device_cloud_policy_manager_chromeos_unittest.cc revision c2e0dbddbe15c98d52c4786dac06cb8952a8ae6d 
1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/chromeos/policy/device_cloud_policy_manager_chromeos.h"
6
7#include "base/basictypes.h"
8#include "base/compiler_specific.h"
9#include "base/memory/scoped_ptr.h"
10#include "base/message_loop.h"
11#include "base/prefs/pref_registry_simple.h"
12#include "base/prefs/testing_pref_service.h"
13#include "base/run_loop.h"
14#include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h"
15#include "chrome/browser/chromeos/policy/enterprise_install_attributes.h"
16#include "chrome/browser/chromeos/settings/cros_settings.h"
17#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h"
18#include "chrome/browser/chromeos/settings/device_oauth2_token_service_factory.h"
19#include "chrome/browser/chromeos/settings/device_settings_service.h"
20#include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
21#include "chrome/browser/policy/cloud/cloud_policy_client.h"
22#include "chrome/browser/policy/cloud/mock_device_management_service.h"
23#include "chrome/browser/policy/proto/chromeos/chrome_device_policy.pb.h"
24#include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h"
25#include "chrome/browser/prefs/browser_prefs.h"
26#include "chrome/test/base/testing_browser_process.h"
27#include "chromeos/cryptohome/cryptohome_library.h"
28#include "chromeos/cryptohome/mock_cryptohome_library.h"
29#include "chromeos/dbus/cryptohome_client.h"
30#include "chromeos/dbus/dbus_client_implementation_type.h"
31#include "net/url_request/test_url_fetcher_factory.h"
32#include "net/url_request/url_request_test_util.h"
33#include "policy/policy_constants.h"
34#include "testing/gmock/include/gmock/gmock.h"
35#include "testing/gtest/include/gtest/gtest.h"
36
37using testing::AnyNumber;
38using testing::AtMost;
39using testing::DoAll;
40using testing::Mock;
41using testing::SaveArg;
42using testing::_;
43
44namespace em = enterprise_management;
45
46namespace policy {
47namespace {
48
49void CopyLockResult(base::RunLoop* loop,
50                    EnterpriseInstallAttributes::LockResult* out,
51                    EnterpriseInstallAttributes::LockResult result) {
52  *out = result;
53  loop->Quit();
54}
55
56class DeviceCloudPolicyManagerChromeOSTest
57    : public chromeos::DeviceSettingsTestBase {
58 protected:
59  DeviceCloudPolicyManagerChromeOSTest()
60      : cryptohome_library_(chromeos::CryptohomeLibrary::GetTestImpl()),
61        stub_cryptohome_client_(chromeos::CryptohomeClient::Create(
62            chromeos::STUB_DBUS_CLIENT_IMPLEMENTATION, NULL)),
63        install_attributes_(cryptohome_library_.get(),
64                            stub_cryptohome_client_.get()),
65        store_(new DeviceCloudPolicyStoreChromeOS(&device_settings_service_,
66                                                  &install_attributes_)),
67        manager_(make_scoped_ptr(store_), &install_attributes_) {}
68
69  virtual void SetUp() OVERRIDE {
70    DeviceSettingsTestBase::SetUp();
71    chrome::RegisterLocalState(local_state_.registry());
72    manager_.Init();
73
74    // DeviceOAuth2TokenService uses the system request context to fetch
75    // OAuth tokens, then writes the token to local state, encrypting it
76    // first with methods in CryptohomeLibrary.
77    request_context_getter_ = new net::TestURLRequestContextGetter(
78        loop_.message_loop_proxy());
79    TestingBrowserProcess::GetGlobal()->SetSystemRequestContext(
80        request_context_getter_);
81    TestingBrowserProcess::GetGlobal()->SetLocalState(&local_state_);
82    chromeos::DeviceOAuth2TokenServiceFactory::Initialize();
83    chromeos::CryptohomeLibrary::SetForTest(cryptohome_library_.get());
84    url_fetcher_response_code_ = 200;
85    url_fetcher_response_string_ = "{\"access_token\":\"accessToken4Test\","
86                                   "\"expires_in\":1234,"
87                                   "\"refresh_token\":\"refreshToken4Test\"}";
88  }
89
90  virtual void TearDown() OVERRIDE {
91    manager_.Shutdown();
92    DeviceSettingsTestBase::TearDown();
93
94    chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
95    chromeos::CryptohomeLibrary::SetForTest(NULL);
96    TestingBrowserProcess::GetGlobal()->SetLocalState(NULL);
97  }
98
99  scoped_ptr<chromeos::CryptohomeLibrary> cryptohome_library_;
100  scoped_ptr<chromeos::CryptohomeClient> stub_cryptohome_client_;
101  EnterpriseInstallAttributes install_attributes_;
102
103  scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
104  net::TestURLFetcherFactory url_fetcher_factory_;
105  int url_fetcher_response_code_;
106  string url_fetcher_response_string_;
107  TestingPrefServiceSimple local_state_;
108  MockDeviceManagementService device_management_service_;
109  chromeos::ScopedTestDeviceSettingsService test_device_settings_service_;
110  chromeos::ScopedTestCrosSettings test_cros_settings_;
111
112  DeviceCloudPolicyStoreChromeOS* store_;
113  DeviceCloudPolicyManagerChromeOS manager_;
114
115 private:
116  DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSTest);
117};
118
119TEST_F(DeviceCloudPolicyManagerChromeOSTest, FreshDevice) {
120  owner_key_util_->Clear();
121  FlushDeviceSettings();
122  EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
123
124  manager_.Connect(&local_state_, &device_management_service_,
125                   scoped_ptr<CloudPolicyClient::StatusProvider>(NULL));
126
127  PolicyBundle bundle;
128  EXPECT_TRUE(manager_.policies().Equals(bundle));
129}
130
131TEST_F(DeviceCloudPolicyManagerChromeOSTest, EnrolledDevice) {
132  base::RunLoop loop;
133  EnterpriseInstallAttributes::LockResult result;
134  install_attributes_.LockDevice(PolicyBuilder::kFakeUsername,
135                                 DEVICE_MODE_ENTERPRISE,
136                                 PolicyBuilder::kFakeDeviceId,
137                                 base::Bind(&CopyLockResult, &loop, &result));
138  loop.Run();
139  ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result);
140
141  FlushDeviceSettings();
142  EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
143  EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
144
145  PolicyBundle bundle;
146  bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
147      .Set(key::kDeviceMetricsReportingEnabled,
148           POLICY_LEVEL_MANDATORY,
149           POLICY_SCOPE_MACHINE,
150           Value::CreateBooleanValue(false));
151  EXPECT_TRUE(manager_.policies().Equals(bundle));
152
153  manager_.Connect(&local_state_, &device_management_service_,
154                   scoped_ptr<CloudPolicyClient::StatusProvider>(NULL));
155  EXPECT_TRUE(manager_.policies().Equals(bundle));
156
157  manager_.Shutdown();
158  EXPECT_TRUE(manager_.policies().Equals(bundle));
159}
160
161TEST_F(DeviceCloudPolicyManagerChromeOSTest, ConsumerDevice) {
162  FlushDeviceSettings();
163  EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
164  EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
165
166  PolicyBundle bundle;
167  EXPECT_TRUE(manager_.policies().Equals(bundle));
168
169  manager_.Connect(&local_state_, &device_management_service_,
170                   scoped_ptr<CloudPolicyClient::StatusProvider>(NULL));
171  EXPECT_TRUE(manager_.policies().Equals(bundle));
172
173  manager_.Shutdown();
174  EXPECT_TRUE(manager_.policies().Equals(bundle));
175}
176
177class DeviceCloudPolicyManagerChromeOSEnrollmentTest
178    : public DeviceCloudPolicyManagerChromeOSTest {
179 public:
180  void Done(EnrollmentStatus status) {
181    status_ = status;
182    done_ = true;
183  }
184
185 protected:
186  DeviceCloudPolicyManagerChromeOSEnrollmentTest()
187      : is_auto_enrollment_(false),
188        register_status_(DM_STATUS_SUCCESS),
189        policy_fetch_status_(DM_STATUS_SUCCESS),
190        robot_auth_fetch_status_(DM_STATUS_SUCCESS),
191        store_result_(true),
192        status_(EnrollmentStatus::ForStatus(EnrollmentStatus::STATUS_SUCCESS)),
193        done_(false) {}
194
195  virtual void SetUp() OVERRIDE {
196    DeviceCloudPolicyManagerChromeOSTest::SetUp();
197
198    // Set up test data.
199    device_policy_.set_new_signing_key(
200        PolicyBuilder::CreateTestNewSigningKey());
201    device_policy_.policy_data().set_timestamp(
202        (base::Time::NowFromSystemTime() -
203         base::Time::UnixEpoch()).InMilliseconds());
204    device_policy_.Build();
205
206    register_response_.mutable_register_response()->set_device_management_token(
207        PolicyBuilder::kFakeToken);
208    policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
209        device_policy_.policy());
210    robot_auth_fetch_response_.mutable_service_api_access_response()
211        ->set_auth_code("auth_code_for_test");
212    loaded_blob_ = device_policy_.GetBlob();
213
214    // Initialize the manager.
215    FlushDeviceSettings();
216    EXPECT_EQ(CloudPolicyStore::STATUS_BAD_STATE, store_->status());
217    EXPECT_TRUE(manager_.IsInitializationComplete(POLICY_DOMAIN_CHROME));
218
219    PolicyBundle bundle;
220    EXPECT_TRUE(manager_.policies().Equals(bundle));
221
222    manager_.Connect(&local_state_, &device_management_service_,
223                     scoped_ptr<CloudPolicyClient::StatusProvider>(NULL));
224  }
225
226  void ExpectFailedEnrollment(EnrollmentStatus::Status status) {
227    EXPECT_EQ(status, status_.status());
228    EXPECT_FALSE(store_->is_managed());
229    PolicyBundle empty_bundle;
230    EXPECT_TRUE(manager_.policies().Equals(empty_bundle));
231  }
232
233  void ExpectSuccessfulEnrollment() {
234    EXPECT_EQ(EnrollmentStatus::STATUS_SUCCESS, status_.status());
235    EXPECT_EQ(DEVICE_MODE_ENTERPRISE, install_attributes_.GetMode());
236    EXPECT_TRUE(store_->has_policy());
237    EXPECT_TRUE(store_->is_managed());
238    ASSERT_TRUE(manager_.core()->client());
239    EXPECT_TRUE(manager_.core()->client()->is_registered());
240
241    PolicyBundle bundle;
242    bundle.Get(PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
243        .Set(key::kDeviceMetricsReportingEnabled,
244             POLICY_LEVEL_MANDATORY,
245             POLICY_SCOPE_MACHINE,
246             Value::CreateBooleanValue(false));
247    EXPECT_TRUE(manager_.policies().Equals(bundle));
248  }
249
250  void RunTest() {
251    // Trigger enrollment.
252    MockDeviceManagementJob* register_job = NULL;
253    EXPECT_CALL(device_management_service_,
254                CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION))
255        .Times(AtMost(1))
256        .WillOnce(device_management_service_.CreateAsyncJob(&register_job));
257    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
258        .Times(AtMost(1))
259        .WillOnce(DoAll(SaveArg<5>(&client_id_),
260                        SaveArg<6>(&register_request_)));
261    DeviceCloudPolicyManagerChromeOS::AllowedDeviceModes modes;
262    modes[DEVICE_MODE_ENTERPRISE] = true;
263    manager_.StartEnrollment(
264        "auth token", is_auto_enrollment_, modes,
265        base::Bind(&DeviceCloudPolicyManagerChromeOSEnrollmentTest::Done,
266                   base::Unretained(this)));
267    Mock::VerifyAndClearExpectations(&device_management_service_);
268
269    if (done_)
270      return;
271
272    // Process registration.
273    ASSERT_TRUE(register_job);
274    MockDeviceManagementJob* policy_fetch_job = NULL;
275    EXPECT_CALL(device_management_service_,
276                CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH))
277        .Times(AtMost(1))
278        .WillOnce(device_management_service_.CreateAsyncJob(&policy_fetch_job));
279    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
280        .Times(AtMost(1));
281    register_job->SendResponse(register_status_, register_response_);
282    Mock::VerifyAndClearExpectations(&device_management_service_);
283
284    if (done_)
285      return;
286
287    // Process policy fetch.
288    ASSERT_TRUE(policy_fetch_job);
289    policy_fetch_job->SendResponse(policy_fetch_status_,
290                                   policy_fetch_response_);
291
292    if (done_)
293      return;
294
295    // Process verification.
296    MockDeviceManagementJob* robot_auth_fetch_job = NULL;
297    EXPECT_CALL(device_management_service_,
298                CreateJob(DeviceManagementRequestJob::TYPE_API_AUTH_CODE_FETCH))
299        .Times(AtMost(1))
300        .WillOnce(device_management_service_.CreateAsyncJob(
301            &robot_auth_fetch_job));
302    EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _))
303        .Times(AtMost(1));
304    base::RunLoop().RunUntilIdle();
305    Mock::VerifyAndClearExpectations(&device_management_service_);
306
307    if (done_)
308      return;
309
310    // Process robot auth token fetch.
311    ASSERT_TRUE(robot_auth_fetch_job);
312    robot_auth_fetch_job->SendResponse(robot_auth_fetch_status_,
313                                       robot_auth_fetch_response_);
314    Mock::VerifyAndClearExpectations(&device_management_service_);
315
316    if (done_)
317      return;
318
319    // Process robot refresh token fetch if the auth code fetch succeeded.
320    // DeviceCloudPolicyManagerChromeOS holds an EnrollmentHandlerChromeOS which
321    // holds a GaiaOAuthClient that fetches the refresh token during enrollment.
322    // We return a successful OAuth response via a TestURLFetcher to trigger the
323    // happy path for these classes so that enrollment can continue.
324    if (robot_auth_fetch_status_ == DM_STATUS_SUCCESS) {
325      net::TestURLFetcher* url_fetcher = url_fetcher_factory_.GetFetcherByID(0);
326      ASSERT_TRUE(url_fetcher);
327      // The logic in GaiaOAuthClient seems broken, it always retries 1x on
328      // non-200 response codes, even if the retries are set to 0.  Seems like
329      // its num_retries_ > source->GetMaxRetriesOn5xx() should have a >=?
330      url_fetcher->SetMaxRetriesOn5xx(-2);
331      url_fetcher->set_status(net::URLRequestStatus());
332      url_fetcher->set_response_code(url_fetcher_response_code_);
333      url_fetcher->SetResponseString(url_fetcher_response_string_);
334      url_fetcher->delegate()->OnURLFetchComplete(url_fetcher);
335    }
336    base::RunLoop().RunUntilIdle();
337
338    // Process policy store.
339    device_settings_test_helper_.set_store_result(store_result_);
340    device_settings_test_helper_.FlushStore();
341    EXPECT_EQ(device_policy_.GetBlob(),
342              device_settings_test_helper_.policy_blob());
343
344    if (done_)
345      return;
346
347    // Key installation, policy load and refresh token save.
348    device_settings_test_helper_.set_policy_blob(loaded_blob_);
349    owner_key_util_->SetPublicKeyFromPrivateKey(
350        device_policy_.new_signing_key());
351    ReloadDeviceSettings();
352
353    if (done_)
354      return;
355
356    // Process robot refresh token store.
357    EXPECT_EQ(
358        "refreshToken4Test",
359        chromeos::DeviceOAuth2TokenServiceFactory::Get()->GetRefreshToken());
360  }
361
362  bool is_auto_enrollment_;
363
364  DeviceManagementStatus register_status_;
365  em::DeviceManagementResponse register_response_;
366
367  DeviceManagementStatus policy_fetch_status_;
368  em::DeviceManagementResponse policy_fetch_response_;
369
370  DeviceManagementStatus robot_auth_fetch_status_;
371  em::DeviceManagementResponse robot_auth_fetch_response_;
372
373  bool store_result_;
374  std::string loaded_blob_;
375
376  em::DeviceManagementRequest register_request_;
377  std::string client_id_;
378  EnrollmentStatus status_;
379
380  bool done_;
381
382 private:
383  DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyManagerChromeOSEnrollmentTest);
384};
385
386TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Success) {
387  RunTest();
388  ExpectSuccessfulEnrollment();
389}
390
391TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, AutoEnrollment) {
392  is_auto_enrollment_ = true;
393  RunTest();
394  ExpectSuccessfulEnrollment();
395  EXPECT_TRUE(register_request_.register_request().auto_enrolled());
396}
397
398TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, Reenrollment) {
399  base::RunLoop loop;
400  EnterpriseInstallAttributes::LockResult result;
401  install_attributes_.LockDevice(PolicyBuilder::kFakeUsername,
402                                 DEVICE_MODE_ENTERPRISE,
403                                 PolicyBuilder::kFakeDeviceId,
404                                 base::Bind(&CopyLockResult, &loop, &result));
405  loop.Run();
406  ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result);
407
408  RunTest();
409  ExpectSuccessfulEnrollment();
410  EXPECT_TRUE(register_request_.register_request().reregister());
411  EXPECT_EQ(PolicyBuilder::kFakeDeviceId, client_id_);
412}
413
414TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RegistrationFailed) {
415  register_status_ = DM_STATUS_REQUEST_FAILED;
416  RunTest();
417  ExpectFailedEnrollment(EnrollmentStatus::STATUS_REGISTRATION_FAILED);
418  EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
419}
420
421// Policy server implementations are not required to support robot auth
422// tokens, so the following 4 Robot* tests verify that enrollment succeeds
423// even if the robot auth token fetch fails.
424TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
425       RobotAuthCodeFetchFailed) {
426  robot_auth_fetch_status_ = DM_STATUS_REQUEST_FAILED;
427  RunTest();
428  ExpectSuccessfulEnrollment();
429}
430
431TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
432       RobotRefreshTokenFetchResponseCodeFailed) {
433  url_fetcher_response_code_ = 400;
434  RunTest();
435  ExpectSuccessfulEnrollment();
436}
437
438TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest,
439       RobotRefreshTokenFetchResponseStringFailed) {
440  url_fetcher_response_string_ = "invalid response json";
441  RunTest();
442  ExpectSuccessfulEnrollment();
443}
444
445TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, RobotRefreshSaveFailed) {
446  // Without a DeviceOAuth2TokenService, the refresh token can't be saved.
447  chromeos::DeviceOAuth2TokenServiceFactory::Shutdown();
448  RunTest();
449  ExpectSuccessfulEnrollment();
450}
451
452TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, PolicyFetchFailed) {
453  policy_fetch_status_ = DM_STATUS_REQUEST_FAILED;
454  RunTest();
455  ExpectFailedEnrollment(EnrollmentStatus::STATUS_POLICY_FETCH_FAILED);
456  EXPECT_EQ(DM_STATUS_REQUEST_FAILED, status_.client_status());
457}
458
459TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, ValidationFailed) {
460  device_policy_.policy().set_policy_data_signature("bad");
461  policy_fetch_response_.clear_policy_response();
462  policy_fetch_response_.mutable_policy_response()->add_response()->CopyFrom(
463      device_policy_.policy());
464  RunTest();
465  ExpectFailedEnrollment(EnrollmentStatus::STATUS_VALIDATION_FAILED);
466  EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE,
467            status_.validation_status());
468}
469
470TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, StoreError) {
471  store_result_ = false;
472  RunTest();
473  ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
474  EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR,
475            status_.store_status());
476}
477
478TEST_F(DeviceCloudPolicyManagerChromeOSEnrollmentTest, LoadError) {
479  loaded_blob_.clear();
480  RunTest();
481  ExpectFailedEnrollment(EnrollmentStatus::STATUS_STORE_ERROR);
482  EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR,
483            status_.store_status());
484}
485
486}  // namespace test
487}  // namespace policy
488