search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / chrome / browser / chromeos / policy / network_configuration_updater_unittest.cc
blob8f75d38544ba1c9afee93274981b6c57ecadcb50
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/bind.h"
6 #include "base/bind_helpers.h"
7 #include "base/callback.h"
8 #include "base/files/file_path.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "base/run_loop.h"
11 #include "base/values.h"
12 #include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
13 #include "chrome/browser/chromeos/policy/user_network_configuration_updater.h"
14 #include "chrome/browser/chromeos/settings/cros_settings.h"
15 #include "chrome/browser/chromeos/settings/scoped_cros_settings_test_helper.h"
16 #include "chrome/test/base/testing_profile.h"
17 #include "chromeos/network/fake_network_device_handler.h"
18 #include "chromeos/network/mock_managed_network_configuration_handler.h"
19 #include "chromeos/network/onc/onc_certificate_importer.h"
20 #include "chromeos/network/onc/onc_test_utils.h"
21 #include "chromeos/network/onc/onc_utils.h"
22 #include "components/onc/onc_constants.h"
23 #include "components/policy/core/common/external_data_fetcher.h"
24 #include "components/policy/core/common/mock_configuration_policy_provider.h"
25 #include "components/policy/core/common/policy_map.h"
26 #include "components/policy/core/common/policy_service_impl.h"
27 #include "components/policy/core/common/policy_types.h"
28 #include "components/user_manager/user.h"
29 #include "components/user_manager/user_type.h"
30 #include "content/public/test/test_browser_thread_bundle.h"
31 #include "content/public/test/test_utils.h"
32 #include "net/base/test_data_directory.h"
33 #include "net/cert/x509_certificate.h"
34 #include "net/test/cert_test_util.h"
35 #include "policy/policy_constants.h"
36 #include "testing/gmock/include/gmock/gmock.h"
37 #include "testing/gtest/include/gtest/gtest.h"
38
39 using testing::AnyNumber;
40 using testing::AtLeast;
41 using testing::Mock;
42 using testing::Ne;
43 using testing::Return;
44 using testing::StrictMock;
45 using testing::_;
46
47 namespace policy {
48
49 namespace {
50
51 const char kFakeUserEmail[] = "fake email";
52 const char kFakeUsernameHash[] = "fake hash";
53
54 class FakeUser : public user_manager::User {
55 public:
56 FakeUser() : User(kFakeUserEmail) {
57 set_display_email(kFakeUserEmail);
58 set_username_hash(kFakeUsernameHash);
59 }
60 ~FakeUser() override {}
61
62 // User overrides
63 user_manager::UserType GetType() const override {
64 return user_manager::USER_TYPE_REGULAR;
65 }
66
67 private:
68 DISALLOW_COPY_AND_ASSIGN(FakeUser);
69 };
70
71 class FakeWebTrustedCertsObserver
72 : public UserNetworkConfigurationUpdater::WebTrustedCertsObserver {
73 public:
74 FakeWebTrustedCertsObserver() {}
75
76 void OnTrustAnchorsChanged(
77 const net::CertificateList& trust_anchors) override {
78 trust_anchors_ = trust_anchors;
79 }
80 net::CertificateList trust_anchors_;
81
82 private:
83 DISALLOW_COPY_AND_ASSIGN(FakeWebTrustedCertsObserver);
84 };
85
86 class FakeNetworkDeviceHandler : public chromeos::FakeNetworkDeviceHandler {
87 public:
88 FakeNetworkDeviceHandler() : allow_roaming_(false) {}
89
90 void SetCellularAllowRoaming(bool allow_roaming) override {
91 allow_roaming_ = allow_roaming;
92 }
93
94 bool allow_roaming_;
95
96 private:
97 DISALLOW_COPY_AND_ASSIGN(FakeNetworkDeviceHandler);
98 };
99
100 class FakeCertificateImporter : public chromeos::onc::CertificateImporter {
101 public:
102 FakeCertificateImporter()
103 : expected_onc_source_(::onc::ONC_SOURCE_UNKNOWN), call_count_(0) {}
104 ~FakeCertificateImporter() override {}
105
106 void SetTrustedCertificatesResult(
107 net::CertificateList onc_trusted_certificates) {
108 onc_trusted_certificates_ = onc_trusted_certificates;
109 }
110
111 void SetExpectedONCCertificates(const base::ListValue& certificates) {
112 expected_onc_certificates_.reset(certificates.DeepCopy());
113 }
114
115 void SetExpectedONCSource(::onc::ONCSource source) {
116 expected_onc_source_ = source;
117 }
118
119 unsigned int GetAndResetImportCount() {
120 unsigned int count = call_count_;
121 call_count_ = 0;
122 return count;
123 }
124
125 void ImportCertificates(const base::ListValue& certificates,
126 ::onc::ONCSource source,
127 const DoneCallback& done_callback) override {
128 if (expected_onc_source_ != ::onc::ONC_SOURCE_UNKNOWN)
129 EXPECT_EQ(expected_onc_source_, source);
130 if (expected_onc_certificates_) {
131 EXPECT_TRUE(chromeos::onc::test_utils::Equals(
132 expected_onc_certificates_.get(), &certificates));
133 }
134 ++call_count_;
135 done_callback.Run(true, onc_trusted_certificates_);
136 }
137
138 private:
139 ::onc::ONCSource expected_onc_source_;
140 scoped_ptr<base::ListValue> expected_onc_certificates_;
141 net::CertificateList onc_trusted_certificates_;
142 unsigned int call_count_;
143
144 DISALLOW_COPY_AND_ASSIGN(FakeCertificateImporter);
145 };
146
147 const char kFakeONC[] =
148 "{ \"NetworkConfigurations\": ["
149 " { \"GUID\": \"{485d6076-dd44-6b6d-69787465725f5040}\","
150 " \"Type\": \"WiFi\","
151 " \"Name\": \"My WiFi Network\","
152 " \"WiFi\": {"
153 " \"HexSSID\": \"737369642D6E6F6E65\"," // "ssid-none"
154 " \"Security\": \"None\" }"
155 " }"
156 " ],"
157 " \"GlobalNetworkConfiguration\": {"
158 " \"AllowOnlyPolicyNetworksToAutoconnect\": true,"
159 " },"
160 " \"Certificates\": ["
161 " { \"GUID\": \"{f998f760-272b-6939-4c2beffe428697ac}\","
162 " \"PKCS12\": \"abc\","
163 " \"Type\": \"Client\" }"
164 " ],"
165 " \"Type\": \"UnencryptedConfiguration\""
166 "}";
167
168 std::string ValueToString(const base::Value& value) {
169 std::stringstream str;
170 str << value;
171 return str.str();
172 }
173
174 void AppendAll(const base::ListValue& from, base::ListValue* to) {
175 for (base::ListValue::const_iterator it = from.begin(); it != from.end();
176 ++it) {
177 to->Append((*it)->DeepCopy());
178 }
179 }
180
181 // Matcher to match base::Value.
182 MATCHER_P(IsEqualTo,
183 value,
184 std::string(negation ? "isn't" : "is") + " equal to " +
185 ValueToString(*value)) {
186 return value->Equals(&arg);
187 }
188
189 MATCHER(IsEmpty, std::string(negation ? "isn't" : "is") + " empty.") {
190 return arg.empty();
191 }
192
193 ACTION_P(SetCertificateList, list) {
194 if (arg2)
195 *arg2 = list;
196 return true;
197 }
198
199 } // namespace
200
201 class NetworkConfigurationUpdaterTest : public testing::Test {
202 protected:
203 NetworkConfigurationUpdaterTest() : certificate_importer_(NULL) {}
204
205 void SetUp() override {
206 EXPECT_CALL(provider_, IsInitializationComplete(_))
207 .WillRepeatedly(Return(false));
208 provider_.Init();
209 PolicyServiceImpl::Providers providers;
210 providers.push_back(&provider_);
211 policy_service_.reset(new PolicyServiceImpl(providers));
212
213 scoped_ptr<base::DictionaryValue> fake_toplevel_onc =
214 chromeos::onc::ReadDictionaryFromJson(kFakeONC);
215
216 base::ListValue* network_configs = NULL;
217 fake_toplevel_onc->GetListWithoutPathExpansion(
218 onc::toplevel_config::kNetworkConfigurations, &network_configs);
219 AppendAll(*network_configs, &fake_network_configs_);
220
221 base::DictionaryValue* global_config = NULL;
222 fake_toplevel_onc->GetDictionaryWithoutPathExpansion(
223 onc::toplevel_config::kGlobalNetworkConfiguration, &global_config);
224 fake_global_network_config_.MergeDictionary(global_config);
225
226 base::ListValue* certs = NULL;
227 fake_toplevel_onc->GetListWithoutPathExpansion(
228 onc::toplevel_config::kCertificates, &certs);
229 AppendAll(*certs, &fake_certificates_);
230
231 certificate_importer_ = new FakeCertificateImporter;
232 certificate_importer_owned_.reset(certificate_importer_);
233 }
234
235 void TearDown() override {
236 network_configuration_updater_.reset();
237 provider_.Shutdown();
238 base::RunLoop().RunUntilIdle();
239 }
240
241 void MarkPolicyProviderInitialized() {
242 Mock::VerifyAndClearExpectations(&provider_);
243 EXPECT_CALL(provider_, IsInitializationComplete(_))
244 .WillRepeatedly(Return(true));
245 provider_.SetAutoRefresh();
246 provider_.RefreshPolicies();
247 base::RunLoop().RunUntilIdle();
248 }
249
250 void UpdateProviderPolicy(const PolicyMap& policy) {
251 provider_.UpdateChromePolicy(policy);
252 base::RunLoop().RunUntilIdle();
253 }
254
255 UserNetworkConfigurationUpdater*
256 CreateNetworkConfigurationUpdaterForUserPolicy(
257 bool allow_trusted_certs_from_policy,
258 bool set_cert_importer) {
259 UserNetworkConfigurationUpdater* updater =
260 UserNetworkConfigurationUpdater::CreateForUserPolicy(
261 &profile_,
262 allow_trusted_certs_from_policy,
263 fake_user_,
264 policy_service_.get(),
265 &network_config_handler_).release();
266 if (set_cert_importer) {
267 EXPECT_TRUE(certificate_importer_owned_);
268 updater->SetCertificateImporterForTest(
269 certificate_importer_owned_.Pass());
270 }
271 network_configuration_updater_.reset(updater);
272 return updater;
273 }
274
275 void CreateNetworkConfigurationUpdaterForDevicePolicy() {
276 network_configuration_updater_ =
277 DeviceNetworkConfigurationUpdater::CreateForDevicePolicy(
278 policy_service_.get(),
279 &network_config_handler_,
280 &network_device_handler_,
281 chromeos::CrosSettings::Get());
282 }
283
284 base::ListValue fake_network_configs_;
285 base::DictionaryValue fake_global_network_config_;
286 base::ListValue fake_certificates_;
287 StrictMock<chromeos::MockManagedNetworkConfigurationHandler>
288 network_config_handler_;
289 FakeNetworkDeviceHandler network_device_handler_;
290 chromeos::ScopedCrosSettingsTestHelper settings_helper_;
291
292 // Ownership of certificate_importer_owned_ is passed to the
293 // NetworkConfigurationUpdater. When that happens, |certificate_importer_|
294 // continues to point to that instance but |certificate_importer_owned_| is
295 // released.
296 FakeCertificateImporter* certificate_importer_;
297 scoped_ptr<chromeos::onc::CertificateImporter> certificate_importer_owned_;
298
299 StrictMock<MockConfigurationPolicyProvider> provider_;
300 scoped_ptr<PolicyServiceImpl> policy_service_;
301 FakeUser fake_user_;
302
303 TestingProfile profile_;
304
305 scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
306 content::TestBrowserThreadBundle thread_bundle_;
307 };
308
309 TEST_F(NetworkConfigurationUpdaterTest, CellularAllowRoaming) {
310 // Ignore network config updates.
311 EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
312
313 settings_helper_.ReplaceProvider(chromeos::kSignedDataRoamingEnabled);
314 settings_helper_.SetBoolean(chromeos::kSignedDataRoamingEnabled, false);
315 EXPECT_FALSE(network_device_handler_.allow_roaming_);
316
317 CreateNetworkConfigurationUpdaterForDevicePolicy();
318 MarkPolicyProviderInitialized();
319 settings_helper_.SetBoolean(chromeos::kSignedDataRoamingEnabled, true);
320 EXPECT_TRUE(network_device_handler_.allow_roaming_);
321
322 settings_helper_.SetBoolean(chromeos::kSignedDataRoamingEnabled, false);
323 EXPECT_FALSE(network_device_handler_.allow_roaming_);
324 }
325
326 TEST_F(NetworkConfigurationUpdaterTest, PolicyIsValidatedAndRepaired) {
327 scoped_ptr<base::DictionaryValue> onc_repaired =
328 chromeos::onc::test_utils::ReadTestDictionary(
329 "repaired_toplevel_partially_invalid.onc");
330
331 base::ListValue* network_configs_repaired = NULL;
332 onc_repaired->GetListWithoutPathExpansion(
333 onc::toplevel_config::kNetworkConfigurations, &network_configs_repaired);
334 ASSERT_TRUE(network_configs_repaired);
335
336 base::DictionaryValue* global_config_repaired = NULL;
337 onc_repaired->GetDictionaryWithoutPathExpansion(
338 onc::toplevel_config::kGlobalNetworkConfiguration,
339 &global_config_repaired);
340 ASSERT_TRUE(global_config_repaired);
341
342 std::string onc_policy =
343 chromeos::onc::test_utils::ReadTestData("toplevel_partially_invalid.onc");
344 PolicyMap policy;
345 policy.Set(key::kOpenNetworkConfiguration,
346 POLICY_LEVEL_MANDATORY,
347 POLICY_SCOPE_USER,
348 POLICY_SOURCE_CLOUD,
349 new base::StringValue(onc_policy),
350 NULL);
351 UpdateProviderPolicy(policy);
352
353 EXPECT_CALL(network_config_handler_,
354 SetPolicy(onc::ONC_SOURCE_USER_POLICY,
355 _,
356 IsEqualTo(network_configs_repaired),
357 IsEqualTo(global_config_repaired)));
358 certificate_importer_->SetExpectedONCSource(onc::ONC_SOURCE_USER_POLICY);
359
360 CreateNetworkConfigurationUpdaterForUserPolicy(
361 false /* do not allow trusted certs from policy */,
362 true /* set certificate importer */);
363 MarkPolicyProviderInitialized();
364 EXPECT_EQ(1u, certificate_importer_->GetAndResetImportCount());
365 }
366
367 TEST_F(NetworkConfigurationUpdaterTest,
368 DoNotAllowTrustedCertificatesFromPolicy) {
369 net::CertificateList cert_list;
370 cert_list =
371 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
372 "ok_cert.pem",
373 net::X509Certificate::FORMAT_AUTO);
374 ASSERT_EQ(1u, cert_list.size());
375
376 EXPECT_CALL(network_config_handler_,
377 SetPolicy(onc::ONC_SOURCE_USER_POLICY, _, _, _));
378 certificate_importer_->SetTrustedCertificatesResult(cert_list);
379
380 UserNetworkConfigurationUpdater* updater =
381 CreateNetworkConfigurationUpdaterForUserPolicy(
382 false /* do not allow trusted certs from policy */,
383 true /* set certificate importer */);
384 MarkPolicyProviderInitialized();
385
386 // Certificates with the "Web" trust flag set should not be forwarded to
387 // observers.
388 FakeWebTrustedCertsObserver observer;
389 updater->AddTrustedCertsObserver(&observer);
390
391 base::RunLoop().RunUntilIdle();
392
393 net::CertificateList trust_anchors;
394 updater->GetWebTrustedCertificates(&trust_anchors);
395 EXPECT_TRUE(trust_anchors.empty());
396
397 EXPECT_TRUE(observer.trust_anchors_.empty());
398 updater->RemoveTrustedCertsObserver(&observer);
399 }
400
401 TEST_F(NetworkConfigurationUpdaterTest,
402 AllowTrustedCertificatesFromPolicyInitially) {
403 // Ignore network configuration changes.
404 EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
405 .Times(AnyNumber());
406
407 net::CertificateList cert_list;
408 cert_list =
409 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
410 "ok_cert.pem",
411 net::X509Certificate::FORMAT_AUTO);
412 ASSERT_EQ(1u, cert_list.size());
413
414 certificate_importer_->SetExpectedONCSource(onc::ONC_SOURCE_USER_POLICY);
415 certificate_importer_->SetTrustedCertificatesResult(cert_list);
416
417 UserNetworkConfigurationUpdater* updater =
418 CreateNetworkConfigurationUpdaterForUserPolicy(
419 true /* allow trusted certs from policy */,
420 true /* set certificate importer */);
421 MarkPolicyProviderInitialized();
422
423 base::RunLoop().RunUntilIdle();
424
425 // Certificates with the "Web" trust flag set will be returned.
426 net::CertificateList trust_anchors;
427 updater->GetWebTrustedCertificates(&trust_anchors);
428 EXPECT_EQ(1u, trust_anchors.size());
429 }
430
431 TEST_F(NetworkConfigurationUpdaterTest,
432 AllowTrustedCertificatesFromPolicyOnUpdate) {
433 // Ignore network configuration changes.
434 EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
435 .Times(AnyNumber());
436
437 // Start with an empty certificate list.
438 UserNetworkConfigurationUpdater* updater =
439 CreateNetworkConfigurationUpdaterForUserPolicy(
440 true /* allow trusted certs from policy */,
441 true /* set certificate importer */);
442 MarkPolicyProviderInitialized();
443
444 FakeWebTrustedCertsObserver observer;
445 updater->AddTrustedCertsObserver(&observer);
446
447 base::RunLoop().RunUntilIdle();
448
449 // Verify that the returned certificate list is empty.
450 {
451 net::CertificateList trust_anchors;
452 updater->GetWebTrustedCertificates(&trust_anchors);
453 EXPECT_TRUE(trust_anchors.empty());
454 }
455 EXPECT_TRUE(observer.trust_anchors_.empty());
456
457 // Now use a non-empty certificate list to test the observer notification.
458 net::CertificateList cert_list;
459 cert_list =
460 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
461 "ok_cert.pem",
462 net::X509Certificate::FORMAT_AUTO);
463 ASSERT_EQ(1u, cert_list.size());
464 certificate_importer_->SetTrustedCertificatesResult(cert_list);
465
466 // Change to any non-empty policy, so that updates are triggered. The actual
467 // content of the policy is irrelevant.
468 PolicyMap policy;
469 policy.Set(key::kOpenNetworkConfiguration,
470 POLICY_LEVEL_MANDATORY,
471 POLICY_SCOPE_USER,
472 POLICY_SOURCE_CLOUD,
473 new base::StringValue(kFakeONC),
474 NULL);
475 UpdateProviderPolicy(policy);
476 base::RunLoop().RunUntilIdle();
477
478 // Certificates with the "Web" trust flag set will be returned and forwarded
479 // to observers.
480 {
481 net::CertificateList trust_anchors;
482 updater->GetWebTrustedCertificates(&trust_anchors);
483 EXPECT_EQ(1u, trust_anchors.size());
484 }
485 EXPECT_EQ(1u, observer.trust_anchors_.size());
486
487 updater->RemoveTrustedCertsObserver(&observer);
488 }
489
490 TEST_F(NetworkConfigurationUpdaterTest,
491 DontImportCertificateBeforeCertificateImporterSet) {
492 PolicyMap policy;
493 policy.Set(key::kOpenNetworkConfiguration, POLICY_LEVEL_MANDATORY,
494 POLICY_SCOPE_USER, POLICY_SOURCE_CLOUD,
495 new base::StringValue(kFakeONC), nullptr);
496 UpdateProviderPolicy(policy);
497
498 EXPECT_CALL(network_config_handler_,
499 SetPolicy(onc::ONC_SOURCE_USER_POLICY,
500 kFakeUsernameHash,
501 IsEqualTo(&fake_network_configs_),
502 IsEqualTo(&fake_global_network_config_)));
503
504 UserNetworkConfigurationUpdater* updater =
505 CreateNetworkConfigurationUpdaterForUserPolicy(
506 true /* allow trusted certs from policy */,
507 false /* do not set certificate importer */);
508 MarkPolicyProviderInitialized();
509
510 Mock::VerifyAndClearExpectations(&network_config_handler_);
511 EXPECT_EQ(0u, certificate_importer_->GetAndResetImportCount());
512
513 certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
514 certificate_importer_->SetExpectedONCSource(onc::ONC_SOURCE_USER_POLICY);
515
516 ASSERT_TRUE(certificate_importer_owned_);
517 updater->SetCertificateImporterForTest(certificate_importer_owned_.Pass());
518 EXPECT_EQ(1u, certificate_importer_->GetAndResetImportCount());
519 }
520
521 class NetworkConfigurationUpdaterTestWithParam
522 : public NetworkConfigurationUpdaterTest,
523 public testing::WithParamInterface<const char*> {
524 protected:
525 // Returns the currently tested ONC source.
526 onc::ONCSource CurrentONCSource() {
527 if (GetParam() == key::kOpenNetworkConfiguration)
528 return onc::ONC_SOURCE_USER_POLICY;
529 DCHECK(GetParam() == key::kDeviceOpenNetworkConfiguration);
530 return onc::ONC_SOURCE_DEVICE_POLICY;
531 }
532
533 // Returns the expected username hash to push policies to
534 // ManagedNetworkConfigurationHandler.
535 std::string ExpectedUsernameHash() {
536 if (GetParam() == key::kOpenNetworkConfiguration)
537 return kFakeUsernameHash;
538 return std::string();
539 }
540
541 size_t ExpectedImportCertificatesCallCount() {
542 if (GetParam() == key::kOpenNetworkConfiguration)
543 return 1u;
544 return 0u;
545 }
546
547 void CreateNetworkConfigurationUpdater() {
548 if (GetParam() == key::kOpenNetworkConfiguration) {
549 CreateNetworkConfigurationUpdaterForUserPolicy(
550 false /* do not allow trusted certs from policy */,
551 true /* set certificate importer */);
552 } else {
553 CreateNetworkConfigurationUpdaterForDevicePolicy();
554 }
555 }
556 };
557
558 TEST_P(NetworkConfigurationUpdaterTestWithParam, InitialUpdates) {
559 PolicyMap policy;
560 policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
561 POLICY_SOURCE_CLOUD, new base::StringValue(kFakeONC), nullptr);
562 UpdateProviderPolicy(policy);
563
564 EXPECT_CALL(network_config_handler_,
565 SetPolicy(CurrentONCSource(),
566 ExpectedUsernameHash(),
567 IsEqualTo(&fake_network_configs_),
568 IsEqualTo(&fake_global_network_config_)));
569 certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
570 certificate_importer_->SetExpectedONCSource(CurrentONCSource());
571
572 CreateNetworkConfigurationUpdater();
573 MarkPolicyProviderInitialized();
574 EXPECT_EQ(ExpectedImportCertificatesCallCount(),
575 certificate_importer_->GetAndResetImportCount());
576 }
577
578 TEST_P(NetworkConfigurationUpdaterTestWithParam,
579 PolicyNotSetBeforePolicyProviderInitialized) {
580 PolicyMap policy;
581 policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
582 POLICY_SOURCE_CLOUD, new base::StringValue(kFakeONC), nullptr);
583 UpdateProviderPolicy(policy);
584
585 CreateNetworkConfigurationUpdater();
586
587 Mock::VerifyAndClearExpectations(&network_config_handler_);
588 EXPECT_EQ(0u, certificate_importer_->GetAndResetImportCount());
589
590 EXPECT_CALL(network_config_handler_,
591 SetPolicy(CurrentONCSource(),
592 ExpectedUsernameHash(),
593 IsEqualTo(&fake_network_configs_),
594 IsEqualTo(&fake_global_network_config_)));
595 certificate_importer_->SetExpectedONCSource(CurrentONCSource());
596 certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
597
598 MarkPolicyProviderInitialized();
599 EXPECT_EQ(ExpectedImportCertificatesCallCount(),
600 certificate_importer_->GetAndResetImportCount());
601 }
602
603 TEST_P(NetworkConfigurationUpdaterTestWithParam,
604 PolicyAppliedImmediatelyIfProvidersInitialized) {
605 MarkPolicyProviderInitialized();
606
607 PolicyMap policy;
608 policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
609 POLICY_SOURCE_CLOUD, new base::StringValue(kFakeONC), nullptr);
610 UpdateProviderPolicy(policy);
611
612 EXPECT_CALL(network_config_handler_,
613 SetPolicy(CurrentONCSource(),
614 ExpectedUsernameHash(),
615 IsEqualTo(&fake_network_configs_),
616 IsEqualTo(&fake_global_network_config_)));
617 certificate_importer_->SetExpectedONCSource(CurrentONCSource());
618 certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
619
620 CreateNetworkConfigurationUpdater();
621
622 EXPECT_EQ(ExpectedImportCertificatesCallCount(),
623 certificate_importer_->GetAndResetImportCount());
624 }
625
626 TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
627 // Ignore the initial updates.
628 EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
629
630 CreateNetworkConfigurationUpdater();
631 MarkPolicyProviderInitialized();
632
633 Mock::VerifyAndClearExpectations(&network_config_handler_);
634 EXPECT_LE(ExpectedImportCertificatesCallCount(),
635 certificate_importer_->GetAndResetImportCount());
636
637 // The Updater should update if policy changes.
638 EXPECT_CALL(network_config_handler_,
639 SetPolicy(CurrentONCSource(),
640 _,
641 IsEqualTo(&fake_network_configs_),
642 IsEqualTo(&fake_global_network_config_)));
643 certificate_importer_->SetExpectedONCSource(CurrentONCSource());
644 certificate_importer_->SetExpectedONCCertificates(fake_certificates_);
645
646 PolicyMap policy;
647 policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
648 POLICY_SOURCE_CLOUD, new base::StringValue(kFakeONC), nullptr);
649 UpdateProviderPolicy(policy);
650 Mock::VerifyAndClearExpectations(&network_config_handler_);
651 EXPECT_EQ(ExpectedImportCertificatesCallCount(),
652 certificate_importer_->GetAndResetImportCount());
653
654 // Another update is expected if the policy goes away.
655 EXPECT_CALL(network_config_handler_,
656 SetPolicy(CurrentONCSource(), _, IsEmpty(), IsEmpty()));
657 certificate_importer_->SetExpectedONCCertificates(base::ListValue());
658
659 policy.Erase(GetParam());
660 UpdateProviderPolicy(policy);
661 EXPECT_EQ(ExpectedImportCertificatesCallCount(),
662 certificate_importer_->GetAndResetImportCount());
663 }
664
665 INSTANTIATE_TEST_CASE_P(NetworkConfigurationUpdaterTestWithParamInstance,
666 NetworkConfigurationUpdaterTestWithParam,
667 testing::Values(key::kDeviceOpenNetworkConfiguration,
668 key::kOpenNetworkConfiguration));
669
670 } // namespace policy