1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "chrome/browser/chromeos/policy/device_cloud_policy_store_chromeos.h" 6 7 #include <string> 8 #include <vector> 9 10 #include "base/basictypes.h" 11 #include "base/compiler_specific.h" 12 #include "base/memory/scoped_ptr.h" 13 #include "base/message_loop/message_loop_proxy.h" 14 #include "base/run_loop.h" 15 #include "chrome/browser/chromeos/policy/enterprise_install_attributes.h" 16 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h" 17 #include "chrome/browser/chromeos/settings/device_settings_test_helper.h" 18 #include "chrome/test/base/scoped_testing_local_state.h" 19 #include "chrome/test/base/testing_browser_process.h" 20 #include "chromeos/cryptohome/cryptohome_util.h" 21 #include "chromeos/dbus/dbus_thread_manager.h" 22 #include "chromeos/dbus/fake_cryptohome_client.h" 23 #include "content/public/test/test_utils.h" 24 #include "policy/policy_constants.h" 25 #include "testing/gtest/include/gtest/gtest.h" 26 27 namespace policy { 28 29 namespace { 30 31 void CopyLockResult(base::RunLoop* loop, 32 EnterpriseInstallAttributes::LockResult* out, 33 EnterpriseInstallAttributes::LockResult result) { 34 *out = result; 35 loop->Quit(); 36 } 37 38 } // namespace 39 40 class DeviceCloudPolicyStoreChromeOSTest 41 : public chromeos::DeviceSettingsTestBase { 42 protected: 43 DeviceCloudPolicyStoreChromeOSTest() 44 : local_state_(TestingBrowserProcess::GetGlobal()), 45 fake_cryptohome_client_(new chromeos::FakeCryptohomeClient()), 46 install_attributes_( 47 new EnterpriseInstallAttributes(fake_cryptohome_client_)), 48 store_(new DeviceCloudPolicyStoreChromeOS( 49 &device_settings_service_, 50 install_attributes_.get(), 51 base::MessageLoopProxy::current())) { 52 } 53 54 virtual void SetUp() OVERRIDE { 55 DeviceSettingsTestBase::SetUp(); 56 57 dbus_setter_->SetCryptohomeClient( 58 scoped_ptr<chromeos::CryptohomeClient>(fake_cryptohome_client_)); 59 60 base::RunLoop loop; 61 EnterpriseInstallAttributes::LockResult result; 62 install_attributes_->LockDevice( 63 PolicyBuilder::kFakeUsername, 64 DEVICE_MODE_ENTERPRISE, 65 PolicyBuilder::kFakeDeviceId, 66 base::Bind(&CopyLockResult, &loop, &result)); 67 loop.Run(); 68 ASSERT_EQ(EnterpriseInstallAttributes::LOCK_SUCCESS, result); 69 } 70 71 void ExpectFailure(CloudPolicyStore::Status expected_status) { 72 EXPECT_EQ(expected_status, store_->status()); 73 EXPECT_TRUE(store_->is_initialized()); 74 EXPECT_FALSE(store_->has_policy()); 75 EXPECT_FALSE(store_->is_managed()); 76 } 77 78 void ExpectSuccess() { 79 EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status()); 80 EXPECT_TRUE(store_->is_initialized()); 81 EXPECT_TRUE(store_->has_policy()); 82 EXPECT_TRUE(store_->is_managed()); 83 EXPECT_TRUE(store_->policy()); 84 base::FundamentalValue expected(false); 85 EXPECT_TRUE( 86 base::Value::Equals(&expected, 87 store_->policy_map().GetValue( 88 key::kDeviceMetricsReportingEnabled))); 89 } 90 91 void PrepareExistingPolicy() { 92 store_->Load(); 93 FlushDeviceSettings(); 94 ExpectSuccess(); 95 96 device_policy_.UnsetNewSigningKey(); 97 device_policy_.Build(); 98 } 99 100 void PrepareNewSigningKey() { 101 device_policy_.SetDefaultNewSigningKey(); 102 device_policy_.Build(); 103 owner_key_util_->SetPublicKeyFromPrivateKey( 104 *device_policy_.GetNewSigningKey()); 105 } 106 107 void ResetToNonEnterprise() { 108 store_.reset(); 109 chromeos::cryptohome_util::InstallAttributesSet("enterprise.owned", 110 std::string()); 111 install_attributes_.reset( 112 new EnterpriseInstallAttributes(fake_cryptohome_client_)); 113 store_.reset( 114 new DeviceCloudPolicyStoreChromeOS(&device_settings_service_, 115 install_attributes_.get(), 116 base::MessageLoopProxy::current())); 117 } 118 119 ScopedTestingLocalState local_state_; 120 chromeos::FakeCryptohomeClient* fake_cryptohome_client_; 121 scoped_ptr<EnterpriseInstallAttributes> install_attributes_; 122 123 scoped_ptr<DeviceCloudPolicyStoreChromeOS> store_; 124 125 private: 126 DISALLOW_COPY_AND_ASSIGN(DeviceCloudPolicyStoreChromeOSTest); 127 }; 128 129 TEST_F(DeviceCloudPolicyStoreChromeOSTest, LoadNoKey) { 130 owner_key_util_->Clear(); 131 store_->Load(); 132 FlushDeviceSettings(); 133 ExpectFailure(CloudPolicyStore::STATUS_BAD_STATE); 134 } 135 136 TEST_F(DeviceCloudPolicyStoreChromeOSTest, LoadNoPolicy) { 137 device_settings_test_helper_.set_policy_blob(std::string()); 138 store_->Load(); 139 FlushDeviceSettings(); 140 ExpectFailure(CloudPolicyStore::STATUS_LOAD_ERROR); 141 } 142 143 TEST_F(DeviceCloudPolicyStoreChromeOSTest, LoadNotEnterprise) { 144 ResetToNonEnterprise(); 145 store_->Load(); 146 FlushDeviceSettings(); 147 ExpectFailure(CloudPolicyStore::STATUS_BAD_STATE); 148 } 149 150 TEST_F(DeviceCloudPolicyStoreChromeOSTest, LoadSuccess) { 151 store_->Load(); 152 FlushDeviceSettings(); 153 ExpectSuccess(); 154 } 155 156 TEST_F(DeviceCloudPolicyStoreChromeOSTest, StoreSuccess) { 157 PrepareExistingPolicy(); 158 store_->Store(device_policy_.policy()); 159 FlushDeviceSettings(); 160 ExpectSuccess(); 161 } 162 163 TEST_F(DeviceCloudPolicyStoreChromeOSTest, StoreNoSignature) { 164 PrepareExistingPolicy(); 165 device_policy_.policy().clear_policy_data_signature(); 166 store_->Store(device_policy_.policy()); 167 FlushDeviceSettings(); 168 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); 169 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE, 170 store_->validation_status()); 171 } 172 173 TEST_F(DeviceCloudPolicyStoreChromeOSTest, StoreBadSignature) { 174 PrepareExistingPolicy(); 175 device_policy_.policy().set_policy_data_signature("invalid"); 176 store_->Store(device_policy_.policy()); 177 FlushDeviceSettings(); 178 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); 179 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE, 180 store_->validation_status()); 181 } 182 183 TEST_F(DeviceCloudPolicyStoreChromeOSTest, StoreKeyRotation) { 184 PrepareExistingPolicy(); 185 device_policy_.SetDefaultNewSigningKey(); 186 device_policy_.Build(); 187 store_->Store(device_policy_.policy()); 188 content::RunAllBlockingPoolTasksUntilIdle(); 189 device_settings_test_helper_.FlushStore(); 190 owner_key_util_->SetPublicKeyFromPrivateKey( 191 *device_policy_.GetNewSigningKey()); 192 ReloadDeviceSettings(); 193 ExpectSuccess(); 194 } 195 196 TEST_F(DeviceCloudPolicyStoreChromeOSTest, 197 StoreKeyRotationVerificationFailure) { 198 PrepareExistingPolicy(); 199 device_policy_.SetDefaultNewSigningKey(); 200 device_policy_.Build(); 201 *device_policy_.policy().mutable_new_public_key_verification_signature() = 202 "garbage"; 203 store_->Store(device_policy_.policy()); 204 FlushDeviceSettings(); 205 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); 206 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE, 207 store_->validation_status()); 208 } 209 210 TEST_F(DeviceCloudPolicyStoreChromeOSTest, 211 StoreKeyRotationMissingSignatureFailure) { 212 PrepareExistingPolicy(); 213 device_policy_.SetDefaultNewSigningKey(); 214 device_policy_.Build(); 215 device_policy_.policy().clear_new_public_key_verification_signature(); 216 store_->Store(device_policy_.policy()); 217 FlushDeviceSettings(); 218 EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status()); 219 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE, 220 store_->validation_status()); 221 } 222 223 TEST_F(DeviceCloudPolicyStoreChromeOSTest, InstallInitialPolicySuccess) { 224 PrepareNewSigningKey(); 225 store_->InstallInitialPolicy(device_policy_.policy()); 226 FlushDeviceSettings(); 227 ExpectSuccess(); 228 } 229 230 TEST_F(DeviceCloudPolicyStoreChromeOSTest, InstallInitialPolicyNoSignature) { 231 PrepareNewSigningKey(); 232 device_policy_.policy().clear_policy_data_signature(); 233 store_->InstallInitialPolicy(device_policy_.policy()); 234 FlushDeviceSettings(); 235 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR); 236 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE, 237 store_->validation_status()); 238 } 239 240 TEST_F(DeviceCloudPolicyStoreChromeOSTest, 241 InstallInitialPolicyVerificationFailure) { 242 PrepareNewSigningKey(); 243 *device_policy_.policy().mutable_new_public_key_verification_signature() = 244 "garbage"; 245 store_->InstallInitialPolicy(device_policy_.policy()); 246 FlushDeviceSettings(); 247 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR); 248 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE, 249 store_->validation_status()); 250 } 251 252 TEST_F(DeviceCloudPolicyStoreChromeOSTest, 253 InstallInitialPolicyMissingSignatureFailure) { 254 PrepareNewSigningKey(); 255 device_policy_.policy().clear_new_public_key_verification_signature(); 256 store_->InstallInitialPolicy(device_policy_.policy()); 257 FlushDeviceSettings(); 258 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR); 259 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_KEY_VERIFICATION_SIGNATURE, 260 store_->validation_status()); 261 } 262 263 TEST_F(DeviceCloudPolicyStoreChromeOSTest, InstallInitialPolicyNoKey) { 264 PrepareNewSigningKey(); 265 device_policy_.policy().clear_new_public_key(); 266 store_->InstallInitialPolicy(device_policy_.policy()); 267 FlushDeviceSettings(); 268 ExpectFailure(CloudPolicyStore::STATUS_VALIDATION_ERROR); 269 EXPECT_EQ(CloudPolicyValidatorBase::VALIDATION_BAD_INITIAL_SIGNATURE, 270 store_->validation_status()); 271 } 272 273 TEST_F(DeviceCloudPolicyStoreChromeOSTest, InstallInitialPolicyNotEnterprise) { 274 PrepareNewSigningKey(); 275 ResetToNonEnterprise(); 276 store_->InstallInitialPolicy(device_policy_.policy()); 277 FlushDeviceSettings(); 278 ExpectFailure(CloudPolicyStore::STATUS_BAD_STATE); 279 } 280 281 } // namespace policy 282
