src/chrome/browser/chromeos/policy/network_configuration_updater_unittest.cc

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "base/bind.h"
   6 #include "base/bind_helpers.h"
   7 #include "base/callback.h"
   8 #include "base/files/file_path.h"
   9 #include "base/memory/scoped_ptr.h"
  10 #include "base/run_loop.h"
  11 #include "base/values.h"
  12 #include "chrome/browser/chromeos/login/user.h"
  13 #include "chrome/browser/chromeos/policy/device_network_configuration_updater.h"
  14 #include "chrome/browser/chromeos/policy/user_network_configuration_updater.h"
  15 #include "chrome/browser/chromeos/settings/cros_settings.h"
  16 #include "chrome/browser/chromeos/settings/device_settings_service.h"
  17 #include "chrome/browser/chromeos/settings/stub_cros_settings_provider.h"
  18 #include "chrome/test/base/testing_profile.h"
  19 #include "chromeos/network/fake_network_device_handler.h"
  20 #include "chromeos/network/mock_managed_network_configuration_handler.h"
  21 #include "chromeos/network/onc/mock_certificate_importer.h"
  22 #include "chromeos/network/onc/onc_test_utils.h"
  23 #include "chromeos/network/onc/onc_utils.h"
  24 #include "components/onc/onc_constants.h"
  25 #include "components/policy/core/common/external_data_fetcher.h"
  26 #include "components/policy/core/common/mock_configuration_policy_provider.h"
  27 #include "components/policy/core/common/policy_map.h"
  28 #include "components/policy/core/common/policy_service_impl.h"
  29 #include "content/public/test/test_browser_thread_bundle.h"
  30 #include "content/public/test/test_utils.h"
  31 #include "net/base/test_data_directory.h"
  32 #include "net/cert/x509_certificate.h"
  33 #include "net/test/cert_test_util.h"
  34 #include "policy/policy_constants.h"
  35 #include "testing/gmock/include/gmock/gmock.h"
  36 #include "testing/gtest/include/gtest/gtest.h"
  37
  38 using testing::AnyNumber;
  39 using testing::AtLeast;
  40 using testing::Mock;
  41 using testing::Ne;
  42 using testing::Return;
  43 using testing::StrictMock;
  44 using testing::_;
  45
  46 namespace policy {
  47
  48 namespace {
  49
  50 const char kFakeUserEmail[] = "fake email";
  51 const char kFakeUsernameHash[] = "fake hash";
  52
  53 class FakeUser : public chromeos::User {
  54  public:
  55   FakeUser() : User(kFakeUserEmail) {
  56     set_display_email(kFakeUserEmail);
  57     set_username_hash(kFakeUsernameHash);
  58   }
  59   virtual ~FakeUser() {}
  60
  61   // User overrides
  62   virtual UserType GetType() const OVERRIDE {
  63     return USER_TYPE_REGULAR;
  64   }
  65
  66  private:
  67   DISALLOW_COPY_AND_ASSIGN(FakeUser);
  68 };
  69
  70 class FakeWebTrustedCertsObserver
  71     : public UserNetworkConfigurationUpdater::WebTrustedCertsObserver {
  72  public:
  73   virtual void OnTrustAnchorsChanged(
  74       const net::CertificateList& trust_anchors) OVERRIDE {
  75     trust_anchors_ = trust_anchors;
  76   }
  77   net::CertificateList trust_anchors_;
  78 };
  79
  80 class FakeNetworkDeviceHandler : public chromeos::FakeNetworkDeviceHandler {
  81   public:
  82    FakeNetworkDeviceHandler() : allow_roaming_(false) {}
  83
  84    virtual void SetCellularAllowRoaming(bool allow_roaming) OVERRIDE {
  85      allow_roaming_ = allow_roaming;
  86    }
  87
  88    bool allow_roaming_;
  89 };
  90
  91 const char kFakeONC[] =
  92     "{ \"NetworkConfigurations\": ["
  93     "    { \"GUID\": \"{485d6076-dd44-6b6d-69787465725f5040}\","
  94     "      \"Type\": \"WiFi\","
  95     "      \"Name\": \"My WiFi Network\","
  96     "      \"WiFi\": {"
  97     "        \"SSID\": \"ssid-none\","
  98     "        \"Security\": \"None\" }"
  99     "    }"
 100     "  ],"
 101     "  \"GlobalNetworkConfiguration\": {"
 102     "    \"AllowOnlyPolicyNetworksToAutoconnect\": true,"
 103     "  },"
 104     "  \"Certificates\": ["
 105     "    { \"GUID\": \"{f998f760-272b-6939-4c2beffe428697ac}\","
 106     "      \"PKCS12\": \"abc\","
 107     "       \"Type\": \"Client\" }"
 108     "  ],"
 109     "  \"Type\": \"UnencryptedConfiguration\""
 110     "}";
 111
 112 std::string ValueToString(const base::Value& value) {
 113   std::stringstream str;
 114   str << value;
 115   return str.str();
 116 }
 117
 118 void AppendAll(const base::ListValue& from, base::ListValue* to) {
 119   for (base::ListValue::const_iterator it = from.begin(); it != from.end();
 120        ++it) {
 121     to->Append((*it)->DeepCopy());
 122   }
 123 }
 124
 125 // Matcher to match base::Value.
 126 MATCHER_P(IsEqualTo,
 127           value,
 128           std::string(negation ? "isn't" : "is") + " equal to " +
 129               ValueToString(*value)) {
 130   return value->Equals(&arg);
 131 }
 132
 133 MATCHER(IsEmpty, std::string(negation ? "isn't" : "is") + " empty.") {
 134   return arg.empty();
 135 }
 136
 137 ACTION_P(SetCertificateList, list) {
 138   if (arg2)
 139     *arg2 = list;
 140   return true;
 141 }
 142
 143 }  // namespace
 144
 145 class NetworkConfigurationUpdaterTest : public testing::Test {
 146  protected:
 147   NetworkConfigurationUpdaterTest() {
 148   }
 149
 150   virtual void SetUp() OVERRIDE {
 151     EXPECT_CALL(provider_, IsInitializationComplete(_))
 152         .WillRepeatedly(Return(false));
 153     provider_.Init();
 154     PolicyServiceImpl::Providers providers;
 155     providers.push_back(&provider_);
 156     policy_service_.reset(new PolicyServiceImpl(providers));
 157
 158     scoped_ptr<base::DictionaryValue> fake_toplevel_onc =
 159         chromeos::onc::ReadDictionaryFromJson(kFakeONC);
 160
 161     base::ListValue* network_configs = NULL;
 162     fake_toplevel_onc->GetListWithoutPathExpansion(
 163         onc::toplevel_config::kNetworkConfigurations, &network_configs);
 164     AppendAll(*network_configs, &fake_network_configs_);
 165
 166     base::DictionaryValue* global_config = NULL;
 167     fake_toplevel_onc->GetDictionaryWithoutPathExpansion(
 168         onc::toplevel_config::kGlobalNetworkConfiguration, &global_config);
 169     fake_global_network_config_.MergeDictionary(global_config);
 170
 171     base::ListValue* certs = NULL;
 172     fake_toplevel_onc->GetListWithoutPathExpansion(
 173         onc::toplevel_config::kCertificates, &certs);
 174     AppendAll(*certs, &fake_certificates_);
 175
 176     certificate_importer_ =
 177         new StrictMock<chromeos::onc::MockCertificateImporter>();
 178     certificate_importer_owned_.reset(certificate_importer_);
 179   }
 180
 181   virtual void TearDown() OVERRIDE {
 182     network_configuration_updater_.reset();
 183     provider_.Shutdown();
 184     base::RunLoop().RunUntilIdle();
 185   }
 186
 187   void MarkPolicyProviderInitialized() {
 188     Mock::VerifyAndClearExpectations(&provider_);
 189     EXPECT_CALL(provider_, IsInitializationComplete(_))
 190         .WillRepeatedly(Return(true));
 191     provider_.SetAutoRefresh();
 192     provider_.RefreshPolicies();
 193     base::RunLoop().RunUntilIdle();
 194   }
 195
 196   void UpdateProviderPolicy(const PolicyMap& policy) {
 197     provider_.UpdateChromePolicy(policy);
 198     base::RunLoop().RunUntilIdle();
 199   }
 200
 201   UserNetworkConfigurationUpdater*
 202   CreateNetworkConfigurationUpdaterForUserPolicy(
 203       bool allow_trusted_certs_from_policy,
 204       bool set_cert_importer) {
 205     UserNetworkConfigurationUpdater* updater =
 206         UserNetworkConfigurationUpdater::CreateForUserPolicy(
 207             &profile_,
 208             allow_trusted_certs_from_policy,
 209             fake_user_,
 210             policy_service_.get(),
 211             &network_config_handler_).release();
 212     if (set_cert_importer) {
 213       EXPECT_TRUE(certificate_importer_owned_);
 214       updater->SetCertificateImporterForTest(
 215           certificate_importer_owned_.Pass());
 216     }
 217     network_configuration_updater_.reset(updater);
 218     return updater;
 219   }
 220
 221   void CreateNetworkConfigurationUpdaterForDevicePolicy() {
 222     network_configuration_updater_ =
 223         DeviceNetworkConfigurationUpdater::CreateForDevicePolicy(
 224             policy_service_.get(),
 225             &network_config_handler_,
 226             &network_device_handler_,
 227             chromeos::CrosSettings::Get());
 228   }
 229
 230   base::ListValue fake_network_configs_;
 231   base::DictionaryValue fake_global_network_config_;
 232   base::ListValue fake_certificates_;
 233   StrictMock<chromeos::MockManagedNetworkConfigurationHandler>
 234       network_config_handler_;
 235   FakeNetworkDeviceHandler network_device_handler_;
 236
 237   // Not used directly. Required for CrosSettings.
 238   chromeos::ScopedTestDeviceSettingsService scoped_device_settings_service_;
 239   chromeos::ScopedTestCrosSettings scoped_cros_settings_;
 240
 241   // Ownership of certificate_importer_owned_ is passed to the
 242   // NetworkConfigurationUpdater. When that happens, |certificate_importer_|
 243   // continues to point to that instance but |certificate_importer_owned_| is
 244   // released.
 245   StrictMock<chromeos::onc::MockCertificateImporter>* certificate_importer_;
 246   scoped_ptr<chromeos::onc::CertificateImporter> certificate_importer_owned_;
 247
 248   StrictMock<MockConfigurationPolicyProvider> provider_;
 249   scoped_ptr<PolicyServiceImpl> policy_service_;
 250   FakeUser fake_user_;
 251
 252   TestingProfile profile_;
 253
 254   scoped_ptr<NetworkConfigurationUpdater> network_configuration_updater_;
 255   content::TestBrowserThreadBundle thread_bundle_;
 256 };
 257
 258 TEST_F(NetworkConfigurationUpdaterTest, CellularAllowRoaming) {
 259   // Ignore network config updates.
 260   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
 261
 262   // Setup the DataRoaming device setting.
 263   chromeos::CrosSettings* cros_settings = chromeos::CrosSettings::Get();
 264   chromeos::CrosSettingsProvider* device_settings_provider =
 265       cros_settings->GetProvider(chromeos::kSignedDataRoamingEnabled);
 266   cros_settings->RemoveSettingsProvider(device_settings_provider);
 267   delete device_settings_provider;
 268   chromeos::StubCrosSettingsProvider* stub_settings_provider =
 269       new chromeos::StubCrosSettingsProvider;
 270   cros_settings->AddSettingsProvider(stub_settings_provider);
 271
 272   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
 273                                      base::FundamentalValue(false));
 274   EXPECT_FALSE(network_device_handler_.allow_roaming_);
 275
 276   CreateNetworkConfigurationUpdaterForDevicePolicy();
 277   MarkPolicyProviderInitialized();
 278   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
 279                                      base::FundamentalValue(true));
 280   EXPECT_TRUE(network_device_handler_.allow_roaming_);
 281
 282   chromeos::CrosSettings::Get()->Set(chromeos::kSignedDataRoamingEnabled,
 283                                      base::FundamentalValue(false));
 284   EXPECT_FALSE(network_device_handler_.allow_roaming_);
 285 }
 286
 287 TEST_F(NetworkConfigurationUpdaterTest, PolicyIsValidatedAndRepaired) {
 288   scoped_ptr<base::DictionaryValue> onc_repaired =
 289       chromeos::onc::test_utils::ReadTestDictionary(
 290           "repaired_toplevel_partially_invalid.onc");
 291
 292   base::ListValue* network_configs_repaired = NULL;
 293   onc_repaired->GetListWithoutPathExpansion(
 294       onc::toplevel_config::kNetworkConfigurations, &network_configs_repaired);
 295   ASSERT_TRUE(network_configs_repaired);
 296
 297   base::DictionaryValue* global_config_repaired = NULL;
 298   onc_repaired->GetDictionaryWithoutPathExpansion(
 299       onc::toplevel_config::kGlobalNetworkConfiguration,
 300       &global_config_repaired);
 301   ASSERT_TRUE(global_config_repaired);
 302
 303   std::string onc_policy =
 304       chromeos::onc::test_utils::ReadTestData("toplevel_partially_invalid.onc");
 305   PolicyMap policy;
 306   policy.Set(key::kOpenNetworkConfiguration,
 307              POLICY_LEVEL_MANDATORY,
 308              POLICY_SCOPE_USER,
 309              new base::StringValue(onc_policy),
 310              NULL);
 311   UpdateProviderPolicy(policy);
 312
 313   EXPECT_CALL(network_config_handler_,
 314               SetPolicy(onc::ONC_SOURCE_USER_POLICY,
 315                         _,
 316                         IsEqualTo(network_configs_repaired),
 317                         IsEqualTo(global_config_repaired)));
 318   EXPECT_CALL(*certificate_importer_,
 319               ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY,  _));
 320
 321   CreateNetworkConfigurationUpdaterForUserPolicy(
 322       false /* do not allow trusted certs from policy */,
 323       true /* set certificate importer */);
 324   MarkPolicyProviderInitialized();
 325 }
 326
 327 TEST_F(NetworkConfigurationUpdaterTest,
 328        DoNotAllowTrustedCertificatesFromPolicy) {
 329   net::CertificateList cert_list;
 330   cert_list =
 331       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
 332                                          "ok_cert.pem",
 333                                          net::X509Certificate::FORMAT_AUTO);
 334   ASSERT_EQ(1u, cert_list.size());
 335
 336   EXPECT_CALL(network_config_handler_,
 337               SetPolicy(onc::ONC_SOURCE_USER_POLICY, _, _, _));
 338   EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
 339       .WillRepeatedly(SetCertificateList(cert_list));
 340
 341   UserNetworkConfigurationUpdater* updater =
 342       CreateNetworkConfigurationUpdaterForUserPolicy(
 343           false /* do not allow trusted certs from policy */,
 344           true /* set certificate importer */);
 345   MarkPolicyProviderInitialized();
 346
 347   // Certificates with the "Web" trust flag set should not be forwarded to
 348   // observers.
 349   FakeWebTrustedCertsObserver observer;
 350   updater->AddTrustedCertsObserver(&observer);
 351
 352   base::RunLoop().RunUntilIdle();
 353
 354   net::CertificateList trust_anchors;
 355   updater->GetWebTrustedCertificates(&trust_anchors);
 356   EXPECT_TRUE(trust_anchors.empty());
 357
 358   EXPECT_TRUE(observer.trust_anchors_.empty());
 359   updater->RemoveTrustedCertsObserver(&observer);
 360 }
 361
 362 TEST_F(NetworkConfigurationUpdaterTest,
 363        AllowTrustedCertificatesFromPolicyInitially) {
 364   // Ignore network configuration changes.
 365   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
 366       .Times(AnyNumber());
 367
 368   net::CertificateList cert_list;
 369   cert_list =
 370       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
 371                                          "ok_cert.pem",
 372                                          net::X509Certificate::FORMAT_AUTO);
 373   ASSERT_EQ(1u, cert_list.size());
 374
 375   EXPECT_CALL(*certificate_importer_,
 376               ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
 377       .WillRepeatedly(SetCertificateList(cert_list));
 378
 379   UserNetworkConfigurationUpdater* updater =
 380       CreateNetworkConfigurationUpdaterForUserPolicy(
 381           true /* allow trusted certs from policy */,
 382           true /* set certificate importer */);
 383   MarkPolicyProviderInitialized();
 384
 385   base::RunLoop().RunUntilIdle();
 386
 387   // Certificates with the "Web" trust flag set will be returned.
 388   net::CertificateList trust_anchors;
 389   updater->GetWebTrustedCertificates(&trust_anchors);
 390   EXPECT_EQ(1u, trust_anchors.size());
 391 }
 392
 393 TEST_F(NetworkConfigurationUpdaterTest,
 394        AllowTrustedCertificatesFromPolicyOnUpdate) {
 395   // Ignore network configuration changes.
 396   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _))
 397       .Times(AnyNumber());
 398
 399   // Start with an empty certificate list.
 400   EXPECT_CALL(*certificate_importer_,
 401               ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
 402       .WillRepeatedly(SetCertificateList(net::CertificateList()));
 403
 404   UserNetworkConfigurationUpdater* updater =
 405       CreateNetworkConfigurationUpdaterForUserPolicy(
 406           true /* allow trusted certs from policy */,
 407           true /* set certificate importer */);
 408   MarkPolicyProviderInitialized();
 409
 410   FakeWebTrustedCertsObserver observer;
 411   updater->AddTrustedCertsObserver(&observer);
 412
 413   base::RunLoop().RunUntilIdle();
 414
 415   // Verify that the returned certificate list is empty.
 416   Mock::VerifyAndClearExpectations(certificate_importer_);
 417   {
 418     net::CertificateList trust_anchors;
 419     updater->GetWebTrustedCertificates(&trust_anchors);
 420     EXPECT_TRUE(trust_anchors.empty());
 421   }
 422   EXPECT_TRUE(observer.trust_anchors_.empty());
 423
 424   // Now use a non-empty certificate list to test the observer notification.
 425   net::CertificateList cert_list;
 426   cert_list =
 427       net::CreateCertificateListFromFile(net::GetTestCertsDirectory(),
 428                                          "ok_cert.pem",
 429                                          net::X509Certificate::FORMAT_AUTO);
 430   ASSERT_EQ(1u, cert_list.size());
 431
 432   EXPECT_CALL(*certificate_importer_,
 433               ImportCertificates(_, onc::ONC_SOURCE_USER_POLICY, _))
 434       .WillOnce(SetCertificateList(cert_list));
 435
 436   // Change to any non-empty policy, so that updates are triggered. The actual
 437   // content of the policy is irrelevant.
 438   PolicyMap policy;
 439   policy.Set(key::kOpenNetworkConfiguration,
 440              POLICY_LEVEL_MANDATORY,
 441              POLICY_SCOPE_USER,
 442              new base::StringValue(kFakeONC),
 443              NULL);
 444   UpdateProviderPolicy(policy);
 445   base::RunLoop().RunUntilIdle();
 446
 447   // Certificates with the "Web" trust flag set will be returned and forwarded
 448   // to observers.
 449   {
 450     net::CertificateList trust_anchors;
 451     updater->GetWebTrustedCertificates(&trust_anchors);
 452     EXPECT_EQ(1u, trust_anchors.size());
 453   }
 454   EXPECT_EQ(1u, observer.trust_anchors_.size());
 455
 456   updater->RemoveTrustedCertsObserver(&observer);
 457 }
 458
 459 TEST_F(NetworkConfigurationUpdaterTest,
 460        DontImportCertificateBeforeCertificateImporterSet) {
 461   PolicyMap policy;
 462   policy.Set(key::kOpenNetworkConfiguration, POLICY_LEVEL_MANDATORY,
 463              POLICY_SCOPE_USER, new base::StringValue(kFakeONC), NULL);
 464   UpdateProviderPolicy(policy);
 465
 466   EXPECT_CALL(network_config_handler_,
 467               SetPolicy(onc::ONC_SOURCE_USER_POLICY,
 468                         kFakeUsernameHash,
 469                         IsEqualTo(&fake_network_configs_),
 470                         IsEqualTo(&fake_global_network_config_)));
 471   EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _ , _)).Times(0);
 472
 473   UserNetworkConfigurationUpdater* updater =
 474       CreateNetworkConfigurationUpdaterForUserPolicy(
 475           true /* allow trusted certs from policy */,
 476           false /* do not set certificate importer */);
 477   MarkPolicyProviderInitialized();
 478
 479   Mock::VerifyAndClearExpectations(&network_config_handler_);
 480   Mock::VerifyAndClearExpectations(certificate_importer_);
 481
 482   EXPECT_CALL(network_config_handler_,
 483               SetPolicy(onc::ONC_SOURCE_USER_POLICY,
 484                         kFakeUsernameHash,
 485                         IsEqualTo(&fake_network_configs_),
 486                         IsEqualTo(&fake_global_network_config_)))
 487       .Times(0);
 488   EXPECT_CALL(*certificate_importer_,
 489               ImportCertificates(IsEqualTo(&fake_certificates_),
 490                                  onc::ONC_SOURCE_USER_POLICY,
 491                                   _));
 492
 493   ASSERT_TRUE(certificate_importer_owned_);
 494   updater->SetCertificateImporterForTest(certificate_importer_owned_.Pass());
 495 }
 496
 497 class NetworkConfigurationUpdaterTestWithParam
 498     : public NetworkConfigurationUpdaterTest,
 499       public testing::WithParamInterface<const char*> {
 500  protected:
 501   // Returns the currently tested ONC source.
 502   onc::ONCSource CurrentONCSource() {
 503     if (GetParam() == key::kOpenNetworkConfiguration)
 504       return onc::ONC_SOURCE_USER_POLICY;
 505     DCHECK(GetParam() == key::kDeviceOpenNetworkConfiguration);
 506     return onc::ONC_SOURCE_DEVICE_POLICY;
 507   }
 508
 509   // Returns the expected username hash to push policies to
 510   // ManagedNetworkConfigurationHandler.
 511   std::string ExpectedUsernameHash() {
 512     if (GetParam() == key::kOpenNetworkConfiguration)
 513       return kFakeUsernameHash;
 514     return std::string();
 515   }
 516
 517   size_t ExpectedImportCertificatesCallCount() {
 518     if (GetParam() == key::kOpenNetworkConfiguration)
 519       return 1u;
 520     return 0u;
 521   }
 522
 523   void CreateNetworkConfigurationUpdater() {
 524     if (GetParam() == key::kOpenNetworkConfiguration) {
 525       CreateNetworkConfigurationUpdaterForUserPolicy(
 526           false /* do not allow trusted certs from policy */,
 527           true /* set certificate importer */);
 528     } else {
 529       CreateNetworkConfigurationUpdaterForDevicePolicy();
 530     }
 531   }
 532 };
 533
 534 TEST_P(NetworkConfigurationUpdaterTestWithParam, InitialUpdates) {
 535   PolicyMap policy;
 536   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 537              new base::StringValue(kFakeONC), NULL);
 538   UpdateProviderPolicy(policy);
 539
 540   EXPECT_CALL(network_config_handler_,
 541               SetPolicy(CurrentONCSource(),
 542                         ExpectedUsernameHash(),
 543                         IsEqualTo(&fake_network_configs_),
 544                         IsEqualTo(&fake_global_network_config_)));
 545   EXPECT_CALL(*certificate_importer_,
 546               ImportCertificates(IsEqualTo(&fake_certificates_),
 547                                  CurrentONCSource(),
 548                                   _))
 549       .Times(ExpectedImportCertificatesCallCount());
 550
 551   CreateNetworkConfigurationUpdater();
 552   MarkPolicyProviderInitialized();
 553 }
 554
 555 TEST_P(NetworkConfigurationUpdaterTestWithParam,
 556        PolicyNotSetBeforePolicyProviderInitialized) {
 557   PolicyMap policy;
 558   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 559              new base::StringValue(kFakeONC), NULL);
 560   UpdateProviderPolicy(policy);
 561
 562   EXPECT_CALL(network_config_handler_,
 563               SetPolicy(CurrentONCSource(),
 564                         ExpectedUsernameHash(),
 565                         IsEqualTo(&fake_network_configs_),
 566                         IsEqualTo(&fake_global_network_config_)))
 567       .Times(0);
 568   EXPECT_CALL(*certificate_importer_,
 569               ImportCertificates(IsEqualTo(&fake_certificates_),
 570                                  CurrentONCSource(),
 571                                   _))
 572       .Times(0);
 573
 574   CreateNetworkConfigurationUpdater();
 575
 576   Mock::VerifyAndClearExpectations(&network_config_handler_);
 577   Mock::VerifyAndClearExpectations(certificate_importer_);
 578
 579   EXPECT_CALL(network_config_handler_,
 580               SetPolicy(CurrentONCSource(),
 581                         ExpectedUsernameHash(),
 582                         IsEqualTo(&fake_network_configs_),
 583                         IsEqualTo(&fake_global_network_config_)));
 584   EXPECT_CALL(*certificate_importer_,
 585               ImportCertificates(IsEqualTo(&fake_certificates_),
 586                                  CurrentONCSource(),
 587                                   _))
 588       .Times(ExpectedImportCertificatesCallCount());
 589
 590   MarkPolicyProviderInitialized();
 591 }
 592
 593 TEST_P(NetworkConfigurationUpdaterTestWithParam,
 594        PolicyAppliedImmediatelyIfProvidersInitialized) {
 595   MarkPolicyProviderInitialized();
 596
 597   PolicyMap policy;
 598   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 599              new base::StringValue(kFakeONC), NULL);
 600   UpdateProviderPolicy(policy);
 601
 602   EXPECT_CALL(network_config_handler_,
 603               SetPolicy(CurrentONCSource(),
 604                         ExpectedUsernameHash(),
 605                         IsEqualTo(&fake_network_configs_),
 606                         IsEqualTo(&fake_global_network_config_)));
 607   EXPECT_CALL(*certificate_importer_,
 608               ImportCertificates(IsEqualTo(&fake_certificates_),
 609                                  CurrentONCSource(),
 610                                   _))
 611       .Times(ExpectedImportCertificatesCallCount());
 612
 613   CreateNetworkConfigurationUpdater();
 614 }
 615
 616 TEST_P(NetworkConfigurationUpdaterTestWithParam, PolicyChange) {
 617   // Ignore the initial updates.
 618   EXPECT_CALL(network_config_handler_, SetPolicy(_, _, _, _)).Times(AtLeast(1));
 619   EXPECT_CALL(*certificate_importer_, ImportCertificates(_, _, _))
 620       .Times(AtLeast(ExpectedImportCertificatesCallCount()));
 621
 622   CreateNetworkConfigurationUpdater();
 623   MarkPolicyProviderInitialized();
 624
 625   Mock::VerifyAndClearExpectations(&network_config_handler_);
 626   Mock::VerifyAndClearExpectations(certificate_importer_);
 627
 628   // The Updater should update if policy changes.
 629   EXPECT_CALL(network_config_handler_,
 630               SetPolicy(CurrentONCSource(),
 631                         _,
 632                         IsEqualTo(&fake_network_configs_),
 633                         IsEqualTo(&fake_global_network_config_)));
 634   EXPECT_CALL(*certificate_importer_,
 635               ImportCertificates(IsEqualTo(&fake_certificates_),
 636                                  CurrentONCSource(),
 637                                   _))
 638       .Times(ExpectedImportCertificatesCallCount());
 639
 640   PolicyMap policy;
 641   policy.Set(GetParam(), POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER,
 642              new base::StringValue(kFakeONC), NULL);
 643   UpdateProviderPolicy(policy);
 644   Mock::VerifyAndClearExpectations(&network_config_handler_);
 645   Mock::VerifyAndClearExpectations(certificate_importer_);
 646
 647   // Another update is expected if the policy goes away.
 648   EXPECT_CALL(network_config_handler_,
 649               SetPolicy(CurrentONCSource(), _, IsEmpty(), IsEmpty()));
 650   EXPECT_CALL(*certificate_importer_,
 651               ImportCertificates(IsEmpty(), CurrentONCSource(), _))
 652       .Times(ExpectedImportCertificatesCallCount());
 653
 654   policy.Erase(GetParam());
 655   UpdateProviderPolicy(policy);
 656 }
 657
 658 INSTANTIATE_TEST_CASE_P(NetworkConfigurationUpdaterTestWithParamInstance,
 659                         NetworkConfigurationUpdaterTestWithParam,
 660                         testing::Values(key::kDeviceOpenNetworkConfiguration,
 661                                         key::kOpenNetworkConfiguration));
 662
 663 }  // namespace policy