Supervised user SafeSites: Ignore trailing slash in URL path
[chromium-blink-merge.git] / chromeos / cert_loader_unittest.cc
blobf4366d4fd92f9d3d0e9be533b255d5ffa56b7290
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "chromeos/cert_loader.h"
7 #include "base/bind.h"
8 #include "base/files/file_util.h"
9 #include "base/memory/scoped_ptr.h"
10 #include "base/message_loop/message_loop.h"
11 #include "base/run_loop.h"
12 #include "crypto/nss_util_internal.h"
13 #include "crypto/scoped_nss_types.h"
14 #include "crypto/scoped_test_nss_chromeos_user.h"
15 #include "net/base/net_errors.h"
16 #include "net/base/test_data_directory.h"
17 #include "net/cert/nss_cert_database_chromeos.h"
18 #include "net/cert/x509_certificate.h"
19 #include "net/test/cert_test_util.h"
20 #include "testing/gtest/include/gtest/gtest.h"
22 // http://crbug.com/418369
23 #ifdef NDEBUG
25 namespace chromeos {
26 namespace {
28 bool IsCertInCertificateList(const net::X509Certificate* cert,
29 const net::CertificateList& cert_list) {
30 for (net::CertificateList::const_iterator it = cert_list.begin();
31 it != cert_list.end();
32 ++it) {
33 if (net::X509Certificate::IsSameOSCert((*it)->os_cert_handle(),
34 cert->os_cert_handle())) {
35 return true;
38 return false;
41 void FailOnPrivateSlotCallback(crypto::ScopedPK11Slot slot) {
42 EXPECT_FALSE(true) << "GetPrivateSlotForChromeOSUser callback called even "
43 << "though the private slot had been initialized.";
46 class CertLoaderTest : public testing::Test,
47 public CertLoader::Observer {
48 public:
49 CertLoaderTest() : cert_loader_(NULL),
50 primary_user_("primary"),
51 certificates_loaded_events_count_(0U) {
54 virtual ~CertLoaderTest() {}
56 virtual void SetUp() override {
57 ASSERT_TRUE(primary_user_.constructed_successfully());
58 ASSERT_TRUE(
59 crypto::GetPublicSlotForChromeOSUser(primary_user_.username_hash()));
61 CertLoader::Initialize();
62 cert_loader_ = CertLoader::Get();
63 cert_loader_->AddObserver(this);
66 virtual void TearDown() {
67 cert_loader_->RemoveObserver(this);
68 CertLoader::Shutdown();
71 protected:
72 void StartCertLoaderWithPrimaryUser() {
73 FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
74 cert_loader_->StartWithNSSDB(primary_db_.get());
76 base::RunLoop().RunUntilIdle();
77 GetAndResetCertificatesLoadedEventsCount();
80 // CertLoader::Observer:
81 // The test keeps count of times the observer method was called.
82 virtual void OnCertificatesLoaded(const net::CertificateList& cert_list,
83 bool initial_load) override {
84 EXPECT_TRUE(certificates_loaded_events_count_ == 0 || !initial_load);
85 certificates_loaded_events_count_++;
88 // Returns the number of |OnCertificatesLoaded| calls observed since the
89 // last call to this method equals |value|.
90 size_t GetAndResetCertificatesLoadedEventsCount() {
91 size_t result = certificates_loaded_events_count_;
92 certificates_loaded_events_count_ = 0;
93 return result;
96 // Finishes initialization for the |user| and returns a user's NSS database
97 // instance.
98 void FinishUserInitAndGetDatabase(
99 crypto::ScopedTestNSSChromeOSUser* user,
100 scoped_ptr<net::NSSCertDatabaseChromeOS>* database) {
101 ASSERT_TRUE(user->constructed_successfully());
103 user->FinishInit();
105 crypto::ScopedPK11Slot private_slot(
106 crypto::GetPrivateSlotForChromeOSUser(
107 user->username_hash(),
108 base::Bind(&FailOnPrivateSlotCallback)));
109 ASSERT_TRUE(private_slot);
111 database->reset(new net::NSSCertDatabaseChromeOS(
112 crypto::GetPublicSlotForChromeOSUser(user->username_hash()),
113 private_slot.Pass()));
114 (*database)->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
117 int GetDbPrivateSlotId(net::NSSCertDatabase* db) {
118 return static_cast<int>(PK11_GetSlotID(db->GetPrivateSlot().get()));
121 void ImportCACert(const std::string& cert_file,
122 net::NSSCertDatabase* database,
123 net::CertificateList* imported_certs) {
124 ASSERT_TRUE(database);
125 ASSERT_TRUE(imported_certs);
127 // Add a certificate to the user's db.
128 *imported_certs = net::CreateCertificateListFromFile(
129 net::GetTestCertsDirectory(),
130 cert_file,
131 net::X509Certificate::FORMAT_AUTO);
132 ASSERT_EQ(1U, imported_certs->size());
134 net::NSSCertDatabase::ImportCertFailureList failed;
135 ASSERT_TRUE(database->ImportCACerts(*imported_certs,
136 net::NSSCertDatabase::TRUST_DEFAULT,
137 &failed));
138 ASSERT_TRUE(failed.empty());
141 void ImportClientCertAndKey(const std::string& pkcs12_file,
142 net::NSSCertDatabase* database,
143 net::CertificateList* imported_certs) {
144 ASSERT_TRUE(database);
145 ASSERT_TRUE(imported_certs);
147 std::string pkcs12_data;
148 base::FilePath pkcs12_file_path =
149 net::GetTestCertsDirectory().Append(pkcs12_file);
150 ASSERT_TRUE(base::ReadFileToString(pkcs12_file_path, &pkcs12_data));
152 net::CertificateList client_cert_list;
153 scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
154 database->GetPrivateSlot().get()));
155 ASSERT_EQ(net::OK,
156 database->ImportFromPKCS12(module.get(),
157 pkcs12_data,
158 base::string16(),
159 false,
160 imported_certs));
161 ASSERT_EQ(1U, imported_certs->size());
164 CertLoader* cert_loader_;
166 // The user is primary as the one whose certificates CertLoader handles, it
167 // has nothing to do with crypto::InitializeNSSForChromeOSUser is_primary_user
168 // parameter (which is irrelevant for these tests).
169 crypto::ScopedTestNSSChromeOSUser primary_user_;
170 scoped_ptr<net::NSSCertDatabaseChromeOS> primary_db_;
172 base::MessageLoop message_loop_;
174 private:
175 size_t certificates_loaded_events_count_;
178 TEST_F(CertLoaderTest, Basic) {
179 EXPECT_FALSE(cert_loader_->CertificatesLoading());
180 EXPECT_FALSE(cert_loader_->certificates_loaded());
182 FinishUserInitAndGetDatabase(&primary_user_, &primary_db_);
184 cert_loader_->StartWithNSSDB(primary_db_.get());
186 EXPECT_FALSE(cert_loader_->certificates_loaded());
187 EXPECT_TRUE(cert_loader_->CertificatesLoading());
188 EXPECT_TRUE(cert_loader_->cert_list().empty());
190 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
191 base::RunLoop().RunUntilIdle();
192 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
194 EXPECT_TRUE(cert_loader_->certificates_loaded());
195 EXPECT_FALSE(cert_loader_->CertificatesLoading());
197 // Default CA cert roots should get loaded.
198 EXPECT_FALSE(cert_loader_->cert_list().empty());
201 TEST_F(CertLoaderTest, CertLoaderUpdatesCertListOnNewCert) {
202 StartCertLoaderWithPrimaryUser();
204 net::CertificateList certs;
205 ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
207 // Certs are loaded asynchronously, so the new cert should not yet be in the
208 // cert list.
209 EXPECT_FALSE(
210 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
212 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
213 base::RunLoop().RunUntilIdle();
214 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
216 // The certificate list should be updated now, as the message loop's been run.
217 EXPECT_TRUE(
218 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
220 EXPECT_FALSE(cert_loader_->IsCertificateHardwareBacked(certs[0].get()));
223 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnSecondaryDbChanges) {
224 crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
225 scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
227 StartCertLoaderWithPrimaryUser();
228 FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
230 net::CertificateList certs;
231 ImportCACert("root_ca_cert.pem", secondary_db.get(), &certs);
233 base::RunLoop().RunUntilIdle();
235 EXPECT_FALSE(
236 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
239 TEST_F(CertLoaderTest, ClientLoaderUpdateOnNewClientCert) {
240 StartCertLoaderWithPrimaryUser();
242 net::CertificateList certs;
243 ImportClientCertAndKey("websocket_client_cert.p12",
244 primary_db_.get(),
245 &certs);
247 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
248 base::RunLoop().RunUntilIdle();
249 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
251 EXPECT_TRUE(
252 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
255 TEST_F(CertLoaderTest, CertLoaderNoUpdateOnNewClientCertInSecondaryDb) {
256 crypto::ScopedTestNSSChromeOSUser secondary_user("secondary");
257 scoped_ptr<net::NSSCertDatabaseChromeOS> secondary_db;
259 StartCertLoaderWithPrimaryUser();
260 FinishUserInitAndGetDatabase(&secondary_user, &secondary_db);
262 net::CertificateList certs;
263 ImportClientCertAndKey("websocket_client_cert.p12",
264 secondary_db.get(),
265 &certs);
267 base::RunLoop().RunUntilIdle();
269 EXPECT_FALSE(
270 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
273 TEST_F(CertLoaderTest, UpdatedOnCertRemoval) {
274 StartCertLoaderWithPrimaryUser();
276 net::CertificateList certs;
277 ImportClientCertAndKey("websocket_client_cert.p12",
278 primary_db_.get(),
279 &certs);
281 base::RunLoop().RunUntilIdle();
283 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
284 ASSERT_TRUE(
285 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
287 primary_db_->DeleteCertAndKey(certs[0].get());
289 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
290 base::RunLoop().RunUntilIdle();
291 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
293 ASSERT_FALSE(
294 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
297 TEST_F(CertLoaderTest, UpdatedOnCACertTrustChange) {
298 StartCertLoaderWithPrimaryUser();
300 net::CertificateList certs;
301 ImportCACert("root_ca_cert.pem", primary_db_.get(), &certs);
303 base::RunLoop().RunUntilIdle();
304 ASSERT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
305 ASSERT_TRUE(
306 IsCertInCertificateList(certs[0].get(), cert_loader_->cert_list()));
308 // The value that should have been set by |ImportCACert|.
309 ASSERT_EQ(net::NSSCertDatabase::TRUST_DEFAULT,
310 primary_db_->GetCertTrust(certs[0].get(), net::CA_CERT));
311 ASSERT_TRUE(primary_db_->SetCertTrust(
312 certs[0].get(), net::CA_CERT, net::NSSCertDatabase::TRUSTED_SSL));
314 // Cert trust change should trigger certificate reload in cert_loader_.
315 ASSERT_EQ(0U, GetAndResetCertificatesLoadedEventsCount());
316 base::RunLoop().RunUntilIdle();
317 EXPECT_EQ(1U, GetAndResetCertificatesLoadedEventsCount());
320 } // namespace
321 } // namespace chromeos
323 #endif