chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/bind.h"
   6 #include "base/bind_helpers.h"
   7 #include "base/callback.h"
   8 #include "base/files/file_path.h"
   9 #include "base/memory/scoped_ptr.h"
  10 #include "base/run_loop.h"
  11 #include "base/values.h"
  12 #include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
  13 #include "chrome/browser/chromeos/policy/user_network_configuration_updater.h"
  14 #include "chrome/browser/chromeos/settings/cros_settings.h"
  15 #include "chrome/browser/chromeos/settings/device_settings_service.h"
  16 #include "chrome/browser/chromeos/settings/stub_cros_settings_provider.h"
  17 #include "chrome/test/base/testing_profile.h"
  18 #include "chromeos/network/fake_network_device_handler.h"
  19 #include "chromeos/network/mock_managed_network_configuration_handler.h"
  20 #include "chromeos/network/onc/onc_certificate_importer.h"
  21 #include "chromeos/network/onc/onc_test_utils.h"
  22 #include "chromeos/network/onc/onc_utils.h"
  23 #include "components/onc/onc_constants.h"
  24 #include "components/policy/core/common/external_data_fetcher.h"
  25 #include "components/policy/core/common/mock_configuration_policy_provider.h"
  26 #include "components/policy/core/common/policy_map.h"
  27 #include "components/policy/core/common/policy_service_impl.h"
  28 #include "components/user_manager/user.h"
  29 #include "components/user_manager/user_type.h"
  30 #include "content/public/test/test_browser_thread_bundle.h"
  31 #include "content/public/test/test_utils.h"
  32 #include "net/base/test_data_directory.h"
  33 #include "net/cert/x509_certificate.h"
  34 #include "net/test/cert_test_util.h"
  35 #include "policy/policy_constants.h"
  36 #include "testing/gmock/include/gmock/gmock.h"
  37 #include "testing/gtest/include/gtest/gtest.h"
  38
  39 using testing::AnyNumber;
  40 using testing::AtLeast;
  41 using testing::Mock;
  42 using testing::Ne;
  43 using testing::Return;
  44 using testing::StrictMock;
  45 using testing::_;
  46
  47 namespace policy {
  48
  49 namespace {
  50
  51 const char kFakeUserEmail[] = "fake email";
  52 const char kFakeUsernameHash[] = "fake hash";
  53
  54 class FakeUser : public user_manager::User {
  55  public:
  56   FakeUser() : User(kFakeUserEmail) {
  57     set_display_email(kFakeUserEmail);
  58     set_username_hash(kFakeUsernameHash);
  59   }
  60   ~FakeUser() override {}
  61
  62   // User overrides
  63   user_manager::UserType GetType() const override {
  64     return user_manager::USER_TYPE_REGULAR;
  65   }
  66
  67  private:
  68   DISALLOW_COPY_AND_ASSIGN(FakeUser);
  69 };
  70
  71 class FakeWebTrustedCertsObserver
  72     : public UserNetworkConfigurationUpdater::WebTrustedCertsObserver {
  73  public:
  74   FakeWebTrustedCertsObserver() {}
  75
  76   void OnTrustAnchorsChanged(
  77       const net::CertificateList& trust_anchors) override {
  78     trust_anchors_ = trust_anchors;
  79   }
  80   net::CertificateList trust_anchors_;
  81
  82  private:
  83   DISALLOW_COPY_AND_ASSIGN(FakeWebTrustedCertsObserver);
  84 };
  85
  86 class FakeNetworkDeviceHandler : public chromeos::FakeNetworkDeviceHandler {
  87  public:
  88   FakeNetworkDeviceHandler() : allow_roaming_(false) {}
  89
  90   void SetCellularAllowRoaming(bool allow_roaming) override {
  91     allow_roaming_ = allow_roaming;
  92   }
  93
  94   bool allow_roaming_;
  95
  96  private:
  97   DISALLOW_COPY_AND_ASSIGN(FakeNetworkDeviceHandler);
  98 };
  99
 100 class FakeCertificateImporter : public chromeos::onc::CertificateImporter {
 101  public:
 102   FakeCertificateImporter()
 103       : expected_onc_source_(::onc::ONC_SOURCE_UNKNOWN), call_count_(0) {}
 104   ~FakeCertificateImporter() override {}
 105
 106   void SetTrustedCertificatesResult(
 107       net::CertificateList onc_trusted_certificates) {
 108     onc_trusted_certificates_ = onc_trusted_certificates;
 109   }
 110
 111   void SetExpectedONCCertificates(const base::ListValue& certificates) {
 112     expected_onc_certificates_.reset(certificates.DeepCopy());
 113   }
 114
 115   void SetExpectedONCSource(::onc::ONCSource source) {
 116     expected_onc_source_ = source;
 117   }
 118
 119   unsigned int GetAndResetImportCount() {
 120     unsigned int count = call_count_;
 121     call_count_ = 0;
 122     return count;
 123   }
 124
 125   void ImportCertificates(const base::ListValue& certificates,
 126                           ::onc::ONCSource source,
 127                           const DoneCallback& done_callback) override {
 128     if (expected_onc_source_ != ::onc::ONC_SOURCE_UNKNOWN)
 129       EXPECT_EQ(expected_onc_source_, source);
 130     if (expected_onc_certificates_) {
 131       EXPECT_TRUE(chromeos::onc::test_utils::Equals(
 132           expected_onc_certificates_.get(), &certificates));
 133     }
 134     ++call_count_;
 135     done_callback.Run(true, onc_trusted_certificates_);
 136   }
 137
 138  private:
 139   ::onc::ONCSource expected_onc_source_;
 140   scoped_ptr<base::ListValue> expected_onc_certificates_;
 141   net::CertificateList onc_trusted_certificates_;
 142   unsigned int call_count_;
 143
 144   DISALLOW_COPY_AND_ASSIGN(FakeCertificateImporter);
 145 };
 146
 147 const char kFakeONC[] =
 148     "{ \"NetworkConfigurations\": ["
 149     "    { \"GUID\": \"{485d6076-dd44-6b6d-69787465725f5040}\","
 150     "      \"Type\": \"WiFi\","
 151     "      \"Name\": \"My WiFi Network\","
 152     "      \"WiFi\": {"
 153     "        \"HexSSID\": \"737369642D6E6F6E65\","  // "ssid-none"
 154     "        \"Security\": \"None\" }"
 155     "    }"
 156     "  ],"
 157     "  \"GlobalNetworkConfiguration\": {"
 158     "    \"AllowOnlyPolicyNetworksToAutoconnect\": true,"
 159     "  },"
 160     "  \"Certificates\": ["
 161     "    { \"GUID\": \"{f998f760-272b-6939-4c2beffe428697ac}\","
 162     "      \"PKCS12\": \"abc\","
 163     "      \"Type\": \"Client\" }"
 164     "  ],"
 165     "  \"Type\": \"UnencryptedConfiguration\""
 166     "}";
 167
 168 std::string ValueToString(const base::Value& value) {
 169   std::stringstream str;
 170   str << value;
 171   return str.str();
 172 }
 173
 174 void AppendAll(const base::ListValue& from, base::ListValue* to) {
 175   for (base::ListValue::const_iterator it = from.begin(); it != from.end();
 176        ++it) {
 177     to->Append((*it)->DeepCopy());
 178   }
 179 }
 180
 181 // Matcher to match base::Value.
 182 MATCHER_P(IsEqualTo,
 183           value,
 184           std::string(negation ? "isn't" : "is") + " equal to " +
 185               ValueToString(*value)) {
 186   return value->Equals(&arg);
 187 }
 188
 189 MATCHER(IsEmpty, std::string(negation ? "isn't" : "is") + " empty.") {
 190   return arg.empty();
 191 }
 192
 193 ACTION_P(SetCertificateList, list) {
 194   if (arg2)
 195     *arg2 = list;
 196   return true;
 197 }
 198
 199 }  // namespace
 200
 201 class NetworkConfigurationUpdaterTest : public testing::Test {
 202  protected:
 203   NetworkConfigurationUpdaterTest() : certificate_importer_(NULL) {}
 204
 205   virtual void SetUp() override {
 206     EXPECT_CALL(provider_, IsInitializationComplete(_))
 207         .WillRepeatedly(Return(false));
 208     provider_.Init();
 209     PolicyServiceImpl::Providers providers;
 210     providers.push_back(&provider_);
 211     policy_service_.reset(new PolicyServiceImpl(providers));
 212
 213     scoped_ptr<base::DictionaryValue> fake_toplevel_onc =
 214         chromeos::onc::ReadDictionaryFromJson(kFakeONC);
 215
 216     base::ListValue* network_configs = NULL;
 217     fake_toplevel_onc->GetListWithoutPathExpansion(
 218         onc::toplevel_config::kNetworkConfigurations, &network_configs);
 219     AppendAll(*network_configs, &fake_network_configs_);
 220
 221     base::DictionaryValue* global_config = NULL;
 222     fake_toplevel_onc->GetDictionaryWithoutPathExpansion(
 223         onc::toplevel_config::kGlobalNetworkConfiguration, &global_config);
 224     fake_global_network_config_.MergeDictionary(global_config);
 225
 226     base::ListValue* certs = NULL;
 227     fake_toplevel_onc->GetListWithoutPathExpansion(
 228         onc::toplevel_config::kCertificates, &certs);
 229     AppendAll(*certs, &fake_certificates_);
 230
 231     certificate_importer_ = new FakeCertificateImporter;
 232     certificate_importer_owned_.reset(certificate_importer_);
 233   }
 234
 235   virtual void TearDown() override {
 236     network_configuration_updater_.reset();
 237     provider_.Shutdown();
 238     base::RunLoop().RunUntilIdle();
 239   }
 240
 241   void MarkPolicyProviderInitialized() {
 242     Mock::VerifyAndClearExpectations(&provider_);
 243     EXPECT_CALL(provider_, IsInitializationComplete(_))
 244         .WillRepeatedly(Return(true));
 245     provider_.SetAutoRefresh();
 246     provider_.RefreshPolicies();
 247     base::RunLoop().RunUntilIdle();
 248   }
 249
 250   void UpdateProviderPolicy(const PolicyMap& policy) {
 251     provider_.UpdateChromePolicy(policy);
 252     base::RunLoop().RunUntilIdle();
 253   }
 254
 255   UserNetworkConfigurationUpdater*
 256   CreateNetworkConfigurationUpdaterForUserPolicy(
 257       bool allow_trusted_certs_from_policy,
 258       bool set_cert_importer) {
 259     UserNetworkConfigurationUpdater* updater =
 260         UserNetworkConfigurationUpdater::CreateForUserPolicy(
 261             &profile_,
 262             allow_trusted_certs_from_policy,
 263             fake_user_,
 264             policy_service_.get(),
 265             &network_config_handler_).release();
 266     if (set_cert_importer) {
 267       EXPECT_TRUE(certificate_importer_owned_);
 268       updater->SetCertificateImporterForTest(
 269           certificate_importer_owned_.Pass());
 270     }
 271     network_configuration_updater_.reset(updater);
 272     return updater;
 273   }
 274
 275   void CreateNetworkConfigurationUpdaterForDevicePolicy() {
 276     network_configuration_updater_ =
 277         DeviceNetworkConfigurationUpdater::CreateForDevicePolicy(
 278             policy_service_.get(),
 279             &network_config_handler_,
 280             &network_device_handler_,
 281             chromeos::CrosSettings::Get());
 282   }
 283
 284   base::ListValue fake_network_configs_;
 285   base::DictionaryValue fake_global_network_config_;
 286   base::ListValue fake_certificates_;
 287   StrictMock<chromeos::MockManagedNetworkConfigurationHandler>
 288       network_config_handler_;
 289   FakeNetworkDeviceHandler network_device_handler_;
 290
 291   // Not used directly. Required for CrosSettings.
 292   chromeos::ScopedTestDeviceSettingsService scoped_device_settings_service_;
 293   chromeos::ScopedTestCrosSettings scoped_cros_settings_;
 294
 295   // Ownership of certificate_importer_owned_ is passed to the
 296   // NetworkConfigurationUpdater. When that happens, |certificate_importer_|
 297   // continues to point to that instance but |certificate_importer_owned_| is
 298   // released.
 299   FakeCertificateImporter* certificate_importer_;
 300   scoped_ptr<chromeos::onc::CertificateImporter> certificate_importer_owned_;
 301
 302   StrictMock<MockConfigurationPolicyProvider> provider_;
 303   scoped_ptr<PolicyServiceImpl> policy_service_;
 304   FakeUser fake_user_;
 305
 306   TestingProfile profile_;
 307
 308   scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
 309   content::TestBrowserThreadBundle thread_bundle_;
 310 };
 311
 312 TEST_F(NetworkConfigurationUpdaterTest, CellularAllowRoaming) {
 313   // Ignore network config updates.
 314   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
 315
 316   // Setup the DataRoaming device setting.
 317   chromeos::CrosSettings* cros_settings = chromeos::CrosSettings::Get();
 318   chromeos::CrosSettingsProvider* device_settings_provider =
 319       cros_settings->GetProvider(chromeos::kSignedDataRoamingEnabled);
 320   cros_settings->RemoveSettingsProvider(device_settings_provider);
 321   delete device_settings_provider;
 322   chromeos::StubCrosSettingsProvider* stub_settings_provider =
 323       new chromeos::StubCrosSettingsProvider;
 324   cros_settings->AddSettingsProvider(stub_settings_provider);
 325
 326   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
 327                                      base::FundamentalValue(false));
 328   EXPECT_FALSE(network_device_handler_.allow_roaming_);
 329
 330   CreateNetworkConfigurationUpdaterForDevicePolicy();
 331   MarkPolicyProviderInitialized();
 332   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
 333                                      base::FundamentalValue(true));
 334   EXPECT_TRUE(network_device_handler_.allow_roaming_);
 335
 336   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
 337                                      base::FundamentalValue(false));
 338   EXPECT_FALSE(network_device_handler_.allow_roaming_);
 339 }
 340
 341 TEST_F(NetworkConfigurationUpdaterTest, PolicyIsValidatedAndRepaired) {
 342   scoped_ptr<base::DictionaryValue> onc_repaired =
 343       chromeos::onc::test_utils::ReadTestDictionary(
 344           "repaired_toplevel_partially_invalid.onc");
 345
 346   base::ListValue* network_configs_repaired = NULL;
 347   onc_repaired->GetListWithoutPathExpansion(
 348       onc::toplevel_config::kNetworkConfigurations, &network_configs_repaired);
 349   ASSERT_TRUE(network_configs_repaired);
 350
 351   base::DictionaryValue* global_config_repaired = NULL;
 352   onc_repaired->GetDictionaryWithoutPathExpansion(
 353       onc::toplevel_config::kGlobalNetworkConfiguration,
 354       &global_config_repaired);
 355   ASSERT_TRUE(global_config_repaired);
 356
 357   std::string onc_policy =
 358       chromeos::onc::test_utils::ReadTestData("toplevel_partially_invalid.onc");
 359   PolicyMap policy;
 360   policy.Set(key::kOpenNetworkConfiguration,
 361              POLICY_LEVEL_MANDATORY,
 362              POLICY_SCOPE_USER,
 363              new base::StringValue(onc_policy),
 364              NULL);
 365   UpdateProviderPolicy(policy);
 366
 367   EXPECT_CALL(network_config_handler_,
 368               SetPolicy(onc::ONC_SOURCE_USER_POLICY,
 369                         _,
 370                         IsEqualTo(network_configs_repaired),
 371                         IsEqualTo(global_config_repaired)));
 372   certificate_importer_->SetExpectedONCSource(onc::ONC_SOURCE_USER_POLICY);
 373
 374   CreateNetworkConfigurationUpdaterForUserPolicy(
 375       false /* do not allow trusted certs from policy */,
 376       true /* set certificate importer */);
 377   MarkPolicyProviderInitialized();
 378   EXPECT_EQ(1u, certificate_importer_->GetAndResetImportCount());
 379 }
 380
 381 TEST_F(NetworkConfigurationUpdaterTest,
 382        DoNotAllowTrustedCertificatesFromPolicy) {
 383   net::CertificateList cert_list;
 384   cert_list =
 385       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
 386                                          "ok_cert.pem",
 387                                          net::X509Certificate::FORMAT_AUTO);
 388   ASSERT_EQ(1u, cert_list.size());
 389
 390   EXPECT_CALL(network_config_handler_,
 391               SetPolicy(onc::ONC_SOURCE_USER_POLICY, _, _, _));
 392   certificate_importer_->SetTrustedCertificatesResult(cert_list);
 393
 394   UserNetworkConfigurationUpdater* updater =
 395       CreateNetworkConfigurationUpdaterForUserPolicy(
 396           false /* do not allow trusted certs from policy */,
 397           true /* set certificate importer */);
 398   MarkPolicyProviderInitialized();
 399
 400   // Certificates with the "Web" trust flag set should not be forwarded to
 401   // observers.
 402   FakeWebTrustedCertsObserver observer;
 403   updater->AddTrustedCertsObserver(&observer);
 404
 405   base::RunLoop().RunUntilIdle();
 406
 407   net::CertificateList trust_anchors;
 408   updater->GetWebTrustedCertificates(&trust_anchors);
 409   EXPECT_TRUE(trust_anchors.empty());
 410
 411   EXPECT_TRUE(observer.trust_anchors_.empty());
 412   updater->RemoveTrustedCertsObserver(&observer);
 413 }
 414
 415 TEST_F(NetworkConfigurationUpdaterTest,
 416        AllowTrustedCertificatesFromPolicyInitially) {
 417   // Ignore network configuration changes.
 418   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
 419       .Times(AnyNumber());
 420
 421   net::CertificateList cert_list;
 422   cert_list =
 423       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
 424                                          "ok_cert.pem",
 425                                          net::X509Certificate::FORMAT_AUTO);
 426   ASSERT_EQ(1u, cert_list.size());
 427
 428   certificate_importer_->SetExpectedONCSource(onc::ONC_SOURCE_USER_POLICY);
 429   certificate_importer_->SetTrustedCertificatesResult(cert_list);
 430
 431   UserNetworkConfigurationUpdater* updater =
 432       CreateNetworkConfigurationUpdaterForUserPolicy(
 433           true /* allow trusted certs from policy */,
 434           true /* set certificate importer */);
 435   MarkPolicyProviderInitialized();
 436
 437   base::RunLoop().RunUntilIdle();
 438
 439   // Certificates with the "Web" trust flag set will be returned.
 440   net::CertificateList trust_anchors;
 441   updater->GetWebTrustedCertificates(&trust_anchors);
 442   EXPECT_EQ(1u, trust_anchors.size());
 443 }
 444
 445 TEST_F(NetworkConfigurationUpdaterTest,
 446        AllowTrustedCertificatesFromPolicyOnUpdate) {
 447   // Ignore network configuration changes.
 448   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
 449       .Times(AnyNumber());
 450
 451   // Start with an empty certificate list.
 452   UserNetworkConfigurationUpdater* updater =
 453       CreateNetworkConfigurationUpdaterForUserPolicy(
 454           true /* allow trusted certs from policy */,
 455           true /* set certificate importer */);
 456   MarkPolicyProviderInitialized();
 457
 458   FakeWebTrustedCertsObserver observer;
 459   updater->AddTrustedCertsObserver(&observer);
 460
 461   base::RunLoop().RunUntilIdle();
 462
 463   // Verify that the returned certificate list is empty.
 464   {
 465     net::CertificateList trust_anchors;
 466     updater->GetWebTrustedCertificates(&trust_anchors);
 467     EXPECT_TRUE(trust_anchors.empty());
 468   }
 469   EXPECT_TRUE(observer.trust_anchors_.empty());
 470
 471   // Now use a non-empty certificate list to test the observer notification.
 472   net::CertificateList cert_list;
 473   cert_list =
 474       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
 475                                          "ok_cert.pem",
 476                                          net::X509Certificate::FORMAT_AUTO);
 477   ASSERT_EQ(1u, cert_list.size());
 478   certificate_importer_->SetTrustedCertificatesResult(cert_list);
 479
 480   // Change to any non-empty policy, so that updates are triggered. The actual
 481   // content of the policy is irrelevant.
 482   PolicyMap policy;
 483   policy.Set(key::kOpenNetworkConfiguration,
 484              POLICY_LEVEL_MANDATORY,
 485              POLICY_SCOPE_USER,
 486              new base::StringValue(kFakeONC),
 487              NULL);
 488   UpdateProviderPolicy(policy);
 489   base::RunLoop().RunUntilIdle();
 490
 491   // Certificates with the "Web" trust flag set will be returned and forwarded
 492   // to observers.
 493   {
 494     net::CertificateList trust_anchors;
 495     updater->GetWebTrustedCertificates(&trust_anchors);
 496     EXPECT_EQ(1u, trust_anchors.size());
 497   }
 498   EXPECT_EQ(1u, observer.trust_anchors_.size());
 499
 500   updater->RemoveTrustedCertsObserver(&observer);
 501 }
 502
 503 TEST_F(NetworkConfigurationUpdaterTest,
 504        DontImportCertificateBeforeCertificateImporterSet) {
 505   PolicyMap policy;
 506   policy.Set(key::kOpenNetworkConfiguration, POLICY_LEVEL_MANDATORY,
 507              POLICY_SCOPE_USER, new base::StringValue(kFakeONC), NULL);
 508   UpdateProviderPolicy(policy);
 509
 510   EXPECT_CALL(network_config_handler_,
 511               SetPolicy(onc::ONC_SOURCE_USER_POLICY,
 512                         kFakeUsernameHash,
 513                         IsEqualTo(&fake_network_configs_),
 514                         IsEqualTo(&fake_global_network_config_)));
 515
 516   UserNetworkConfigurationUpdater* updater =
 517       CreateNetworkConfigurationUpdaterForUserPolicy(
 518           true /* allow trusted certs from policy */,
 519           false /* do not set certificate importer */);
 520   MarkPolicyProviderInitialized();
 521
 522   Mock::VerifyAndClearExpectations(&network_config_handler_);
 523   EXPECT_EQ(0u, certificate_importer_->GetAndResetImportCount());
 524
 525   certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
 526   certificate_importer_->SetExpectedONCSource(onc::ONC_SOURCE_USER_POLICY);
 527
 528   ASSERT_TRUE(certificate_importer_owned_);
 529   updater->SetCertificateImporterForTest(certificate_importer_owned_.Pass());
 530   EXPECT_EQ(1u, certificate_importer_->GetAndResetImportCount());
 531 }
 532
 533 class NetworkConfigurationUpdaterTestWithParam
 534     : public NetworkConfigurationUpdaterTest,
 535       public testing::WithParamInterface<const char*> {
 536  protected:
 537   // Returns the currently tested ONC source.
 538   onc::ONCSource CurrentONCSource() {
 539     if (GetParam() == key::kOpenNetworkConfiguration)
 540       return onc::ONC_SOURCE_USER_POLICY;
 541     DCHECK(GetParam() == key::kDeviceOpenNetworkConfiguration);
 542     return onc::ONC_SOURCE_DEVICE_POLICY;
 543   }
 544
 545   // Returns the expected username hash to push policies to
 546   // ManagedNetworkConfigurationHandler.
 547   std::string ExpectedUsernameHash() {
 548     if (GetParam() == key::kOpenNetworkConfiguration)
 549       return kFakeUsernameHash;
 550     return std::string();
 551   }
 552
 553   size_t ExpectedImportCertificatesCallCount() {
 554     if (GetParam() == key::kOpenNetworkConfiguration)
 555       return 1u;
 556     return 0u;
 557   }
 558
 559   void CreateNetworkConfigurationUpdater() {
 560     if (GetParam() == key::kOpenNetworkConfiguration) {
 561       CreateNetworkConfigurationUpdaterForUserPolicy(
 562           false /* do not allow trusted certs from policy */,
 563           true /* set certificate importer */);
 564     } else {
 565       CreateNetworkConfigurationUpdaterForDevicePolicy();
 566     }
 567   }
 568 };
 569
 570 TEST_P(NetworkConfigurationUpdaterTestWithParam, InitialUpdates) {
 571   PolicyMap policy;
 572   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 573              new base::StringValue(kFakeONC), NULL);
 574   UpdateProviderPolicy(policy);
 575
 576   EXPECT_CALL(network_config_handler_,
 577               SetPolicy(CurrentONCSource(),
 578                         ExpectedUsernameHash(),
 579                         IsEqualTo(&fake_network_configs_),
 580                         IsEqualTo(&fake_global_network_config_)));
 581   certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
 582   certificate_importer_->SetExpectedONCSource(CurrentONCSource());
 583
 584   CreateNetworkConfigurationUpdater();
 585   MarkPolicyProviderInitialized();
 586   EXPECT_EQ(ExpectedImportCertificatesCallCount(),
 587             certificate_importer_->GetAndResetImportCount());
 588 }
 589
 590 TEST_P(NetworkConfigurationUpdaterTestWithParam,
 591        PolicyNotSetBeforePolicyProviderInitialized) {
 592   PolicyMap policy;
 593   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 594              new base::StringValue(kFakeONC), NULL);
 595   UpdateProviderPolicy(policy);
 596
 597   CreateNetworkConfigurationUpdater();
 598
 599   Mock::VerifyAndClearExpectations(&network_config_handler_);
 600   EXPECT_EQ(0u, certificate_importer_->GetAndResetImportCount());
 601
 602   EXPECT_CALL(network_config_handler_,
 603               SetPolicy(CurrentONCSource(),
 604                         ExpectedUsernameHash(),
 605                         IsEqualTo(&fake_network_configs_),
 606                         IsEqualTo(&fake_global_network_config_)));
 607   certificate_importer_->SetExpectedONCSource(CurrentONCSource());
 608   certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
 609
 610   MarkPolicyProviderInitialized();
 611   EXPECT_EQ(ExpectedImportCertificatesCallCount(),
 612             certificate_importer_->GetAndResetImportCount());
 613 }
 614
 615 TEST_P(NetworkConfigurationUpdaterTestWithParam,
 616        PolicyAppliedImmediatelyIfProvidersInitialized) {
 617   MarkPolicyProviderInitialized();
 618
 619   PolicyMap policy;
 620   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 621              new base::StringValue(kFakeONC), NULL);
 622   UpdateProviderPolicy(policy);
 623
 624   EXPECT_CALL(network_config_handler_,
 625               SetPolicy(CurrentONCSource(),
 626                         ExpectedUsernameHash(),
 627                         IsEqualTo(&fake_network_configs_),
 628                         IsEqualTo(&fake_global_network_config_)));
 629   certificate_importer_->SetExpectedONCSource(CurrentONCSource());
 630   certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
 631
 632   CreateNetworkConfigurationUpdater();
 633
 634   EXPECT_EQ(ExpectedImportCertificatesCallCount(),
 635             certificate_importer_->GetAndResetImportCount());
 636 }
 637
 638 TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
 639   // Ignore the initial updates.
 640   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
 641
 642   CreateNetworkConfigurationUpdater();
 643   MarkPolicyProviderInitialized();
 644
 645   Mock::VerifyAndClearExpectations(&network_config_handler_);
 646   EXPECT_LE(ExpectedImportCertificatesCallCount(),
 647             certificate_importer_->GetAndResetImportCount());
 648
 649   // The Updater should update if policy changes.
 650   EXPECT_CALL(network_config_handler_,
 651               SetPolicy(CurrentONCSource(),
 652                         _,
 653                         IsEqualTo(&fake_network_configs_),
 654                         IsEqualTo(&fake_global_network_config_)));
 655   certificate_importer_->SetExpectedONCSource(CurrentONCSource());
 656   certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
 657
 658   PolicyMap policy;
 659   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 660              new base::StringValue(kFakeONC), NULL);
 661   UpdateProviderPolicy(policy);
 662   Mock::VerifyAndClearExpectations(&network_config_handler_);
 663   EXPECT_EQ(ExpectedImportCertificatesCallCount(),
 664             certificate_importer_->GetAndResetImportCount());
 665
 666   // Another update is expected if the policy goes away.
 667   EXPECT_CALL(network_config_handler_,
 668               SetPolicy(CurrentONCSource(), _, IsEmpty(), IsEmpty()));
 669   certificate_importer_->SetExpectedONCCertificates(base::ListValue());
 670
 671   policy.Erase(GetParam());
 672   UpdateProviderPolicy(policy);
 673   EXPECT_EQ(ExpectedImportCertificatesCallCount(),
 674             certificate_importer_->GetAndResetImportCount());
 675 }
 676
 677 INSTANTIATE_TEST_CASE_P(NetworkConfigurationUpdaterTestWithParamInstance,
 678                         NetworkConfigurationUpdaterTestWithParam,
 679                         testing::Values(key::kDeviceOpenNetworkConfiguration,
 680                                         key::kOpenNetworkConfiguration));
 681
 682 }  // namespace policy