1 // Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "policy/libpolicy.h"
6
7 #include <memory>
8 #include <utility>
9
10 #include <openssl/err.h>
11 #include <openssl/ssl.h>
12
13 #include <base/files/file_path.h>
14 #include <base/logging.h>
15 #include <gtest/gtest.h>
16
17 #include "bindings/chrome_device_policy.pb.h"
18 #include "install_attributes/mock_install_attributes_reader.h"
19 #include "policy/device_policy_impl.h"
20
21 namespace policy {
22
23 static const char kPolicyFileAllSet[] = "policy/tests/whitelist/policy_all";
24 static const char kPolicyFileNoneSet[] = "policy/tests/whitelist/policy_none";
25 static const char kKeyFile[] = "policy/tests/whitelist/owner.key";
26 static const char kNonExistingFile[] = "file-does-not-exist";
27
28 // Creates the DevicePolicyImpl with given parameters for test.
CreateDevicePolicyImpl(std::unique_ptr<InstallAttributesReader> install_attributes_reader,const base::FilePath & policy_path,const base::FilePath & keyfile_path,bool verify_files)29 std::unique_ptr<DevicePolicyImpl> CreateDevicePolicyImpl(
30 std::unique_ptr<InstallAttributesReader> install_attributes_reader,
31 const base::FilePath& policy_path,
32 const base::FilePath& keyfile_path,
33 bool verify_files) {
34 std::unique_ptr<DevicePolicyImpl> device_policy(new DevicePolicyImpl());
35 device_policy->set_install_attributes_for_testing(
36 std::move(install_attributes_reader));
37 device_policy->set_policy_path_for_testing(policy_path);
38 device_policy->set_key_file_path_for_testing(keyfile_path);
39 device_policy->set_verify_root_ownership_for_testing(verify_files);
40
41 return device_policy;
42 }
43
44 // Test that a policy file can be verified and parsed correctly. The file
45 // contains all possible fields, so reading should succeed for all.
TEST(PolicyTest,DevicePolicyAllSetTest)46 TEST(PolicyTest, DevicePolicyAllSetTest) {
47 base::FilePath policy_file(kPolicyFileAllSet);
48 base::FilePath key_file(kKeyFile);
49 PolicyProvider provider;
50 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl(
51 std::make_unique<MockInstallAttributesReader>(
52 InstallAttributesReader::kDeviceModeEnterprise, true),
53 policy_file, key_file, false));
54 provider.Reload();
55
56 // Ensure we successfully loaded the device policy file.
57 ASSERT_TRUE(provider.device_policy_is_loaded());
58
59 const DevicePolicy& policy = provider.GetDevicePolicy();
60
61 // Check that we can read out all fields of the sample protobuf.
62 int int_value = -1;
63 ASSERT_TRUE(policy.GetPolicyRefreshRate(&int_value));
64 EXPECT_EQ(100, int_value);
65
66 std::vector<std::string> list_value;
67 ASSERT_TRUE(policy.GetUserWhitelist(&list_value));
68 ASSERT_EQ(3, list_value.size());
69 EXPECT_EQ("me@here.com", list_value[0]);
70 EXPECT_EQ("you@there.com", list_value[1]);
71 EXPECT_EQ("*@monsters.com", list_value[2]);
72
73 bool bool_value = true;
74 ASSERT_TRUE(policy.GetGuestModeEnabled(&bool_value));
75 EXPECT_FALSE(bool_value);
76
77 bool_value = true;
78 ASSERT_TRUE(policy.GetCameraEnabled(&bool_value));
79 EXPECT_FALSE(bool_value);
80
81 bool_value = true;
82 ASSERT_TRUE(policy.GetShowUserNames(&bool_value));
83 EXPECT_FALSE(bool_value);
84
85 bool_value = true;
86 ASSERT_TRUE(policy.GetDataRoamingEnabled(&bool_value));
87 EXPECT_FALSE(bool_value);
88
89 bool_value = true;
90 ASSERT_TRUE(policy.GetAllowNewUsers(&bool_value));
91 EXPECT_FALSE(bool_value);
92
93 bool_value = true;
94 ASSERT_TRUE(policy.GetMetricsEnabled(&bool_value));
95 EXPECT_FALSE(bool_value);
96
97 bool_value = true;
98 ASSERT_TRUE(policy.GetReportVersionInfo(&bool_value));
99 EXPECT_FALSE(bool_value);
100
101 bool_value = true;
102 ASSERT_TRUE(policy.GetReportActivityTimes(&bool_value));
103 EXPECT_FALSE(bool_value);
104
105 bool_value = true;
106 ASSERT_TRUE(policy.GetReportBootMode(&bool_value));
107 EXPECT_FALSE(bool_value);
108
109 bool_value = true;
110 ASSERT_TRUE(policy.GetEphemeralUsersEnabled(&bool_value));
111 EXPECT_FALSE(bool_value);
112
113 std::string string_value;
114 ASSERT_TRUE(policy.GetReleaseChannel(&string_value));
115 EXPECT_EQ("stable-channel", string_value);
116
117 bool_value = false;
118 ASSERT_TRUE(policy.GetReleaseChannelDelegated(&bool_value));
119 EXPECT_TRUE(bool_value);
120
121 bool_value = true;
122 ASSERT_TRUE(policy.GetUpdateDisabled(&bool_value));
123 EXPECT_FALSE(bool_value);
124
125 int64_t int64_value = -1LL;
126 ASSERT_TRUE(policy.GetScatterFactorInSeconds(&int64_value));
127 EXPECT_EQ(17LL, int64_value);
128
129 ASSERT_TRUE(policy.GetTargetVersionPrefix(&string_value));
130 EXPECT_EQ("42.0.", string_value);
131
132 int_value = -1;
133 ASSERT_TRUE(policy.GetRollbackToTargetVersion(&int_value));
134 EXPECT_EQ(enterprise_management::AutoUpdateSettingsProto::
135 ROLLBACK_WITH_FULL_POWERWASH,
136 int_value);
137
138 int_value = -1;
139 ASSERT_TRUE(policy.GetRollbackAllowedMilestones(&int_value));
140 EXPECT_EQ(3, int_value);
141
142 std::set<std::string> types;
143 ASSERT_TRUE(policy.GetAllowedConnectionTypesForUpdate(&types));
144 EXPECT_TRUE(types.end() != types.find("ethernet"));
145 EXPECT_TRUE(types.end() != types.find("wifi"));
146 EXPECT_EQ(2, types.size());
147
148 ASSERT_TRUE(policy.GetOpenNetworkConfiguration(&string_value));
149 EXPECT_EQ("{}", string_value);
150
151 ASSERT_TRUE(policy.GetOwner(&string_value));
152 EXPECT_EQ("", string_value);
153
154 bool_value = true;
155 ASSERT_TRUE(policy.GetHttpDownloadsEnabled(&bool_value));
156 EXPECT_FALSE(bool_value);
157
158 bool_value = true;
159 ASSERT_TRUE(policy.GetAuP2PEnabled(&bool_value));
160 EXPECT_FALSE(bool_value);
161
162 bool_value = true;
163 ASSERT_TRUE(policy.GetAllowKioskAppControlChromeVersion(&bool_value));
164 EXPECT_FALSE(bool_value);
165
166 std::vector<DevicePolicy::UsbDeviceId> list_device;
167 ASSERT_TRUE(policy.GetUsbDetachableWhitelist(&list_device));
168 EXPECT_EQ(2, list_device.size());
169 EXPECT_EQ(0x413c, list_device[0].vendor_id);
170 EXPECT_EQ(0x2105, list_device[0].product_id);
171 EXPECT_EQ(0x0403, list_device[1].vendor_id);
172 EXPECT_EQ(0x6001, list_device[1].product_id);
173
174 ASSERT_TRUE(policy.GetAutoLaunchedKioskAppId(&string_value));
175 EXPECT_EQ("my_kiosk_app", string_value);
176
177 int_value = -1;
178 ASSERT_TRUE(policy.GetSecondFactorAuthenticationMode(&int_value));
179 EXPECT_EQ(2, int_value);
180
181 std::vector<DevicePolicy::WeeklyTimeInterval> intervals;
182 ASSERT_TRUE(policy.GetDisallowedTimeIntervals(&intervals));
183 ASSERT_EQ(2, intervals.size());
184 EXPECT_EQ(4, intervals[0].start_day_of_week);
185 EXPECT_EQ(base::TimeDelta::FromMinutes(30) + base::TimeDelta::FromHours(12),
186 intervals[0].start_time);
187 EXPECT_EQ(6, intervals[0].end_day_of_week);
188 EXPECT_EQ(base::TimeDelta::FromMinutes(15) + base::TimeDelta::FromHours(3),
189 intervals[0].end_time);
190 EXPECT_EQ(1, intervals[1].start_day_of_week);
191 EXPECT_EQ(base::TimeDelta::FromMinutes(10) + base::TimeDelta::FromHours(20),
192 intervals[1].start_time);
193 EXPECT_EQ(3, intervals[1].end_day_of_week);
194 EXPECT_EQ(base::TimeDelta::FromMinutes(20), intervals[1].end_time);
195
196 ASSERT_TRUE(policy.GetAutoLaunchedKioskAppId(&string_value));
197 ASSERT_EQ("my_kiosk_app", string_value);
198
199 // Reloading the protobuf should succeed.
200 EXPECT_TRUE(provider.Reload());
201 }
202
203 // Test that a policy file can be verified and parsed correctly. The file
204 // contains none of the possible fields, so reading should fail for all.
TEST(PolicyTest,DevicePolicyNoneSetTest)205 TEST(PolicyTest, DevicePolicyNoneSetTest) {
206 base::FilePath policy_file(kPolicyFileNoneSet);
207 base::FilePath key_file(kKeyFile);
208
209 PolicyProvider provider;
210 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl(
211 std::make_unique<MockInstallAttributesReader>(
212 InstallAttributesReader::kDeviceModeEnterprise, true),
213 policy_file, key_file, false));
214 provider.Reload();
215
216 // Ensure we successfully loaded the device policy file.
217 ASSERT_TRUE(provider.device_policy_is_loaded());
218
219 const DevicePolicy& policy = provider.GetDevicePolicy();
220
221 // Check that we cannot read any fields out of the sample protobuf.
222 int int_value;
223 int64_t int64_value;
224 std::vector<std::string> list_value;
225 bool bool_value;
226 std::string string_value;
227 std::vector<DevicePolicy::UsbDeviceId> list_device;
228 std::vector<DevicePolicy::WeeklyTimeInterval> intervals;
229
230 EXPECT_FALSE(policy.GetPolicyRefreshRate(&int_value));
231 EXPECT_FALSE(policy.GetUserWhitelist(&list_value));
232 EXPECT_FALSE(policy.GetGuestModeEnabled(&bool_value));
233 EXPECT_FALSE(policy.GetCameraEnabled(&bool_value));
234 EXPECT_FALSE(policy.GetShowUserNames(&bool_value));
235 EXPECT_FALSE(policy.GetDataRoamingEnabled(&bool_value));
236 EXPECT_FALSE(policy.GetAllowNewUsers(&bool_value));
237 EXPECT_FALSE(policy.GetMetricsEnabled(&bool_value));
238 EXPECT_FALSE(policy.GetReportVersionInfo(&bool_value));
239 EXPECT_FALSE(policy.GetReportActivityTimes(&bool_value));
240 EXPECT_FALSE(policy.GetReportBootMode(&bool_value));
241 EXPECT_FALSE(policy.GetEphemeralUsersEnabled(&bool_value));
242 EXPECT_FALSE(policy.GetReleaseChannel(&string_value));
243 EXPECT_FALSE(policy.GetUpdateDisabled(&bool_value));
244 EXPECT_FALSE(policy.GetTargetVersionPrefix(&string_value));
245 EXPECT_FALSE(policy.GetRollbackToTargetVersion(&int_value));
246 // RollbackAllowedMilestones has the default value of 0 for enterprise
247 // devices.
248 ASSERT_TRUE(policy.GetRollbackAllowedMilestones(&int_value));
249 EXPECT_EQ(0, int_value);
250 EXPECT_FALSE(policy.GetScatterFactorInSeconds(&int64_value));
251 EXPECT_FALSE(policy.GetOpenNetworkConfiguration(&string_value));
252 EXPECT_FALSE(policy.GetHttpDownloadsEnabled(&bool_value));
253 EXPECT_FALSE(policy.GetAuP2PEnabled(&bool_value));
254 EXPECT_FALSE(policy.GetAllowKioskAppControlChromeVersion(&bool_value));
255 EXPECT_FALSE(policy.GetUsbDetachableWhitelist(&list_device));
256 EXPECT_FALSE(policy.GetSecondFactorAuthenticationMode(&int_value));
257 EXPECT_FALSE(policy.GetDisallowedTimeIntervals(&intervals));
258 }
259
260 // Verify that the library will correctly recognize and signal missing files.
TEST(PolicyTest,DevicePolicyFailure)261 TEST(PolicyTest, DevicePolicyFailure) {
262 LOG(INFO) << "Errors expected.";
263 // Try loading non-existing protobuf should fail.
264 base::FilePath policy_file(kNonExistingFile);
265 base::FilePath key_file(kNonExistingFile);
266 PolicyProvider provider;
267 provider.SetDevicePolicyForTesting(
268 CreateDevicePolicyImpl(std::make_unique<MockInstallAttributesReader>(
269 cryptohome::SerializedInstallAttributes()),
270 policy_file, key_file, true));
271
272 // Even after reload the policy should still be not loaded.
273 ASSERT_FALSE(provider.Reload());
274 EXPECT_FALSE(provider.device_policy_is_loaded());
275 }
276
277 // Verify that signature verification is waived for a device in enterprise_ad
278 // mode.
TEST(PolicyTest,SkipSignatureForEnterpriseAD)279 TEST(PolicyTest, SkipSignatureForEnterpriseAD) {
280 base::FilePath policy_file(kPolicyFileAllSet);
281 base::FilePath key_file(kNonExistingFile);
282 PolicyProvider provider;
283 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl(
284 std::make_unique<MockInstallAttributesReader>(
285 InstallAttributesReader::kDeviceModeEnterpriseAD, true),
286 policy_file, key_file, false));
287 provider.Reload();
288
289 // Ensure we successfully loaded the device policy file.
290 EXPECT_TRUE(provider.device_policy_is_loaded());
291 }
292
293 // Ensure that signature verification is enforced for a device in vanilla
294 // enterprise mode.
TEST(PolicyTest,DontSkipSignatureForEnterprise)295 TEST(PolicyTest, DontSkipSignatureForEnterprise) {
296 base::FilePath policy_file(kPolicyFileAllSet);
297 base::FilePath key_file(kNonExistingFile);
298
299 PolicyProvider provider;
300 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl(
301 std::make_unique<MockInstallAttributesReader>(
302 InstallAttributesReader::kDeviceModeEnterprise, true),
303 policy_file, key_file, false));
304 provider.Reload();
305
306 // Ensure that unverifed policy is not loaded.
307 EXPECT_FALSE(provider.device_policy_is_loaded());
308 }
309
310 // Ensure that signature verification is enforced for a device in consumer mode.
TEST(PolicyTest,DontSkipSignatureForConsumer)311 TEST(PolicyTest, DontSkipSignatureForConsumer) {
312 base::FilePath policy_file(kPolicyFileAllSet);
313 base::FilePath key_file(kNonExistingFile);
314 cryptohome::SerializedInstallAttributes install_attributes;
315
316 PolicyProvider provider;
317 provider.SetDevicePolicyForTesting(CreateDevicePolicyImpl(
318 std::make_unique<MockInstallAttributesReader>(install_attributes),
319 policy_file, key_file, false));
320 provider.Reload();
321
322 // Ensure that unverifed policy is not loaded.
323 EXPECT_FALSE(provider.device_policy_is_loaded());
324 }
325
326 // Checks return value of IsConsumerDevice when it's a still in OOBE.
TEST(PolicyTest,IsConsumerDeviceOobe)327 TEST(PolicyTest, IsConsumerDeviceOobe) {
328 PolicyProvider provider;
329 provider.SetInstallAttributesReaderForTesting(
330 std::make_unique<MockInstallAttributesReader>("", false));
331 EXPECT_FALSE(provider.IsConsumerDevice());
332 }
333
334 // Checks return value of IsConsumerDevice when it's a consumer device.
TEST(PolicyTest,IsConsumerDeviceConsumer)335 TEST(PolicyTest, IsConsumerDeviceConsumer) {
336 PolicyProvider provider;
337 provider.SetInstallAttributesReaderForTesting(
338 std::make_unique<MockInstallAttributesReader>("", true));
339 EXPECT_TRUE(provider.IsConsumerDevice());
340 }
341
342 // Checks return value of IsConsumerDevice when it's an enterprise device.
TEST(PolicyTest,IsConsumerDeviceEnterprise)343 TEST(PolicyTest, IsConsumerDeviceEnterprise) {
344 PolicyProvider provider;
345 provider.SetInstallAttributesReaderForTesting(
346 std::make_unique<MockInstallAttributesReader>(
347 InstallAttributesReader::kDeviceModeEnterprise, true));
348 EXPECT_FALSE(provider.IsConsumerDevice());
349 }
350
351 // Checks return value of IsConsumerDevice when it's an enterprise AD device.
TEST(PolicyTest,IsConsumerDeviceEnterpriseAd)352 TEST(PolicyTest, IsConsumerDeviceEnterpriseAd) {
353 PolicyProvider provider;
354 provider.SetInstallAttributesReaderForTesting(
355 std::make_unique<MockInstallAttributesReader>(
356 InstallAttributesReader::kDeviceModeEnterpriseAD, true));
357 EXPECT_FALSE(provider.IsConsumerDevice());
358 }
359
360 } // namespace policy
361
main(int argc,char * argv[])362 int main(int argc, char* argv[]) {
363 ::testing::InitGoogleTest(&argc, argv);
364 return RUN_ALL_TESTS();
365 }
366