// Copyright 2019 The Chromium OS Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
package session
import (
"context"
"github.com/golang/protobuf/proto"
"chromiumos/policy/enterprise_management"
"chromiumos/tast/local/cryptohome"
"chromiumos/tast/local/session"
"chromiumos/tast/local/session/ownership"
"chromiumos/tast/testing"
)
// init registers the MultiUserPolicy test with the Tast test registry.
func init() {
	// People to reach when this test breaks.
	contacts := []string{
		"mnissler@chromium.org", // session_manager owner
		"hidehiko@chromium.org", // Tast port author
	}

	t := &testing.Test{
		Func:     MultiUserPolicy,
		Desc:     "Verifies that storing and retrieving user policy works with multiple profiles signed-in",
		Contacts: contacts,
		// PKCS #12 bundle the test reads its private key from.
		Data: []string{"testcert.p12"},
		Attr: []string{"group:mainline"},
	}
	testing.AddTest(t)
}
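// MultiUserPolicy verifies that session_manager stores and retrieves user
// policy for two users signed in to the same device.
//
// Besides the happy path, it pins one access-control expectation: a
// StorePolicyEx call for a user whose session has not been started must be
// rejected. A regression there would let policy be written for an account
// that is not signed in.
func MultiUserPolicy(ctx context.Context, s *testing.State) {
	const (
		user1 = "user1@somewhere.com"
		user2 = "user2@somewhere.com"
	)
	desc1 := ownership.UserPolicyDescriptor(user1)
	desc2 := ownership.UserPolicyDescriptor(user2)

	// The private key comes from the PKCS #12 test fixture registered in
	// the test's Data list.
	privKey, err := session.ExtractPrivKey(s.DataPath("testcert.p12"))
	if err != nil {
		s.Fatal("Failed to parse PKCS #12 file: ", err)
	}

	// Build the policy blob stored for both users from the test key and a
	// zero-valued ChromeDeviceSettingsProto.
	var settings enterprise_management.ChromeDeviceSettingsProto
	policy, err := session.BuildPolicy("", privKey, nil, &settings)
	if err != nil {
		s.Fatal("Failed to build test policy data: ", err)
	}

	// Reference value for "no policy stored yet".
	empty := &enterprise_management.PolicyFetchResponse{}

	if err := session.SetUpDevice(ctx); err != nil {
		s.Fatal("Failed to reset device ownership: ", err)
	}

	// Clear the users' vault to make sure the test starts without any
	// policy or key lingering around. At this stage, the session isn't
	// started and there's no user signed in.
	for _, user := range []string{user1, user2} {
		if err := cryptohome.RemoveVault(ctx, user); err != nil {
			s.Fatalf("Failed to remove vault for %s: %v", user, err)
		}
		if err := cryptohome.CreateVault(ctx, user, ""); err != nil {
			s.Fatalf("Failed to create vault for %s: %v", user, err)
		}
	}

	sm, err := session.NewSessionManager(ctx)
	if err != nil {
		s.Fatal("Failed to create session_manager binding: ", err)
	}
	if err := session.PrepareChromeForPolicyTesting(ctx, sm); err != nil {
		s.Fatal("Failed to prepare Chrome for testing: ", err)
	}

	// Start a session for the first user, and verify that no policy
	// exists for that user yet.
	if err := sm.StartSession(ctx, user1, ""); err != nil {
		s.Fatalf("Failed to start session for %s: %v", user1, err)
	}
	if ret, err := sm.RetrievePolicyEx(ctx, desc1); err != nil {
		s.Fatalf("Failed to retrieve policy for %s: %v", user1, err)
	} else if !proto.Equal(ret, empty) {
		s.Fatal("Unexpected policy is fetched for ", user1)
	}

	// Then, store the policy.
	if err := sm.StorePolicyEx(ctx, desc1, policy); err != nil {
		s.Fatalf("Failed to store policy for %s: %v", user1, err)
	}

	// Storing policy for the second user must fail before that user's
	// session starts. err is nil on this failure path, so it is not part
	// of the message.
	if err := sm.StorePolicyEx(ctx, desc2, policy); err == nil {
		s.Fatalf("Unexpectedly succeeded to store policy for %s", user2)
	}

	// Start the second user's session, and verify that it has no policy
	// stored yet. This also confirms that the rejected store above and the
	// first user's store left nothing behind for the second user.
	if err := sm.StartSession(ctx, user2, ""); err != nil {
		s.Fatalf("Failed to start session for %s: %v", user2, err)
	}
	if ret, err := sm.RetrievePolicyEx(ctx, desc2); err != nil {
		s.Fatalf("Failed to retrieve policy for %s: %v", user2, err)
	} else if !proto.Equal(ret, empty) {
		s.Fatal("Unexpected policy is fetched for ", user2)
	}

	// Storing the policy for the second user should work now.
	if err := sm.StorePolicyEx(ctx, desc2, policy); err != nil {
		s.Fatalf("Failed to store policy for %s: %v", user2, err)
	}

	// Verify that retrieving policy for the second user works, too.
	// NOTE(review): only the success of the call is checked here; the
	// returned policy is not compared with the one stored, and the first
	// user's policy is never read back after its store. Consider asserting
	// on the contents if stronger per-user coverage is wanted.
	if _, err := sm.RetrievePolicyEx(ctx, desc2); err != nil {
		s.Fatalf("Failed to retrieve policy for %s: %v", user2, err)
	}
}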