLimit) {
   // Remove the offline login time limit for SAML users.
   SetSAMLOfflineSigninTimeLimitPolicy(-1);
 
-  LogInWithSAML(kFirstSAMLUserEmail);
+  LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
 }
 
 // Verifies that when no offline login time limit is set, a user who
 // authenticated with SAML is allowed to log in offline.
 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, SAMLNoLimit) {
   login_screen_load_observer_->Wait();
   // Verify that offline login is allowed.
   JsExpect("window.getComputedStyle(document.querySelector("
            "    '#pod-row .signin-button-container')).display == 'none'");
 }
 
 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_SAMLZeroLimit) {
   // Set the offline login time limit for SAML users to zero.
   SetSAMLOfflineSigninTimeLimitPolicy(0);
 
-  LogInWithSAML(kFirstSAMLUserEmail);
+  LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
 }
 
 // Verifies that when the offline login time limit is exceeded for a user who
 // authenticated via SAML, that user is forced to log in online the next time.
 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, SAMLZeroLimit) {
   login_screen_load_observer_->Wait();
   // Verify that offline login is not allowed.
   JsExpect("window.getComputedStyle(document.querySelector("
            "    '#pod-row .signin-button-container')).display != 'none'");
 }
 
-IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, DISABLED_PRE_PRE_TransferCookiesAffiliated) {
+IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_PRE_TransferCookiesAffiliated) {
   fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue1);
-  LogInWithSAML(kFirstSAMLUserEmail);
-  VerifySAMLIdPCookieValue(kSAMLIdPCookieValue1);
+  LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
+
+  GetCookies();
+  EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
+  EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
+  EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
 }
 
 // Verifies that when the DeviceTransferSAMLCookies policy is not enabled, SAML
 // IdP cookies are not transferred to a user's profile on subsequent login, even
-// if the user belongs to the domain that the device is enrolled into.
-IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, DISABLED_PRE_TransferCookiesAffiliated) {
+// if the user belongs to the domain that the device is enrolled into. Also
+// verifies that GAIA cookies are not transferred.
+IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_TransferCookiesAffiliated) {
   fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
   fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
   ShowGAIALoginForm();
+  LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie2, kTestAuthLSIDCookie2);
 
-  LogInWithSAML(kFirstSAMLUserEmail);
-  VerifySAMLIdPCookieValue(kSAMLIdPCookieValue1);
+  GetCookies();
+  EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
+  EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
+  EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
 }
 
 // Verifies that when the DeviceTransferSAMLCookies policy is enabled, SAML IdP
 // cookies are transferred to a user's profile on subsequent login when the user
-// belongs to the domain that the device is enrolled into.
-IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, DISABLED_TransferCookiesAffiliated) {
+// belongs to the domain that the device is enrolled into. Also verifies that
+// GAIA cookies are not transferred.
+IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, TransferCookiesAffiliated) {
   fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
   fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
   ShowGAIALoginForm();
 
   EnableTransferSAMLCookiesPolicy();
+  LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie2, kTestAuthLSIDCookie2);
 
-  LogInWithSAML(kFirstSAMLUserEmail);
-  VerifySAMLIdPCookieValue(kSAMLIdPCookieValue2);
+  GetCookies();
+  EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
+  EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
+  EXPECT_EQ(kSAMLIdPCookieValue2, GetCookieValue(kSAMLIdPCookieName));
 }
 
 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_TransferCookiesUnaffiliated) {
   fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue1);
-  LogInWithSAML(kDifferentDomainSAMLUserEmail);
-  VerifySAMLIdPCookieValue(kSAMLIdPCookieValue1);
+  LogInWithSAML(kDifferentDomainSAMLUserEmail,
+                kTestAuthSIDCookie1,
+                kTestAuthLSIDCookie1);
+
+  GetCookies();
+  EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
+  EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
+  EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
 }
 
 // Verifies that even if the DeviceTransferSAMLCookies policy is enabled, SAML
 // IdP are not transferred to a user's profile on subsequent login if the user
-// does not belong to the domain that the device is enrolled into.
+// does not belong to the domain that the device is enrolled into. Also verifies
+// that GAIA cookies are not transferred.
 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, TransferCookiesUnaffiliated) {
   fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
   fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
   ShowGAIALoginForm();
 
   EnableTransferSAMLCookiesPolicy();
+  LogInWithSAML(kDifferentDomainSAMLUserEmail,
+                kTestAuthSIDCookie1,
+                kTestAuthLSIDCookie1);
 
-  LogInWithSAML(kDifferentDomainSAMLUserEmail);
-  VerifySAMLIdPCookieValue(kSAMLIdPCookieValue1);
+  GetCookies();
+  EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
+  EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
+  EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
 }
 
 }  // namespace chromeos