// Copyright 2022 The ChromiumOS Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
package policy
import (
"context"
"time"
"github.com/golang/protobuf/ptypes/empty"
"go.chromium.org/tast-tests/cros/common/fixture"
"go.chromium.org/tast-tests/cros/common/tape"
"go.chromium.org/tast-tests/cros/services/cros/enterpriseconnectors"
"go.chromium.org/tast-tests/cros/services/cros/graphics"
"go.chromium.org/tast/core/ctxutil"
"go.chromium.org/tast/core/rpc"
"go.chromium.org/tast/core/testing"
)
const (
	// deviceTrustEnrollmentTimeout is converted to whole seconds and passed to
	// tape.WithTimeout when the test account is leased.
	// NOTE(review): this is longer than the 4-minute test Timeout registered
	// in init, presumably so the lease cannot expire mid-test; confirm.
	deviceTrustEnrollmentTimeout = 7 * time.Minute
)
// userParam carries the per-variant settings of DeviceTrustLoginScreen.
type userParam struct {
	// poolID selects the TAPE account pool the test account is leased from
	// (passed to tape.WithPoolID).
	poolID string

	// expectedIDPURL is sent as ExpectedIdPURL in the Enroll request.
	expectedIDPURL string

	// loginPossible is the outcome CheckFakeIdPStatus is asked to verify
	// (sent as Expected).
	loginPossible bool
}
// init registers DeviceTrustLoginScreen and its two parameterized variants.
func init() {
	// Positive case: account leased from the tape.DeviceTrustEnabled pool,
	// enrollment expects the staging IdP URL, and the login check expects
	// success.
	hostAllowed := testing.Param{
		Name: "host_allowed",
		Val: userParam{
			poolID:         tape.DeviceTrustEnabled,
			expectedIDPURL: "https://staging-idp-dot-cbe-integrationtesting-sandbox.uc.r.appspot.com",
			loginPossible:  true,
		},
	}

	// Negative case: account leased from the tape.DeviceTrustDisabled pool,
	// with a different expected IdP URL, and the login check expects failure.
	hostNotAllowed := testing.Param{
		Name: "host_not_allowed",
		Val: userParam{
			poolID:         tape.DeviceTrustDisabled,
			expectedIDPURL: "https://www.example.com",
			loginPossible:  false,
		},
	}

	testing.AddTest(&testing.Test{
		Func:         DeviceTrustLoginScreen,
		LacrosStatus: testing.LacrosVariantUnneeded,
		Desc:         "Checks that Device Trust is working on login screen with a fake IdP",
		Contacts: []string{
			"cbe-device-trust-eng@google.com",
			"cros-3pidp@google.com",
			"lmasopust@google.com",
		},
		SoftwareDeps: []string{
			"chrome",
			"chrome_internal",
			"reboot",
		},
		ServiceDeps: []string{
			"tast.cros.hwsec.OwnershipService",
			"tast.cros.tape.Service",
			"tast.cros.enterpriseconnectors.DeviceTrustService",
			"tast.cros.graphics.ScreenshotService",
			"tast.cros.policy.PolicyService",
		},
		Attr: []string{
			"group:golden_tier",
			"group:hardware",
		},
		// Runtime variables the test body reads through s.RequiredVar.
		VarDeps: []string{
			"ui.signinProfileTestExtensionManifestKey",
			tape.ServiceAccountVar,
		},
		Params:       []testing.Param{hostAllowed, hostNotAllowed},
		Fixture:      fixture.CleanOwnership,
		Timeout:      4 * time.Minute,
		BugComponent: "b:1163683",
	})
}
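// DeviceTrustLoginScreen enrolls the DUT with a leased test account, calls
// LoginWithFakeIdP, and asks CheckFakeIdPStatus to confirm the outcome given by
// the variant's loginPossible value, with IsInSession set to false.
//
// All cleanup is deferred on cleanupCtx, which keeps the original deadline;
// the working ctx is shortened by 20 seconds. Deferred calls run in reverse
// order of registration: StopChrome, deprovisioning, error screenshot, account
// cleanup, RPC close.
func DeviceTrustLoginScreen(ctx context.Context, s *testing.State) {
	param := s.Param().(userParam)
	poolID := param.poolID
	expectedIDPURL := param.expectedIDPURL
	signinProfileTestExtensionManifestKey := s.RequiredVar("ui.signinProfileTestExtensionManifestKey")

	// Shorten deadline to leave time for cleanup.
	cleanupCtx := ctx
	ctx, cancel := ctxutil.Shorten(ctx, 20*time.Second)
	defer cancel()

	cl, err := rpc.Dial(ctx, s.DUT(), s.RPCHint())
	if err != nil {
		s.Fatal("Failed to connect to the RPC service on the DUT: ", err)
	}
	defer cl.Close(cleanupCtx)

	// The TAPE credential is read from a runtime variable, not from the source
	// tree. Keep it out of log and error messages.
	tapeClient, err := tape.NewClient(ctx, []byte(s.RequiredVar(tape.ServiceAccountVar)))
	if err != nil {
		s.Fatal("Failed to create tape client: ", err)
	}

	timeout := int32(deviceTrustEnrollmentTimeout.Seconds())
	// Create an account manager and lease a test account for the duration of the test.
	accManager, acc, err := tape.NewOwnedTestAccountManagerFromClient(ctx, tapeClient, false /*lock*/, tape.WithTimeout(timeout), tape.WithPoolID(poolID))
	if err != nil {
		s.Fatal("Failed to create an account manager and lease an account: ", err)
	}
	defer accManager.CleanUp(cleanupCtx)

	screenshotService := graphics.NewScreenshotServiceClient(cl.Conn)
	// Best-effort diagnostic: a failed capture is logged so its absence is
	// explained, but it never changes the test result.
	// NOTE(review): this runs after StopChrome and deprovisioning because of
	// defer ordering; confirm that is the state the screenshot should show.
	captureScreenshotOnError := func(ctx context.Context, hasError func() bool) {
		if !hasError() {
			return
		}
		if _, err := screenshotService.CaptureScreenshot(ctx, &graphics.CaptureScreenshotRequest{FilePrefix: "deviceTrustLoginError"}); err != nil {
			s.Log("Failed to capture screenshot: ", err)
		}
	}
	defer captureScreenshotOnError(cleanupCtx, s.HasError)

	service := enterpriseconnectors.NewDeviceTrustServiceClient(cl.Conn)

	// Deprovision the DUT at the end of the test. As devices might get
	// provisioned even when the enrollment fails we need to defer the
	// deprovisioning before enrolling.
	defer func(ctx context.Context) {
		if err := tapeClient.DeprovisionHelper(ctx, cl, acc.OrgUnitPath); err != nil {
			s.Fatal("Failed to deprovision device: ", err)
		}
	}(cleanupCtx)

	// Only a fixed message is logged here. The leased account's username and
	// password travel in the Enroll request and must not be added to logs.
	s.Log("Enrolling device")
	if _, err := service.Enroll(ctx, &enterpriseconnectors.EnrollRequest{User: acc.Username, Pass: acc.Password, ExpectedIdPURL: expectedIDPURL, SigninProfileTestExtensionManifestKey: signinProfileTestExtensionManifestKey}); err != nil {
		s.Fatal("Remote call Enroll() failed: ", err)
	}
	// Registered only after a successful Enroll. A StopChrome failure is logged
	// rather than dropped so that a Chrome instance left running on the DUT is
	// visible in the test output.
	defer func(ctx context.Context) {
		if _, err := service.StopChrome(ctx, &empty.Empty{}); err != nil {
			s.Log("Failed to stop Chrome: ", err)
		}
	}(cleanupCtx)

	if _, err := service.LoginWithFakeIdP(ctx, &enterpriseconnectors.LoginWithFakeIdPRequest{SigninProfileTestExtensionManifestKey: signinProfileTestExtensionManifestKey}); err != nil {
		s.Fatal("Remote call LoginWithFakeIdP() failed: ", err)
	}

	// Expected comes from the variant: true for host_allowed, false for
	// host_not_allowed, so the negative variant passes only when login is
	// reported as not possible.
	if _, err := service.CheckFakeIdPStatus(ctx, &enterpriseconnectors.CheckFakeIdPStatusRequest{Expected: param.loginPossible, IsInSession: false}); err != nil {
		s.Fatal("Remote call CheckFakeIdPStatus() failed: ", err)
	}
}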