1// Copyright (c) 2012 The Chromium Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "chrome/browser/chromeos/policy/device_local_account_policy_service.h"
6
7#include <algorithm>
8
9#include "base/bind.h"
10#include "base/bind_helpers.h"
11#include "base/callback.h"
12#include "base/files/file_path.h"
13#include "base/files/file_util.h"
14#include "base/files/scoped_temp_dir.h"
15#include "base/message_loop/message_loop.h"
16#include "base/message_loop/message_loop_proxy.h"
17#include "base/path_service.h"
18#include "base/run_loop.h"
19#include "base/strings/string_number_conversions.h"
20#include "base/strings/stringprintf.h"
21#include "base/test/scoped_path_override.h"
22#include "base/test/test_simple_task_runner.h"
23#include "chrome/browser/chromeos/policy/device_local_account.h"
24#include "chrome/browser/chromeos/policy/device_local_account_policy_provider.h"
25#include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
26#include "chrome/browser/chromeos/settings/cros_settings.h"
27#include "chrome/browser/chromeos/settings/device_settings_service.h"
28#include "chrome/browser/chromeos/settings/device_settings_test_helper.h"
29#include "chrome/common/chrome_paths.h"
30#include "chromeos/chromeos_paths.h"
31#include "chromeos/dbus/power_policy_controller.h"
32#include "components/policy/core/common/cloud/cloud_policy_client.h"
33#include "components/policy/core/common/cloud/cloud_policy_constants.h"
34#include "components/policy/core/common/cloud/cloud_policy_service.h"
35#include "components/policy/core/common/cloud/mock_device_management_service.h"
36#include "components/policy/core/common/cloud/policy_builder.h"
37#include "components/policy/core/common/external_data_fetcher.h"
38#include "components/policy/core/common/mock_configuration_policy_provider.h"
39#include "components/policy/core/common/policy_bundle.h"
40#include "components/policy/core/common/policy_map.h"
41#include "components/policy/core/common/schema_registry.h"
42#include "net/url_request/url_request_context_getter.h"
43#include "net/url_request/url_request_test_util.h"
44#include "policy/policy_constants.h"
45#include "policy/proto/cloud_policy.pb.h"
46#include "policy/proto/device_management_backend.pb.h"
47#include "testing/gtest/include/gtest/gtest.h"
48
49using testing::AnyNumber;
50using testing::AtLeast;
51using testing::Mock;
52using testing::SaveArg;
53using testing::_;
54
55namespace em = enterprise_management;
56
57namespace policy {
58
59namespace {
60
61const char kAccount1[] = "account1@localhost";
62const char kAccount2[] = "account2@localhost";
63const char kAccount3[] = "account3@localhost";
64
65const char kExtensionID[] = "kbmnembihfiondgfjekmnmcbddelicoi";
66const char kExtensionVersion[] = "1.0.0.0";
67const char kExtensionCRXPath[] = "extensions/hosted_app.crx";
68const char kUpdateURL[] = "https://clients2.google.com/service/update2/crx";
69
70}  // namespace
71
72class MockDeviceLocalAccountPolicyServiceObserver
73    : public DeviceLocalAccountPolicyService::Observer {
74 public:
75  MOCK_METHOD1(OnPolicyUpdated, void(const std::string&));
76  MOCK_METHOD0(OnDeviceLocalAccountsChanged, void(void));
77};
78
79class DeviceLocalAccountPolicyServiceTestBase
80    : public chromeos::DeviceSettingsTestBase {
81 public:
82  DeviceLocalAccountPolicyServiceTestBase();
83
84  virtual void SetUp() OVERRIDE;
85  virtual void TearDown() OVERRIDE;
86
87  void CreatePolicyService();
88
89  void InstallDeviceLocalAccountPolicy(const std::string& account_id);
90  void AddDeviceLocalAccountToPolicy(const std::string& account_id);
91  virtual void InstallDevicePolicy();
92
93  const std::string account_1_user_id_;
94  const std::string account_2_user_id_;
95
96  PolicyMap expected_policy_map_;
97  UserPolicyBuilder device_local_account_policy_;
98  chromeos::CrosSettings cros_settings_;
99  scoped_refptr<base::TestSimpleTaskRunner> extension_cache_task_runner_;
100  MockDeviceManagementService mock_device_management_service_;
101  scoped_ptr<DeviceLocalAccountPolicyService> service_;
102
103 private:
104  DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyServiceTestBase);
105};
106
107class DeviceLocalAccountPolicyServiceTest
108    : public DeviceLocalAccountPolicyServiceTestBase {
109 public:
110  MOCK_METHOD1(OnRefreshDone, void(bool));
111
112 protected:
113  DeviceLocalAccountPolicyServiceTest();
114
115  virtual void SetUp() OVERRIDE;
116  virtual void TearDown() OVERRIDE;
117
118  void InstallDevicePolicy() OVERRIDE;
119
120  MockDeviceLocalAccountPolicyServiceObserver service_observer_;
121
122 private:
123  DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyServiceTest);
124};
125
126DeviceLocalAccountPolicyServiceTestBase::
127    DeviceLocalAccountPolicyServiceTestBase()
128    : account_1_user_id_(GenerateDeviceLocalAccountUserId(
129          kAccount1,
130          DeviceLocalAccount::TYPE_PUBLIC_SESSION)),
131      account_2_user_id_(GenerateDeviceLocalAccountUserId(
132          kAccount2,
133          DeviceLocalAccount::TYPE_PUBLIC_SESSION)),
134      cros_settings_(&device_settings_service_),
135      extension_cache_task_runner_(new base::TestSimpleTaskRunner) {
136}
137
138void DeviceLocalAccountPolicyServiceTestBase::SetUp() {
139  chromeos::DeviceSettingsTestBase::SetUp();
140
141  expected_policy_map_.Set(key::kDisableSpdy,
142                           POLICY_LEVEL_MANDATORY,
143                           POLICY_SCOPE_USER,
144                           new base::FundamentalValue(true),
145                           NULL);
146
147  device_local_account_policy_.payload().mutable_disablespdy()->set_value(
148      true);
149  device_local_account_policy_.policy_data().set_policy_type(
150      dm_protocol::kChromePublicAccountPolicyType);
151}
152
153void DeviceLocalAccountPolicyServiceTestBase::TearDown() {
154  service_->Shutdown();
155  service_.reset();
156  extension_cache_task_runner_->RunUntilIdle();
157  chromeos::DeviceSettingsTestBase::TearDown();
158}
159
160void DeviceLocalAccountPolicyServiceTestBase::CreatePolicyService() {
161  service_.reset(new DeviceLocalAccountPolicyService(
162      &device_settings_test_helper_,
163      &device_settings_service_,
164      &cros_settings_,
165      base::MessageLoopProxy::current(),
166      extension_cache_task_runner_,
167      base::MessageLoopProxy::current(),
168      base::MessageLoopProxy::current(),
169      new net::TestURLRequestContextGetter(base::MessageLoopProxy::current())));
170}
171
172void DeviceLocalAccountPolicyServiceTestBase::
173    InstallDeviceLocalAccountPolicy(const std::string& account_id) {
174  device_local_account_policy_.policy_data().set_settings_entity_id(account_id);
175  device_local_account_policy_.policy_data().set_username(account_id);
176  device_local_account_policy_.Build();
177  device_settings_test_helper_.set_device_local_account_policy_blob(
178      account_id, device_local_account_policy_.GetBlob());
179}
180
181void DeviceLocalAccountPolicyServiceTestBase::AddDeviceLocalAccountToPolicy(
182    const std::string& account_id) {
183  em::DeviceLocalAccountInfoProto* account =
184      device_policy_.payload().mutable_device_local_accounts()->add_account();
185  account->set_account_id(account_id);
186  account->set_type(
187      em::DeviceLocalAccountInfoProto::ACCOUNT_TYPE_PUBLIC_SESSION);
188}
189
190void DeviceLocalAccountPolicyServiceTestBase::InstallDevicePolicy() {
191  device_policy_.Build();
192  device_settings_test_helper_.set_policy_blob(device_policy_.GetBlob());
193  ReloadDeviceSettings();
194}
195
196DeviceLocalAccountPolicyServiceTest::DeviceLocalAccountPolicyServiceTest() {
197  CreatePolicyService();
198}
199
200void DeviceLocalAccountPolicyServiceTest::SetUp() {
201  DeviceLocalAccountPolicyServiceTestBase::SetUp();
202  service_->AddObserver(&service_observer_);
203}
204
205void DeviceLocalAccountPolicyServiceTest::TearDown() {
206  service_->RemoveObserver(&service_observer_);
207  DeviceLocalAccountPolicyServiceTestBase::TearDown();
208}
209
210void DeviceLocalAccountPolicyServiceTest::InstallDevicePolicy() {
211  EXPECT_CALL(service_observer_, OnDeviceLocalAccountsChanged());
212  DeviceLocalAccountPolicyServiceTestBase::InstallDevicePolicy();
213  Mock::VerifyAndClearExpectations(&service_observer_);
214}
215
216TEST_F(DeviceLocalAccountPolicyServiceTest, NoAccounts) {
217  EXPECT_FALSE(service_->GetBrokerForUser(account_1_user_id_));
218}
219
220TEST_F(DeviceLocalAccountPolicyServiceTest, GetBroker) {
221  InstallDeviceLocalAccountPolicy(kAccount1);
222  AddDeviceLocalAccountToPolicy(kAccount1);
223  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
224  InstallDevicePolicy();
225
226  DeviceLocalAccountPolicyBroker* broker =
227      service_->GetBrokerForUser(account_1_user_id_);
228  ASSERT_TRUE(broker);
229  EXPECT_EQ(account_1_user_id_, broker->user_id());
230  ASSERT_TRUE(broker->core()->store());
231  EXPECT_EQ(CloudPolicyStore::STATUS_OK, broker->core()->store()->status());
232  EXPECT_FALSE(broker->core()->client());
233  EXPECT_FALSE(broker->core()->store()->policy_map().empty());
234}
235
236TEST_F(DeviceLocalAccountPolicyServiceTest, LoadNoPolicy) {
237  AddDeviceLocalAccountToPolicy(kAccount1);
238  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
239  InstallDevicePolicy();
240
241  DeviceLocalAccountPolicyBroker* broker =
242      service_->GetBrokerForUser(account_1_user_id_);
243  ASSERT_TRUE(broker);
244  EXPECT_EQ(account_1_user_id_, broker->user_id());
245  ASSERT_TRUE(broker->core()->store());
246  EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR,
247            broker->core()->store()->status());
248  EXPECT_TRUE(broker->core()->store()->policy_map().empty());
249  EXPECT_FALSE(service_->IsPolicyAvailableForUser(account_1_user_id_));
250}
251
252TEST_F(DeviceLocalAccountPolicyServiceTest, LoadValidationFailure) {
253  device_local_account_policy_.policy_data().set_policy_type(
254      dm_protocol::kChromeUserPolicyType);
255  InstallDeviceLocalAccountPolicy(kAccount1);
256  AddDeviceLocalAccountToPolicy(kAccount1);
257  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
258  InstallDevicePolicy();
259
260  DeviceLocalAccountPolicyBroker* broker =
261      service_->GetBrokerForUser(account_1_user_id_);
262  ASSERT_TRUE(broker);
263  EXPECT_EQ(account_1_user_id_, broker->user_id());
264  ASSERT_TRUE(broker->core()->store());
265  EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR,
266            broker->core()->store()->status());
267  EXPECT_TRUE(broker->core()->store()->policy_map().empty());
268  EXPECT_FALSE(service_->IsPolicyAvailableForUser(account_1_user_id_));
269}
270
271TEST_F(DeviceLocalAccountPolicyServiceTest, LoadPolicy) {
272  InstallDeviceLocalAccountPolicy(kAccount1);
273  AddDeviceLocalAccountToPolicy(kAccount1);
274  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
275  InstallDevicePolicy();
276
277  DeviceLocalAccountPolicyBroker* broker =
278      service_->GetBrokerForUser(account_1_user_id_);
279  ASSERT_TRUE(broker);
280  EXPECT_EQ(account_1_user_id_, broker->user_id());
281  ASSERT_TRUE(broker->core()->store());
282  EXPECT_EQ(CloudPolicyStore::STATUS_OK, broker->core()->store()->status());
283  ASSERT_TRUE(broker->core()->store()->policy());
284  EXPECT_EQ(device_local_account_policy_.policy_data().SerializeAsString(),
285            broker->core()->store()->policy()->SerializeAsString());
286  EXPECT_TRUE(expected_policy_map_.Equals(
287      broker->core()->store()->policy_map()));
288  EXPECT_TRUE(service_->IsPolicyAvailableForUser(account_1_user_id_));
289}
290
291TEST_F(DeviceLocalAccountPolicyServiceTest, StoreValidationFailure) {
292  AddDeviceLocalAccountToPolicy(kAccount1);
293  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
294  InstallDevicePolicy();
295  Mock::VerifyAndClearExpectations(&service_observer_);
296
297  DeviceLocalAccountPolicyBroker* broker =
298      service_->GetBrokerForUser(account_1_user_id_);
299  ASSERT_TRUE(broker);
300  EXPECT_EQ(account_1_user_id_, broker->user_id());
301  ASSERT_TRUE(broker->core()->store());
302
303  device_local_account_policy_.policy_data().set_policy_type(
304      dm_protocol::kChromeUserPolicyType);
305  device_local_account_policy_.Build();
306  broker->core()->store()->Store(device_local_account_policy_.policy());
307  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
308  FlushDeviceSettings();
309
310  EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR,
311            broker->core()->store()->status());
312  EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_WRONG_POLICY_TYPE,
313            broker->core()->store()->validation_status());
314  EXPECT_FALSE(service_->IsPolicyAvailableForUser(account_1_user_id_));
315}
316
317TEST_F(DeviceLocalAccountPolicyServiceTest, StorePolicy) {
318  AddDeviceLocalAccountToPolicy(kAccount1);
319  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
320  InstallDevicePolicy();
321  Mock::VerifyAndClearExpectations(&service_observer_);
322
323  DeviceLocalAccountPolicyBroker* broker =
324      service_->GetBrokerForUser(account_1_user_id_);
325  ASSERT_TRUE(broker);
326  EXPECT_EQ(account_1_user_id_, broker->user_id());
327  ASSERT_TRUE(broker->core()->store());
328
329  device_local_account_policy_.policy_data().set_settings_entity_id(kAccount1);
330  device_local_account_policy_.policy_data().set_username(kAccount1);
331  device_local_account_policy_.Build();
332  broker->core()->store()->Store(device_local_account_policy_.policy());
333  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
334  FlushDeviceSettings();
335
336  EXPECT_EQ(CloudPolicyStore::STATUS_OK, broker->core()->store()->status());
337  ASSERT_TRUE(broker->core()->store()->policy());
338  EXPECT_EQ(device_local_account_policy_.policy_data().SerializeAsString(),
339            broker->core()->store()->policy()->SerializeAsString());
340  EXPECT_TRUE(expected_policy_map_.Equals(
341      broker->core()->store()->policy_map()));
342  EXPECT_TRUE(service_->IsPolicyAvailableForUser(account_1_user_id_));
343}
344
345TEST_F(DeviceLocalAccountPolicyServiceTest, DevicePolicyChange) {
346  InstallDeviceLocalAccountPolicy(kAccount1);
347  AddDeviceLocalAccountToPolicy(kAccount1);
348  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
349  InstallDevicePolicy();
350
351  device_policy_.payload().mutable_device_local_accounts()->clear_account();
352  InstallDevicePolicy();
353
354  EXPECT_FALSE(service_->GetBrokerForUser(account_1_user_id_));
355}
356
357TEST_F(DeviceLocalAccountPolicyServiceTest, DuplicateAccounts) {
358  InstallDeviceLocalAccountPolicy(kAccount1);
359  AddDeviceLocalAccountToPolicy(kAccount1);
360  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
361  InstallDevicePolicy();
362  Mock::VerifyAndClearExpectations(&service_observer_);
363
364  // Add a second entry with a duplicate account name to device policy.
365  AddDeviceLocalAccountToPolicy(kAccount1);
366  InstallDevicePolicy();
367
368  // Make sure the broker is accessible and policy got loaded.
369  DeviceLocalAccountPolicyBroker* broker =
370      service_->GetBrokerForUser(account_1_user_id_);
371  ASSERT_TRUE(broker);
372  EXPECT_EQ(account_1_user_id_, broker->user_id());
373  ASSERT_TRUE(broker->core()->store());
374  EXPECT_EQ(CloudPolicyStore::STATUS_OK, broker->core()->store()->status());
375  ASSERT_TRUE(broker->core()->store()->policy());
376  EXPECT_EQ(device_local_account_policy_.policy_data().SerializeAsString(),
377            broker->core()->store()->policy()->SerializeAsString());
378  EXPECT_TRUE(expected_policy_map_.Equals(
379      broker->core()->store()->policy_map()));
380  EXPECT_TRUE(service_->IsPolicyAvailableForUser(account_1_user_id_));
381}
382
383TEST_F(DeviceLocalAccountPolicyServiceTest, FetchPolicy) {
384  InstallDeviceLocalAccountPolicy(kAccount1);
385  AddDeviceLocalAccountToPolicy(kAccount1);
386  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
387  InstallDevicePolicy();
388
389  DeviceLocalAccountPolicyBroker* broker =
390      service_->GetBrokerForUser(account_1_user_id_);
391  ASSERT_TRUE(broker);
392
393  service_->Connect(&mock_device_management_service_);
394  EXPECT_TRUE(broker->core()->client());
395
396  em::DeviceManagementRequest request;
397  em::DeviceManagementResponse response;
398  response.mutable_policy_response()->add_response()->CopyFrom(
399      device_local_account_policy_.policy());
400  EXPECT_CALL(mock_device_management_service_,
401              CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _))
402      .WillOnce(mock_device_management_service_.SucceedJob(response));
403  EXPECT_CALL(mock_device_management_service_,
404              StartJob(dm_protocol::kValueRequestPolicy,
405                       std::string(), std::string(),
406                       device_policy_.policy_data().request_token(),
407                       dm_protocol::kValueUserAffiliationManaged,
408                       device_policy_.policy_data().device_id(),
409                       _))
410      .WillOnce(SaveArg<6>(&request));
411  // This will be called twice, because the ComponentCloudPolicyService will
412  // also become ready after flushing all the pending tasks.
413  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_)).Times(2);
414  broker->core()->client()->FetchPolicy();
415  FlushDeviceSettings();
416  Mock::VerifyAndClearExpectations(&service_observer_);
417  Mock::VerifyAndClearExpectations(&mock_device_management_service_);
418  EXPECT_TRUE(request.has_policy_request());
419  ASSERT_EQ(2, request.policy_request().request_size());
420
421  const em::PolicyFetchRequest* public_account =
422      &request.policy_request().request(0);
423  const em::PolicyFetchRequest* extensions =
424      &request.policy_request().request(1);
425  // The order is not guarateed.
426  if (extensions->policy_type() ==
427      dm_protocol::kChromePublicAccountPolicyType) {
428    std::swap(public_account, extensions);
429  }
430
431  EXPECT_EQ(dm_protocol::kChromePublicAccountPolicyType,
432            public_account->policy_type());
433  EXPECT_FALSE(public_account->has_machine_id());
434  EXPECT_EQ(kAccount1, public_account->settings_entity_id());
435
436  EXPECT_EQ(dm_protocol::kChromeExtensionPolicyType,
437            extensions->policy_type());
438  EXPECT_FALSE(extensions->has_machine_id());
439  EXPECT_FALSE(extensions->has_settings_entity_id());
440
441  ASSERT_TRUE(broker->core()->store());
442  EXPECT_EQ(CloudPolicyStore::STATUS_OK,
443            broker->core()->store()->status());
444  ASSERT_TRUE(broker->core()->store()->policy());
445  EXPECT_EQ(device_local_account_policy_.policy_data().SerializeAsString(),
446            broker->core()->store()->policy()->SerializeAsString());
447  EXPECT_TRUE(expected_policy_map_.Equals(
448      broker->core()->store()->policy_map()));
449  EXPECT_TRUE(service_->IsPolicyAvailableForUser(account_1_user_id_));
450}
451
452TEST_F(DeviceLocalAccountPolicyServiceTest, RefreshPolicy) {
453  InstallDeviceLocalAccountPolicy(kAccount1);
454  AddDeviceLocalAccountToPolicy(kAccount1);
455  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_));
456  InstallDevicePolicy();
457
458  DeviceLocalAccountPolicyBroker* broker =
459      service_->GetBrokerForUser(account_1_user_id_);
460  ASSERT_TRUE(broker);
461
462  service_->Connect(&mock_device_management_service_);
463  ASSERT_TRUE(broker->core()->service());
464
465  em::DeviceManagementResponse response;
466  response.mutable_policy_response()->add_response()->CopyFrom(
467      device_local_account_policy_.policy());
468  EXPECT_CALL(mock_device_management_service_, CreateJob(_, _))
469      .WillOnce(mock_device_management_service_.SucceedJob(response));
470  EXPECT_CALL(mock_device_management_service_, StartJob(_, _, _, _, _, _, _));
471  EXPECT_CALL(*this, OnRefreshDone(true)).Times(1);
472  // This will be called twice, because the ComponentCloudPolicyService will
473  // also become ready after flushing all the pending tasks.
474  EXPECT_CALL(service_observer_, OnPolicyUpdated(account_1_user_id_)).Times(2);
475  broker->core()->service()->RefreshPolicy(
476      base::Bind(&DeviceLocalAccountPolicyServiceTest::OnRefreshDone,
477                 base::Unretained(this)));
478  FlushDeviceSettings();
479  Mock::VerifyAndClearExpectations(&service_observer_);
480  Mock::VerifyAndClearExpectations(this);
481  Mock::VerifyAndClearExpectations(&mock_device_management_service_);
482
483  ASSERT_TRUE(broker->core()->store());
484  EXPECT_EQ(CloudPolicyStore::STATUS_OK,
485            broker->core()->store()->status());
486  EXPECT_TRUE(expected_policy_map_.Equals(
487      broker->core()->store()->policy_map()));
488  EXPECT_TRUE(service_->IsPolicyAvailableForUser(account_1_user_id_));
489}
490
491class DeviceLocalAccountPolicyExtensionCacheTest
492    : public DeviceLocalAccountPolicyServiceTestBase {
493 protected:
494  DeviceLocalAccountPolicyExtensionCacheTest();
495
496  virtual void SetUp() OVERRIDE;
497
498  base::FilePath GetCacheDirectoryForAccountID(const std::string& account_id);
499
500  base::ScopedTempDir cache_root_dir_;
501  scoped_ptr<base::ScopedPathOverride> cache_root_dir_override_;
502
503  base::FilePath cache_dir_1_;
504  base::FilePath cache_dir_2_;
505  base::FilePath cache_dir_3_;
506
507 private:
508  DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyExtensionCacheTest);
509};
510
511DeviceLocalAccountPolicyExtensionCacheTest::
512    DeviceLocalAccountPolicyExtensionCacheTest() {
513}
514
515void DeviceLocalAccountPolicyExtensionCacheTest::SetUp() {
516  DeviceLocalAccountPolicyServiceTestBase::SetUp();
517  ASSERT_TRUE(cache_root_dir_.CreateUniqueTempDir());
518  cache_root_dir_override_.reset(new base::ScopedPathOverride(
519      chromeos::DIR_DEVICE_LOCAL_ACCOUNT_EXTENSIONS,
520      cache_root_dir_.path()));
521
522  cache_dir_1_ = GetCacheDirectoryForAccountID(kAccount1);
523  cache_dir_2_ = GetCacheDirectoryForAccountID(kAccount2);
524  cache_dir_3_ = GetCacheDirectoryForAccountID(kAccount3);
525
526  em::StringList* forcelist = device_local_account_policy_.payload()
527      .mutable_extensioninstallforcelist()->mutable_value();
528  forcelist->add_entries(base::StringPrintf("%s;%s", kExtensionID, kUpdateURL));
529}
530
531base::FilePath DeviceLocalAccountPolicyExtensionCacheTest::
532    GetCacheDirectoryForAccountID(const std::string& account_id) {
533  return cache_root_dir_.path().Append(base::HexEncode(account_id.c_str(),
534                                                       account_id.size()));
535}
536
537// Verifies that during startup, orphaned cache directories are deleted,
538// cache directories belonging to an existing account are preserved and missing
539// cache directories are created. Also verifies that when startup is complete,
540// the caches for all existing accounts are running.
541TEST_F(DeviceLocalAccountPolicyExtensionCacheTest, Startup) {
542  base::FilePath test_data_dir;
543  ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &test_data_dir));
544  const base::FilePath source_crx_file =
545      test_data_dir.Append(kExtensionCRXPath);
546  const std::string target_crx_file_name =
547      base::StringPrintf("%s-%s.crx", kExtensionID, kExtensionVersion);
548
549  // Create and pre-populate a cache directory for account 1.
550  EXPECT_TRUE(base::CreateDirectory(cache_dir_1_));
551  EXPECT_TRUE(CopyFile(source_crx_file,
552                       cache_dir_1_.Append(target_crx_file_name)));
553
554  // Create and pre-populate a cache directory for account 3.
555  EXPECT_TRUE(base::CreateDirectory(cache_dir_3_));
556  EXPECT_TRUE(CopyFile(source_crx_file,
557                       cache_dir_3_.Append(target_crx_file_name)));
558
559  // Add accounts 1 and 2 to device policy.
560  InstallDeviceLocalAccountPolicy(kAccount1);
561  InstallDeviceLocalAccountPolicy(kAccount2);
562  AddDeviceLocalAccountToPolicy(kAccount1);
563  AddDeviceLocalAccountToPolicy(kAccount2);
564  InstallDevicePolicy();
565
566  // Create the DeviceLocalAccountPolicyService, allowing it to finish the
567  // deletion of orphaned cache directories.
568  CreatePolicyService();
569  FlushDeviceSettings();
570  extension_cache_task_runner_->RunUntilIdle();
571
572  // Verify that the cache directory for account 1 and its contents still exist.
573  EXPECT_TRUE(base::DirectoryExists(cache_dir_1_));
574  EXPECT_TRUE(ContentsEqual(source_crx_file,
575                            cache_dir_1_.Append(target_crx_file_name)));
576
577  // Verify that a cache directory for account 2 was created.
578  EXPECT_TRUE(base::DirectoryExists(cache_dir_2_));
579
580  // Verify that the cache directory for account 3 was deleted.
581  EXPECT_FALSE(base::DirectoryExists(cache_dir_3_));
582
583  // Verify that the cache for account 1 has been started.
584  DeviceLocalAccountPolicyBroker* broker =
585      service_->GetBrokerForUser(account_1_user_id_);
586  ASSERT_TRUE(broker);
587  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
588
589  // Verify that the cache for account 2 has been started.
590  broker = service_->GetBrokerForUser(account_2_user_id_);
591  ASSERT_TRUE(broker);
592  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
593}
594
595// Verifies that while the deletion of orphaned cache directories is in
596// progress, the caches for accounts which existed before the deletion started
597// are running but caches for newly added accounts are not started.
598TEST_F(DeviceLocalAccountPolicyExtensionCacheTest, RaceAgainstOrphanDeletion) {
599  // Add account 1 to device policy.
600  InstallDeviceLocalAccountPolicy(kAccount1);
601  AddDeviceLocalAccountToPolicy(kAccount1);
602  InstallDevicePolicy();
603
604  // Create the DeviceLocalAccountPolicyService, triggering the deletion of
605  // orphaned cache directories.
606  CreatePolicyService();
607  FlushDeviceSettings();
608
609  // Verify that the cache for account 1 has been started as it is unaffected by
610  // the orphan deletion.
611  DeviceLocalAccountPolicyBroker* broker =
612      service_->GetBrokerForUser(account_1_user_id_);
613  ASSERT_TRUE(broker);
614  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
615
616  // Add account 2 to device policy.
617  InstallDeviceLocalAccountPolicy(kAccount2);
618  AddDeviceLocalAccountToPolicy(kAccount2);
619  InstallDevicePolicy();
620
621  // Verify that the cache for account 2 has not been started yet as the orphan
622  // deletion is still in progress.
623  broker = service_->GetBrokerForUser(account_2_user_id_);
624  ASSERT_TRUE(broker);
625  EXPECT_FALSE(broker->extension_loader()->IsCacheRunning());
626
627  // Allow the orphan deletion to finish.
628  extension_cache_task_runner_->RunUntilIdle();
629  base::RunLoop().RunUntilIdle();
630
631  // Verify that the cache for account 2 has been started.
632  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
633}
634
635// Verifies that while the shutdown of a cache is in progress, no new cache is
636// started if an account with the same ID is re-added.
637TEST_F(DeviceLocalAccountPolicyExtensionCacheTest, RaceAgainstCacheShutdown) {
638  // Add account 1 to device policy.
639  InstallDeviceLocalAccountPolicy(kAccount1);
640  AddDeviceLocalAccountToPolicy(kAccount1);
641  InstallDevicePolicy();
642
643  // Create the DeviceLocalAccountPolicyService, allowing it to finish the
644  // deletion of orphaned cache directories.
645  CreatePolicyService();
646  FlushDeviceSettings();
647  extension_cache_task_runner_->RunUntilIdle();
648
649  // Remove account 1 from device policy, triggering a shutdown of its cache.
650  device_policy_.payload().mutable_device_local_accounts()->clear_account();
651  InstallDevicePolicy();
652
653  // Re-add account 1 to device policy.
654  AddDeviceLocalAccountToPolicy(kAccount1);
655  InstallDevicePolicy();
656
657  // Verify that the cache for account 1 has not been started yet as the
658  // shutdown of a previous cache for this account ID is still in progress.
659  DeviceLocalAccountPolicyBroker* broker =
660      service_->GetBrokerForUser(account_1_user_id_);
661  ASSERT_TRUE(broker);
662  EXPECT_FALSE(broker->extension_loader()->IsCacheRunning());
663
664  // Allow the cache shutdown to finish.
665  extension_cache_task_runner_->RunUntilIdle();
666  base::RunLoop().RunUntilIdle();
667
668  // Verify that the cache directory for account 1 still exists.
669  EXPECT_TRUE(base::DirectoryExists(cache_dir_1_));
670
671  // Verify that the cache for account 1 has been started, reusing the existing
672  // cache directory.
673  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
674}
675
676// Verifies that while the deletion of an obsolete cache directory is in
677// progress, no new cache is started if an account with the same ID is re-added.
678TEST_F(DeviceLocalAccountPolicyExtensionCacheTest,
679       RaceAgainstObsoleteDeletion) {
680  // Add account 1 to device policy.
681  InstallDeviceLocalAccountPolicy(kAccount1);
682  AddDeviceLocalAccountToPolicy(kAccount1);
683  InstallDevicePolicy();
684
685  // Create the DeviceLocalAccountPolicyService, allowing it to finish the
686  // deletion of orphaned cache directories.
687  CreatePolicyService();
688  FlushDeviceSettings();
689  extension_cache_task_runner_->RunUntilIdle();
690
691  // Remove account 1 from device policy, allowing the shutdown of its cache to
692  // finish and the deletion of its now obsolete cache directory to begin.
693  device_policy_.payload().mutable_device_local_accounts()->clear_account();
694  InstallDevicePolicy();
695  extension_cache_task_runner_->RunUntilIdle();
696  base::RunLoop().RunUntilIdle();
697
698  // Re-add account 1 to device policy.
699  AddDeviceLocalAccountToPolicy(kAccount1);
700  InstallDevicePolicy();
701
702  // Verify that the cache for account 1 has not been started yet as the
703  // deletion of the cache directory for this account ID is still in progress.
704  DeviceLocalAccountPolicyBroker* broker =
705      service_->GetBrokerForUser(account_1_user_id_);
706  ASSERT_TRUE(broker);
707  EXPECT_FALSE(broker->extension_loader()->IsCacheRunning());
708
709  // Allow the deletion to finish.
710  extension_cache_task_runner_->RunUntilIdle();
711  base::RunLoop().RunUntilIdle();
712
713  // Verify that the cache directory for account 1 was deleted.
714  EXPECT_FALSE(base::DirectoryExists(cache_dir_1_));
715
716  // Verify that the cache for account 1 has been started.
717  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
718}
719
720// Verifies that when an account is added and no deletion of cache directories
721// affecting this account is in progress, its cache is started immediately.
722TEST_F(DeviceLocalAccountPolicyExtensionCacheTest, AddAccount) {
723  // Create the DeviceLocalAccountPolicyService, allowing it to finish the
724  // deletion of orphaned cache directories.
725  InstallDevicePolicy();
726  CreatePolicyService();
727  FlushDeviceSettings();
728  extension_cache_task_runner_->RunUntilIdle();
729
730  // Add account 1 to device policy.
731  InstallDeviceLocalAccountPolicy(kAccount1);
732  AddDeviceLocalAccountToPolicy(kAccount1);
733  InstallDevicePolicy();
734
735  // Verify that the cache for account 1 has been started.
736  DeviceLocalAccountPolicyBroker* broker =
737      service_->GetBrokerForUser(account_1_user_id_);
738  ASSERT_TRUE(broker);
739  EXPECT_TRUE(broker->extension_loader()->IsCacheRunning());
740}
741
742// Verifies that when an account is removed, its cache directory is deleted.
743TEST_F(DeviceLocalAccountPolicyExtensionCacheTest, RemoveAccount) {
744  // Add account 1 to device policy.
745  InstallDeviceLocalAccountPolicy(kAccount1);
746  AddDeviceLocalAccountToPolicy(kAccount1);
747  InstallDevicePolicy();
748
749  // Create the DeviceLocalAccountPolicyService, allowing it to finish the
750  // deletion of orphaned cache directories.
751  CreatePolicyService();
752  FlushDeviceSettings();
753  extension_cache_task_runner_->RunUntilIdle();
754
755  // Verify that a cache directory has been created for account 1.
756  EXPECT_TRUE(base::DirectoryExists(cache_dir_1_));
757
758  // Remove account 1 from device policy, allowing the deletion of its now
759  // obsolete cache directory to finish.
760  device_policy_.payload().mutable_device_local_accounts()->clear_account();
761  InstallDevicePolicy();
762  extension_cache_task_runner_->RunUntilIdle();
763  base::RunLoop().RunUntilIdle();
764  extension_cache_task_runner_->RunUntilIdle();
765
766  // Verify that the cache directory for account 1 was deleted.
767  EXPECT_FALSE(base::DirectoryExists(cache_dir_1_));
768}
769
770class DeviceLocalAccountPolicyProviderTest
771    : public DeviceLocalAccountPolicyServiceTestBase {
772 protected:
773  DeviceLocalAccountPolicyProviderTest();
774
775  virtual void SetUp() OVERRIDE;
776  virtual void TearDown() OVERRIDE;
777
778  SchemaRegistry schema_registry_;
779  scoped_ptr<DeviceLocalAccountPolicyProvider> provider_;
780  MockConfigurationPolicyObserver provider_observer_;
781
782 private:
783  DISALLOW_COPY_AND_ASSIGN(DeviceLocalAccountPolicyProviderTest);
784};
785
786DeviceLocalAccountPolicyProviderTest::DeviceLocalAccountPolicyProviderTest() {
787  CreatePolicyService();
788  provider_ = DeviceLocalAccountPolicyProvider::Create(
789      GenerateDeviceLocalAccountUserId(kAccount1,
790                                       DeviceLocalAccount::TYPE_PUBLIC_SESSION),
791      service_.get());
792}
793
794void DeviceLocalAccountPolicyProviderTest::SetUp() {
795  DeviceLocalAccountPolicyServiceTestBase::SetUp();
796  provider_->Init(&schema_registry_);
797  provider_->AddObserver(&provider_observer_);
798
799  // Values implicitly enforced for public accounts.
800  expected_policy_map_.Set(key::kLidCloseAction,
801                           POLICY_LEVEL_MANDATORY,
802                           POLICY_SCOPE_MACHINE,
803                           new base::FundamentalValue(
804                               chromeos::PowerPolicyController::
805                                   ACTION_STOP_SESSION),
806                           NULL);
807  expected_policy_map_.Set(key::kShelfAutoHideBehavior,
808                           POLICY_LEVEL_MANDATORY,
809                           POLICY_SCOPE_MACHINE,
810                           new base::StringValue("Never"),
811                           NULL);
812  expected_policy_map_.Set(key::kShowLogoutButtonInTray,
813                           POLICY_LEVEL_MANDATORY,
814                           POLICY_SCOPE_MACHINE,
815                           new base::FundamentalValue(true),
816                           NULL);
817  expected_policy_map_.Set(key::kFullscreenAllowed,
818                           POLICY_LEVEL_MANDATORY,
819                           POLICY_SCOPE_MACHINE,
820                           new base::FundamentalValue(false),
821                           NULL);
822}
823
824void DeviceLocalAccountPolicyProviderTest::TearDown() {
825  provider_->RemoveObserver(&provider_observer_);
826  provider_->Shutdown();
827  provider_.reset();
828  DeviceLocalAccountPolicyServiceTestBase::TearDown();
829}
830
831TEST_F(DeviceLocalAccountPolicyProviderTest, Initialization) {
832  EXPECT_FALSE(provider_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
833
834  // Policy change should complete initialization.
835  InstallDeviceLocalAccountPolicy(kAccount1);
836  AddDeviceLocalAccountToPolicy(kAccount1);
837  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
838      .Times(AtLeast(1));
839  InstallDevicePolicy();
840  Mock::VerifyAndClearExpectations(&provider_observer_);
841
842  EXPECT_TRUE(provider_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
843
844  // The account disappearing should *not* flip the initialization flag back.
845  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
846      .Times(AnyNumber());
847  device_policy_.payload().mutable_device_local_accounts()->clear_account();
848  InstallDevicePolicy();
849  Mock::VerifyAndClearExpectations(&provider_observer_);
850
851  EXPECT_TRUE(provider_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
852}
853
854TEST_F(DeviceLocalAccountPolicyProviderTest, Policy) {
855  // Policy should load successfully.
856  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
857      .Times(AtLeast(1));
858  InstallDeviceLocalAccountPolicy(kAccount1);
859  AddDeviceLocalAccountToPolicy(kAccount1);
860  InstallDevicePolicy();
861  Mock::VerifyAndClearExpectations(&provider_observer_);
862
863  PolicyBundle expected_policy_bundle;
864  expected_policy_bundle.Get(PolicyNamespace(
865      POLICY_DOMAIN_CHROME, std::string())).CopyFrom(expected_policy_map_);
866  EXPECT_TRUE(expected_policy_bundle.Equals(provider_->policies()));
867
868  // Policy change should be reported.
869  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
870      .Times(AtLeast(1));
871  device_local_account_policy_.payload().mutable_disablespdy()->set_value(
872      false);
873  InstallDeviceLocalAccountPolicy(kAccount1);
874  DeviceLocalAccountPolicyBroker* broker =
875      service_->GetBrokerForUser(account_1_user_id_);
876  ASSERT_TRUE(broker);
877  broker->core()->store()->Load();
878  FlushDeviceSettings();
879  Mock::VerifyAndClearExpectations(&provider_observer_);
880
881  expected_policy_bundle.Get(
882      PolicyNamespace(POLICY_DOMAIN_CHROME, std::string()))
883      .Set(key::kDisableSpdy,
884           POLICY_LEVEL_MANDATORY,
885           POLICY_SCOPE_USER,
886           new base::FundamentalValue(false),
887           NULL);
888  EXPECT_TRUE(expected_policy_bundle.Equals(provider_->policies()));
889
890  // Any values set for the |ShelfAutoHideBehavior|, |ShowLogoutButtonInTray|
891  // and |ExtensionAllowedTypes| policies should be overridden.
892  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
893      .Times(AtLeast(1));
894  device_local_account_policy_.payload().mutable_shelfautohidebehavior()->
895      set_value("Always");
896  device_local_account_policy_.payload().mutable_showlogoutbuttonintray()->
897      set_value(false);
898  InstallDeviceLocalAccountPolicy(kAccount1);
899  broker->core()->store()->Load();
900  FlushDeviceSettings();
901  Mock::VerifyAndClearExpectations(&provider_observer_);
902  EXPECT_TRUE(expected_policy_bundle.Equals(provider_->policies()));
903
904  // Account disappears, policy should stay in effect.
905  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
906      .Times(AnyNumber());
907  device_policy_.payload().mutable_device_local_accounts()->clear_account();
908  InstallDevicePolicy();
909  Mock::VerifyAndClearExpectations(&provider_observer_);
910
911  EXPECT_TRUE(expected_policy_bundle.Equals(provider_->policies()));
912}
913
914TEST_F(DeviceLocalAccountPolicyProviderTest, RefreshPolicies) {
915  // If there's no device policy, the refresh completes immediately.
916  EXPECT_FALSE(service_->GetBrokerForUser(account_1_user_id_));
917  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
918      .Times(AtLeast(1));
919  provider_->RefreshPolicies();
920  Mock::VerifyAndClearExpectations(&provider_observer_);
921
922  // Make device settings appear.
923  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
924      .Times(AnyNumber());
925  AddDeviceLocalAccountToPolicy(kAccount1);
926  InstallDevicePolicy();
927  EXPECT_TRUE(service_->GetBrokerForUser(account_1_user_id_));
928
929  // If there's no cloud connection, refreshes are still immediate.
930  DeviceLocalAccountPolicyBroker* broker =
931      service_->GetBrokerForUser(account_1_user_id_);
932  ASSERT_TRUE(broker);
933  EXPECT_FALSE(broker->core()->client());
934  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
935      .Times(AtLeast(1));
936  provider_->RefreshPolicies();
937  Mock::VerifyAndClearExpectations(&provider_observer_);
938
939  // Bring up the cloud connection. The refresh scheduler may fire refreshes at
940  // this point which are not relevant for the test.
941  EXPECT_CALL(mock_device_management_service_, CreateJob(_, _))
942      .WillRepeatedly(
943          mock_device_management_service_.FailJob(DM_STATUS_REQUEST_FAILED));
944  EXPECT_CALL(mock_device_management_service_, StartJob(_, _, _, _, _, _, _))
945      .Times(AnyNumber());
946  service_->Connect(&mock_device_management_service_);
947  FlushDeviceSettings();
948  Mock::VerifyAndClearExpectations(&mock_device_management_service_);
949
950  // No callbacks until the refresh completes.
951  EXPECT_CALL(provider_observer_, OnUpdatePolicy(_)).Times(0);
952  MockDeviceManagementJob* request_job;
953  EXPECT_CALL(mock_device_management_service_, CreateJob(_, _))
954      .WillOnce(mock_device_management_service_.CreateAsyncJob(&request_job));
955  EXPECT_CALL(mock_device_management_service_, StartJob(_, _, _, _, _, _, _));
956  provider_->RefreshPolicies();
957  ReloadDeviceSettings();
958  Mock::VerifyAndClearExpectations(&provider_observer_);
959  Mock::VerifyAndClearExpectations(&mock_device_management_service_);
960  EXPECT_TRUE(provider_->IsInitializationComplete(POLICY_DOMAIN_CHROME));
961
962  // When the response comes in, it should propagate and fire the notification.
963  EXPECT_CALL(provider_observer_, OnUpdatePolicy(provider_.get()))
964      .Times(AtLeast(1));
965  ASSERT_TRUE(request_job);
966  em::DeviceManagementResponse response;
967  device_local_account_policy_.Build();
968  response.mutable_policy_response()->add_response()->CopyFrom(
969      device_local_account_policy_.policy());
970  request_job->SendResponse(DM_STATUS_SUCCESS, response);
971  FlushDeviceSettings();
972  Mock::VerifyAndClearExpectations(&provider_observer_);
973}
974
975}  // namespace policy
976