| Index: remoting/host/policy_watcher_unittest.cc
|
| diff --git a/remoting/host/policy_watcher_unittest.cc b/remoting/host/policy_watcher_unittest.cc
|
| index c4a8084cbbe12356f334ccdb878a090fcd2dc7fb..843e4a37af07e6ec9545940415bb67fc45ef153c 100644
|
| --- a/remoting/host/policy_watcher_unittest.cc
|
| +++ b/remoting/host/policy_watcher_unittest.cc
|
| @@ -17,6 +17,8 @@
|
|
|
| namespace remoting {
|
|
|
| +namespace key = ::policy::key;
|
| +
|
| MATCHER_P(IsPolicies, dict, "") {
|
| bool equal = arg->Equals(dict);
|
| if (!equal) {
|
| @@ -56,6 +58,10 @@ class PolicyWatcherTest : public testing::Test {
|
| PolicyWatcherTest() : message_loop_(base::MessageLoop::TYPE_IO) {}
|
|
|
| void SetUp() override {
|
| + // We expect no callbacks unless explicitly specified by individual tests.
|
| + EXPECT_CALL(mock_policy_callback_, OnPolicyUpdatePtr(testing::_)).Times(0);
|
| + EXPECT_CALL(mock_policy_callback_, OnPolicyError()).Times(0);
|
| +
|
| message_loop_proxy_ = base::MessageLoopProxy::current();
|
|
|
| // Retaining a raw pointer to keep control over policy contents.
|
| @@ -63,96 +69,94 @@ class PolicyWatcherTest : public testing::Test {
|
| policy_watcher_ =
|
| PolicyWatcher::CreateFromPolicyLoader(make_scoped_ptr(policy_loader_));
|
|
|
| - nat_true_.SetBoolean(policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| - nat_false_.SetBoolean(policy::key::kRemoteAccessHostFirewallTraversal,
|
| - false);
|
| - nat_one_.SetInteger(policy::key::kRemoteAccessHostFirewallTraversal, 1);
|
| - domain_empty_.SetString(policy::key::kRemoteAccessHostDomain,
|
| - std::string());
|
| - domain_full_.SetString(policy::key::kRemoteAccessHostDomain, kHostDomain);
|
| + nat_true_.SetBoolean(key::kRemoteAccessHostFirewallTraversal, true);
|
| + nat_false_.SetBoolean(key::kRemoteAccessHostFirewallTraversal, false);
|
| + nat_one_.SetInteger(key::kRemoteAccessHostFirewallTraversal, 1);
|
| + nat_one_domain_full_.SetInteger(key::kRemoteAccessHostFirewallTraversal, 1);
|
| + nat_one_domain_full_.SetString(key::kRemoteAccessHostDomain, kHostDomain);
|
| + domain_empty_.SetString(key::kRemoteAccessHostDomain, std::string());
|
| + domain_full_.SetString(key::kRemoteAccessHostDomain, kHostDomain);
|
| SetDefaults(nat_true_others_default_);
|
| - nat_true_others_default_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| + nat_true_others_default_.SetBoolean(key::kRemoteAccessHostFirewallTraversal,
|
| + true);
|
| SetDefaults(nat_false_others_default_);
|
| nat_false_others_default_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, false);
|
| + key::kRemoteAccessHostFirewallTraversal, false);
|
| SetDefaults(domain_empty_others_default_);
|
| - domain_empty_others_default_.SetString(policy::key::kRemoteAccessHostDomain,
|
| + domain_empty_others_default_.SetString(key::kRemoteAccessHostDomain,
|
| std::string());
|
| SetDefaults(domain_full_others_default_);
|
| - domain_full_others_default_.SetString(policy::key::kRemoteAccessHostDomain,
|
| + domain_full_others_default_.SetString(key::kRemoteAccessHostDomain,
|
| kHostDomain);
|
| - nat_true_domain_empty_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| - nat_true_domain_empty_.SetString(policy::key::kRemoteAccessHostDomain,
|
| + nat_true_domain_empty_.SetBoolean(key::kRemoteAccessHostFirewallTraversal,
|
| + true);
|
| + nat_true_domain_empty_.SetString(key::kRemoteAccessHostDomain,
|
| std::string());
|
| - nat_true_domain_full_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| - nat_true_domain_full_.SetString(policy::key::kRemoteAccessHostDomain,
|
| - kHostDomain);
|
| - nat_false_domain_empty_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, false);
|
| - nat_false_domain_empty_.SetString(policy::key::kRemoteAccessHostDomain,
|
| + nat_true_domain_full_.SetBoolean(key::kRemoteAccessHostFirewallTraversal,
|
| + true);
|
| + nat_true_domain_full_.SetString(key::kRemoteAccessHostDomain, kHostDomain);
|
| + nat_false_domain_empty_.SetBoolean(key::kRemoteAccessHostFirewallTraversal,
|
| + false);
|
| + nat_false_domain_empty_.SetString(key::kRemoteAccessHostDomain,
|
| std::string());
|
| - nat_false_domain_full_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, false);
|
| - nat_false_domain_full_.SetString(policy::key::kRemoteAccessHostDomain,
|
| - kHostDomain);
|
| + nat_false_domain_full_.SetBoolean(key::kRemoteAccessHostFirewallTraversal,
|
| + false);
|
| + nat_false_domain_full_.SetString(key::kRemoteAccessHostDomain, kHostDomain);
|
| SetDefaults(nat_true_domain_empty_others_default_);
|
| nat_true_domain_empty_others_default_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| + key::kRemoteAccessHostFirewallTraversal, true);
|
| nat_true_domain_empty_others_default_.SetString(
|
| - policy::key::kRemoteAccessHostDomain, std::string());
|
| + key::kRemoteAccessHostDomain, std::string());
|
| unknown_policies_.SetString("UnknownPolicyOne", std::string());
|
| unknown_policies_.SetString("UnknownPolicyTwo", std::string());
|
| unknown_policies_.SetBoolean("RemoteAccessHostUnknownPolicyThree", true);
|
|
|
| const char kOverrideNatTraversalToFalse[] =
|
| "{ \"RemoteAccessHostFirewallTraversal\": false }";
|
| - nat_true_and_overridden_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| + nat_true_and_overridden_.SetBoolean(key::kRemoteAccessHostFirewallTraversal,
|
| + true);
|
| nat_true_and_overridden_.SetString(
|
| - policy::key::kRemoteAccessHostDebugOverridePolicies,
|
| + key::kRemoteAccessHostDebugOverridePolicies,
|
| kOverrideNatTraversalToFalse);
|
| - pairing_true_.SetBoolean(policy::key::kRemoteAccessHostAllowClientPairing,
|
| - true);
|
| - pairing_false_.SetBoolean(policy::key::kRemoteAccessHostAllowClientPairing,
|
| - false);
|
| - gnubby_auth_true_.SetBoolean(policy::key::kRemoteAccessHostAllowGnubbyAuth,
|
| - true);
|
| - gnubby_auth_false_.SetBoolean(policy::key::kRemoteAccessHostAllowGnubbyAuth,
|
| - false);
|
| - relay_true_.SetBoolean(policy::key::kRemoteAccessHostAllowRelayedConnection,
|
| - true);
|
| - relay_false_.SetBoolean(
|
| - policy::key::kRemoteAccessHostAllowRelayedConnection, false);
|
| - port_range_full_.SetString(policy::key::kRemoteAccessHostUdpPortRange,
|
| - kPortRange);
|
| - port_range_empty_.SetString(policy::key::kRemoteAccessHostUdpPortRange,
|
| + pairing_true_.SetBoolean(key::kRemoteAccessHostAllowClientPairing, true);
|
| + pairing_false_.SetBoolean(key::kRemoteAccessHostAllowClientPairing, false);
|
| + gnubby_auth_true_.SetBoolean(key::kRemoteAccessHostAllowGnubbyAuth, true);
|
| + gnubby_auth_false_.SetBoolean(key::kRemoteAccessHostAllowGnubbyAuth, false);
|
| + relay_true_.SetBoolean(key::kRemoteAccessHostAllowRelayedConnection, true);
|
| + relay_false_.SetBoolean(key::kRemoteAccessHostAllowRelayedConnection,
|
| + false);
|
| + port_range_full_.SetString(key::kRemoteAccessHostUdpPortRange, kPortRange);
|
| + port_range_empty_.SetString(key::kRemoteAccessHostUdpPortRange,
|
| std::string());
|
| - curtain_true_.SetBoolean(policy::key::kRemoteAccessHostRequireCurtain,
|
| - true);
|
| - curtain_false_.SetBoolean(policy::key::kRemoteAccessHostRequireCurtain,
|
| - false);
|
| - username_true_.SetBoolean(policy::key::kRemoteAccessHostMatchUsername,
|
| - true);
|
| - username_false_.SetBoolean(policy::key::kRemoteAccessHostMatchUsername,
|
| - false);
|
| - talk_gadget_blah_.SetString(policy::key::kRemoteAccessHostTalkGadgetPrefix,
|
| - "blah");
|
| - token_url_https_.SetString(policy::key::kRemoteAccessHostTalkGadgetPrefix,
|
| - "https://example.com");
|
| - token_validation_url_https_.SetString(
|
| - policy::key::kRemoteAccessHostTalkGadgetPrefix, "https://example.com");
|
| - token_certificate_blah_.SetString(
|
| - policy::key::kRemoteAccessHostTokenValidationCertificateIssuer, "blah");
|
| + port_range_malformed_.SetString(key::kRemoteAccessHostUdpPortRange,
|
| + "malformed");
|
| + port_range_malformed_domain_full_.MergeDictionary(&port_range_malformed_);
|
| + port_range_malformed_domain_full_.SetString(key::kRemoteAccessHostDomain,
|
| + kHostDomain);
|
| +
|
| + curtain_true_.SetBoolean(key::kRemoteAccessHostRequireCurtain, true);
|
| + curtain_false_.SetBoolean(key::kRemoteAccessHostRequireCurtain, false);
|
| + username_true_.SetBoolean(key::kRemoteAccessHostMatchUsername, true);
|
| + username_false_.SetBoolean(key::kRemoteAccessHostMatchUsername, false);
|
| + talk_gadget_blah_.SetString(key::kRemoteAccessHostTalkGadgetPrefix, "blah");
|
| + third_party_auth_partial_.SetString(key::kRemoteAccessHostTokenUrl,
|
| + "https://token.com");
|
| + third_party_auth_partial_.SetString(
|
| + key::kRemoteAccessHostTokenValidationUrl, "https://validation.com");
|
| + third_party_auth_full_.MergeDictionary(&third_party_auth_partial_);
|
| + third_party_auth_full_.SetString(
|
| + key::kRemoteAccessHostTokenValidationCertificateIssuer,
|
| + "certificate subject");
|
| + third_party_auth_cert_empty_.MergeDictionary(&third_party_auth_partial_);
|
| + third_party_auth_cert_empty_.SetString(
|
| + key::kRemoteAccessHostTokenValidationCertificateIssuer, "");
|
|
|
| #if !defined(NDEBUG)
|
| SetDefaults(nat_false_overridden_others_default_);
|
| nat_false_overridden_others_default_.SetBoolean(
|
| - policy::key::kRemoteAccessHostFirewallTraversal, false);
|
| + key::kRemoteAccessHostFirewallTraversal, false);
|
| nat_false_overridden_others_default_.SetString(
|
| - policy::key::kRemoteAccessHostDebugOverridePolicies,
|
| + key::kRemoteAccessHostDebugOverridePolicies,
|
| kOverrideNatTraversalToFalse);
|
| #endif
|
| }
|
| @@ -214,6 +218,7 @@ class PolicyWatcherTest : public testing::Test {
|
| base::DictionaryValue nat_true_;
|
| base::DictionaryValue nat_false_;
|
| base::DictionaryValue nat_one_;
|
| + base::DictionaryValue nat_one_domain_full_;
|
| base::DictionaryValue domain_empty_;
|
| base::DictionaryValue domain_full_;
|
| base::DictionaryValue nat_true_others_default_;
|
| @@ -236,35 +241,34 @@ class PolicyWatcherTest : public testing::Test {
|
| base::DictionaryValue relay_false_;
|
| base::DictionaryValue port_range_full_;
|
| base::DictionaryValue port_range_empty_;
|
| + base::DictionaryValue port_range_malformed_;
|
| + base::DictionaryValue port_range_malformed_domain_full_;
|
| base::DictionaryValue curtain_true_;
|
| base::DictionaryValue curtain_false_;
|
| base::DictionaryValue username_true_;
|
| base::DictionaryValue username_false_;
|
| base::DictionaryValue talk_gadget_blah_;
|
| - base::DictionaryValue token_url_https_;
|
| - base::DictionaryValue token_validation_url_https_;
|
| - base::DictionaryValue token_certificate_blah_;
|
| + base::DictionaryValue third_party_auth_full_;
|
| + base::DictionaryValue third_party_auth_partial_;
|
| + base::DictionaryValue third_party_auth_cert_empty_;
|
|
|
| private:
|
| void SetDefaults(base::DictionaryValue& dict) {
|
| - dict.SetBoolean(policy::key::kRemoteAccessHostFirewallTraversal, true);
|
| - dict.SetBoolean(policy::key::kRemoteAccessHostAllowRelayedConnection, true);
|
| - dict.SetString(policy::key::kRemoteAccessHostUdpPortRange, "");
|
| - dict.SetString(policy::key::kRemoteAccessHostDomain, std::string());
|
| - dict.SetBoolean(policy::key::kRemoteAccessHostMatchUsername, false);
|
| - dict.SetString(policy::key::kRemoteAccessHostTalkGadgetPrefix,
|
| + dict.SetBoolean(key::kRemoteAccessHostFirewallTraversal, true);
|
| + dict.SetBoolean(key::kRemoteAccessHostAllowRelayedConnection, true);
|
| + dict.SetString(key::kRemoteAccessHostUdpPortRange, "");
|
| + dict.SetString(key::kRemoteAccessHostDomain, std::string());
|
| + dict.SetBoolean(key::kRemoteAccessHostMatchUsername, false);
|
| + dict.SetString(key::kRemoteAccessHostTalkGadgetPrefix,
|
| kDefaultHostTalkGadgetPrefix);
|
| - dict.SetBoolean(policy::key::kRemoteAccessHostRequireCurtain, false);
|
| - dict.SetString(policy::key::kRemoteAccessHostTokenUrl, std::string());
|
| - dict.SetString(policy::key::kRemoteAccessHostTokenValidationUrl,
|
| - std::string());
|
| - dict.SetString(
|
| - policy::key::kRemoteAccessHostTokenValidationCertificateIssuer,
|
| - std::string());
|
| - dict.SetBoolean(policy::key::kRemoteAccessHostAllowClientPairing, true);
|
| - dict.SetBoolean(policy::key::kRemoteAccessHostAllowGnubbyAuth, true);
|
| + dict.SetBoolean(key::kRemoteAccessHostRequireCurtain, false);
|
| + dict.SetString(key::kRemoteAccessHostTokenUrl, "");
|
| + dict.SetString(key::kRemoteAccessHostTokenValidationUrl, "");
|
| + dict.SetString(key::kRemoteAccessHostTokenValidationCertificateIssuer, "");
|
| + dict.SetBoolean(key::kRemoteAccessHostAllowClientPairing, true);
|
| + dict.SetBoolean(key::kRemoteAccessHostAllowGnubbyAuth, true);
|
| #if !defined(NDEBUG)
|
| - dict.SetString(policy::key::kRemoteAccessHostDebugOverridePolicies, "");
|
| + dict.SetString(key::kRemoteAccessHostDebugOverridePolicies, "");
|
| #endif
|
|
|
| ASSERT_THAT(&dict, IsPolicies(&GetDefaultValues()))
|
| @@ -307,6 +311,26 @@ TEST_F(PolicyWatcherTest, NatWrongType) {
|
| StartWatching();
|
| }
|
|
|
| +// This test verifies that a mistyped policy value is still detected
|
| +// even though it doesn't change during the second SetPolicies call.
|
| +TEST_F(PolicyWatcherTest, NatWrongTypeThenIrrelevantChange) {
|
| + EXPECT_CALL(mock_policy_callback_, OnPolicyError()).Times(2);
|
| +
|
| + SetPolicies(nat_one_);
|
| + StartWatching();
|
| + SetPolicies(nat_one_domain_full_);
|
| +}
|
| +
|
| +// This test verifies that a malformed policy value is still detected
|
| +// even though it doesn't change during the second SetPolicies call.
|
| +TEST_F(PolicyWatcherTest, PortRangeMalformedThenIrrelevantChange) {
|
| + EXPECT_CALL(mock_policy_callback_, OnPolicyError()).Times(2);
|
| +
|
| + SetPolicies(port_range_malformed_);
|
| + StartWatching();
|
| + SetPolicies(port_range_malformed_domain_full_);
|
| +}
|
| +
|
| TEST_F(PolicyWatcherTest, DomainEmpty) {
|
| EXPECT_CALL(mock_policy_callback_,
|
| OnPolicyUpdatePtr(IsPolicies(&domain_empty_others_default_)));
|
| @@ -521,40 +545,36 @@ TEST_F(PolicyWatcherTest, TalkGadgetPrefix) {
|
| SetPolicies(talk_gadget_blah_);
|
| }
|
|
|
| -TEST_F(PolicyWatcherTest, TokenUrl) {
|
| +TEST_F(PolicyWatcherTest, ThirdPartyAuthFull) {
|
| testing::InSequence sequence;
|
| EXPECT_CALL(mock_policy_callback_,
|
| OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
|
| EXPECT_CALL(mock_policy_callback_,
|
| - OnPolicyUpdatePtr(IsPolicies(&token_url_https_)));
|
| + OnPolicyUpdatePtr(IsPolicies(&third_party_auth_full_)));
|
|
|
| SetPolicies(empty_);
|
| StartWatching();
|
| - SetPolicies(token_url_https_);
|
| + SetPolicies(third_party_auth_full_);
|
| }
|
|
|
| -TEST_F(PolicyWatcherTest, TokenValidationUrl) {
|
| +// This test verifies what happens when only 1 out of 3 third-party auth
|
| +// policies changes. Without the other 2 policy values such policy values
|
| +// combination is invalid (i.e. cannot have TokenUrl without
|
| +// TokenValidationUrl) and can trigger OnPolicyError unless PolicyWatcher
|
| +// implementation is careful around this scenario.
|
| +TEST_F(PolicyWatcherTest, ThirdPartyAuthPartialToFull) {
|
| testing::InSequence sequence;
|
| EXPECT_CALL(mock_policy_callback_,
|
| OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
|
| EXPECT_CALL(mock_policy_callback_,
|
| - OnPolicyUpdatePtr(IsPolicies(&token_validation_url_https_)));
|
| -
|
| - SetPolicies(empty_);
|
| - StartWatching();
|
| - SetPolicies(token_validation_url_https_);
|
| -}
|
| -
|
| -TEST_F(PolicyWatcherTest, TokenValidationCertificateIssuer) {
|
| - testing::InSequence sequence;
|
| - EXPECT_CALL(mock_policy_callback_,
|
| - OnPolicyUpdatePtr(IsPolicies(&nat_true_others_default_)));
|
| + OnPolicyUpdatePtr(IsPolicies(&third_party_auth_cert_empty_)));
|
| EXPECT_CALL(mock_policy_callback_,
|
| - OnPolicyUpdatePtr(IsPolicies(&token_certificate_blah_)));
|
| + OnPolicyUpdatePtr(IsPolicies(&third_party_auth_full_)));
|
|
|
| SetPolicies(empty_);
|
| StartWatching();
|
| - SetPolicies(token_certificate_blah_);
|
| + SetPolicies(third_party_auth_partial_);
|
| + SetPolicies(third_party_auth_full_);
|
| }
|
|
|
| TEST_F(PolicyWatcherTest, UdpPortRange) {
|
| @@ -587,13 +607,13 @@ TEST_F(PolicyWatcherTest, PolicySchemaAndPolicyWatcherShouldBeInSync) {
|
| #if defined(OS_WIN)
|
| // RemoteAccessHostMatchUsername is marked in policy_templates.json as not
|
| // supported on Windows and therefore is (by design) excluded from the schema.
|
| - expected_schema.erase(policy::key::kRemoteAccessHostMatchUsername);
|
| + expected_schema.erase(key::kRemoteAccessHostMatchUsername);
|
| #endif
|
| #if defined(NDEBUG)
|
| // Policy schema / policy_templates.json cannot differ between debug and
|
| // release builds so we compensate below to account for the fact that
|
| // PolicyWatcher::default_values_ does differ between debug and release.
|
| - expected_schema[policy::key::kRemoteAccessHostDebugOverridePolicies] =
|
| + expected_schema[key::kRemoteAccessHostDebugOverridePolicies] =
|
| base::Value::TYPE_STRING;
|
| #endif
|
|
|
|
|
Chromium Code Reviews
Issue 966433002:
Malformed PortRange or ThirdPartyAuthConfig trigger OnPolicyError. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master