search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Only grant permissions to new extensions from sync if they have the expected version
[chromium-blink-merge.git] / chromeos / network / client_cert_resolver_unittest.cc
blob5032b63957a1bdc21cfc668b4ab8a61bb383d082
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 #include "chromeos/network/client_cert_resolver.h"
5
6 #include <cert.h>
7 #include <pk11pub.h>
8
9 #include "base/bind.h"
10 #include "base/bind_helpers.h"
11 #include "base/files/file_path.h"
12 #include "base/files/file_util.h"
13 #include "base/json/json_reader.h"
14 #include "base/run_loop.h"
15 #include "base/strings/stringprintf.h"
16 #include "base/values.h"
17 #include "chromeos/cert_loader.h"
18 #include "chromeos/dbus/dbus_thread_manager.h"
19 #include "chromeos/dbus/shill_manager_client.h"
20 #include "chromeos/dbus/shill_profile_client.h"
21 #include "chromeos/dbus/shill_service_client.h"
22 #include "chromeos/network/managed_network_configuration_handler_impl.h"
23 #include "chromeos/network/network_configuration_handler.h"
24 #include "chromeos/network/network_profile_handler.h"
25 #include "chromeos/network/network_state_handler.h"
26 #include "components/onc/onc_constants.h"
27 #include "crypto/scoped_nss_types.h"
28 #include "crypto/scoped_test_nss_db.h"
29 #include "net/base/net_errors.h"
30 #include "net/base/test_data_directory.h"
31 #include "net/cert/nss_cert_database_chromeos.h"
32 #include "net/cert/x509_certificate.h"
33 #include "net/test/cert_test_util.h"
34 #include "testing/gtest/include/gtest/gtest.h"
35 #include "third_party/cros_system_api/dbus/service_constants.h"
36
37 namespace chromeos {
38
39 namespace {
40
41 const char* kWifiStub = "wifi_stub";
42 const char* kWifiSSID = "wifi_ssid";
43 const char* kUserProfilePath = "user_profile";
44 const char* kUserHash = "user_hash";
45
46 } // namespace
47
48 class ClientCertResolverTest : public testing::Test,
49 public ClientCertResolver::Observer {
50 public:
51 ClientCertResolverTest()
52 : network_properties_changed_count_(0),
53 service_test_(NULL),
54 profile_test_(NULL),
55 cert_loader_(NULL) {}
56 ~ClientCertResolverTest() override {}
57
58 void SetUp() override {
59 ASSERT_TRUE(test_nssdb_.is_open());
60
61 // Use the same DB for public and private slot.
62 test_nsscertdb_.reset(new net::NSSCertDatabaseChromeOS(
63 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot())),
64 crypto::ScopedPK11Slot(PK11_ReferenceSlot(test_nssdb_.slot()))));
65 test_nsscertdb_->SetSlowTaskRunnerForTest(message_loop_.task_runner());
66
67 DBusThreadManager::Initialize();
68 service_test_ =
69 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
70 profile_test_ =
71 DBusThreadManager::Get()->GetShillProfileClient()->GetTestInterface();
72 profile_test_->AddProfile(kUserProfilePath, kUserHash);
73 base::RunLoop().RunUntilIdle();
74 service_test_->ClearServices();
75 base::RunLoop().RunUntilIdle();
76
77 CertLoader::Initialize();
78 cert_loader_ = CertLoader::Get();
79 CertLoader::ForceHardwareBackedForTesting();
80 }
81
82 void TearDown() override {
83 client_cert_resolver_->RemoveObserver(this);
84 client_cert_resolver_.reset();
85 managed_config_handler_.reset();
86 network_config_handler_.reset();
87 network_profile_handler_.reset();
88 network_state_handler_.reset();
89 CertLoader::Shutdown();
90 DBusThreadManager::Shutdown();
91 }
92
93 protected:
94 void StartCertLoader() {
95 cert_loader_->StartWithNSSDB(test_nsscertdb_.get());
96 if (test_client_cert_.get()) {
97 int slot_id = 0;
98 const std::string pkcs11_id =
99 CertLoader::GetPkcs11IdAndSlotForCert(*test_client_cert_, &slot_id);
100 test_cert_id_ = base::StringPrintf("%i:%s", slot_id, pkcs11_id.c_str());
101 }
102 }
103
104 // Imports a CA cert (stored as PEM in test_ca_cert_pem_) and a client
105 // certificate signed by that CA. Its PKCS#11 ID is stored in
106 // |test_cert_id_|.
107 void SetupTestCerts() {
108 // Import a CA cert.
109 net::CertificateList ca_cert_list =
110 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
111 "client_1_ca.pem",
112 net::X509Certificate::FORMAT_AUTO);
113 ASSERT_TRUE(!ca_cert_list.empty());
114 net::NSSCertDatabase::ImportCertFailureList failures;
115 EXPECT_TRUE(test_nsscertdb_->ImportCACerts(
116 ca_cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));
117 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);
118
119 net::X509Certificate::GetPEMEncoded(ca_cert_list[0]->os_cert_handle(),
120 &test_ca_cert_pem_);
121 ASSERT_TRUE(!test_ca_cert_pem_.empty());
122
123 // Import a client cert signed by that CA.
124 test_client_cert_ =
125 net::ImportClientCertAndKeyFromFile(net::GetTestCertsDirectory(),
126 "client_1.pem",
127 "client_1.pk8",
128 test_nssdb_.slot());
129 ASSERT_TRUE(test_client_cert_.get());
130 }
131
132 void SetupNetworkHandlers() {
133 network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
134 network_profile_handler_.reset(new NetworkProfileHandler());
135 network_config_handler_.reset(new NetworkConfigurationHandler());
136 managed_config_handler_.reset(new ManagedNetworkConfigurationHandlerImpl());
137 client_cert_resolver_.reset(new ClientCertResolver());
138
139 network_profile_handler_->Init();
140 network_config_handler_->Init(network_state_handler_.get(),
141 NULL /* network_device_handler */);
142 managed_config_handler_->Init(network_state_handler_.get(),
143 network_profile_handler_.get(),
144 network_config_handler_.get(),
145 NULL /* network_device_handler */);
146 // Run all notifications before starting the cert loader to reduce run time.
147 base::RunLoop().RunUntilIdle();
148
149 client_cert_resolver_->Init(network_state_handler_.get(),
150 managed_config_handler_.get());
151 client_cert_resolver_->AddObserver(this);
152 client_cert_resolver_->SetSlowTaskRunnerForTest(
153 message_loop_.task_runner());
154 }
155
156 void SetupWifi() {
157 service_test_->SetServiceProperties(kWifiStub,
158 kWifiStub,
159 kWifiSSID,
160 shill::kTypeWifi,
161 shill::kStateOnline,
162 true /* visible */);
163 // Set an arbitrary cert id, so that we can check afterwards whether we
164 // cleared the property or not.
165 service_test_->SetServiceProperty(
166 kWifiStub, shill::kEapCertIdProperty, base::StringValue("invalid id"));
167 profile_test_->AddService(kUserProfilePath, kWifiStub);
168
169 DBusThreadManager::Get()
170 ->GetShillManagerClient()
171 ->GetTestInterface()
172 ->AddManagerService(kWifiStub, true);
173 }
174
175 // Setup a policy with a certificate pattern that matches any client cert that
176 // is signed by the test CA cert (stored in |test_ca_cert_pem_|). In
177 // particular it will match the test client cert.
178 void SetupPolicy() {
179 const char* kTestPolicyTemplate =
180 "[ { \"GUID\": \"wifi_stub\","
181 " \"Name\": \"wifi_stub\","
182 " \"Type\": \"WiFi\","
183 " \"WiFi\": {"
184 " \"Security\": \"WPA-EAP\","
185 " \"SSID\": \"wifi_ssid\","
186 " \"EAP\": {"
187 " \"Outer\": \"EAP-TLS\","
188 " \"ClientCertType\": \"Pattern\","
189 " \"ClientCertPattern\": {"
190 " \"IssuerCAPEMs\": [ \"%s\" ]"
191 " }"
192 " }"
193 " }"
194 "} ]";
195 std::string policy_json =
196 base::StringPrintf(kTestPolicyTemplate, test_ca_cert_pem_.c_str());
197
198 std::string error;
199 scoped_ptr<base::Value> policy_value = base::JSONReader::ReadAndReturnError(
200 policy_json, base::JSON_ALLOW_TRAILING_COMMAS, NULL, &error);
201 ASSERT_TRUE(policy_value) << error;
202
203 base::ListValue* policy = NULL;
204 ASSERT_TRUE(policy_value->GetAsList(&policy));
205
206 managed_config_handler_->SetPolicy(
207 onc::ONC_SOURCE_USER_POLICY,
208 kUserHash,
209 *policy,
210 base::DictionaryValue() /* no global network config */);
211 }
212
213 void GetClientCertProperties(std::string* pkcs11_id) {
214 pkcs11_id->clear();
215 const base::DictionaryValue* properties =
216 service_test_->GetServiceProperties(kWifiStub);
217 if (!properties)
218 return;
219 properties->GetStringWithoutPathExpansion(shill::kEapCertIdProperty,
220 pkcs11_id);
221 }
222
223 int network_properties_changed_count_;
224 std::string test_cert_id_;
225 scoped_ptr<ClientCertResolver> client_cert_resolver_;
226
227 private:
228 // ClientCertResolver::Observer:
229 void ResolveRequestCompleted(bool network_properties_changed) override {
230 if (network_properties_changed)
231 ++network_properties_changed_count_;
232 }
233
234 ShillServiceClient::TestInterface* service_test_;
235 ShillProfileClient::TestInterface* profile_test_;
236 CertLoader* cert_loader_;
237 scoped_ptr<NetworkStateHandler> network_state_handler_;
238 scoped_ptr<NetworkProfileHandler> network_profile_handler_;
239 scoped_ptr<NetworkConfigurationHandler> network_config_handler_;
240 scoped_ptr<ManagedNetworkConfigurationHandlerImpl> managed_config_handler_;
241 base::MessageLoop message_loop_;
242 scoped_refptr<net::X509Certificate> test_client_cert_;
243 std::string test_ca_cert_pem_;
244 crypto::ScopedTestNSSDB test_nssdb_;
245 scoped_ptr<net::NSSCertDatabaseChromeOS> test_nsscertdb_;
246
247 DISALLOW_COPY_AND_ASSIGN(ClientCertResolverTest);
248 };
249
250 TEST_F(ClientCertResolverTest, NoMatchingCertificates) {
251 StartCertLoader();
252 SetupWifi();
253 base::RunLoop().RunUntilIdle();
254 network_properties_changed_count_ = 0;
255 SetupNetworkHandlers();
256 SetupPolicy();
257 base::RunLoop().RunUntilIdle();
258
259 // Verify that no client certificate was configured.
260 std::string pkcs11_id;
261 GetClientCertProperties(&pkcs11_id);
262 EXPECT_EQ(std::string(), pkcs11_id);
263 EXPECT_EQ(1, network_properties_changed_count_);
264 EXPECT_FALSE(client_cert_resolver_->IsAnyResolveTaskRunning());
265 }
266
267 TEST_F(ClientCertResolverTest, ResolveOnCertificatesLoaded) {
268 SetupTestCerts();
269 SetupWifi();
270 base::RunLoop().RunUntilIdle();
271
272 SetupNetworkHandlers();
273 SetupPolicy();
274 base::RunLoop().RunUntilIdle();
275
276 network_properties_changed_count_ = 0;
277 StartCertLoader();
278 base::RunLoop().RunUntilIdle();
279
280 // Verify that the resolver positively matched the pattern in the policy with
281 // the test client cert and configured the network.
282 std::string pkcs11_id;
283 GetClientCertProperties(&pkcs11_id);
284 EXPECT_EQ(test_cert_id_, pkcs11_id);
285 EXPECT_EQ(1, network_properties_changed_count_);
286 }
287
288 TEST_F(ClientCertResolverTest, ResolveAfterPolicyApplication) {
289 SetupTestCerts();
290 SetupWifi();
291 base::RunLoop().RunUntilIdle();
292 StartCertLoader();
293 SetupNetworkHandlers();
294 base::RunLoop().RunUntilIdle();
295
296 // Policy application will trigger the ClientCertResolver.
297 network_properties_changed_count_ = 0;
298 SetupPolicy();
299 base::RunLoop().RunUntilIdle();
300
301 // Verify that the resolver positively matched the pattern in the policy with
302 // the test client cert and configured the network.
303 std::string pkcs11_id;
304 GetClientCertProperties(&pkcs11_id);
305 EXPECT_EQ(test_cert_id_, pkcs11_id);
306 EXPECT_EQ(1, network_properties_changed_count_);
307 }
308
309 } // namespace chromeos