src/chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos_unittest.cc

   1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #include "chrome/browser/chromeos/policy/user_cloud_policy_store_chromeos.h"
   6
   7 #include <vector>
   8
   9 #include "base/basictypes.h"
  10 #include "base/bind.h"
  11 #include "base/file_util.h"
  12 #include "base/files/scoped_temp_dir.h"
  13 #include "base/memory/scoped_ptr.h"
  14 #include "base/message_loop/message_loop.h"
  15 #include "base/threading/sequenced_worker_pool.h"
  16 #include "chromeos/dbus/mock_cryptohome_client.h"
  17 #include "chromeos/dbus/mock_session_manager_client.h"
  18 #include "components/policy/core/common/cloud/cloud_policy_constants.h"
  19 #include "components/policy/core/common/cloud/mock_cloud_policy_store.h"
  20 #include "components/policy/core/common/cloud/policy_builder.h"
  21 #include "policy/policy_constants.h"
  22 #include "policy/proto/cloud_policy.pb.h"
  23 #include "policy/proto/device_management_local.pb.h"
  24 #include "testing/gmock/include/gmock/gmock.h"
  25 #include "testing/gtest/include/gtest/gtest.h"
  26
  27 namespace em = enterprise_management;
  28
  29 using testing::AllOf;
  30 using testing::AnyNumber;
  31 using testing::Eq;
  32 using testing::Mock;
  33 using testing::Property;
  34 using testing::Return;
  35 using testing::SaveArg;
  36 using testing::_;
  37
  38 namespace policy {
  39
  40 namespace {
  41
  42 const char kLegacyDeviceId[] = "legacy-device-id";
  43 const char kLegacyToken[] = "legacy-token";
  44 const char kSanitizedUsername[] =
  45     "0123456789ABCDEF0123456789ABCDEF012345678@example.com";
  46 const char kDefaultHomepage[] = "http://chromium.org";
  47
  48 ACTION_P2(SendSanitizedUsername, call_status, sanitized_username) {
  49   base::MessageLoop::current()->PostTask(
  50       FROM_HERE, base::Bind(arg1, call_status, sanitized_username));
  51 }
  52
  53 class UserCloudPolicyStoreChromeOSTest : public testing::Test {
  54  protected:
  55   UserCloudPolicyStoreChromeOSTest() {}
  56
  57   virtual void SetUp() OVERRIDE {
  58     EXPECT_CALL(cryptohome_client_,
  59                 GetSanitizedUsername(PolicyBuilder::kFakeUsername, _))
  60         .Times(AnyNumber())
  61         .WillRepeatedly(
  62             SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_SUCCESS,
  63                                   kSanitizedUsername));
  64
  65     ASSERT_TRUE(tmp_dir_.CreateUniqueTempDir());
  66     store_.reset(new UserCloudPolicyStoreChromeOS(&cryptohome_client_,
  67                                                   &session_manager_client_,
  68                                                   loop_.message_loop_proxy(),
  69                                                   PolicyBuilder::kFakeUsername,
  70                                                   user_policy_dir(),
  71                                                   token_file(),
  72                                                   policy_file()));
  73     store_->AddObserver(&observer_);
  74
  75     // Install the initial public key, so that by default the validation of
  76     // the stored/loaded policy blob succeeds.
  77     std::vector<uint8> public_key;
  78     ASSERT_TRUE(policy_.GetSigningKey()->ExportPublicKey(&public_key));
  79     StoreUserPolicyKey(public_key);
  80
  81     policy_.payload().mutable_homepagelocation()->set_value(kDefaultHomepage);
  82     policy_.Build();
  83   }
  84
  85   virtual void TearDown() OVERRIDE {
  86     store_->RemoveObserver(&observer_);
  87     store_.reset();
  88     RunUntilIdle();
  89   }
  90
  91   // Install an expectation on |observer_| for an error code.
  92   void ExpectError(CloudPolicyStore::Status error) {
  93     EXPECT_CALL(observer_,
  94                 OnStoreError(AllOf(Eq(store_.get()),
  95                                    Property(&CloudPolicyStore::status,
  96                                             Eq(error)))));
  97   }
  98
  99   // Triggers a store_->Load() operation, handles the expected call to
 100   // |session_manager_client_| and sends |response|.
 101   void PerformPolicyLoad(const std::string& response) {
 102     // Issue a load command.
 103     chromeos::SessionManagerClient::RetrievePolicyCallback retrieve_callback;
 104     EXPECT_CALL(session_manager_client_,
 105                 RetrievePolicyForUser(PolicyBuilder::kFakeUsername, _))
 106         .WillOnce(SaveArg<1>(&retrieve_callback));
 107     store_->Load();
 108     RunUntilIdle();
 109     Mock::VerifyAndClearExpectations(&session_manager_client_);
 110     ASSERT_FALSE(retrieve_callback.is_null());
 111
 112     // Run the callback.
 113     retrieve_callback.Run(response);
 114     RunUntilIdle();
 115   }
 116
 117   // Verifies that store_->policy_map() has the HomepageLocation entry with
 118   // the |expected_value|.
 119   void VerifyPolicyMap(const char* expected_value) {
 120     EXPECT_EQ(1U, store_->policy_map().size());
 121     const PolicyMap::Entry* entry =
 122         store_->policy_map().Get(key::kHomepageLocation);
 123     ASSERT_TRUE(entry);
 124     EXPECT_TRUE(base::StringValue(expected_value).Equals(entry->value));
 125   }
 126
 127   void StoreUserPolicyKey(const std::vector<uint8>& public_key) {
 128     ASSERT_TRUE(base::CreateDirectory(user_policy_key_file().DirName()));
 129     ASSERT_TRUE(
 130         base::WriteFile(user_policy_key_file(),
 131                         reinterpret_cast<const char*>(public_key.data()),
 132                         public_key.size()));
 133   }
 134
 135   // Stores the current |policy_| and verifies that it is published.
 136   // If |new_public_key| is set then it will be persisted after storing but
 137   // before loading the policy, so that the signature validation can succeed.
 138   // If |previous_value| is set then a previously existing policy with that
 139   // value will be expected; otherwise no previous policy is expected.
 140   // If |new_value| is set then a new policy with that value is expected after
 141   // storing the |policy_| blob.
 142   void PerformStorePolicy(const std::vector<uint8>* new_public_key,
 143                           const char* previous_value,
 144                           const char* new_value) {
 145     chromeos::SessionManagerClient::StorePolicyCallback store_callback;
 146     EXPECT_CALL(session_manager_client_,
 147                 StorePolicyForUser(PolicyBuilder::kFakeUsername,
 148                                    policy_.GetBlob(), _))
 149         .WillOnce(SaveArg<2>(&store_callback));
 150     store_->Store(policy_.policy());
 151     RunUntilIdle();
 152     Mock::VerifyAndClearExpectations(&session_manager_client_);
 153     ASSERT_FALSE(store_callback.is_null());
 154
 155     // The new policy shouldn't be present yet.
 156     PolicyMap previous_policy;
 157     EXPECT_EQ(previous_value != NULL, store_->policy() != NULL);
 158     if (previous_value) {
 159       previous_policy.Set(key::kHomepageLocation,
 160                           POLICY_LEVEL_MANDATORY,
 161                           POLICY_SCOPE_USER,
 162                           new base::StringValue(previous_value), NULL);
 163     }
 164     EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
 165     EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 166
 167     // Store the new public key so that the validation after the retrieve
 168     // operation completes can verify the signature.
 169     if (new_public_key)
 170       StoreUserPolicyKey(*new_public_key);
 171
 172     // Let the store operation complete.
 173     chromeos::SessionManagerClient::RetrievePolicyCallback retrieve_callback;
 174     EXPECT_CALL(session_manager_client_,
 175                 RetrievePolicyForUser(PolicyBuilder::kFakeUsername, _))
 176         .WillOnce(SaveArg<1>(&retrieve_callback));
 177     store_callback.Run(true);
 178     RunUntilIdle();
 179     EXPECT_TRUE(previous_policy.Equals(store_->policy_map()));
 180     EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 181     Mock::VerifyAndClearExpectations(&session_manager_client_);
 182     ASSERT_FALSE(retrieve_callback.is_null());
 183
 184     // Finish the retrieve callback.
 185     EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 186     retrieve_callback.Run(policy_.GetBlob());
 187     RunUntilIdle();
 188     ASSERT_TRUE(store_->policy());
 189     EXPECT_EQ(policy_.policy_data().SerializeAsString(),
 190               store_->policy()->SerializeAsString());
 191     VerifyPolicyMap(new_value);
 192     EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 193   }
 194
 195   void VerifyStoreHasValidationError() {
 196     EXPECT_FALSE(store_->policy());
 197     EXPECT_TRUE(store_->policy_map().empty());
 198     EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
 199   }
 200
 201   void RunUntilIdle() {
 202     loop_.RunUntilIdle();
 203     loop_.RunUntilIdle();
 204   }
 205
 206   base::FilePath user_policy_dir() {
 207     return tmp_dir_.path().AppendASCII("var_run_user_policy");
 208   }
 209
 210   base::FilePath user_policy_key_file() {
 211     return user_policy_dir().AppendASCII(kSanitizedUsername)
 212                             .AppendASCII("policy.pub");
 213   }
 214
 215   base::FilePath token_file() {
 216     return tmp_dir_.path().AppendASCII("token");
 217   }
 218
 219   base::FilePath policy_file() {
 220     return tmp_dir_.path().AppendASCII("policy");
 221   }
 222
 223   base::MessageLoopForUI loop_;
 224   chromeos::MockCryptohomeClient cryptohome_client_;
 225   chromeos::MockSessionManagerClient session_manager_client_;
 226   UserPolicyBuilder policy_;
 227   MockCloudPolicyStoreObserver observer_;
 228   scoped_ptr<UserCloudPolicyStoreChromeOS> store_;
 229
 230  private:
 231   base::ScopedTempDir tmp_dir_;
 232
 233   DISALLOW_COPY_AND_ASSIGN(UserCloudPolicyStoreChromeOSTest);
 234 };
 235
 236 TEST_F(UserCloudPolicyStoreChromeOSTest, InitialStore) {
 237   // Start without any public key to trigger the initial key checks.
 238   ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
 239   // Make the policy blob contain a new public key.
 240   policy_.SetDefaultNewSigningKey();
 241   policy_.Build();
 242   std::vector<uint8> new_public_key;
 243   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
 244   ASSERT_NO_FATAL_FAILURE(
 245       PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
 246 }
 247
 248 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithExistingKey) {
 249   ASSERT_NO_FATAL_FAILURE(
 250       PerformStorePolicy(NULL, NULL, kDefaultHomepage));
 251 }
 252
 253 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithRotation) {
 254   // Make the policy blob contain a new public key.
 255   policy_.SetDefaultNewSigningKey();
 256   policy_.Build();
 257   std::vector<uint8> new_public_key;
 258   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
 259   ASSERT_NO_FATAL_FAILURE(
 260       PerformStorePolicy(&new_public_key, NULL, kDefaultHomepage));
 261 }
 262
 263 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreFail) {
 264   // Store policy.
 265   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
 266   EXPECT_CALL(session_manager_client_,
 267               StorePolicyForUser(PolicyBuilder::kFakeUsername,
 268                                  policy_.GetBlob(), _))
 269       .WillOnce(SaveArg<2>(&store_callback));
 270   store_->Store(policy_.policy());
 271   RunUntilIdle();
 272   Mock::VerifyAndClearExpectations(&session_manager_client_);
 273   ASSERT_FALSE(store_callback.is_null());
 274
 275   // Let the store operation complete.
 276   ExpectError(CloudPolicyStore::STATUS_STORE_ERROR);
 277   store_callback.Run(false);
 278   RunUntilIdle();
 279   EXPECT_FALSE(store_->policy());
 280   EXPECT_TRUE(store_->policy_map().empty());
 281   EXPECT_EQ(CloudPolicyStore::STATUS_STORE_ERROR, store_->status());
 282 }
 283
 284 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreValidationError) {
 285   policy_.policy_data().clear_policy_type();
 286   policy_.Build();
 287
 288   // Store policy.
 289   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
 290   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
 291   EXPECT_CALL(session_manager_client_,
 292               StorePolicyForUser(PolicyBuilder::kFakeUsername,
 293                                  policy_.GetBlob(), _))
 294       .Times(0);
 295   store_->Store(policy_.policy());
 296   RunUntilIdle();
 297   Mock::VerifyAndClearExpectations(&session_manager_client_);
 298 }
 299
 300 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithoutPolicyKey) {
 301   // Make the dbus call to cryptohome fail.
 302   Mock::VerifyAndClearExpectations(&cryptohome_client_);
 303   EXPECT_CALL(cryptohome_client_,
 304               GetSanitizedUsername(PolicyBuilder::kFakeUsername, _))
 305       .Times(AnyNumber())
 306       .WillRepeatedly(SendSanitizedUsername(chromeos::DBUS_METHOD_CALL_FAILURE,
 307                                             std::string()));
 308
 309   // Store policy.
 310   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
 311   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
 312   EXPECT_CALL(session_manager_client_,
 313               StorePolicyForUser(PolicyBuilder::kFakeUsername,
 314                                  policy_.GetBlob(), _))
 315       .Times(0);
 316   store_->Store(policy_.policy());
 317   RunUntilIdle();
 318   Mock::VerifyAndClearExpectations(&session_manager_client_);
 319 }
 320
 321 TEST_F(UserCloudPolicyStoreChromeOSTest, StoreWithInvalidSignature) {
 322   // Break the signature.
 323   policy_.policy().mutable_policy_data_signature()->append("garbage");
 324
 325   // Store policy.
 326   chromeos::SessionManagerClient::StorePolicyCallback store_callback;
 327   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
 328   EXPECT_CALL(session_manager_client_,
 329               StorePolicyForUser(PolicyBuilder::kFakeUsername,
 330                                  policy_.GetBlob(), _))
 331       .Times(0);
 332   store_->Store(policy_.policy());
 333   RunUntilIdle();
 334   Mock::VerifyAndClearExpectations(&session_manager_client_);
 335 }
 336
 337 TEST_F(UserCloudPolicyStoreChromeOSTest, Load) {
 338   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 339   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
 340   Mock::VerifyAndClearExpectations(&observer_);
 341
 342   // Verify that the policy has been loaded.
 343   ASSERT_TRUE(store_->policy());
 344   EXPECT_EQ(policy_.policy_data().SerializeAsString(),
 345             store_->policy()->SerializeAsString());
 346   VerifyPolicyMap(kDefaultHomepage);
 347   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 348 }
 349
 350 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoPolicy) {
 351   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 352   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
 353   Mock::VerifyAndClearExpectations(&observer_);
 354
 355   // Verify no policy has been installed.
 356   EXPECT_FALSE(store_->policy());
 357   EXPECT_TRUE(store_->policy_map().empty());
 358   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 359 }
 360
 361 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidPolicy) {
 362   ExpectError(CloudPolicyStore::STATUS_PARSE_ERROR);
 363   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad("invalid"));
 364
 365   // Verify no policy has been installed.
 366   EXPECT_FALSE(store_->policy());
 367   EXPECT_TRUE(store_->policy_map().empty());
 368   EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
 369 }
 370
 371 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadValidationError) {
 372   policy_.policy_data().clear_policy_type();
 373   policy_.Build();
 374
 375   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
 376   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
 377   VerifyStoreHasValidationError();
 378 }
 379
 380 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadNoKey) {
 381   // The loaded policy can't be verified without the public key.
 382   ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
 383   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
 384   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
 385   VerifyStoreHasValidationError();
 386 }
 387
 388 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadInvalidSignature) {
 389   // Break the signature.
 390   policy_.policy().mutable_policy_data_signature()->append("garbage");
 391   ExpectError(CloudPolicyStore::STATUS_VALIDATION_ERROR);
 392   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(policy_.GetBlob()));
 393   VerifyStoreHasValidationError();
 394 }
 395
 396 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationFull) {
 397   std::string data;
 398
 399   em::DeviceCredentials credentials;
 400   credentials.set_device_token(kLegacyToken);
 401   credentials.set_device_id(kLegacyDeviceId);
 402   ASSERT_TRUE(credentials.SerializeToString(&data));
 403   ASSERT_NE(-1, base::WriteFile(token_file(), data.c_str(), data.size()));
 404
 405   em::CachedCloudPolicyResponse cached_policy;
 406   cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
 407   ASSERT_TRUE(cached_policy.SerializeToString(&data));
 408   ASSERT_NE(-1, base::WriteFile(policy_file(), data.c_str(), data.size()));
 409
 410   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 411   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
 412   Mock::VerifyAndClearExpectations(&observer_);
 413
 414   // Verify that legacy user policy and token have been loaded.
 415   em::PolicyData expected_policy_data;
 416   EXPECT_TRUE(expected_policy_data.ParseFromString(
 417                   cached_policy.cloud_policy().policy_data()));
 418   expected_policy_data.clear_public_key_version();
 419   expected_policy_data.set_request_token(kLegacyToken);
 420   expected_policy_data.set_device_id(kLegacyDeviceId);
 421   ASSERT_TRUE(store_->policy());
 422   EXPECT_EQ(expected_policy_data.SerializeAsString(),
 423             store_->policy()->SerializeAsString());
 424   VerifyPolicyMap(kDefaultHomepage);
 425   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 426 }
 427
 428 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoToken) {
 429   std::string data;
 430   testing::Sequence seq;
 431
 432   em::CachedCloudPolicyResponse cached_policy;
 433   cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
 434   ASSERT_TRUE(cached_policy.SerializeToString(&data));
 435   ASSERT_NE(-1, base::WriteFile(policy_file(), data.c_str(), data.size()));
 436
 437   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 438   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
 439   Mock::VerifyAndClearExpectations(&observer_);
 440
 441   // Verify the legacy cache has been loaded.
 442   em::PolicyData expected_policy_data;
 443   EXPECT_TRUE(expected_policy_data.ParseFromString(
 444                   cached_policy.cloud_policy().policy_data()));
 445   expected_policy_data.clear_public_key_version();
 446   ASSERT_TRUE(store_->policy());
 447   EXPECT_EQ(expected_policy_data.SerializeAsString(),
 448             store_->policy()->SerializeAsString());
 449   VerifyPolicyMap(kDefaultHomepage);
 450   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 451 }
 452
 453 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationNoPolicy) {
 454   std::string data;
 455
 456   em::DeviceCredentials credentials;
 457   credentials.set_device_token(kLegacyToken);
 458   credentials.set_device_id(kLegacyDeviceId);
 459   ASSERT_TRUE(credentials.SerializeToString(&data));
 460   ASSERT_NE(-1, base::WriteFile(token_file(), data.c_str(), data.size()));
 461
 462   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 463   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
 464   Mock::VerifyAndClearExpectations(&observer_);
 465
 466   // Verify that legacy user policy and token have been loaded.
 467   em::PolicyData expected_policy_data;
 468   expected_policy_data.set_request_token(kLegacyToken);
 469   expected_policy_data.set_device_id(kLegacyDeviceId);
 470   ASSERT_TRUE(store_->policy());
 471   EXPECT_EQ(expected_policy_data.SerializeAsString(),
 472             store_->policy()->SerializeAsString());
 473   EXPECT_TRUE(store_->policy_map().empty());
 474   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 475 }
 476
 477 TEST_F(UserCloudPolicyStoreChromeOSTest, MigrationAndStoreNew) {
 478   // Start without an existing public key.
 479   ASSERT_TRUE(base::DeleteFile(user_policy_key_file(), false));
 480
 481   std::string data;
 482   em::CachedCloudPolicyResponse cached_policy;
 483   cached_policy.mutable_cloud_policy()->CopyFrom(policy_.policy());
 484   ASSERT_TRUE(cached_policy.SerializeToString(&data));
 485   ASSERT_NE(-1, base::WriteFile(policy_file(), data.c_str(), data.size()));
 486
 487   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 488   ASSERT_NO_FATAL_FAILURE(PerformPolicyLoad(""));
 489   Mock::VerifyAndClearExpectations(&observer_);
 490
 491   // Verify the legacy cache has been loaded.
 492   em::PolicyData expected_policy_data;
 493   EXPECT_TRUE(expected_policy_data.ParseFromString(
 494                   cached_policy.cloud_policy().policy_data()));
 495   expected_policy_data.clear_public_key_version();
 496   ASSERT_TRUE(store_->policy());
 497   EXPECT_EQ(expected_policy_data.SerializeAsString(),
 498             store_->policy()->SerializeAsString());
 499   VerifyPolicyMap(kDefaultHomepage);
 500   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 501   EXPECT_TRUE(base::PathExists(policy_file()));
 502
 503   // Now store a new policy using the new homepage location.
 504   const char kNewHomepage[] = "http://google.com";
 505   policy_.payload().mutable_homepagelocation()->set_value(kNewHomepage);
 506   policy_.SetDefaultNewSigningKey();
 507   policy_.Build();
 508   std::vector<uint8> new_public_key;
 509   ASSERT_TRUE(policy_.GetNewSigningKey()->ExportPublicKey(&new_public_key));
 510   ASSERT_NO_FATAL_FAILURE(
 511       PerformStorePolicy(&new_public_key, kDefaultHomepage, kNewHomepage));
 512   VerifyPolicyMap(kNewHomepage);
 513
 514   // Verify that the legacy cache has been removed.
 515   EXPECT_FALSE(base::PathExists(policy_file()));
 516 }
 517
 518 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediately) {
 519   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 520   EXPECT_CALL(session_manager_client_,
 521               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
 522       .WillOnce(Return(policy_.GetBlob()));
 523   EXPECT_CALL(cryptohome_client_,
 524               BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
 525       .WillOnce(Return(kSanitizedUsername));
 526
 527   EXPECT_FALSE(store_->policy());
 528   store_->LoadImmediately();
 529   // Note: verify that the |observer_| got notified synchronously, without
 530   // having to spin the current loop. TearDown() will flush the loop so this
 531   // must be done within the test.
 532   Mock::VerifyAndClearExpectations(&observer_);
 533   Mock::VerifyAndClearExpectations(&session_manager_client_);
 534   Mock::VerifyAndClearExpectations(&cryptohome_client_);
 535
 536   // The policy should become available without having to spin any loops.
 537   ASSERT_TRUE(store_->policy());
 538   EXPECT_EQ(policy_.policy_data().SerializeAsString(),
 539             store_->policy()->SerializeAsString());
 540   VerifyPolicyMap(kDefaultHomepage);
 541   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 542 }
 543
 544 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoPolicy) {
 545   EXPECT_CALL(observer_, OnStoreLoaded(store_.get()));
 546   EXPECT_CALL(session_manager_client_,
 547               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
 548       .WillOnce(Return(""));
 549
 550   EXPECT_FALSE(store_->policy());
 551   store_->LoadImmediately();
 552   Mock::VerifyAndClearExpectations(&observer_);
 553   Mock::VerifyAndClearExpectations(&session_manager_client_);
 554
 555   EXPECT_FALSE(store_->policy());
 556   EXPECT_TRUE(store_->policy_map().empty());
 557   EXPECT_EQ(CloudPolicyStore::STATUS_OK, store_->status());
 558 }
 559
 560 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyInvalidBlob) {
 561   EXPECT_CALL(observer_, OnStoreError(store_.get()));
 562   EXPECT_CALL(session_manager_client_,
 563               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
 564       .WillOnce(Return("le blob"));
 565
 566   EXPECT_FALSE(store_->policy());
 567   store_->LoadImmediately();
 568   Mock::VerifyAndClearExpectations(&observer_);
 569   Mock::VerifyAndClearExpectations(&session_manager_client_);
 570
 571   EXPECT_FALSE(store_->policy());
 572   EXPECT_TRUE(store_->policy_map().empty());
 573   EXPECT_EQ(CloudPolicyStore::STATUS_PARSE_ERROR, store_->status());
 574 }
 575
 576 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyDBusFailure) {
 577   EXPECT_CALL(observer_, OnStoreError(store_.get()));
 578   EXPECT_CALL(session_manager_client_,
 579               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
 580       .WillOnce(Return(policy_.GetBlob()));
 581   EXPECT_CALL(cryptohome_client_,
 582               BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
 583       .WillOnce(Return(""));
 584
 585   EXPECT_FALSE(store_->policy());
 586   store_->LoadImmediately();
 587   Mock::VerifyAndClearExpectations(&observer_);
 588   Mock::VerifyAndClearExpectations(&session_manager_client_);
 589   Mock::VerifyAndClearExpectations(&cryptohome_client_);
 590
 591   EXPECT_FALSE(store_->policy());
 592   EXPECT_TRUE(store_->policy_map().empty());
 593   EXPECT_EQ(CloudPolicyStore::STATUS_LOAD_ERROR, store_->status());
 594 }
 595
 596 TEST_F(UserCloudPolicyStoreChromeOSTest, LoadImmediatelyNoUserPolicyKey) {
 597   EXPECT_CALL(observer_, OnStoreError(store_.get()));
 598   EXPECT_CALL(session_manager_client_,
 599               BlockingRetrievePolicyForUser(PolicyBuilder::kFakeUsername))
 600       .WillOnce(Return(policy_.GetBlob()));
 601   EXPECT_CALL(cryptohome_client_,
 602               BlockingGetSanitizedUsername(PolicyBuilder::kFakeUsername))
 603       .WillOnce(Return("wrong@example.com"));
 604
 605   EXPECT_FALSE(store_->policy());
 606   store_->LoadImmediately();
 607   Mock::VerifyAndClearExpectations(&observer_);
 608   Mock::VerifyAndClearExpectations(&session_manager_client_);
 609   Mock::VerifyAndClearExpectations(&cryptohome_client_);
 610
 611   EXPECT_FALSE(store_->policy());
 612   EXPECT_TRUE(store_->policy_map().empty());
 613   EXPECT_EQ(CloudPolicyStore::STATUS_VALIDATION_ERROR, store_->status());
 614 }
 615
 616 }  // namespace
 617
 618 }  // namespace policy