blob: a905f5720bc4d9788b611e7b491c2040f316a9ab [file] [log] [blame]
// Copyright 2020 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/policy/cloud/user_policy_signin_service.h"
#include <memory>
#include "base/callback_helpers.h"
#include "base/command_line.h"
#include "base/feature_list.h"
#include "base/memory/raw_ptr.h"
#include "base/strings/stringprintf.h"
#include "base/values.h"
#include "build/build_config.h"
#include "build/chromeos_buildflags.h"
#include "chrome/browser/browser_process.h"
#include "chrome/browser/enterprise/util/managed_browser_utils.h"
#include "chrome/browser/policy/chrome_browser_policy_connector.h"
#include "chrome/browser/policy/profile_policy_connector.h"
#include "chrome/browser/signin/identity_manager_factory.h"
#include "chrome/browser/signin/signin_features.h"
#include "chrome/browser/ui/browser.h"
#include "chrome/browser/ui/webui/signin/dice_turn_sync_on_helper.h"
#include "chrome/common/pref_names.h"
#include "chrome/test/base/in_process_browser_test.h"
#include "components/policy/core/common/policy_namespace.h"
#include "components/policy/core/common/policy_switches.h"
#include "components/policy/core/common/policy_test_utils.h"
#include "components/policy/policy_constants.h"
#include "components/policy/test_support/local_policy_test_server.h"
#include "components/prefs/pref_service.h"
#include "components/prefs/pref_test_utils.h"
#include "components/signin/public/identity_manager/accounts_mutator.h"
#include "components/signin/public/identity_manager/identity_test_utils.h"
#include "components/sync/driver/sync_driver_switches.h"
#include "content/public/test/browser_test.h"
#include "google_apis/gaia/fake_gaia.h"
#include "google_apis/gaia/gaia_switches.h"
#include "google_apis/gaia/gaia_urls.h"
#include "net/base/url_util.h"
#include "net/test/embedded_test_server/http_request.h"
#include "net/test/embedded_test_server/http_response.h"
#include "net/test/embedded_test_server/request_handler_util.h"
#include "testing/gtest/include/gtest/gtest.h"
class UserPolicySigninServiceTest;
class SigninUIError;
namespace {
const char kTestEmail[] = "enterprise@example.com";
const char kTestRefreshToken[] =
"test_refresh_token_for_enterprise@example.com";
// Dummy delegate forwarding all the calls the test fixture.
// Owned by the DiceTurnOnSyncHelper.
class TestDiceTurnSyncOnHelperDelegate : public DiceTurnSyncOnHelper::Delegate {
public:
explicit TestDiceTurnSyncOnHelperDelegate(
UserPolicySigninServiceTest* test_fixture);
~TestDiceTurnSyncOnHelperDelegate() override;
private:
// DiceTurnSyncOnHelper::Delegate:
void ShowLoginError(const SigninUIError& error) override;
void ShowMergeSyncDataConfirmation(
const std::string& previous_email,
const std::string& new_email,
DiceTurnSyncOnHelper::SigninChoiceCallback callback) override;
void ShowEnterpriseAccountConfirmation(
const AccountInfo& account_info,
DiceTurnSyncOnHelper::SigninChoiceCallback callback) override;
void ShowSyncConfirmation(
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
callback) override;
void ShowSyncDisabledConfirmation(
bool is_managed_account,
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
callback) override;
void ShowSyncSettings() override;
void SwitchToProfile(Profile* new_profile) override;
raw_ptr<UserPolicySigninServiceTest> test_fixture_;
};
std::string GetTestPolicy() {
const char kTestPolicy[] = R"(
{
"%s": {
"mandatory": {
"ShowHomeButton": true
}
},
"managed_users": [ "*" ],
"policy_user": "%s",
"current_key_index": 0,
"policy_invalidation_topic": "test_policy_topic"
})";
return base::StringPrintf(
kTestPolicy, policy::dm_protocol::kChromeUserPolicyType, kTestEmail);
}
} // namespace
class UserPolicySigninServiceTest : public InProcessBrowserTest {
public:
UserPolicySigninServiceTest()
: embedded_test_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
// HandleUserInfoRequest must be registered first, to take priority over
// FakeGaia.
embedded_test_server_.RegisterRequestHandler(base::BindRepeating(
&net::test_server::HandlePrefixedRequest, "/oauth2/v1/userinfo",
base::BindRepeating(&UserPolicySigninServiceTest::HandleUserInfoRequest,
base::Unretained(this))));
embedded_test_server_.RegisterRequestHandler(base::BindRepeating(
&net::test_server::HandlePrefixedRequest, "/devicemanagement",
base::BindRepeating(
&UserPolicySigninServiceTest::HandleDeviceManagementRequest,
base::Unretained(this))));
embedded_test_server_.RegisterRequestHandler(base::BindRepeating(
&FakeGaia::HandleRequest, base::Unretained(&fake_gaia_)));
}
~UserPolicySigninServiceTest() override {
// Ensure that no helper leaked.
DCHECK_EQ(dice_helper_created_count_, dice_helper_deleted_count_);
}
Profile* profile() { return browser()->profile(); }
const CoreAccountId& account_id() { return account_info_.account_id; }
policy::PolicyService* GetPolicyService() {
return profile()->GetProfilePolicyConnector()->policy_service();
}
DiceTurnSyncOnHelper* CreateDiceTurnOnSyncHelper() {
// DiceTurnSyncOnHelper deletes itself. At the end of the test, there is a
// check that these objects did not leak.
++dice_helper_created_count_;
return new DiceTurnSyncOnHelper(
profile(), signin_metrics::AccessPoint::ACCESS_POINT_BOOKMARK_MANAGER,
signin_metrics::PromoAction::PROMO_ACTION_WITH_DEFAULT,
signin_metrics::Reason::kReauthentication, account_info_.account_id,
DiceTurnSyncOnHelper::SigninAbortedMode::REMOVE_ACCOUNT,
std::make_unique<TestDiceTurnSyncOnHelperDelegate>(this),
base::DoNothing());
}
// This will never return if the Sync confirmation was already shown. Make
// sure to call this before the sync confirmation.
void WaitForSyncConfirmation() {
base::RunLoop loop;
sync_confirmation_shown_closure_ = loop.QuitClosure();
loop.Run();
}
// This will never return if the policy request was already handled. Make sure
// to call this before the policy request is made.
void WaitForPolicyHanging() {
base::RunLoop loop;
policy_hanging_closure_ = loop.QuitClosure();
loop.Run();
}
void ConfirmSync(
LoginUIService::SyncConfirmationUIClosedResult confirmation_result) {
std::move(sync_confirmation_callback_).Run(confirmation_result);
}
// DiceTurnSyncOnHelperDelegate calls:
void OnShowEnterpriseAccountConfirmation(
const AccountInfo& account_info,
DiceTurnSyncOnHelper::SigninChoiceCallback callback) {
std::move(callback).Run(DiceTurnSyncOnHelper::SIGNIN_CHOICE_CONTINUE);
}
void OnShowSyncConfirmation(
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
callback) {
sync_confirmation_callback_ = std::move(callback);
if (sync_confirmation_shown_closure_)
std::move(sync_confirmation_shown_closure_).Run();
}
void OnShowSyncDisabledConfirmation(
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
callback) {
sync_confirmation_callback_ = std::move(callback);
if (sync_confirmation_shown_closure_)
std::move(sync_confirmation_shown_closure_).Run();
}
void OnDiceTurnSyncOnHelperDeleted() { ++dice_helper_deleted_count_; }
void set_policy_hanging(bool hanging) { policy_hanging_ = hanging; }
private:
// InProcessBrowserTest:
void SetUp() override {
ASSERT_TRUE(embedded_test_server_.InitializeAndListen());
InProcessBrowserTest::SetUp();
}
void SetUpInProcessBrowserTestFixture() override {
InProcessBrowserTest::SetUpInProcessBrowserTestFixture();
// Configure policy server.
ASSERT_NO_FATAL_FAILURE(SetUpPolicyServer());
ASSERT_TRUE(policy_server_->Start());
base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
// Configure embedded test server.
const GURL& base_url = embedded_test_server_.base_url();
command_line->AppendSwitchASCII(
policy::switches::kDeviceManagementUrl,
base_url.Resolve("/devicemanagement").spec());
command_line->AppendSwitchASCII(switches::kGaiaUrl, base_url.spec());
command_line->AppendSwitchASCII(switches::kLsoUrl, base_url.spec());
command_line->AppendSwitchASCII(switches::kGoogleApisUrl, base_url.spec());
policy::ChromeBrowserPolicyConnector::EnableCommandLineSupportForTesting();
fake_gaia_.Initialize();
// Configure Sync server.
command_line->AppendSwitch(switches::kDisableSync);
// Set retry delay to prevent timeouts.
policy::DeviceManagementService::SetRetryDelayForTesting(0);
}
void SetUpOnMainThread() override {
InProcessBrowserTest::SetUpOnMainThread();
ASSERT_TRUE(PolicyServiceIsEmpty(g_browser_process->policy_service()))
<< "Pre-existing policies in this machine will make this test fail.";
embedded_test_server_.StartAcceptingConnections();
account_info_ = signin::MakeAccountAvailable(
IdentityManagerFactory::GetForProfile(profile()), kTestEmail);
signin::SetRefreshTokenForAccount(
IdentityManagerFactory::GetForProfile(profile()),
account_info_.account_id, kTestRefreshToken);
SetupFakeGaiaResponses();
}
void SetServerPolicy(const std::string& policy) {
base::ScopedAllowBlockingForTesting allow_blocking;
ASSERT_TRUE(base::WriteFile(policy_file_path(), policy));
}
base::FilePath policy_file_path() const {
return temp_dir_.GetPath().AppendASCII("policy.json");
}
void SetUpPolicyServer() {
base::ScopedAllowBlockingForTesting allow_blocking;
ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
ASSERT_NO_FATAL_FAILURE(SetServerPolicy(GetTestPolicy()));
policy_server_ =
std::make_unique<policy::LocalPolicyTestServer>(policy_file_path());
}
void SetupFakeGaiaResponses() {
FakeGaia::AccessTokenInfo access_token_info;
access_token_info.token = "test_access_token";
access_token_info.any_scope = true;
access_token_info.audience =
GaiaUrls::GetInstance()->oauth2_chrome_client_id();
access_token_info.email = kTestEmail;
fake_gaia_.IssueOAuthToken(kTestRefreshToken, access_token_info);
}
std::unique_ptr<net::test_server::HttpResponse> HandleUserInfoRequest(
const net::test_server::HttpRequest& r) {
auto http_response =
std::make_unique<net::test_server::BasicHttpResponse>();
http_response->set_content(R"(
{
"email": "enterprise@example.com",
"verified_email": true,
"hd": "example.com"
})");
return http_response;
}
// This simply redirects to the policy server, unless |policy_hanging_| is
// true.
std::unique_ptr<net::test_server::HttpResponse> HandleDeviceManagementRequest(
const net::test_server::HttpRequest& r) {
std::string request_type;
net::GetValueForKeyInQuery(r.GetURL(), policy::dm_protocol::kParamRequest,
&request_type);
if (request_type == policy::dm_protocol::kValueRequestPolicy &&
policy_hanging_) {
if (policy_hanging_closure_)
std::move(policy_hanging_closure_).Run();
return std::make_unique<net::test_server::HungResponse>();
}
// Redirect to the policy server.
GURL::Replacements replace_query;
std::string query = r.GetURL().query();
replace_query.SetQueryStr(query);
std::string dest =
policy_server_->GetServiceURL().ReplaceComponents(replace_query).spec();
auto http_response =
std::make_unique<net::test_server::BasicHttpResponse>();
http_response->set_code(net::HTTP_TEMPORARY_REDIRECT);
http_response->AddCustomHeader("Location", dest);
return http_response;
}
base::ScopedTempDir temp_dir_;
net::EmbeddedTestServer embedded_test_server_;
FakeGaia fake_gaia_;
std::unique_ptr<policy::LocalPolicyTestServer> policy_server_;
CoreAccountInfo account_info_;
base::OnceClosure sync_confirmation_shown_closure_;
base::OnceClosure policy_hanging_closure_;
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
sync_confirmation_callback_;
bool policy_hanging_ = false;
int dice_helper_created_count_ = 0;
int dice_helper_deleted_count_ = 0;
};
TestDiceTurnSyncOnHelperDelegate::TestDiceTurnSyncOnHelperDelegate(
UserPolicySigninServiceTest* test_fixture)
: test_fixture_(test_fixture) {}
TestDiceTurnSyncOnHelperDelegate::~TestDiceTurnSyncOnHelperDelegate() {
test_fixture_->OnDiceTurnSyncOnHelperDeleted();
}
void TestDiceTurnSyncOnHelperDelegate::ShowLoginError(
const SigninUIError& error) {
NOTREACHED();
}
void TestDiceTurnSyncOnHelperDelegate::ShowMergeSyncDataConfirmation(
const std::string& previous_email,
const std::string& new_email,
DiceTurnSyncOnHelper::SigninChoiceCallback callback) {
NOTREACHED();
}
void TestDiceTurnSyncOnHelperDelegate::ShowEnterpriseAccountConfirmation(
const AccountInfo& account_info,
DiceTurnSyncOnHelper::SigninChoiceCallback callback) {
test_fixture_->OnShowEnterpriseAccountConfirmation(account_info,
std::move(callback));
}
void TestDiceTurnSyncOnHelperDelegate::ShowSyncConfirmation(
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
callback) {
test_fixture_->OnShowSyncConfirmation(std::move(callback));
}
void TestDiceTurnSyncOnHelperDelegate::ShowSyncDisabledConfirmation(
bool is_managed_account,
base::OnceCallback<void(LoginUIService::SyncConfirmationUIClosedResult)>
callback) {
test_fixture_->OnShowSyncDisabledConfirmation(std::move(callback));
}
void TestDiceTurnSyncOnHelperDelegate::ShowSyncSettings() {
NOTREACHED();
}
void TestDiceTurnSyncOnHelperDelegate::SwitchToProfile(Profile* new_profile) {
NOTREACHED();
}
IN_PROC_BROWSER_TEST_F(UserPolicySigninServiceTest, BasicSignin) {
EXPECT_FALSE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
// Signin and show sync confirmation dialog.
CreateDiceTurnOnSyncHelper();
WaitForSyncConfirmation();
// Policies are applied even before the user confirms.
EXPECT_TRUE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSync));
WaitForPrefValue(profile()->GetPrefs(), prefs::kShowHomeButton,
base::Value(true));
// Confirm the signin.
ConfirmSync(LoginUIService::SYNC_WITH_DEFAULT_SETTINGS);
// Policy is still applied.
EXPECT_TRUE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
}
IN_PROC_BROWSER_TEST_F(UserPolicySigninServiceTest, UndoSignin) {
EXPECT_FALSE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
// Signin and show sync confirmation dialog.
CreateDiceTurnOnSyncHelper();
WaitForSyncConfirmation();
// Policies are applied even before the user confirms.
EXPECT_TRUE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSync));
WaitForPrefValue(profile()->GetPrefs(), prefs::kShowHomeButton,
base::Value(true));
// Cancel sync.
ConfirmSync(LoginUIService::ABORT_SYNC);
// Policy is reverted.
WaitForPrefValue(profile()->GetPrefs(), prefs::kShowHomeButton,
base::Value(false));
}
// Regression test for https://crbug.com/1061459
// Start a new signing flow while the existing one is hanging on a policy
// request.
IN_PROC_BROWSER_TEST_F(UserPolicySigninServiceTest, ConcurrentSignin) {
EXPECT_FALSE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
set_policy_hanging(true);
CreateDiceTurnOnSyncHelper();
WaitForPolicyHanging();
// User is not signed in, policy is not applied.
EXPECT_FALSE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSync));
EXPECT_FALSE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
// Restart a new signin flow and allow it to complete.
CreateDiceTurnOnSyncHelper();
set_policy_hanging(false);
WaitForSyncConfirmation();
// Policies are applied even before the user confirms.
EXPECT_TRUE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSync));
WaitForPrefValue(profile()->GetPrefs(), prefs::kShowHomeButton,
base::Value(true));
// Confirm the signin.
ConfirmSync(LoginUIService::SYNC_WITH_DEFAULT_SETTINGS);
// Policy is still applied.
EXPECT_TRUE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
}
class UserPolicySigninServiceSyncNotRequiredTest
: public UserPolicySigninServiceTest {
public:
UserPolicySigninServiceSyncNotRequiredTest() {
DiceTurnSyncOnHelper::SetShowSyncEnabledUiForTesting(true);
feature_list.InitAndEnableFeature(kAccountPoliciesLoadedWithoutSync);
}
~UserPolicySigninServiceSyncNotRequiredTest() override {
DiceTurnSyncOnHelper::SetShowSyncEnabledUiForTesting(false);
}
private:
base::test::ScopedFeatureList feature_list;
};
// crbug.com/1230268 not working on Lacros.
// TODO(crbug.com/1254962): flaky on Mac builders
#if BUILDFLAG(IS_CHROMEOS_LACROS) || BUILDFLAG(IS_MAC)
#define MAYBE_AcceptManagementDeclineSync DISABLED_AcceptManagementDeclineSync
#else
#define MAYBE_AcceptManagementDeclineSync AcceptManagementDeclineSync
#endif
IN_PROC_BROWSER_TEST_F(UserPolicySigninServiceSyncNotRequiredTest,
MAYBE_AcceptManagementDeclineSync) {
EXPECT_FALSE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
// Signin and show sync confirmation dialog.
CreateDiceTurnOnSyncHelper();
WaitForSyncConfirmation();
// Policies are applied even before the user confirms.
EXPECT_TRUE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSync));
WaitForPrefValue(profile()->GetPrefs(), prefs::kShowHomeButton,
base::Value(true));
// Cancel sync.
ConfirmSync(LoginUIService::ABORT_SYNC);
EXPECT_TRUE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSignin));
EXPECT_FALSE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSync));
EXPECT_TRUE(
chrome::enterprise_util::UserAcceptedAccountManagement(profile()));
EXPECT_TRUE(chrome::enterprise_util::ProfileCanBeManaged(profile()));
// Policy is still applied.
EXPECT_TRUE(profile()->GetPrefs()->GetBoolean(prefs::kShowHomeButton));
// Signout
auto* accounts_mutator =
IdentityManagerFactory::GetForProfile(profile())->GetAccountsMutator();
accounts_mutator->RemoveAccount(
account_id(), signin_metrics::SourceForRefreshTokenOperation::
kDiceResponseHandler_Signout);
EXPECT_FALSE(
IdentityManagerFactory::GetForProfile(profile())->HasPrimaryAccount(
signin::ConsentLevel::kSignin));
EXPECT_FALSE(
chrome::enterprise_util::UserAcceptedAccountManagement(profile()));
EXPECT_FALSE(chrome::enterprise_util::ProfileCanBeManaged(profile()));
}