search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ozone: evdev: Sync caps lock LED state to evdev
[chromium-blink-merge.git] / chrome / browser / chromeos / login / saml / saml_browsertest.cc
blobb43658f078d8a6cad769ef88729c9ab742eb22ee
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cstring>
6
7 #include "base/bind.h"
8 #include "base/bind_helpers.h"
9 #include "base/callback.h"
10 #include "base/command_line.h"
11 #include "base/files/file_path.h"
12 #include "base/files/file_util.h"
13 #include "base/files/scoped_temp_dir.h"
14 #include "base/location.h"
15 #include "base/macros.h"
16 #include "base/memory/ref_counted.h"
17 #include "base/memory/scoped_ptr.h"
18 #include "base/path_service.h"
19 #include "base/run_loop.h"
20 #include "base/strings/string16.h"
21 #include "base/strings/string_util.h"
22 #include "base/strings/stringprintf.h"
23 #include "base/strings/utf_string_conversions.h"
24 #include "base/values.h"
25 #include "chrome/browser/chrome_notification_types.h"
26 #include "chrome/browser/chromeos/login/existing_user_controller.h"
27 #include "chrome/browser/chromeos/login/test/https_forwarder.h"
28 #include "chrome/browser/chromeos/login/test/oobe_screen_waiter.h"
29 #include "chrome/browser/chromeos/login/ui/login_display_host_impl.h"
30 #include "chrome/browser/chromeos/login/ui/webui_login_display.h"
31 #include "chrome/browser/chromeos/login/wizard_controller.h"
32 #include "chrome/browser/chromeos/policy/device_policy_builder.h"
33 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
34 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
35 #include "chrome/browser/chromeos/profiles/profile_helper.h"
36 #include "chrome/browser/chromeos/settings/cros_settings.h"
37 #include "chrome/browser/lifetime/application_lifetime.h"
38 #include "chrome/browser/policy/test/local_policy_test_server.h"
39 #include "chrome/browser/profiles/profile.h"
40 #include "chrome/browser/ui/webui/signin/inline_login_ui.h"
41 #include "chrome/common/chrome_paths.h"
42 #include "chrome/common/chrome_switches.h"
43 #include "chrome/grit/generated_resources.h"
44 #include "chrome/test/base/in_process_browser_test.h"
45 #include "chromeos/chromeos_switches.h"
46 #include "chromeos/dbus/dbus_thread_manager.h"
47 #include "chromeos/dbus/fake_session_manager_client.h"
48 #include "chromeos/dbus/session_manager_client.h"
49 #include "chromeos/settings/cros_settings_names.h"
50 #include "components/policy/core/browser/browser_policy_connector.h"
51 #include "components/policy/core/common/mock_configuration_policy_provider.h"
52 #include "components/policy/core/common/policy_map.h"
53 #include "components/policy/core/common/policy_switches.h"
54 #include "components/policy/core/common/policy_types.h"
55 #include "components/user_manager/user.h"
56 #include "components/user_manager/user_manager.h"
57 #include "content/public/browser/browser_thread.h"
58 #include "content/public/browser/render_frame_host.h"
59 #include "content/public/browser/web_contents.h"
60 #include "content/public/browser/web_contents_observer.h"
61 #include "content/public/test/browser_test_utils.h"
62 #include "content/public/test/test_utils.h"
63 #include "google_apis/gaia/fake_gaia.h"
64 #include "google_apis/gaia/gaia_constants.h"
65 #include "google_apis/gaia/gaia_switches.h"
66 #include "google_apis/gaia/gaia_urls.h"
67 #include "net/base/url_util.h"
68 #include "net/cookies/canonical_cookie.h"
69 #include "net/cookies/cookie_monster.h"
70 #include "net/cookies/cookie_store.h"
71 #include "net/dns/mock_host_resolver.h"
72 #include "net/test/embedded_test_server/embedded_test_server.h"
73 #include "net/test/embedded_test_server/http_request.h"
74 #include "net/test/embedded_test_server/http_response.h"
75 #include "net/url_request/url_request_context.h"
76 #include "net/url_request/url_request_context_getter.h"
77 #include "policy/policy_constants.h"
78 #include "policy/proto/device_management_backend.pb.h"
79 #include "testing/gmock/include/gmock/gmock.h"
80 #include "testing/gtest/include/gtest/gtest.h"
81 #include "ui/base/l10n/l10n_util.h"
82 #include "url/gurl.h"
83
84 namespace em = enterprise_management;
85
86 using net::test_server::BasicHttpResponse;
87 using net::test_server::HttpRequest;
88 using net::test_server::HttpResponse;
89 using testing::_;
90 using testing::Return;
91
92 namespace chromeos {
93
94 namespace {
95
96 const char kGAIASIDCookieName[] = "SID";
97 const char kGAIALSIDCookieName[] = "LSID";
98
99 const char kTestAuthSIDCookie1[] = "fake-auth-SID-cookie-1";
100 const char kTestAuthSIDCookie2[] = "fake-auth-SID-cookie-2";
101 const char kTestAuthLSIDCookie1[] = "fake-auth-LSID-cookie-1";
102 const char kTestAuthLSIDCookie2[] = "fake-auth-LSID-cookie-2";
103
104 const char kFirstSAMLUserEmail[] = "bob@example.com";
105 const char kSecondSAMLUserEmail[] = "alice@example.com";
106 const char kHTTPSAMLUserEmail[] = "carol@example.com";
107 const char kNonSAMLUserEmail[] = "dan@example.com";
108 const char kDifferentDomainSAMLUserEmail[] = "eve@example.test";
109
110 const char kSAMLIdPCookieName[] = "saml";
111 const char kSAMLIdPCookieValue1[] = "value-1";
112 const char kSAMLIdPCookieValue2[] = "value-2";
113
114 const char kRelayState[] = "RelayState";
115
116 const char kTestUserinfoToken[] = "fake-userinfo-token";
117 const char kTestRefreshToken[] = "fake-refresh-token";
118 const char kPolicy[] = "{\"managed_users\": [\"*\"]}";
119
120 // FakeSamlIdp serves IdP auth form and the form submission. The form is
121 // served with the template's RelayState placeholder expanded to the real
122 // RelayState parameter from request. The form submission redirects back to
123 // FakeGaia with the same RelayState.
124 class FakeSamlIdp {
125 public:
126 FakeSamlIdp();
127 ~FakeSamlIdp();
128
129 void SetUp(const std::string& base_path, const GURL& gaia_url);
130
131 void SetLoginHTMLTemplate(const std::string& template_file);
132 void SetLoginAuthHTMLTemplate(const std::string& template_file);
133 void SetRefreshURL(const GURL& refresh_url);
134 void SetCookieValue(const std::string& cookie_value);
135
136 scoped_ptr<HttpResponse> HandleRequest(const HttpRequest& request);
137
138 private:
139 scoped_ptr<HttpResponse> BuildHTMLResponse(const std::string& html_template,
140 const std::string& relay_state,
141 const std::string& next_path);
142
143 base::FilePath html_template_dir_;
144
145 std::string login_path_;
146 std::string login_auth_path_;
147
148 std::string login_html_template_;
149 std::string login_auth_html_template_;
150 GURL gaia_assertion_url_;
151 GURL refresh_url_;
152 std::string cookie_value_;
153
154 DISALLOW_COPY_AND_ASSIGN(FakeSamlIdp);
155 };
156
157 FakeSamlIdp::FakeSamlIdp() {
158 }
159
160 FakeSamlIdp::~FakeSamlIdp() {
161 }
162
163 void FakeSamlIdp::SetUp(const std::string& base_path, const GURL& gaia_url) {
164 base::FilePath test_data_dir;
165 ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &test_data_dir));
166 html_template_dir_ = test_data_dir.Append("login");
167
168 login_path_= base_path;
169 login_auth_path_ = base_path + "Auth";
170 gaia_assertion_url_ = gaia_url.Resolve("/SSO");
171 }
172
173 void FakeSamlIdp::SetLoginHTMLTemplate(const std::string& template_file) {
174 EXPECT_TRUE(base::ReadFileToString(
175 html_template_dir_.Append(template_file),
176 &login_html_template_));
177 }
178
179 void FakeSamlIdp::SetLoginAuthHTMLTemplate(const std::string& template_file) {
180 EXPECT_TRUE(base::ReadFileToString(
181 html_template_dir_.Append(template_file),
182 &login_auth_html_template_));
183 }
184
185 void FakeSamlIdp::SetRefreshURL(const GURL& refresh_url) {
186 refresh_url_ = refresh_url;
187 }
188
189 void FakeSamlIdp::SetCookieValue(const std::string& cookie_value) {
190 cookie_value_ = cookie_value;
191 }
192
193 scoped_ptr<HttpResponse> FakeSamlIdp::HandleRequest(
194 const HttpRequest& request) {
195 // The scheme and host of the URL is actually not important but required to
196 // get a valid GURL in order to parse |request.relative_url|.
197 GURL request_url = GURL("http://localhost").Resolve(request.relative_url);
198 std::string request_path = request_url.path();
199
200 if (request_path == login_path_) {
201 std::string relay_state;
202 net::GetValueForKeyInQuery(request_url, kRelayState, &relay_state);
203 return BuildHTMLResponse(login_html_template_,
204 relay_state,
205 login_auth_path_);
206 }
207
208 if (request_path != login_auth_path_) {
209 // Request not understood.
210 return scoped_ptr<HttpResponse>();
211 }
212
213 std::string relay_state;
214 FakeGaia::GetQueryParameter(request.content, kRelayState, &relay_state);
215 GURL redirect_url = gaia_assertion_url_;
216
217 if (!login_auth_html_template_.empty()) {
218 return BuildHTMLResponse(login_auth_html_template_,
219 relay_state,
220 redirect_url.spec());
221 }
222
223 redirect_url = net::AppendQueryParameter(
224 redirect_url, "SAMLResponse", "fake_response");
225 redirect_url = net::AppendQueryParameter(
226 redirect_url, kRelayState, relay_state);
227
228 scoped_ptr<BasicHttpResponse> http_response(new BasicHttpResponse());
229 http_response->set_code(net::HTTP_TEMPORARY_REDIRECT);
230 http_response->AddCustomHeader("Location", redirect_url.spec());
231 http_response->AddCustomHeader(
232 "Set-cookie",
233 base::StringPrintf("saml=%s", cookie_value_.c_str()));
234 return http_response.Pass();
235 }
236
237 scoped_ptr<HttpResponse> FakeSamlIdp::BuildHTMLResponse(
238 const std::string& html_template,
239 const std::string& relay_state,
240 const std::string& next_path) {
241 std::string response_html = html_template;
242 ReplaceSubstringsAfterOffset(&response_html, 0, "$RelayState", relay_state);
243 ReplaceSubstringsAfterOffset(&response_html, 0, "$Post", next_path);
244 ReplaceSubstringsAfterOffset(
245 &response_html, 0, "$Refresh", refresh_url_.spec());
246
247 scoped_ptr<BasicHttpResponse> http_response(new BasicHttpResponse());
248 http_response->set_code(net::HTTP_OK);
249 http_response->set_content(response_html);
250 http_response->set_content_type("text/html");
251
252 return http_response.Pass();
253 }
254
255 } // namespace
256
257 class SamlTest : public InProcessBrowserTest {
258 public:
259 SamlTest() : gaia_frame_parent_("signin-frame"), saml_load_injected_(false) {}
260 ~SamlTest() override {}
261
262 void SetUp() override {
263 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
264
265 // Start the GAIA https wrapper here so that the GAIA URLs can be pointed at
266 // it in SetUpCommandLine().
267 gaia_https_forwarder_.reset(
268 new HTTPSForwarder(embedded_test_server()->base_url()));
269 ASSERT_TRUE(gaia_https_forwarder_->Start());
270
271 // Start the SAML IdP https wrapper here so that GAIA can be pointed at it
272 // in SetUpCommandLine().
273 saml_https_forwarder_.reset(
274 new HTTPSForwarder(embedded_test_server()->base_url()));
275 ASSERT_TRUE(saml_https_forwarder_->Start());
276
277 // Stop IO thread here because no threads are allowed while
278 // spawning sandbox host process. See crbug.com/322732.
279 embedded_test_server()->StopThread();
280
281 InProcessBrowserTest::SetUp();
282 }
283
284 void SetUpInProcessBrowserTestFixture() override {
285 host_resolver()->AddRule("*", "127.0.0.1");
286 }
287
288 void SetUpCommandLine(base::CommandLine* command_line) override {
289 command_line->AppendSwitch(switches::kLoginManager);
290 command_line->AppendSwitch(switches::kForceLoginManagerInTests);
291 command_line->AppendSwitch(::switches::kDisableBackgroundNetworking);
292 command_line->AppendSwitchASCII(switches::kLoginProfile, "user");
293
294 const GURL gaia_url = gaia_https_forwarder_->GetURL("");
295 command_line->AppendSwitchASCII(::switches::kGaiaUrl, gaia_url.spec());
296 command_line->AppendSwitchASCII(::switches::kLsoUrl, gaia_url.spec());
297 command_line->AppendSwitchASCII(::switches::kGoogleApisUrl,
298 gaia_url.spec());
299
300 const GURL saml_idp_url = saml_https_forwarder_->GetURL("SAML");
301 fake_saml_idp_.SetUp(saml_idp_url.path(), gaia_url);
302 fake_gaia_.RegisterSamlUser(kFirstSAMLUserEmail, saml_idp_url);
303 fake_gaia_.RegisterSamlUser(kSecondSAMLUserEmail, saml_idp_url);
304 fake_gaia_.RegisterSamlUser(
305 kHTTPSAMLUserEmail,
306 embedded_test_server()->base_url().Resolve("/SAML"));
307 fake_gaia_.RegisterSamlUser(kDifferentDomainSAMLUserEmail, saml_idp_url);
308
309 fake_gaia_.Initialize();
310 }
311
312 void SetUpOnMainThread() override {
313 fake_gaia_.SetFakeMergeSessionParams(kFirstSAMLUserEmail,
314 kTestAuthSIDCookie1,
315 kTestAuthLSIDCookie1);
316
317 embedded_test_server()->RegisterRequestHandler(
318 base::Bind(&FakeGaia::HandleRequest, base::Unretained(&fake_gaia_)));
319 embedded_test_server()->RegisterRequestHandler(base::Bind(
320 &FakeSamlIdp::HandleRequest, base::Unretained(&fake_saml_idp_)));
321
322 // Restart the thread as the sandbox host process has already been spawned.
323 embedded_test_server()->RestartThreadAndListen();
324
325 login_screen_load_observer_.reset(new content::WindowedNotificationObserver(
326 chrome::NOTIFICATION_LOGIN_OR_LOCK_WEBUI_VISIBLE,
327 content::NotificationService::AllSources()));
328 }
329
330 void TearDownOnMainThread() override {
331 // If the login display is still showing, exit gracefully.
332 if (LoginDisplayHostImpl::default_host()) {
333 base::MessageLoop::current()->PostTask(FROM_HERE,
334 base::Bind(&chrome::AttemptExit));
335 content::RunMessageLoop();
336 }
337 }
338
339 WebUILoginDisplay* GetLoginDisplay() {
340 ExistingUserController* controller =
341 ExistingUserController::current_controller();
342 CHECK(controller);
343 return static_cast<WebUILoginDisplay*>(controller->login_display());
344 }
345
346 void WaitForSigninScreen() {
347 WizardController* wizard_controller =
348 WizardController::default_controller();
349 if (wizard_controller) {
350 WizardController::SkipPostLoginScreensForTesting();
351 wizard_controller->SkipToLoginForTesting(LoginScreenContext());
352 }
353
354 login_screen_load_observer_->Wait();
355 }
356
357 virtual void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) {
358 WaitForSigninScreen();
359
360 if (!saml_load_injected_) {
361 saml_load_injected_ = true;
362
363 ASSERT_TRUE(content::ExecuteScript(
364 GetLoginUI()->GetWebContents(),
365 "$('gaia-signin').gaiaAuthHost_.addEventListener('authFlowChange',"
366 "function() {"
367 "window.domAutomationController.setAutomationId(0);"
368 "window.domAutomationController.send("
369 "$('gaia-signin').isSAML() ? 'SamlLoaded' : 'GaiaLoaded');"
370 "});"));
371 }
372
373 content::DOMMessageQueue message_queue; // Start observe before SAML.
374 GetLoginDisplay()->ShowSigninScreenForCreds(gaia_email, "");
375
376 std::string message;
377 ASSERT_TRUE(message_queue.WaitForMessage(&message));
378 EXPECT_EQ("\"SamlLoaded\"", message);
379 }
380
381 void SetSignFormField(const std::string& field_id,
382 const std::string& field_value) {
383 std::string js =
384 "(function(){"
385 "document.getElementById('$FieldId').value = '$FieldValue';"
386 "var e = new Event('input');"
387 "document.getElementById('$FieldId').dispatchEvent(e);"
388 "})();";
389 ReplaceSubstringsAfterOffset(&js, 0, "$FieldId", field_id);
390 ReplaceSubstringsAfterOffset(&js, 0, "$FieldValue", field_value);
391 ExecuteJsInSigninFrame(js);
392 }
393
394 void SendConfirmPassword(const std::string& password_to_confirm) {
395 std::string js =
396 "$('confirm-password-input').value='$Password';"
397 "$('confirm-password').onConfirmPassword_();";
398 ReplaceSubstringsAfterOffset(&js, 0, "$Password", password_to_confirm);
399 ASSERT_TRUE(content::ExecuteScript(GetLoginUI()->GetWebContents(), js));
400 }
401
402 void JsExpect(const std::string& js) {
403 bool result;
404 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
405 GetLoginUI()->GetWebContents(),
406 "window.domAutomationController.send(!!(" + js + "));",
407 &result));
408 EXPECT_TRUE(result) << js;
409 }
410
411 std::string WaitForAndGetFatalErrorMessage() {
412 OobeScreenWaiter(OobeDisplay::SCREEN_FATAL_ERROR).Wait();
413 std::string error_message;
414 if (!content::ExecuteScriptAndExtractString(
415 GetLoginUI()->GetWebContents(),
416 "window.domAutomationController.send("
417 "$('fatal-error-message').textContent);",
418 &error_message)) {
419 ADD_FAILURE();
420 }
421 return error_message;
422 }
423
424 content::WebUI* GetLoginUI() {
425 return static_cast<LoginDisplayHostImpl*>(
426 LoginDisplayHostImpl::default_host())->GetOobeUI()->web_ui();
427 }
428
429 // Executes JavaScript code in the auth iframe hosted by gaia_auth extension.
430 void ExecuteJsInSigninFrame(const std::string& js) {
431 content::RenderFrameHost* frame = InlineLoginUI::GetAuthIframe(
432 GetLoginUI()->GetWebContents(), GURL(), gaia_frame_parent_);
433 ASSERT_TRUE(content::ExecuteScript(frame, js));
434 }
435
436 FakeSamlIdp* fake_saml_idp() { return &fake_saml_idp_; }
437
438 protected:
439 scoped_ptr<content::WindowedNotificationObserver> login_screen_load_observer_;
440 FakeGaia fake_gaia_;
441
442 std::string gaia_frame_parent_;
443
444 scoped_ptr<HTTPSForwarder> gaia_https_forwarder_;
445 scoped_ptr<HTTPSForwarder> saml_https_forwarder_;
446
447 private:
448 FakeSamlIdp fake_saml_idp_;
449
450 bool saml_load_injected_;
451
452 DISALLOW_COPY_AND_ASSIGN(SamlTest);
453 };
454
455 // Tests that signin frame should have 'saml' class and 'cancel' button is
456 // visible when SAML IdP page is loaded. And 'cancel' button goes back to
457 // gaia on clicking.
458 IN_PROC_BROWSER_TEST_F(SamlTest, SamlUI) {
459 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
460 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
461
462 // Saml flow UI expectations.
463 JsExpect("$('gaia-signin').classList.contains('full-width')");
464 JsExpect("!$('cancel-add-user-button').hidden");
465
466 // Click on 'cancel'.
467 content::DOMMessageQueue message_queue; // Observe before 'cancel'.
468 ASSERT_TRUE(content::ExecuteScript(
469 GetLoginUI()->GetWebContents(),
470 "$('cancel-add-user-button').click();"));
471
472 // Auth flow should change back to Gaia.
473 std::string message;
474 do {
475 ASSERT_TRUE(message_queue.WaitForMessage(&message));
476 } while (message != "\"GaiaLoaded\"");
477
478 // Saml flow is gone.
479 JsExpect("!$('gaia-signin').classList.contains('full-width')");
480 }
481
482 // Tests the sign-in flow when the credentials passing API is used.
483 IN_PROC_BROWSER_TEST_F(SamlTest, CredentialPassingAPI) {
484 fake_saml_idp()->SetLoginHTMLTemplate("saml_api_login.html");
485 fake_saml_idp()->SetLoginAuthHTMLTemplate("saml_api_login_auth.html");
486 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
487
488 // Fill-in the SAML IdP form and submit.
489 SetSignFormField("Email", "fake_user");
490 SetSignFormField("Password", "fake_password");
491 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
492
493 // Login should finish login and a session should start.
494 content::WindowedNotificationObserver(
495 chrome::NOTIFICATION_SESSION_STARTED,
496 content::NotificationService::AllSources()).Wait();
497 }
498
499 // Tests the single password scraped flow.
500 IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedSingle) {
501 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
502 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
503
504 // Fill-in the SAML IdP form and submit.
505 SetSignFormField("Email", "fake_user");
506 SetSignFormField("Password", "fake_password");
507 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
508
509 // Lands on confirm password screen.
510 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
511
512 // Entering an unknown password should go back to the confirm password screen.
513 SendConfirmPassword("wrong_password");
514 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
515
516 // Entering a known password should finish login and start session.
517 SendConfirmPassword("fake_password");
518 content::WindowedNotificationObserver(
519 chrome::NOTIFICATION_SESSION_STARTED,
520 content::NotificationService::AllSources()).Wait();
521 }
522
523 // Tests password scraping from a dynamically created password field.
524 IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedDynamic) {
525 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
526 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
527
528 ExecuteJsInSigninFrame(
529 "(function() {"
530 "var newPassInput = document.createElement('input');"
531 "newPassInput.id = 'DynamicallyCreatedPassword';"
532 "newPassInput.type = 'password';"
533 "newPassInput.name = 'Password';"
534 "document.forms[0].appendChild(newPassInput);"
535 "})();");
536
537 // Fill-in the SAML IdP form and submit.
538 SetSignFormField("Email", "fake_user");
539 SetSignFormField("DynamicallyCreatedPassword", "fake_password");
540 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
541
542 // Lands on confirm password screen.
543 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
544
545 // Entering an unknown password should go back to the confirm password screen.
546 SendConfirmPassword("wrong_password");
547 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
548
549 // Entering a known password should finish login and start session.
550 SendConfirmPassword("fake_password");
551 content::WindowedNotificationObserver(
552 chrome::NOTIFICATION_SESSION_STARTED,
553 content::NotificationService::AllSources()).Wait();
554 }
555
556 // Tests the multiple password scraped flow.
557 IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedMultiple) {
558 fake_saml_idp()->SetLoginHTMLTemplate("saml_login_two_passwords.html");
559
560 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
561
562 SetSignFormField("Email", "fake_user");
563 SetSignFormField("Password", "fake_password");
564 SetSignFormField("Password1", "password1");
565 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
566
567 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
568
569 // Either scraped password should be able to sign-in.
570 SendConfirmPassword("password1");
571 content::WindowedNotificationObserver(
572 chrome::NOTIFICATION_SESSION_STARTED,
573 content::NotificationService::AllSources()).Wait();
574 }
575
576 // Tests the no password scraped flow.
577 IN_PROC_BROWSER_TEST_F(SamlTest, ScrapedNone) {
578 fake_saml_idp()->SetLoginHTMLTemplate("saml_login_no_passwords.html");
579
580 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
581
582 SetSignFormField("Email", "fake_user");
583 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
584
585 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_NO_PASSWORD),
586 WaitForAndGetFatalErrorMessage());
587 }
588
589 // Types |bob@example.com| into the GAIA login form but then authenticates as
590 // |alice@example.com| via SAML. Verifies that the logged-in user is correctly
591 // identified as Alice.
592 IN_PROC_BROWSER_TEST_F(SamlTest, UseAutenticatedUserEmailAddress) {
593 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
594 // Type |bob@example.com| into the GAIA login form.
595 StartSamlAndWaitForIdpPageLoad(kSecondSAMLUserEmail);
596
597 // Authenticate as alice@example.com via SAML (the |Email| provided here is
598 // irrelevant - the authenticated user's e-mail address that FakeGAIA
599 // reports was set via |SetFakeMergeSessionParams|.
600 SetSignFormField("Email", "fake_user");
601 SetSignFormField("Password", "fake_password");
602 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
603
604 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
605
606 SendConfirmPassword("fake_password");
607 content::WindowedNotificationObserver(
608 chrome::NOTIFICATION_SESSION_STARTED,
609 content::NotificationService::AllSources()).Wait();
610 const user_manager::User* user =
611 user_manager::UserManager::Get()->GetActiveUser();
612 ASSERT_TRUE(user);
613 EXPECT_EQ(kFirstSAMLUserEmail, user->email());
614 }
615
616 // Verifies that if the authenticated user's e-mail address cannot be retrieved,
617 // an error message is shown.
618 IN_PROC_BROWSER_TEST_F(SamlTest, FailToRetrieveAutenticatedUserEmailAddress) {
619 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
620 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
621
622 fake_gaia_.SetFakeMergeSessionParams(
623 "", kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
624 SetSignFormField("Email", "fake_user");
625 SetSignFormField("Password", "fake_password");
626 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
627
628 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_NO_ACCOUNT_DETAILS),
629 WaitForAndGetFatalErrorMessage());
630 }
631
632 // Tests the password confirm flow: show error on the first failure and
633 // fatal error on the second failure.
634 IN_PROC_BROWSER_TEST_F(SamlTest, PasswordConfirmFlow) {
635 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
636 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
637
638 // Fill-in the SAML IdP form and submit.
639 SetSignFormField("Email", "fake_user");
640 SetSignFormField("Password", "fake_password");
641 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
642
643 // Lands on confirm password screen with no error message.
644 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
645 JsExpect("!$('confirm-password').classList.contains('error')");
646
647 // Enter an unknown password for the first time should go back to confirm
648 // password screen with error message.
649 SendConfirmPassword("wrong_password");
650 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
651 JsExpect("$('confirm-password').classList.contains('error')");
652
653 // Enter an unknown password 2nd time should go back fatal error message.
654 SendConfirmPassword("wrong_password");
655 EXPECT_EQ(
656 l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_PASSWORD_VERIFICATION),
657 WaitForAndGetFatalErrorMessage());
658 }
659
660 // Verifies that when GAIA attempts to redirect to a SAML IdP served over http,
661 // not https, the redirect is blocked and an error message is shown.
662 IN_PROC_BROWSER_TEST_F(SamlTest, HTTPRedirectDisallowed) {
663 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
664
665 WaitForSigninScreen();
666 GetLoginDisplay()->ShowSigninScreenForCreds(kHTTPSAMLUserEmail, "");
667
668 const GURL url = embedded_test_server()->base_url().Resolve("/SAML");
669 EXPECT_EQ(l10n_util::GetStringFUTF8(
670 IDS_LOGIN_FATAL_ERROR_TEXT_INSECURE_URL,
671 base::UTF8ToUTF16(url.spec())),
672 WaitForAndGetFatalErrorMessage());
673 }
674
675 // Verifies that when GAIA attempts to redirect to a page served over http, not
676 // https, via an HTML meta refresh, the redirect is blocked and an error message
677 // is shown. This guards against regressions of http://crbug.com/359515.
678 IN_PROC_BROWSER_TEST_F(SamlTest, MetaRefreshToHTTPDisallowed) {
679 const GURL url = embedded_test_server()->base_url().Resolve("/SSO");
680 fake_saml_idp()->SetLoginHTMLTemplate("saml_login_instant_meta_refresh.html");
681 fake_saml_idp()->SetRefreshURL(url);
682
683 WaitForSigninScreen();
684 GetLoginDisplay()->ShowSigninScreenForCreds(kFirstSAMLUserEmail, "");
685
686 EXPECT_EQ(l10n_util::GetStringFUTF8(
687 IDS_LOGIN_FATAL_ERROR_TEXT_INSECURE_URL,
688 base::UTF8ToUTF16(url.spec())),
689 WaitForAndGetFatalErrorMessage());
690 }
691
692 class SAMLEnrollmentTest : public SamlTest,
693 public content::WebContentsObserver {
694 public:
695 SAMLEnrollmentTest();
696 ~SAMLEnrollmentTest() override;
697
698 // SamlTest:
699 void SetUp() override;
700 void SetUpCommandLine(base::CommandLine* command_line) override;
701 void SetUpOnMainThread() override;
702 void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) override;
703
704 // content::WebContentsObserver:
705 void RenderFrameCreated(content::RenderFrameHost* render_frame_host) override;
706 void DidFinishLoad(content::RenderFrameHost* render_frame_host,
707 const GURL& validated_url) override;
708
709 void WaitForEnrollmentSuccess();
710
711 private:
712 scoped_ptr<policy::LocalPolicyTestServer> test_server_;
713 base::ScopedTempDir temp_dir_;
714
715 scoped_ptr<base::RunLoop> run_loop_;
716 content::RenderFrameHost* auth_frame_;
717
718 DISALLOW_COPY_AND_ASSIGN(SAMLEnrollmentTest);
719 };
720
721 SAMLEnrollmentTest::SAMLEnrollmentTest() : auth_frame_(nullptr) {
722 gaia_frame_parent_ = "oauth-enroll-signin-frame";
723 }
724
725 SAMLEnrollmentTest::~SAMLEnrollmentTest() {
726 }
727
728 void SAMLEnrollmentTest::SetUp() {
729 ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
730 const base::FilePath policy_file =
731 temp_dir_.path().AppendASCII("policy.json");
732 ASSERT_EQ(static_cast<int>(strlen(kPolicy)),
733 base::WriteFile(policy_file, kPolicy, strlen(kPolicy)));
734
735 test_server_.reset(new policy::LocalPolicyTestServer(policy_file));
736 ASSERT_TRUE(test_server_->Start());
737
738 SamlTest::SetUp();
739 }
740
741 void SAMLEnrollmentTest::SetUpCommandLine(base::CommandLine* command_line) {
742 command_line->AppendSwitchASCII(policy::switches::kDeviceManagementUrl,
743 test_server_->GetServiceURL().spec());
744 command_line->AppendSwitch(policy::switches::kDisablePolicyKeyVerification);
745 command_line->AppendSwitch(switches::kEnterpriseEnrollmentSkipRobotAuth);
746
747 SamlTest::SetUpCommandLine(command_line);
748 }
749
750 void SAMLEnrollmentTest::SetUpOnMainThread() {
751 Observe(GetLoginUI()->GetWebContents());
752
753 FakeGaia::AccessTokenInfo token_info;
754 token_info.token = kTestUserinfoToken;
755 token_info.scopes.insert(GaiaConstants::kDeviceManagementServiceOAuth);
756 token_info.scopes.insert(GaiaConstants::kOAuthWrapBridgeUserInfoScope);
757 token_info.audience = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
758 token_info.email = kFirstSAMLUserEmail;
759 fake_gaia_.IssueOAuthToken(kTestRefreshToken, token_info);
760
761 SamlTest::SetUpOnMainThread();
762 }
763
764 void SAMLEnrollmentTest::StartSamlAndWaitForIdpPageLoad(
765 const std::string& gaia_email) {
766 WaitForSigninScreen();
767 run_loop_.reset(new base::RunLoop);
768 ExistingUserController::current_controller()->OnStartEnterpriseEnrollment();
769 run_loop_->Run();
770
771 SetSignFormField("Email", gaia_email);
772
773 run_loop_.reset(new base::RunLoop);
774 ExecuteJsInSigninFrame("document.getElementById('signIn').click();");
775 run_loop_->Run();
776 }
777
778 void SAMLEnrollmentTest::RenderFrameCreated(
779 content::RenderFrameHost* render_frame_host) {
780 content::RenderFrameHost* parent = render_frame_host->GetParent();
781 if (!parent || parent->GetFrameName() != gaia_frame_parent_)
782 return;
783
784 // The GAIA extension created the iframe in which the login form will be
785 // shown. Now wait for the login form to finish loading.
786 auth_frame_ = render_frame_host;
787 Observe(content::WebContents::FromRenderFrameHost(auth_frame_));
788 }
789
790 void SAMLEnrollmentTest::DidFinishLoad(
791 content::RenderFrameHost* render_frame_host,
792 const GURL& validated_url) {
793 if (render_frame_host != auth_frame_)
794 return;
795
796 const GURL origin = validated_url.GetOrigin();
797 if (origin != gaia_https_forwarder_->GetURL("") &&
798 origin != saml_https_forwarder_->GetURL("")) {
799 return;
800 }
801
802 // The GAIA or SAML IdP login form finished loading.
803 if (run_loop_)
804 run_loop_->Quit();
805 }
806
807 // Waits until the class |oauth-enroll-state-success| becomes set for the
808 // enrollment screen, indicating enrollment success.
809 void SAMLEnrollmentTest::WaitForEnrollmentSuccess() {
810 bool done = false;
811 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
812 GetLoginUI()->GetWebContents(),
813 "var enrollmentScreen = document.getElementById('oauth-enrollment');"
814 "function SendReplyIfEnrollmentDone() {"
815 " if (!enrollmentScreen.classList.contains("
816 " 'oauth-enroll-state-success')) {"
817 " return false;"
818 " }"
819 " domAutomationController.send(true);"
820 " observer.disconnect();"
821 " return true;"
822 "}"
823 "var observer = new MutationObserver(SendReplyIfEnrollmentDone);"
824 "if (!SendReplyIfEnrollmentDone()) {"
825 " var options = { attributes: true, attributeFilter: [ 'class' ] };"
826 " observer.observe(enrollmentScreen, options);"
827 "}",
828 &done));
829 }
830
831 IN_PROC_BROWSER_TEST_F(SAMLEnrollmentTest, WithoutCredentialsPassingAPI) {
832 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
833 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
834
835 // Fill-in the SAML IdP form and submit.
836 SetSignFormField("Email", "fake_user");
837 SetSignFormField("Password", "fake_password");
838 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
839
840 WaitForEnrollmentSuccess();
841 }
842
843 IN_PROC_BROWSER_TEST_F(SAMLEnrollmentTest, WithCredentialsPassingAPI) {
844 fake_saml_idp()->SetLoginHTMLTemplate("saml_api_login.html");
845 fake_saml_idp()->SetLoginAuthHTMLTemplate("saml_api_login_auth.html");
846 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
847
848 // Fill-in the SAML IdP form and submit.
849 SetSignFormField("Email", "fake_user");
850 SetSignFormField("Password", "fake_password");
851 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
852
853 WaitForEnrollmentSuccess();
854 }
855
856 class SAMLPolicyTest : public SamlTest {
857 public:
858 SAMLPolicyTest();
859 ~SAMLPolicyTest() override;
860
861 // SamlTest:
862 void SetUpInProcessBrowserTestFixture() override;
863 void SetUpOnMainThread() override;
864
865 void SetSAMLOfflineSigninTimeLimitPolicy(int limit);
866 void EnableTransferSAMLCookiesPolicy();
867
868 void ShowGAIALoginForm();
869 void LogInWithSAML(const std::string& user_id,
870 const std::string& auth_sid_cookie,
871 const std::string& auth_lsid_cookie);
872
873 std::string GetCookieValue(const std::string& name);
874
875 void GetCookies();
876
877 protected:
878 void GetCookiesOnIOThread(
879 const scoped_refptr<net::URLRequestContextGetter>& request_context,
880 const base::Closure& callback);
881 void StoreCookieList(const base::Closure& callback,
882 const net::CookieList& cookie_list);
883
884 policy::DevicePolicyCrosTestHelper test_helper_;
885
886 // FakeDBusThreadManager uses FakeSessionManagerClient.
887 FakeSessionManagerClient* fake_session_manager_client_;
888 policy::DevicePolicyBuilder* device_policy_;
889
890 policy::MockConfigurationPolicyProvider provider_;
891
892 net::CookieList cookie_list_;
893
894 private:
895 DISALLOW_COPY_AND_ASSIGN(SAMLPolicyTest);
896 };
897
898 SAMLPolicyTest::SAMLPolicyTest()
899 : fake_session_manager_client_(new FakeSessionManagerClient),
900 device_policy_(test_helper_.device_policy()) {
901 }
902
903 SAMLPolicyTest::~SAMLPolicyTest() {
904 }
905
906 void SAMLPolicyTest::SetUpInProcessBrowserTestFixture() {
907 DBusThreadManager::GetSetterForTesting()->SetSessionManagerClient(
908 scoped_ptr<SessionManagerClient>(fake_session_manager_client_));
909
910 SamlTest::SetUpInProcessBrowserTestFixture();
911
912 // Initialize device policy.
913 test_helper_.InstallOwnerKey();
914 test_helper_.MarkAsEnterpriseOwned();
915 device_policy_->SetDefaultSigningKey();
916 device_policy_->Build();
917 fake_session_manager_client_->set_device_policy(device_policy_->GetBlob());
918 fake_session_manager_client_->OnPropertyChangeComplete(true);
919
920 // Initialize user policy.
921 EXPECT_CALL(provider_, IsInitializationComplete(_))
922 .WillRepeatedly(Return(true));
923 policy::BrowserPolicyConnector::SetPolicyProviderForTesting(&provider_);
924 }
925
926 void SAMLPolicyTest::SetUpOnMainThread() {
927 SamlTest::SetUpOnMainThread();
928
929 // Pretend that the test users' OAuth tokens are valid.
930 user_manager::UserManager::Get()->SaveUserOAuthStatus(
931 kFirstSAMLUserEmail, user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
932 user_manager::UserManager::Get()->SaveUserOAuthStatus(
933 kNonSAMLUserEmail, user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
934 user_manager::UserManager::Get()->SaveUserOAuthStatus(
935 kDifferentDomainSAMLUserEmail,
936 user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
937 }
938
939 void SAMLPolicyTest::SetSAMLOfflineSigninTimeLimitPolicy(int limit) {
940 policy::PolicyMap user_policy;
941 user_policy.Set(policy::key::kSAMLOfflineSigninTimeLimit,
942 policy::POLICY_LEVEL_MANDATORY,
943 policy::POLICY_SCOPE_USER,
944 new base::FundamentalValue(limit),
945 NULL);
946 provider_.UpdateChromePolicy(user_policy);
947 base::RunLoop().RunUntilIdle();
948 }
949
950 void SAMLPolicyTest::EnableTransferSAMLCookiesPolicy() {
951 em::ChromeDeviceSettingsProto& proto(device_policy_->payload());
952 proto.mutable_saml_settings()->set_transfer_saml_cookies(true);
953
954 base::RunLoop run_loop;
955 scoped_ptr<CrosSettings::ObserverSubscription> observer =
956 CrosSettings::Get()->AddSettingsObserver(
957 kAccountsPrefTransferSAMLCookies,
958 run_loop.QuitClosure());
959 device_policy_->SetDefaultSigningKey();
960 device_policy_->Build();
961 fake_session_manager_client_->set_device_policy(device_policy_->GetBlob());
962 fake_session_manager_client_->OnPropertyChangeComplete(true);
963 run_loop.Run();
964 }
965
966 void SAMLPolicyTest::ShowGAIALoginForm() {
967 login_screen_load_observer_->Wait();
968 ASSERT_TRUE(content::ExecuteScript(
969 GetLoginUI()->GetWebContents(),
970 "$('gaia-signin').gaiaAuthHost_.addEventListener('ready', function() {"
971 " window.domAutomationController.setAutomationId(0);"
972 " window.domAutomationController.send('ready');"
973 "});"
974 "$('add-user-button').click();"));
975 content::DOMMessageQueue message_queue;
976 std::string message;
977 ASSERT_TRUE(message_queue.WaitForMessage(&message));
978 EXPECT_EQ("\"ready\"", message);
979 }
980
981 void SAMLPolicyTest::LogInWithSAML(const std::string& user_id,
982 const std::string& auth_sid_cookie,
983 const std::string& auth_lsid_cookie) {
984 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
985 StartSamlAndWaitForIdpPageLoad(user_id);
986
987 fake_gaia_.SetFakeMergeSessionParams(
988 user_id, auth_sid_cookie, auth_lsid_cookie);
989 SetSignFormField("Email", "fake_user");
990 SetSignFormField("Password", "fake_password");
991 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
992
993 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
994
995 SendConfirmPassword("fake_password");
996 content::WindowedNotificationObserver(
997 chrome::NOTIFICATION_SESSION_STARTED,
998 content::NotificationService::AllSources()).Wait();
999 }
1000
1001 std::string SAMLPolicyTest::GetCookieValue(const std::string& name) {
1002 for (net::CookieList::const_iterator it = cookie_list_.begin();
1003 it != cookie_list_.end(); ++it) {
1004 if (it->Name() == name)
1005 return it->Value();
1006 }
1007 return std::string();
1008 }
1009
1010 void SAMLPolicyTest::GetCookies() {
1011 Profile* profile = chromeos::ProfileHelper::Get()->GetProfileByUserUnsafe(
1012 user_manager::UserManager::Get()->GetActiveUser());
1013 ASSERT_TRUE(profile);
1014 base::RunLoop run_loop;
1015 content::BrowserThread::PostTask(
1016 content::BrowserThread::IO,
1017 FROM_HERE,
1018 base::Bind(&SAMLPolicyTest::GetCookiesOnIOThread,
1019 base::Unretained(this),
1020 scoped_refptr<net::URLRequestContextGetter>(
1021 profile->GetRequestContext()),
1022 run_loop.QuitClosure()));
1023 run_loop.Run();
1024 }
1025
1026 void SAMLPolicyTest::GetCookiesOnIOThread(
1027 const scoped_refptr<net::URLRequestContextGetter>& request_context,
1028 const base::Closure& callback) {
1029 request_context->GetURLRequestContext()->cookie_store()->
1030 GetCookieMonster()->GetAllCookiesAsync(base::Bind(
1031 &SAMLPolicyTest::StoreCookieList,
1032 base::Unretained(this),
1033 callback));
1034 }
1035
1036 void SAMLPolicyTest::StoreCookieList(
1037 const base::Closure& callback,
1038 const net::CookieList& cookie_list) {
1039 cookie_list_ = cookie_list;
1040 content::BrowserThread::PostTask(content::BrowserThread::UI,
1041 FROM_HERE,
1042 callback);
1043 }
1044
1045 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_NoSAML) {
1046 // Set the offline login time limit for SAML users to zero.
1047 SetSAMLOfflineSigninTimeLimitPolicy(0);
1048
1049 WaitForSigninScreen();
1050
1051 // Log in without SAML.
1052 GetLoginDisplay()->ShowSigninScreenForCreds(kNonSAMLUserEmail, "password");
1053
1054 content::WindowedNotificationObserver(
1055 chrome::NOTIFICATION_SESSION_STARTED,
1056 content::NotificationService::AllSources()).Wait();
1057 }
1058
1059 // Verifies that the offline login time limit does not affect a user who
1060 // authenticated without SAML.
1061 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, NoSAML) {
1062 login_screen_load_observer_->Wait();
1063 // Verify that offline login is allowed.
1064 JsExpect("window.getComputedStyle(document.querySelector("
1065 " '#pod-row .signin-button-container')).display == 'none'");
1066 }
1067
1068 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_SAMLNoLimit) {
1069 // Remove the offline login time limit for SAML users.
1070 SetSAMLOfflineSigninTimeLimitPolicy(-1);
1071
1072 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
1073 }
1074
1075 // Verifies that when no offline login time limit is set, a user who
1076 // authenticated with SAML is allowed to log in offline.
1077 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, SAMLNoLimit) {
1078 login_screen_load_observer_->Wait();
1079 // Verify that offline login is allowed.
1080 JsExpect("window.getComputedStyle(document.querySelector("
1081 " '#pod-row .signin-button-container')).display == 'none'");
1082 }
1083
1084 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_SAMLZeroLimit) {
1085 // Set the offline login time limit for SAML users to zero.
1086 SetSAMLOfflineSigninTimeLimitPolicy(0);
1087
1088 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
1089 }
1090
1091 // Verifies that when the offline login time limit is exceeded for a user who
1092 // authenticated via SAML, that user is forced to log in online the next time.
1093 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, SAMLZeroLimit) {
1094 login_screen_load_observer_->Wait();
1095 // Verify that offline login is not allowed.
1096 JsExpect("window.getComputedStyle(document.querySelector("
1097 " '#pod-row .signin-button-container')).display != 'none'");
1098 }
1099
1100 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_PRE_TransferCookiesAffiliated) {
1101 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue1);
1102 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
1103
1104 GetCookies();
1105 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1106 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1107 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1108 }
1109
1110 // Verifies that when the DeviceTransferSAMLCookies policy is not enabled, SAML
1111 // IdP cookies are not transferred to a user's profile on subsequent login, even
1112 // if the user belongs to the domain that the device is enrolled into. Also
1113 // verifies that GAIA cookies are not transferred.
1114 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_TransferCookiesAffiliated) {
1115 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
1116 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1117 ShowGAIALoginForm();
1118 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie2, kTestAuthLSIDCookie2);
1119
1120 GetCookies();
1121 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1122 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1123 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1124 }
1125
1126 // Verifies that when the DeviceTransferSAMLCookies policy is enabled, SAML IdP
1127 // cookies are transferred to a user's profile on subsequent login when the user
1128 // belongs to the domain that the device is enrolled into. Also verifies that
1129 // GAIA cookies are not transferred.
1130 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, TransferCookiesAffiliated) {
1131 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
1132 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1133 ShowGAIALoginForm();
1134
1135 EnableTransferSAMLCookiesPolicy();
1136 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie2, kTestAuthLSIDCookie2);
1137
1138 GetCookies();
1139 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1140 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1141 EXPECT_EQ(kSAMLIdPCookieValue2, GetCookieValue(kSAMLIdPCookieName));
1142 }
1143
1144 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, PRE_TransferCookiesUnaffiliated) {
1145 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue1);
1146 LogInWithSAML(kDifferentDomainSAMLUserEmail,
1147 kTestAuthSIDCookie1,
1148 kTestAuthLSIDCookie1);
1149
1150 GetCookies();
1151 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1152 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1153 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1154 }
1155
1156 // Verifies that even if the DeviceTransferSAMLCookies policy is enabled, SAML
1157 // IdP are not transferred to a user's profile on subsequent login if the user
1158 // does not belong to the domain that the device is enrolled into. Also verifies
1159 // that GAIA cookies are not transferred.
1160 IN_PROC_BROWSER_TEST_F(SAMLPolicyTest, TransferCookiesUnaffiliated) {
1161 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
1162 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1163 ShowGAIALoginForm();
1164
1165 EnableTransferSAMLCookiesPolicy();
1166 LogInWithSAML(kDifferentDomainSAMLUserEmail,
1167 kTestAuthSIDCookie1,
1168 kTestAuthLSIDCookie1);
1169
1170 GetCookies();
1171 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1172 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1173 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1174 }
1175
1176 } // namespace chromeos