1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
8 #include "base/memory/scoped_ptr.h"
9 #include "base/message_loop/message_loop.h"
10 #include "base/message_loop/message_loop_proxy.h"
11 #include "base/strings/string_util.h"
12 #include "chrome/browser/policy/cloud/cloud_policy_constants.h"
13 #include "chrome/browser/policy/cloud/cloud_policy_validator.h"
14 #include "chrome/browser/policy/cloud/policy_builder.h"
15 #include "crypto/rsa_private_key.h"
16 #include "testing/gmock/include/gmock/gmock.h"
17 #include "testing/gtest/include/gtest/gtest.h"
19 namespace em = enterprise_management;
21 using testing::Invoke;
28 ACTION_P(CheckStatus, expected_status) {
29 EXPECT_EQ(expected_status, arg0->status());
32 class CloudPolicyValidatorTest : public testing::Test {
34 CloudPolicyValidatorTest()
35 : loop_(base::MessageLoop::TYPE_UI),
36 timestamp_(base::Time::UnixEpoch() +
37 base::TimeDelta::FromMilliseconds(
38 PolicyBuilder::kFakeTimestamp)),
39 timestamp_option_(CloudPolicyValidatorBase::TIMESTAMP_REQUIRED),
40 ignore_missing_dm_token_(CloudPolicyValidatorBase::DM_TOKEN_REQUIRED),
41 allow_key_rotation_(true),
42 existing_dm_token_(PolicyBuilder::kFakeToken) {
43 policy_.SetDefaultNewSigningKey();
46 void Validate(testing::Action<void(UserCloudPolicyValidator*)> check_action) {
47 // Create a validator.
48 scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator();
50 // Run validation and check the result.
51 EXPECT_CALL(*this, ValidationCompletion(validator.get())).WillOnce(
53 validator.release()->StartValidation(
54 base::Bind(&CloudPolicyValidatorTest::ValidationCompletion,
55 base::Unretained(this)));
57 Mock::VerifyAndClearExpectations(this);
60 scoped_ptr<UserCloudPolicyValidator> CreateValidator() {
61 std::vector<uint8> public_key;
63 PolicyBuilder::CreateTestSigningKey()->ExportPublicKey(&public_key));
66 UserCloudPolicyValidator* validator = UserCloudPolicyValidator::Create(
67 policy_.GetCopy(), base::MessageLoopProxy::current());
68 validator->ValidateTimestamp(timestamp_, timestamp_,
70 validator->ValidateUsername(PolicyBuilder::kFakeUsername);
71 validator->ValidateDomain(PolicyBuilder::kFakeDomain);
72 validator->ValidateDMToken(existing_dm_token_, ignore_missing_dm_token_);
73 validator->ValidatePolicyType(dm_protocol::kChromeUserPolicyType);
74 validator->ValidatePayload();
75 validator->ValidateSignature(public_key, allow_key_rotation_);
76 if (allow_key_rotation_)
77 validator->ValidateInitialKey();
78 return make_scoped_ptr(validator);
82 void CheckSuccessfulValidation(UserCloudPolicyValidator* validator) {
83 EXPECT_TRUE(validator->success());
84 EXPECT_EQ(policy_.policy().SerializeAsString(),
85 validator->policy()->SerializeAsString());
86 EXPECT_EQ(policy_.policy_data().SerializeAsString(),
87 validator->policy_data()->SerializeAsString());
88 EXPECT_EQ(policy_.payload().SerializeAsString(),
89 validator->payload()->SerializeAsString());
92 base::MessageLoop loop_;
93 base::Time timestamp_;
94 CloudPolicyValidatorBase::ValidateTimestampOption timestamp_option_;
95 CloudPolicyValidatorBase::ValidateDMTokenOption ignore_missing_dm_token_;
96 std::string signing_key_;
97 bool allow_key_rotation_;
98 std::string existing_dm_token_;
100 UserPolicyBuilder policy_;
103 MOCK_METHOD1(ValidationCompletion, void(UserCloudPolicyValidator* validator));
105 DISALLOW_COPY_AND_ASSIGN(CloudPolicyValidatorTest);
108 TEST_F(CloudPolicyValidatorTest, SuccessfulValidation) {
109 Validate(Invoke(this, &CloudPolicyValidatorTest::CheckSuccessfulValidation));
112 TEST_F(CloudPolicyValidatorTest, SuccessfulRunValidation) {
113 scoped_ptr<UserCloudPolicyValidator> validator = CreateValidator();
114 // Run validation immediately (no background tasks).
115 validator->RunValidation();
116 CheckSuccessfulValidation(validator.get());
119 TEST_F(CloudPolicyValidatorTest, SuccessfulRunValidationWithNoExistingDMToken) {
120 existing_dm_token_.clear();
121 Validate(Invoke(this, &CloudPolicyValidatorTest::CheckSuccessfulValidation));
124 TEST_F(CloudPolicyValidatorTest, SuccessfulRunValidationWithNoDMTokens) {
125 existing_dm_token_.clear();
126 policy_.policy_data().clear_request_token();
127 ignore_missing_dm_token_ = CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED;
128 Validate(Invoke(this, &CloudPolicyValidatorTest::CheckSuccessfulValidation));
131 TEST_F(CloudPolicyValidatorTest, UsernameCanonicalization) {
132 policy_.policy_data().set_username(
133 StringToUpperASCII(std::string(PolicyBuilder::kFakeUsername)));
134 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_OK));
137 TEST_F(CloudPolicyValidatorTest, ErrorNoPolicyType) {
138 policy_.policy_data().clear_policy_type();
139 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_POLICY_TYPE));
142 TEST_F(CloudPolicyValidatorTest, ErrorWrongPolicyType) {
143 policy_.policy_data().set_policy_type("invalid");
144 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_POLICY_TYPE));
147 TEST_F(CloudPolicyValidatorTest, ErrorNoTimestamp) {
148 policy_.policy_data().clear_timestamp();
149 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_TIMESTAMP));
152 TEST_F(CloudPolicyValidatorTest, IgnoreMissingTimestamp) {
153 timestamp_option_ = CloudPolicyValidatorBase::TIMESTAMP_NOT_REQUIRED;
154 policy_.policy_data().clear_timestamp();
155 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_OK));
158 TEST_F(CloudPolicyValidatorTest, ErrorOldTimestamp) {
159 base::Time timestamp(timestamp_ - base::TimeDelta::FromMinutes(5));
160 policy_.policy_data().set_timestamp(
161 (timestamp - base::Time::UnixEpoch()).InMilliseconds());
162 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_TIMESTAMP));
165 TEST_F(CloudPolicyValidatorTest, ErrorTimestampFromTheFuture) {
166 base::Time timestamp(timestamp_ + base::TimeDelta::FromMinutes(5));
167 policy_.policy_data().set_timestamp(
168 (timestamp - base::Time::UnixEpoch()).InMilliseconds());
169 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_TIMESTAMP));
172 TEST_F(CloudPolicyValidatorTest, IgnoreErrorTimestampFromTheFuture) {
173 base::Time timestamp(timestamp_ + base::TimeDelta::FromMinutes(5));
175 CloudPolicyValidatorBase::TIMESTAMP_NOT_BEFORE;
176 policy_.policy_data().set_timestamp(
177 (timestamp - base::Time::UnixEpoch()).InMilliseconds());
178 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_OK));
181 TEST_F(CloudPolicyValidatorTest, ErrorNoRequestToken) {
182 policy_.policy_data().clear_request_token();
183 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_TOKEN));
186 TEST_F(CloudPolicyValidatorTest, ErrorNoRequestTokenNotRequired) {
187 // Even though DMTokens are not required, if the existing policy has a token,
188 // we should still generate an error if the new policy has none.
189 policy_.policy_data().clear_request_token();
190 ignore_missing_dm_token_ = CloudPolicyValidatorBase::DM_TOKEN_NOT_REQUIRED;
191 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_TOKEN));
194 TEST_F(CloudPolicyValidatorTest, ErrorNoRequestTokenNoTokenPassed) {
195 // Mimic the first fetch of policy (no existing DM token) - should still
196 // complain about not having any DMToken.
197 existing_dm_token_.clear();
198 policy_.policy_data().clear_request_token();
199 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_TOKEN));
202 TEST_F(CloudPolicyValidatorTest, ErrorInvalidRequestToken) {
203 policy_.policy_data().set_request_token("invalid");
204 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_WRONG_TOKEN));
207 TEST_F(CloudPolicyValidatorTest, ErrorNoPolicyValue) {
208 policy_.clear_payload();
210 CheckStatus(CloudPolicyValidatorBase::VALIDATION_POLICY_PARSE_ERROR));
213 TEST_F(CloudPolicyValidatorTest, ErrorInvalidPolicyValue) {
214 policy_.clear_payload();
215 policy_.policy_data().set_policy_value("invalid");
217 CheckStatus(CloudPolicyValidatorBase::VALIDATION_POLICY_PARSE_ERROR));
220 TEST_F(CloudPolicyValidatorTest, ErrorNoUsername) {
221 policy_.policy_data().clear_username();
222 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_USERNAME));
225 TEST_F(CloudPolicyValidatorTest, ErrorInvalidUsername) {
226 policy_.policy_data().set_username("invalid");
227 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_USERNAME));
230 TEST_F(CloudPolicyValidatorTest, ErrorErrorMessage) {
231 policy_.policy().set_error_message("error");
233 CheckStatus(CloudPolicyValidatorBase::VALIDATION_ERROR_CODE_PRESENT));
236 TEST_F(CloudPolicyValidatorTest, ErrorErrorCode) {
237 policy_.policy().set_error_code(42);
239 CheckStatus(CloudPolicyValidatorBase::VALIDATION_ERROR_CODE_PRESENT));
242 TEST_F(CloudPolicyValidatorTest, ErrorNoSignature) {
243 policy_.UnsetSigningKey();
244 policy_.UnsetNewSigningKey();
245 policy_.policy().clear_policy_data_signature();
246 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
249 TEST_F(CloudPolicyValidatorTest, ErrorInvalidSignature) {
250 policy_.UnsetSigningKey();
251 policy_.UnsetNewSigningKey();
252 policy_.policy().set_policy_data_signature("invalid");
253 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
256 TEST_F(CloudPolicyValidatorTest, ErrorNoPublicKey) {
257 policy_.UnsetSigningKey();
258 policy_.UnsetNewSigningKey();
259 policy_.policy().clear_new_public_key();
260 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
263 TEST_F(CloudPolicyValidatorTest, ErrorInvalidPublicKey) {
264 policy_.UnsetSigningKey();
265 policy_.UnsetNewSigningKey();
266 policy_.policy().set_new_public_key("invalid");
267 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
270 TEST_F(CloudPolicyValidatorTest, ErrorNoPublicKeySignature) {
271 policy_.UnsetSigningKey();
272 policy_.UnsetNewSigningKey();
273 policy_.policy().clear_new_public_key_signature();
274 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
277 TEST_F(CloudPolicyValidatorTest, ErrorInvalidPublicKeySignature) {
278 policy_.UnsetSigningKey();
279 policy_.UnsetNewSigningKey();
280 policy_.policy().set_new_public_key_signature("invalid");
281 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
284 TEST_F(CloudPolicyValidatorTest, ErrorNoRotationAllowed) {
285 allow_key_rotation_ = false;
286 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_BAD_SIGNATURE));
289 TEST_F(CloudPolicyValidatorTest, NoRotation) {
290 allow_key_rotation_ = false;
291 policy_.UnsetNewSigningKey();
292 Validate(CheckStatus(CloudPolicyValidatorBase::VALIDATION_OK));
297 } // namespace policy