Home | History | Annotate | Download | only in policy
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
      6 
      7 #include <vector>
      8 
      9 #include "base/basictypes.h"
     10 #include "base/bind.h"
     11 #include "base/file_util.h"
     12 #include "base/files/scoped_temp_dir.h"
     13 #include "base/memory/scoped_ptr.h"
     14 #include "base/message_loop/message_loop.h"
     15 #include "base/threading/sequenced_worker_pool.h"
     16 #include "chromeos/dbus/mock_cryptohome_client.h"
     17 #include "chromeos/dbus/mock_session_manager_client.h"
     18 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
     19 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h"
     20 #include "components/policy/core/common/cloud/policy_builder.h"
     21 #include "policy/policy_constants.h"
     22 #include "policy/proto/cloud_policy.pb.h"
     23 #include "policy/proto/device_management_local.pb.h"
     24 #include "testing/gmock/include/gmock/gmock.h"
     25 #include "testing/gtest/include/gtest/gtest.h"
     26 
     27 namespace em = enterprise_management;
     28 
     29 using testing::AllOf;
     30 using testing::AnyNumber;
     31 using testing::Eq;
     32 using testing::Mock;
     33 using testing::Property;
     34 using testing::Return;
     35 using testing::SaveArg;
     36 using testing::_;
     37 
     38 namespace policy {
     39 
     40 namespace {
     41 
     42 const char kLegacyDeviceId[] = "legacy-device-id";
     43 const char kLegacyToken[] = "legacy-token";
     44 const char kSanitizedUsername[] = "0123456789ABCDEF0123456789ABCDEF012345678";
     45 const char kDefaultHomepage[] = "http://chromium.org";
     46 
     47 ACTION_P2(SendSanitizedUsername, call_status, sanitized_username) {
     48   base::MessageLoop::current()->PostTask(
     49       FROM_HERE, base::Bind(arg1, call_status, sanitized_username));
     50 }
     51 
     52 class UserCloudPolicyStoreChromeOSTest : public testing::Test {
     53  protected:
     54   UserCloudPolicyStoreChromeOSTest()
     55       : loop_(base::MessageLoop::TYPE_UI) {}
     56 
     57   virtual void SetUp() OVERRIDE {
     58     EXPECT_CALL(cryptohome_client_,
     59                 GetSanitizedUsername(PolicyBuilder::kFakeUsername, _))
     60         .Times(AnyNumber())
     61         .WillRepeatedly(
     62             SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_SUCCESS,
     63                                   kSanitizedUsername));
     64 
     65     ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir());
     66     store_.reset(new UserCloudPolicyStoreChromeOS(&cryptohome_client_,
     67                                                   &session_manager_client_,
     68                                                   loop_.message_loop_proxy(),
     69                                                   PolicyBuilder::kFakeUsername,
     70                                                   user_policy_dir(),
     71                                                   token_file(),
     72                                                   policy_file()));
     73     store_->AddObserver(&observer_);
     74 
     75     // Install the initial public key, so that by default the validation of
     76     // the stored/loaded policy blob succeeds.
     77     std::vector<uint8> public_key;
     78     ASSERT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key));
     79     StoreUserPolicyKey(public_key);
     80 
     81     policy_.payload().mutable_homepagelocation()->set_value(kDefaultHomepage);
     82     policy_.Build();
     83   }
     84 
     85   virtual void TearDown() OVERRIDE {
     86     store_->RemoveObserver(&observer_);
     87     store_.reset();
     88     RunUntilIdle();
     89   }
     90 
     91   // Install an expectation on |observer_| for an error code.
     92   void ExpectError(CloudPolicyStore::Status error) {
     93     EXPECT_CALL(observer_,
     94                 OnStoreError(AllOf(Eq(store_.get()),
     95                                    Property(&CloudPolicyStore::status,
     96                                             Eq(error)))));
     97   }
     98 
     99   // Triggers a store_->Load() operation, handles the expected call to
    100   // |session_manager_client_| and sends |response|.
    101   void PerformPolicyLoad(const std::string& response) {
    102     // Issue a load command.
    103     chromeos::SessionManagerClient::RetrievePolicyCallback retrieve_callback;
    104     EXPECT_CALL(session_manager_client_,
    105                 RetrievePolicyForUser(PolicyBuilder::kFakeUsername, _))
    106         .WillOnce(SaveArg<1>(&retrieve_callback));
    107     store_->Load();
    108     RunUntilIdle();
    109     Mock::VerifyAndClearExpectations(&session_manager_client_);
    110     ASSERT_FALSE(retrieve_callback.is_null());
    111 
    112     // Run the callback.
    113     retrieve_callback.Run(response);
    114     RunUntilIdle();
    115   }
    116 
    117   // Verifies that store_->policy_map() has the HomepageLocation entry with
    118   // the |expected_value|.
    119   void VerifyPolicyMap(const char* expected_value) {
    120     EXPECT_EQ(1U, store_->policy_map().size());
    121     const PolicyMap::Entry* entry =
    122         store_->policy_map().Get(key::kHomepageLocation);
    123     ASSERT_TRUE(entry);
    124     EXPECT_TRUE(base::StringValue(expected_value).Equals(entry->value));
    125   }
    126 
    127   void StoreUserPolicyKey(const std::vector<uint8>& public_key) {
    128     ASSERT_TRUE(base::CreateDirectory(user_policy_key_file().DirName()));
    129     ASSERT_TRUE(
    130         file_util::WriteFile(user_policy_key_file(),
    131                              reinterpret_cast<const char*>(public_key.data()),
    132                              public_key.size()));
    133   }
    134 
    135   // Stores the current |policy_| and verifies that it is published.
    136   // If |new_public_key| is set then it will be persisted after storing but
    137   // before loading the policy, so that the signature validation can succeed.
    138   // If |previous_value| is set then a previously existing policy with that
    139   // value will be expected; otherwise no previous policy is expected.
    140   // If |new_value| is set then a new policy with that value is expected after
    141   // storing the |policy_| blob.
    142   void PerformStorePolicy(const std::vector<uint8>* new_public_key,
    143                           const char* previous_value,
    144                           const char* new_value) {
    145     chromeos::SessionManagerClient::StorePolicyCallback store_callback;
    146     EXPECT_CALL(session_manager_client_,
    147                 StorePolicyForUser(PolicyBuilder::kFakeUsername,
    148                                    policy_.GetBlob(), _, _))
    149         .WillOnce(SaveArg<3>(&store_callback));
    150     store_->Store(policy_.policy());
    151     RunUntilIdle();
    152     Mock::VerifyAndClearExpectations(&session_manager_client_);
    153     ASSERT_FALSE(store_callback.is_null());
    154 
    155     // The new policy shouldn't be present yet.
    156     PolicyMap previous_policy;
    157     EXPECT_EQ(previous_value != NULL, store_->policy() != NULL);
    158     if (previous_value) {
    159       previous_policy.Set(key::kHomepageLocation,
    160                           POLICY_LEVEL_MANDATORY,
    161                           POLICY_SCOPE_USER,
    162                           base::Value::CreateStringValue(previous_value), NULL);
    163     }
    164     EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
    165     EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    166 
    167     // Store the new public key so that the validation after the retrieve
    168     // operation completes can verify the signature.
    169     if (new_public_key)
    170       StoreUserPolicyKey(*new_public_key);
    171 
    172     // Let the store operation complete.
    173     chromeos::SessionManagerClient::RetrievePolicyCallback retrieve_callback;
    174     EXPECT_CALL(session_manager_client_,
    175                 RetrievePolicyForUser(PolicyBuilder::kFakeUsername, _))
    176         .WillOnce(SaveArg<1>(&retrieve_callback));
    177     store_callback.Run(true);
    178     RunUntilIdle();
    179     EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
    180     EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    181     Mock::VerifyAndClearExpectations(&session_manager_client_);
    182     ASSERT_FALSE(retrieve_callback.is_null());
    183 
    184     // Finish the retrieve callback.
    185     EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    186     retrieve_callback.Run(policy_.GetBlob());
    187     RunUntilIdle();
    188     ASSERT_TRUE(store_->policy());
    189     EXPECT_EQ(policy_.policy_data().SerializeAsString(),
    190               store_->policy()->SerializeAsString());
    191     VerifyPolicyMap(new_value);
    192     EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    193   }
    194 
    195   void VerifyStoreHasValidationError() {
    196     EXPECT_FALSE(store_->policy());
    197     EXPECT_TRUE(store_->policy_map().empty());
    198     EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
    199   }
    200 
    201   void RunUntilIdle() {
    202     loop_.RunUntilIdle();
    203     loop_.RunUntilIdle();
    204   }
    205 
    206   base::FilePath user_policy_dir() {
    207     return tmp_dir_.path().AppendASCII("var_run_user_policy");
    208   }
    209 
    210   base::FilePath user_policy_key_file() {
    211     return user_policy_dir().AppendASCII(kSanitizedUsername)
    212                             .AppendASCII("policy.pub");
    213   }
    214 
    215   base::FilePath token_file() {
    216     return tmp_dir_.path().AppendASCII("token");
    217   }
    218 
    219   base::FilePath policy_file() {
    220     return tmp_dir_.path().AppendASCII("policy");
    221   }
    222 
    223   base::MessageLoop loop_;
    224   chromeos::MockCryptohomeClient cryptohome_client_;
    225   chromeos::MockSessionManagerClient session_manager_client_;
    226   UserPolicyBuilder policy_;
    227   MockCloudPolicyStoreObserver observer_;
    228   scoped_ptr<UserCloudPolicyStoreChromeOS> store_;
    229 
    230  private:
    231   base::ScopedTempDir tmp_dir_;
    232 
    233   DISALLOW_COPY_AND_ASSIGN(UserCloudPolicyStoreChromeOSTest);
    234 };
    235 
    236 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) {
    237   // Start without any public key to trigger the initial key checks.
    238   ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
    239   // Make the policy blob contain a new public key.
    240   policy_.SetDefaultNewSigningKey();
    241   policy_.Build();
    242   std::vector<uint8> new_public_key;
    243   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
    244   ASSERT_NO_FATAL_FAILURE(
    245       PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
    246 }
    247 
    248 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) {
    249   ASSERT_NO_FATAL_FAILURE(
    250       PerformStorePolicy(NULL, NULL, kDefaultHomepage));
    251 }
    252 
    253 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
    254   // Make the policy blob contain a new public key.
    255   policy_.SetDefaultNewSigningKey();
    256   policy_.Build();
    257   std::vector<uint8> new_public_key;
    258   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
    259   ASSERT_NO_FATAL_FAILURE(
    260       PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
    261 }
    262 
    263 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
    264   // Store policy.
    265   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
    266   EXPECT_CALL(session_manager_client_,
    267               StorePolicyForUser(PolicyBuilder::kFakeUsername,
    268                                  policy_.GetBlob(), _, _))
    269       .WillOnce(SaveArg<3>(&store_callback));
    270   store_->Store(policy_.policy());
    271   RunUntilIdle();
    272   Mock::VerifyAndClearExpectations(&session_manager_client_);
    273   ASSERT_FALSE(store_callback.is_null());
    274 
    275   // Let the store operation complete.
    276   ExpectError(CloudPolicyStore::STATUS_STORE_ERROR);
    277   store_callback.Run(false);
    278   RunUntilIdle();
    279   EXPECT_FALSE(store_->policy());
    280   EXPECT_TRUE(store_->policy_map().empty());
    281   EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status());
    282 }
    283 
    284 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
    285   policy_.policy_data().clear_policy_type();
    286   policy_.Build();
    287 
    288   // Store policy.
    289   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
    290   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
    291   EXPECT_CALL(session_manager_client_,
    292               StorePolicyForUser(PolicyBuilder::kFakeUsername,
    293                                  policy_.GetBlob(), _, _))
    294       .Times(0);
    295   store_->Store(policy_.policy());
    296   RunUntilIdle();
    297   Mock::VerifyAndClearExpectations(&session_manager_client_);
    298 }
    299 
    300 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
    301   // Make the dbus call to cryptohome fail.
    302   Mock::VerifyAndClearExpectations(&cryptohome_client_);
    303   EXPECT_CALL(cryptohome_client_,
    304               GetSanitizedUsername(PolicyBuilder::kFakeUsername, _))
    305       .Times(AnyNumber())
    306       .WillRepeatedly(SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_FAILURE,
    307                                             std::string()));
    308 
    309   // Store policy.
    310   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
    311   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
    312   EXPECT_CALL(session_manager_client_,
    313               StorePolicyForUser(PolicyBuilder::kFakeUsername,
    314                                  policy_.GetBlob(), _, _))
    315       .Times(0);
    316   store_->Store(policy_.policy());
    317   RunUntilIdle();
    318   Mock::VerifyAndClearExpectations(&session_manager_client_);
    319 }
    320 
    321 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
    322   // Break the signature.
    323   policy_.policy().mutable_policy_data_signature()->append("garbage");
    324 
    325   // Store policy.
    326   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
    327   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
    328   EXPECT_CALL(session_manager_client_,
    329               StorePolicyForUser(PolicyBuilder::kFakeUsername,
    330                                  policy_.GetBlob(), _, _))
    331       .Times(0);
    332   store_->Store(policy_.policy());
    333   RunUntilIdle();
    334   Mock::VerifyAndClearExpectations(&session_manager_client_);
    335 }
    336 
    337 TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
    338   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    339   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
    340   Mock::VerifyAndClearExpectations(&observer_);
    341 
    342   // Verify that the policy has been loaded.
    343   ASSERT_TRUE(store_->policy());
    344   EXPECT_EQ(policy_.policy_data().SerializeAsString(),
    345             store_->policy()->SerializeAsString());
    346   VerifyPolicyMap(kDefaultHomepage);
    347   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    348 }
    349 
    350 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
    351   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    352   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
    353   Mock::VerifyAndClearExpectations(&observer_);
    354 
    355   // Verify no policy has been installed.
    356   EXPECT_FALSE(store_->policy());
    357   EXPECT_TRUE(store_->policy_map().empty());
    358   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    359 }
    360 
    361 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
    362   ExpectError(CloudPolicyStore::STATUS_PARSE_ERROR);
    363   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("invalid"));
    364 
    365   // Verify no policy has been installed.
    366   EXPECT_FALSE(store_->policy());
    367   EXPECT_TRUE(store_->policy_map().empty());
    368   EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
    369 }
    370 
    371 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
    372   policy_.policy_data().clear_policy_type();
    373   policy_.Build();
    374 
    375   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
    376   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
    377   VerifyStoreHasValidationError();
    378 }
    379 
    380 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
    381   // The loaded policy can't be verified without the public key.
    382   ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
    383   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
    384   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
    385   VerifyStoreHasValidationError();
    386 }
    387 
    388 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
    389   // Break the signature.
    390   policy_.policy().mutable_policy_data_signature()->append("garbage");
    391   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
    392   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
    393   VerifyStoreHasValidationError();
    394 }
    395 
    396 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) {
    397   std::string data;
    398 
    399   em::DeviceCredentials credentials;
    400   credentials.set_device_token(kLegacyToken);
    401   credentials.set_device_id(kLegacyDeviceId);
    402   ASSERT_TRUE(credentials.SerializeToString(&data));
    403   ASSERT_NE(-1, file_util::WriteFile(token_file(), data.c_str(), data.size()));
    404 
    405   em::CachedCloudPolicyResponse cached_policy;
    406   cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
    407   ASSERT_TRUE(cached_policy.SerializeToString(&data));
    408   ASSERT_NE(-1, file_util::WriteFile(policy_file(), data.c_str(), data.size()));
    409 
    410   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    411   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
    412   Mock::VerifyAndClearExpectations(&observer_);
    413 
    414   // Verify that legacy user policy and token have been loaded.
    415   em::PolicyData expected_policy_data;
    416   EXPECT_TRUE(expected_policy_data.ParseFromString(
    417                   cached_policy.cloud_policy().policy_data()));
    418   expected_policy_data.clear_public_key_version();
    419   expected_policy_data.set_request_token(kLegacyToken);
    420   expected_policy_data.set_device_id(kLegacyDeviceId);
    421   ASSERT_TRUE(store_->policy());
    422   EXPECT_EQ(expected_policy_data.SerializeAsString(),
    423             store_->policy()->SerializeAsString());
    424   VerifyPolicyMap(kDefaultHomepage);
    425   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    426 }
    427 
    428 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoToken) {
    429   std::string data;
    430   testing::Sequence seq;
    431 
    432   em::CachedCloudPolicyResponse cached_policy;
    433   cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
    434   ASSERT_TRUE(cached_policy.SerializeToString(&data));
    435   ASSERT_NE(-1, file_util::WriteFile(policy_file(), data.c_str(), data.size()));
    436 
    437   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    438   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
    439   Mock::VerifyAndClearExpectations(&observer_);
    440 
    441   // Verify the legacy cache has been loaded.
    442   em::PolicyData expected_policy_data;
    443   EXPECT_TRUE(expected_policy_data.ParseFromString(
    444                   cached_policy.cloud_policy().policy_data()));
    445   expected_policy_data.clear_public_key_version();
    446   ASSERT_TRUE(store_->policy());
    447   EXPECT_EQ(expected_policy_data.SerializeAsString(),
    448             store_->policy()->SerializeAsString());
    449   VerifyPolicyMap(kDefaultHomepage);
    450   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    451 }
    452 
    453 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoPolicy) {
    454   std::string data;
    455 
    456   em::DeviceCredentials credentials;
    457   credentials.set_device_token(kLegacyToken);
    458   credentials.set_device_id(kLegacyDeviceId);
    459   ASSERT_TRUE(credentials.SerializeToString(&data));
    460   ASSERT_NE(-1, file_util::WriteFile(token_file(), data.c_str(), data.size()));
    461 
    462   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    463   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
    464   Mock::VerifyAndClearExpectations(&observer_);
    465 
    466   // Verify that legacy user policy and token have been loaded.
    467   em::PolicyData expected_policy_data;
    468   expected_policy_data.set_request_token(kLegacyToken);
    469   expected_policy_data.set_device_id(kLegacyDeviceId);
    470   ASSERT_TRUE(store_->policy());
    471   EXPECT_EQ(expected_policy_data.SerializeAsString(),
    472             store_->policy()->SerializeAsString());
    473   EXPECT_TRUE(store_->policy_map().empty());
    474   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    475 }
    476 
    477 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationAndStoreNew) {
    478   // Start without an existing public key.
    479   ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
    480 
    481   std::string data;
    482   em::CachedCloudPolicyResponse cached_policy;
    483   cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
    484   ASSERT_TRUE(cached_policy.SerializeToString(&data));
    485   ASSERT_NE(-1, file_util::WriteFile(policy_file(), data.c_str(), data.size()));
    486 
    487   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    488   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
    489   Mock::VerifyAndClearExpectations(&observer_);
    490 
    491   // Verify the legacy cache has been loaded.
    492   em::PolicyData expected_policy_data;
    493   EXPECT_TRUE(expected_policy_data.ParseFromString(
    494                   cached_policy.cloud_policy().policy_data()));
    495   expected_policy_data.clear_public_key_version();
    496   ASSERT_TRUE(store_->policy());
    497   EXPECT_EQ(expected_policy_data.SerializeAsString(),
    498             store_->policy()->SerializeAsString());
    499   VerifyPolicyMap(kDefaultHomepage);
    500   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    501   EXPECT_TRUE(base::PathExists(policy_file()));
    502 
    503   // Now store a new policy using the new homepage location.
    504   const char kNewHomepage[] = "http://google.com";
    505   policy_.payload().mutable_homepagelocation()->set_value(kNewHomepage);
    506   policy_.SetDefaultNewSigningKey();
    507   policy_.Build();
    508   std::vector<uint8> new_public_key;
    509   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
    510   ASSERT_NO_FATAL_FAILURE(
    511       PerformStorePolicy(&new_public_key, kDefaultHomepage, kNewHomepage));
    512   VerifyPolicyMap(kNewHomepage);
    513 
    514   // Verify that the legacy cache has been removed.
    515   EXPECT_FALSE(base::PathExists(policy_file()));
    516 }
    517 
    518 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediately) {
    519   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    520   EXPECT_CALL(session_manager_client_,
    521               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
    522       .WillOnce(Return(policy_.GetBlob()));
    523   EXPECT_CALL(cryptohome_client_,
    524               BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
    525       .WillOnce(Return(kSanitizedUsername));
    526 
    527   EXPECT_FALSE(store_->policy());
    528   store_->LoadImmediately();
    529   // Note: verify that the |observer_| got notified synchronously, without
    530   // having to spin the current loop. TearDown() will flush the loop so this
    531   // must be done within the test.
    532   Mock::VerifyAndClearExpectations(&observer_);
    533   Mock::VerifyAndClearExpectations(&session_manager_client_);
    534   Mock::VerifyAndClearExpectations(&cryptohome_client_);
    535 
    536   // The policy should become available without having to spin any loops.
    537   ASSERT_TRUE(store_->policy());
    538   EXPECT_EQ(policy_.policy_data().SerializeAsString(),
    539             store_->policy()->SerializeAsString());
    540   VerifyPolicyMap(kDefaultHomepage);
    541   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    542 }
    543 
    544 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
    545   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
    546   EXPECT_CALL(session_manager_client_,
    547               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
    548       .WillOnce(Return(""));
    549 
    550   EXPECT_FALSE(store_->policy());
    551   store_->LoadImmediately();
    552   Mock::VerifyAndClearExpectations(&observer_);
    553   Mock::VerifyAndClearExpectations(&session_manager_client_);
    554 
    555   EXPECT_FALSE(store_->policy());
    556   EXPECT_TRUE(store_->policy_map().empty());
    557   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
    558 }
    559 
    560 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
    561   EXPECT_CALL(observer_, OnStoreError(store_.get()));
    562   EXPECT_CALL(session_manager_client_,
    563               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
    564       .WillOnce(Return("le blob"));
    565 
    566   EXPECT_FALSE(store_->policy());
    567   store_->LoadImmediately();
    568   Mock::VerifyAndClearExpectations(&observer_);
    569   Mock::VerifyAndClearExpectations(&session_manager_client_);
    570 
    571   EXPECT_FALSE(store_->policy());
    572   EXPECT_TRUE(store_->policy_map().empty());
    573   EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
    574 }
    575 
    576 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
    577   EXPECT_CALL(observer_, OnStoreError(store_.get()));
    578   EXPECT_CALL(session_manager_client_,
    579               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
    580       .WillOnce(Return(policy_.GetBlob()));
    581   EXPECT_CALL(cryptohome_client_,
    582               BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
    583       .WillOnce(Return(""));
    584 
    585   EXPECT_FALSE(store_->policy());
    586   store_->LoadImmediately();
    587   Mock::VerifyAndClearExpectations(&observer_);
    588   Mock::VerifyAndClearExpectations(&session_manager_client_);
    589   Mock::VerifyAndClearExpectations(&cryptohome_client_);
    590 
    591   EXPECT_FALSE(store_->policy());
    592   EXPECT_TRUE(store_->policy_map().empty());
    593   EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status());
    594 }
    595 
    596 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
    597   EXPECT_CALL(observer_, OnStoreError(store_.get()));
    598   EXPECT_CALL(session_manager_client_,
    599               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
    600       .WillOnce(Return(policy_.GetBlob()));
    601   EXPECT_CALL(cryptohome_client_,
    602               BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
    603       .WillOnce(Return("wrong"));
    604 
    605   EXPECT_FALSE(store_->policy());
    606   store_->LoadImmediately();
    607   Mock::VerifyAndClearExpectations(&observer_);
    608   Mock::VerifyAndClearExpectations(&session_manager_client_);
    609   Mock::VerifyAndClearExpectations(&cryptohome_client_);
    610 
    611   EXPECT_FALSE(store_->policy());
    612   EXPECT_TRUE(store_->policy_map().empty());
    613   EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
    614 }
    615 
    616 }  // namespace
    617 
    618 }  // namespace policy
    619