1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "policy/libpolicy.h" 6 7 #include <memory> 8 #include <utility> 9 10 #include <openssl/err.h> 11 #include <openssl/ssl.h> 12 13 #include <base/files/file_path.h> 14 #include <base/logging.h> 15 #include <gtest/gtest.h> 16 17 #include "bindings/chrome_device_policy.pb.h" 18 #include "install_attributes/mock_install_attributes_reader.h" 19 #include "policy/device_policy_impl.h" 20 21 namespace policy { 22 23 static const char kPolicyFileAllSet[] = "policy/tests/whitelist/policy_all"; 24 static const char kPolicyFileNoneSet[] = "policy/tests/whitelist/policy_none"; 25 static const char kKeyFile[] = "policy/tests/whitelist/owner.key"; 26 static const char kNonExistingFile[] = "file-does-not-exist"; 27 28 // Creates the DevicePolicyImpl with given parameters for test. 29 std::unique_ptr<DevicePolicyImpl> CreateDevicePolicyImpl( 30 std::unique_ptr<InstallAttributesReader> install_attributes_reader, 31 const base::FilePath& policy_path, 32 const base::FilePath& keyfile_path, 33 bool verify_files) { 34 std::unique_ptr<DevicePolicyImpl> device_policy(new DevicePolicyImpl()); 35 device_policy->set_install_attributes_for_testing( 36 std::move(install_attributes_reader)); 37 device_policy->set_policy_path_for_testing(policy_path); 38 device_policy->set_key_file_path_for_testing(keyfile_path); 39 device_policy->set_verify_root_ownership_for_testing(verify_files); 40 41 return device_policy; 42 } 43 44 // Test that a policy file can be verified and parsed correctly. The file 45 // contains all possible fields, so reading should succeed for all. 46 TEST(PolicyTest, DevicePolicyAllSetTest) { 47 base::FilePath policy_file(kPolicyFileAllSet); 48 base::FilePath key_file(kKeyFile); 49 PolicyProvider provider; 50 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl( 51 std::make_unique<MockInstallAttributesReader>( 52 InstallAttributesReader::kDeviceModeEnterprise, true), 53 policy_file, key_file, false)); 54 provider.Reload(); 55 56 // Ensure we successfully loaded the device policy file. 57 ASSERT_TRUE(provider.device_policy_is_loaded()); 58 59 const DevicePolicy& policy = provider.GetDevicePolicy(); 60 61 // Check that we can read out all fields of the sample protobuf. 62 int int_value = -1; 63 ASSERT_TRUE(policy.GetPolicyRefreshRate(&int_value)); 64 EXPECT_EQ(100, int_value); 65 66 std::vector<std::string> list_value; 67 ASSERT_TRUE(policy.GetUserWhitelist(&list_value)); 68 ASSERT_EQ(3, list_value.size()); 69 EXPECT_EQ("me (at) here.com", list_value[0]); 70 EXPECT_EQ("you (at) there.com", list_value[1]); 71 EXPECT_EQ("*@monsters.com", list_value[2]); 72 73 bool bool_value = true; 74 ASSERT_TRUE(policy.GetGuestModeEnabled(&bool_value)); 75 EXPECT_FALSE(bool_value); 76 77 bool_value = true; 78 ASSERT_TRUE(policy.GetCameraEnabled(&bool_value)); 79 EXPECT_FALSE(bool_value); 80 81 bool_value = true; 82 ASSERT_TRUE(policy.GetShowUserNames(&bool_value)); 83 EXPECT_FALSE(bool_value); 84 85 bool_value = true; 86 ASSERT_TRUE(policy.GetDataRoamingEnabled(&bool_value)); 87 EXPECT_FALSE(bool_value); 88 89 bool_value = true; 90 ASSERT_TRUE(policy.GetAllowNewUsers(&bool_value)); 91 EXPECT_FALSE(bool_value); 92 93 bool_value = true; 94 ASSERT_TRUE(policy.GetMetricsEnabled(&bool_value)); 95 EXPECT_FALSE(bool_value); 96 97 bool_value = true; 98 ASSERT_TRUE(policy.GetReportVersionInfo(&bool_value)); 99 EXPECT_FALSE(bool_value); 100 101 bool_value = true; 102 ASSERT_TRUE(policy.GetReportActivityTimes(&bool_value)); 103 EXPECT_FALSE(bool_value); 104 105 bool_value = true; 106 ASSERT_TRUE(policy.GetReportBootMode(&bool_value)); 107 EXPECT_FALSE(bool_value); 108 109 bool_value = true; 110 ASSERT_TRUE(policy.GetEphemeralUsersEnabled(&bool_value)); 111 EXPECT_FALSE(bool_value); 112 113 std::string string_value; 114 ASSERT_TRUE(policy.GetReleaseChannel(&string_value)); 115 EXPECT_EQ("stable-channel", string_value); 116 117 bool_value = false; 118 ASSERT_TRUE(policy.GetReleaseChannelDelegated(&bool_value)); 119 EXPECT_TRUE(bool_value); 120 121 bool_value = true; 122 ASSERT_TRUE(policy.GetUpdateDisabled(&bool_value)); 123 EXPECT_FALSE(bool_value); 124 125 int64_t int64_value = -1LL; 126 ASSERT_TRUE(policy.GetScatterFactorInSeconds(&int64_value)); 127 EXPECT_EQ(17LL, int64_value); 128 129 ASSERT_TRUE(policy.GetTargetVersionPrefix(&string_value)); 130 EXPECT_EQ("42.0.", string_value); 131 132 int_value = -1; 133 ASSERT_TRUE(policy.GetRollbackToTargetVersion(&int_value)); 134 EXPECT_EQ(enterprise_management::AutoUpdateSettingsProto:: 135 ROLLBACK_WITH_FULL_POWERWASH, 136 int_value); 137 138 int_value = -1; 139 ASSERT_TRUE(policy.GetRollbackAllowedMilestones(&int_value)); 140 EXPECT_EQ(3, int_value); 141 142 std::set<std::string> types; 143 ASSERT_TRUE(policy.GetAllowedConnectionTypesForUpdate(&types)); 144 EXPECT_TRUE(types.end() != types.find("ethernet")); 145 EXPECT_TRUE(types.end() != types.find("wifi")); 146 EXPECT_EQ(2, types.size()); 147 148 ASSERT_TRUE(policy.GetOpenNetworkConfiguration(&string_value)); 149 EXPECT_EQ("{}", string_value); 150 151 ASSERT_TRUE(policy.GetOwner(&string_value)); 152 EXPECT_EQ("", string_value); 153 154 bool_value = true; 155 ASSERT_TRUE(policy.GetHttpDownloadsEnabled(&bool_value)); 156 EXPECT_FALSE(bool_value); 157 158 bool_value = true; 159 ASSERT_TRUE(policy.GetAuP2PEnabled(&bool_value)); 160 EXPECT_FALSE(bool_value); 161 162 bool_value = true; 163 ASSERT_TRUE(policy.GetAllowKioskAppControlChromeVersion(&bool_value)); 164 EXPECT_FALSE(bool_value); 165 166 std::vector<DevicePolicy::UsbDeviceId> list_device; 167 ASSERT_TRUE(policy.GetUsbDetachableWhitelist(&list_device)); 168 EXPECT_EQ(2, list_device.size()); 169 EXPECT_EQ(0x413c, list_device[0].vendor_id); 170 EXPECT_EQ(0x2105, list_device[0].product_id); 171 EXPECT_EQ(0x0403, list_device[1].vendor_id); 172 EXPECT_EQ(0x6001, list_device[1].product_id); 173 174 ASSERT_TRUE(policy.GetAutoLaunchedKioskAppId(&string_value)); 175 EXPECT_EQ("my_kiosk_app", string_value); 176 177 int_value = -1; 178 ASSERT_TRUE(policy.GetSecondFactorAuthenticationMode(&int_value)); 179 EXPECT_EQ(2, int_value); 180 181 std::vector<DevicePolicy::WeeklyTimeInterval> intervals; 182 ASSERT_TRUE(policy.GetDisallowedTimeIntervals(&intervals)); 183 ASSERT_EQ(2, intervals.size()); 184 EXPECT_EQ(4, intervals[0].start_day_of_week); 185 EXPECT_EQ(base::TimeDelta::FromMinutes(30) + base::TimeDelta::FromHours(12), 186 intervals[0].start_time); 187 EXPECT_EQ(6, intervals[0].end_day_of_week); 188 EXPECT_EQ(base::TimeDelta::FromMinutes(15) + base::TimeDelta::FromHours(3), 189 intervals[0].end_time); 190 EXPECT_EQ(1, intervals[1].start_day_of_week); 191 EXPECT_EQ(base::TimeDelta::FromMinutes(10) + base::TimeDelta::FromHours(20), 192 intervals[1].start_time); 193 EXPECT_EQ(3, intervals[1].end_day_of_week); 194 EXPECT_EQ(base::TimeDelta::FromMinutes(20), intervals[1].end_time); 195 196 ASSERT_TRUE(policy.GetAutoLaunchedKioskAppId(&string_value)); 197 ASSERT_EQ("my_kiosk_app", string_value); 198 199 // Reloading the protobuf should succeed. 200 EXPECT_TRUE(provider.Reload()); 201 } 202 203 // Test that a policy file can be verified and parsed correctly. The file 204 // contains none of the possible fields, so reading should fail for all. 205 TEST(PolicyTest, DevicePolicyNoneSetTest) { 206 base::FilePath policy_file(kPolicyFileNoneSet); 207 base::FilePath key_file(kKeyFile); 208 209 PolicyProvider provider; 210 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl( 211 std::make_unique<MockInstallAttributesReader>( 212 InstallAttributesReader::kDeviceModeEnterprise, true), 213 policy_file, key_file, false)); 214 provider.Reload(); 215 216 // Ensure we successfully loaded the device policy file. 217 ASSERT_TRUE(provider.device_policy_is_loaded()); 218 219 const DevicePolicy& policy = provider.GetDevicePolicy(); 220 221 // Check that we cannot read any fields out of the sample protobuf. 222 int int_value; 223 int64_t int64_value; 224 std::vector<std::string> list_value; 225 bool bool_value; 226 std::string string_value; 227 std::vector<DevicePolicy::UsbDeviceId> list_device; 228 std::vector<DevicePolicy::WeeklyTimeInterval> intervals; 229 230 EXPECT_FALSE(policy.GetPolicyRefreshRate(&int_value)); 231 EXPECT_FALSE(policy.GetUserWhitelist(&list_value)); 232 EXPECT_FALSE(policy.GetGuestModeEnabled(&bool_value)); 233 EXPECT_FALSE(policy.GetCameraEnabled(&bool_value)); 234 EXPECT_FALSE(policy.GetShowUserNames(&bool_value)); 235 EXPECT_FALSE(policy.GetDataRoamingEnabled(&bool_value)); 236 EXPECT_FALSE(policy.GetAllowNewUsers(&bool_value)); 237 EXPECT_FALSE(policy.GetMetricsEnabled(&bool_value)); 238 EXPECT_FALSE(policy.GetReportVersionInfo(&bool_value)); 239 EXPECT_FALSE(policy.GetReportActivityTimes(&bool_value)); 240 EXPECT_FALSE(policy.GetReportBootMode(&bool_value)); 241 EXPECT_FALSE(policy.GetEphemeralUsersEnabled(&bool_value)); 242 EXPECT_FALSE(policy.GetReleaseChannel(&string_value)); 243 EXPECT_FALSE(policy.GetUpdateDisabled(&bool_value)); 244 EXPECT_FALSE(policy.GetTargetVersionPrefix(&string_value)); 245 EXPECT_FALSE(policy.GetRollbackToTargetVersion(&int_value)); 246 // RollbackAllowedMilestones has the default value of 0 for enterprise 247 // devices. 248 ASSERT_TRUE(policy.GetRollbackAllowedMilestones(&int_value)); 249 EXPECT_EQ(0, int_value); 250 EXPECT_FALSE(policy.GetScatterFactorInSeconds(&int64_value)); 251 EXPECT_FALSE(policy.GetOpenNetworkConfiguration(&string_value)); 252 EXPECT_FALSE(policy.GetHttpDownloadsEnabled(&bool_value)); 253 EXPECT_FALSE(policy.GetAuP2PEnabled(&bool_value)); 254 EXPECT_FALSE(policy.GetAllowKioskAppControlChromeVersion(&bool_value)); 255 EXPECT_FALSE(policy.GetUsbDetachableWhitelist(&list_device)); 256 EXPECT_FALSE(policy.GetSecondFactorAuthenticationMode(&int_value)); 257 EXPECT_FALSE(policy.GetDisallowedTimeIntervals(&intervals)); 258 } 259 260 // Verify that the library will correctly recognize and signal missing files. 261 TEST(PolicyTest, DevicePolicyFailure) { 262 LOG(INFO) << "Errors expected."; 263 // Try loading non-existing protobuf should fail. 264 base::FilePath policy_file(kNonExistingFile); 265 base::FilePath key_file(kNonExistingFile); 266 PolicyProvider provider; 267 provider.SetDevicePolicyForTesting( 268 CreateDevicePolicyImpl(std::make_unique<MockInstallAttributesReader>( 269 cryptohome::SerializedInstallAttributes()), 270 policy_file, key_file, true)); 271 272 // Even after reload the policy should still be not loaded. 273 ASSERT_FALSE(provider.Reload()); 274 EXPECT_FALSE(provider.device_policy_is_loaded()); 275 } 276 277 // Verify that signature verification is waived for a device in enterprise_ad 278 // mode. 279 TEST(PolicyTest, SkipSignatureForEnterpriseAD) { 280 base::FilePath policy_file(kPolicyFileAllSet); 281 base::FilePath key_file(kNonExistingFile); 282 PolicyProvider provider; 283 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl( 284 std::make_unique<MockInstallAttributesReader>( 285 InstallAttributesReader::kDeviceModeEnterpriseAD, true), 286 policy_file, key_file, false)); 287 provider.Reload(); 288 289 // Ensure we successfully loaded the device policy file. 290 EXPECT_TRUE(provider.device_policy_is_loaded()); 291 } 292 293 // Ensure that signature verification is enforced for a device in vanilla 294 // enterprise mode. 295 TEST(PolicyTest, DontSkipSignatureForEnterprise) { 296 base::FilePath policy_file(kPolicyFileAllSet); 297 base::FilePath key_file(kNonExistingFile); 298 299 PolicyProvider provider; 300 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl( 301 std::make_unique<MockInstallAttributesReader>( 302 InstallAttributesReader::kDeviceModeEnterprise, true), 303 policy_file, key_file, false)); 304 provider.Reload(); 305 306 // Ensure that unverifed policy is not loaded. 307 EXPECT_FALSE(provider.device_policy_is_loaded()); 308 } 309 310 // Ensure that signature verification is enforced for a device in consumer mode. 311 TEST(PolicyTest, DontSkipSignatureForConsumer) { 312 base::FilePath policy_file(kPolicyFileAllSet); 313 base::FilePath key_file(kNonExistingFile); 314 cryptohome::SerializedInstallAttributes install_attributes; 315 316 PolicyProvider provider; 317 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl( 318 std::make_unique<MockInstallAttributesReader>(install_attributes), 319 policy_file, key_file, false)); 320 provider.Reload(); 321 322 // Ensure that unverifed policy is not loaded. 323 EXPECT_FALSE(provider.device_policy_is_loaded()); 324 } 325 326 // Checks return value of IsConsumerDevice when it's a still in OOBE. 327 TEST(PolicyTest, IsConsumerDeviceOobe) { 328 PolicyProvider provider; 329 provider.SetInstallAttributesReaderForTesting( 330 std::make_unique<MockInstallAttributesReader>("", false)); 331 EXPECT_FALSE(provider.IsConsumerDevice()); 332 } 333 334 // Checks return value of IsConsumerDevice when it's a consumer device. 335 TEST(PolicyTest, IsConsumerDeviceConsumer) { 336 PolicyProvider provider; 337 provider.SetInstallAttributesReaderForTesting( 338 std::make_unique<MockInstallAttributesReader>("", true)); 339 EXPECT_TRUE(provider.IsConsumerDevice()); 340 } 341 342 // Checks return value of IsConsumerDevice when it's an enterprise device. 343 TEST(PolicyTest, IsConsumerDeviceEnterprise) { 344 PolicyProvider provider; 345 provider.SetInstallAttributesReaderForTesting( 346 std::make_unique<MockInstallAttributesReader>( 347 InstallAttributesReader::kDeviceModeEnterprise, true)); 348 EXPECT_FALSE(provider.IsConsumerDevice()); 349 } 350 351 // Checks return value of IsConsumerDevice when it's an enterprise AD device. 352 TEST(PolicyTest, IsConsumerDeviceEnterpriseAd) { 353 PolicyProvider provider; 354 provider.SetInstallAttributesReaderForTesting( 355 std::make_unique<MockInstallAttributesReader>( 356 InstallAttributesReader::kDeviceModeEnterpriseAD, true)); 357 EXPECT_FALSE(provider.IsConsumerDevice()); 358 } 359 360 } // namespace policy 361 362 int main(int argc, char* argv[]) { 363 ::testing::InitGoogleTest(&argc, argv); 364 return RUN_ALL_TESTS(); 365 } 366
