Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / sync / util / cryptographer_unittest.cc
blob49d149c8566cbad4835b5c34f27f0e4be402aa41
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "sync/util/cryptographer.h"
7 #include <string>
9 #include "base/memory/scoped_ptr.h"
10 #include "base/strings/string_util.h"
11 #include "sync/protocol/password_specifics.pb.h"
12 #include "sync/test/fake_encryptor.h"
13 #include "testing/gmock/include/gmock/gmock.h"
14 #include "testing/gtest/include/gtest/gtest.h"
16 namespace syncer {
18 namespace {
20 using ::testing::_;
22 } // namespace
24 class CryptographerTest : public ::testing::Test {
25 protected:
26 CryptographerTest() : cryptographer_(&encryptor_) {}
28 FakeEncryptor encryptor_;
29 Cryptographer cryptographer_;
32 TEST_F(CryptographerTest, EmptyCantDecrypt) {
33 EXPECT_FALSE(cryptographer_.is_ready());
35 sync_pb::EncryptedData encrypted;
36 encrypted.set_key_name("foo");
37 encrypted.set_blob("bar");
39 EXPECT_FALSE(cryptographer_.CanDecrypt(encrypted));
42 TEST_F(CryptographerTest, EmptyCantEncrypt) {
43 EXPECT_FALSE(cryptographer_.is_ready());
45 sync_pb::EncryptedData encrypted;
46 sync_pb::PasswordSpecificsData original;
47 EXPECT_FALSE(cryptographer_.Encrypt(original, &encrypted));
50 TEST_F(CryptographerTest, MissingCantDecrypt) {
51 KeyParams params = {"localhost", "dummy", "dummy"};
52 cryptographer_.AddKey(params);
53 EXPECT_TRUE(cryptographer_.is_ready());
55 sync_pb::EncryptedData encrypted;
56 encrypted.set_key_name("foo");
57 encrypted.set_blob("bar");
59 EXPECT_FALSE(cryptographer_.CanDecrypt(encrypted));
62 TEST_F(CryptographerTest, CanEncryptAndDecrypt) {
63 KeyParams params = {"localhost", "dummy", "dummy"};
64 EXPECT_TRUE(cryptographer_.AddKey(params));
65 EXPECT_TRUE(cryptographer_.is_ready());
67 sync_pb::PasswordSpecificsData original;
68 original.set_origin("http://example.com");
69 original.set_username_value("azure");
70 original.set_password_value("hunter2");
72 sync_pb::EncryptedData encrypted;
73 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted));
75 sync_pb::PasswordSpecificsData decrypted;
76 EXPECT_TRUE(cryptographer_.Decrypt(encrypted, &decrypted));
78 EXPECT_EQ(original.SerializeAsString(), decrypted.SerializeAsString());
81 TEST_F(CryptographerTest, EncryptOnlyIfDifferent) {
82 KeyParams params = {"localhost", "dummy", "dummy"};
83 EXPECT_TRUE(cryptographer_.AddKey(params));
84 EXPECT_TRUE(cryptographer_.is_ready());
86 sync_pb::PasswordSpecificsData original;
87 original.set_origin("http://example.com");
88 original.set_username_value("azure");
89 original.set_password_value("hunter2");
91 sync_pb::EncryptedData encrypted;
92 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted));
94 sync_pb::EncryptedData encrypted2, encrypted3;
95 encrypted2.CopyFrom(encrypted);
96 encrypted3.CopyFrom(encrypted);
97 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted2));
99 // Now encrypt with a new default key. Should overwrite the old data.
100 KeyParams params_new = {"localhost", "dummy", "dummy2"};
101 cryptographer_.AddKey(params_new);
102 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted3));
104 sync_pb::PasswordSpecificsData decrypted;
105 EXPECT_TRUE(cryptographer_.Decrypt(encrypted2, &decrypted));
106 // encrypted2 should match encrypted, encrypted3 should not (due to salting).
107 EXPECT_EQ(encrypted.SerializeAsString(), encrypted2.SerializeAsString());
108 EXPECT_NE(encrypted.SerializeAsString(), encrypted3.SerializeAsString());
109 EXPECT_EQ(original.SerializeAsString(), decrypted.SerializeAsString());
112 TEST_F(CryptographerTest, AddKeySetsDefault) {
113 KeyParams params1 = {"localhost", "dummy", "dummy1"};
114 EXPECT_TRUE(cryptographer_.AddKey(params1));
115 EXPECT_TRUE(cryptographer_.is_ready());
117 sync_pb::PasswordSpecificsData original;
118 original.set_origin("http://example.com");
119 original.set_username_value("azure");
120 original.set_password_value("hunter2");
122 sync_pb::EncryptedData encrypted1;
123 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted1));
124 sync_pb::EncryptedData encrypted2;
125 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted2));
127 KeyParams params2 = {"localhost", "dummy", "dummy2"};
128 EXPECT_TRUE(cryptographer_.AddKey(params2));
129 EXPECT_TRUE(cryptographer_.is_ready());
131 sync_pb::EncryptedData encrypted3;
132 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted3));
133 sync_pb::EncryptedData encrypted4;
134 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted4));
136 EXPECT_EQ(encrypted1.key_name(), encrypted2.key_name());
137 EXPECT_NE(encrypted1.key_name(), encrypted3.key_name());
138 EXPECT_EQ(encrypted3.key_name(), encrypted4.key_name());
141 TEST_F(CryptographerTest, EncryptExportDecrypt) {
142 sync_pb::EncryptedData nigori;
143 sync_pb::EncryptedData encrypted;
145 sync_pb::PasswordSpecificsData original;
146 original.set_origin("http://example.com");
147 original.set_username_value("azure");
148 original.set_password_value("hunter2");
151 Cryptographer cryptographer(&encryptor_);
153 KeyParams params = {"localhost", "dummy", "dummy"};
154 cryptographer.AddKey(params);
155 EXPECT_TRUE(cryptographer.is_ready());
157 EXPECT_TRUE(cryptographer.Encrypt(original, &encrypted));
158 EXPECT_TRUE(cryptographer.GetKeys(&nigori));
162 Cryptographer cryptographer(&encryptor_);
163 EXPECT_FALSE(cryptographer.CanDecrypt(nigori));
165 cryptographer.SetPendingKeys(nigori);
166 EXPECT_FALSE(cryptographer.is_ready());
167 EXPECT_TRUE(cryptographer.has_pending_keys());
169 KeyParams params = {"localhost", "dummy", "dummy"};
170 EXPECT_TRUE(cryptographer.DecryptPendingKeys(params));
171 EXPECT_TRUE(cryptographer.is_ready());
172 EXPECT_FALSE(cryptographer.has_pending_keys());
174 sync_pb::PasswordSpecificsData decrypted;
175 EXPECT_TRUE(cryptographer.Decrypt(encrypted, &decrypted));
176 EXPECT_EQ(original.SerializeAsString(), decrypted.SerializeAsString());
180 TEST_F(CryptographerTest, Bootstrap) {
181 KeyParams params = {"localhost", "dummy", "dummy"};
182 cryptographer_.AddKey(params);
184 std::string token;
185 EXPECT_TRUE(cryptographer_.GetBootstrapToken(&token));
186 EXPECT_TRUE(base::IsStringUTF8(token));
188 Cryptographer other_cryptographer(&encryptor_);
189 other_cryptographer.Bootstrap(token);
190 EXPECT_TRUE(other_cryptographer.is_ready());
192 const char secret[] = "secret";
193 sync_pb::EncryptedData encrypted;
194 EXPECT_TRUE(other_cryptographer.EncryptString(secret, &encrypted));
195 EXPECT_TRUE(cryptographer_.CanDecryptUsingDefaultKey(encrypted));
198 // Verifies that copied cryptographers are just as good as the original.
200 // Encrypt an item using the original cryptographer and two different sets of
201 // keys. Verify that it can decrypt them.
203 // Then copy the original cryptographer and ensure it can also decrypt these
204 // items and encrypt them with the most recent key.
205 TEST_F(CryptographerTest, CopyConstructor) {
206 sync_pb::PasswordSpecificsData original;
207 original.set_origin("http://example.com");
208 original.set_username_value("luser");
209 original.set_password_value("p4ssw0rd");
211 // Start by testing the original cryptogprapher.
212 KeyParams params1 = {"localhost", "dummy", "dummy"};
213 EXPECT_TRUE(cryptographer_.AddKey(params1));
214 EXPECT_TRUE(cryptographer_.is_ready());
216 sync_pb::EncryptedData encrypted_k1;
217 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted_k1));
219 KeyParams params2 = {"localhost", "fatuous", "fatuous"};
220 EXPECT_TRUE(cryptographer_.AddKey(params2));
221 EXPECT_TRUE(cryptographer_.is_ready());
223 sync_pb::EncryptedData encrypted_k2;
224 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted_k2));
226 sync_pb::PasswordSpecificsData decrypted_k1;
227 sync_pb::PasswordSpecificsData decrypted_k2;
228 EXPECT_TRUE(cryptographer_.Decrypt(encrypted_k1, &decrypted_k1));
229 EXPECT_TRUE(cryptographer_.Decrypt(encrypted_k2, &decrypted_k2));
231 EXPECT_EQ(original.SerializeAsString(), decrypted_k1.SerializeAsString());
232 EXPECT_EQ(original.SerializeAsString(), decrypted_k2.SerializeAsString());
234 // Clone the cryptographer and test that it behaves the same.
235 Cryptographer cryptographer_clone(cryptographer_);
237 // The clone should be able to decrypt with old and new keys.
238 sync_pb::PasswordSpecificsData decrypted_k1_clone;
239 sync_pb::PasswordSpecificsData decrypted_k2_clone;
240 EXPECT_TRUE(cryptographer_clone.Decrypt(encrypted_k1, &decrypted_k1_clone));
241 EXPECT_TRUE(cryptographer_clone.Decrypt(encrypted_k2, &decrypted_k2_clone));
243 EXPECT_EQ(original.SerializeAsString(),
244 decrypted_k1_clone.SerializeAsString());
245 EXPECT_EQ(original.SerializeAsString(),
246 decrypted_k2_clone.SerializeAsString());
248 // The old cryptographer should be able to decrypt things encrypted by the
249 // new.
250 sync_pb::EncryptedData encrypted_c;
251 EXPECT_TRUE(cryptographer_clone.Encrypt(original, &encrypted_c));
253 sync_pb::PasswordSpecificsData decrypted_c;
254 EXPECT_TRUE(cryptographer_.Decrypt(encrypted_c, &decrypted_c));
255 EXPECT_EQ(original.SerializeAsString(), decrypted_c.SerializeAsString());
257 // The cloned cryptographer should be using the latest key.
258 EXPECT_EQ(encrypted_c.key_name(), encrypted_k2.key_name());
261 // Test verifies that GetBootstrapToken/Bootstrap only transfers default
262 // key. Additional call to GetKeys/InstallKeys is needed to transfer keybag
263 // to decrypt messages encrypted with old keys.
264 TEST_F(CryptographerTest, GetKeysThenInstall) {
265 sync_pb::PasswordSpecificsData original;
266 original.set_origin("http://example.com");
267 original.set_username_value("luser");
268 original.set_password_value("p4ssw0rd");
270 // First, encrypt the same value using two different keys.
271 KeyParams params1 = {"localhost", "dummy", "dummy"};
272 EXPECT_TRUE(cryptographer_.AddKey(params1));
273 EXPECT_TRUE(cryptographer_.is_ready());
275 sync_pb::EncryptedData encrypted_k1;
276 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted_k1));
278 KeyParams params2 = {"localhost", "dummy2", "dummy2"};
279 EXPECT_TRUE(cryptographer_.AddKey(params2));
280 EXPECT_TRUE(cryptographer_.is_ready());
282 sync_pb::EncryptedData encrypted_k2;
283 EXPECT_TRUE(cryptographer_.Encrypt(original, &encrypted_k2));
285 // Then construct second cryptographer and bootstrap it from the first one.
286 Cryptographer another_cryptographer(cryptographer_.encryptor());
287 std::string bootstrap_token;
288 EXPECT_TRUE(cryptographer_.GetBootstrapToken(&bootstrap_token));
289 another_cryptographer.Bootstrap(bootstrap_token);
291 // Before key installation, the second cryptographer should only be able
292 // to decrypt using the last key.
293 EXPECT_FALSE(another_cryptographer.CanDecrypt(encrypted_k1));
294 EXPECT_TRUE(another_cryptographer.CanDecrypt(encrypted_k2));
296 sync_pb::EncryptedData keys;
297 EXPECT_TRUE(cryptographer_.GetKeys(&keys));
298 ASSERT_TRUE(another_cryptographer.CanDecrypt(keys));
299 another_cryptographer.InstallKeys(keys);
301 // Verify that bootstrapped cryptographer decrypts succesfully using
302 // all the keys after key installation.
303 EXPECT_TRUE(another_cryptographer.CanDecrypt(encrypted_k1));
304 EXPECT_TRUE(another_cryptographer.CanDecrypt(encrypted_k2));
307 } // namespace syncer