device_cloud_policy_manager_chromeos_unittest.cc revision 116680a4aac90f2aa7413d9095a592090648e557
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
6
7#include <algorithm>
8
9#include "base/basictypes.h"
10#include "base/bind.h"
11#include "base/bind_helpers.h"
12#include "base/compiler_specific.h"
13#include "base/memory/scoped_ptr.h"
14#include "base/message_loop/message_loop.h"
15#include "base/prefs/pref_registry_simple.h"
16#include "base/prefs/testing_pref_service.h"
17#include "base/run_loop.h"
18#include "chrome/browser/chromeos/policy/device_cloud_policy_initializer.h"
19#include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
20#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
21#include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
22#include "chrome/browser/chromeos/settings/cros_settings.h"
23#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
24#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
25#include "chrome/browser/chromeos/settings/device_settings_service.h"
26#include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
27#include "chrome/browser/prefs/browser_prefs.h"
28#include "chrome/test/base/testing_browser_process.h"
29#include "chromeos/cryptohome/system_salt_getter.h"
30#include "chromeos/dbus/dbus_client_implementation_type.h"
31#include "chromeos/dbus/dbus_thread_manager.h"
32#include "chromeos/dbus/fake_cryptohome_client.h"
33#include "chromeos/dbus/fake_dbus_thread_manager.h"
34#include "chromeos/dbus/fake_session_manager_client.h"
35#include "chromeos/system/mock_statistics_provider.h"
36#include "chromeos/system/statistics_provider.h"
37#include "components/policy/core/common/cloud/cloud_policy_client.h"
38#include "components/policy/core/common/cloud/mock_device_management_service.h"
39#include "components/policy/core/common/external_data_fetcher.h"
40#include "components/policy/core/common/schema_registry.h"
41#include "google_apis/gaia/gaia_oauth_client.h"
42#include "net/url_request/test_url_fetcher_factory.h"
43#include "net/url_request/url_request_test_util.h"
44#include "policy/policy_constants.h"
45#include "policy/proto/device_management_backend.pb.h"
46#include "testing/gmock/include/gmock/gmock.h"
47#include "testing/gtest/include/gtest/gtest.h"
48
49using testing::AnyNumber;
50using testing::AtMost;
51using testing::DoAll;
52using testing::Mock;
53using testing::Return;
54using testing::SaveArg;
55using testing::SetArgumentPointee;
56using testing::_;
57
58namespace em = enterprise_management;
59
60namespace policy {
61namespace {
62
// Completion callback for EnterpriseInstallAttributes::LockDevice(): records
// the reported |result| in |*out| and then quits |loop|, which unblocks the
// caller waiting in loop->Run().
void CopyLockResult(base::RunLoop* loop,
                    EnterpriseInstallAttributes::LockResult* out,
                    EnterpriseInstallAttributes::LockResult result) {
  // Store first, quit second: the waiter reads |*out| right after Run()
  // returns.
  *out = result;
  loop->Quit();
}
69
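// Test fixture for DeviceCloudPolicyManagerChromeOS.
//
// Wires the manager to a DeviceCloudPolicyStoreChromeOS backed by the fake
// device settings service of the base fixture, fake cryptohome and session
// manager clients, and a mock statistics provider. It also sets up what
// DeviceOAuth2TokenService needs (request context, local state, system salt),
// because enrollment stores a robot refresh token through that service.
class DeviceCloudPolicyManagerChromeOSTest
    : public chromeos::DeviceSettingsTestBase {
 protected:
  DeviceCloudPolicyManagerChromeOSTest()
      : fake_cryptohome_client_(new chromeos::FakeCryptohomeClient()),
        state_keys_broker_(&fake_session_manager_client_,
                           base::MessageLoopProxy::current()),
        store_(NULL) {
    // Every machine statistic lookup fails except "serial_number", which
    // yields a fixed test value.
    EXPECT_CALL(mock_statistics_provider_,
                GetMachineStatistic(_, _))
        .WillRepeatedly(Return(false));
    EXPECT_CALL(mock_statistics_provider_,
                GetMachineStatistic("serial_number", _))
        .WillRepeatedly(DoAll(SetArgumentPointee<1>(std::string("test_sn")),
                              Return(true)));
    chromeos::system::StatisticsProvider::SetTestProvider(
        &mock_statistics_provider_);
    // Fixed server-backed state keys served by the fake session manager.
    std::vector<std::string> state_keys;
    state_keys.push_back("1");
    state_keys.push_back("2");
    state_keys.push_back("3");
    fake_session_manager_client_.set_server_backed_state_keys(state_keys);
    // Ownership of the fake cryptohome client moves to the D-Bus thread
    // manager here; |fake_cryptohome_client_| stays behind as a non-owning
    // pointer.
    fake_dbus_thread_manager_->SetCryptohomeClient(
        scoped_ptr<chromeos::CryptohomeClient>(fake_cryptohome_client_));
  }

  virtual ~DeviceCloudPolicyManagerChromeOSTest() {
    // Unregister the mock before it is destroyed with the fixture.
    chromeos::system::StatisticsProvider::SetTestProvider(NULL);
  }

  virtual void SetUp() OVERRIDE {
    DeviceSettingsTestBase::SetUp();

    install_attributes_.reset(
        new EnterpriseInstallAttributes(fake_cryptohome_client_));
    // The manager takes ownership of the store (make_scoped_ptr below);
    // |store_| is kept only so tests can inspect it.
    store_ =
        new DeviceCloudPolicyStoreChromeOS(&device_settings_service_,
                                           install_attributes_.get(),
                                           base::MessageLoopProxy::current());
    manager_.reset(new DeviceCloudPolicyManagerChromeOS(
        make_scoped_ptr(store_),
        base::MessageLoopProxy::current(),
        &state_keys_broker_));

    chrome::RegisterLocalState(local_state_.registry());
    manager_->Init(&schema_registry_);

    // DeviceOAuth2TokenService uses the system request context to fetch
    // OAuth tokens, then writes the token to local state, encrypting it
    // first with methods in CryptohomeTokenEncryptor.
    request_context_getter_ = new net::TestURLRequestContextGetter(
        base::MessageLoopProxy::current());
    TestingBrowserProcess::GetGlobal()->SetSystemRequestContext(
        request_context_getter_.get());
    TestingBrowserProcess::GetGlobal()->SetLocalState(&local_state_);
    // SystemSaltGetter is used in DeviceOAuth2TokenService.
    chromeos::SystemSaltGetter::Initialize();
    chromeos::DeviceOAuth2TokenServiceFactory::Initialize();
    // Default canned OAuth reply: HTTP 200 with placeholder token strings.
    // Individual tests overwrite these two members to simulate failures.
    url_fetcher_response_code_ = 200;
    url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\","
                                   "\"expires_in\":1234,"
                                   "\"refresh_token\":\"refreshToken4Test\"}";
  }

  virtual void TearDown() OVERRIDE {
    // Some tests already call manager_->Shutdown() themselves, so it can run
    // twice for one manager.
    manager_->Shutdown();
    if (initializer_)
      initializer_->Shutdown();
    DeviceSettingsTestBase::TearDown();

    chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
    chromeos::SystemSaltGetter::Shutdown();
    TestingBrowserProcess::GetGlobal()->SetLocalState(NULL);
    // NOTE(review): the system request context set in SetUp() is not reset
    // here, while |request_context_getter_| is released with the fixture.
    // Confirm TestingBrowserProcess does not keep a raw pointer to it.
  }

  // Locks the install attributes to enterprise mode for the fake user and
  // device id, blocking until the asynchronous lock reports its result.
  // ASSERT_EQ only aborts this helper, not the calling test body.
  void LockDevice() {
    base::RunLoop loop;
    // Written by CopyLockResult before it quits |loop|.
    EnterpriseInstallAttributes::LockResult result;
    install_attributes_->LockDevice(
        PolicyBuilder::kFakeUsername,
        DEVICE_MODE_ENTERPRISE,
        PolicyBuilder::kFakeDeviceId,
        base::Bind(&CopyLockResult, &loop, &result));
    loop.Run();
    ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result);
  }

  // Initializes the manager with local state and creates the
  // DeviceCloudPolicyInitializer that connects it to the mock device
  // management services.
  void ConnectManager() {
    manager_->Initialize(&local_state_);
    initializer_.reset(new DeviceCloudPolicyInitializer(
        &local_state_,
        &device_management_service_,
        &consumer_device_management_service_,
        base::MessageLoopProxy::current(),
        install_attributes_.get(),
        &state_keys_broker_,
        store_,
        manager_.get(),
        base::Bind(&base::DoNothing)));
  }

  // Expects the manager to expose exactly one Chrome-domain policy: a
  // mandatory, machine-scoped kDeviceMetricsReportingEnabled set to false.
  void VerifyPolicyPopulated() {
    PolicyBundle bundle;
    bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
        .Set(key::kDeviceMetricsReportingEnabled,
             POLICY_LEVEL_MANDATORY,
             POLICY_SCOPE_MACHINE,
             new base::FundamentalValue(false),
             NULL);
    EXPECT_TRUE(manager_->policies().Equals(bundle));
  }

  scoped_ptr<EnterpriseInstallAttributes> install_attributes_;

  scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
  net::TestURLFetcherFactory url_fetcher_factory_;
  // Canned HTTP status and body returned for the OAuth refresh-token fetch.
  int url_fetcher_response_code_;
  std::string url_fetcher_response_string_;
  TestingPrefServiceSimple local_state_;
  MockDeviceManagementService device_management_service_;
  MockDeviceManagementService consumer_device_management_service_;
  chromeos::ScopedTestDeviceSettingsService test_device_settings_service_;
  chromeos::ScopedTestCrosSettings test_cros_settings_;
  chromeos::system::MockStatisticsProvider mock_statistics_provider_;
  chromeos::FakeSessionManagerClient fake_session_manager_client_;
  // Not owned; handed to |fake_dbus_thread_manager_| in the constructor.
  chromeos::FakeCryptohomeClient* fake_cryptohome_client_;
  ServerBackedStateKeysBroker state_keys_broker_;

  // Not owned; owned by |manager_| once SetUp() has run.
  DeviceCloudPolicyStoreChromeOS* store_;
  SchemaRegistry schema_registry_;
  scoped_ptr<DeviceCloudPolicyManagerChromeOS> manager_;
  scoped_ptr<DeviceCloudPolicyInitializer> initializer_;

 private:
  DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSTest);
};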
206
// With the owner key state cleared, the manager still reports the Chrome
// domain as initialized and, once Initialize() has run, exposes no policies.
TEST_F(DeviceCloudPolicyManagerChromeOSTest, FreshDevice) {
  owner_key_util_->Clear();
  FlushDeviceSettings();
  EXPECT_TRUE(manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  manager_->Initialize(&local_state_);

  // Compare against a default-constructed (empty) bundle.
  PolicyBundle empty_bundle;
  EXPECT_TRUE(manager_->policies().Equals(empty_bundle));
}
217
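// A device locked to enterprise mode loads its policy, and the policy stays
// exposed after the manager is connected and after it is shut down.
TEST_F(DeviceCloudPolicyManagerChromeOSTest, EnrolledDevice) {
  LockDevice();
  FlushDeviceSettings();
  EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
  EXPECT_TRUE(manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
  VerifyPolicyPopulated();

  ConnectManager();
  VerifyPolicyPopulated();

  // TearDown() shuts the manager down a second time.
  manager_->Shutdown();
  VerifyPolicyPopulated();

  // Fail the test instead of dereferencing a null policy pointer.
  ASSERT_TRUE(store_->policy());
  // Expected value first, like the other EXPECT_EQ calls in this file.
  EXPECT_EQ(PolicyBuilder::kFakeServiceAccountIdentity,
            store_->policy()->service_account_identity());
}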
234
// Policy marked UNMANAGED must not be applied, even on a device locked to
// enterprise mode. A later fetch that returns ACTIVE policy makes the device
// managed again and populates the policy map.
TEST_F(DeviceCloudPolicyManagerChromeOSTest, UnmanagedDevice) {
  device_policy_.policy_data().set_state(em::PolicyData::UNMANAGED);
  device_policy_.Build();
  device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());

  LockDevice();
  FlushDeviceSettings();
  EXPECT_TRUE(manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
  EXPECT_FALSE(store_->is_managed());

  // Policy settings should be ignored for UNMANAGED devices.
  PolicyBundle empty_bundle;
  EXPECT_TRUE(manager_->policies().Equals(empty_bundle));

  // Connecting the manager triggers a policy refresh. AtMost(1) alone would
  // also accept no job at all; the ASSERT_TRUE below is what requires that a
  // fetch job was created.
  MockDeviceManagementJob* fetch_job = NULL;
  EXPECT_CALL(device_management_service_,
              CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _))
      .Times(AtMost(1))
      .WillOnce(device_management_service_.CreateAsyncJob(&fetch_job));
  EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
      .Times(AtMost(1));
  ConnectManager();
  base::RunLoop().RunUntilIdle();
  Mock::VerifyAndClearExpectations(&device_management_service_);
  ASSERT_TRUE(fetch_job);

  // Switch back to ACTIVE, service the policy fetch and let it propagate.
  device_policy_.policy_data().set_state(em::PolicyData::ACTIVE);
  device_policy_.Build();
  device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());
  em::DeviceManagementResponse fetch_response;
  fetch_response.mutable_policy_response()->add_response()->CopyFrom(
      device_policy_.policy());
  fetch_job->SendResponse(DM_STATUS_SUCCESS, fetch_response);
  FlushDeviceSettings();

  // Policy state should now be active and the policy map should be populated.
  EXPECT_TRUE(store_->is_managed());
  VerifyPolicyPopulated();
}
276
// A device that was never locked to enterprise mode: the store reports
// STATUS_BAD_STATE and no policy is exposed at any point of the manager's
// lifetime (before connecting, after connecting, after shutdown).
TEST_F(DeviceCloudPolicyManagerChromeOSTest, ConsumerDevice) {
  FlushDeviceSettings();
  EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
  EXPECT_TRUE(manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

  PolicyBundle empty_bundle;
  EXPECT_TRUE(manager_->policies().Equals(empty_bundle));

  ConnectManager();
  EXPECT_TRUE(manager_->policies().Equals(empty_bundle));

  // TearDown() shuts the manager down a second time.
  manager_->Shutdown();
  EXPECT_TRUE(manager_->policies().Equals(empty_bundle));
}
291
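// Fixture that drives one enrollment attempt through
// DeviceCloudPolicyInitializer::StartEnrollment(), using mocked device
// management jobs and a TestURLFetcher in place of the OAuth endpoint.
//
// Tests adjust the status/response members before calling RunTest() to make
// a particular stage fail, then check the outcome with
// ExpectSuccessfulEnrollment() or ExpectFailedEnrollment().
class DeviceCloudPolicyManagerChromeOSEnrollmentTest
    : public DeviceCloudPolicyManagerChromeOSTest {
 public:
  // Enrollment completion callback, bound in RunTest(). Records the final
  // status and flags completion so RunTest() stops feeding later stages.
  void Done(EnrollmentStatus status) {
    status_ = status;
    done_ = true;
  }

 protected:
  // Defaults describe an enrollment in which every stage succeeds.
  DeviceCloudPolicyManagerChromeOSEnrollmentTest()
      : is_auto_enrollment_(false),
        register_status_(DM_STATUS_SUCCESS),
        policy_fetch_status_(DM_STATUS_SUCCESS),
        robot_auth_fetch_status_(DM_STATUS_SUCCESS),
        store_result_(true),
        status_(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS)),
        done_(false) {}

  virtual void SetUp() OVERRIDE {
    DeviceCloudPolicyManagerChromeOSTest::SetUp();

    // Set up test data.
    device_policy_.SetDefaultNewSigningKey();
    device_policy_.policy_data().set_timestamp(
        (base::Time::NowFromSystemTime() -
         base::Time::UnixEpoch()).InMilliseconds());
    device_policy_.Build();

    // Canned server responses for the registration, policy fetch and robot
    // auth code stages.
    register_response_.mutable_register_response()->set_device_management_token(
        PolicyBuilder::kFakeToken);
    policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
        device_policy_.policy());
    robot_auth_fetch_response_.mutable_service_api_access_response()
        ->set_auth_code("auth_code_for_test");
    // Blob handed back when the stored policy is reloaded at the end of
    // RunTest().
    loaded_blob_ = device_policy_.GetBlob();

    // Initialize the manager. Before enrollment the device is unlocked, so
    // the store is in a bad state and no policy is exposed.
    FlushDeviceSettings();
    EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
    EXPECT_TRUE(manager_->IsInitializationComplete(POLICY_DOMAIN_CHROME));

    PolicyBundle bundle;
    EXPECT_TRUE(manager_->policies().Equals(bundle));

    ConnectManager();
  }

  // Checks that enrollment ended with |status| and failed closed: the store
  // is not managed and no policy is exposed.
  void ExpectFailedEnrollment(EnrollmentStatus::Status status) {
    EXPECT_EQ(status, status_.status());
    EXPECT_FALSE(store_->is_managed());
    PolicyBundle empty_bundle;
    EXPECT_TRUE(manager_->policies().Equals(empty_bundle));
  }

  // Checks that enrollment succeeded: enterprise mode is locked in, policy is
  // stored and managed, the client is registered and the policy is exposed.
  void ExpectSuccessfulEnrollment() {
    // NOTE(review): |status_| is initialized to STATUS_SUCCESS, so this
    // comparison alone cannot tell a reported success from a callback that
    // never ran; the checks below are what distinguish the two. Consider
    // also checking |done_|.
    EXPECT_EQ(EnrollmentStatus::STATUS_SUCCESS, status_.status());
    EXPECT_EQ(DEVICE_MODE_ENTERPRISE, install_attributes_->GetMode());
    EXPECT_TRUE(store_->has_policy());
    EXPECT_TRUE(store_->is_managed());
    ASSERT_TRUE(manager_->core()->client());
    EXPECT_TRUE(manager_->core()->client()->is_registered());

    VerifyPolicyPopulated();
  }

  // Starts enrollment and services each stage in order with the canned
  // status/response members, returning as soon as Done() has been called.
  // The stages depend on statement order: each mock expectation is set up
  // before the call that triggers the corresponding job.
  void RunTest() {
    // Trigger enrollment. The client id and the registration request are
    // captured from StartJob() for tests that inspect them.
    MockDeviceManagementJob* register_job = NULL;
    EXPECT_CALL(device_management_service_,
                CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION, _))
        .Times(AtMost(1))
        .WillOnce(device_management_service_.CreateAsyncJob(&register_job));
    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
        .Times(AtMost(1))
        .WillOnce(DoAll(SaveArg<5>(&client_id_),
                        SaveArg<6>(&register_request_)));
    DeviceCloudPolicyInitializer::AllowedDeviceModes modes;
    modes[DEVICE_MODE_ENTERPRISE] = true;
    // base::Unretained is used for the callback; the fixture outlives the
    // run loops below in which it can fire.
    initializer_->StartEnrollment(
        &device_management_service_,
        "auth token", is_auto_enrollment_, modes,
        base::Bind(&DeviceCloudPolicyManagerChromeOSEnrollmentTest::Done,
                   base::Unretained(this)));
    base::RunLoop().RunUntilIdle();
    Mock::VerifyAndClearExpectations(&device_management_service_);

    if (done_)
      return;

    // Process registration.
    ASSERT_TRUE(register_job);
    MockDeviceManagementJob* policy_fetch_job = NULL;
    EXPECT_CALL(device_management_service_,
                CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _))
        .Times(AtMost(1))
        .WillOnce(device_management_service_.CreateAsyncJob(&policy_fetch_job));
    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
        .Times(AtMost(1));
    register_job->SendResponse(register_status_, register_response_);
    Mock::VerifyAndClearExpectations(&device_management_service_);

    if (done_)
      return;

    // Process policy fetch.
    ASSERT_TRUE(policy_fetch_job);
    policy_fetch_job->SendResponse(policy_fetch_status_,
                                   policy_fetch_response_);

    if (done_)
      return;

    // Process verification.
    MockDeviceManagementJob* robot_auth_fetch_job = NULL;
    EXPECT_CALL(device_management_service_, CreateJob(
        DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH, _))
        .Times(AtMost(1))
        .WillOnce(device_management_service_.CreateAsyncJob(
            &robot_auth_fetch_job));
    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
        .Times(AtMost(1));
    base::RunLoop().RunUntilIdle();
    Mock::VerifyAndClearExpectations(&device_management_service_);

    if (done_)
      return;

    // Process robot auth token fetch.
    ASSERT_TRUE(robot_auth_fetch_job);
    robot_auth_fetch_job->SendResponse(robot_auth_fetch_status_,
                                       robot_auth_fetch_response_);
    Mock::VerifyAndClearExpectations(&device_management_service_);

    if (done_)
      return;

    // Process robot refresh token fetch if the auth code fetch succeeded.
    // DeviceCloudPolicyManagerChromeOS holds an EnrollmentHandlerChromeOS which
    // holds a GaiaOAuthClient that fetches the refresh token during enrollment.
    // We return a successful OAuth response via a TestURLFetcher to trigger the
    // happy path for these classes so that enrollment can continue.
    if (robot_auth_fetch_status_ == DM_STATUS_SUCCESS) {
      net::TestURLFetcher* url_fetcher = url_fetcher_factory_.GetFetcherByID(
          gaia::GaiaOAuthClient::kUrlFetcherId);
      ASSERT_TRUE(url_fetcher);
      url_fetcher->SetMaxRetriesOn5xx(0);
      url_fetcher->set_status(net::URLRequestStatus());
      url_fetcher->set_response_code(url_fetcher_response_code_);
      url_fetcher->SetResponseString(url_fetcher_response_string_);
      url_fetcher->delegate()->OnURLFetchComplete(url_fetcher);
    }
    base::RunLoop().RunUntilIdle();

    if (done_)
      return;

    // Process robot refresh token store.
    chromeos::DeviceOAuth2TokenService* token_service =
        chromeos::DeviceOAuth2TokenServiceFactory::Get();
    // Fail the test instead of dereferencing a null service pointer.
    ASSERT_TRUE(token_service);
    EXPECT_TRUE(token_service->RefreshTokenIsAvailable(
        token_service->GetRobotAccountId()));

    // Process policy store. The blob written to the settings helper must be
    // the policy that was fetched.
    device_settings_test_helper_.set_store_result(store_result_);
    device_settings_test_helper_.FlushStore();
    EXPECT_EQ(device_policy_.GetBlob(),
              device_settings_test_helper_.policy_blob());

    if (done_)
      return;

    // Key installation and policy load.
    device_settings_test_helper_.set_policy_blob(loaded_blob_);
    owner_key_util_->SetPublicKeyFromPrivateKey(
        *device_policy_.GetNewSigningKey());
    ReloadDeviceSettings();
  }

  // Passed to StartEnrollment() as the auto-enrollment flag.
  bool is_auto_enrollment_;

  // Status and response served for the registration job.
  DeviceManagementStatus register_status_;
  em::DeviceManagementResponse register_response_;

  // Status and response served for the policy fetch job.
  DeviceManagementStatus policy_fetch_status_;
  em::DeviceManagementResponse policy_fetch_response_;

  // Status and response served for the robot auth code fetch job.
  DeviceManagementStatus robot_auth_fetch_status_;
  em::DeviceManagementResponse robot_auth_fetch_response_;

  // Result reported for the policy store operation, and the blob returned
  // when the stored policy is loaded back.
  bool store_result_;
  std::string loaded_blob_;

  // Captured from the StartJob() call of the registration job.
  em::DeviceManagementRequest register_request_;
  std::string client_id_;
  // Last status reported through Done(); STATUS_SUCCESS until then.
  EnrollmentStatus status_;

  // Set once Done() has been called.
  bool done_;

 private:
  DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSEnrollmentTest);
};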
493
// Happy path: every enrollment stage is served its default success response.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Success) {
  RunTest();
  ExpectSuccessfulEnrollment();
}
498
// Auto-enrollment succeeds like a manual one, and the registration request
// sent to the server carries the auto_enrolled flag.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, AutoEnrollment) {
  is_auto_enrollment_ = true;
  RunTest();
  ExpectSuccessfulEnrollment();
  EXPECT_TRUE(register_request_.register_request().auto_enrolled());
}
505
// Enrolling a device whose install attributes are already locked: the
// request is flagged as a re-registration and reuses the device id that was
// locked in by LockDevice().
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Reenrollment) {
  LockDevice();

  RunTest();
  ExpectSuccessfulEnrollment();
  EXPECT_TRUE(register_request_.register_request().reregister());
  EXPECT_EQ(PolicyBuilder::kFakeDeviceId, client_id_);
}
514
// A failed registration request aborts enrollment and the device management
// status is passed through as the client status.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RegistrationFailed) {
  register_status_ = DM_STATUS_REQUEST_FAILED;
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_REGISTRATION_FAILED);
  EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
}
521
// A failed robot auth code fetch aborts enrollment; the device must end up
// unmanaged.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
       RobotAuthCodeFetchFailed) {
  robot_auth_fetch_status_ = DM_STATUS_REQUEST_FAILED;
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_ROBOT_AUTH_FETCH_FAILED);
}
528
// The OAuth refresh-token request is answered with HTTP 400: enrollment fails
// and the HTTP status is reported in the enrollment status.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
       RobotRefreshTokenFetchResponseCodeFailed) {
  url_fetcher_response_code_ = 400;
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_ROBOT_REFRESH_FETCH_FAILED);
  EXPECT_EQ(400, status_.http_status());
}
536
// The OAuth refresh-token request is answered with a body that is not valid
// JSON: enrollment fails at the refresh-token fetch stage.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
       RobotRefreshTokenFetchResponseStringFailed) {
  url_fetcher_response_string_ = "invalid response json";
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_ROBOT_REFRESH_FETCH_FAILED);
}
543
// Enrollment must fail when the robot refresh token cannot be stored in
// encrypted form.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
       RobotRefreshEncryptionFailed) {
  // The encryption lib is a no-op for tests, but an empty encryption result
  // is treated as an error, so an encryption failure is simulated by
  // returning an empty refresh token.
  url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\","
                                 "\"expires_in\":1234,"
                                 "\"refresh_token\":\"\"}";
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_ROBOT_REFRESH_STORE_FAILED);
}
555
// A failed policy fetch aborts enrollment and the device management status is
// passed through as the client status.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) {
  policy_fetch_status_ = DM_STATUS_REQUEST_FAILED;
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_POLICY_FETCH_FAILED);
  EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
}
562
// Fetched policy whose signature does not verify must be rejected: enrollment
// fails with a bad-initial-signature validation status and the device stays
// unmanaged.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, ValidationFailed) {
  // Corrupt the signature of the already built policy, then rebuild the
  // canned fetch response so that it carries the corrupted copy.
  device_policy_.policy().set_policy_data_signature("bad");
  policy_fetch_response_.clear_policy_response();
  policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
      device_policy_.policy());
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_VALIDATION_FAILED);
  EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE,
            status_.validation_status());
}
573
// The policy store operation reports failure: enrollment ends with a store
// error whose store status is STATUS_STORE_ERROR.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, StoreError) {
  store_result_ = false;
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
  EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, status_.store_status());
}
581
// The policy is stored, but an empty blob comes back when it is reloaded:
// enrollment ends with a store error whose store status is STATUS_LOAD_ERROR.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) {
  loaded_blob_.clear();
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
  EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, status_.store_status());
}
589
// Enrollment fixture variant in which the fake cryptohome client reports an
// empty system salt.
class DeviceCloudPolicyManagerChromeOSEnrollmentBlankSystemSaltTest
    : public DeviceCloudPolicyManagerChromeOSEnrollmentTest {
 protected:
  DeviceCloudPolicyManagerChromeOSEnrollmentBlankSystemSaltTest() {
    // Replace the salt with an empty byte vector. This runs after the base
    // fixture constructors and before SetUp() initializes SystemSaltGetter.
    fake_cryptohome_client_->set_system_salt(std::vector<uint8>());
  }
};
599
// Enrollment must fail closed when the robot token cannot be stored.
TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentBlankSystemSaltTest,
       RobotRefreshSaveFailed) {
  // Without the system salt, the robot token can't be stored.
  RunTest();
  ExpectFailedEnrollment(EnrollmentStatus::STATUS_ROBOT_REFRESH_STORE_FAILED);
}
606
607}  // namespace
608}  // namespace policy
609