device_cloud_policy_manager_chromeos_unittest.cc revision 68043e1e95eeb07d5cae7aca370b26518b0867d6
1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h" 6 7#include "base/basictypes.h" 8#include "base/compiler_specific.h" 9#include "base/memory/scoped_ptr.h" 10#include "base/message_loop/message_loop.h" 11#include "base/prefs/pref_registry_simple.h" 12#include "base/prefs/testing_pref_service.h" 13#include "base/run_loop.h" 14#include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" 15#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 16#include "chrome/browser/chromeos/settings/cros_settings.h" 17#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" 18#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h" 19#include "chrome/browser/chromeos/settings/device_settings_service.h" 20#include "chrome/browser/chromeos/settings/device_settings_test_helper.h" 21#include "chrome/browser/policy/cloud/cloud_policy_client.h" 22#include "chrome/browser/policy/cloud/mock_device_management_service.h" 23#include "chrome/browser/policy/external_data_fetcher.h" 24#include "chrome/browser/policy/proto/chromeos/chrome_device_policy.pb.h" 25#include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h" 26#include "chrome/browser/prefs/browser_prefs.h" 27#include "chrome/test/base/testing_browser_process.h" 28#include "chromeos/cryptohome/cryptohome_library.h" 29#include "chromeos/dbus/cryptohome_client_stub.h" 30#include "chromeos/dbus/dbus_client_implementation_type.h" 31#include "google_apis/gaia/gaia_oauth_client.h" 32#include "net/url_request/test_url_fetcher_factory.h" 33#include "net/url_request/url_request_test_util.h" 34#include "policy/policy_constants.h" 35#include "testing/gmock/include/gmock/gmock.h" 36#include "testing/gtest/include/gtest/gtest.h" 37 38using testing::AnyNumber; 39using testing::AtMost; 40using testing::DoAll; 41using testing::Mock; 42using testing::SaveArg; 43using testing::_; 44 45namespace em = enterprise_management; 46 47namespace policy { 48namespace { 49 50void CopyLockResult(base::RunLoop* loop, 51 EnterpriseInstallAttributes::LockResult* out, 52 EnterpriseInstallAttributes::LockResult result) { 53 *out = result; 54 loop->Quit(); 55} 56 57class DeviceCloudPolicyManagerChromeOSTest 58 : public chromeos::DeviceSettingsTestBase { 59 protected: 60 DeviceCloudPolicyManagerChromeOSTest() 61 : cryptohome_library_(chromeos::CryptohomeLibrary::GetTestImpl()), 62 stub_cryptohome_client_(new chromeos::CryptohomeClientStubImpl()), 63 install_attributes_(cryptohome_library_.get(), 64 stub_cryptohome_client_.get()), 65 store_(new DeviceCloudPolicyStoreChromeOS(&device_settings_service_, 66 &install_attributes_)), 67 manager_(make_scoped_ptr(store_), 68 loop_.message_loop_proxy(), 69 &install_attributes_) { 70 stub_cryptohome_client_->Init(NULL /* no dbus::Bus */); 71 } 72 73 virtual void SetUp() OVERRIDE { 74 DeviceSettingsTestBase::SetUp(); 75 chrome::RegisterLocalState(local_state_.registry()); 76 manager_.Init(); 77 78 // DeviceOAuth2TokenService uses the system request context to fetch 79 // OAuth tokens, then writes the token to local state, encrypting it 80 // first with methods in CryptohomeLibrary. 81 request_context_getter_ = new net::TestURLRequestContextGetter( 82 loop_.message_loop_proxy()); 83 TestingBrowserProcess::GetGlobal()->SetSystemRequestContext( 84 request_context_getter_.get()); 85 TestingBrowserProcess::GetGlobal()->SetLocalState(&local_state_); 86 chromeos::DeviceOAuth2TokenServiceFactory::Initialize(); 87 chromeos::CryptohomeLibrary::SetForTest(cryptohome_library_.get()); 88 url_fetcher_response_code_ = 200; 89 url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\"," 90 "\"expires_in\":1234," 91 "\"refresh_token\":\"refreshToken4Test\"}"; 92 } 93 94 virtual void TearDown() OVERRIDE { 95 manager_.Shutdown(); 96 DeviceSettingsTestBase::TearDown(); 97 98 chromeos::DeviceOAuth2TokenServiceFactory::Shutdown(); 99 chromeos::CryptohomeLibrary::SetForTest(NULL); 100 TestingBrowserProcess::GetGlobal()->SetLocalState(NULL); 101 } 102 103 scoped_ptr<chromeos::CryptohomeLibrary> cryptohome_library_; 104 scoped_ptr<chromeos::CryptohomeClientStubImpl> stub_cryptohome_client_; 105 EnterpriseInstallAttributes install_attributes_; 106 107 scoped_refptr<net::URLRequestContextGetter> request_context_getter_; 108 net::TestURLFetcherFactory url_fetcher_factory_; 109 int url_fetcher_response_code_; 110 string url_fetcher_response_string_; 111 TestingPrefServiceSimple local_state_; 112 MockDeviceManagementService device_management_service_; 113 chromeos::ScopedTestDeviceSettingsService test_device_settings_service_; 114 chromeos::ScopedTestCrosSettings test_cros_settings_; 115 116 DeviceCloudPolicyStoreChromeOS* store_; 117 DeviceCloudPolicyManagerChromeOS manager_; 118 119 private: 120 DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSTest); 121}; 122 123TEST_F(DeviceCloudPolicyManagerChromeOSTest, FreshDevice) { 124 owner_key_util_->Clear(); 125 FlushDeviceSettings(); 126 EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME)); 127 128 manager_.Connect(&local_state_, 129 &device_management_service_, 130 scoped_ptr<CloudPolicyClient::StatusProvider>()); 131 132 PolicyBundle bundle; 133 EXPECT_TRUE(manager_.policies().Equals(bundle)); 134} 135 136TEST_F(DeviceCloudPolicyManagerChromeOSTest, EnrolledDevice) { 137 base::RunLoop loop; 138 EnterpriseInstallAttributes::LockResult result; 139 install_attributes_.LockDevice(PolicyBuilder::kFakeUsername, 140 DEVICE_MODE_ENTERPRISE, 141 PolicyBuilder::kFakeDeviceId, 142 base::Bind(&CopyLockResult, &loop, &result)); 143 loop.Run(); 144 ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result); 145 146 FlushDeviceSettings(); 147 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); 148 EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME)); 149 150 PolicyBundle bundle; 151 bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())) 152 .Set(key::kDeviceMetricsReportingEnabled, 153 POLICY_LEVEL_MANDATORY, 154 POLICY_SCOPE_MACHINE, 155 Value::CreateBooleanValue(false), 156 NULL); 157 EXPECT_TRUE(manager_.policies().Equals(bundle)); 158 159 manager_.Connect(&local_state_, 160 &device_management_service_, 161 scoped_ptr<CloudPolicyClient::StatusProvider>()); 162 EXPECT_TRUE(manager_.policies().Equals(bundle)); 163 164 manager_.Shutdown(); 165 EXPECT_TRUE(manager_.policies().Equals(bundle)); 166 167 EXPECT_EQ(manager_.GetRobotAccountId(), 168 PolicyBuilder::kFakeServiceAccountIdentity); 169} 170 171TEST_F(DeviceCloudPolicyManagerChromeOSTest, ConsumerDevice) { 172 FlushDeviceSettings(); 173 EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status()); 174 EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME)); 175 176 PolicyBundle bundle; 177 EXPECT_TRUE(manager_.policies().Equals(bundle)); 178 179 manager_.Connect(&local_state_, 180 &device_management_service_, 181 scoped_ptr<CloudPolicyClient::StatusProvider>()); 182 EXPECT_TRUE(manager_.policies().Equals(bundle)); 183 184 manager_.Shutdown(); 185 EXPECT_TRUE(manager_.policies().Equals(bundle)); 186} 187 188class DeviceCloudPolicyManagerChromeOSEnrollmentTest 189 : public DeviceCloudPolicyManagerChromeOSTest { 190 public: 191 void Done(EnrollmentStatus status) { 192 status_ = status; 193 done_ = true; 194 } 195 196 protected: 197 DeviceCloudPolicyManagerChromeOSEnrollmentTest() 198 : is_auto_enrollment_(false), 199 register_status_(DM_STATUS_SUCCESS), 200 policy_fetch_status_(DM_STATUS_SUCCESS), 201 robot_auth_fetch_status_(DM_STATUS_SUCCESS), 202 store_result_(true), 203 status_(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS)), 204 done_(false) {} 205 206 virtual void SetUp() OVERRIDE { 207 DeviceCloudPolicyManagerChromeOSTest::SetUp(); 208 209 // Set up test data. 210 device_policy_.SetDefaultNewSigningKey(); 211 device_policy_.policy_data().set_timestamp( 212 (base::Time::NowFromSystemTime() - 213 base::Time::UnixEpoch()).InMilliseconds()); 214 device_policy_.Build(); 215 216 register_response_.mutable_register_response()->set_device_management_token( 217 PolicyBuilder::kFakeToken); 218 policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom( 219 device_policy_.policy()); 220 robot_auth_fetch_response_.mutable_service_api_access_response() 221 ->set_auth_code("auth_code_for_test"); 222 loaded_blob_ = device_policy_.GetBlob(); 223 224 // Initialize the manager. 225 FlushDeviceSettings(); 226 EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status()); 227 EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME)); 228 229 PolicyBundle bundle; 230 EXPECT_TRUE(manager_.policies().Equals(bundle)); 231 232 manager_.Connect(&local_state_, 233 &device_management_service_, 234 scoped_ptr<CloudPolicyClient::StatusProvider>()); 235 } 236 237 void ExpectFailedEnrollment(EnrollmentStatus::Status status) { 238 EXPECT_EQ(status, status_.status()); 239 EXPECT_FALSE(store_->is_managed()); 240 PolicyBundle empty_bundle; 241 EXPECT_TRUE(manager_.policies().Equals(empty_bundle)); 242 } 243 244 void ExpectSuccessfulEnrollment() { 245 EXPECT_EQ(EnrollmentStatus::STATUS_SUCCESS, status_.status()); 246 EXPECT_EQ(DEVICE_MODE_ENTERPRISE, install_attributes_.GetMode()); 247 EXPECT_TRUE(store_->has_policy()); 248 EXPECT_TRUE(store_->is_managed()); 249 ASSERT_TRUE(manager_.core()->client()); 250 EXPECT_TRUE(manager_.core()->client()->is_registered()); 251 252 PolicyBundle bundle; 253 bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string())) 254 .Set(key::kDeviceMetricsReportingEnabled, 255 POLICY_LEVEL_MANDATORY, 256 POLICY_SCOPE_MACHINE, 257 Value::CreateBooleanValue(false), 258 NULL); 259 EXPECT_TRUE(manager_.policies().Equals(bundle)); 260 } 261 262 void RunTest() { 263 // Trigger enrollment. 264 MockDeviceManagementJob* register_job = NULL; 265 EXPECT_CALL(device_management_service_, 266 CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION)) 267 .Times(AtMost(1)) 268 .WillOnce(device_management_service_.CreateAsyncJob(®ister_job)); 269 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 270 .Times(AtMost(1)) 271 .WillOnce(DoAll(SaveArg<5>(&client_id_), 272 SaveArg<6>(®ister_request_))); 273 DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes modes; 274 modes[DEVICE_MODE_ENTERPRISE] = true; 275 manager_.StartEnrollment( 276 "auth token", is_auto_enrollment_, modes, 277 base::Bind(&DeviceCloudPolicyManagerChromeOSEnrollmentTest::Done, 278 base::Unretained(this))); 279 Mock::VerifyAndClearExpectations(&device_management_service_); 280 281 if (done_) 282 return; 283 284 // Process registration. 285 ASSERT_TRUE(register_job); 286 MockDeviceManagementJob* policy_fetch_job = NULL; 287 EXPECT_CALL(device_management_service_, 288 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH)) 289 .Times(AtMost(1)) 290 .WillOnce(device_management_service_.CreateAsyncJob(&policy_fetch_job)); 291 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 292 .Times(AtMost(1)); 293 register_job->SendResponse(register_status_, register_response_); 294 Mock::VerifyAndClearExpectations(&device_management_service_); 295 296 if (done_) 297 return; 298 299 // Process policy fetch. 300 ASSERT_TRUE(policy_fetch_job); 301 policy_fetch_job->SendResponse(policy_fetch_status_, 302 policy_fetch_response_); 303 304 if (done_) 305 return; 306 307 // Process verification. 308 MockDeviceManagementJob* robot_auth_fetch_job = NULL; 309 EXPECT_CALL(device_management_service_, 310 CreateJob(DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH)) 311 .Times(AtMost(1)) 312 .WillOnce(device_management_service_.CreateAsyncJob( 313 &robot_auth_fetch_job)); 314 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 315 .Times(AtMost(1)); 316 base::RunLoop().RunUntilIdle(); 317 Mock::VerifyAndClearExpectations(&device_management_service_); 318 319 if (done_) 320 return; 321 322 // Process robot auth token fetch. 323 ASSERT_TRUE(robot_auth_fetch_job); 324 robot_auth_fetch_job->SendResponse(robot_auth_fetch_status_, 325 robot_auth_fetch_response_); 326 Mock::VerifyAndClearExpectations(&device_management_service_); 327 328 if (done_) 329 return; 330 331 // Process robot refresh token fetch if the auth code fetch succeeded. 332 // DeviceCloudPolicyManagerChromeOS holds an EnrollmentHandlerChromeOS which 333 // holds a GaiaOAuthClient that fetches the refresh token during enrollment. 334 // We return a successful OAuth response via a TestURLFetcher to trigger the 335 // happy path for these classes so that enrollment can continue. 336 if (robot_auth_fetch_status_ == DM_STATUS_SUCCESS) { 337 net::TestURLFetcher* url_fetcher = url_fetcher_factory_.GetFetcherByID( 338 gaia::GaiaOAuthClient::kUrlFetcherId); 339 ASSERT_TRUE(url_fetcher); 340 url_fetcher->SetMaxRetriesOn5xx(0); 341 url_fetcher->set_status(net::URLRequestStatus()); 342 url_fetcher->set_response_code(url_fetcher_response_code_); 343 url_fetcher->SetResponseString(url_fetcher_response_string_); 344 url_fetcher->delegate()->OnURLFetchComplete(url_fetcher); 345 } 346 base::RunLoop().RunUntilIdle(); 347 348 // Process policy store. 349 device_settings_test_helper_.set_store_result(store_result_); 350 device_settings_test_helper_.FlushStore(); 351 EXPECT_EQ(device_policy_.GetBlob(), 352 device_settings_test_helper_.policy_blob()); 353 354 if (done_) 355 return; 356 357 // Key installation, policy load and refresh token save. 358 device_settings_test_helper_.set_policy_blob(loaded_blob_); 359 owner_key_util_->SetPublicKeyFromPrivateKey( 360 *device_policy_.GetNewSigningKey()); 361 ReloadDeviceSettings(); 362 363 if (done_) 364 return; 365 366 chromeos::DeviceOAuth2TokenService* token_service = 367 chromeos::DeviceOAuth2TokenServiceFactory::Get(); 368 // Process robot refresh token store. 369 EXPECT_EQ( 370 "refreshToken4Test", 371 token_service->GetRefreshToken(token_service->GetRobotAccountId())); 372 } 373 374 bool is_auto_enrollment_; 375 376 DeviceManagementStatus register_status_; 377 em::DeviceManagementResponse register_response_; 378 379 DeviceManagementStatus policy_fetch_status_; 380 em::DeviceManagementResponse policy_fetch_response_; 381 382 DeviceManagementStatus robot_auth_fetch_status_; 383 em::DeviceManagementResponse robot_auth_fetch_response_; 384 385 bool store_result_; 386 std::string loaded_blob_; 387 388 em::DeviceManagementRequest register_request_; 389 std::string client_id_; 390 EnrollmentStatus status_; 391 392 bool done_; 393 394 private: 395 DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSEnrollmentTest); 396}; 397 398TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Success) { 399 RunTest(); 400 ExpectSuccessfulEnrollment(); 401} 402 403TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, AutoEnrollment) { 404 is_auto_enrollment_ = true; 405 RunTest(); 406 ExpectSuccessfulEnrollment(); 407 EXPECT_TRUE(register_request_.register_request().auto_enrolled()); 408} 409 410TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Reenrollment) { 411 base::RunLoop loop; 412 EnterpriseInstallAttributes::LockResult result; 413 install_attributes_.LockDevice(PolicyBuilder::kFakeUsername, 414 DEVICE_MODE_ENTERPRISE, 415 PolicyBuilder::kFakeDeviceId, 416 base::Bind(&CopyLockResult, &loop, &result)); 417 loop.Run(); 418 ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result); 419 420 RunTest(); 421 ExpectSuccessfulEnrollment(); 422 EXPECT_TRUE(register_request_.register_request().reregister()); 423 EXPECT_EQ(PolicyBuilder::kFakeDeviceId, client_id_); 424} 425 426TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RegistrationFailed) { 427 register_status_ = DM_STATUS_REQUEST_FAILED; 428 RunTest(); 429 ExpectFailedEnrollment(EnrollmentStatus::STATUS_REGISTRATION_FAILED); 430 EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status()); 431} 432 433// Policy server implementations are not required to support robot auth 434// tokens, so the following 4 Robot* tests verify that enrollment succeeds 435// even if the robot auth token fetch fails. 436TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, 437 RobotAuthCodeFetchFailed) { 438 robot_auth_fetch_status_ = DM_STATUS_REQUEST_FAILED; 439 RunTest(); 440 ExpectSuccessfulEnrollment(); 441} 442 443TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, 444 RobotRefreshTokenFetchResponseCodeFailed) { 445 url_fetcher_response_code_ = 400; 446 RunTest(); 447 ExpectSuccessfulEnrollment(); 448} 449 450TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, 451 RobotRefreshTokenFetchResponseStringFailed) { 452 url_fetcher_response_string_ = "invalid response json"; 453 RunTest(); 454 ExpectSuccessfulEnrollment(); 455} 456 457TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RobotRefreshSaveFailed) { 458 // Without a DeviceOAuth2TokenService, the refresh token can't be saved. 459 chromeos::DeviceOAuth2TokenServiceFactory::Shutdown(); 460 RunTest(); 461 ExpectSuccessfulEnrollment(); 462} 463 464TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) { 465 policy_fetch_status_ = DM_STATUS_REQUEST_FAILED; 466 RunTest(); 467 ExpectFailedEnrollment(EnrollmentStatus::STATUS_POLICY_FETCH_FAILED); 468 EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status()); 469} 470 471TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, ValidationFailed) { 472 device_policy_.policy().set_policy_data_signature("bad"); 473 policy_fetch_response_.clear_policy_response(); 474 policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom( 475 device_policy_.policy()); 476 RunTest(); 477 ExpectFailedEnrollment(EnrollmentStatus::STATUS_VALIDATION_FAILED); 478 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE, 479 status_.validation_status()); 480} 481 482TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, StoreError) { 483 store_result_ = false; 484 RunTest(); 485 ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR); 486 EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, 487 status_.store_status()); 488} 489 490TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) { 491 loaded_blob_.clear(); 492 RunTest(); 493 ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR); 494 EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, 495 status_.store_status()); 496} 497 498} // namespace 499} // namespace policy 500