1// Copyright (c) 2012 The Chromium Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style license that can be 3// found in the LICENSE file. 4 5#include "base/files/file_path.h" 6#include "base/message_loop/message_loop.h" 7#include "base/message_loop/message_loop_proxy.h" 8#include "base/prefs/pref_service.h" 9#include "base/run_loop.h" 10#include "base/time/time.h" 11#include "chrome/browser/browser_process.h" 12#include "chrome/browser/chrome_notification_types.h" 13#include "chrome/browser/policy/cloud/user_cloud_policy_manager_factory.h" 14#include "chrome/browser/policy/cloud/user_policy_signin_service_factory.h" 15#include "chrome/browser/prefs/browser_prefs.h" 16#include "chrome/browser/profiles/profile.h" 17#include "chrome/browser/signin/fake_profile_oauth2_token_service.h" 18#include "chrome/browser/signin/fake_profile_oauth2_token_service_builder.h" 19#include "chrome/browser/signin/fake_signin_manager.h" 20#include "chrome/browser/signin/profile_oauth2_token_service_factory.h" 21#include "chrome/browser/signin/signin_manager_factory.h" 22#include "chrome/test/base/testing_browser_process.h" 23#include "chrome/test/base/testing_pref_service_syncable.h" 24#include "chrome/test/base/testing_profile.h" 25#include "components/policy/core/browser/browser_policy_connector.h" 26#include "components/policy/core/common/cloud/cloud_external_data_manager.h" 27#include "components/policy/core/common/cloud/cloud_policy_constants.h" 28#include "components/policy/core/common/cloud/mock_device_management_service.h" 29#include "components/policy/core/common/cloud/mock_user_cloud_policy_store.h" 30#include "components/policy/core/common/cloud/user_cloud_policy_manager.h" 31#include "components/policy/core/common/schema_registry.h" 32#include "components/signin/core/browser/signin_manager.h" 33#include "content/public/browser/browser_context.h" 34#include "content/public/browser/notification_details.h" 35#include "content/public/browser/notification_service.h" 36#include "content/public/browser/notification_source.h" 37#include "content/public/test/test_browser_thread_bundle.h" 38#include "google_apis/gaia/gaia_constants.h" 39#include "google_apis/gaia/google_service_auth_error.h" 40#include "net/http/http_status_code.h" 41#include "net/url_request/test_url_fetcher_factory.h" 42#include "net/url_request/url_request_context_getter.h" 43#include "net/url_request/url_request_status.h" 44#include "net/url_request/url_request_test_util.h" 45#include "testing/gmock/include/gmock/gmock.h" 46#include "testing/gtest/include/gtest/gtest.h" 47 48#if defined(OS_ANDROID) 49#include "chrome/browser/policy/cloud/user_policy_signin_service_mobile.h" 50#else 51#include "chrome/browser/policy/cloud/user_policy_signin_service.h" 52#endif 53 54namespace em = enterprise_management; 55 56using testing::AnyNumber; 57using testing::Mock; 58using testing::_; 59 60namespace policy { 61 62namespace { 63 64const char kTestUser[] = "testuser@test.com"; 65 66#if !defined(OS_ANDROID) 67const char kValidTokenResponse[] = 68 "{" 69 " \"access_token\": \"at1\"," 70 " \"expires_in\": 3600," 71 " \"token_type\": \"Bearer\"" 72 "}"; 73#endif 74 75const char kHostedDomainResponse[] = 76 "{" 77 " \"hd\": \"test.com\"" 78 "}"; 79 80class SigninManagerFake : public FakeSigninManager { 81 public: 82 explicit SigninManagerFake(Profile* profile) 83 : FakeSigninManager(profile) { 84 Initialize(NULL); 85 } 86 87 void ForceSignOut() { 88 // Allow signing out now. 89 prohibit_signout_ = false; 90 SignOut(signin_metrics::SIGNOUT_TEST); 91 } 92 93 static KeyedService* Build(content::BrowserContext* profile) { 94 return new SigninManagerFake(static_cast<Profile*>(profile)); 95 } 96}; 97 98UserCloudPolicyManager* BuildCloudPolicyManager( 99 content::BrowserContext* context) { 100 MockUserCloudPolicyStore *store = new MockUserCloudPolicyStore(); 101 EXPECT_CALL(*store, Load()).Times(AnyNumber()); 102 103 return new UserCloudPolicyManager( 104 scoped_ptr<UserCloudPolicyStore>(store), 105 base::FilePath(), 106 scoped_ptr<CloudExternalDataManager>(), 107 base::MessageLoopProxy::current(), 108 base::MessageLoopProxy::current(), 109 base::MessageLoopProxy::current()); 110} 111 112class UserPolicySigninServiceTest : public testing::Test { 113 public: 114 UserPolicySigninServiceTest() 115 : mock_store_(NULL), 116 thread_bundle_(content::TestBrowserThreadBundle::IO_MAINLOOP), 117 register_completed_(false) {} 118 119 MOCK_METHOD1(OnPolicyRefresh, void(bool)); 120 121 void OnRegisterCompleted(const std::string& dm_token, 122 const std::string& client_id) { 123 register_completed_ = true; 124 dm_token_ = dm_token; 125 client_id_ = client_id; 126 } 127 128 void RegisterPolicyClientWithCallback(UserPolicySigninService* service) { 129 // Policy client registration on Android depends on Token Service having 130 // a valid login token, while on other platforms, the login refresh token 131 // is specified directly. 132#if defined(OS_ANDROID) 133 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 134 "oauth2_login_refresh_token"); 135#endif 136 service->RegisterForPolicy( 137 kTestUser, 138#if !defined(OS_ANDROID) 139 "mock_oauth_token", 140#endif 141 base::Bind(&UserPolicySigninServiceTest::OnRegisterCompleted, 142 base::Unretained(this))); 143 ASSERT_TRUE(IsRequestActive()); 144 } 145 146 virtual void SetUp() OVERRIDE { 147 UserPolicySigninServiceFactory::SetDeviceManagementServiceForTesting( 148 &device_management_service_); 149 150 local_state_.reset(new TestingPrefServiceSimple); 151 chrome::RegisterLocalState(local_state_->registry()); 152 system_request_context_getter_ = new net::TestURLRequestContextGetter( 153 base::MessageLoopProxy::current()); 154 TestingBrowserProcess::GetGlobal()->SetSystemRequestContext( 155 system_request_context_getter_.get()); 156 TestingBrowserProcess::GetGlobal()->SetLocalState(local_state_.get()); 157 158 g_browser_process->browser_policy_connector()->Init( 159 local_state_.get(), system_request_context_getter_); 160 161 // Create a testing profile with cloud-policy-on-signin enabled, and bring 162 // up a UserCloudPolicyManager with a MockUserCloudPolicyStore. 163 scoped_ptr<TestingPrefServiceSyncable> prefs( 164 new TestingPrefServiceSyncable()); 165 chrome::RegisterUserProfilePrefs(prefs->registry()); 166 167 // UserCloudPolicyManagerFactory isn't a real 168 // BrowserContextKeyedServiceFactory (it derives from 169 // BrowserContextKeyedBaseFactory and exposes its own APIs to get 170 // instances) so we have to inject our testing factory via a special 171 // API before creating the profile. 172 UserCloudPolicyManagerFactory::GetInstance()->RegisterTestingFactory( 173 BuildCloudPolicyManager); 174 TestingProfile::Builder builder; 175 builder.SetPrefService(scoped_ptr<PrefServiceSyncable>(prefs.Pass())); 176 builder.AddTestingFactory(SigninManagerFactory::GetInstance(), 177 SigninManagerFake::Build); 178 builder.AddTestingFactory(ProfileOAuth2TokenServiceFactory::GetInstance(), 179 BuildFakeProfileOAuth2TokenService); 180 181 profile_ = builder.Build().Pass(); 182 url_factory_.set_remove_fetcher_on_delete(true); 183 184 signin_manager_ = static_cast<SigninManagerFake*>( 185 SigninManagerFactory::GetForProfile(profile_.get())); 186 // Tests are responsible for freeing the UserCloudPolicyManager instances 187 // they inject. 188 manager_.reset(UserCloudPolicyManagerFactory::GetForBrowserContext( 189 profile_.get())); 190 manager_->Init(&schema_registry_); 191 mock_store_ = static_cast<MockUserCloudPolicyStore*>( 192 manager_->core()->store()); 193 DCHECK(mock_store_); 194 AddProfile(); 195 196 Mock::VerifyAndClearExpectations(mock_store_); 197 } 198 199 virtual void TearDown() OVERRIDE { 200 UserPolicySigninServiceFactory::SetDeviceManagementServiceForTesting(NULL); 201 UserCloudPolicyManagerFactory::GetInstance()->ClearTestingFactory(); 202 // Free the profile before we clear out the browser prefs. 203 profile_.reset(); 204 TestingBrowserProcess* testing_browser_process = 205 TestingBrowserProcess::GetGlobal(); 206 testing_browser_process->SetLocalState(NULL); 207 local_state_.reset(); 208 testing_browser_process->SetBrowserPolicyConnector(NULL); 209 base::RunLoop run_loop; 210 run_loop.RunUntilIdle(); 211 } 212 213 virtual void AddProfile() { 214 // For this test, the user should not be signed in yet. 215 DCHECK(!signin_manager_->IsAuthenticated()); 216 217 // Initializing UserPolicySigninService while the user is not signed in 218 // should result in the store being cleared to remove any lingering policy. 219 EXPECT_CALL(*mock_store_, Clear()); 220 221 // Let the SigninService know that the profile has been created. 222 content::NotificationService::current()->Notify( 223 chrome::NOTIFICATION_PROFILE_ADDED, 224 content::Source<Profile>(profile_.get()), 225 content::NotificationService::NoDetails()); 226 } 227 228 FakeProfileOAuth2TokenService* GetTokenService() { 229 ProfileOAuth2TokenService* service = 230 ProfileOAuth2TokenServiceFactory::GetForProfile(profile_.get()); 231 return static_cast<FakeProfileOAuth2TokenService*>(service); 232 } 233 234 bool IsRequestActive() { 235 if (!GetTokenService()->GetPendingRequests().empty()) 236 return true; 237 return url_factory_.GetFetcherByID(0); 238 } 239 240 void MakeOAuthTokenFetchSucceed() { 241 ASSERT_TRUE(IsRequestActive()); 242#if defined(OS_ANDROID) 243 GetTokenService()->IssueTokenForAllPendingRequests("access_token", 244 base::Time::Now()); 245#else 246 net::TestURLFetcher* fetcher = url_factory_.GetFetcherByID(0); 247 fetcher->set_response_code(net::HTTP_OK); 248 fetcher->SetResponseString(kValidTokenResponse); 249 fetcher->delegate()->OnURLFetchComplete(fetcher); 250#endif 251 } 252 253 void ReportHostedDomainStatus(bool is_hosted_domain) { 254 ASSERT_TRUE(IsRequestActive()); 255 net::TestURLFetcher* fetcher = url_factory_.GetFetcherByID(0); 256 fetcher->set_response_code(net::HTTP_OK); 257 fetcher->SetResponseString(is_hosted_domain ? kHostedDomainResponse : "{}"); 258 fetcher->delegate()->OnURLFetchComplete(fetcher); 259 } 260 261 void TestSuccessfulSignin() { 262 UserPolicySigninService* signin_service = 263 UserPolicySigninServiceFactory::GetForProfile(profile_.get()); 264 EXPECT_CALL(*this, OnPolicyRefresh(true)).Times(0); 265 RegisterPolicyClientWithCallback(signin_service); 266 267 // Mimic successful oauth token fetch. 268 MakeOAuthTokenFetchSucceed(); 269 270 // When the user is from a hosted domain, this should kick off client 271 // registration. 272 MockDeviceManagementJob* register_request = NULL; 273 EXPECT_CALL(device_management_service_, 274 CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION, _)) 275 .WillOnce(device_management_service_.CreateAsyncJob( 276 ®ister_request)); 277 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 278 .Times(1); 279 280 // Now mimic the user being a hosted domain - this should cause a Register() 281 // call. 282 ReportHostedDomainStatus(true); 283 284 // Should have no more outstanding requests. 285 ASSERT_FALSE(IsRequestActive()); 286 Mock::VerifyAndClearExpectations(this); 287 ASSERT_TRUE(register_request); 288 289 // Mimic successful client registration - this should register the client 290 // and invoke the callback. 291 em::DeviceManagementResponse registration_blob; 292 std::string expected_dm_token = "dm_token"; 293 registration_blob.mutable_register_response()->set_device_management_token( 294 expected_dm_token); 295 registration_blob.mutable_register_response()->set_enrollment_type( 296 em::DeviceRegisterResponse::ENTERPRISE); 297 register_request->SendResponse(DM_STATUS_SUCCESS, registration_blob); 298 299 // UserCloudPolicyManager should not be initialized yet. 300 ASSERT_FALSE(manager_->core()->service()); 301 EXPECT_TRUE(register_completed_); 302 EXPECT_EQ(dm_token_, expected_dm_token); 303 304 // Now call to fetch policy - this should fire off a fetch request. 305 MockDeviceManagementJob* fetch_request = NULL; 306 EXPECT_CALL(device_management_service_, 307 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _)) 308 .WillOnce(device_management_service_.CreateAsyncJob(&fetch_request)); 309 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 310 .Times(1); 311 312 signin_service->FetchPolicyForSignedInUser( 313 kTestUser, 314 dm_token_, 315 client_id_, 316 profile_->GetRequestContext(), 317 base::Bind(&UserPolicySigninServiceTest::OnPolicyRefresh, 318 base::Unretained(this))); 319 320 Mock::VerifyAndClearExpectations(this); 321 ASSERT_TRUE(fetch_request); 322 323 // UserCloudPolicyManager should now be initialized. 324 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 325 ASSERT_TRUE(manager_->core()->service()); 326 327 // Make the policy fetch succeed - this should result in a write to the 328 // store and ultimately result in a call to OnPolicyRefresh(). 329 EXPECT_CALL(*mock_store_, Store(_)); 330 EXPECT_CALL(*this, OnPolicyRefresh(true)).Times(1); 331 332 // Create a fake policy blob to deliver to the client. 333 em::DeviceManagementResponse policy_blob; 334 em::PolicyData policy_data; 335 policy_data.set_policy_type(dm_protocol::kChromeUserPolicyType); 336 em::PolicyFetchResponse* policy_response = 337 policy_blob.mutable_policy_response()->add_response(); 338 ASSERT_TRUE(policy_data.SerializeToString( 339 policy_response->mutable_policy_data())); 340 fetch_request->SendResponse(DM_STATUS_SUCCESS, policy_blob); 341 342 // Complete the store which should cause the policy fetch callback to be 343 // invoked. 344 mock_store_->NotifyStoreLoaded(); 345 Mock::VerifyAndClearExpectations(this); 346 } 347 348 scoped_ptr<TestingProfile> profile_; 349 MockUserCloudPolicyStore* mock_store_; // Not owned. 350 SchemaRegistry schema_registry_; 351 scoped_ptr<UserCloudPolicyManager> manager_; 352 353 // BrowserPolicyConnector and UrlFetcherFactory want to initialize and free 354 // various components asynchronously via tasks, so create fake threads here. 355 content::TestBrowserThreadBundle thread_bundle_; 356 357 net::TestURLFetcherFactory url_factory_; 358 359 SigninManagerFake* signin_manager_; 360 361 // Used in conjunction with OnRegisterCompleted() to test client registration 362 // callbacks. 363 std::string dm_token_; 364 std::string client_id_; 365 366 // True if OnRegisterCompleted() was called. 367 bool register_completed_; 368 369 // Weak ptr to the MockDeviceManagementService (object is owned by the 370 // BrowserPolicyConnector). 371 MockDeviceManagementService device_management_service_; 372 373 scoped_ptr<TestingPrefServiceSimple> local_state_; 374 scoped_refptr<net::URLRequestContextGetter> system_request_context_getter_; 375}; 376 377class UserPolicySigninServiceSignedInTest : public UserPolicySigninServiceTest { 378 public: 379 virtual void AddProfile() OVERRIDE { 380 // UserCloudPolicyManager should not be initialized. 381 ASSERT_FALSE(manager_->core()->service()); 382 383 // Set the user as signed in. 384 SigninManagerFactory::GetForProfile(profile_.get())-> 385 SetAuthenticatedUsername(kTestUser); 386 387 // Let the SigninService know that the profile has been created. 388 content::NotificationService::current()->Notify( 389 chrome::NOTIFICATION_PROFILE_ADDED, 390 content::Source<Profile>(profile_.get()), 391 content::NotificationService::NoDetails()); 392 } 393}; 394 395TEST_F(UserPolicySigninServiceTest, InitWhileSignedOut) { 396 // Make sure user is not signed in. 397 ASSERT_FALSE(SigninManagerFactory::GetForProfile(profile_.get())-> 398 IsAuthenticated()); 399 400 // UserCloudPolicyManager should not be initialized. 401 ASSERT_FALSE(manager_->core()->service()); 402} 403 404 // TODO(joaodasilva): these tests rely on issuing the OAuth2 login refresh 405 // token after signin. Revisit this after figuring how to handle that on 406 // Android. 407#if !defined(OS_ANDROID) 408 409TEST_F(UserPolicySigninServiceSignedInTest, InitWhileSignedIn) { 410 // UserCloudPolicyManager should be initialized. 411 ASSERT_TRUE(manager_->core()->service()); 412 413 // Complete initialization of the store. 414 mock_store_->NotifyStoreLoaded(); 415 416 // No oauth access token yet, so client registration should be deferred. 417 ASSERT_FALSE(IsRequestActive()); 418 419 // Make oauth token available. 420 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 421 "oauth_login_refresh_token"); 422 423 // Client registration should be in progress since we now have an oauth token. 424 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 425 ASSERT_TRUE(IsRequestActive()); 426} 427 428TEST_F(UserPolicySigninServiceSignedInTest, InitWhileSignedInOAuthError) { 429 // UserCloudPolicyManager should be initialized. 430 ASSERT_TRUE(manager_->core()->service()); 431 432 // Complete initialization of the store. 433 mock_store_->NotifyStoreLoaded(); 434 435 // No oauth access token yet, so client registration should be deferred. 436 ASSERT_FALSE(IsRequestActive()); 437 438 // Make oauth token available. 439 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 440 "oauth_login_refresh_token"); 441 442 // Client registration should be in progress since we now have an oauth token. 443 ASSERT_TRUE(IsRequestActive()); 444 445 // Now fail the access token fetch. 446 GoogleServiceAuthError error( 447 GoogleServiceAuthError::INVALID_GAIA_CREDENTIALS); 448 GetTokenService()->IssueErrorForAllPendingRequests(error); 449 ASSERT_FALSE(IsRequestActive()); 450} 451 452TEST_F(UserPolicySigninServiceTest, SignInAfterInit) { 453 // UserCloudPolicyManager should not be initialized since there is no 454 // signed-in user. 455 ASSERT_FALSE(manager_->core()->service()); 456 457 // Now sign in the user. 458 SigninManagerFactory::GetForProfile(profile_.get())->SetAuthenticatedUsername( 459 kTestUser); 460 461 // Complete initialization of the store. 462 mock_store_->NotifyStoreLoaded(); 463 464 // Make oauth token available. 465 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 466 "oauth_login_refresh_token"); 467 468 // UserCloudPolicyManager should be initialized. 469 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 470 ASSERT_TRUE(manager_->core()->service()); 471 472 // Client registration should be in progress since we have an oauth token. 473 ASSERT_TRUE(IsRequestActive()); 474} 475 476TEST_F(UserPolicySigninServiceTest, SignInWithNonEnterpriseUser) { 477 // UserCloudPolicyManager should not be initialized since there is no 478 // signed-in user. 479 ASSERT_FALSE(manager_->core()->service()); 480 481 // Now sign in a non-enterprise user (blacklisted gmail.com domain). 482 SigninManagerFactory::GetForProfile(profile_.get())->SetAuthenticatedUsername( 483 "non_enterprise_user@gmail.com"); 484 485 // Complete initialization of the store. 486 mock_store_->NotifyStoreLoaded(); 487 488 // Make oauth token available. 489 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 490 "oauth_login_refresh_token"); 491 492 // UserCloudPolicyManager should not be initialized and there should be no 493 // DMToken request active. 494 ASSERT_TRUE(!manager_->core()->service()); 495 ASSERT_FALSE(IsRequestActive()); 496} 497 498TEST_F(UserPolicySigninServiceTest, UnregisteredClient) { 499 // UserCloudPolicyManager should not be initialized since there is no 500 // signed-in user. 501 ASSERT_FALSE(manager_->core()->service()); 502 503 // Now sign in the user. 504 SigninManagerFactory::GetForProfile(profile_.get())->SetAuthenticatedUsername( 505 kTestUser); 506 507 // Make oauth token available. 508 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 509 "oauth_login_refresh_token"); 510 511 // UserCloudPolicyManager should be initialized. 512 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 513 ASSERT_TRUE(manager_->core()->service()); 514 515 // Client registration should not be in progress since the store is not 516 // yet initialized. 517 ASSERT_FALSE(IsRequestActive()); 518 519 // Complete initialization of the store with no policy (unregistered client). 520 mock_store_->NotifyStoreLoaded(); 521 522 // Client registration should be in progress since we have an oauth token. 523 ASSERT_TRUE(IsRequestActive()); 524} 525 526TEST_F(UserPolicySigninServiceTest, RegisteredClient) { 527 // UserCloudPolicyManager should not be initialized since there is no 528 // signed-in user. 529 ASSERT_FALSE(manager_->core()->service()); 530 531 // Now sign in the user. 532 SigninManagerFactory::GetForProfile(profile_.get())->SetAuthenticatedUsername( 533 kTestUser); 534 535 // Make oauth token available. 536 GetTokenService()->IssueRefreshTokenForUser(kTestUser, 537 "oauth_login_refresh_token"); 538 539 // UserCloudPolicyManager should be initialized. 540 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 541 ASSERT_TRUE(manager_->core()->service()); 542 543 // Client registration should not be in progress since the store is not 544 // yet initialized. 545 ASSERT_FALSE(manager_->IsClientRegistered()); 546 ASSERT_FALSE(IsRequestActive()); 547 548 mock_store_->policy_.reset(new enterprise_management::PolicyData()); 549 mock_store_->policy_->set_request_token("fake token"); 550 mock_store_->policy_->set_device_id("fake client id"); 551 552 // Complete initialization of the store. 553 mock_store_->NotifyStoreLoaded(); 554 555 // Client registration should not be in progress since the client should be 556 // already registered. 557 ASSERT_TRUE(manager_->IsClientRegistered()); 558 ASSERT_FALSE(IsRequestActive()); 559} 560 561#endif // !defined(OS_ANDROID) 562 563TEST_F(UserPolicySigninServiceSignedInTest, SignOutAfterInit) { 564 // UserCloudPolicyManager should be initialized. 565 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 566 ASSERT_TRUE(manager_->core()->service()); 567 568 // Signing out will clear the policy from the store. 569 EXPECT_CALL(*mock_store_, Clear()); 570 571 // Now sign out. 572 SigninManagerFactory::GetForProfile(profile_.get())->SignOut( 573 signin_metrics::SIGNOUT_TEST); 574 575 // UserCloudPolicyManager should be shut down. 576 ASSERT_FALSE(manager_->core()->service()); 577} 578 579TEST_F(UserPolicySigninServiceTest, RegisterPolicyClientOAuthFailure) { 580 UserPolicySigninService* signin_service = 581 UserPolicySigninServiceFactory::GetForProfile(profile_.get()); 582 RegisterPolicyClientWithCallback(signin_service); 583 Mock::VerifyAndClearExpectations(this); 584 585 // UserCloudPolicyManager should not be initialized. 586 ASSERT_FALSE(manager_->core()->service()); 587 ASSERT_TRUE(IsRequestActive()); 588 EXPECT_FALSE(register_completed_); 589 590 // Cause the access token fetch to fail - callback should be invoked. 591#if defined(OS_ANDROID) 592 ASSERT_TRUE(!GetTokenService()->GetPendingRequests().empty()); 593 GetTokenService()->IssueErrorForAllPendingRequests( 594 GoogleServiceAuthError::FromServiceError("fail")); 595#else 596 net::TestURLFetcher* fetcher = url_factory_.GetFetcherByID(0); 597 fetcher->set_status(net::URLRequestStatus(net::URLRequestStatus::FAILED, -1)); 598 fetcher->delegate()->OnURLFetchComplete(fetcher); 599#endif 600 601 EXPECT_TRUE(register_completed_); 602 EXPECT_TRUE(dm_token_.empty()); 603 EXPECT_FALSE(IsRequestActive()); 604} 605 606TEST_F(UserPolicySigninServiceTest, RegisterPolicyClientNonHostedDomain) { 607 UserPolicySigninService* signin_service = 608 UserPolicySigninServiceFactory::GetForProfile(profile_.get()); 609 RegisterPolicyClientWithCallback(signin_service); 610 611 // UserCloudPolicyManager should not be initialized. 612 ASSERT_FALSE(manager_->core()->service()); 613 ASSERT_TRUE(IsRequestActive()); 614 615 // Cause the access token request to succeed. 616 MakeOAuthTokenFetchSucceed(); 617 618 // Should be a follow-up fetch to check the hosted-domain status. 619 ASSERT_TRUE(IsRequestActive()); 620 Mock::VerifyAndClearExpectations(this); 621 622 EXPECT_FALSE(register_completed_); 623 624 // Report that the user is not on a hosted domain - callback should be 625 // invoked reporting a failed fetch. 626 ReportHostedDomainStatus(false); 627 628 // Since this is not a hosted domain, we should not issue a request for a 629 // DMToken. 630 EXPECT_TRUE(register_completed_); 631 EXPECT_TRUE(dm_token_.empty()); 632 ASSERT_FALSE(IsRequestActive()); 633} 634 635TEST_F(UserPolicySigninServiceTest, RegisterPolicyClientFailedRegistration) { 636 UserPolicySigninService* signin_service = 637 UserPolicySigninServiceFactory::GetForProfile(profile_.get()); 638 RegisterPolicyClientWithCallback(signin_service); 639 640 // UserCloudPolicyManager should not be initialized. 641 ASSERT_FALSE(manager_->core()->service()); 642 643 // Mimic successful oauth token fetch. 644 MakeOAuthTokenFetchSucceed(); 645 646 EXPECT_FALSE(register_completed_); 647 648 // When the user is from a hosted domain, this should kick off client 649 // registration. 650 MockDeviceManagementJob* register_request = NULL; 651 EXPECT_CALL(device_management_service_, 652 CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION, _)) 653 .WillOnce(device_management_service_.CreateAsyncJob(®ister_request)); 654 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 655 .Times(1); 656 657 // Now mimic the user being a hosted domain - this should cause a Register() 658 // call. 659 ReportHostedDomainStatus(true); 660 661 // Should have no more outstanding requests. 662 ASSERT_FALSE(IsRequestActive()); 663 Mock::VerifyAndClearExpectations(this); 664 ASSERT_TRUE(register_request); 665 EXPECT_FALSE(register_completed_); 666 667 // Make client registration fail (hosted domain user that is not managed). 668 register_request->SendResponse(DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED, 669 em::DeviceManagementResponse()); 670 EXPECT_TRUE(register_completed_); 671 EXPECT_TRUE(dm_token_.empty()); 672} 673 674TEST_F(UserPolicySigninServiceTest, RegisterPolicyClientSucceeded) { 675 UserPolicySigninService* signin_service = 676 UserPolicySigninServiceFactory::GetForProfile(profile_.get()); 677 RegisterPolicyClientWithCallback(signin_service); 678 679 // Mimic successful oauth token fetch. 680 MakeOAuthTokenFetchSucceed(); 681 682 // When the user is from a hosted domain, this should kick off client 683 // registration. 684 MockDeviceManagementJob* register_request = NULL; 685 EXPECT_CALL(device_management_service_, 686 CreateJob(DeviceManagementRequestJob::TYPE_REGISTRATION, _)) 687 .WillOnce(device_management_service_.CreateAsyncJob(®ister_request)); 688 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 689 .Times(1); 690 691 // Now mimic the user being a hosted domain - this should cause a Register() 692 // call. 693 ReportHostedDomainStatus(true); 694 695 // Should have no more outstanding requests. 696 ASSERT_FALSE(IsRequestActive()); 697 Mock::VerifyAndClearExpectations(this); 698 ASSERT_TRUE(register_request); 699 EXPECT_FALSE(register_completed_); 700 701 em::DeviceManagementResponse registration_blob; 702 std::string expected_dm_token = "dm_token"; 703 registration_blob.mutable_register_response()->set_device_management_token( 704 expected_dm_token); 705 registration_blob.mutable_register_response()->set_enrollment_type( 706 em::DeviceRegisterResponse::ENTERPRISE); 707 register_request->SendResponse(DM_STATUS_SUCCESS, registration_blob); 708 Mock::VerifyAndClearExpectations(this); 709 EXPECT_TRUE(register_completed_); 710 EXPECT_EQ(dm_token_, expected_dm_token); 711 // UserCloudPolicyManager should not be initialized. 712 ASSERT_FALSE(manager_->core()->service()); 713} 714 715TEST_F(UserPolicySigninServiceTest, FetchPolicyFailed) { 716 // Initiate a policy fetch request. 717 MockDeviceManagementJob* fetch_request = NULL; 718 EXPECT_CALL(device_management_service_, 719 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _)) 720 .WillOnce(device_management_service_.CreateAsyncJob(&fetch_request)); 721 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 722 .Times(1); 723 UserPolicySigninService* signin_service = 724 UserPolicySigninServiceFactory::GetForProfile(profile_.get()); 725 signin_service->FetchPolicyForSignedInUser( 726 kTestUser, 727 "mock_dm_token", 728 "mock_client_id", 729 profile_->GetRequestContext(), 730 base::Bind(&UserPolicySigninServiceTest::OnPolicyRefresh, 731 base::Unretained(this))); 732 ASSERT_TRUE(fetch_request); 733 734 // Make the policy fetch fail. 735 EXPECT_CALL(*this, OnPolicyRefresh(false)).Times(1); 736 fetch_request->SendResponse(DM_STATUS_REQUEST_FAILED, 737 em::DeviceManagementResponse()); 738 739 // UserCloudPolicyManager should be initialized. 740 EXPECT_EQ(mock_store_->signin_username_, kTestUser); 741 ASSERT_TRUE(manager_->core()->service()); 742} 743 744TEST_F(UserPolicySigninServiceTest, FetchPolicySuccess) { 745 ASSERT_NO_FATAL_FAILURE(TestSuccessfulSignin()); 746} 747 748TEST_F(UserPolicySigninServiceTest, SignOutThenSignInAgain) { 749 ASSERT_NO_FATAL_FAILURE(TestSuccessfulSignin()); 750 751 EXPECT_CALL(*mock_store_, Clear()); 752 signin_manager_->ForceSignOut(); 753 ASSERT_FALSE(manager_->core()->service()); 754 755 // Now sign in again. 756 ASSERT_NO_FATAL_FAILURE(TestSuccessfulSignin()); 757} 758 759TEST_F(UserPolicySigninServiceTest, PolicyFetchFailureTemporary) { 760 ASSERT_NO_FATAL_FAILURE(TestSuccessfulSignin()); 761 762 ASSERT_TRUE(manager_->IsClientRegistered()); 763 764 // Kick off another policy fetch. 765 MockDeviceManagementJob* fetch_request = NULL; 766 EXPECT_CALL(device_management_service_, 767 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _)) 768 .WillOnce(device_management_service_.CreateAsyncJob(&fetch_request)); 769 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 770 .Times(1); 771 manager_->RefreshPolicies(); 772 Mock::VerifyAndClearExpectations(this); 773 774 // Now, fake a transient error from the server on this policy fetch. This 775 // should have no impact on the cached policy. 776 fetch_request->SendResponse(DM_STATUS_REQUEST_FAILED, 777 em::DeviceManagementResponse()); 778 base::RunLoop().RunUntilIdle(); 779 ASSERT_TRUE(manager_->IsClientRegistered()); 780} 781 782TEST_F(UserPolicySigninServiceTest, PolicyFetchFailureDisableManagement) { 783 ASSERT_NO_FATAL_FAILURE(TestSuccessfulSignin()); 784 785 EXPECT_TRUE(manager_->IsClientRegistered()); 786#if !defined(OS_ANDROID) 787 EXPECT_TRUE(signin_manager_->IsSignoutProhibited()); 788#endif 789 790 // Kick off another policy fetch. 791 MockDeviceManagementJob* fetch_request = NULL; 792 EXPECT_CALL(device_management_service_, 793 CreateJob(DeviceManagementRequestJob::TYPE_POLICY_FETCH, _)) 794 .WillOnce(device_management_service_.CreateAsyncJob(&fetch_request)); 795 EXPECT_CALL(device_management_service_, StartJob(_, _, _, _, _, _, _)) 796 .Times(1); 797 manager_->RefreshPolicies(); 798 Mock::VerifyAndClearExpectations(this); 799 800 // Now, fake a SC_FORBIDDEN error from the server on this policy fetch. This 801 // indicates that chrome management is disabled and will result in the cached 802 // policy being removed and the manager shut down. 803 EXPECT_CALL(*mock_store_, Clear()); 804 fetch_request->SendResponse(DM_STATUS_SERVICE_MANAGEMENT_NOT_SUPPORTED, 805 em::DeviceManagementResponse()); 806 base::RunLoop().RunUntilIdle(); 807 EXPECT_FALSE(manager_->IsClientRegistered()); 808#if !defined(OS_ANDROID) 809 EXPECT_FALSE(signin_manager_->IsSignoutProhibited()); 810#endif 811} 812 813} // namespace 814 815} // namespace policy 816