| Index: chrome/browser/chromeos/login/existing_user_controller_browsertest.cc
|
| diff --git a/chrome/browser/chromeos/login/existing_user_controller_browsertest.cc b/chrome/browser/chromeos/login/existing_user_controller_browsertest.cc
|
| index a9e52ea72b33e219d7ae0798852c91b262e55949..dc0a82edd0b284a73de6f9f921b1688b02f51b52 100644
|
| --- a/chrome/browser/chromeos/login/existing_user_controller_browsertest.cc
|
| +++ b/chrome/browser/chromeos/login/existing_user_controller_browsertest.cc
|
| @@ -2,6 +2,7 @@
|
| // Use of this source code is governed by a BSD-style license that can be
|
| // found in the LICENSE file.
|
|
|
| +#include <string>
|
| #include <vector>
|
|
|
| #include "base/bind.h"
|
| @@ -13,8 +14,11 @@
|
| #include "base/run_loop.h"
|
| #include "chrome/browser/chrome_notification_types.h"
|
| #include "chrome/browser/chromeos/login/existing_user_controller.h"
|
| +#include "chrome/browser/chromeos/login/help_app_launcher.h"
|
| #include "chrome/browser/chromeos/login/helper.h"
|
| #include "chrome/browser/chromeos/login/mock_login_utils.h"
|
| +#include "chrome/browser/chromeos/login/screens/mock_base_screen_delegate.h"
|
| +#include "chrome/browser/chromeos/login/supervised/supervised_user_creation_screen.h"
|
| #include "chrome/browser/chromeos/login/ui/mock_login_display.h"
|
| #include "chrome/browser/chromeos/login/ui/mock_login_display_host.h"
|
| #include "chrome/browser/chromeos/login/users/mock_user_manager.h"
|
| @@ -26,6 +30,8 @@
|
| #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
|
| #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
|
| #include "chrome/browser/chromeos/settings/cros_settings.h"
|
| +#include "chrome/browser/ui/webui/chromeos/login/supervised_user_creation_screen_handler.h"
|
| +#include "chrome/grit/generated_resources.h"
|
| #include "chrome/test/base/testing_browser_process.h"
|
| #include "chrome/test/base/testing_profile.h"
|
| #include "chromeos/chromeos_switches.h"
|
| @@ -35,7 +41,9 @@
|
| #include "chromeos/login/auth/mock_authenticator.h"
|
| #include "chromeos/login/auth/mock_url_fetchers.h"
|
| #include "chromeos/login/auth/user_context.h"
|
| +#include "chromeos/login/user_names.h"
|
| #include "chromeos/settings/cros_settings_names.h"
|
| +#include "chromeos/settings/cros_settings_provider.h"
|
| #include "components/policy/core/common/cloud/cloud_policy_constants.h"
|
| #include "components/policy/core/common/cloud/cloud_policy_core.h"
|
| #include "components/policy/core/common/cloud/cloud_policy_store.h"
|
| @@ -47,6 +55,7 @@
|
| #include "content/public/test/mock_notification_observer.h"
|
| #include "content/public/test/test_utils.h"
|
| #include "google_apis/gaia/mock_url_fetcher_factory.h"
|
| +#include "policy/proto/device_management_backend.pb.h"
|
| #include "testing/gmock/include/gmock/gmock.h"
|
| #include "testing/gtest/include/gtest/gtest.h"
|
|
|
| @@ -67,6 +76,7 @@ namespace {
|
|
|
| const char kUsername[] = "test_user@gmail.com";
|
| const char kNewUsername[] = "test_new_user@gmail.com";
|
| +const char kSupervisedUserID[] = "supervised_user@locally-managed.localhost";
|
| const char kPassword[] = "test_password";
|
|
|
| const char kPublicSessionAccountId[] = "public_session_user@localhost";
|
| @@ -78,6 +88,26 @@ ACTION_P(CreateAuthenticator, user_context) {
|
| return new MockAuthenticator(arg0, user_context);
|
| }
|
|
|
| +// Wait for cros settings to become permanently untrusted and run |callback|.
|
| +void WaitForPermanentlyUntrustedStatusAndRun(const base::Closure& callback) {
|
| + while (true) {
|
| + const CrosSettingsProvider::TrustedStatus status =
|
| + CrosSettings::Get()->PrepareTrustedValues(base::Bind(
|
| + &WaitForPermanentlyUntrustedStatusAndRun,
|
| + callback));
|
| + switch (status) {
|
| + case CrosSettingsProvider::PERMANENTLY_UNTRUSTED:
|
| + callback.Run();
|
| + return;
|
| + case CrosSettingsProvider::TEMPORARILY_UNTRUSTED:
|
| + return;
|
| + case CrosSettingsProvider::TRUSTED:
|
| + content::RunAllPendingInMessageLoop();
|
| + break;
|
| + }
|
| + }
|
| +}
|
| +
|
| } // namespace
|
|
|
| class ExistingUserControllerTest : public policy::DevicePolicyCrosBrowserTest {
|
| @@ -193,6 +223,18 @@ class ExistingUserControllerTest : public policy::DevicePolicyCrosBrowserTest {
|
| user_manager_enabler_.reset();
|
| }
|
|
|
| + void ExpectLoginFailure() {
|
| + EXPECT_CALL(*mock_login_display_, SetUIEnabled(false))
|
| + .Times(1);
|
| + EXPECT_CALL(*mock_login_display_,
|
| + ShowError(IDS_LOGIN_ERROR_OWNER_KEY_LOST,
|
| + 1,
|
| + HelpAppLauncher::HELP_CANT_ACCESS_ACCOUNT))
|
| + .Times(1);
|
| + EXPECT_CALL(*mock_login_display_, SetUIEnabled(true))
|
| + .Times(1);
|
| + }
|
| +
|
| // ExistingUserController private member accessors.
|
| base::OneShotTimer<ExistingUserController>* auto_login_timer() {
|
| return existing_user_controller()->auto_login_timer_.get();
|
| @@ -236,7 +278,7 @@ class ExistingUserControllerTest : public policy::DevicePolicyCrosBrowserTest {
|
|
|
| IN_PROC_BROWSER_TEST_F(ExistingUserControllerTest, ExistingUserLogin) {
|
| EXPECT_CALL(*mock_login_display_, SetUIEnabled(false))
|
| - .Times(1);
|
| + .Times(2);
|
| UserContext user_context(kUsername);
|
| user_context.SetKey(Key(kPassword));
|
| user_context.SetUserIDHash(kUsername);
|
| @@ -330,6 +372,81 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerTest,
|
| content::RunAllPendingInMessageLoop();
|
| }
|
|
|
| +// Verifies that when the cros settings are untrusted, no new session can be
|
| +// started.
|
| +class ExistingUserControllerUntrustedTest : public ExistingUserControllerTest {
|
| + public:
|
| + ExistingUserControllerUntrustedTest();
|
| +
|
| + void SetUpInProcessBrowserTestFixture() override;
|
| +
|
| + void SetUpSessionManager() override;
|
| +
|
| + private:
|
| + DISALLOW_COPY_AND_ASSIGN(ExistingUserControllerUntrustedTest);
|
| +};
|
| +
|
| +ExistingUserControllerUntrustedTest::ExistingUserControllerUntrustedTest() {
|
| +}
|
| +
|
| +void ExistingUserControllerUntrustedTest::SetUpInProcessBrowserTestFixture() {
|
| + ExistingUserControllerTest::SetUpInProcessBrowserTestFixture();
|
| +
|
| + ExpectLoginFailure();
|
| +}
|
| +
|
| +void ExistingUserControllerUntrustedTest::SetUpSessionManager() {
|
| + InstallOwnerKey();
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerUntrustedTest,
|
| + UserLoginForbidden) {
|
| + UserContext user_context(kUsername);
|
| + user_context.SetKey(Key(kPassword));
|
| + user_context.SetUserIDHash(kUsername);
|
| + existing_user_controller()->Login(user_context, SigninSpecifics());
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerUntrustedTest,
|
| + CreateAccountForbidden) {
|
| + existing_user_controller()->CreateAccount();
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerUntrustedTest,
|
| + GuestLoginForbidden) {
|
| + existing_user_controller()->Login(
|
| + UserContext(user_manager::USER_TYPE_GUEST, std::string()),
|
| + SigninSpecifics());
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerUntrustedTest,
|
| + RetailModeLoginForbidden) {
|
| + existing_user_controller()->Login(
|
| + UserContext(user_manager::USER_TYPE_RETAIL_MODE,
|
| + chromeos::login::kRetailModeUserName),
|
| + SigninSpecifics());
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerUntrustedTest,
|
| + SupervisedUserLoginForbidden) {
|
| + UserContext user_context(kSupervisedUserID);
|
| + user_context.SetKey(Key(kPassword));
|
| + user_context.SetUserIDHash(kUsername);
|
| + existing_user_controller()->Login(user_context, SigninSpecifics());
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerUntrustedTest,
|
| + SupervisedUserCreationForbidden) {
|
| + MockBaseScreenDelegate mock_base_screen_delegate;
|
| + SupervisedUserCreationScreenHandler supervised_user_creation_screen_handler;
|
| + SupervisedUserCreationScreen supervised_user_creation_screen(
|
| + &mock_base_screen_delegate,
|
| + &supervised_user_creation_screen_handler);
|
| +
|
| + EXPECT_CALL(*mock_user_manager_, SetUserFlow(kUsername, _)).Times(1);
|
| + supervised_user_creation_screen.AuthenticateManager(kUsername, kPassword);
|
| +}
|
| +
|
| MATCHER_P(HasDetails, expected, "") {
|
| return expected == *content::Details<const std::string>(arg).ptr();
|
| }
|
| @@ -488,6 +605,16 @@ class ExistingUserControllerPublicSessionTest
|
| existing_user_controller()->OnPublicSessionAutoLoginTimerFire();
|
| }
|
|
|
| + void MakeCrosSettingsPermanentlyUntrusted() {
|
| + device_policy()->policy().set_policy_data_signature("bad signature");
|
| + session_manager_client()->set_device_policy(device_policy()->GetBlob());
|
| + session_manager_client()->OnPropertyChangeComplete(true);
|
| +
|
| + base::RunLoop run_loop;
|
| + WaitForPermanentlyUntrustedStatusAndRun(run_loop.QuitClosure());
|
| + run_loop.Run();
|
| + }
|
| +
|
| const std::string public_session_user_id_;
|
|
|
| private:
|
| @@ -566,7 +693,7 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
|
|
| existing_user_controller()->OnSigninScreenReady();
|
| SetAutoLoginPolicy(kPublicSessionAccountId, kAutoLoginLongDelay);
|
| - ASSERT_TRUE(auto_login_timer());
|
| + EXPECT_TRUE(auto_login_timer());
|
|
|
| // Log in and check that it stopped the timer.
|
| existing_user_controller()->Login(user_context, SigninSpecifics());
|
| @@ -585,7 +712,7 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| GuestModeLoginStopsAutoLogin) {
|
| EXPECT_CALL(*mock_login_display_, SetUIEnabled(false))
|
| - .Times(1);
|
| + .Times(2);
|
| UserContext user_context(kUsername);
|
| user_context.SetKey(Key(kPassword));
|
| EXPECT_CALL(*mock_login_utils_, CreateAuthenticator(_))
|
| @@ -594,10 +721,12 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
|
|
| existing_user_controller()->OnSigninScreenReady();
|
| SetAutoLoginPolicy(kPublicSessionAccountId, kAutoLoginLongDelay);
|
| - ASSERT_TRUE(auto_login_timer());
|
| + EXPECT_TRUE(auto_login_timer());
|
|
|
| // Login and check that it stopped the timer.
|
| - existing_user_controller()->LoginAsGuest();
|
| + existing_user_controller()->Login(UserContext(user_manager::USER_TYPE_GUEST,
|
| + std::string()),
|
| + SigninSpecifics());
|
| EXPECT_TRUE(is_login_in_progress());
|
| ASSERT_TRUE(auto_login_timer());
|
| EXPECT_FALSE(auto_login_timer()->IsRunning());
|
| @@ -622,7 +751,7 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
|
|
| existing_user_controller()->OnSigninScreenReady();
|
| SetAutoLoginPolicy(kPublicSessionAccountId, kAutoLoginLongDelay);
|
| - ASSERT_TRUE(auto_login_timer());
|
| + EXPECT_TRUE(auto_login_timer());
|
|
|
| // Check that login completes and stops the timer.
|
| existing_user_controller()->CompleteLogin(user_context);
|
| @@ -646,12 +775,13 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| ExpectSuccessfulLogin(user_context);
|
| existing_user_controller()->OnSigninScreenReady();
|
| SetAutoLoginPolicy(kPublicSessionAccountId, kAutoLoginLongDelay);
|
| - ASSERT_TRUE(auto_login_timer());
|
| + EXPECT_TRUE(auto_login_timer());
|
|
|
| // Login and check that it stopped the timer.
|
| - existing_user_controller()->LoginAsPublicSession(UserContext(
|
| - user_manager::USER_TYPE_PUBLIC_ACCOUNT,
|
| - public_session_user_id_));
|
| + existing_user_controller()->Login(
|
| + UserContext(user_manager::USER_TYPE_PUBLIC_ACCOUNT,
|
| + public_session_user_id_),
|
| + SigninSpecifics());
|
|
|
| EXPECT_TRUE(is_login_in_progress());
|
| ASSERT_TRUE(auto_login_timer());
|
| @@ -666,6 +796,34 @@ IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| }
|
|
|
| IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| + LoginForbiddenWhenUntrusted) {
|
| + // Make cros settings untrusted.
|
| + MakeCrosSettingsPermanentlyUntrusted();
|
| +
|
| + // Check that the attempt to start a public session fails with an error.
|
| + ExpectLoginFailure();
|
| + UserContext user_context(kUsername);
|
| + user_context.SetKey(Key(kPassword));
|
| + user_context.SetUserIDHash(user_context.GetUserID());
|
| + existing_user_controller()->Login(user_context, SigninSpecifics());
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| + NoAutoLoginWhenUntrusted) {
|
| + // Start the public session timer.
|
| + SetAutoLoginPolicy(kPublicSessionAccountId, kAutoLoginLongDelay);
|
| + existing_user_controller()->OnSigninScreenReady();
|
| + EXPECT_TRUE(auto_login_timer());
|
| +
|
| + // Make cros settings untrusted.
|
| + MakeCrosSettingsPermanentlyUntrusted();
|
| +
|
| + // Check that when the timer fires, auto-login fails with an error.
|
| + ExpectLoginFailure();
|
| + FireAutoLogin();
|
| +}
|
| +
|
| +IN_PROC_BROWSER_TEST_F(ExistingUserControllerPublicSessionTest,
|
| PRE_TestLoadingPublicUsersFromLocalState) {
|
| // First run propagates public accounts and stores them in Local State.
|
| }
|
|
|
Chromium Code Reviews
Issue 696263003:
Prevent login while cros settings are untrusted (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@f_2_425574_add_protos_for_device_disabling_in_steady_state