1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
10 #include "base/basictypes.h"
11 #include "base/compiler_specific.h"
12 #include "base/memory/scoped_ptr.h"
13 #include "base/message_loop/message_loop_proxy.h"
14 #include "base/run_loop.h"
15 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
16 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
17 #include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
18 #include "chrome/test/base/scoped_testing_local_state.h"
19 #include "chrome/test/base/testing_browser_process.h"
20 #include "chromeos/cryptohome/cryptohome_util.h"
21 #include "chromeos/dbus/dbus_thread_manager.h"
22 #include "chromeos/dbus/fake_cryptohome_client.h"
23 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
24 #include "content/public/test/test_utils.h"
25 #include "policy/policy_constants.h"
26 #include "policy/proto/device_management_backend.pb.h"
27 #include "testing/gtest/include/gtest/gtest.h"
29 namespace em
= enterprise_management
;
35 void CopyLockResult(base::RunLoop
* loop
,
36 EnterpriseInstallAttributes::LockResult
* out
,
37 EnterpriseInstallAttributes::LockResult result
) {
44 class DeviceCloudPolicyStoreChromeOSTest
45 : public chromeos::DeviceSettingsTestBase
{
47 DeviceCloudPolicyStoreChromeOSTest()
48 : local_state_(TestingBrowserProcess::GetGlobal()),
49 fake_cryptohome_client_(new chromeos::FakeCryptohomeClient()),
51 new EnterpriseInstallAttributes(fake_cryptohome_client_
)),
52 store_(new DeviceCloudPolicyStoreChromeOS(
53 &device_settings_service_
,
54 install_attributes_
.get(),
55 base::MessageLoopProxy::current())) {
58 void SetUp() override
{
59 DeviceSettingsTestBase::SetUp();
61 dbus_setter_
->SetCryptohomeClient(
62 scoped_ptr
<chromeos::CryptohomeClient
>(fake_cryptohome_client_
));
65 EnterpriseInstallAttributes::LockResult result
;
66 install_attributes_
->LockDevice(
67 PolicyBuilder::kFakeUsername
,
68 DEVICE_MODE_ENTERPRISE
,
69 PolicyBuilder::kFakeDeviceId
,
70 base::Bind(&CopyLockResult
, &loop
, &result
));
72 ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS
, result
);
75 void SetManagementModeAndLoad(em::PolicyData::ManagementMode mode
) {
76 device_policy_
.policy_data().set_management_mode(mode
);
77 device_policy_
.Build();
78 device_settings_test_helper_
.set_policy_blob(device_policy_
.GetBlob());
79 device_settings_service_
.Load();
80 FlushDeviceSettings();
81 EXPECT_EQ(chromeos::DeviceSettingsService::STORE_SUCCESS
,
82 device_settings_service_
.status());
85 void ExpectFailure(CloudPolicyStore::Status expected_status
) {
86 EXPECT_EQ(expected_status
, store_
->status());
87 EXPECT_TRUE(store_
->is_initialized());
88 EXPECT_FALSE(store_
->has_policy());
89 EXPECT_FALSE(store_
->is_managed());
92 void ExpectSuccessWithManagementMode(ManagementMode mode
) {
93 EXPECT_EQ(CloudPolicyStore::STATUS_OK
, store_
->status());
94 EXPECT_TRUE(store_
->is_initialized());
95 EXPECT_TRUE(store_
->has_policy());
96 EXPECT_TRUE(store_
->is_managed());
97 EXPECT_TRUE(store_
->policy());
98 EXPECT_TRUE(store_
->policy_map().empty());
100 EXPECT_EQ(mode
, GetManagementMode(*store_
->policy()));
103 void ExpectSuccess() {
104 EXPECT_EQ(CloudPolicyStore::STATUS_OK
, store_
->status());
105 EXPECT_TRUE(store_
->is_initialized());
106 EXPECT_TRUE(store_
->has_policy());
107 EXPECT_TRUE(store_
->is_managed());
108 EXPECT_TRUE(store_
->policy());
109 base::FundamentalValue
expected(false);
111 base::Value::Equals(&expected
,
112 store_
->policy_map().GetValue(
113 key::kDeviceMetricsReportingEnabled
)));
116 void PrepareExistingPolicy() {
118 FlushDeviceSettings();
121 device_policy_
.UnsetNewSigningKey();
122 device_policy_
.Build();
125 void PrepareNewSigningKey() {
126 device_policy_
.SetDefaultNewSigningKey();
127 device_policy_
.Build();
128 owner_key_util_
->SetPublicKeyFromPrivateKey(
129 *device_policy_
.GetNewSigningKey());
132 void ResetToNonEnterprise() {
134 chromeos::cryptohome_util::InstallAttributesSet("enterprise.owned",
136 install_attributes_
.reset(
137 new EnterpriseInstallAttributes(fake_cryptohome_client_
));
139 new DeviceCloudPolicyStoreChromeOS(&device_settings_service_
,
140 install_attributes_
.get(),
141 base::MessageLoopProxy::current()));
144 ScopedTestingLocalState local_state_
;
145 chromeos::FakeCryptohomeClient
* fake_cryptohome_client_
;
146 scoped_ptr
<EnterpriseInstallAttributes
> install_attributes_
;
148 scoped_ptr
<DeviceCloudPolicyStoreChromeOS
> store_
;
151 DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyStoreChromeOSTest
);
154 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, LoadNoKey
) {
155 owner_key_util_
->Clear();
157 FlushDeviceSettings();
158 ExpectFailure(CloudPolicyStore::STATUS_BAD_STATE
);
161 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, LoadNoPolicy
) {
162 device_settings_test_helper_
.set_policy_blob(std::string());
164 FlushDeviceSettings();
165 ExpectFailure(CloudPolicyStore::STATUS_LOAD_ERROR
);
168 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, LoadNotEnterprise
) {
169 ResetToNonEnterprise();
171 FlushDeviceSettings();
172 ExpectFailure(CloudPolicyStore::STATUS_BAD_STATE
);
175 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, LoadSuccess
) {
177 FlushDeviceSettings();
181 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, UpdateFromServiceOnConsumerDevices
) {
182 ResetToNonEnterprise();
184 SetManagementModeAndLoad(em::PolicyData::CONSUMER_MANAGED
);
185 ExpectSuccessWithManagementMode(MANAGEMENT_MODE_CONSUMER_MANAGED
);
187 // Unenroll from consumer management.
188 SetManagementModeAndLoad(em::PolicyData::LOCAL_OWNER
);
189 ExpectSuccessWithManagementMode(MANAGEMENT_MODE_LOCAL_OWNER
);
192 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, StoreSuccess
) {
193 PrepareExistingPolicy();
194 store_
->Store(device_policy_
.policy());
195 FlushDeviceSettings();
199 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, StoreNoSignature
) {
200 PrepareExistingPolicy();
201 device_policy_
.policy().clear_policy_data_signature();
202 store_
->Store(device_policy_
.policy());
203 FlushDeviceSettings();
204 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR
, store_
->status());
205 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE
,
206 store_
->validation_status());
209 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, StoreBadSignature
) {
210 PrepareExistingPolicy();
211 device_policy_
.policy().set_policy_data_signature("invalid");
212 store_
->Store(device_policy_
.policy());
213 FlushDeviceSettings();
214 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR
, store_
->status());
215 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE
,
216 store_
->validation_status());
219 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, StoreKeyRotation
) {
220 PrepareExistingPolicy();
221 device_policy_
.SetDefaultNewSigningKey();
222 device_policy_
.Build();
223 store_
->Store(device_policy_
.policy());
224 content::RunAllBlockingPoolTasksUntilIdle();
225 device_settings_test_helper_
.FlushStore();
226 owner_key_util_
->SetPublicKeyFromPrivateKey(
227 *device_policy_
.GetNewSigningKey());
228 ReloadDeviceSettings();
232 TEST_F(DeviceCloudPolicyStoreChromeOSTest
,
233 StoreKeyRotationVerificationFailure
) {
234 PrepareExistingPolicy();
235 device_policy_
.SetDefaultNewSigningKey();
236 device_policy_
.Build();
237 *device_policy_
.policy().mutable_new_public_key_verification_signature() =
239 store_
->Store(device_policy_
.policy());
240 FlushDeviceSettings();
241 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR
, store_
->status());
242 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE
,
243 store_
->validation_status());
246 TEST_F(DeviceCloudPolicyStoreChromeOSTest
,
247 StoreKeyRotationMissingSignatureFailure
) {
248 PrepareExistingPolicy();
249 device_policy_
.SetDefaultNewSigningKey();
250 device_policy_
.Build();
251 device_policy_
.policy().clear_new_public_key_verification_signature();
252 store_
->Store(device_policy_
.policy());
253 FlushDeviceSettings();
254 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR
, store_
->status());
255 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE
,
256 store_
->validation_status());
259 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, InstallInitialPolicySuccess
) {
260 PrepareNewSigningKey();
261 store_
->InstallInitialPolicy(device_policy_
.policy());
262 FlushDeviceSettings();
266 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, InstallInitialPolicyNoSignature
) {
267 PrepareNewSigningKey();
268 device_policy_
.policy().clear_policy_data_signature();
269 store_
->InstallInitialPolicy(device_policy_
.policy());
270 FlushDeviceSettings();
271 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR
);
272 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE
,
273 store_
->validation_status());
276 TEST_F(DeviceCloudPolicyStoreChromeOSTest
,
277 InstallInitialPolicyVerificationFailure
) {
278 PrepareNewSigningKey();
279 *device_policy_
.policy().mutable_new_public_key_verification_signature() =
281 store_
->InstallInitialPolicy(device_policy_
.policy());
282 FlushDeviceSettings();
283 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR
);
284 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE
,
285 store_
->validation_status());
288 TEST_F(DeviceCloudPolicyStoreChromeOSTest
,
289 InstallInitialPolicyMissingSignatureFailure
) {
290 PrepareNewSigningKey();
291 device_policy_
.policy().clear_new_public_key_verification_signature();
292 store_
->InstallInitialPolicy(device_policy_
.policy());
293 FlushDeviceSettings();
294 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR
);
295 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE
,
296 store_
->validation_status());
299 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, InstallInitialPolicyNoKey
) {
300 PrepareNewSigningKey();
301 device_policy_
.policy().clear_new_public_key();
302 store_
->InstallInitialPolicy(device_policy_
.policy());
303 FlushDeviceSettings();
304 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR
);
305 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE
,
306 store_
->validation_status());
309 TEST_F(DeviceCloudPolicyStoreChromeOSTest
, InstallInitialPolicyNotEnterprise
) {
310 PrepareNewSigningKey();
311 ResetToNonEnterprise();
312 store_
->InstallInitialPolicy(device_policy_
.policy());
313 FlushDeviceSettings();
314 ExpectFailure(CloudPolicyStore::STATUS_BAD_STATE
);
317 } // namespace policy
