// Copyright (c) 2013 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "chrome/browser/policy/cloud/component_cloud_policy_service.h" #include #include #include "base/callback.h" #include "base/files/scoped_temp_dir.h" #include "base/message_loop/message_loop.h" #include "base/run_loop.h" #include "base/sha1.h" #include "base/single_thread_task_runner.h" #include "base/stl_util.h" #include "base/values.h" #include "chrome/browser/policy/cloud/cloud_policy_constants.h" #include "chrome/browser/policy/cloud/mock_cloud_policy_client.h" #include "chrome/browser/policy/cloud/mock_cloud_policy_store.h" #include "chrome/browser/policy/cloud/policy_builder.h" #include "chrome/browser/policy/cloud/resource_cache.h" #include "chrome/browser/policy/proto/cloud/chrome_extension_policy.pb.h" #include "chrome/browser/policy/proto/cloud/device_management_backend.pb.h" #include "components/policy/core/common/external_data_fetcher.h" #include "components/policy/core/common/policy_map.h" #include "components/policy/core/common/policy_types.h" #include "components/policy/core/common/schema.h" #include "components/policy/core/common/schema_map.h" #include "net/url_request/test_url_fetcher_factory.h" #include "net/url_request/url_fetcher_delegate.h" #include "net/url_request/url_request_context.h" #include "net/url_request/url_request_context_getter.h" #include "testing/gmock/include/gmock/gmock.h" #include "testing/gtest/include/gtest/gtest.h" namespace em = enterprise_management; using testing::Mock; namespace policy { namespace { const char kTestExtension[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; const char kTestExtension2[] = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"; const char kTestDownload[] = "http://example.com/getpolicy?id=123"; const char kTestPolicy[] = "{" " \"Name\": {" " \"Value\": \"disabled\"" " }," " \"Second\": {" " \"Value\": \"maybe\"," " \"Level\": \"Recommended\"" " }" "}"; const char kInvalidTestPolicy[] = "{" " \"Name\": {" " \"Value\": \"published\"" " }," " \"Undeclared Name\": {" " \"Value\": \"not published\"" " }" "}"; const char kTestSchema[] = "{" " \"type\": \"object\"," " \"properties\": {" " \"Name\": { \"type\": \"string\" }," " \"Second\": { \"type\": \"string\" }" " }" "}"; class MockComponentCloudPolicyDelegate : public ComponentCloudPolicyService::Delegate { public: virtual ~MockComponentCloudPolicyDelegate() {} MOCK_METHOD0(OnComponentCloudPolicyUpdated, void()); }; class TestURLRequestContextGetter : public net::URLRequestContextGetter { public: explicit TestURLRequestContextGetter( scoped_refptr task_runner) : task_runner_(task_runner) {} virtual net::URLRequestContext* GetURLRequestContext() OVERRIDE { return NULL; } virtual scoped_refptr GetNetworkTaskRunner() const OVERRIDE { return task_runner_; } private: virtual ~TestURLRequestContextGetter() {} scoped_refptr task_runner_; }; } // namespace class ComponentCloudPolicyServiceTest : public testing::Test { protected: ComponentCloudPolicyServiceTest() : client_(NULL), core_(PolicyNamespaceKey(GetChromeUserPolicyType(), ""), &store_, loop_.message_loop_proxy()) {} virtual void SetUp() OVERRIDE { ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); cache_ = new ResourceCache(temp_dir_.path(), loop_.message_loop_proxy()); request_context_ = new TestURLRequestContextGetter(loop_.message_loop_proxy()); service_.reset(new ComponentCloudPolicyService( &delegate_, ®istry_, &core_, make_scoped_ptr(cache_), request_context_, loop_.message_loop_proxy(), loop_.message_loop_proxy())); builder_.policy_data().set_policy_type( dm_protocol::kChromeExtensionPolicyType); builder_.policy_data().set_settings_entity_id(kTestExtension); builder_.payload().set_download_url(kTestDownload); builder_.payload().set_secure_hash(base::SHA1HashString(kTestPolicy)); expected_policy_.Set("Name", POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER, base::Value::CreateStringValue("disabled"), NULL); expected_policy_.Set("Second", POLICY_LEVEL_RECOMMENDED, POLICY_SCOPE_USER, base::Value::CreateStringValue("maybe"), NULL); } virtual void TearDown() OVERRIDE { // The service cleans up its backend on the background thread. service_.reset(); RunUntilIdle(); } void RunUntilIdle() { base::RunLoop().RunUntilIdle(); } void Connect(size_t expected_namespaces_in_client) { client_ = new MockCloudPolicyClient(); client_->SetDMToken(ComponentPolicyBuilder::kFakeToken); EXPECT_EQ(0u, client_->namespaces_to_fetch_.size()); core_.Connect(scoped_ptr(client_)); // |expected_namespaces_in_client| is the expected number of components // that the ComponentCloudPolicyService will set at the |client_| at // OnCoreConnected. EXPECT_EQ(expected_namespaces_in_client, client_->namespaces_to_fetch_.size()); // Also initialize the refresh scheduler, so that calls to // core()->RefreshSoon() trigger a FetchPolicy() call on the mock |client_|. // Expect the initial refresh now, if the store doesn't have policy (if it // does then the CloudPolicyRefreshScheduler won't start refreshing until // invalidations are available, or a timeout elapses). if (!store_.has_policy()) EXPECT_CALL(*client_, FetchPolicy()); core_.StartRefreshScheduler(); RunUntilIdle(); Mock::VerifyAndClearExpectations(client_); } void LoadStore() { EXPECT_FALSE(store_.is_initialized()); em::PolicyData* data = new em::PolicyData(); data->set_username(ComponentPolicyBuilder::kFakeUsername); data->set_request_token(ComponentPolicyBuilder::kFakeToken); store_.policy_.reset(data); store_.NotifyStoreLoaded(); RunUntilIdle(); EXPECT_TRUE(store_.is_initialized()); } void InitializeRegistry() { registry_.RegisterComponent( PolicyNamespace(POLICY_DOMAIN_EXTENSIONS, kTestExtension), CreateTestSchema()); registry_.SetReady(POLICY_DOMAIN_CHROME); registry_.SetReady(POLICY_DOMAIN_EXTENSIONS); } void PopulateCache() { EXPECT_TRUE(cache_->Store( "extension-policy", kTestExtension, CreateSerializedResponse())); EXPECT_TRUE( cache_->Store("extension-policy-data", kTestExtension, kTestPolicy)); builder_.policy_data().set_settings_entity_id(kTestExtension2); EXPECT_TRUE(cache_->Store( "extension-policy", kTestExtension2, CreateSerializedResponse())); EXPECT_TRUE( cache_->Store("extension-policy-data", kTestExtension2, kTestPolicy)); } scoped_ptr CreateResponse() { builder_.Build(); return make_scoped_ptr(new em::PolicyFetchResponse(builder_.policy())); } std::string CreateSerializedResponse() { builder_.Build(); return builder_.GetBlob(); } Schema CreateTestSchema() { std::string error; Schema schema = Schema::Parse(kTestSchema, &error); EXPECT_TRUE(schema.valid()) << error; return schema; } base::MessageLoop loop_; base::ScopedTempDir temp_dir_; scoped_refptr request_context_; net::TestURLFetcherFactory fetcher_factory_; MockComponentCloudPolicyDelegate delegate_; // |cache_| is owned by the |service_| and is invalid once the |service_| // is destroyed. ResourceCache* cache_; MockCloudPolicyClient* client_; MockCloudPolicyStore store_; CloudPolicyCore core_; SchemaRegistry registry_; scoped_ptr service_; ComponentPolicyBuilder builder_; PolicyMap expected_policy_; }; TEST_F(ComponentCloudPolicyServiceTest, InitializedAtConstructionTime) { service_.reset(); Connect(1u); LoadStore(); InitializeRegistry(); cache_ = new ResourceCache(temp_dir_.path(), loop_.message_loop_proxy()); service_.reset(new ComponentCloudPolicyService(&delegate_, ®istry_, &core_, make_scoped_ptr(cache_), request_context_, loop_.message_loop_proxy(), loop_.message_loop_proxy())); EXPECT_FALSE(service_->is_initialized()); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); EXPECT_CALL(*client_, FetchPolicy()); RunUntilIdle(); Mock::VerifyAndClearExpectations(&client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_TRUE(service_->is_initialized()); EXPECT_EQ(2u, client_->namespaces_to_fetch_.size()); const PolicyBundle empty_bundle; EXPECT_TRUE(service_->policy().Equals(empty_bundle)); } TEST_F(ComponentCloudPolicyServiceTest, InitializeStoreThenRegistry) { Connect(1u); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()).Times(0); EXPECT_CALL(*client_, FetchPolicy()).Times(0); LoadStore(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_FALSE(service_->is_initialized()); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); EXPECT_CALL(*client_, FetchPolicy()); InitializeRegistry(); RunUntilIdle(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_TRUE(service_->is_initialized()); const PolicyBundle empty_bundle; EXPECT_TRUE(service_->policy().Equals(empty_bundle)); } TEST_F(ComponentCloudPolicyServiceTest, InitializeRegistryThenStore) { Connect(1u); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()).Times(0); EXPECT_CALL(*client_, FetchPolicy()).Times(0); InitializeRegistry(); RunUntilIdle(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_FALSE(service_->is_initialized()); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); EXPECT_CALL(*client_, FetchPolicy()); LoadStore(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_TRUE(service_->is_initialized()); EXPECT_EQ(2u, client_->namespaces_to_fetch_.size()); const PolicyBundle empty_bundle; EXPECT_TRUE(service_->policy().Equals(empty_bundle)); } TEST_F(ComponentCloudPolicyServiceTest, InitializeWithCachedPolicy) { PopulateCache(); Connect(1u); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); EXPECT_CALL(*client_, FetchPolicy()); InitializeRegistry(); LoadStore(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_TRUE(service_->is_initialized()); EXPECT_EQ(2u, client_->namespaces_to_fetch_.size()); // kTestExtension2 is not in the registry so it was dropped. std::map contents; cache_->LoadAllSubkeys("extension-policy", &contents); ASSERT_EQ(1u, contents.size()); EXPECT_EQ(kTestExtension, contents.begin()->first); PolicyBundle expected_bundle; const PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension); expected_bundle.Get(ns).CopyFrom(expected_policy_); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); } TEST_F(ComponentCloudPolicyServiceTest, FetchPolicy) { Connect(1u); // Initialize the store and create the backend. // A refresh is not needed, because no components are registered yet. EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); EXPECT_CALL(*client_, FetchPolicy()).Times(0); registry_.SetReady(POLICY_DOMAIN_CHROME); registry_.SetReady(POLICY_DOMAIN_EXTENSIONS); LoadStore(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_TRUE(service_->is_initialized()); // Register the components to fetch. EXPECT_CALL(*client_, FetchPolicy()); registry_.RegisterComponent( PolicyNamespace(POLICY_DOMAIN_EXTENSIONS, kTestExtension), CreateTestSchema()); RunUntilIdle(); Mock::VerifyAndClearExpectations(client_); // Send back a fake policy fetch response. client_->SetPolicy(PolicyNamespaceKey(dm_protocol::kChromeExtensionPolicyType, kTestExtension), *CreateResponse()); service_->OnPolicyFetched(client_); RunUntilIdle(); // That should have triggered the download fetch. net::TestURLFetcher* fetcher = fetcher_factory_.GetFetcherByID(0); ASSERT_TRUE(fetcher); EXPECT_EQ(GURL(kTestDownload), fetcher->GetOriginalURL()); fetcher->set_response_code(200); fetcher->SetResponseString(kTestPolicy); fetcher->delegate()->OnURLFetchComplete(fetcher); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); // The policy is now being served. const PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension); PolicyBundle expected_bundle; expected_bundle.Get(ns).CopyFrom(expected_policy_); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); } TEST_F(ComponentCloudPolicyServiceTest, LoadAndPurgeCache) { Connect(1u); // Insert data in the cache. PopulateCache(); registry_.RegisterComponent( PolicyNamespace(POLICY_DOMAIN_EXTENSIONS, kTestExtension2), CreateTestSchema()); InitializeRegistry(); // Load the initial cache. EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); EXPECT_CALL(*client_, FetchPolicy()); LoadStore(); Mock::VerifyAndClearExpectations(client_); Mock::VerifyAndClearExpectations(&delegate_); PolicyBundle expected_bundle; PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension); expected_bundle.Get(ns).CopyFrom(expected_policy_); ns.component_id = kTestExtension2; expected_bundle.Get(ns).CopyFrom(expected_policy_); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); // Now purge one of the extensions. EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); registry_.UnregisterComponent( PolicyNamespace(POLICY_DOMAIN_EXTENSIONS, kTestExtension)); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); ns.component_id = kTestExtension; expected_bundle.Get(ns).Clear(); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); std::map contents; cache_->LoadAllSubkeys("extension-policy", &contents); EXPECT_EQ(1u, contents.size()); EXPECT_TRUE(ContainsKey(contents, kTestExtension2)); } TEST_F(ComponentCloudPolicyServiceTest, SignInAfterStartup) { registry_.SetReady(POLICY_DOMAIN_CHROME); registry_.SetReady(POLICY_DOMAIN_EXTENSIONS); // Initialize the store without credentials. EXPECT_FALSE(store_.is_initialized()); EXPECT_FALSE(service_->is_initialized()); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); store_.NotifyStoreLoaded(); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); EXPECT_TRUE(service_->is_initialized()); // Register an extension. registry_.RegisterComponent( PolicyNamespace(POLICY_DOMAIN_EXTENSIONS, kTestExtension), CreateTestSchema()); RunUntilIdle(); // Now signin. A fetch will be requested for the new extension. Connect(2u); // Send the response to the service. The response data will be ignored, // because the store doesn't have the updated credentials yet. client_->SetPolicy(PolicyNamespaceKey(dm_protocol::kChromeExtensionPolicyType, kTestExtension), *CreateResponse()); service_->OnPolicyFetched(client_); RunUntilIdle(); // The policy was ignored and no download is started because the store // doesn't have credentials. net::TestURLFetcher* fetcher = fetcher_factory_.GetFetcherByID(0); EXPECT_FALSE(fetcher); // Now update the |store_| with the updated policy, which includes // credentials. The responses in the |client_| will be reloaded. em::PolicyData* data = new em::PolicyData(); data->set_username(ComponentPolicyBuilder::kFakeUsername); data->set_request_token(ComponentPolicyBuilder::kFakeToken); store_.policy_.reset(data); store_.NotifyStoreLoaded(); RunUntilIdle(); // The extension policy was validated this time, and the download is started. fetcher = fetcher_factory_.GetFetcherByID(0); ASSERT_TRUE(fetcher); EXPECT_EQ(GURL(kTestDownload), fetcher->GetOriginalURL()); fetcher->set_response_code(200); fetcher->SetResponseString(kTestPolicy); fetcher->delegate()->OnURLFetchComplete(fetcher); EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); // The policy is now being served. PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension); PolicyBundle expected_bundle; expected_bundle.Get(ns).CopyFrom(expected_policy_); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); } TEST_F(ComponentCloudPolicyServiceTest, SignOut) { // Initialize everthing and serve policy for a component. PopulateCache(); LoadStore(); InitializeRegistry(); // The initial, cached policy will be served once the backend is initialized. EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); PolicyBundle expected_bundle; const PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension); expected_bundle.Get(ns).CopyFrom(expected_policy_); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); std::map contents; cache_->LoadAllSubkeys("extension-policy", &contents); ASSERT_EQ(1u, contents.size()); // Now sign in. Connect(2u); // Signing out removes all of the component policies from the service and // from the cache. It does not trigger a refresh. EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); core_.Disconnect(); store_.policy_.reset(); store_.NotifyStoreLoaded(); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); const PolicyBundle empty_bundle; EXPECT_TRUE(service_->policy().Equals(empty_bundle)); cache_->LoadAllSubkeys("extension-policy", &contents); ASSERT_EQ(0u, contents.size()); } TEST_F(ComponentCloudPolicyServiceTest, LoadInvalidPolicyFromCache) { // Put the invalid test policy in the cache. One of its policies will be // loaded, the other should be filtered out by the schema. builder_.payload().set_secure_hash(base::SHA1HashString(kInvalidTestPolicy)); EXPECT_TRUE(cache_->Store( "extension-policy", kTestExtension, CreateSerializedResponse())); EXPECT_TRUE(cache_->Store( "extension-policy-data", kTestExtension, kInvalidTestPolicy)); LoadStore(); InitializeRegistry(); // The initial, cached policy will be served once the backend is initialized. EXPECT_CALL(delegate_, OnComponentCloudPolicyUpdated()); RunUntilIdle(); Mock::VerifyAndClearExpectations(&delegate_); PolicyBundle expected_bundle; const PolicyNamespace ns(POLICY_DOMAIN_EXTENSIONS, kTestExtension); expected_bundle.Get(ns).Set("Name", POLICY_LEVEL_MANDATORY, POLICY_SCOPE_USER, base::Value::CreateStringValue("published"), NULL); EXPECT_TRUE(service_->policy().Equals(expected_bundle)); } } // namespace policy