search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / chrome / browser / chromeos / policy / blocking_login_browsertest.cc
blob768bb466c1be66451b8066c8218984ded68c47b7
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <string>
6 #include <vector>
7
8 #include "base/bind.h"
9 #include "base/command_line.h"
10 #include "base/run_loop.h"
11 #include "base/stl_util.h"
12 #include "chrome/browser/browser_process.h"
13 #include "chrome/browser/chrome_notification_types.h"
14 #include "chrome/browser/chromeos/login/existing_user_controller.h"
15 #include "chrome/browser/chromeos/login/test/oobe_base_test.h"
16 #include "chrome/browser/chromeos/login/ui/webui_login_display.h"
17 #include "chrome/browser/chromeos/login/wizard_controller.h"
18 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
19 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
20 #include "chrome/browser/ui/webui/chromeos/login/signin_screen_handler.h"
21 #include "chrome/common/chrome_switches.h"
22 #include "chrome/test/base/in_process_browser_test.h"
23 #include "chromeos/chromeos_switches.h"
24 #include "components/policy/core/common/cloud/device_management_service.h"
25 #include "components/policy/core/common/policy_switches.h"
26 #include "components/user_manager/user_manager.h"
27 #include "content/public/browser/notification_observer.h"
28 #include "content/public/browser/notification_registrar.h"
29 #include "content/public/browser/notification_service.h"
30 #include "content/public/test/test_utils.h"
31 #include "google_apis/gaia/gaia_switches.h"
32 #include "google_apis/gaia/gaia_urls.h"
33 #include "net/http/http_status_code.h"
34 #include "net/test/embedded_test_server/embedded_test_server.h"
35 #include "net/test/embedded_test_server/http_request.h"
36 #include "net/test/embedded_test_server/http_response.h"
37 #include "policy/proto/device_management_backend.pb.h"
38 #include "testing/gtest/include/gtest/gtest.h"
39
40 namespace chromeos {
41
42 namespace {
43
44 namespace em = enterprise_management;
45
46 const char kDomain[] = "domain.com";
47 const char kUsername[] = "user@domain.com";
48 const char kUsernameOtherDomain[] = "user@other.com";
49
50 const char kOAuthCodeCookie[] = "oauth_code=1234; Secure; HttpOnly";
51
52 const char kOAuth2TokenPairData[] =
53 "{"
54 " \"refresh_token\": \"1234\","
55 " \"access_token\": \"5678\","
56 " \"expires_in\": 3600"
57 "}";
58
59 const char kOAuth2AccessTokenData[] =
60 "{"
61 " \"access_token\": \"5678\","
62 " \"expires_in\": 3600"
63 "}";
64
65 const char kDMRegisterRequest[] = "/device_management?request=register";
66 const char kDMPolicyRequest[] = "/device_management?request=policy";
67
68 void CopyLockResult(base::RunLoop* loop,
69 policy::EnterpriseInstallAttributes::LockResult* out,
70 policy::EnterpriseInstallAttributes::LockResult result) {
71 *out = result;
72 loop->Quit();
73 }
74
75 } // namespace
76
77 struct BlockingLoginTestParam {
78 const int steps;
79 const char* username;
80 const bool enroll_device;
81 };
82
83 class BlockingLoginTest
84 : public OobeBaseTest,
85 public content::NotificationObserver,
86 public testing::WithParamInterface<BlockingLoginTestParam> {
87 public:
88 BlockingLoginTest() : profile_added_(NULL) {
89 }
90
91 void SetUpCommandLine(base::CommandLine* command_line) override {
92 OobeBaseTest::SetUpCommandLine(command_line);
93
94 command_line->AppendSwitchASCII(
95 policy::switches::kDeviceManagementUrl,
96 embedded_test_server()->GetURL("/device_management").spec());
97 }
98
99 void SetUpOnMainThread() override {
100 registrar_.Add(this,
101 chrome::NOTIFICATION_PROFILE_ADDED,
102 content::NotificationService::AllSources());
103
104 OobeBaseTest::SetUpOnMainThread();
105 }
106
107 void TearDownOnMainThread() override {
108 RunUntilIdle();
109 EXPECT_TRUE(responses_.empty());
110 STLDeleteElements(&responses_);
111 OobeBaseTest::TearDownOnMainThread();
112 }
113
114 void Observe(int type,
115 const content::NotificationSource& source,
116 const content::NotificationDetails& details) override {
117 ASSERT_EQ(chrome::NOTIFICATION_PROFILE_ADDED, type);
118 ASSERT_FALSE(profile_added_);
119 profile_added_ = content::Source<Profile>(source).ptr();
120 }
121
122 void RunUntilIdle() {
123 base::RunLoop().RunUntilIdle();
124 }
125
126 policy::BrowserPolicyConnectorChromeOS* browser_policy_connector() {
127 return g_browser_process->platform_part()
128 ->browser_policy_connector_chromeos();
129 }
130
131 void EnrollDevice(const std::string& username) {
132 base::RunLoop loop;
133 policy::EnterpriseInstallAttributes::LockResult result;
134 browser_policy_connector()->GetInstallAttributes()->LockDevice(
135 username, policy::DEVICE_MODE_ENTERPRISE, "100200300",
136 base::Bind(&CopyLockResult, &loop, &result));
137 loop.Run();
138 EXPECT_EQ(policy::EnterpriseInstallAttributes::LOCK_SUCCESS, result);
139 RunUntilIdle();
140 }
141
142 void Login(const std::string& username) {
143 content::WindowedNotificationObserver session_started_observer(
144 chrome::NOTIFICATION_SESSION_STARTED,
145 content::NotificationService::AllSources());
146
147 ExistingUserController* controller =
148 ExistingUserController::current_controller();
149 ASSERT_TRUE(controller);
150 WebUILoginDisplay* login_display =
151 static_cast<WebUILoginDisplay*>(controller->login_display());
152 ASSERT_TRUE(login_display);
153
154 login_display->ShowSigninScreenForCreds(username, "password");
155
156 // Wait for the session to start after submitting the credentials. This
157 // will wait until all the background requests are done.
158 session_started_observer.Wait();
159 }
160
161 // Handles an HTTP request sent to the test server. This handler either
162 // uses a canned response in |responses_| if the request path matches one
163 // of the URLs that we mock, otherwise this handler delegates to |fake_gaia_|.
164 scoped_ptr<net::test_server::HttpResponse> HandleRequest(
165 const net::test_server::HttpRequest& request) {
166 scoped_ptr<net::test_server::HttpResponse> response;
167
168 GaiaUrls* gaia = GaiaUrls::GetInstance();
169 if (request.relative_url == gaia->client_login_to_oauth2_url().path() ||
170 request.relative_url == gaia->oauth2_token_url().path() ||
171 request.relative_url.find(kDMRegisterRequest) == 0 ||
172 request.relative_url.find(kDMPolicyRequest) == 0) {
173 if (!responses_.empty()) {
174 response.reset(responses_.back());
175 responses_.pop_back();
176 }
177 }
178
179 return response.Pass();
180 }
181
182 // Creates a new canned response that will respond with the given HTTP
183 // status |code|. That response is appended to |responses_| and will be the
184 // next response used.
185 // Returns a reference to that response, so that it can be further customized.
186 net::test_server::BasicHttpResponse& PushResponse(net::HttpStatusCode code) {
187 net::test_server::BasicHttpResponse* response =
188 new net::test_server::BasicHttpResponse();
189 response->set_code(code);
190 responses_.push_back(response);
191 return *response;
192 }
193
194 // Returns the body of the register response from the policy server.
195 std::string GetRegisterResponse() {
196 em::DeviceManagementResponse response;
197 em::DeviceRegisterResponse* register_response =
198 response.mutable_register_response();
199 register_response->set_device_management_token("1234");
200 register_response->set_enrollment_type(
201 em::DeviceRegisterResponse::ENTERPRISE);
202 std::string data;
203 EXPECT_TRUE(response.SerializeToString(&data));
204 return data;
205 }
206
207 // Returns the body of the fetch response from the policy server.
208 std::string GetPolicyResponse() {
209 em::DeviceManagementResponse response;
210 response.mutable_policy_response()->add_response();
211 std::string data;
212 EXPECT_TRUE(response.SerializeToString(&data));
213 return data;
214 }
215
216 protected:
217 void RegisterAdditionalRequestHandlers() override {
218 embedded_test_server()->RegisterRequestHandler(
219 base::Bind(&BlockingLoginTest::HandleRequest, base::Unretained(this)));
220 }
221
222 Profile* profile_added_;
223
224 private:
225 std::vector<net::test_server::HttpResponse*> responses_;
226 content::NotificationRegistrar registrar_;
227
228 DISALLOW_COPY_AND_ASSIGN(BlockingLoginTest);
229 };
230
231 IN_PROC_BROWSER_TEST_P(BlockingLoginTest, LoginBlocksForUser) {
232 // Verify that there isn't a logged in user when the test starts.
233 user_manager::UserManager* user_manager = user_manager::UserManager::Get();
234 EXPECT_FALSE(user_manager->IsUserLoggedIn());
235 EXPECT_FALSE(browser_policy_connector()->IsEnterpriseManaged());
236 EXPECT_FALSE(profile_added_);
237
238 // Enroll the device, if enrollment is enabled for this test instance.
239 if (GetParam().enroll_device) {
240 EnrollDevice(kUsername);
241
242 EXPECT_FALSE(user_manager->IsUserLoggedIn());
243 EXPECT_TRUE(browser_policy_connector()->IsEnterpriseManaged());
244 EXPECT_EQ(kDomain, browser_policy_connector()->GetEnterpriseDomain());
245 EXPECT_FALSE(profile_added_);
246 EXPECT_EQ(policy::USER_AFFILIATION_MANAGED,
247 browser_policy_connector()->GetUserAffiliation(kUsername));
248 RunUntilIdle();
249 EXPECT_FALSE(user_manager->IsKnownUser(kUsername));
250 }
251
252 // Skip the OOBE, go to the sign-in screen, and wait for the login screen to
253 // become visible.
254 WaitForSigninScreen();
255 EXPECT_FALSE(profile_added_);
256
257 // Prepare the fake HTTP responses.
258 if (GetParam().steps < 5) {
259 // If this instance is not going to complete the entire flow successfully
260 // then the last step will fail.
261
262 // This response body is important to make the gaia fetcher skip its delayed
263 // retry behavior, which makes testing harder. If this is sent to the policy
264 // fetchers then it will make them fail too.
265 PushResponse(net::HTTP_UNAUTHORIZED).set_content("Error=AccountDeleted");
266 }
267
268 // Push a response for each step that is going to succeed, in reverse order.
269 switch (GetParam().steps) {
270 default:
271 ADD_FAILURE() << "Invalid step number: " << GetParam().steps;
272 return;
273
274 case 5:
275 PushResponse(net::HTTP_OK).set_content(GetPolicyResponse());
276
277 case 4:
278 PushResponse(net::HTTP_OK).set_content(GetRegisterResponse());
279
280 case 3:
281 PushResponse(net::HTTP_OK).set_content(kOAuth2AccessTokenData);
282
283 case 2:
284 PushResponse(net::HTTP_OK).set_content(kOAuth2TokenPairData);
285
286 case 1:
287 PushResponse(net::HTTP_OK)
288 .AddCustomHeader("Set-Cookie", kOAuthCodeCookie);
289 break;
290
291 case 0:
292 break;
293 }
294
295 // Login now. This verifies that logging in with the canned responses (which
296 // may include failures) won't be blocked due to the potential failures.
297 EXPECT_FALSE(profile_added_);
298 Login(GetParam().username);
299 EXPECT_TRUE(profile_added_);
300 ASSERT_TRUE(user_manager->IsUserLoggedIn());
301 EXPECT_TRUE(user_manager->IsCurrentUserNew());
302 }
303
304 const BlockingLoginTestParam kBlockinLoginTestCases[] = {
305 {0, kUsername, true},
306 {1, kUsername, true},
307 {2, kUsername, true},
308 {3, kUsername, true},
309 {4, kUsername, true},
310 {5, kUsername, true},
311 {0, kUsername, false},
312 {1, kUsername, false},
313 {2, kUsername, false},
314 {3, kUsername, false},
315 {4, kUsername, false},
316 {5, kUsername, false},
317 {0, kUsernameOtherDomain, true},
318 {1, kUsernameOtherDomain, true},
319 {2, kUsernameOtherDomain, true},
320 {3, kUsernameOtherDomain, true},
321 {4, kUsernameOtherDomain, true},
322 {5, kUsernameOtherDomain, true},
323 };
324
325 INSTANTIATE_TEST_CASE_P(BlockingLoginTestInstance,
326 BlockingLoginTest,
327 testing::ValuesIn(kBlockinLoginTestCases));
328
329 } // namespace chromeos