search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Explicitly add python-numpy dependency to install-build-deps.
[chromium-blink-merge.git] / chromeos / network / network_cert_migrator_unittest.cc
bloba8c234285f8fe33fcffdee858b73bdb175511352
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "chromeos/network/network_cert_migrator.h"
6
7 #include <cert.h>
8
9 #include "base/files/file_path.h"
10 #include "base/files/file_util.h"
11 #include "base/run_loop.h"
12 #include "base/strings/string_number_conversions.h"
13 #include "chromeos/cert_loader.h"
14 #include "chromeos/dbus/dbus_thread_manager.h"
15 #include "chromeos/dbus/shill_profile_client.h"
16 #include "chromeos/dbus/shill_service_client.h"
17 #include "chromeos/network/network_state_handler.h"
18 #include "chromeos/tpm_token_loader.h"
19 #include "crypto/nss_util_internal.h"
20 #include "crypto/scoped_test_nss_chromeos_user.h"
21 #include "net/base/crypto_module.h"
22 #include "net/base/net_errors.h"
23 #include "net/base/test_data_directory.h"
24 #include "net/cert/nss_cert_database_chromeos.h"
25 #include "net/cert/x509_certificate.h"
26 #include "net/test/cert_test_util.h"
27 #include "testing/gtest/include/gtest/gtest.h"
28 #include "third_party/cros_system_api/dbus/service_constants.h"
29
30 // http://crbug.com/418369
31 #ifdef NDEBUG
32
33 namespace chromeos {
34
35 namespace {
36
37 const char* kWifiStub = "wifi_stub";
38 const char* kEthernetEapStub = "ethernet_eap_stub";
39 const char* kVPNStub = "vpn_stub";
40 const char* kNSSNickname = "nss_nickname";
41 const char* kFakePEM = "pem";
42 const char* kProfile = "/profile/profile1";
43
44 } // namespace
45
46 class NetworkCertMigratorTest : public testing::Test {
47 public:
48 NetworkCertMigratorTest() : service_test_(NULL),
49 user_("user_hash") {
50 }
51 virtual ~NetworkCertMigratorTest() {}
52
53 virtual void SetUp() override {
54 // Initialize NSS db for the user.
55 ASSERT_TRUE(user_.constructed_successfully());
56 user_.FinishInit();
57 test_nssdb_.reset(new net::NSSCertDatabaseChromeOS(
58 crypto::GetPublicSlotForChromeOSUser(user_.username_hash()),
59 crypto::GetPrivateSlotForChromeOSUser(
60 user_.username_hash(),
61 base::Callback<void(crypto::ScopedPK11Slot)>())));
62 test_nssdb_->SetSlowTaskRunnerForTest(message_loop_.message_loop_proxy());
63
64 DBusThreadManager::Initialize();
65 service_test_ =
66 DBusThreadManager::Get()->GetShillServiceClient()->GetTestInterface();
67 DBusThreadManager::Get()
68 ->GetShillProfileClient()
69 ->GetTestInterface()
70 ->AddProfile(kProfile, "" /* userhash */);
71 base::RunLoop().RunUntilIdle();
72 service_test_->ClearServices();
73 base::RunLoop().RunUntilIdle();
74
75 CertLoader::Initialize();
76 CertLoader* cert_loader_ = CertLoader::Get();
77 cert_loader_->StartWithNSSDB(test_nssdb_.get());
78 }
79
80 virtual void TearDown() override {
81 network_cert_migrator_.reset();
82 network_state_handler_.reset();
83 CertLoader::Shutdown();
84 DBusThreadManager::Shutdown();
85 CleanupTestCert();
86 }
87
88 protected:
89 void SetupTestCACert() {
90 scoped_refptr<net::X509Certificate> cert_wo_nickname =
91 net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
92 "eku-test-root.pem",
93 net::X509Certificate::FORMAT_AUTO)
94 .back();
95 net::X509Certificate::GetPEMEncoded(cert_wo_nickname->os_cert_handle(),
96 &test_ca_cert_pem_);
97 std::string der_encoded;
98 net::X509Certificate::GetDEREncoded(cert_wo_nickname->os_cert_handle(),
99 &der_encoded);
100 cert_wo_nickname = NULL;
101
102 test_ca_cert_ = net::X509Certificate::CreateFromBytesWithNickname(
103 der_encoded.data(), der_encoded.size(), kNSSNickname);
104 net::CertificateList cert_list;
105 cert_list.push_back(test_ca_cert_);
106 net::NSSCertDatabase::ImportCertFailureList failures;
107 EXPECT_TRUE(test_nssdb_->ImportCACerts(
108 cert_list, net::NSSCertDatabase::TRUST_DEFAULT, &failures));
109 ASSERT_TRUE(failures.empty()) << net::ErrorToString(failures[0].net_error);
110 }
111
112 void SetupTestClientCert() {
113 std::string pkcs12_data;
114 ASSERT_TRUE(base::ReadFileToString(
115 net::GetTestCertsDirectory().Append("websocket_client_cert.p12"),
116 &pkcs12_data));
117
118 net::CertificateList client_cert_list;
119 scoped_refptr<net::CryptoModule> module(net::CryptoModule::CreateFromHandle(
120 test_nssdb_->GetPrivateSlot().get()));
121 ASSERT_EQ(net::OK,
122 test_nssdb_->ImportFromPKCS12(module.get(),
123 pkcs12_data,
124 base::string16(),
125 false,
126 &client_cert_list));
127 ASSERT_TRUE(!client_cert_list.empty());
128 test_client_cert_ = client_cert_list[0];
129
130 int slot_id = -1;
131 test_client_cert_pkcs11_id_ = CertLoader::GetPkcs11IdAndSlotForCert(
132 *test_client_cert_, &slot_id);
133 ASSERT_FALSE(test_client_cert_pkcs11_id_.empty());
134 ASSERT_NE(-1, slot_id);
135 test_client_cert_slot_id_ = base::IntToString(slot_id);
136 }
137
138 void SetupNetworkHandlers() {
139 network_state_handler_.reset(NetworkStateHandler::InitializeForTest());
140 network_cert_migrator_.reset(new NetworkCertMigrator);
141 network_cert_migrator_->Init(network_state_handler_.get());
142 }
143
144 void AddService(const std::string& network_id,
145 const std::string& type,
146 const std::string& state) {
147 service_test_->AddService(network_id /* service_path */,
148 network_id /* guid */,
149 network_id /* name */,
150 type,
151 state,
152 true /* add_to_visible */);
153
154 // Ensure that the service appears as 'configured', i.e. is associated to a
155 // Shill profile.
156 service_test_->SetServiceProperty(
157 network_id, shill::kProfileProperty, base::StringValue(kProfile));
158 }
159
160 void SetupWifiWithNss() {
161 AddService(kWifiStub, shill::kTypeWifi, shill::kStateOnline);
162 service_test_->SetServiceProperty(kWifiStub,
163 shill::kEapCaCertNssProperty,
164 base::StringValue(kNSSNickname));
165 }
166
167 void SetupNetworkWithEapCertId(bool wifi, const std::string& cert_id) {
168 std::string type = wifi ? shill::kTypeWifi: shill::kTypeEthernetEap;
169 std::string name = wifi ? kWifiStub : kEthernetEapStub;
170 AddService(name, type, shill::kStateOnline);
171 service_test_->SetServiceProperty(
172 name, shill::kEapCertIdProperty, base::StringValue(cert_id));
173 service_test_->SetServiceProperty(
174 name, shill::kEapKeyIdProperty, base::StringValue(cert_id));
175
176 if (wifi) {
177 service_test_->SetServiceProperty(
178 name,
179 shill::kSecurityProperty,
180 base::StringValue(shill::kSecurity8021x));
181 }
182 }
183
184 void GetEapCertId(bool wifi, std::string* cert_id) {
185 cert_id->clear();
186
187 std::string name = wifi ? kWifiStub : kEthernetEapStub;
188 const base::DictionaryValue* properties =
189 service_test_->GetServiceProperties(name);
190 properties->GetStringWithoutPathExpansion(shill::kEapCertIdProperty,
191 cert_id);
192 }
193
194 void SetupVpnWithCertId(bool open_vpn,
195 const std::string& slot_id,
196 const std::string& pkcs11_id) {
197 AddService(kVPNStub, shill::kTypeVPN, shill::kStateIdle);
198 base::DictionaryValue provider;
199 if (open_vpn) {
200 provider.SetStringWithoutPathExpansion(shill::kTypeProperty,
201 shill::kProviderOpenVpn);
202 provider.SetStringWithoutPathExpansion(
203 shill::kOpenVPNClientCertIdProperty, pkcs11_id);
204 } else {
205 provider.SetStringWithoutPathExpansion(shill::kTypeProperty,
206 shill::kProviderL2tpIpsec);
207 provider.SetStringWithoutPathExpansion(
208 shill::kL2tpIpsecClientCertSlotProperty, slot_id);
209 provider.SetStringWithoutPathExpansion(
210 shill::kL2tpIpsecClientCertIdProperty, pkcs11_id);
211 }
212 service_test_->SetServiceProperty(
213 kVPNStub, shill::kProviderProperty, provider);
214 }
215
216 void GetVpnCertId(bool open_vpn,
217 std::string* slot_id,
218 std::string* pkcs11_id) {
219 slot_id->clear();
220 pkcs11_id->clear();
221
222 const base::DictionaryValue* properties =
223 service_test_->GetServiceProperties(kVPNStub);
224 ASSERT_TRUE(properties);
225 const base::DictionaryValue* provider = NULL;
226 properties->GetDictionaryWithoutPathExpansion(shill::kProviderProperty,
227 &provider);
228 if (!provider)
229 return;
230 if (open_vpn) {
231 provider->GetStringWithoutPathExpansion(
232 shill::kOpenVPNClientCertIdProperty, pkcs11_id);
233 } else {
234 provider->GetStringWithoutPathExpansion(
235 shill::kL2tpIpsecClientCertSlotProperty, slot_id);
236 provider->GetStringWithoutPathExpansion(
237 shill::kL2tpIpsecClientCertIdProperty, pkcs11_id);
238 }
239 }
240
241 void GetEapCACertProperties(std::string* nss_nickname, std::string* ca_pem) {
242 nss_nickname->clear();
243 ca_pem->clear();
244 const base::DictionaryValue* properties =
245 service_test_->GetServiceProperties(kWifiStub);
246 properties->GetStringWithoutPathExpansion(shill::kEapCaCertNssProperty,
247 nss_nickname);
248 const base::ListValue* ca_pems = NULL;
249 properties->GetListWithoutPathExpansion(shill::kEapCaCertPemProperty,
250 &ca_pems);
251 if (ca_pems && !ca_pems->empty())
252 ca_pems->GetString(0, ca_pem);
253 }
254
255 void SetupVpnWithNss(bool open_vpn) {
256 AddService(kVPNStub, shill::kTypeVPN, shill::kStateIdle);
257 base::DictionaryValue provider;
258 const char* nss_property = open_vpn ? shill::kOpenVPNCaCertNSSProperty
259 : shill::kL2tpIpsecCaCertNssProperty;
260 provider.SetStringWithoutPathExpansion(nss_property, kNSSNickname);
261 service_test_->SetServiceProperty(
262 kVPNStub, shill::kProviderProperty, provider);
263 }
264
265 void GetVpnCACertProperties(bool open_vpn,
266 std::string* nss_nickname,
267 std::string* ca_pem) {
268 nss_nickname->clear();
269 ca_pem->clear();
270 const base::DictionaryValue* properties =
271 service_test_->GetServiceProperties(kVPNStub);
272 const base::DictionaryValue* provider = NULL;
273 properties->GetDictionaryWithoutPathExpansion(shill::kProviderProperty,
274 &provider);
275 if (!provider)
276 return;
277 const char* nss_property = open_vpn ? shill::kOpenVPNCaCertNSSProperty
278 : shill::kL2tpIpsecCaCertNssProperty;
279 provider->GetStringWithoutPathExpansion(nss_property, nss_nickname);
280 const base::ListValue* ca_pems = NULL;
281 const char* pem_property = open_vpn ? shill::kOpenVPNCaCertPemProperty
282 : shill::kL2tpIpsecCaCertPemProperty;
283 provider->GetListWithoutPathExpansion(pem_property, &ca_pems);
284 if (ca_pems && !ca_pems->empty())
285 ca_pems->GetString(0, ca_pem);
286 }
287
288 ShillServiceClient::TestInterface* service_test_;
289 scoped_refptr<net::X509Certificate> test_ca_cert_;
290 scoped_refptr<net::X509Certificate> test_client_cert_;
291 std::string test_client_cert_pkcs11_id_;
292 std::string test_client_cert_slot_id_;
293 std::string test_ca_cert_pem_;
294 base::MessageLoop message_loop_;
295
296 private:
297 void CleanupTestCert() {
298 if (test_ca_cert_.get())
299 ASSERT_TRUE(test_nssdb_->DeleteCertAndKey(test_ca_cert_.get()));
300
301 if (test_client_cert_.get())
302 ASSERT_TRUE(test_nssdb_->DeleteCertAndKey(test_client_cert_.get()));
303 }
304
305 scoped_ptr<NetworkStateHandler> network_state_handler_;
306 scoped_ptr<NetworkCertMigrator> network_cert_migrator_;
307 crypto::ScopedTestNSSChromeOSUser user_;
308 scoped_ptr<net::NSSCertDatabaseChromeOS> test_nssdb_;
309
310 DISALLOW_COPY_AND_ASSIGN(NetworkCertMigratorTest);
311 };
312
313 TEST_F(NetworkCertMigratorTest, MigrateNssOnInitialization) {
314 // Add a new network for migration before the handlers are initialized.
315 SetupWifiWithNss();
316 SetupTestCACert();
317 SetupNetworkHandlers();
318
319 base::RunLoop().RunUntilIdle();
320 std::string nss_nickname, ca_pem;
321 GetEapCACertProperties(&nss_nickname, &ca_pem);
322 EXPECT_TRUE(nss_nickname.empty());
323 EXPECT_EQ(test_ca_cert_pem_, ca_pem);
324 }
325
326 TEST_F(NetworkCertMigratorTest, MigrateNssOnNetworkAppearance) {
327 SetupTestCACert();
328 SetupNetworkHandlers();
329 base::RunLoop().RunUntilIdle();
330
331 // Add a new network for migration after the handlers are initialized.
332 SetupWifiWithNss();
333
334 base::RunLoop().RunUntilIdle();
335 std::string nss_nickname, ca_pem;
336 GetEapCACertProperties(&nss_nickname, &ca_pem);
337 EXPECT_TRUE(nss_nickname.empty());
338 EXPECT_EQ(test_ca_cert_pem_, ca_pem);
339 }
340
341 TEST_F(NetworkCertMigratorTest, DoNotMigrateNssIfPemSet) {
342 // Add a new network with an already set PEM property.
343 SetupWifiWithNss();
344 base::ListValue ca_pems;
345 ca_pems.AppendString(kFakePEM);
346 service_test_->SetServiceProperty(
347 kWifiStub, shill::kEapCaCertPemProperty, ca_pems);
348
349 SetupTestCACert();
350 SetupNetworkHandlers();
351 base::RunLoop().RunUntilIdle();
352
353 std::string nss_nickname, ca_pem;
354 GetEapCACertProperties(&nss_nickname, &ca_pem);
355 EXPECT_TRUE(nss_nickname.empty());
356 EXPECT_EQ(kFakePEM, ca_pem);
357 }
358
359 TEST_F(NetworkCertMigratorTest, MigrateNssOpenVpn) {
360 // Add a new network for migration before the handlers are initialized.
361 SetupVpnWithNss(true /* OpenVPN */);
362
363 SetupTestCACert();
364 SetupNetworkHandlers();
365
366 base::RunLoop().RunUntilIdle();
367 std::string nss_nickname, ca_pem;
368 GetVpnCACertProperties(true /* OpenVPN */, &nss_nickname, &ca_pem);
369 EXPECT_TRUE(nss_nickname.empty());
370 EXPECT_EQ(test_ca_cert_pem_, ca_pem);
371 }
372
373 TEST_F(NetworkCertMigratorTest, MigrateNssIpsecVpn) {
374 // Add a new network for migration before the handlers are initialized.
375 SetupVpnWithNss(false /* not OpenVPN */);
376
377 SetupTestCACert();
378 SetupNetworkHandlers();
379
380 base::RunLoop().RunUntilIdle();
381 std::string nss_nickname, ca_pem;
382 GetVpnCACertProperties(false /* not OpenVPN */, &nss_nickname, &ca_pem);
383 EXPECT_TRUE(nss_nickname.empty());
384 EXPECT_EQ(test_ca_cert_pem_, ca_pem);
385 }
386
387 TEST_F(NetworkCertMigratorTest, MigrateEapCertIdNoMatchingCert) {
388 SetupTestClientCert();
389 SetupNetworkHandlers();
390 base::RunLoop().RunUntilIdle();
391
392 // Add a new network for migration after the handlers are initialized.
393 SetupNetworkWithEapCertId(true /* wifi */, "unknown pkcs11 id");
394
395 base::RunLoop().RunUntilIdle();
396 // Since the PKCS11 ID is unknown, the certificate configuration will be
397 // cleared.
398 std::string cert_id;
399 GetEapCertId(true /* wifi */, &cert_id);
400 EXPECT_EQ(std::string(), cert_id);
401 }
402
403 TEST_F(NetworkCertMigratorTest, MigrateEapCertIdNoSlotId) {
404 SetupTestClientCert();
405 SetupNetworkHandlers();
406 base::RunLoop().RunUntilIdle();
407
408 // Add a new network for migration after the handlers are initialized.
409 SetupNetworkWithEapCertId(true /* wifi */, test_client_cert_pkcs11_id_);
410
411 base::RunLoop().RunUntilIdle();
412
413 std::string cert_id;
414 GetEapCertId(true /* wifi */, &cert_id);
415 std::string expected_cert_id =
416 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_;
417 EXPECT_EQ(expected_cert_id, cert_id);
418 }
419
420 TEST_F(NetworkCertMigratorTest, MigrateWifiEapCertIdWrongSlotId) {
421 SetupTestClientCert();
422 SetupNetworkHandlers();
423 base::RunLoop().RunUntilIdle();
424
425 // Add a new network for migration after the handlers are initialized.
426 SetupNetworkWithEapCertId(true /* wifi */,
427 "123:" + test_client_cert_pkcs11_id_);
428
429 base::RunLoop().RunUntilIdle();
430
431 std::string cert_id;
432 GetEapCertId(true /* wifi */, &cert_id);
433 std::string expected_cert_id =
434 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_;
435 EXPECT_EQ(expected_cert_id, cert_id);
436 }
437
438 TEST_F(NetworkCertMigratorTest, DoNotChangeEapCertIdWithCorrectSlotId) {
439 SetupTestClientCert();
440 SetupNetworkHandlers();
441 base::RunLoop().RunUntilIdle();
442
443 std::string expected_cert_id =
444 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_;
445
446 // Add a new network for migration after the handlers are initialized.
447 SetupNetworkWithEapCertId(true /* wifi */, expected_cert_id);
448
449 base::RunLoop().RunUntilIdle();
450
451 std::string cert_id;
452 GetEapCertId(true /* wifi */, &cert_id);
453 EXPECT_EQ(expected_cert_id, cert_id);
454 }
455
456 TEST_F(NetworkCertMigratorTest, IgnoreOpenVPNCertId) {
457 SetupTestClientCert();
458 SetupNetworkHandlers();
459 base::RunLoop().RunUntilIdle();
460
461 const char kPkcs11Id[] = "any slot id";
462
463 // Add a new network for migration after the handlers are initialized.
464 SetupVpnWithCertId(
465 true /* OpenVPN */, std::string() /* no slot id */, kPkcs11Id);
466
467 base::RunLoop().RunUntilIdle();
468
469 std::string pkcs11_id;
470 std::string unused_slot_id;
471 GetVpnCertId(true /* OpenVPN */, &unused_slot_id, &pkcs11_id);
472 EXPECT_EQ(kPkcs11Id, pkcs11_id);
473 }
474
475 TEST_F(NetworkCertMigratorTest, MigrateEthernetEapCertIdWrongSlotId) {
476 SetupTestClientCert();
477 SetupNetworkHandlers();
478 base::RunLoop().RunUntilIdle();
479
480 // Add a new network for migration after the handlers are initialized.
481 SetupNetworkWithEapCertId(
482 false /* ethernet */, "123:" + test_client_cert_pkcs11_id_);
483
484 base::RunLoop().RunUntilIdle();
485
486 std::string cert_id;
487 GetEapCertId(false /* ethernet */, &cert_id);
488 std::string expected_cert_id =
489 test_client_cert_slot_id_ + ":" + test_client_cert_pkcs11_id_;
490 EXPECT_EQ(expected_cert_id, cert_id);
491 }
492
493 TEST_F(NetworkCertMigratorTest, MigrateIpsecCertIdWrongSlotId) {
494 SetupTestClientCert();
495 SetupNetworkHandlers();
496 base::RunLoop().RunUntilIdle();
497
498 // Add a new network for migration after the handlers are initialized.
499 SetupVpnWithCertId(false /* IPsec */, "123", test_client_cert_pkcs11_id_);
500
501 base::RunLoop().RunUntilIdle();
502
503 std::string pkcs11_id;
504 std::string slot_id;
505 GetVpnCertId(false /* IPsec */, &slot_id, &pkcs11_id);
506 EXPECT_EQ(test_client_cert_pkcs11_id_, pkcs11_id);
507 EXPECT_EQ(test_client_cert_slot_id_, slot_id);
508 }
509
510 } // namespace chromeos
511
512 #endif