search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Elim cr-checkbox
[chromium-blink-merge.git] / chrome / browser / chromeos / policy / user_cloud_policy_store_chromeos_unittest.cc
blob7bd03e329a2ab10fb99982ce3d9be70d94f25e57
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
6
7 #include <vector>
8
9 #include "base/basictypes.h"
10 #include "base/bind.h"
11 #include "base/files/file_util.h"
12 #include "base/files/scoped_temp_dir.h"
13 #include "base/memory/scoped_ptr.h"
14 #include "base/message_loop/message_loop.h"
15 #include "base/threading/sequenced_worker_pool.h"
16 #include "chromeos/dbus/mock_cryptohome_client.h"
17 #include "chromeos/dbus/mock_session_manager_client.h"
18 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
19 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h"
20 #include "components/policy/core/common/cloud/policy_builder.h"
21 #include "components/policy/core/common/policy_types.h"
22 #include "policy/policy_constants.h"
23 #include "policy/proto/cloud_policy.pb.h"
24 #include "policy/proto/device_management_local.pb.h"
25 #include "testing/gmock/include/gmock/gmock.h"
26 #include "testing/gtest/include/gtest/gtest.h"
27
28 namespace em = enterprise_management;
29
30 using testing::AllOf;
31 using testing::AnyNumber;
32 using testing::Eq;
33 using testing::Mock;
34 using testing::Property;
35 using testing::Return;
36 using testing::SaveArg;
37 using testing::_;
38
39 namespace policy {
40
41 namespace {
42
43 const char kLegacyDeviceId[] = "legacy-device-id";
44 const char kLegacyToken[] = "legacy-token";
45 const char kSanitizedUsername[] =
46 "0123456789ABCDEF0123456789ABCDEF012345678@example.com";
47 const char kDefaultHomepage[] = "http://chromium.org";
48
49 ACTION_P2(SendSanitizedUsername, call_status, sanitized_username) {
50 base::MessageLoop::current()->PostTask(
51 FROM_HERE, base::Bind(arg1, call_status, sanitized_username));
52 }
53
54 class UserCloudPolicyStoreChromeOSTest : public testing::Test {
55 protected:
56 UserCloudPolicyStoreChromeOSTest() {}
57
58 void SetUp() override {
59 EXPECT_CALL(cryptohome_client_,
60 GetSanitizedUsername(PolicyBuilder::kFakeUsername, _))
61 .Times(AnyNumber())
62 .WillRepeatedly(
63 SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_SUCCESS,
64 kSanitizedUsername));
65
66 ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir());
67 store_.reset(new UserCloudPolicyStoreChromeOS(
68 &cryptohome_client_, &session_manager_client_, loop_.task_runner(),
69 PolicyBuilder::kFakeUsername, user_policy_dir(), token_file(),
70 policy_file()));
71 store_->AddObserver(&observer_);
72
73 // Install the initial public key, so that by default the validation of
74 // the stored/loaded policy blob succeeds.
75 std::vector<uint8> public_key;
76 ASSERT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key));
77 StoreUserPolicyKey(public_key);
78
79 policy_.payload().mutable_homepagelocation()->set_value(kDefaultHomepage);
80 policy_.Build();
81 }
82
83 void TearDown() override {
84 store_->RemoveObserver(&observer_);
85 store_.reset();
86 RunUntilIdle();
87 }
88
89 // Install an expectation on |observer_| for an error code.
90 void ExpectError(CloudPolicyStore::Status error) {
91 EXPECT_CALL(observer_,
92 OnStoreError(AllOf(Eq(store_.get()),
93 Property(&CloudPolicyStore::status,
94 Eq(error)))));
95 }
96
97 // Triggers a store_->Load() operation, handles the expected call to
98 // |session_manager_client_| and sends |response|.
99 void PerformPolicyLoad(const std::string& response) {
100 // Issue a load command.
101 chromeos::SessionManagerClient::RetrievePolicyCallback retrieve_callback;
102 EXPECT_CALL(session_manager_client_,
103 RetrievePolicyForUser(PolicyBuilder::kFakeUsername, _))
104 .WillOnce(SaveArg<1>(&retrieve_callback));
105 store_->Load();
106 RunUntilIdle();
107 Mock::VerifyAndClearExpectations(&session_manager_client_);
108 ASSERT_FALSE(retrieve_callback.is_null());
109
110 // Run the callback.
111 retrieve_callback.Run(response);
112 RunUntilIdle();
113 }
114
115 // Verifies that store_->policy_map() has the HomepageLocation entry with
116 // the |expected_value|.
117 void VerifyPolicyMap(const char* expected_value) {
118 EXPECT_EQ(1U, store_->policy_map().size());
119 const PolicyMap::Entry* entry =
120 store_->policy_map().Get(key::kHomepageLocation);
121 ASSERT_TRUE(entry);
122 EXPECT_TRUE(base::StringValue(expected_value).Equals(entry->value));
123 }
124
125 void StoreUserPolicyKey(const std::vector<uint8>& public_key) {
126 ASSERT_TRUE(base::CreateDirectory(user_policy_key_file().DirName()));
127 ASSERT_TRUE(
128 base::WriteFile(user_policy_key_file(),
129 reinterpret_cast<const char*>(public_key.data()),
130 public_key.size()));
131 }
132
133 // Stores the current |policy_| and verifies that it is published.
134 // If |new_public_key| is set then it will be persisted after storing but
135 // before loading the policy, so that the signature validation can succeed.
136 // If |previous_value| is set then a previously existing policy with that
137 // value will be expected; otherwise no previous policy is expected.
138 // If |new_value| is set then a new policy with that value is expected after
139 // storing the |policy_| blob.
140 void PerformStorePolicy(const std::vector<uint8>* new_public_key,
141 const char* previous_value,
142 const char* new_value) {
143 chromeos::SessionManagerClient::StorePolicyCallback store_callback;
144 EXPECT_CALL(session_manager_client_,
145 StorePolicyForUser(PolicyBuilder::kFakeUsername,
146 policy_.GetBlob(), _))
147 .WillOnce(SaveArg<2>(&store_callback));
148 store_->Store(policy_.policy());
149 RunUntilIdle();
150 Mock::VerifyAndClearExpectations(&session_manager_client_);
151 ASSERT_FALSE(store_callback.is_null());
152
153 // The new policy shouldn't be present yet.
154 PolicyMap previous_policy;
155 EXPECT_EQ(previous_value != NULL, store_->policy() != NULL);
156 if (previous_value) {
157 previous_policy.Set(key::kHomepageLocation,
158 POLICY_LEVEL_MANDATORY,
159 POLICY_SCOPE_USER,
160 POLICY_SOURCE_CLOUD,
161 new base::StringValue(previous_value), NULL);
162 }
163 EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
164 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
165
166 // Store the new public key so that the validation after the retrieve
167 // operation completes can verify the signature.
168 if (new_public_key)
169 StoreUserPolicyKey(*new_public_key);
170
171 // Let the store operation complete.
172 chromeos::SessionManagerClient::RetrievePolicyCallback retrieve_callback;
173 EXPECT_CALL(session_manager_client_,
174 RetrievePolicyForUser(PolicyBuilder::kFakeUsername, _))
175 .WillOnce(SaveArg<1>(&retrieve_callback));
176 store_callback.Run(true);
177 RunUntilIdle();
178 EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
179 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
180 Mock::VerifyAndClearExpectations(&session_manager_client_);
181 ASSERT_FALSE(retrieve_callback.is_null());
182
183 // Finish the retrieve callback.
184 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
185 retrieve_callback.Run(policy_.GetBlob());
186 RunUntilIdle();
187 ASSERT_TRUE(store_->policy());
188 EXPECT_EQ(policy_.policy_data().SerializeAsString(),
189 store_->policy()->SerializeAsString());
190 VerifyPolicyMap(new_value);
191 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
192 }
193
194 void VerifyStoreHasValidationError() {
195 EXPECT_FALSE(store_->policy());
196 EXPECT_TRUE(store_->policy_map().empty());
197 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
198 }
199
200 void RunUntilIdle() {
201 loop_.RunUntilIdle();
202 loop_.RunUntilIdle();
203 }
204
205 base::FilePath user_policy_dir() {
206 return tmp_dir_.path().AppendASCII("var_run_user_policy");
207 }
208
209 base::FilePath user_policy_key_file() {
210 return user_policy_dir().AppendASCII(kSanitizedUsername)
211 .AppendASCII("policy.pub");
212 }
213
214 base::FilePath token_file() {
215 return tmp_dir_.path().AppendASCII("token");
216 }
217
218 base::FilePath policy_file() {
219 return tmp_dir_.path().AppendASCII("policy");
220 }
221
222 base::MessageLoopForUI loop_;
223 chromeos::MockCryptohomeClient cryptohome_client_;
224 chromeos::MockSessionManagerClient session_manager_client_;
225 UserPolicyBuilder policy_;
226 MockCloudPolicyStoreObserver observer_;
227 scoped_ptr<UserCloudPolicyStoreChromeOS> store_;
228
229 private:
230 base::ScopedTempDir tmp_dir_;
231
232 DISALLOW_COPY_AND_ASSIGN(UserCloudPolicyStoreChromeOSTest);
233 };
234
235 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) {
236 // Start without any public key to trigger the initial key checks.
237 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
238 // Make the policy blob contain a new public key.
239 policy_.SetDefaultNewSigningKey();
240 policy_.Build();
241 std::vector<uint8> new_public_key;
242 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
243 ASSERT_NO_FATAL_FAILURE(
244 PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
245 }
246
247 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreValidationFail) {
248 // Start without any public key to trigger the initial key checks.
249 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
250 // Make the policy blob contain a new public key.
251 policy_.SetDefaultSigningKey();
252 policy_.Build();
253 *policy_.policy().mutable_new_public_key_verification_signature() = "garbage";
254
255 EXPECT_CALL(session_manager_client_,
256 StorePolicyForUser(
257 PolicyBuilder::kFakeUsername, policy_.GetBlob(), _)).Times(0);
258 store_->Store(policy_.policy());
259 RunUntilIdle();
260 Mock::VerifyAndClearExpectations(&session_manager_client_);
261 }
262
263 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStoreMissingSignatureFailure) {
264 // Start without any public key to trigger the initial key checks.
265 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
266 // Make the policy blob contain a new public key.
267 policy_.SetDefaultSigningKey();
268 policy_.Build();
269 policy_.policy().clear_new_public_key_verification_signature();
270
271 EXPECT_CALL(session_manager_client_,
272 StorePolicyForUser(
273 PolicyBuilder::kFakeUsername, policy_.GetBlob(), _)).Times(0);
274 store_->Store(policy_.policy());
275 RunUntilIdle();
276 Mock::VerifyAndClearExpectations(&session_manager_client_);
277 }
278
279 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) {
280 ASSERT_NO_FATAL_FAILURE(
281 PerformStorePolicy(NULL, NULL, kDefaultHomepage));
282 }
283
284 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
285 // Make the policy blob contain a new public key.
286 policy_.SetDefaultNewSigningKey();
287 policy_.Build();
288 std::vector<uint8> new_public_key;
289 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
290 ASSERT_NO_FATAL_FAILURE(
291 PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
292 }
293
294 TEST_F(UserCloudPolicyStoreChromeOSTest,
295 StoreWithRotationMissingSignatureError) {
296 // Make the policy blob contain a new public key.
297 policy_.SetDefaultNewSigningKey();
298 policy_.Build();
299 policy_.policy().clear_new_public_key_verification_signature();
300
301 EXPECT_CALL(session_manager_client_,
302 StorePolicyForUser(
303 PolicyBuilder::kFakeUsername, policy_.GetBlob(), _)).Times(0);
304 store_->Store(policy_.policy());
305 RunUntilIdle();
306 Mock::VerifyAndClearExpectations(&session_manager_client_);
307 }
308
309 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotationValidationError) {
310 // Make the policy blob contain a new public key.
311 policy_.SetDefaultNewSigningKey();
312 policy_.Build();
313 *policy_.policy().mutable_new_public_key_verification_signature() = "garbage";
314
315 EXPECT_CALL(session_manager_client_,
316 StorePolicyForUser(
317 PolicyBuilder::kFakeUsername, policy_.GetBlob(), _)).Times(0);
318 store_->Store(policy_.policy());
319 RunUntilIdle();
320 Mock::VerifyAndClearExpectations(&session_manager_client_);
321 }
322
323 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
324 // Store policy.
325 chromeos::SessionManagerClient::StorePolicyCallback store_callback;
326 EXPECT_CALL(session_manager_client_,
327 StorePolicyForUser(PolicyBuilder::kFakeUsername,
328 policy_.GetBlob(), _))
329 .WillOnce(SaveArg<2>(&store_callback));
330 store_->Store(policy_.policy());
331 RunUntilIdle();
332 Mock::VerifyAndClearExpectations(&session_manager_client_);
333 ASSERT_FALSE(store_callback.is_null());
334
335 // Let the store operation complete.
336 ExpectError(CloudPolicyStore::STATUS_STORE_ERROR);
337 store_callback.Run(false);
338 RunUntilIdle();
339 EXPECT_FALSE(store_->policy());
340 EXPECT_TRUE(store_->policy_map().empty());
341 EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status());
342 }
343
344 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
345 policy_.policy_data().clear_policy_type();
346 policy_.Build();
347
348 // Store policy.
349 chromeos::SessionManagerClient::StorePolicyCallback store_callback;
350 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
351 EXPECT_CALL(session_manager_client_,
352 StorePolicyForUser(PolicyBuilder::kFakeUsername,
353 policy_.GetBlob(), _))
354 .Times(0);
355 store_->Store(policy_.policy());
356 RunUntilIdle();
357 Mock::VerifyAndClearExpectations(&session_manager_client_);
358 }
359
360 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
361 // Make the dbus call to cryptohome fail.
362 Mock::VerifyAndClearExpectations(&cryptohome_client_);
363 EXPECT_CALL(cryptohome_client_,
364 GetSanitizedUsername(PolicyBuilder::kFakeUsername, _))
365 .Times(AnyNumber())
366 .WillRepeatedly(SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_FAILURE,
367 std::string()));
368
369 // Store policy.
370 chromeos::SessionManagerClient::StorePolicyCallback store_callback;
371 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
372 EXPECT_CALL(session_manager_client_,
373 StorePolicyForUser(PolicyBuilder::kFakeUsername,
374 policy_.GetBlob(), _))
375 .Times(0);
376 store_->Store(policy_.policy());
377 RunUntilIdle();
378 Mock::VerifyAndClearExpectations(&session_manager_client_);
379 }
380
381 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
382 // Break the signature.
383 policy_.policy().mutable_policy_data_signature()->append("garbage");
384
385 // Store policy.
386 chromeos::SessionManagerClient::StorePolicyCallback store_callback;
387 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
388 EXPECT_CALL(session_manager_client_,
389 StorePolicyForUser(PolicyBuilder::kFakeUsername,
390 policy_.GetBlob(), _))
391 .Times(0);
392 store_->Store(policy_.policy());
393 RunUntilIdle();
394 Mock::VerifyAndClearExpectations(&session_manager_client_);
395 }
396
397 TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
398 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
399 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
400 Mock::VerifyAndClearExpectations(&observer_);
401
402 // Verify that the policy has been loaded.
403 ASSERT_TRUE(store_->policy());
404 EXPECT_EQ(policy_.policy_data().SerializeAsString(),
405 store_->policy()->SerializeAsString());
406 VerifyPolicyMap(kDefaultHomepage);
407 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
408 }
409
410 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
411 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
412 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
413 Mock::VerifyAndClearExpectations(&observer_);
414
415 // Verify no policy has been installed.
416 EXPECT_FALSE(store_->policy());
417 EXPECT_TRUE(store_->policy_map().empty());
418 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
419 }
420
421 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
422 ExpectError(CloudPolicyStore::STATUS_PARSE_ERROR);
423 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("invalid"));
424
425 // Verify no policy has been installed.
426 EXPECT_FALSE(store_->policy());
427 EXPECT_TRUE(store_->policy_map().empty());
428 EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
429 }
430
431 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
432 policy_.policy_data().clear_policy_type();
433 policy_.Build();
434
435 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
436 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
437 VerifyStoreHasValidationError();
438 }
439
440 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
441 // The loaded policy can't be verified without the public key.
442 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
443 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
444 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
445 VerifyStoreHasValidationError();
446 }
447
448 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
449 // Break the signature.
450 policy_.policy().mutable_policy_data_signature()->append("garbage");
451 ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
452 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
453 VerifyStoreHasValidationError();
454 }
455
456 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) {
457 std::string data;
458
459 em::DeviceCredentials credentials;
460 credentials.set_device_token(kLegacyToken);
461 credentials.set_device_id(kLegacyDeviceId);
462 ASSERT_TRUE(credentials.SerializeToString(&data));
463 ASSERT_NE(-1, base::WriteFile(token_file(), data.c_str(), data.size()));
464
465 em::CachedCloudPolicyResponse cached_policy;
466 cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
467 ASSERT_TRUE(cached_policy.SerializeToString(&data));
468 ASSERT_NE(-1, base::WriteFile(policy_file(), data.c_str(), data.size()));
469
470 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
471 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
472 Mock::VerifyAndClearExpectations(&observer_);
473
474 // Verify that legacy user policy and token have been loaded.
475 em::PolicyData expected_policy_data;
476 EXPECT_TRUE(expected_policy_data.ParseFromString(
477 cached_policy.cloud_policy().policy_data()));
478 expected_policy_data.clear_public_key_version();
479 expected_policy_data.set_request_token(kLegacyToken);
480 expected_policy_data.set_device_id(kLegacyDeviceId);
481 ASSERT_TRUE(store_->policy());
482 EXPECT_EQ(expected_policy_data.SerializeAsString(),
483 store_->policy()->SerializeAsString());
484 VerifyPolicyMap(kDefaultHomepage);
485 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
486 }
487
488 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoToken) {
489 std::string data;
490 testing::Sequence seq;
491
492 em::CachedCloudPolicyResponse cached_policy;
493 cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
494 ASSERT_TRUE(cached_policy.SerializeToString(&data));
495 ASSERT_NE(-1, base::WriteFile(policy_file(), data.c_str(), data.size()));
496
497 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
498 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
499 Mock::VerifyAndClearExpectations(&observer_);
500
501 // Verify the legacy cache has been loaded.
502 em::PolicyData expected_policy_data;
503 EXPECT_TRUE(expected_policy_data.ParseFromString(
504 cached_policy.cloud_policy().policy_data()));
505 expected_policy_data.clear_public_key_version();
506 ASSERT_TRUE(store_->policy());
507 EXPECT_EQ(expected_policy_data.SerializeAsString(),
508 store_->policy()->SerializeAsString());
509 VerifyPolicyMap(kDefaultHomepage);
510 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
511 }
512
513 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoPolicy) {
514 std::string data;
515
516 em::DeviceCredentials credentials;
517 credentials.set_device_token(kLegacyToken);
518 credentials.set_device_id(kLegacyDeviceId);
519 ASSERT_TRUE(credentials.SerializeToString(&data));
520 ASSERT_NE(-1, base::WriteFile(token_file(), data.c_str(), data.size()));
521
522 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
523 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
524 Mock::VerifyAndClearExpectations(&observer_);
525
526 // Verify that legacy user policy and token have been loaded.
527 em::PolicyData expected_policy_data;
528 expected_policy_data.set_request_token(kLegacyToken);
529 expected_policy_data.set_device_id(kLegacyDeviceId);
530 ASSERT_TRUE(store_->policy());
531 EXPECT_EQ(expected_policy_data.SerializeAsString(),
532 store_->policy()->SerializeAsString());
533 EXPECT_TRUE(store_->policy_map().empty());
534 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
535 }
536
537 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationAndStoreNew) {
538 // Start without an existing public key.
539 ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
540
541 std::string data;
542 em::CachedCloudPolicyResponse cached_policy;
543 cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
544 ASSERT_TRUE(cached_policy.SerializeToString(&data));
545 ASSERT_NE(-1, base::WriteFile(policy_file(), data.c_str(), data.size()));
546
547 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
548 ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
549 Mock::VerifyAndClearExpectations(&observer_);
550
551 // Verify the legacy cache has been loaded.
552 em::PolicyData expected_policy_data;
553 EXPECT_TRUE(expected_policy_data.ParseFromString(
554 cached_policy.cloud_policy().policy_data()));
555 expected_policy_data.clear_public_key_version();
556 ASSERT_TRUE(store_->policy());
557 EXPECT_EQ(expected_policy_data.SerializeAsString(),
558 store_->policy()->SerializeAsString());
559 VerifyPolicyMap(kDefaultHomepage);
560 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
561 EXPECT_TRUE(base::PathExists(policy_file()));
562
563 // Now store a new policy using the new homepage location.
564 const char kNewHomepage[] = "http://google.com";
565 policy_.payload().mutable_homepagelocation()->set_value(kNewHomepage);
566 policy_.SetDefaultNewSigningKey();
567 policy_.Build();
568 std::vector<uint8> new_public_key;
569 ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
570 ASSERT_NO_FATAL_FAILURE(
571 PerformStorePolicy(&new_public_key, kDefaultHomepage, kNewHomepage));
572 VerifyPolicyMap(kNewHomepage);
573
574 // Verify that the legacy cache has been removed.
575 EXPECT_FALSE(base::PathExists(policy_file()));
576 }
577
578 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediately) {
579 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
580 EXPECT_CALL(session_manager_client_,
581 BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
582 .WillOnce(Return(policy_.GetBlob()));
583 EXPECT_CALL(cryptohome_client_,
584 BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
585 .WillOnce(Return(kSanitizedUsername));
586
587 EXPECT_FALSE(store_->policy());
588 store_->LoadImmediately();
589 // Note: verify that the |observer_| got notified synchronously, without
590 // having to spin the current loop. TearDown() will flush the loop so this
591 // must be done within the test.
592 Mock::VerifyAndClearExpectations(&observer_);
593 Mock::VerifyAndClearExpectations(&session_manager_client_);
594 Mock::VerifyAndClearExpectations(&cryptohome_client_);
595
596 // The policy should become available without having to spin any loops.
597 ASSERT_TRUE(store_->policy());
598 EXPECT_EQ(policy_.policy_data().SerializeAsString(),
599 store_->policy()->SerializeAsString());
600 VerifyPolicyMap(kDefaultHomepage);
601 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
602 }
603
604 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
605 EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
606 EXPECT_CALL(session_manager_client_,
607 BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
608 .WillOnce(Return(""));
609
610 EXPECT_FALSE(store_->policy());
611 store_->LoadImmediately();
612 Mock::VerifyAndClearExpectations(&observer_);
613 Mock::VerifyAndClearExpectations(&session_manager_client_);
614
615 EXPECT_FALSE(store_->policy());
616 EXPECT_TRUE(store_->policy_map().empty());
617 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
618 }
619
620 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
621 EXPECT_CALL(observer_, OnStoreError(store_.get()));
622 EXPECT_CALL(session_manager_client_,
623 BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
624 .WillOnce(Return("le blob"));
625
626 EXPECT_FALSE(store_->policy());
627 store_->LoadImmediately();
628 Mock::VerifyAndClearExpectations(&observer_);
629 Mock::VerifyAndClearExpectations(&session_manager_client_);
630
631 EXPECT_FALSE(store_->policy());
632 EXPECT_TRUE(store_->policy_map().empty());
633 EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
634 }
635
636 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
637 EXPECT_CALL(observer_, OnStoreError(store_.get()));
638 EXPECT_CALL(session_manager_client_,
639 BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
640 .WillOnce(Return(policy_.GetBlob()));
641 EXPECT_CALL(cryptohome_client_,
642 BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
643 .WillOnce(Return(""));
644
645 EXPECT_FALSE(store_->policy());
646 store_->LoadImmediately();
647 Mock::VerifyAndClearExpectations(&observer_);
648 Mock::VerifyAndClearExpectations(&session_manager_client_);
649 Mock::VerifyAndClearExpectations(&cryptohome_client_);
650
651 EXPECT_FALSE(store_->policy());
652 EXPECT_TRUE(store_->policy_map().empty());
653 EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status());
654 }
655
656 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
657 EXPECT_CALL(observer_, OnStoreError(store_.get()));
658 EXPECT_CALL(session_manager_client_,
659 BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
660 .WillOnce(Return(policy_.GetBlob()));
661 EXPECT_CALL(cryptohome_client_,
662 BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
663 .WillOnce(Return("wrong@example.com"));
664
665 EXPECT_FALSE(store_->policy());
666 store_->LoadImmediately();
667 Mock::VerifyAndClearExpectations(&observer_);
668 Mock::VerifyAndClearExpectations(&session_manager_client_);
669 Mock::VerifyAndClearExpectations(&cryptohome_client_);
670
671 EXPECT_FALSE(store_->policy());
672 EXPECT_TRUE(store_->policy_map().empty());
673 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
674 }
675
676 } // namespace
677
678 } // namespace policy