device_cloud_policy_manager_chromeos_unittest.cc revision 68043e1e95eeb07d5cae7aca370b26518b0867d6 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
6
7#include "base/basictypes.h"
8#include "base/compiler_specific.h"
9#include "base/memory/scoped_ptr.h"
10#include "base/message_loop/message_loop.h"
11#include "base/prefs/pref_registry_simple.h"
12#include "base/prefs/testing_pref_service.h"
13#include "base/run_loop.h"
14#include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
15#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
16#include "chrome/browser/chromeos/settings/cros_settings.h"
17#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
18#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
19#include "chrome/browser/chromeos/settings/device_settings_service.h"
20#include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
21#include "chrome/browser/policy/cloud/cloud_policy_client.h"
22#include "chrome/browser/policy/cloud/mock_device_management_service.h"
23#include "chrome/browser/policy/external_data_fetcher.h"
24#include "chrome/browser/policy/proto/chromeos/chrome_device_policy.pb.h"
25#include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
26#include "chrome/browser/prefs/browser_prefs.h"
27#include "chrome/test/base/testing_browser_process.h"
28#include "chromeos/cryptohome/cryptohome_library.h"
29#include "chromeos/dbus/cryptohome_client_stub.h"
30#include "chromeos/dbus/dbus_client_implementation_type.h"
31#include "google_apis/gaia/gaia_oauth_client.h"
32#include "net/url_request/test_url_fetcher_factory.h"
33#include "net/url_request/url_request_test_util.h"
34#include "policy/policy_constants.h"
35#include "testing/gmock/include/gmock/gmock.h"
36#include "testing/gtest/include/gtest/gtest.h"
37
38using testing::AnyNumber;
39using testing::AtMost;
40using testing::DoAll;
41using testing::Mock;
42using testing::SaveArg;
43using testing::_;
44
45namespace em = enterprise_management;
46
47namespace policy {
48namespace {
49
50void CopyLockResult(base::RunLoop* loop,
51                    EnterpriseInstallAttributes::LockResult* out,
52                    EnterpriseInstallAttributes::LockResult result) {
53  *out = result;
54  loop->Quit();
55}
56
57class DeviceCloudPolicyManagerChromeOSTest
58    : public chromeos::DeviceSettingsTestBase {
59 protected:
60  DeviceCloudPolicyManagerChromeOSTest()
61      : cryptohome_library_(chromeos::CryptohomeLibrary::GetTestImpl()),
62        stub_cryptohome_client_(new chromeos::CryptohomeClientStubImpl()),
63        install_attributes_(cryptohome_library_.get(),
64                            stub_cryptohome_client_.get()),
65        store_(new DeviceCloudPolicyStoreChromeOS(&device_settings_service_,
66                                                  &install_attributes_)),
67        manager_(make_scoped_ptr(store_),
68                 loop_.message_loop_proxy(),
69                 &install_attributes_) {
70    stub_cryptohome_client_->Init(NULL /* no dbus::Bus */);
71  }
72
73  virtual void SetUp() OVERRIDE {
74    DeviceSettingsTestBase::SetUp();
75    chrome::RegisterLocalState(local_state_.registry());
76    manager_.Init();
77
78    // DeviceOAuth2TokenService uses the system request context to fetch
79    // OAuth tokens, then writes the token to local state, encrypting it
80    // first with methods in CryptohomeLibrary.
81    request_context_getter_ = new net::TestURLRequestContextGetter(
82        loop_.message_loop_proxy());
83    TestingBrowserProcess::GetGlobal()->SetSystemRequestContext(
84        request_context_getter_.get());
85    TestingBrowserProcess::GetGlobal()->SetLocalState(&local_state_);
86    chromeos::DeviceOAuth2TokenServiceFactory::Initialize();
87    chromeos::CryptohomeLibrary::SetForTest(cryptohome_library_.get());
88    url_fetcher_response_code_ = 200;
89    url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\","
90                                   "\"expires_in\":1234,"
91                                   "\"refresh_token\":\"refreshToken4Test\"}";
92  }
93
94  virtual void TearDown() OVERRIDE {
95    manager_.Shutdown();
96    DeviceSettingsTestBase::TearDown();
97
98    chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
99    chromeos::CryptohomeLibrary::SetForTest(NULL);
100    TestingBrowserProcess::GetGlobal()->SetLocalState(NULL);
101  }
102
103  scoped_ptr<chromeos::CryptohomeLibrary> cryptohome_library_;
104  scoped_ptr<chromeos::CryptohomeClientStubImpl> stub_cryptohome_client_;
105  EnterpriseInstallAttributes install_attributes_;
106
107  scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
108  net::TestURLFetcherFactory url_fetcher_factory_;
109  int url_fetcher_response_code_;
110  string url_fetcher_response_string_;
111  TestingPrefServiceSimple local_state_;
112  MockDeviceManagementService device_management_service_;
113  chromeos::ScopedTestDeviceSettingsService test_device_settings_service_;
114  chromeos::ScopedTestCrosSettings test_cros_settings_;
115
116  DeviceCloudPolicyStoreChromeOS* store_;
117  DeviceCloudPolicyManagerChromeOS manager_;
118
119 private:
120  DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSTest);
121};
122
123TEST_F(DeviceCloudPolicyManagerChromeOSTest, FreshDevice) {
124  owner_key_util_->Clear();
125  FlushDeviceSettings();
126  EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
127
128  manager_.Connect(&local_state_,
129                   &device_management_service_,
130                   scoped_ptr<CloudPolicyClient::StatusProvider>());
131
132  PolicyBundle bundle;
133  EXPECT_TRUE(manager_.policies().Equals(bundle));
134}
135
136TEST_F(DeviceCloudPolicyManagerChromeOSTest, EnrolledDevice) {
137  base::RunLoop loop;
138  EnterpriseInstallAttributes::LockResult result;
139  install_attributes_.LockDevice(PolicyBuilder::kFakeUsername,
140                                 DEVICE_MODE_ENTERPRISE,
141                                 PolicyBuilder::kFakeDeviceId,
142                                 base::Bind(&CopyLockResult, &loop, &result));
143  loop.Run();
144  ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result);
145
146  FlushDeviceSettings();
147  EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
148  EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
149
150  PolicyBundle bundle;
151  bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
152      .Set(key::kDeviceMetricsReportingEnabled,
153           POLICY_LEVEL_MANDATORY,
154           POLICY_SCOPE_MACHINE,
155           Value::CreateBooleanValue(false),
156           NULL);
157  EXPECT_TRUE(manager_.policies().Equals(bundle));
158
159  manager_.Connect(&local_state_,
160                   &device_management_service_,
161                   scoped_ptr<CloudPolicyClient::StatusProvider>());
162  EXPECT_TRUE(manager_.policies().Equals(bundle));
163
164  manager_.Shutdown();
165  EXPECT_TRUE(manager_.policies().Equals(bundle));
166
167  EXPECT_EQ(manager_.GetRobotAccountId(),
168            PolicyBuilder::kFakeServiceAccountIdentity);
169}
170
171TEST_F(DeviceCloudPolicyManagerChromeOSTest, ConsumerDevice) {
172  FlushDeviceSettings();
173  EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
174  EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
175
176  PolicyBundle bundle;
177  EXPECT_TRUE(manager_.policies().Equals(bundle));
178
179  manager_.Connect(&local_state_,
180                   &device_management_service_,
181                   scoped_ptr<CloudPolicyClient::StatusProvider>());
182  EXPECT_TRUE(manager_.policies().Equals(bundle));
183
184  manager_.Shutdown();
185  EXPECT_TRUE(manager_.policies().Equals(bundle));
186}
187
188class DeviceCloudPolicyManagerChromeOSEnrollmentTest
189    : public DeviceCloudPolicyManagerChromeOSTest {
190 public:
191  void Done(EnrollmentStatus status) {
192    status_ = status;
193    done_ = true;
194  }
195
196 protected:
197  DeviceCloudPolicyManagerChromeOSEnrollmentTest()
198      : is_auto_enrollment_(false),
199        register_status_(DM_STATUS_SUCCESS),
200        policy_fetch_status_(DM_STATUS_SUCCESS),
201        robot_auth_fetch_status_(DM_STATUS_SUCCESS),
202        store_result_(true),
203        status_(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS)),
204        done_(false) {}
205
206  virtual void SetUp() OVERRIDE {
207    DeviceCloudPolicyManagerChromeOSTest::SetUp();
208
209    // Set up test data.
210    device_policy_.SetDefaultNewSigningKey();
211    device_policy_.policy_data().set_timestamp(
212        (base::Time::NowFromSystemTime() -
213         base::Time::UnixEpoch()).InMilliseconds());
214    device_policy_.Build();
215
216    register_response_.mutable_register_response()->set_device_management_token(
217        PolicyBuilder::kFakeToken);
218    policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
219        device_policy_.policy());
220    robot_auth_fetch_response_.mutable_service_api_access_response()
221        ->set_auth_code("auth_code_for_test");
222    loaded_blob_ = device_policy_.GetBlob();
223
224    // Initialize the manager.
225    FlushDeviceSettings();
226    EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
227    EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
228
229    PolicyBundle bundle;
230    EXPECT_TRUE(manager_.policies().Equals(bundle));
231
232    manager_.Connect(&local_state_,
233                     &device_management_service_,
234                     scoped_ptr<CloudPolicyClient::StatusProvider>());
235  }
236
237  void ExpectFailedEnrollment(EnrollmentStatus::Status status) {
238    EXPECT_EQ(status, status_.status());
239    EXPECT_FALSE(store_->is_managed());
240    PolicyBundle empty_bundle;
241    EXPECT_TRUE(manager_.policies().Equals(empty_bundle));
242  }
243
244  void ExpectSuccessfulEnrollment() {
245    EXPECT_EQ(EnrollmentStatus::STATUS_SUCCESS, status_.status());
246    EXPECT_EQ(DEVICE_MODE_ENTERPRISE, install_attributes_.GetMode());
247    EXPECT_TRUE(store_->has_policy());
248    EXPECT_TRUE(store_->is_managed());
249    ASSERT_TRUE(manager_.core()->client());
250    EXPECT_TRUE(manager_.core()->client()->is_registered());
251
252    PolicyBundle bundle;
253    bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
254        .Set(key::kDeviceMetricsReportingEnabled,
255             POLICY_LEVEL_MANDATORY,
256             POLICY_SCOPE_MACHINE,
257             Value::CreateBooleanValue(false),
258             NULL);
259    EXPECT_TRUE(manager_.policies().Equals(bundle));
260  }
261
262  void RunTest() {
263    // Trigger enrollment.
264    MockDeviceManagementJob* register_job = NULL;
265    EXPECT_CALL(device_management_service_,
266                CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION))
267        .Times(AtMost(1))
268        .WillOnce(device_management_service_.CreateAsyncJob(&register_job));
269    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
270        .Times(AtMost(1))
271        .WillOnce(DoAll(SaveArg<5>(&client_id_),
272                        SaveArg<6>(&register_request_)));
273    DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes modes;
274    modes[DEVICE_MODE_ENTERPRISE] = true;
275    manager_.StartEnrollment(
276        "auth token", is_auto_enrollment_, modes,
277        base::Bind(&DeviceCloudPolicyManagerChromeOSEnrollmentTest::Done,
278                   base::Unretained(this)));
279    Mock::VerifyAndClearExpectations(&device_management_service_);
280
281    if (done_)
282      return;
283
284    // Process registration.
285    ASSERT_TRUE(register_job);
286    MockDeviceManagementJob* policy_fetch_job = NULL;
287    EXPECT_CALL(device_management_service_,
288                CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH))
289        .Times(AtMost(1))
290        .WillOnce(device_management_service_.CreateAsyncJob(&policy_fetch_job));
291    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
292        .Times(AtMost(1));
293    register_job->SendResponse(register_status_, register_response_);
294    Mock::VerifyAndClearExpectations(&device_management_service_);
295
296    if (done_)
297      return;
298
299    // Process policy fetch.
300    ASSERT_TRUE(policy_fetch_job);
301    policy_fetch_job->SendResponse(policy_fetch_status_,
302                                   policy_fetch_response_);
303
304    if (done_)
305      return;
306
307    // Process verification.
308    MockDeviceManagementJob* robot_auth_fetch_job = NULL;
309    EXPECT_CALL(device_management_service_,
310                CreateJob(DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH))
311        .Times(AtMost(1))
312        .WillOnce(device_management_service_.CreateAsyncJob(
313            &robot_auth_fetch_job));
314    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
315        .Times(AtMost(1));
316    base::RunLoop().RunUntilIdle();
317    Mock::VerifyAndClearExpectations(&device_management_service_);
318
319    if (done_)
320      return;
321
322    // Process robot auth token fetch.
323    ASSERT_TRUE(robot_auth_fetch_job);
324    robot_auth_fetch_job->SendResponse(robot_auth_fetch_status_,
325                                       robot_auth_fetch_response_);
326    Mock::VerifyAndClearExpectations(&device_management_service_);
327
328    if (done_)
329      return;
330
331    // Process robot refresh token fetch if the auth code fetch succeeded.
332    // DeviceCloudPolicyManagerChromeOS holds an EnrollmentHandlerChromeOS which
333    // holds a GaiaOAuthClient that fetches the refresh token during enrollment.
334    // We return a successful OAuth response via a TestURLFetcher to trigger the
335    // happy path for these classes so that enrollment can continue.
336    if (robot_auth_fetch_status_ == DM_STATUS_SUCCESS) {
337      net::TestURLFetcher* url_fetcher = url_fetcher_factory_.GetFetcherByID(
338          gaia::GaiaOAuthClient::kUrlFetcherId);
339      ASSERT_TRUE(url_fetcher);
340      url_fetcher->SetMaxRetriesOn5xx(0);
341      url_fetcher->set_status(net::URLRequestStatus());
342      url_fetcher->set_response_code(url_fetcher_response_code_);
343      url_fetcher->SetResponseString(url_fetcher_response_string_);
344      url_fetcher->delegate()->OnURLFetchComplete(url_fetcher);
345    }
346    base::RunLoop().RunUntilIdle();
347
348    // Process policy store.
349    device_settings_test_helper_.set_store_result(store_result_);
350    device_settings_test_helper_.FlushStore();
351    EXPECT_EQ(device_policy_.GetBlob(),
352              device_settings_test_helper_.policy_blob());
353
354    if (done_)
355      return;
356
357    // Key installation, policy load and refresh token save.
358    device_settings_test_helper_.set_policy_blob(loaded_blob_);
359    owner_key_util_->SetPublicKeyFromPrivateKey(
360        *device_policy_.GetNewSigningKey());
361    ReloadDeviceSettings();
362
363    if (done_)
364      return;
365
366    chromeos::DeviceOAuth2TokenService* token_service =
367        chromeos::DeviceOAuth2TokenServiceFactory::Get();
368    // Process robot refresh token store.
369    EXPECT_EQ(
370        "refreshToken4Test",
371        token_service->GetRefreshToken(token_service->GetRobotAccountId()));
372  }
373
374  bool is_auto_enrollment_;
375
376  DeviceManagementStatus register_status_;
377  em::DeviceManagementResponse register_response_;
378
379  DeviceManagementStatus policy_fetch_status_;
380  em::DeviceManagementResponse policy_fetch_response_;
381
382  DeviceManagementStatus robot_auth_fetch_status_;
383  em::DeviceManagementResponse robot_auth_fetch_response_;
384
385  bool store_result_;
386  std::string loaded_blob_;
387
388  em::DeviceManagementRequest register_request_;
389  std::string client_id_;
390  EnrollmentStatus status_;
391
392  bool done_;
393
394 private:
395  DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSEnrollmentTest);
396};
397
398TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Success) {
399  RunTest();
400  ExpectSuccessfulEnrollment();
401}
402
403TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, AutoEnrollment) {
404  is_auto_enrollment_ = true;
405  RunTest();
406  ExpectSuccessfulEnrollment();
407  EXPECT_TRUE(register_request_.register_request().auto_enrolled());
408}
409
410TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Reenrollment) {
411  base::RunLoop loop;
412  EnterpriseInstallAttributes::LockResult result;
413  install_attributes_.LockDevice(PolicyBuilder::kFakeUsername,
414                                 DEVICE_MODE_ENTERPRISE,
415                                 PolicyBuilder::kFakeDeviceId,
416                                 base::Bind(&CopyLockResult, &loop, &result));
417  loop.Run();
418  ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result);
419
420  RunTest();
421  ExpectSuccessfulEnrollment();
422  EXPECT_TRUE(register_request_.register_request().reregister());
423  EXPECT_EQ(PolicyBuilder::kFakeDeviceId, client_id_);
424}
425
426TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RegistrationFailed) {
427  register_status_ = DM_STATUS_REQUEST_FAILED;
428  RunTest();
429  ExpectFailedEnrollment(EnrollmentStatus::STATUS_REGISTRATION_FAILED);
430  EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
431}
432
433// Policy server implementations are not required to support robot auth
434// tokens, so the following 4 Robot* tests verify that enrollment succeeds
435// even if the robot auth token fetch fails.
436TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
437       RobotAuthCodeFetchFailed) {
438  robot_auth_fetch_status_ = DM_STATUS_REQUEST_FAILED;
439  RunTest();
440  ExpectSuccessfulEnrollment();
441}
442
443TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
444       RobotRefreshTokenFetchResponseCodeFailed) {
445  url_fetcher_response_code_ = 400;
446  RunTest();
447  ExpectSuccessfulEnrollment();
448}
449
450TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
451       RobotRefreshTokenFetchResponseStringFailed) {
452  url_fetcher_response_string_ = "invalid response json";
453  RunTest();
454  ExpectSuccessfulEnrollment();
455}
456
457TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RobotRefreshSaveFailed) {
458  // Without a DeviceOAuth2TokenService, the refresh token can't be saved.
459  chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
460  RunTest();
461  ExpectSuccessfulEnrollment();
462}
463
464TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) {
465  policy_fetch_status_ = DM_STATUS_REQUEST_FAILED;
466  RunTest();
467  ExpectFailedEnrollment(EnrollmentStatus::STATUS_POLICY_FETCH_FAILED);
468  EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
469}
470
471TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, ValidationFailed) {
472  device_policy_.policy().set_policy_data_signature("bad");
473  policy_fetch_response_.clear_policy_response();
474  policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
475      device_policy_.policy());
476  RunTest();
477  ExpectFailedEnrollment(EnrollmentStatus::STATUS_VALIDATION_FAILED);
478  EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE,
479            status_.validation_status());
480}
481
482TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, StoreError) {
483  store_result_ = false;
484  RunTest();
485  ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
486  EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR,
487            status_.store_status());
488}
489
490TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) {
491  loaded_blob_.clear();
492  RunTest();
493  ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
494  EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR,
495            status_.store_status());
496}
497
498}  // namespace
499}  // namespace policy
500