chrome/browser/chromeos/attestation/attestation_policy_observer_unittest.cc

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include <string>
   6
   7 #include "base/bind.h"
   8 #include "base/message_loop/message_loop.h"
   9 #include "base/run_loop.h"
  10 #include "chrome/browser/chromeos/attestation/attestation_key_payload.pb.h"
  11 #include "chrome/browser/chromeos/attestation/attestation_policy_observer.h"
  12 #include "chrome/browser/chromeos/attestation/fake_certificate.h"
  13 #include "chrome/browser/chromeos/settings/scoped_cros_settings_test_helper.h"
  14 #include "chromeos/attestation/mock_attestation_flow.h"
  15 #include "chromeos/dbus/mock_cryptohome_client.h"
  16 #include "chromeos/settings/cros_settings_names.h"
  17 #include "components/policy/core/common/cloud/mock_cloud_policy_client.h"
  18 #include "content/public/test/test_browser_thread.h"
  19 #include "testing/gtest/include/gtest/gtest.h"
  20
  21 using testing::_;
  22 using testing::Invoke;
  23 using testing::StrictMock;
  24 using testing::WithArgs;
  25
  26 namespace chromeos {
  27 namespace attestation {
  28
  29 namespace {
  30
  31 const int64 kCertValid = 90;
  32 const int64 kCertExpiringSoon = 20;
  33 const int64 kCertExpired = -20;
  34
  35 void DBusCallbackFalse(const BoolDBusMethodCallback& callback) {
  36   base::MessageLoop::current()->PostTask(
  37       FROM_HERE, base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, false));
  38 }
  39
  40 void DBusCallbackTrue(const BoolDBusMethodCallback& callback) {
  41   base::MessageLoop::current()->PostTask(
  42       FROM_HERE, base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, true));
  43 }
  44
  45 void DBusCallbackError(const BoolDBusMethodCallback& callback) {
  46   base::MessageLoop::current()->PostTask(
  47       FROM_HERE, base::Bind(callback, DBUS_METHOD_CALL_FAILURE, false));
  48 }
  49
  50 void CertCallbackSuccess(const AttestationFlow::CertificateCallback& callback) {
  51   base::MessageLoop::current()->PostTask(
  52       FROM_HERE, base::Bind(callback, true, "fake_cert"));
  53 }
  54
  55 void StatusCallbackSuccess(
  56     const policy::CloudPolicyClient::StatusCallback& callback) {
  57   base::MessageLoop::current()->PostTask(
  58       FROM_HERE, base::Bind(callback, true));
  59 }
  60
  61 class FakeDBusData {
  62  public:
  63   explicit FakeDBusData(const std::string& data) : data_(data) {}
  64
  65   void operator() (const CryptohomeClient::DataMethodCallback& callback) {
  66     base::MessageLoop::current()->PostTask(
  67         FROM_HERE,
  68         base::Bind(callback, DBUS_METHOD_CALL_SUCCESS, true, data_));
  69   }
  70
  71  private:
  72   std::string data_;
  73 };
  74
  75 }  // namespace
  76
  77 class AttestationPolicyObserverTest : public ::testing::Test {
  78  public:
  79   AttestationPolicyObserverTest()
  80       : ui_thread_(content::BrowserThread::UI, &message_loop_) {
  81     settings_helper_.ReplaceProvider(kDeviceAttestationEnabled);
  82     settings_helper_.SetBoolean(kDeviceAttestationEnabled, true);
  83     policy_client_.SetDMToken("fake_dm_token");
  84   }
  85
  86  protected:
  87   enum MockOptions {
  88     MOCK_KEY_EXISTS = 1,          // Configure so a certified key exists.
  89     MOCK_KEY_UPLOADED = (1 << 1), // Configure so an upload has occurred.
  90     MOCK_NEW_KEY = (1 << 2)       // Configure expecting new key generation.
  91   };
  92
  93   // Configures mock expectations according to |mock_options|.  If options
  94   // require that a certificate exists, |certificate| will be used.
  95   void SetupMocks(int mock_options, const std::string& certificate) {
  96     bool key_exists = (mock_options & MOCK_KEY_EXISTS);
  97     // Setup expected key / cert queries.
  98     if (key_exists) {
  99       EXPECT_CALL(cryptohome_client_, TpmAttestationDoesKeyExist(_, _, _, _))
 100           .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackTrue)));
 101       EXPECT_CALL(cryptohome_client_, TpmAttestationGetCertificate(_, _, _, _))
 102           .WillRepeatedly(WithArgs<3>(Invoke(FakeDBusData(certificate))));
 103     } else {
 104       EXPECT_CALL(cryptohome_client_, TpmAttestationDoesKeyExist(_, _, _, _))
 105           .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackFalse)));
 106     }
 107
 108     // Setup expected key payload queries.
 109     bool key_uploaded = (mock_options & MOCK_KEY_UPLOADED);
 110     std::string payload = CreatePayload();
 111     EXPECT_CALL(cryptohome_client_, TpmAttestationGetKeyPayload(_, _, _, _))
 112         .WillRepeatedly(WithArgs<3>(Invoke(
 113             FakeDBusData(key_uploaded ? payload : ""))));
 114
 115     // Setup expected key uploads.  Use WillOnce() so StrictMock will trigger an
 116     // error if our expectations are not met exactly.  We want to verify that
 117     // during a single run through the observer only one upload operation occurs
 118     // (because it is costly) and similarly, that the writing of the uploaded
 119     // status in the key payload matches the upload operation.
 120     bool new_key = (mock_options & MOCK_NEW_KEY);
 121     if (new_key || !key_uploaded) {
 122       EXPECT_CALL(policy_client_,
 123                   UploadCertificate(new_key ? "fake_cert" : certificate, _))
 124           .WillOnce(WithArgs<1>(Invoke(StatusCallbackSuccess)));
 125       EXPECT_CALL(cryptohome_client_,
 126                   TpmAttestationSetKeyPayload(_, _, _, payload, _))
 127           .WillOnce(WithArgs<4>(Invoke(DBusCallbackTrue)));
 128     }
 129
 130     // Setup expected key generations.  Again use WillOnce().  Key generation is
 131     // another costly operation and if it gets triggered more than once during
 132     // a single pass this indicates a logical problem in the observer.
 133     if (new_key) {
 134       EXPECT_CALL(attestation_flow_, GetCertificate(_, _, _, _, _))
 135           .WillOnce(WithArgs<4>(Invoke(CertCallbackSuccess)));
 136     }
 137   }
 138
 139   void Run() {
 140     AttestationPolicyObserver observer(&policy_client_,
 141                                        &cryptohome_client_,
 142                                        &attestation_flow_);
 143     observer.set_retry_delay(0);
 144     base::RunLoop().RunUntilIdle();
 145   }
 146
 147   std::string CreatePayload() {
 148     AttestationKeyPayload proto;
 149     proto.set_is_certificate_uploaded(true);
 150     std::string serialized;
 151     proto.SerializeToString(&serialized);
 152     return serialized;
 153   }
 154
 155   base::MessageLoopForUI message_loop_;
 156   content::TestBrowserThread ui_thread_;
 157   ScopedCrosSettingsTestHelper settings_helper_;
 158   StrictMock<MockCryptohomeClient> cryptohome_client_;
 159   StrictMock<MockAttestationFlow> attestation_flow_;
 160   StrictMock<policy::MockCloudPolicyClient> policy_client_;
 161 };
 162
 163 TEST_F(AttestationPolicyObserverTest, FeatureDisabled) {
 164   settings_helper_.SetBoolean(kDeviceAttestationEnabled, false);
 165   Run();
 166 }
 167
 168 TEST_F(AttestationPolicyObserverTest, UnregisteredPolicyClient) {
 169   policy_client_.SetDMToken("");
 170   Run();
 171 }
 172
 173 TEST_F(AttestationPolicyObserverTest, NewCertificate) {
 174   SetupMocks(MOCK_NEW_KEY, "");
 175   Run();
 176 }
 177
 178 TEST_F(AttestationPolicyObserverTest, KeyExistsNotUploaded) {
 179   std::string certificate;
 180   ASSERT_TRUE(GetFakeCertificateDER(base::TimeDelta::FromDays(kCertValid),
 181                                     &certificate));
 182   SetupMocks(MOCK_KEY_EXISTS, certificate);
 183   Run();
 184 }
 185
 186 TEST_F(AttestationPolicyObserverTest, KeyExistsAlreadyUploaded) {
 187   std::string certificate;
 188   ASSERT_TRUE(GetFakeCertificateDER(base::TimeDelta::FromDays(kCertValid),
 189                                     &certificate));
 190   SetupMocks(MOCK_KEY_EXISTS | MOCK_KEY_UPLOADED, certificate);
 191   Run();
 192 }
 193
 194 TEST_F(AttestationPolicyObserverTest, KeyExistsCertExpiringSoon) {
 195   std::string certificate;
 196   ASSERT_TRUE(GetFakeCertificateDER(
 197       base::TimeDelta::FromDays(kCertExpiringSoon), &certificate));
 198   SetupMocks(MOCK_KEY_EXISTS | MOCK_KEY_UPLOADED | MOCK_NEW_KEY, certificate);
 199   Run();
 200 }
 201
 202 TEST_F(AttestationPolicyObserverTest, KeyExistsCertExpired) {
 203   std::string certificate;
 204   ASSERT_TRUE(GetFakeCertificateDER(base::TimeDelta::FromDays(kCertExpired),
 205                                     &certificate));
 206   SetupMocks(MOCK_KEY_EXISTS | MOCK_KEY_UPLOADED | MOCK_NEW_KEY, certificate);
 207   Run();
 208 }
 209
 210 TEST_F(AttestationPolicyObserverTest, IgnoreUnknownCertFormat) {
 211   SetupMocks(MOCK_KEY_EXISTS | MOCK_KEY_UPLOADED, "unsupported");
 212   Run();
 213 }
 214
 215 TEST_F(AttestationPolicyObserverTest, DBusFailureRetry) {
 216   SetupMocks(MOCK_NEW_KEY, "");
 217   // Simulate a DBus failure.
 218   EXPECT_CALL(cryptohome_client_, TpmAttestationDoesKeyExist(_, _, _, _))
 219       .WillOnce(WithArgs<3>(Invoke(DBusCallbackError)))
 220       .WillRepeatedly(WithArgs<3>(Invoke(DBusCallbackFalse)));
 221   Run();
 222 }
 223
 224 }  // namespace attestation
 225 }  // namespace chromeos