Fix Chrome OS enrollment with SAML accounts

chrome/browser/chromeos/login/saml/saml_browsertest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include <cstring>
+
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
+#include "base/files/scoped_temp_dir.h"
 #include "base/location.h"
+#include "base/macros.h"
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/path_service.h"
 #include "base/run_loop.h"
 #include "base/strings/string16.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/values.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/chromeos/login/existing_user_controller.h"
 #include "chrome/browser/chromeos/login/test/https_forwarder.h"
 #include "chrome/browser/chromeos/login/test/oobe_screen_waiter.h"
 #include "chrome/browser/chromeos/login/ui/login_display_host_impl.h"
 #include "chrome/browser/chromeos/login/ui/webui_login_display.h"
 #include "chrome/browser/chromeos/login/wizard_controller.h"
 #include "chrome/browser/chromeos/policy/device_policy_builder.h"
 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
 #include "chrome/browser/chromeos/profiles/profile_helper.h"
 #include "chrome/browser/chromeos/settings/cros_settings.h"
 #include "chrome/browser/lifetime/application_lifetime.h"
+#include "chrome/browser/policy/test/local_policy_test_server.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/webui/signin/inline_login_ui.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/grit/generated_resources.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chromeos/chromeos_switches.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
 #include "chromeos/dbus/fake_session_manager_client.h"
 #include "chromeos/dbus/session_manager_client.h"
 #include "chromeos/settings/cros_settings_names.h"
 #include "components/policy/core/browser/browser_policy_connector.h"
 #include "components/policy/core/common/mock_configuration_policy_provider.h"
 #include "components/policy/core/common/policy_map.h"
+#include "components/policy/core/common/policy_switches.h"
 #include "components/policy/core/common/policy_types.h"
 #include "components/user_manager/user.h"
 #include "components/user_manager/user_manager.h"
 #include "content/public/browser/browser_thread.h"
+#include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
+#include "content/public/browser/web_contents_observer.h"
 #include "content/public/test/browser_test_utils.h"
 #include "content/public/test/test_utils.h"
 #include "google_apis/gaia/fake_gaia.h"
+#include "google_apis/gaia/gaia_constants.h"
 #include "google_apis/gaia/gaia_switches.h"
+#include "google_apis/gaia/gaia_urls.h"
 #include "net/base/url_util.h"
 #include "net/cookies/canonical_cookie.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/cookies/cookie_store.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
 #include "net/test/embedded_test_server/http_request.h"
 #include "net/test/embedded_test_server/http_response.h"
 #include "net/url_request/url_request_context.h"
 #include "net/url_request/url_request_context_getter.h"
@@ skipping 29 matching lines @@
 const char kHTTPSAMLUserEmail[] = "carol@example.com";
 const char kNonSAMLUserEmail[] = "dan@example.com";
 const char kDifferentDomainSAMLUserEmail[] = "eve@example.test";
 
 const char kSAMLIdPCookieName[] = "saml";
 const char kSAMLIdPCookieValue1[] = "value-1";
 const char kSAMLIdPCookieValue2[] = "value-2";
 
 const char kRelayState[] = "RelayState";
 
+const char kTestUserinfoToken[] = "fake-userinfo-token";
+const char kTestRefreshToken[] = "fake-refresh-token";
+const char kPolicy[] = "{\"managed_users\": [\"*\"]}";
+
 // FakeSamlIdp serves IdP auth form and the form submission. The form is
 // served with the template's RelayState placeholder expanded to the real
 // RelayState parameter from request. The form submission redirects back to
 // FakeGaia with the same RelayState.
 class FakeSamlIdp {
  public:
   FakeSamlIdp();
   ~FakeSamlIdp();
 
   void SetUp(const std::string& base_path, const GURL& gaia_url);
@@ skipping 119 matching lines @@
   http_response->set_content(response_html);
   http_response->set_content_type("text/html");
 
   return http_response.Pass();
 }
 
 }  // namespace
 
 class SamlTest : public InProcessBrowserTest {
  public:
-  SamlTest() : saml_load_injected_(false) {}
+  SamlTest() : gaia_frame_parent_("signin-frame"), saml_load_injected_(false) {}
   virtual ~SamlTest() {}
 
   virtual void SetUp() override {
     ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
 
     // Start the GAIA https wrapper here so that the GAIA URLs can be pointed at
     // it in SetUpCommandLine().
     gaia_https_forwarder_.reset(
         new HTTPSForwarder(embedded_test_server()->base_url()));
     ASSERT_TRUE(gaia_https_forwarder_->Start());
@@ skipping 77 matching lines @@
     WizardController* wizard_controller =
         WizardController::default_controller();
     if (wizard_controller) {
       WizardController::SkipPostLoginScreensForTesting();
       wizard_controller->SkipToLoginForTesting(LoginScreenContext());
     }
 
     login_screen_load_observer_->Wait();
   }
 
-  void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) {
+  virtual void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) {
     WaitForSigninScreen();
 
     if (!saml_load_injected_) {
       saml_load_injected_ = true;
 
       ASSERT_TRUE(content::ExecuteScript(
           GetLoginUI()->GetWebContents(),
           "$('gaia-signin').gaiaAuthHost_.addEventListener('authFlowChange',"
               "function() {"
                 "window.domAutomationController.setAutomationId(0);"
@@ skipping 54 matching lines @@
   }
 
   content::WebUI* GetLoginUI() {
     return static_cast<LoginDisplayHostImpl*>(
         LoginDisplayHostImpl::default_host())->GetOobeUI()->web_ui();
   }
 
   // Executes JavaScript code in the auth iframe hosted by gaia_auth extension.
   void ExecuteJsInSigninFrame(const std::string& js) {
     content::RenderFrameHost* frame = InlineLoginUI::GetAuthIframe(
-        GetLoginUI()->GetWebContents(), GURL(), "signin-frame");
+        GetLoginUI()->GetWebContents(), GURL(), gaia_frame_parent_);
     ASSERT_TRUE(content::ExecuteScript(frame, js));
   }
 
   FakeSamlIdp* fake_saml_idp() { return &fake_saml_idp_; }
 
  protected:
   scoped_ptr<content::WindowedNotificationObserver> login_screen_load_observer_;
   FakeGaia fake_gaia_;
 
+  std::string gaia_frame_parent_;
+
+  scoped_ptr<HTTPSForwarder> gaia_https_forwarder_;
+  scoped_ptr<HTTPSForwarder> saml_https_forwarder_;
+
  private:
   FakeSamlIdp fake_saml_idp_;
-  scoped_ptr<HTTPSForwarder> gaia_https_forwarder_;
-  scoped_ptr<HTTPSForwarder> saml_https_forwarder_;
 
   bool saml_load_injected_;
 
   DISALLOW_COPY_AND_ASSIGN(SamlTest);
 };
 
 // Tests that signin frame should have 'saml' class and 'cancel' button is
 // visible when SAML IdP page is loaded. And 'cancel' button goes back to
 // gaia on clicking.
 IN_PROC_BROWSER_TEST_F(SamlTest, SamlUI) {
@@ skipping 190 matching lines @@
 
   WaitForSigninScreen();
   GetLoginDisplay()->ShowSigninScreenForCreds(kFirstSAMLUserEmail, "");
 
   EXPECT_EQ(l10n_util::GetStringFUTF8(
                 IDS_LOGIN_FATAL_ERROR_TEXT_INSECURE_URL,
                 base::UTF8ToUTF16(url.spec())),
             WaitForAndGetFatalErrorMessage());
 }
 
+class SAMLEnrollmentTest : public SamlTest,
+                           public content::WebContentsObserver {
+ public:
+  SAMLEnrollmentTest();
+  ~SAMLEnrollmentTest() override;
+
+  // SamlTest:
+  void SetUp() override;
+  void SetUpCommandLine(CommandLine* command_line) override;
+  void SetUpOnMainThread() override;
+  void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) override;
+
+  // content::WebContentsObserver:
+  void RenderFrameCreated(content::RenderFrameHost* render_frame_host) override;
+  void DidFinishLoad(content::RenderFrameHost* render_frame_host,
+                     const GURL& validated_url) override;
+
+  void WaitForEnrollmentSuccess();
+
+ private:
+  scoped_ptr<policy::LocalPolicyTestServer> test_server_;
+  base::ScopedTempDir temp_dir_;
+
+  scoped_ptr<base::RunLoop> run_loop_;
+  content::RenderFrameHost* auth_frame_;
+
+  DISALLOW_COPY_AND_ASSIGN(SAMLEnrollmentTest);
+};
+
+SAMLEnrollmentTest::SAMLEnrollmentTest() : auth_frame_(nullptr) {
+  gaia_frame_parent_ = "oauth-enroll-signin-frame";
+}
+
+SAMLEnrollmentTest::~SAMLEnrollmentTest() {
+}
+
+void SAMLEnrollmentTest::SetUp() {
+  ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
+  const base::FilePath policy_file =
+      temp_dir_.path().AppendASCII("policy.json");
+  ASSERT_EQ(static_cast<int>(strlen(kPolicy)),

[Mattias Nissler (ping if slow), 2014/12/04 19:46:02]

If I'm not mistaken, you can just use sizeof instead of strlen.

[bartfab (slow), 2014/12/05 12:34:36]

I can use |sizeof(kPolicy) - 1| but that feels more clunky and brittle as the |-
1| could easily get lost in some refactor.

[Mattias Nissler (ping if slow), 2014/12/05 13:07:09]

Well, then the test would fail. Anyhow, fair enough.

+            base::WriteFile(policy_file, kPolicy, strlen(kPolicy)));
+
+  test_server_.reset(new policy::LocalPolicyTestServer(policy_file));
+  ASSERT_TRUE(test_server_->Start());
+
+  SamlTest::SetUp();
+}
+
+void SAMLEnrollmentTest::SetUpCommandLine(CommandLine* command_line) {
+  command_line->AppendSwitchASCII(policy::switches::kDeviceManagementUrl,
+                                  test_server_->GetServiceURL().spec());
+  command_line->AppendSwitch(policy::switches::kDisablePolicyKeyVerification);
+  command_line->AppendSwitch(switches::kEnterpriseEnrollmentSkipRobotAuth);

[Mattias Nissler (ping if slow), 2014/12/04 19:46:02]

Any good reason for this?

[bartfab (slow), 2014/12/05 12:34:36]

The robot account generation code causes an OAuth token fetch with a |code|
parameter that FakeGaia does not expect. I have two options: Set up FakeGaia to
expect this |code| or skip the robot account setup. I chose the latter because
it is easier and simpler. If you prefer, I am happy to set up FakeGaia to handle
the robot account instead.

[Mattias Nissler (ping if slow), 2014/12/05 13:07:09]

If I ever get to write an end-to-end FRE/enrollment browser test, robot auth
token fetching should be tested as well. I'm fine with leaving it out for now
though. Can you add a comment and/or TODO saying that this is only a shortcut
that can (and perhaps should be?) removed once we have the code infrastructure
to deal with the robot auth requests?

[bartfab (slow), 2014/12/15 17:10:21]

Done.

+
+  SamlTest::SetUpCommandLine(command_line);
+}
+
+void SAMLEnrollmentTest::SetUpOnMainThread() {
+  Observe(GetLoginUI()->GetWebContents());
+
+  FakeGaia::AccessTokenInfo token_info;
+  token_info.token = kTestUserinfoToken;
+  token_info.scopes.insert(GaiaConstants::kDeviceManagementServiceOAuth);
+  token_info.scopes.insert(GaiaConstants::kOAuthWrapBridgeUserInfoScope);
+  token_info.audience = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
+  token_info.email = kFirstSAMLUserEmail;
+  fake_gaia_.IssueOAuthToken(kTestRefreshToken, token_info);
+
+  SamlTest::SetUpOnMainThread();
+}
+
+void SAMLEnrollmentTest::StartSamlAndWaitForIdpPageLoad(
+    const std::string& gaia_email) {
+  WaitForSigninScreen();
+  run_loop_.reset(new base::RunLoop);
+  ExistingUserController::current_controller()->OnStartEnterpriseEnrollment();
+  run_loop_->Run();
+
+  SetSignFormField("Email", gaia_email);
+
+  run_loop_.reset(new base::RunLoop);
+  ExecuteJsInSigninFrame("document.getElementById('signIn').click();");
+  run_loop_->Run();
+}
+
+void SAMLEnrollmentTest::RenderFrameCreated(
+    content::RenderFrameHost* render_frame_host) {
+  content::RenderFrameHost* parent = render_frame_host->GetParent();
+  if (!parent || parent->GetFrameName() != gaia_frame_parent_)
+    return;
+
+  // The GAIA extension created the iframe in which the login form will be
+  // shown. Now wait for the login form to finish loading.
+  auth_frame_ = render_frame_host;
+  Observe(content::WebContents::FromRenderFrameHost(auth_frame_));
+}
+
+void SAMLEnrollmentTest::DidFinishLoad(
+    content::RenderFrameHost* render_frame_host,
+    const GURL& validated_url) {
+  if (render_frame_host != auth_frame_)
+    return;
+
+  const GURL origin = validated_url.GetOrigin();
+  if (origin != gaia_https_forwarder_->GetURL("") &&
+      origin != saml_https_forwarder_->GetURL("")) {
+    return;
+  }
+
+  // The GAIA or SAML IdP login form finished loading.
+  if (run_loop_)
+    run_loop_->Quit();
+}
+
+// Waits until the class |oauth-enroll-state-success| becomes set for the
+// enrollment screen, indicating enrollment success.
+void SAMLEnrollmentTest::WaitForEnrollmentSuccess() {

[Mattias Nissler (ping if slow), 2014/12/04 19:46:02]

Instead of this, why not just observe DeviceCloudPolicyStoreChromeOS? That'd
give you a simple C++ observer way of learning about successful enrollment.

[bartfab (slow), 2014/12/05 12:34:36]

This verifies that the enrollment success reaches the UI. I am adding this test
to protect against a regression that manifested itself in the UI getting stuck.
I think it is nice to verify that after enrollment, the UI reaches a valid
state.

[Mattias Nissler (ping if slow), 2014/12/05 13:07:09]

OK, fair enough. Might additionally want to click the OK button then and check
for the enrollment success exit code to WizardController? That's perhaps out of
scope of this test though.

[bartfab (slow), 2014/12/15 17:10:21]

I had a look. We cannot get at the exit code because this test uses the real
WizardController that has no hooks for screen exit codes. We would need to
inject some mock/fake that extracts the code.

+  bool done = false;
+  ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
+      GetLoginUI()->GetWebContents(),
+      "var enrollmentScreen = document.getElementById('oauth-enrollment');"
+      "function SendReplyIfEnrollmentDone() {"
+      "  if (!enrollmentScreen.classList.contains("
+      "           'oauth-enroll-state-success')) {"
+      "    return false;"
+      "  }"
+      "  domAutomationController.send(true);"
+      "  observer.disconnect();"
+      "  return true;"
+      "}"
+      "var observer = new MutationObserver(SendReplyIfEnrollmentDone);"
+      "if (!SendReplyIfEnrollmentDone()) {"
+      "  var options = { attributes: true, attributeFilter: [ 'class' ] };"
+      "  observer.observe(enrollmentScreen, options);"
+      "}",
+      &done));
+}
+
+IN_PROC_BROWSER_TEST_F(SAMLEnrollmentTest, WithoutCredentialsPassingAPI) {
+  fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
+  StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
+
+  // Fill-in the SAML IdP form and submit.
+  SetSignFormField("Email", "fake_user");
+  SetSignFormField("Password", "fake_password");
+  ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
+
+  WaitForEnrollmentSuccess();
+}
+
+IN_PROC_BROWSER_TEST_F(SAMLEnrollmentTest, WithCredentialsPassingAPI) {
+  fake_saml_idp()->SetLoginHTMLTemplate("saml_api_login.html");
+  fake_saml_idp()->SetLoginAuthHTMLTemplate("saml_api_login_auth.html");
+  StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
+
+  // Fill-in the SAML IdP form and submit.
+  SetSignFormField("Email", "fake_user");
+  SetSignFormField("Password", "fake_password");
+  ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
+
+  WaitForEnrollmentSuccess();
+}
+
 class SAMLPolicyTest : public SamlTest {
  public:
   SAMLPolicyTest();
   virtual ~SAMLPolicyTest();
 
   // SamlTest:
   virtual void SetUpInProcessBrowserTestFixture() override;
   virtual void SetUpOnMainThread() override;
 
   void SetSAMLOfflineSigninTimeLimitPolicy(int limit);
@@ skipping 301 matching lines @@
                 kTestAuthSIDCookie1,
                 kTestAuthLSIDCookie1);
 
   GetCookies();
   EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
   EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
   EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
 }
 
 }  // namespace chromeos