|  | // Copyright 2013 The Chromium Authors | 
|  | // Use of this source code is governed by a BSD-style license that can be | 
|  | // found in the LICENSE file. | 
|  |  | 
|  | #include <memory> | 
|  |  | 
|  | #include "base/functional/bind.h" | 
|  | #include "base/memory/raw_ptr.h" | 
|  | #include "base/run_loop.h" | 
|  | #include "build/build_config.h" | 
|  | #include "chrome/browser/ash/login/login_manager_test.h" | 
|  | #include "chrome/browser/ash/login/test/device_state_mixin.h" | 
|  | #include "chrome/browser/ash/login/test/login_manager_mixin.h" | 
|  | #include "chrome/browser/ash/login/test/user_policy_mixin.h" | 
|  | #include "chrome/browser/ash/profiles/profile_helper.h" | 
|  | #include "chrome/browser/net/nss_service.h" | 
|  | #include "chrome/browser/net/nss_service_factory.h" | 
|  | #include "chrome/browser/profiles/profile.h" | 
|  | #include "chrome/browser/ui/ash/login/user_adding_screen.h" | 
|  | #include "chrome/test/base/ash/scoped_test_system_nss_key_slot_mixin.h" | 
|  | #include "chromeos/ash/components/login/auth/public/user_context.h" | 
|  | #include "components/account_id/account_id.h" | 
|  | #include "components/signin/public/identity_manager/identity_test_utils.h" | 
|  | #include "components/user_manager/user.h" | 
|  | #include "components/user_manager/user_manager.h" | 
|  | #include "content/public/browser/browser_task_traits.h" | 
|  | #include "content/public/browser/browser_thread.h" | 
|  | #include "content/public/test/browser_test.h" | 
|  | #include "net/cert/nss_cert_database.h" | 
|  |  | 
|  | namespace { | 
|  |  | 
|  | constexpr char kTestEmail1[] = "test1@example.com"; | 
|  | constexpr char kTestEmail2[] = "test2@example.com"; | 
|  | constexpr char kTestAffiliationId[] = "test_affiliation_id"; | 
|  |  | 
|  | void NotCalledDbCallback(net::NSSCertDatabase* db) { | 
|  | ASSERT_TRUE(false); | 
|  | } | 
|  |  | 
|  | // DBTester handles retrieving the NSSCertDatabase for a given profile, and | 
|  | // doing some simple sanity checks. | 
|  | // Browser test cases run on the UI thread, while the nss_context access needs | 
|  | // to happen on the IO thread. The DBTester class encapsulates the thread | 
|  | // posting and waiting on the UI thread so that the test case body can be | 
|  | // written linearly. | 
|  | class DBTester { | 
|  | public: | 
|  | explicit DBTester(Profile* profile, bool will_have_system_slot) | 
|  | : profile_(profile), | 
|  | db_(nullptr), | 
|  | will_have_system_slot_(will_have_system_slot) {} | 
|  |  | 
|  | // Initial retrieval of cert database. It may be asynchronous or synchronous. | 
|  | // Returns true if the database was retrieved successfully. | 
|  | bool DoGetDBTests() { | 
|  | base::RunLoop run_loop; | 
|  | content::GetIOThreadTaskRunner({})->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce(&DBTester::GetDBAndDoTestsOnIOThread, | 
|  | base::Unretained(this), | 
|  | NssServiceFactory::GetForContext(profile_) | 
|  | ->CreateNSSCertDatabaseGetterForIOThread(), | 
|  | run_loop.QuitClosure())); | 
|  | run_loop.Run(); | 
|  | return !!db_; | 
|  | } | 
|  |  | 
|  | // Test retrieving the database again, should be called after DoGetDBTests. | 
|  | void DoGetDBAgainTests() { | 
|  | base::RunLoop run_loop; | 
|  | content::GetIOThreadTaskRunner({})->PostTask( | 
|  | FROM_HERE, | 
|  | base::BindOnce(&DBTester::DoGetDBAgainTestsOnIOThread, | 
|  | base::Unretained(this), | 
|  | NssServiceFactory::GetForContext(profile_) | 
|  | ->CreateNSSCertDatabaseGetterForIOThread(), | 
|  | run_loop.QuitClosure())); | 
|  | run_loop.Run(); | 
|  | } | 
|  |  | 
|  | void DoNotEqualsTests(DBTester* other_tester) { | 
|  | // The DB and its NSS slots should be different for each profile. | 
|  | EXPECT_NE(db_, other_tester->db_); | 
|  | EXPECT_NE(db_->GetPublicSlot().get(), | 
|  | other_tester->db_->GetPublicSlot().get()); | 
|  | } | 
|  |  | 
|  | private: | 
|  | void GetDBAndDoTestsOnIOThread(NssCertDatabaseGetter database_getter, | 
|  | const base::RepeatingClosure& done_callback) { | 
|  | DCHECK_CURRENTLY_ON(content::BrowserThread::IO); | 
|  |  | 
|  | net::NSSCertDatabase* db = | 
|  | std::move(database_getter) | 
|  | .Run(base::BindOnce(&DBTester::DoTestsOnIOThread, | 
|  | base::Unretained(this), done_callback)); | 
|  | if (db) { | 
|  | DVLOG(1) << "got db synchronously"; | 
|  | DoTestsOnIOThread(done_callback, db); | 
|  | } else { | 
|  | DVLOG(1) << "getting db asynchronously..."; | 
|  | } | 
|  | } | 
|  |  | 
|  | void DoTestsOnIOThread(base::OnceClosure done_callback, | 
|  | net::NSSCertDatabase* db) { | 
|  | DCHECK_CURRENTLY_ON(content::BrowserThread::IO); | 
|  |  | 
|  | db_ = db; | 
|  | EXPECT_TRUE(db); | 
|  | if (db) { | 
|  | EXPECT_TRUE(db->GetPublicSlot().get()); | 
|  | // Public and private slot are the same in tests. | 
|  | EXPECT_EQ(db->GetPublicSlot().get(), db->GetPrivateSlot().get()); | 
|  | // System slot should be already initialized when the database is | 
|  | // available. | 
|  | EXPECT_EQ(will_have_system_slot_, !!db->GetSystemSlot()); | 
|  | } | 
|  |  | 
|  | content::GetUIThreadTaskRunner({})->PostTask(FROM_HERE, | 
|  | std::move(done_callback)); | 
|  | } | 
|  |  | 
|  | void DoGetDBAgainTestsOnIOThread(NssCertDatabaseGetter database_getter, | 
|  | base::OnceClosure done_callback) { | 
|  | DCHECK_CURRENTLY_ON(content::BrowserThread::IO); | 
|  |  | 
|  | net::NSSCertDatabase* db = | 
|  | std::move(database_getter).Run(base::BindOnce(&NotCalledDbCallback)); | 
|  | // Should always be synchronous now. | 
|  | EXPECT_TRUE(db); | 
|  | // Should return the same db as before. | 
|  | EXPECT_EQ(db_, db); | 
|  |  | 
|  | content::GetUIThreadTaskRunner({})->PostTask(FROM_HERE, | 
|  | std::move(done_callback)); | 
|  | } | 
|  |  | 
|  | raw_ptr<Profile> profile_ = nullptr; | 
|  | raw_ptr<net::NSSCertDatabase> db_ = nullptr; | 
|  | // Indicates if the tester should expect to receive a database with | 
|  | // initialized system slot or not. | 
|  | bool will_have_system_slot_ = false; | 
|  | }; | 
|  |  | 
|  | class UserAddingFinishObserver : public ash::UserAddingScreen::Observer { | 
|  | public: | 
|  | UserAddingFinishObserver() { | 
|  | ash::UserAddingScreen::Get()->AddObserver(this); | 
|  | } | 
|  |  | 
|  | UserAddingFinishObserver(const UserAddingFinishObserver&) = delete; | 
|  | UserAddingFinishObserver& operator=(const UserAddingFinishObserver&) = delete; | 
|  |  | 
|  | ~UserAddingFinishObserver() override { | 
|  | ash::UserAddingScreen::Get()->RemoveObserver(this); | 
|  | } | 
|  |  | 
|  | void WaitUntilUserAddingFinishedOrCancelled() { | 
|  | DCHECK_CURRENTLY_ON(content::BrowserThread::UI); | 
|  | if (finished_) | 
|  | return; | 
|  | run_loop_ = std::make_unique<base::RunLoop>(); | 
|  | run_loop_->Run(); | 
|  | } | 
|  |  | 
|  | // ash::UserAddingScreen::Observer: | 
|  | void OnUserAddingFinished() override { | 
|  | DCHECK_CURRENTLY_ON(content::BrowserThread::UI); | 
|  | finished_ = true; | 
|  | if (run_loop_) | 
|  | run_loop_->Quit(); | 
|  | } | 
|  |  | 
|  | void OnBeforeUserAddingScreenStarted() override { | 
|  | DCHECK_CURRENTLY_ON(content::BrowserThread::UI); | 
|  | finished_ = false; | 
|  | } | 
|  |  | 
|  | private: | 
|  | bool finished_ = false; | 
|  | std::unique_ptr<base::RunLoop> run_loop_; | 
|  | }; | 
|  |  | 
|  | }  // namespace | 
|  |  | 
|  | class NSSContextChromeOSBrowserTest : public ash::LoginManagerTest { | 
|  | public: | 
|  | NSSContextChromeOSBrowserTest() : LoginManagerTest() { | 
|  | // These users will be unaffiliated and will have indexes after the | 
|  | // affiliated ones in the `login_mixin_.users()` array. | 
|  | login_mixin_.AppendRegularUsers(2); | 
|  | } | 
|  | ~NSSContextChromeOSBrowserTest() override = default; | 
|  |  | 
|  | void SetUpInProcessBrowserTestFixture() override { | 
|  | LoginManagerTest::SetUpInProcessBrowserTestFixture(); | 
|  |  | 
|  | auto device_policy_update = device_state_mixin_.RequestDevicePolicyUpdate(); | 
|  | auto user_policy_update_1 = user_policy_mixin_1_.RequestPolicyUpdate(); | 
|  | auto user_policy_update_2 = user_policy_mixin_2_.RequestPolicyUpdate(); | 
|  |  | 
|  | device_policy_update->policy_data()->add_device_affiliation_ids( | 
|  | kTestAffiliationId); | 
|  | user_policy_update_1->policy_data()->add_user_affiliation_ids( | 
|  | kTestAffiliationId); | 
|  | user_policy_update_2->policy_data()->add_user_affiliation_ids( | 
|  | kTestAffiliationId); | 
|  | } | 
|  |  | 
|  | protected: | 
|  | // Affiliated user 1 | 
|  | AccountId affiliated_account_id_1_{AccountId::FromUserEmailGaiaId( | 
|  | kTestEmail1, | 
|  | signin::GetTestGaiaIdForEmail(kTestEmail1))}; | 
|  | ash::LoginManagerMixin::TestUserInfo affiliated_user_1_{ | 
|  | affiliated_account_id_1_}; | 
|  | ash::UserPolicyMixin user_policy_mixin_1_{&mixin_host_, | 
|  | affiliated_account_id_1_}; | 
|  |  | 
|  | // Affiliated user 2 | 
|  | AccountId affiliated_account_id_2_{AccountId::FromUserEmailGaiaId( | 
|  | kTestEmail2, | 
|  | signin::GetTestGaiaIdForEmail(kTestEmail2))}; | 
|  | ash::LoginManagerMixin::TestUserInfo affiliated_user_2_{ | 
|  | affiliated_account_id_2_}; | 
|  | ash::UserPolicyMixin user_policy_mixin_2_{&mixin_host_, | 
|  | affiliated_account_id_2_}; | 
|  |  | 
|  | // Indexes of unaffiliated users in the `login_mixin_.users()` array.` The | 
|  | // affiliated users above will take indexes 0 and 1. | 
|  | static constexpr size_t kUnaffiliatedUserIdx1 = 2; | 
|  | static constexpr size_t kUnaffiliatedUserIdx2 = 3; | 
|  |  | 
|  | ash::ScopedTestSystemNSSKeySlotMixin system_nss_key_slot_mixin_{&mixin_host_}; | 
|  | ash::DeviceStateMixin device_state_mixin_{ | 
|  | &mixin_host_, | 
|  | ash::DeviceStateMixin::State::OOBE_COMPLETED_CLOUD_ENROLLED}; | 
|  |  | 
|  | ash::LoginManagerMixin login_mixin_{ | 
|  | &mixin_host_, | 
|  | /*initial_users=*/{affiliated_user_1_, affiliated_user_2_}}; | 
|  | }; | 
|  |  | 
|  | IN_PROC_BROWSER_TEST_F(NSSContextChromeOSBrowserTest, | 
|  | AffiliatedUserHasSystemSlot) { | 
|  | user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 
|  |  | 
|  | LoginUser(affiliated_account_id_1_); | 
|  | Profile* profile1 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(affiliated_account_id_1_)); | 
|  | ASSERT_TRUE(profile1); | 
|  |  | 
|  | DBTester tester1(profile1, /*will_have_system_slot=*/true); | 
|  | ASSERT_TRUE(tester1.DoGetDBTests()); | 
|  |  | 
|  | tester1.DoGetDBAgainTests(); | 
|  | } | 
|  |  | 
|  | IN_PROC_BROWSER_TEST_F(NSSContextChromeOSBrowserTest, | 
|  | UnaffiliatedUserDoesNotHaveSystemSlot) { | 
|  | user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 
|  |  | 
|  | const AccountId account_id1( | 
|  | login_mixin_.users()[kUnaffiliatedUserIdx1].account_id); | 
|  | LoginUser(account_id1); | 
|  | Profile* profile1 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(account_id1)); | 
|  | ASSERT_TRUE(profile1); | 
|  |  | 
|  | DBTester tester1(profile1, /*will_have_system_slot=*/false); | 
|  | ASSERT_TRUE(tester1.DoGetDBTests()); | 
|  |  | 
|  | tester1.DoGetDBAgainTests(); | 
|  | } | 
|  |  | 
|  | IN_PROC_BROWSER_TEST_F(NSSContextChromeOSBrowserTest, | 
|  | DISABLED_TwoAffiliatedUsersHaveSystemSlots) { | 
|  | user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 
|  |  | 
|  | // Log in first user and get their DB. | 
|  | LoginUser(affiliated_account_id_1_); | 
|  | Profile* profile1 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(affiliated_account_id_1_)); | 
|  | ASSERT_TRUE(profile1); | 
|  |  | 
|  | DBTester tester1(profile1, /*will_have_system_slot=*/true); | 
|  | ASSERT_TRUE(tester1.DoGetDBTests()); | 
|  |  | 
|  | // Log in second user and get their DB. | 
|  | UserAddingFinishObserver observer; | 
|  | ash::UserAddingScreen::Get()->Start(); | 
|  | base::RunLoop().RunUntilIdle(); | 
|  |  | 
|  | AddUser(affiliated_account_id_2_); | 
|  | observer.WaitUntilUserAddingFinishedOrCancelled(); | 
|  |  | 
|  | Profile* profile2 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(affiliated_account_id_2_)); | 
|  | ASSERT_TRUE(profile2); | 
|  |  | 
|  | DBTester tester2(profile2, /*will_have_system_slot=*/true); | 
|  | ASSERT_TRUE(tester2.DoGetDBTests()); | 
|  |  | 
|  | // Get both DBs again to check that the same object is returned. | 
|  | tester1.DoGetDBAgainTests(); | 
|  | tester2.DoGetDBAgainTests(); | 
|  |  | 
|  | // Check that each user has a separate DB and NSS slots. | 
|  | tester1.DoNotEqualsTests(&tester2); | 
|  | } | 
|  |  | 
|  | IN_PROC_BROWSER_TEST_F(NSSContextChromeOSBrowserTest, | 
|  | TwoUnaffiliatedUsersDontHaveSystemSlots) { | 
|  | user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 
|  |  | 
|  | // Log in first user and get their DB. | 
|  | const AccountId account_id1( | 
|  | login_mixin_.users()[kUnaffiliatedUserIdx1].account_id); | 
|  | LoginUser(account_id1); | 
|  | Profile* profile1 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(account_id1)); | 
|  | ASSERT_TRUE(profile1); | 
|  |  | 
|  | DBTester tester1(profile1, /*will_have_system_slot=*/false); | 
|  | ASSERT_TRUE(tester1.DoGetDBTests()); | 
|  |  | 
|  | // Log in second user and get their DB. | 
|  | UserAddingFinishObserver observer; | 
|  | ash::UserAddingScreen::Get()->Start(); | 
|  | base::RunLoop().RunUntilIdle(); | 
|  |  | 
|  | const AccountId account_id2( | 
|  | login_mixin_.users()[kUnaffiliatedUserIdx2].account_id); | 
|  | AddUser(account_id2); | 
|  | observer.WaitUntilUserAddingFinishedOrCancelled(); | 
|  |  | 
|  | Profile* profile2 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(account_id2)); | 
|  | ASSERT_TRUE(profile2); | 
|  |  | 
|  | DBTester tester2(profile2, /*will_have_system_slot=*/false); | 
|  | ASSERT_TRUE(tester2.DoGetDBTests()); | 
|  |  | 
|  | // Get both DBs again to check that the same object is returned. | 
|  | tester1.DoGetDBAgainTests(); | 
|  | tester2.DoGetDBAgainTests(); | 
|  |  | 
|  | // Check that each user has a separate DB and NSS slots. | 
|  | tester1.DoNotEqualsTests(&tester2); | 
|  | } | 
|  |  | 
|  | IN_PROC_BROWSER_TEST_F(NSSContextChromeOSBrowserTest, | 
|  | TwoUsersOnlyAffiliatedHasSystemSlot) { | 
|  | user_manager::UserManager* user_manager = user_manager::UserManager::Get(); | 
|  |  | 
|  | // Log in first user and get their DB. | 
|  | LoginUser(affiliated_account_id_1_); | 
|  | Profile* profile1 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(affiliated_account_id_1_)); | 
|  | ASSERT_TRUE(profile1); | 
|  |  | 
|  | DBTester tester1(profile1, /*will_have_system_slot=*/true); | 
|  | ASSERT_TRUE(tester1.DoGetDBTests()); | 
|  |  | 
|  | // Log in second user and get their DB. | 
|  | UserAddingFinishObserver observer; | 
|  | ash::UserAddingScreen::Get()->Start(); | 
|  | base::RunLoop().RunUntilIdle(); | 
|  |  | 
|  | const AccountId account_id2( | 
|  | login_mixin_.users()[kUnaffiliatedUserIdx1].account_id); | 
|  | AddUser(account_id2); | 
|  | observer.WaitUntilUserAddingFinishedOrCancelled(); | 
|  |  | 
|  | Profile* profile2 = ash::ProfileHelper::Get()->GetProfileByUser( | 
|  | user_manager->FindUser(account_id2)); | 
|  | ASSERT_TRUE(profile2); | 
|  |  | 
|  | DBTester tester2(profile2, /*will_have_system_slot=*/false); | 
|  | ASSERT_TRUE(tester2.DoGetDBTests()); | 
|  |  | 
|  | // Get both DBs again to check that the same object is returned. | 
|  | tester1.DoGetDBAgainTests(); | 
|  | tester2.DoGetDBAgainTests(); | 
|  |  | 
|  | // Check that each user has a separate DB and NSS slots. | 
|  | tester1.DoNotEqualsTests(&tester2); | 
|  | } |