| // Copyright 2022 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chrome/browser/ash/crosapi/cert_provisioning_ash.h" |
| |
| #include "base/base64.h" |
| #include "base/test/test_future.h" |
| #include "chrome/browser/ash/cert_provisioning/mock_cert_provisioning_scheduler.h" |
| #include "chrome/browser/ash/cert_provisioning/mock_cert_provisioning_worker.h" |
| #include "chromeos/crosapi/mojom/cert_provisioning.mojom.h" |
| #include "content/public/test/browser_task_environment.h" |
| #include "testing/gmock/include/gmock/gmock.h" |
| #include "testing/gtest/include/gtest/gtest.h" |
| |
| using ::base::test::TestFuture; |
| using ::testing::ByMove; |
| using ::testing::DoAll; |
| using ::testing::Invoke; |
| using ::testing::Mock; |
| using ::testing::Return; |
| using ::testing::ReturnPointee; |
| using ::testing::ReturnRef; |
| using ::testing::SaveArg; |
| |
| namespace crosapi { |
| namespace { |
| |
| // Fake failure message used for tests. The exact content of the message can be |
| // chosen arbitrarily. |
| const char kFakeFailureMessage[] = "Failure Message"; |
| |
| // Extracted from a X.509 certificate using the command: |
| // openssl x509 -pubkey -noout -in cert.pem |
| // and reformatted as a single line. |
| // This represents a RSA public key. |
| constexpr char kDerEncodedSpkiBase64[] = |
| "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1na7r6WiaL5slsyHI7bEpP5ad9ffsz" |
| "T0mBi8yc03hJpxaA3/2/" |
| "PX7esUdTSGoZr1XVBxjjJc4AypzZKlsPqYKZ+lPHZPpXlp8JVHn8w8+" |
| "zmPKl319vVYdJv5AE0HOuJZ6a19fXxItgzoB+" |
| "oXgkA0mhyPygJwF3HMJfJHRrkxJ73c23R6kKvKTxqRKswvzTo5O5AzZFLdCe+" |
| "GVTJuPo4VToGd+ZhS7QvsY38nAYG57fMnzzs5jjMF042AzzWiMt9gGbeuqCE6LXqFuSJYPo+" |
| "TLaN7pwQx68PK5pd/lv58B7jjxCIAai0BX1rV6bl/Am3EukhTSuIcQiTr5c1G4E6bKwIDAQAB"; |
| |
| constexpr char kCertProfileVersion[] = "cert_profile_version_1"; |
| constexpr base::TimeDelta kCertProfileRenewalPeriod = base::Days(30); |
| constexpr char kDeviceCertProfileId[] = "device_cert_profile_1"; |
| constexpr char kDeviceCertProfileName[] = "Device Certificate Profile 1"; |
| constexpr char kUserCertProfileId[] = "user_cert_profile_1"; |
| constexpr char kUserCertProfileName[] = "User Certificate Profile 1"; |
| constexpr char kFailedDeviceCertProfileId[] = "failed_device_cert_profile_1"; |
| constexpr char kFailedDeviceCertProfileName[] = |
| "Failed Device Certificate Profile 1"; |
| constexpr char kFailedUserCertProfileId[] = "failed_user_cert_profile_1"; |
| constexpr char kFailedUserCertProfileName[] = |
| "Failed User Certificate Profile 1"; |
| |
| void SetupMockCertProvisioningWorker( |
| ash::cert_provisioning::MockCertProvisioningWorker* worker, |
| ash::cert_provisioning::CertProvisioningWorkerState state, |
| const std::vector<uint8_t>* public_key, |
| ash::cert_provisioning::CertProfile& cert_profile, |
| base::Time last_update_time, |
| std::optional<ash::cert_provisioning::BackendServerError>& backend_error) { |
| EXPECT_CALL(*worker, GetState).WillRepeatedly(Return(state)); |
| EXPECT_CALL(*worker, GetLastUpdateTime) |
| .WillRepeatedly(Return(last_update_time)); |
| EXPECT_CALL(*worker, GetPublicKey).WillRepeatedly(ReturnPointee(public_key)); |
| ON_CALL(*worker, GetCertProfile).WillByDefault(ReturnRef(cert_profile)); |
| ON_CALL(*worker, GetLastBackendServerError) |
| .WillByDefault(ReturnRef(backend_error)); |
| } |
| |
| class MockMojoObserver : public mojom::CertProvisioningObserver { |
| public: |
| MOCK_METHOD(void, OnStateChanged, (), (override)); |
| |
| auto GetRemote() { return receiver_.BindNewPipeAndPassRemote(); } |
| |
| private: |
| mojo::Receiver<crosapi::mojom::CertProvisioningObserver> receiver_{this}; |
| }; |
| |
| class CertProvisioningAshTest : public ::testing::Test { |
| public: |
| void SetUp() override { |
| der_encoded_spki_ = base::Base64Decode(kDerEncodedSpkiBase64).value(); |
| |
| ON_CALL(user_scheduler_, GetWorkers) |
| .WillByDefault(ReturnRef(user_workers_)); |
| ON_CALL(user_scheduler_, GetFailedCertProfileIds) |
| .WillByDefault(ReturnRef(user_failed_workers_)); |
| ON_CALL(user_scheduler_, AddObserver) |
| .WillByDefault( |
| Invoke(this, &CertProvisioningAshTest::SaveUserObserver)); |
| |
| ON_CALL(device_scheduler_, GetWorkers) |
| .WillByDefault(ReturnRef(device_workers_)); |
| ON_CALL(device_scheduler_, GetFailedCertProfileIds) |
| .WillByDefault(ReturnRef(device_failed_workers_)); |
| ON_CALL(device_scheduler_, AddObserver) |
| .WillByDefault( |
| Invoke(this, &CertProvisioningAshTest::SaveDeviceObserver)); |
| } |
| |
| base::CallbackListSubscription SaveUserObserver( |
| base::RepeatingClosure callback) { |
| user_scheduler_observer_ = std::move(callback); |
| return base::CallbackListSubscription(); |
| } |
| |
| base::CallbackListSubscription SaveDeviceObserver( |
| base::RepeatingClosure callback) { |
| device_scheduler_observer_ = std::move(callback); |
| return base::CallbackListSubscription(); |
| } |
| |
| protected: |
| // The mojo service is async, so the tests need to explicitly give it an |
| // opportunity to execute its scheduled tasks within their synchronous |
| // sequences of calls. |
| void ExecuteAsyncTasks() { task_environment_.RunUntilIdle(); } |
| |
| std::vector<uint8_t> der_encoded_spki_; |
| |
| content::BrowserTaskEnvironment task_environment_{ |
| base::test::TaskEnvironment::TimeSource::MOCK_TIME}; |
| |
| ash::cert_provisioning::MockCertProvisioningScheduler user_scheduler_; |
| ash::cert_provisioning::WorkerMap user_workers_; |
| base::flat_map<ash::cert_provisioning::CertProfileId, |
| ash::cert_provisioning::FailedWorkerInfo> |
| user_failed_workers_; |
| base::RepeatingClosure user_scheduler_observer_; |
| |
| ash::cert_provisioning::MockCertProvisioningScheduler device_scheduler_; |
| ash::cert_provisioning::WorkerMap device_workers_; |
| base::flat_map<ash::cert_provisioning::CertProfileId, |
| ash::cert_provisioning::FailedWorkerInfo> |
| device_failed_workers_; |
| base::RepeatingClosure device_scheduler_observer_; |
| |
| // The CertProvisioningAsh mojo service under test. |
| CertProvisioningAsh service_; |
| }; |
| |
| TEST_F(CertProvisioningAshTest, ObserveSchedulersWhenNeeded) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| auto observer_1 = std::make_unique<MockMojoObserver>(); |
| auto observer_2 = std::make_unique<MockMojoObserver>(); |
| auto observer_3 = std::make_unique<MockMojoObserver>(); |
| |
| { |
| // AddObserver is called when the mojo service needs to start tracking |
| // changes. One observer per scheduler is enough for any number of mojo |
| // observers. |
| EXPECT_CALL(user_scheduler_, AddObserver); |
| EXPECT_CALL(device_scheduler_, AddObserver); |
| |
| service_.AddObserver(observer_1->GetRemote()); |
| service_.AddObserver(observer_2->GetRemote()); |
| service_.AddObserver(observer_3->GetRemote()); |
| |
| ExecuteAsyncTasks(); |
| Mock::VerifyAndClearExpectations(&user_scheduler_); |
| Mock::VerifyAndClearExpectations(&device_scheduler_); |
| } |
| |
| { |
| // The mojo service is supposed to stop observing the schedulers without its |
| // own observers. It's indirectly verified by the fact that later it adds |
| // observers again. |
| observer_1.reset(); |
| observer_2.reset(); |
| observer_3.reset(); |
| |
| ExecuteAsyncTasks(); |
| } |
| |
| // Check that the mojo service can start and stop observering several times |
| // within its lifetime. |
| { |
| auto observer_4 = std::make_unique<MockMojoObserver>(); |
| |
| EXPECT_CALL(user_scheduler_, AddObserver); |
| EXPECT_CALL(device_scheduler_, AddObserver); |
| |
| service_.AddObserver(observer_4->GetRemote()); |
| |
| ExecuteAsyncTasks(); |
| Mock::VerifyAndClearExpectations(&user_scheduler_); |
| Mock::VerifyAndClearExpectations(&device_scheduler_); |
| |
| observer_4.reset(); |
| ExecuteAsyncTasks(); |
| } |
| } |
| |
| TEST_F(CertProvisioningAshTest, ChangeNotificationsForwarded) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| EXPECT_FALSE(user_scheduler_observer_); |
| EXPECT_FALSE(device_scheduler_observer_); |
| |
| MockMojoObserver observer_1; |
| MockMojoObserver observer_2; |
| service_.AddObserver(observer_1.GetRemote()); |
| service_.AddObserver(observer_2.GetRemote()); |
| ASSERT_TRUE(user_scheduler_observer_); |
| ASSERT_TRUE(device_scheduler_observer_); |
| |
| { |
| // User changes are propagated. |
| EXPECT_CALL(observer_1, OnStateChanged); |
| EXPECT_CALL(observer_2, OnStateChanged); |
| |
| user_scheduler_observer_.Run(); |
| |
| ExecuteAsyncTasks(); |
| Mock::VerifyAndClearExpectations(&observer_1); |
| Mock::VerifyAndClearExpectations(&observer_2); |
| } |
| |
| { |
| // Device changes are propagated. |
| EXPECT_CALL(observer_1, OnStateChanged); |
| EXPECT_CALL(observer_2, OnStateChanged); |
| |
| device_scheduler_observer_.Run(); |
| |
| ExecuteAsyncTasks(); |
| Mock::VerifyAndClearExpectations(&observer_1); |
| Mock::VerifyAndClearExpectations(&observer_2); |
| } |
| } |
| |
| TEST_F(CertProvisioningAshTest, GetStatusEmpty) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| TestFuture<std::vector<mojom::CertProvisioningProcessStatusPtr>> result; |
| service_.GetStatus(result.GetCallback()); |
| |
| EXPECT_EQ(0u, result.Get().size()); |
| } |
| |
| TEST_F(CertProvisioningAshTest, GetStatusAliveUserWorker) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| // Setup a user mock worker. |
| ash::cert_provisioning::CertProfile user_cert_profile( |
| kUserCertProfileId, kUserCertProfileName, kCertProfileVersion, |
| /*is_va_enabled=*/true, kCertProfileRenewalPeriod, |
| ash::cert_provisioning::ProtocolVersion::kStatic); |
| // Any time should work. Any time in the past is a realistic value. |
| base::Time last_update_time = base::Time::Now() - base::Hours(1); |
| std::optional<ash::cert_provisioning::BackendServerError> backend_error = |
| ash::cert_provisioning::BackendServerError( |
| policy::DM_STATUS_REQUEST_INVALID, last_update_time); |
| auto user_cert_worker = |
| std::make_unique<ash::cert_provisioning::MockCertProvisioningWorker>(); |
| SetupMockCertProvisioningWorker( |
| user_cert_worker.get(), |
| ash::cert_provisioning::CertProvisioningWorkerState::kKeypairGenerated, |
| &der_encoded_spki_, user_cert_profile, last_update_time, backend_error); |
| user_workers_[kUserCertProfileId] = std::move(user_cert_worker); |
| |
| auto expected_user_status = mojom::CertProvisioningProcessStatus::New(); |
| expected_user_status->cert_profile_id = kUserCertProfileId; |
| expected_user_status->cert_profile_name = kUserCertProfileName; |
| expected_user_status->public_key = der_encoded_spki_; |
| expected_user_status->last_update_time = last_update_time; |
| expected_user_status->last_backend_server_error = |
| crosapi::mojom::CertProvisioningBackendServerError::New( |
| last_update_time, policy::DM_STATUS_REQUEST_INVALID); |
| expected_user_status->state = |
| mojom::CertProvisioningProcessState::kKeypairGenerated; |
| expected_user_status->did_fail = false; |
| expected_user_status->is_device_wide = false; |
| expected_user_status->failure_message = std::nullopt; |
| |
| TestFuture<std::vector<mojom::CertProvisioningProcessStatusPtr>> result; |
| service_.GetStatus(result.GetCallback()); |
| |
| ASSERT_EQ(1u, result.Get().size()); |
| EXPECT_EQ(*result.Get()[0], *expected_user_status); |
| } |
| |
| TEST_F(CertProvisioningAshTest, GetStatusAliveDeviceWorker) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| // Setup a device mock worker. |
| ash::cert_provisioning::CertProfile device_cert_profile( |
| kDeviceCertProfileId, kDeviceCertProfileName, kCertProfileVersion, |
| /*is_va_enabled=*/true, kCertProfileRenewalPeriod, |
| ash::cert_provisioning::ProtocolVersion::kStatic); |
| base::Time last_update_time = base::Time::Now() - base::Hours(2); |
| std::optional<ash::cert_provisioning::BackendServerError> backend_error = |
| ash::cert_provisioning::BackendServerError( |
| policy::DM_STATUS_REQUEST_FAILED, last_update_time); |
| auto device_cert_worker = |
| std::make_unique<ash::cert_provisioning::MockCertProvisioningWorker>(); |
| SetupMockCertProvisioningWorker( |
| device_cert_worker.get(), |
| ash::cert_provisioning::CertProvisioningWorkerState::kSignCsrFinished, |
| &der_encoded_spki_, device_cert_profile, last_update_time, backend_error); |
| device_workers_[kDeviceCertProfileId] = std::move(device_cert_worker); |
| |
| auto expected_device_status = mojom::CertProvisioningProcessStatus::New(); |
| expected_device_status->cert_profile_id = kDeviceCertProfileId; |
| expected_device_status->cert_profile_name = kDeviceCertProfileName; |
| expected_device_status->public_key = der_encoded_spki_; |
| expected_device_status->last_update_time = last_update_time; |
| expected_device_status->last_backend_server_error = |
| crosapi::mojom::CertProvisioningBackendServerError::New( |
| last_update_time, policy::DM_STATUS_REQUEST_FAILED); |
| expected_device_status->state = |
| mojom::CertProvisioningProcessState::kSignCsrFinished; |
| expected_device_status->did_fail = false; |
| expected_device_status->is_device_wide = true; |
| expected_device_status->failure_message = std::nullopt; |
| |
| TestFuture<std::vector<mojom::CertProvisioningProcessStatusPtr>> result; |
| service_.GetStatus(result.GetCallback()); |
| |
| ASSERT_EQ(1u, result.Get().size()); |
| EXPECT_EQ(*result.Get()[0], *expected_device_status); |
| } |
| |
| TEST_F(CertProvisioningAshTest, GetStatusFailedUserWorker) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| base::Time last_update_time = base::Time::Now() - base::Hours(3); |
| |
| ash::cert_provisioning::FailedWorkerInfo& info = |
| user_failed_workers_[kFailedUserCertProfileId]; |
| info.state_before_failure = |
| ash::cert_provisioning::CertProvisioningWorkerState::kVaChallengeFinished; |
| info.public_key = der_encoded_spki_; |
| info.cert_profile_name = kFailedUserCertProfileName; |
| info.last_update_time = last_update_time; |
| info.failure_message = kFakeFailureMessage; |
| |
| auto expected_user_status = mojom::CertProvisioningProcessStatus::New(); |
| expected_user_status->cert_profile_id = kFailedUserCertProfileId; |
| expected_user_status->cert_profile_name = kFailedUserCertProfileName; |
| expected_user_status->public_key = der_encoded_spki_; |
| expected_user_status->last_update_time = last_update_time; |
| expected_user_status->state = |
| mojom::CertProvisioningProcessState::kVaChallengeFinished; |
| expected_user_status->did_fail = true; |
| expected_user_status->is_device_wide = false; |
| expected_user_status->failure_message = kFakeFailureMessage; |
| |
| TestFuture<std::vector<mojom::CertProvisioningProcessStatusPtr>> result; |
| service_.GetStatus(result.GetCallback()); |
| |
| ASSERT_EQ(1u, result.Get().size()); |
| EXPECT_EQ(*result.Get()[0], *expected_user_status); |
| } |
| |
| TEST_F(CertProvisioningAshTest, GetStatusFailedDeviceWorker) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| base::Time last_update_time = base::Time::Now() - base::Hours(4); |
| |
| ash::cert_provisioning::FailedWorkerInfo& info = |
| device_failed_workers_[kFailedDeviceCertProfileId]; |
| info.state_before_failure = ash::cert_provisioning:: |
| CertProvisioningWorkerState::kFinishCsrResponseReceived; |
| info.public_key = der_encoded_spki_; |
| info.cert_profile_name = kFailedDeviceCertProfileName; |
| info.last_update_time = last_update_time; |
| info.failure_message = kFakeFailureMessage; |
| |
| auto expected_device_status = mojom::CertProvisioningProcessStatus::New(); |
| expected_device_status->cert_profile_id = kFailedDeviceCertProfileId; |
| expected_device_status->cert_profile_name = kFailedDeviceCertProfileName; |
| expected_device_status->public_key = der_encoded_spki_; |
| expected_device_status->last_update_time = last_update_time; |
| expected_device_status->state = |
| mojom::CertProvisioningProcessState::kFinishCsrResponseReceived; |
| expected_device_status->did_fail = true; |
| expected_device_status->is_device_wide = true; |
| expected_device_status->failure_message = kFakeFailureMessage; |
| |
| TestFuture<std::vector<mojom::CertProvisioningProcessStatusPtr>> result; |
| service_.GetStatus(result.GetCallback()); |
| |
| ASSERT_EQ(1u, result.Get().size()); |
| EXPECT_EQ(*result.Get()[0], *expected_device_status); |
| } |
| |
| TEST_F(CertProvisioningAshTest, UpdateOneProcess) { |
| service_.InjectForTesting(&user_scheduler_, &device_scheduler_); |
| |
| { |
| // The service will try different schedulers until it finds the one that |
| // contains the profile id. |
| EXPECT_CALL(user_scheduler_, UpdateOneWorker("111")).WillOnce(Return(true)); |
| EXPECT_CALL(device_scheduler_, UpdateOneWorker).Times(0); |
| |
| service_.UpdateOneProcess("111"); |
| |
| ExecuteAsyncTasks(); |
| Mock::VerifyAndClearExpectations(&user_scheduler_); |
| Mock::VerifyAndClearExpectations(&device_scheduler_); |
| } |
| |
| { |
| // If the first one reports that it doesn't own the id, the service will try |
| // another one. |
| EXPECT_CALL(user_scheduler_, UpdateOneWorker("222")) |
| .WillOnce(Return(false)); |
| EXPECT_CALL(device_scheduler_, UpdateOneWorker("222")) |
| .WillOnce(Return(false)); |
| |
| service_.UpdateOneProcess("222"); |
| |
| ExecuteAsyncTasks(); |
| Mock::VerifyAndClearExpectations(&user_scheduler_); |
| Mock::VerifyAndClearExpectations(&device_scheduler_); |
| } |
| } |
| |
| } // namespace |
| } // namespace crosapi |
