// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chromeos/ash/components/network/profile_policies.h"
#include <string_view>
#include "base/containers/flat_set.h"
#include "base/functional/callback.h"
#include "base/test/values_test_util.h"
#include "base/values.h"
#include "chromeos/ash/components/network/client_cert_util.h"
#include "components/onc/onc_constants.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace ash {
namespace {
using ::testing::ElementsAre;
using ::testing::Eq;
using ::testing::IsEmpty;
using ::testing::Optional;
using ::testing::Pair;
using ::testing::UnorderedElementsAre;
// Creates a list containing clones of elements passed in the initializer list.
base::Value::List NetworkConfigsList(
std::initializer_list<const base::Value::Dict*> network_configs) {
base::Value::List result;
for (const auto* network_config : network_configs) {
result.Append(network_config->Clone());
}
return result;
}
// Creates a very basic for-testing NetworkConfig, essentially
// {
// "guid": <passed_guid>
// }
base::Value::Dict NetworkConfig(std::string_view guid) {
return base::Value::Dict().Set(::onc::network_config::kGUID, guid);
}
bool FalseShillPropertiesMatcher(
const base::Value::Dict& onc_network_configuration,
const base::Value::Dict& shill_properties) {
return false;
}
bool EqShillPropertiesMatcher(
const base::Value::Dict& onc_network_configuration,
const base::Value::Dict& shill_properties) {
return onc_network_configuration == shill_properties;
}
// A runtime values setter which doesn't change its input ONC dictionary.
// Useful for emulating that setting runtime values resulted in no change from
// the "original" ONC dictionary.
base::Value::Dict NoOp(
const base::Value::Dict& onc_network_configuration,
const base::flat_map<std::string, std::string>& profile_wide_expansions,
const client_cert::ResolvedCert& resolved_cert) {
return onc_network_configuration.Clone();
}
// A RuntimeValuesSetter which injects its inputs as
// dictionary keys. Useful for checking behavior when variable
// setting runtime values actually changes the ONC dictionary, and for easy
// verification of the values that have been passed to the RuntimeValuesSetter.
base::Value::Dict Inject(
const base::Value::Dict& onc_network_configuration,
const base::flat_map<std::string, std::string>& profile_wide_expansions,
const client_cert::ResolvedCert& resolved_cert) {
base::Value::Dict result = onc_network_configuration.Clone();
base::Value::Dict profile_wide_expansions_dict;
for (const auto& pair : profile_wide_expansions) {
profile_wide_expansions_dict.Set(pair.first, pair.second);
}
result.Set("profile_wide_expansions",
std::move(profile_wide_expansions_dict));
if (resolved_cert.status() ==
client_cert::ResolvedCert::Status::kNothingMatched) {
result.Set("cert_info", base::Value::Dict().Set("status", "no cert"));
} else if (resolved_cert.status() ==
client_cert::ResolvedCert::Status::kCertMatched) {
auto cert_dict = base::Value::Dict()
.Set("slot_id", resolved_cert.slot_id())
.Set("pkcs11_id", resolved_cert.pkcs11_id());
for (const auto& pair : resolved_cert.variable_expansions()) {
cert_dict.Set(pair.first, pair.second);
}
result.Set("cert_info", std::move(cert_dict));
}
return result;
}
} // namespace
using ProfilePoliciesTest = ::testing::Test;
// Calls GetGlobalNetworkConfig when no GlobalNetworkConfig has been set yet.
TEST(ProfilePoliciesTest, GlobalNetworkConfigIsEmpty) {
ProfilePolicies profile_policies;
ASSERT_TRUE(profile_policies.GetGlobalNetworkConfig());
EXPECT_TRUE(profile_policies.GetGlobalNetworkConfig()->empty());
}
// Sets / retrieves GlobalNetworkConfig.
TEST(ProfilePoliciesTest, SetAndOverwriteGlobalNetworkConfig) {
auto global_network_config_1 = base::Value::Dict().Set("key1", "value1");
auto global_network_config_2 = base::Value::Dict().Set("key2", "value2");
ProfilePolicies profile_policies;
profile_policies.SetGlobalNetworkConfig(global_network_config_1);
ASSERT_TRUE(profile_policies.GetGlobalNetworkConfig());
EXPECT_EQ(*profile_policies.GetGlobalNetworkConfig(),
global_network_config_1);
profile_policies.SetGlobalNetworkConfig(global_network_config_2);
ASSERT_TRUE(profile_policies.GetGlobalNetworkConfig());
EXPECT_EQ(*profile_policies.GetGlobalNetworkConfig(),
global_network_config_2);
}
// Tests accessors to per-network policies when no policy has been set.
TEST(ProfilePoliciesTest, NoNetworkPolicy) {
ProfilePolicies profile_policies;
EXPECT_EQ(profile_policies.GetPolicyByGuid("guid"), nullptr);
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), IsEmpty());
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(), IsEmpty());
}
// Applies a network policy and checks accessors to per-network policies.
// The original policy (none) had no network configs.
// The new policy has no network configs.
TEST(ProfilePoliciesTest, ApplyOncNetworkConfigurationListZeroToZero) {
base::Value::List network_configs;
ProfilePolicies profile_policies;
base::flat_set<std::string> new_or_modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
EXPECT_THAT(new_or_modified_guids, IsEmpty());
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), IsEmpty());
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(), IsEmpty());
}
// Applies a network policy and checks accessors to per-network policies.
// The original policy (none) had no network configs.
// The new policy has one network config.
TEST(ProfilePoliciesTest, ApplyOncNetworkConfigurationListZeroToOne) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs = NetworkConfigsList({&network_config_1});
ProfilePolicies profile_policies;
base::flat_set<std::string> new_or_modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
EXPECT_THAT(new_or_modified_guids, ElementsAre("guid1"));
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), ElementsAre("guid1"));
ASSERT_TRUE(profile_policies.GetPolicyByGuid("guid1"));
EXPECT_EQ(*profile_policies.GetPolicyByGuid("guid1"), network_config_1);
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
ElementsAre(Pair("guid1", base::test::IsJson(network_config_1))));
}
// Applies a network policy and checks accessors to per-network policies.
// Goes from no policy (0 networks) -> policy with 1 network -> policy with 0
// networks.
TEST(ProfilePoliciesTest, ApplyOncNetworkConfigurationListOneToZero) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs_orig =
NetworkConfigsList({&network_config_1});
ProfilePolicies profile_policies;
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), ElementsAre("guid1"));
base::Value::List network_configs_new = NetworkConfigsList({});
base::flat_set<std::string> new_or_modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(network_configs_new);
EXPECT_THAT(new_or_modified_guids, IsEmpty());
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), IsEmpty());
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(), IsEmpty());
}
// Applies a network policy and checks accessors to per-network policies.
// Tests re-application of exactly the same policy (no effective change).
TEST(ProfilePoliciesTest, ApplyOncNetworkConfigurationListNoChange) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs_orig =
NetworkConfigsList({&network_config_1});
ProfilePolicies profile_policies;
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), ElementsAre("guid1"));
base::flat_set<std::string> new_or_modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
EXPECT_THAT(new_or_modified_guids, IsEmpty());
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), ElementsAre("guid1"));
}
// Applies a network policy and checks accessors to per-network policies.
// Applies a policy with a network config "guid1".
// Applies another policy where "guid1" has changed contents.
// Tests that "guid1" is reported as changed and has the new contents.
TEST(ProfilePoliciesTest, ApplyOncNetworkConfigurationListChange) {
base::Value::Dict network_config_orig = NetworkConfig("guid1");
base::Value::List network_configs_orig =
NetworkConfigsList({&network_config_orig});
ProfilePolicies profile_policies;
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
ASSERT_TRUE(profile_policies.GetPolicyByGuid("guid1"));
EXPECT_EQ(*profile_policies.GetPolicyByGuid("guid1"), network_config_orig);
base::Value::Dict network_config_changed = network_config_orig.Clone();
network_config_changed.Set("changed", "changed");
base::Value::List network_configs_changed =
NetworkConfigsList({&network_config_changed});
base::flat_set<std::string> new_or_modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(
network_configs_changed);
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), ElementsAre("guid1"));
EXPECT_THAT(profile_policies.GetAllPolicyGuids(), ElementsAre("guid1"));
ASSERT_TRUE(profile_policies.GetPolicyByGuid("guid1"));
EXPECT_NE(*profile_policies.GetPolicyByGuid("guid1"), network_config_orig);
EXPECT_EQ(*profile_policies.GetPolicyByGuid("guid1"), network_config_changed);
}
// Applies a network policy with multiple NetworkConfiguration elements and
// checks accessors to per-network policies.
TEST(ProfilePoliciesTest, MultipleElements) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
network_config_1.Set("test1", "value1");
base::Value::Dict network_config_2 = NetworkConfig("guid2");
network_config_2.Set("test2", "value2");
base::Value::List network_configs_orig =
NetworkConfigsList({&network_config_1, &network_config_2});
ProfilePolicies profile_policies;
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
EXPECT_THAT(profile_policies.GetAllPolicyGuids(),
UnorderedElementsAre("guid1", "guid2"));
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(
Pair("guid1", base::test::IsJson(network_config_1)),
Pair("guid2", base::test::IsJson(network_config_2))));
}
// Tests HasPolicyMatchingShillProperties for the case that no policy matches.
TEST(ProfilePoliciesTest, HasPolicyMatchingShillPropertiesNoMatch) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs_orig =
NetworkConfigsList({&network_config_1});
ProfilePolicies profile_policies;
profile_policies.SetShillPropertiesMatcherForTesting(
base::BindRepeating(&FalseShillPropertiesMatcher));
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
EXPECT_FALSE(
profile_policies.HasPolicyMatchingShillProperties(base::Value::Dict()));
}
// Tests HasPolicyMatchingShillProperties for the case that a policy matches.
TEST(ProfilePoliciesTest, HasPolicyMatchingShillPropertiesMatch) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::Dict network_config_2 = NetworkConfig("guid2");
network_config_2.Set("marker", "value");
base::Value::List network_configs_orig =
NetworkConfigsList({&network_config_1, &network_config_2});
ProfilePolicies profile_policies;
profile_policies.SetShillPropertiesMatcherForTesting(
base::BindRepeating(&EqShillPropertiesMatcher));
profile_policies.ApplyOncNetworkConfigurationList(network_configs_orig);
EXPECT_TRUE(
profile_policies.HasPolicyMatchingShillProperties(network_config_2));
}
// Tests that profile-wide expansions apply if they were configured before the
// NetworkConfiguration was applied.
TEST(ProfilePoliciesTest, ProfileWideExpansionsAlreadyExist) {
base::Value::Dict network_config = NetworkConfig("guid1");
base::Value::List network_configs = NetworkConfigsList({&network_config});
ProfilePolicies profile_policies;
// Replace the variable expander with one which is simply injecting all
// expansions as top-level dictionary keys instead.
profile_policies.SetRuntimeValuesSetterForTesting(
base::BindRepeating(&Inject));
{
base::flat_set<std::string> modified_guids =
profile_policies.SetProfileWideExpansions(
{{"profileWideVar", "profileWideValue"}});
EXPECT_THAT(modified_guids, IsEmpty());
}
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
ElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
}
})"))));
}
// Tests that nothing happens when the variable expansions change if no
// NetworkConfiguration depends on them. This is emulated by using the NoOp
// expander (in reality it would happen if no network configuration contains a
// known expansion).
TEST(ProfilePoliciesTest, ChangeNoEffect) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs = NetworkConfigsList({&network_config_1});
ProfilePolicies profile_policies;
profile_policies.SetRuntimeValuesSetterForTesting(base::BindRepeating(&NoOp));
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
base::flat_set<std::string> modified_guids =
profile_policies.SetProfileWideExpansions(
{{"profileWideVar", "profileWideValue"}});
EXPECT_THAT(modified_guids, IsEmpty());
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(
Pair("guid1", base::test::IsJson(network_config_1))));
}
// Tests that when variable expansions (both profile-wide and network-specific)
// change and a NetworkConfiguration depends on them, the policy value with
// expansions is updated accordingly and the setter for the expansions returns
// back the set of affected NetworkConfiguration GUIDs to its caller.
TEST(ProfilePoliciesTest, ExpansionsChangeAffectsNetworkConfiguration) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::Dict network_config_2 = NetworkConfig("guid2");
base::Value::List network_configs =
NetworkConfigsList({&network_config_1, &network_config_2});
ProfilePolicies profile_policies;
// Replace the variable expander with one which is simply injecting all
// expansions as top-level dictionary keys instead.
profile_policies.SetRuntimeValuesSetterForTesting(
base::BindRepeating(&Inject));
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
{
base::flat_set<std::string> modified_guids =
profile_policies.SetProfileWideExpansions(
{{"profileWideVar", "profileWideValue"}});
EXPECT_THAT(modified_guids, UnorderedElementsAre("guid1", "guid2"));
}
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
}
})")),
Pair("guid2", base::test::IsJson(R"(
{
"GUID": "guid2",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
}
})"))));
{
bool change_had_effect = profile_policies.SetResolvedClientCertificate(
"guid1", client_cert::ResolvedCert::CertMatched(
1, "pkcs11_id", {{"certVar", "certVarValue"}}));
EXPECT_TRUE(change_had_effect);
}
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
},
"cert_info": {
"slot_id": 1,
"pkcs11_id": "pkcs11_id",
"certVar": "certVarValue"
}
})")),
Pair("guid2", base::test::IsJson(R"(
{
"GUID": "guid2",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
}
})"))));
{
bool change_had_effect = profile_policies.SetResolvedClientCertificate(
"guid1", client_cert::ResolvedCert::NothingMatched());
EXPECT_TRUE(change_had_effect);
}
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
},
"cert_info": {
"status": "no cert"
}
})")),
Pair("guid2", base::test::IsJson(R"(
{
"GUID": "guid2",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
}
})"))));
{
base::flat_set<std::string> modified_guids =
profile_policies.SetProfileWideExpansions({});
EXPECT_THAT(modified_guids, UnorderedElementsAre("guid1", "guid2"));
}
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {},
"cert_info": {
"status": "no cert"
}
})")),
Pair("guid2", base::test::IsJson(R"(
{
"GUID": "guid2",
"profile_wide_expansions": {}
})"))));
}
// Tests that variable expansions (both profile-wide and per-network) are
// applied when a NetworkConfiguration changes.
TEST(ProfilePoliciesTest, NetworkConfigurationChangeWithExistingExpansions) {
ProfilePolicies profile_policies;
// Replace the variable expander with one which is simply injecting all
// expansions as top-level dictionary keys instead.
profile_policies.SetRuntimeValuesSetterForTesting(
base::BindRepeating(&Inject));
{
base::flat_set<std::string> modified_guids =
profile_policies.SetProfileWideExpansions(
{{"profileWideVar", "profileWideValue"}});
EXPECT_THAT(modified_guids, IsEmpty());
}
{
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs = NetworkConfigsList({&network_config_1});
base::flat_set<std::string> modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
EXPECT_THAT(modified_guids, UnorderedElementsAre("guid1"));
}
{
bool change_had_effect = profile_policies.SetResolvedClientCertificate(
"guid1", client_cert::ResolvedCert::CertMatched(
1, "pkcs11_id", {{"certVar", "certVarValue"}}));
EXPECT_TRUE(change_had_effect);
}
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
},
"cert_info": {
"slot_id": 1,
"pkcs11_id": "pkcs11_id",
"certVar": "certVarValue"
}
})"))));
{
base::Value::Dict network_config_1 = NetworkConfig("guid1");
network_config_1.Set("modified", "yes");
base::Value::List network_configs = NetworkConfigsList({&network_config_1});
base::flat_set<std::string> modified_guids =
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
EXPECT_THAT(modified_guids, UnorderedElementsAre("guid1"));
}
EXPECT_THAT(profile_policies.GetGuidToPolicyMap(),
UnorderedElementsAre(Pair("guid1", base::test::IsJson(R"(
{
"GUID": "guid1",
"modified": "yes",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
},
"cert_info": {
"slot_id": 1,
"pkcs11_id": "pkcs11_id",
"certVar": "certVarValue"
}
})"))));
}
// Tests that GetOriginalPolicyByGuid returns the policy without
// variable expansions.
TEST(ProfilePoliciesTest, GetOriginalPolicyByGuid) {
base::Value::Dict network_config_1 = NetworkConfig("guid1");
base::Value::List network_configs = NetworkConfigsList({&network_config_1});
ProfilePolicies profile_policies;
// Replace the variable expander with one which is simply injecting all
// expansions as top-level dictionary keys instead.
profile_policies.SetRuntimeValuesSetterForTesting(
base::BindRepeating(&Inject));
profile_policies.ApplyOncNetworkConfigurationList(network_configs);
profile_policies.SetProfileWideExpansions(
{{"profileWideVar", "profileWideValue"}});
const base::Value::Dict* policy_with_expansions =
profile_policies.GetPolicyByGuid("guid1");
const base::Value::Dict* policy_without_expansions =
profile_policies.GetOriginalPolicyByGuid("guid1");
ASSERT_TRUE(policy_with_expansions);
ASSERT_TRUE(policy_without_expansions);
EXPECT_THAT(*policy_with_expansions, base::test::IsJson(R"(
{
"GUID": "guid1",
"profile_wide_expansions": {
"profileWideVar": "profileWideValue"
}
})"));
EXPECT_THAT(*policy_without_expansions, base::test::IsJson(R"(
{
"GUID": "guid1"
})"));
}
// Tests that setting per-network variable expansions doesn't do anything (and
// doesn't crash) if the GUID is unknown.
TEST(ProfilePoliciesTest, SetResolvedClientCertificateUnknownGuid) {
ProfilePolicies profile_policies;
// Replace the variable expander with one which is simply injecting all
// expansions as top-level dictionary keys instead.
profile_policies.SetRuntimeValuesSetterForTesting(
base::BindRepeating(&Inject));
bool change_had_effect = profile_policies.SetResolvedClientCertificate(
"unknown_guid", client_cert::ResolvedCert::CertMatched(
1, "pkcs11_id", {{"var1", "value1"}}));
EXPECT_FALSE(change_had_effect);
}
} // namespace ash
Codebase Browser
chromium