device_oauth2_token_service_unittest.cc revision 9ab5563a3196760eb381d102cbb2bc0f7abc6a50
1// Copyright 2013 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "chrome/browser/chromeos/settings/device_oauth2_token_service.h" 6 7#include "base/message_loop/message_loop.h" 8#include "base/prefs/testing_pref_service.h" 9#include "base/run_loop.h" 10#include "chrome/browser/signin/oauth2_token_service_test_util.h" 11#include "chrome/common/pref_names.h" 12#include "chrome/test/base/scoped_testing_local_state.h" 13#include "chrome/test/base/testing_browser_process.h" 14#include "chromeos/cryptohome/mock_cryptohome_library.h" 15#include "content/public/browser/browser_thread.h" 16#include "content/public/test/test_browser_thread.h" 17#include "google_apis/gaia/gaia_oauth_client.h" 18#include "net/http/http_status_code.h" 19#include "net/url_request/test_url_fetcher_factory.h" 20#include "net/url_request/url_fetcher_delegate.h" 21#include "net/url_request/url_request_test_util.h" 22#include "testing/gmock/include/gmock/gmock.h" 23#include "testing/gtest/include/gtest/gtest.h" 24 25using ::testing::_; 26using ::testing::AnyNumber; 27using ::testing::Return; 28using ::testing::StrEq; 29using ::testing::StrictMock; 30 31namespace chromeos { 32 33static const int kOAuthTokenServiceUrlFetcherId = 0; 34static const int kValidatorUrlFetcherId = gaia::GaiaOAuthClient::kUrlFetcherId; 35 36class TestDeviceOAuth2TokenService : public DeviceOAuth2TokenService { 37 public: 38 explicit TestDeviceOAuth2TokenService(net::URLRequestContextGetter* getter, 39 PrefService* local_state) 40 : DeviceOAuth2TokenService(getter, local_state) { 41 } 42 void SetRobotAccountIdPolicyValue(const std::string& id) { 43 robot_account_id_ = id; 44 } 45 46 protected: 47 // Skip calling into the policy subsystem and return our test value. 48 virtual std::string GetRobotAccountId() OVERRIDE { 49 return robot_account_id_; 50 } 51 52 private: 53 std::string robot_account_id_; 54 DISALLOW_COPY_AND_ASSIGN(TestDeviceOAuth2TokenService); 55}; 56 57class DeviceOAuth2TokenServiceTest : public testing::Test { 58 public: 59 DeviceOAuth2TokenServiceTest() 60 : ui_thread_(content::BrowserThread::UI, &message_loop_), 61 scoped_testing_local_state_(TestingBrowserProcess::GetGlobal()), 62 request_context_getter_(new net::TestURLRequestContextGetter( 63 message_loop_.message_loop_proxy())), 64 oauth2_service_(request_context_getter_.get(), 65 scoped_testing_local_state_.Get()) { 66 oauth2_service_.max_refresh_token_validation_retries_ = 0; 67 oauth2_service_.set_max_authorization_token_fetch_retries_for_testing(0); 68 } 69 virtual ~DeviceOAuth2TokenServiceTest() {} 70 71 // Most tests just want a noop crypto impl with a dummy refresh token value in 72 // Local State (if the value is an empty string, it will be ignored). 73 void SetUpDefaultValues() { 74 cryptohome_library_.reset(chromeos::CryptohomeLibrary::GetTestImpl()); 75 chromeos::CryptohomeLibrary::SetForTest(cryptohome_library_.get()); 76 SetDeviceRefreshTokenInLocalState("device_refresh_token_4_test"); 77 oauth2_service_.SetRobotAccountIdPolicyValue("service_acct@g.com"); 78 AssertConsumerTokensAndErrors(0, 0); 79 } 80 81 scoped_ptr<OAuth2TokenService::Request> StartTokenRequest() { 82 return oauth2_service_.StartRequest(std::set<std::string>(), &consumer_); 83 } 84 85 virtual void TearDown() OVERRIDE { 86 CryptohomeLibrary::SetForTest(NULL); 87 base::RunLoop().RunUntilIdle(); 88 } 89 90 // Utility method to set a value in Local State for the device refresh token 91 // (it must have a non-empty value or it won't be used). 92 void SetDeviceRefreshTokenInLocalState(const std::string& refresh_token) { 93 scoped_testing_local_state_.Get()->SetManagedPref( 94 prefs::kDeviceRobotAnyApiRefreshToken, 95 Value::CreateStringValue(refresh_token)); 96 } 97 98 std::string GetValidTokenInfoResponse(const std::string email) { 99 return "{ \"email\": \"" + email + "\"," 100 " \"user_id\": \"1234567890\" }"; 101 } 102 103 // A utility method to return fake URL results, for testing the refresh token 104 // validation logic. For a successful validation attempt, this method will be 105 // called three times for the steps listed below (steps 1 and 2 happen in 106 // parallel). 107 // 108 // Step 1a: fetch the access token for the tokeninfo API. 109 // Step 1b: call the tokeninfo API. 110 // Step 2: Fetch the access token for the requested scope 111 // (in this case, cloudprint). 112 void ReturnOAuthUrlFetchResults(int fetcher_id, 113 net::HttpStatusCode response_code, 114 const std::string& response_string); 115 116 void AssertConsumerTokensAndErrors(int num_tokens, int num_errors); 117 118 protected: 119 base::MessageLoop message_loop_; 120 content::TestBrowserThread ui_thread_; 121 ScopedTestingLocalState scoped_testing_local_state_; 122 scoped_refptr<net::TestURLRequestContextGetter> request_context_getter_; 123 net::TestURLFetcherFactory factory_; 124 TestDeviceOAuth2TokenService oauth2_service_; 125 TestingOAuth2TokenServiceConsumer consumer_; 126 scoped_ptr<chromeos::CryptohomeLibrary> cryptohome_library_; 127 128}; 129 130void DeviceOAuth2TokenServiceTest::ReturnOAuthUrlFetchResults( 131 int fetcher_id, 132 net::HttpStatusCode response_code, 133 const std::string& response_string) { 134 135 net::TestURLFetcher* fetcher = factory_.GetFetcherByID(fetcher_id); 136 ASSERT_TRUE(fetcher); 137 fetcher->set_response_code(response_code); 138 fetcher->SetResponseString(response_string); 139 fetcher->delegate()->OnURLFetchComplete(fetcher); 140} 141 142void DeviceOAuth2TokenServiceTest::AssertConsumerTokensAndErrors( 143 int num_tokens, 144 int num_errors) { 145 ASSERT_EQ(num_tokens, consumer_.number_of_successful_tokens_); 146 ASSERT_EQ(num_errors, consumer_.number_of_errors_); 147} 148 149TEST_F(DeviceOAuth2TokenServiceTest, SaveEncryptedToken) { 150 StrictMock<MockCryptohomeLibrary> mock_cryptohome_library; 151 CryptohomeLibrary::SetForTest(&mock_cryptohome_library); 152 153 EXPECT_CALL(mock_cryptohome_library, DecryptWithSystemSalt(StrEq(""))) 154 .Times(1) 155 .WillOnce(Return("")); 156 EXPECT_CALL(mock_cryptohome_library, 157 EncryptWithSystemSalt(StrEq("test-token"))) 158 .Times(1) 159 .WillOnce(Return("encrypted")); 160 EXPECT_CALL(mock_cryptohome_library, 161 DecryptWithSystemSalt(StrEq("encrypted"))) 162 .Times(1) 163 .WillOnce(Return("test-token")); 164 165 ASSERT_EQ("", oauth2_service_.GetRefreshToken()); 166 oauth2_service_.SetAndSaveRefreshToken("test-token"); 167 ASSERT_EQ("test-token", oauth2_service_.GetRefreshToken()); 168 169 // This call won't invoke decrypt again, since the value is cached. 170 ASSERT_EQ("test-token", oauth2_service_.GetRefreshToken()); 171} 172 173TEST_F(DeviceOAuth2TokenServiceTest, RefreshTokenValidation_Success) { 174 SetUpDefaultValues(); 175 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 176 177 ReturnOAuthUrlFetchResults( 178 kValidatorUrlFetcherId, 179 net::HTTP_OK, 180 GetValidTokenResponse("tokeninfo_access_token", 3600)); 181 182 ReturnOAuthUrlFetchResults( 183 kValidatorUrlFetcherId, 184 net::HTTP_OK, 185 GetValidTokenInfoResponse("service_acct@g.com")); 186 187 ReturnOAuthUrlFetchResults( 188 kOAuthTokenServiceUrlFetcherId, 189 net::HTTP_OK, 190 GetValidTokenResponse("scoped_access_token", 3600)); 191 192 AssertConsumerTokensAndErrors(1, 0); 193 194 EXPECT_EQ("scoped_access_token", consumer_.last_token_); 195} 196 197TEST_F(DeviceOAuth2TokenServiceTest, 198 RefreshTokenValidation_Failure_TokenInfoAccessTokenHttpError) { 199 SetUpDefaultValues(); 200 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 201 202 ReturnOAuthUrlFetchResults( 203 kValidatorUrlFetcherId, 204 net::HTTP_UNAUTHORIZED, 205 ""); 206 207 // TokenInfo API call skipped (error returned in previous step). 208 209 // CloudPrint access token fetch is successful, but consumer still given error 210 // due to bad refresh token. 211 ReturnOAuthUrlFetchResults( 212 kOAuthTokenServiceUrlFetcherId, 213 net::HTTP_OK, 214 GetValidTokenResponse("ignored_scoped_access_token", 3600)); 215 216 AssertConsumerTokensAndErrors(0, 1); 217} 218 219TEST_F(DeviceOAuth2TokenServiceTest, 220 RefreshTokenValidation_Failure_TokenInfoAccessTokenInvalidResponse) { 221 SetUpDefaultValues(); 222 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 223 224 ReturnOAuthUrlFetchResults( 225 kValidatorUrlFetcherId, 226 net::HTTP_OK, 227 "invalid response"); 228 229 // TokenInfo API call skipped (error returned in previous step). 230 231 ReturnOAuthUrlFetchResults( 232 kOAuthTokenServiceUrlFetcherId, 233 net::HTTP_OK, 234 GetValidTokenResponse("ignored_scoped_access_token", 3600)); 235 236 // CloudPrint access token fetch is successful, but consumer still given error 237 // due to bad refresh token. 238 AssertConsumerTokensAndErrors(0, 1); 239} 240 241TEST_F(DeviceOAuth2TokenServiceTest, 242 RefreshTokenValidation_Failure_TokenInfoApiCallHttpError) { 243 SetUpDefaultValues(); 244 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 245 246 ReturnOAuthUrlFetchResults( 247 kValidatorUrlFetcherId, 248 net::HTTP_OK, 249 GetValidTokenResponse("tokeninfo_access_token", 3600)); 250 251 ReturnOAuthUrlFetchResults( 252 kValidatorUrlFetcherId, 253 net::HTTP_INTERNAL_SERVER_ERROR, 254 ""); 255 256 ReturnOAuthUrlFetchResults( 257 kOAuthTokenServiceUrlFetcherId, 258 net::HTTP_OK, 259 GetValidTokenResponse("ignored_scoped_access_token", 3600)); 260 261 // CloudPrint access token fetch is successful, but consumer still given error 262 // due to bad refresh token. 263 AssertConsumerTokensAndErrors(0, 1); 264} 265 266TEST_F(DeviceOAuth2TokenServiceTest, 267 RefreshTokenValidation_Failure_TokenInfoApiCallInvalidResponse) { 268 SetUpDefaultValues(); 269 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 270 271 ReturnOAuthUrlFetchResults( 272 kValidatorUrlFetcherId, 273 net::HTTP_OK, 274 GetValidTokenResponse("tokeninfo_access_token", 3600)); 275 276 ReturnOAuthUrlFetchResults( 277 kValidatorUrlFetcherId, 278 net::HTTP_OK, 279 "invalid response"); 280 281 ReturnOAuthUrlFetchResults( 282 kOAuthTokenServiceUrlFetcherId, 283 net::HTTP_OK, 284 GetValidTokenResponse("ignored_scoped_access_token", 3600)); 285 286 // CloudPrint access token fetch is successful, but consumer still given error 287 // due to bad refresh token. 288 AssertConsumerTokensAndErrors(0, 1); 289} 290 291TEST_F(DeviceOAuth2TokenServiceTest, 292 RefreshTokenValidation_Failure_CloudPrintAccessTokenHttpError) { 293 SetUpDefaultValues(); 294 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 295 296 ReturnOAuthUrlFetchResults( 297 kValidatorUrlFetcherId, 298 net::HTTP_OK, 299 GetValidTokenResponse("tokeninfo_access_token", 3600)); 300 301 ReturnOAuthUrlFetchResults( 302 kValidatorUrlFetcherId, 303 net::HTTP_OK, 304 GetValidTokenInfoResponse("service_acct@g.com")); 305 306 ReturnOAuthUrlFetchResults( 307 kOAuthTokenServiceUrlFetcherId, 308 net::HTTP_BAD_REQUEST, 309 ""); 310 311 AssertConsumerTokensAndErrors(0, 1); 312} 313 314TEST_F(DeviceOAuth2TokenServiceTest, 315 RefreshTokenValidation_Failure_CloudPrintAccessTokenInvalidResponse) { 316 SetUpDefaultValues(); 317 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 318 319 ReturnOAuthUrlFetchResults( 320 kValidatorUrlFetcherId, 321 net::HTTP_OK, 322 GetValidTokenResponse("tokeninfo_access_token", 3600)); 323 324 ReturnOAuthUrlFetchResults( 325 kValidatorUrlFetcherId, 326 net::HTTP_OK, 327 GetValidTokenInfoResponse("service_acct@g.com")); 328 329 ReturnOAuthUrlFetchResults( 330 kOAuthTokenServiceUrlFetcherId, 331 net::HTTP_OK, 332 "invalid request"); 333 334 AssertConsumerTokensAndErrors(0, 1); 335} 336 337TEST_F(DeviceOAuth2TokenServiceTest, RefreshTokenValidation_Failure_BadOwner) { 338 SetUpDefaultValues(); 339 scoped_ptr<OAuth2TokenService::Request> request = StartTokenRequest(); 340 341 oauth2_service_.SetRobotAccountIdPolicyValue("WRONG_service_acct@g.com"); 342 343 // The requested token comes in before any of the validation calls complete, 344 // but the consumer still gets an error, since the results don't get returned 345 // until validation is over. 346 ReturnOAuthUrlFetchResults( 347 kOAuthTokenServiceUrlFetcherId, 348 net::HTTP_OK, 349 GetValidTokenResponse("ignored_scoped_access_token", 3600)); 350 AssertConsumerTokensAndErrors(0, 0); 351 352 ReturnOAuthUrlFetchResults( 353 kValidatorUrlFetcherId, 354 net::HTTP_OK, 355 GetValidTokenResponse("tokeninfo_access_token", 3600)); 356 AssertConsumerTokensAndErrors(0, 0); 357 358 ReturnOAuthUrlFetchResults( 359 kValidatorUrlFetcherId, 360 net::HTTP_OK, 361 GetValidTokenInfoResponse("service_acct@g.com")); 362 363 // All fetches were successful, but consumer still given error since 364 // the token owner doesn't match the policy value. 365 AssertConsumerTokensAndErrors(0, 1); 366} 367 368} // namespace chromeos 369