search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Removed 'gaia-endpoint-chromeos' switch.
[chromium-blink-merge.git] / chrome / browser / chromeos / login / saml / saml_browsertest.cc
blob95b0af55f7d86a2f13dbb6db31587d4958a690db
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <cstring>
6
7 #include "base/bind.h"
8 #include "base/bind_helpers.h"
9 #include "base/callback.h"
10 #include "base/command_line.h"
11 #include "base/files/file_path.h"
12 #include "base/files/file_util.h"
13 #include "base/files/scoped_temp_dir.h"
14 #include "base/json/json_file_value_serializer.h"
15 #include "base/location.h"
16 #include "base/macros.h"
17 #include "base/memory/ref_counted.h"
18 #include "base/memory/scoped_ptr.h"
19 #include "base/path_service.h"
20 #include "base/run_loop.h"
21 #include "base/strings/string16.h"
22 #include "base/strings/string_util.h"
23 #include "base/strings/stringprintf.h"
24 #include "base/strings/utf_string_conversions.h"
25 #include "base/values.h"
26 #include "chrome/browser/chrome_notification_types.h"
27 #include "chrome/browser/chromeos/login/existing_user_controller.h"
28 #include "chrome/browser/chromeos/login/startup_utils.h"
29 #include "chrome/browser/chromeos/login/test/https_forwarder.h"
30 #include "chrome/browser/chromeos/login/test/oobe_screen_waiter.h"
31 #include "chrome/browser/chromeos/login/ui/login_display_host_impl.h"
32 #include "chrome/browser/chromeos/login/ui/webui_login_display.h"
33 #include "chrome/browser/chromeos/login/wizard_controller.h"
34 #include "chrome/browser/chromeos/policy/device_policy_builder.h"
35 #include "chrome/browser/chromeos/policy/device_policy_cros_browser_test.h"
36 #include "chrome/browser/chromeos/policy/proto/chrome_device_policy.pb.h"
37 #include "chrome/browser/chromeos/profiles/profile_helper.h"
38 #include "chrome/browser/chromeos/settings/cros_settings.h"
39 #include "chrome/browser/lifetime/application_lifetime.h"
40 #include "chrome/browser/policy/test/local_policy_test_server.h"
41 #include "chrome/browser/profiles/profile.h"
42 #include "chrome/browser/ui/webui/signin/inline_login_ui.h"
43 #include "chrome/common/chrome_constants.h"
44 #include "chrome/common/chrome_paths.h"
45 #include "chrome/common/chrome_switches.h"
46 #include "chrome/common/extensions/features/feature_channel.h"
47 #include "chrome/common/pref_names.h"
48 #include "chrome/grit/generated_resources.h"
49 #include "chrome/test/base/in_process_browser_test.h"
50 #include "chromeos/chromeos_switches.h"
51 #include "chromeos/dbus/dbus_thread_manager.h"
52 #include "chromeos/dbus/fake_session_manager_client.h"
53 #include "chromeos/dbus/session_manager_client.h"
54 #include "chromeos/settings/cros_settings_names.h"
55 #include "components/policy/core/browser/browser_policy_connector.h"
56 #include "components/policy/core/common/mock_configuration_policy_provider.h"
57 #include "components/policy/core/common/policy_map.h"
58 #include "components/policy/core/common/policy_switches.h"
59 #include "components/policy/core/common/policy_types.h"
60 #include "components/user_manager/user.h"
61 #include "components/user_manager/user_manager.h"
62 #include "content/public/browser/browser_thread.h"
63 #include "content/public/browser/render_frame_host.h"
64 #include "content/public/browser/web_contents.h"
65 #include "content/public/browser/web_contents_observer.h"
66 #include "content/public/test/browser_test_utils.h"
67 #include "content/public/test/test_utils.h"
68 #include "google_apis/gaia/fake_gaia.h"
69 #include "google_apis/gaia/gaia_constants.h"
70 #include "google_apis/gaia/gaia_switches.h"
71 #include "google_apis/gaia/gaia_urls.h"
72 #include "net/base/url_util.h"
73 #include "net/cookies/canonical_cookie.h"
74 #include "net/cookies/cookie_monster.h"
75 #include "net/cookies/cookie_store.h"
76 #include "net/dns/mock_host_resolver.h"
77 #include "net/test/embedded_test_server/embedded_test_server.h"
78 #include "net/test/embedded_test_server/http_request.h"
79 #include "net/test/embedded_test_server/http_response.h"
80 #include "net/url_request/url_request_context.h"
81 #include "net/url_request/url_request_context_getter.h"
82 #include "policy/policy_constants.h"
83 #include "policy/proto/device_management_backend.pb.h"
84 #include "testing/gmock/include/gmock/gmock.h"
85 #include "testing/gtest/include/gtest/gtest.h"
86 #include "ui/base/l10n/l10n_util.h"
87 #include "url/gurl.h"
88
89 namespace em = enterprise_management;
90
91 using net::test_server::BasicHttpResponse;
92 using net::test_server::HttpRequest;
93 using net::test_server::HttpResponse;
94 using testing::_;
95 using testing::Return;
96
97 namespace chromeos {
98
99 namespace {
100
101 const char kGAIASIDCookieName[] = "SID";
102 const char kGAIALSIDCookieName[] = "LSID";
103
104 const char kTestAuthSIDCookie1[] = "fake-auth-SID-cookie-1";
105 const char kTestAuthSIDCookie2[] = "fake-auth-SID-cookie-2";
106 const char kTestAuthLSIDCookie1[] = "fake-auth-LSID-cookie-1";
107 const char kTestAuthLSIDCookie2[] = "fake-auth-LSID-cookie-2";
108
109 const char kFirstSAMLUserEmail[] = "bob@example.com";
110 const char kSecondSAMLUserEmail[] = "alice@example.com";
111 const char kHTTPSAMLUserEmail[] = "carol@example.com";
112 const char kNonSAMLUserEmail[] = "dan@example.com";
113 const char kDifferentDomainSAMLUserEmail[] = "eve@example.test";
114
115 const char kSAMLIdPCookieName[] = "saml";
116 const char kSAMLIdPCookieValue1[] = "value-1";
117 const char kSAMLIdPCookieValue2[] = "value-2";
118
119 const char kRelayState[] = "RelayState";
120
121 const char kTestUserinfoToken[] = "fake-userinfo-token";
122 const char kTestRefreshToken[] = "fake-refresh-token";
123 const char kPolicy[] = "{\"managed_users\": [\"*\"]}";
124
125 // FakeSamlIdp serves IdP auth form and the form submission. The form is
126 // served with the template's RelayState placeholder expanded to the real
127 // RelayState parameter from request. The form submission redirects back to
128 // FakeGaia with the same RelayState.
129 class FakeSamlIdp {
130 public:
131 FakeSamlIdp();
132 ~FakeSamlIdp();
133
134 void SetUp(const std::string& base_path, const GURL& gaia_url);
135
136 void SetLoginHTMLTemplate(const std::string& template_file);
137 void SetLoginAuthHTMLTemplate(const std::string& template_file);
138 void SetRefreshURL(const GURL& refresh_url);
139 void SetCookieValue(const std::string& cookie_value);
140
141 scoped_ptr<HttpResponse> HandleRequest(const HttpRequest& request);
142
143 private:
144 scoped_ptr<HttpResponse> BuildHTMLResponse(const std::string& html_template,
145 const std::string& relay_state,
146 const std::string& next_path);
147
148 base::FilePath html_template_dir_;
149
150 std::string login_path_;
151 std::string login_auth_path_;
152
153 std::string login_html_template_;
154 std::string login_auth_html_template_;
155 GURL gaia_assertion_url_;
156 GURL refresh_url_;
157 std::string cookie_value_;
158
159 DISALLOW_COPY_AND_ASSIGN(FakeSamlIdp);
160 };
161
162 FakeSamlIdp::FakeSamlIdp() {
163 }
164
165 FakeSamlIdp::~FakeSamlIdp() {
166 }
167
168 void FakeSamlIdp::SetUp(const std::string& base_path, const GURL& gaia_url) {
169 base::FilePath test_data_dir;
170 ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &test_data_dir));
171 html_template_dir_ = test_data_dir.Append("login");
172
173 login_path_= base_path;
174 login_auth_path_ = base_path + "Auth";
175 gaia_assertion_url_ = gaia_url.Resolve("/SSO");
176 }
177
178 void FakeSamlIdp::SetLoginHTMLTemplate(const std::string& template_file) {
179 EXPECT_TRUE(base::ReadFileToString(
180 html_template_dir_.Append(template_file),
181 &login_html_template_));
182 }
183
184 void FakeSamlIdp::SetLoginAuthHTMLTemplate(const std::string& template_file) {
185 EXPECT_TRUE(base::ReadFileToString(
186 html_template_dir_.Append(template_file),
187 &login_auth_html_template_));
188 }
189
190 void FakeSamlIdp::SetRefreshURL(const GURL& refresh_url) {
191 refresh_url_ = refresh_url;
192 }
193
194 void FakeSamlIdp::SetCookieValue(const std::string& cookie_value) {
195 cookie_value_ = cookie_value;
196 }
197
198 scoped_ptr<HttpResponse> FakeSamlIdp::HandleRequest(
199 const HttpRequest& request) {
200 // The scheme and host of the URL is actually not important but required to
201 // get a valid GURL in order to parse |request.relative_url|.
202 GURL request_url = GURL("http://localhost").Resolve(request.relative_url);
203 std::string request_path = request_url.path();
204
205 if (request_path == login_path_) {
206 std::string relay_state;
207 net::GetValueForKeyInQuery(request_url, kRelayState, &relay_state);
208 return BuildHTMLResponse(login_html_template_,
209 relay_state,
210 login_auth_path_);
211 }
212
213 if (request_path != login_auth_path_) {
214 // Request not understood.
215 return scoped_ptr<HttpResponse>();
216 }
217
218 std::string relay_state;
219 FakeGaia::GetQueryParameter(request.content, kRelayState, &relay_state);
220 GURL redirect_url = gaia_assertion_url_;
221
222 if (!login_auth_html_template_.empty()) {
223 return BuildHTMLResponse(login_auth_html_template_,
224 relay_state,
225 redirect_url.spec());
226 }
227
228 redirect_url = net::AppendQueryParameter(
229 redirect_url, "SAMLResponse", "fake_response");
230 redirect_url = net::AppendQueryParameter(
231 redirect_url, kRelayState, relay_state);
232
233 scoped_ptr<BasicHttpResponse> http_response(new BasicHttpResponse());
234 http_response->set_code(net::HTTP_TEMPORARY_REDIRECT);
235 http_response->AddCustomHeader("Location", redirect_url.spec());
236 http_response->AddCustomHeader(
237 "Set-cookie",
238 base::StringPrintf("saml=%s", cookie_value_.c_str()));
239 return http_response.Pass();
240 }
241
242 scoped_ptr<HttpResponse> FakeSamlIdp::BuildHTMLResponse(
243 const std::string& html_template,
244 const std::string& relay_state,
245 const std::string& next_path) {
246 std::string response_html = html_template;
247 ReplaceSubstringsAfterOffset(&response_html, 0, "$RelayState", relay_state);
248 ReplaceSubstringsAfterOffset(&response_html, 0, "$Post", next_path);
249 ReplaceSubstringsAfterOffset(
250 &response_html, 0, "$Refresh", refresh_url_.spec());
251
252 scoped_ptr<BasicHttpResponse> http_response(new BasicHttpResponse());
253 http_response->set_code(net::HTTP_OK);
254 http_response->set_content(response_html);
255 http_response->set_content_type("text/html");
256
257 return http_response.Pass();
258 }
259
260 } // namespace
261
262 class SamlTest : public InProcessBrowserTest,
263 public testing::WithParamInterface<bool> {
264 public:
265 SamlTest() : gaia_frame_parent_("signin-frame"), saml_load_injected_(false) {}
266 ~SamlTest() override {}
267
268 bool UseWebView() const {
269 return GetParam();
270 }
271
272 void SetUp() override {
273 ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
274
275 // Start the GAIA https wrapper here so that the GAIA URLs can be pointed at
276 // it in SetUpCommandLine().
277 gaia_https_forwarder_.reset(
278 new HTTPSForwarder(embedded_test_server()->base_url()));
279 ASSERT_TRUE(gaia_https_forwarder_->Start());
280
281 // Start the SAML IdP https wrapper here so that GAIA can be pointed at it
282 // in SetUpCommandLine().
283 saml_https_forwarder_.reset(
284 new HTTPSForwarder(embedded_test_server()->base_url()));
285 ASSERT_TRUE(saml_https_forwarder_->Start());
286
287 // Stop IO thread here because no threads are allowed while
288 // spawning sandbox host process. See crbug.com/322732.
289 embedded_test_server()->StopThread();
290
291 InProcessBrowserTest::SetUp();
292 }
293
294 bool SetUpUserDataDirectory() override {
295 if (UseWebView()) {
296 // Fake Dev channel to enable webview signin.
297 scoped_channel_.reset(new extensions::ScopedCurrentChannel(
298 chrome::VersionInfo::CHANNEL_DEV));
299
300 base::FilePath user_data_dir;
301 CHECK(PathService::Get(chrome::DIR_USER_DATA, &user_data_dir));
302 base::FilePath local_state_path =
303 user_data_dir.Append(chrome::kLocalStateFilename);
304
305 // Set webview enabled flag only when local state file does not exist.
306 // Otherwise, we break PRE tests that leave state in it.
307 if (!base::PathExists(local_state_path)) {
308 base::DictionaryValue local_state_dict;
309 local_state_dict.SetBoolean(prefs::kWebviewSigninEnabled, true);
310 // OobeCompleted to skip controller-pairing-screen which still uses
311 // iframe and ends up in a JS error in oobe page init.
312 // See http://crbug.com/467147
313 local_state_dict.SetBoolean(prefs::kOobeComplete, true);
314
315 CHECK(JSONFileValueSerializer(local_state_path)
316 .Serialize(local_state_dict));
317 }
318 }
319
320 return InProcessBrowserTest::SetUpUserDataDirectory();
321 }
322
323 void SetUpInProcessBrowserTestFixture() override {
324 host_resolver()->AddRule("*", "127.0.0.1");
325 }
326
327 void SetUpCommandLine(base::CommandLine* command_line) override {
328 command_line->AppendSwitch(switches::kLoginManager);
329 command_line->AppendSwitch(switches::kForceLoginManagerInTests);
330 command_line->AppendSwitch(switches::kOobeSkipPostLogin);
331 command_line->AppendSwitch(::switches::kDisableBackgroundNetworking);
332 command_line->AppendSwitchASCII(switches::kLoginProfile, "user");
333
334 const GURL gaia_url = gaia_https_forwarder_->GetURL("");
335 command_line->AppendSwitchASCII(::switches::kGaiaUrl, gaia_url.spec());
336 command_line->AppendSwitchASCII(::switches::kLsoUrl, gaia_url.spec());
337 command_line->AppendSwitchASCII(::switches::kGoogleApisUrl,
338 gaia_url.spec());
339
340 const GURL saml_idp_url = saml_https_forwarder_->GetURL("SAML");
341 fake_saml_idp_.SetUp(saml_idp_url.path(), gaia_url);
342 fake_gaia_.RegisterSamlUser(kFirstSAMLUserEmail, saml_idp_url);
343 fake_gaia_.RegisterSamlUser(kSecondSAMLUserEmail, saml_idp_url);
344 fake_gaia_.RegisterSamlUser(
345 kHTTPSAMLUserEmail,
346 embedded_test_server()->base_url().Resolve("/SAML"));
347 fake_gaia_.RegisterSamlUser(kDifferentDomainSAMLUserEmail, saml_idp_url);
348
349 fake_gaia_.Initialize();
350 fake_gaia_.set_issue_oauth_code_cookie(UseWebView());
351 }
352
353 void SetUpOnMainThread() override {
354 fake_gaia_.SetFakeMergeSessionParams(kFirstSAMLUserEmail,
355 kTestAuthSIDCookie1,
356 kTestAuthLSIDCookie1);
357
358 embedded_test_server()->RegisterRequestHandler(
359 base::Bind(&FakeGaia::HandleRequest, base::Unretained(&fake_gaia_)));
360 embedded_test_server()->RegisterRequestHandler(base::Bind(
361 &FakeSamlIdp::HandleRequest, base::Unretained(&fake_saml_idp_)));
362
363 // Restart the thread as the sandbox host process has already been spawned.
364 embedded_test_server()->RestartThreadAndListen();
365
366 login_screen_load_observer_.reset(new content::WindowedNotificationObserver(
367 chrome::NOTIFICATION_LOGIN_OR_LOCK_WEBUI_VISIBLE,
368 content::NotificationService::AllSources()));
369 }
370
371 void TearDownOnMainThread() override {
372 // If the login display is still showing, exit gracefully.
373 if (LoginDisplayHostImpl::default_host()) {
374 base::MessageLoop::current()->PostTask(FROM_HERE,
375 base::Bind(&chrome::AttemptExit));
376 content::RunMessageLoop();
377 }
378 }
379
380 WebUILoginDisplay* GetLoginDisplay() {
381 ExistingUserController* controller =
382 ExistingUserController::current_controller();
383 CHECK(controller);
384 return static_cast<WebUILoginDisplay*>(controller->login_display());
385 }
386
387 void WaitForSigninScreen() {
388 WizardController* wizard_controller =
389 WizardController::default_controller();
390 if (wizard_controller) {
391 wizard_controller->SkipToLoginForTesting(LoginScreenContext());
392 }
393 WizardController::SkipPostLoginScreensForTesting();
394
395 login_screen_load_observer_->Wait();
396 }
397
398 virtual void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) {
399 WaitForSigninScreen();
400
401 if (!saml_load_injected_) {
402 saml_load_injected_ = true;
403
404 ASSERT_TRUE(content::ExecuteScript(
405 GetLoginUI()->GetWebContents(),
406 "$('gaia-signin').gaiaAuthHost_.addEventListener('authFlowChange',"
407 "function() {"
408 "window.domAutomationController.setAutomationId(0);"
409 "window.domAutomationController.send("
410 "$('gaia-signin').isSAML() ? 'SamlLoaded' : 'GaiaLoaded');"
411 "});"));
412 }
413
414 content::DOMMessageQueue message_queue; // Start observe before SAML.
415 GetLoginDisplay()->ShowSigninScreenForCreds(gaia_email, "");
416
417 std::string message;
418 ASSERT_TRUE(message_queue.WaitForMessage(&message));
419 EXPECT_EQ("\"SamlLoaded\"", message);
420 }
421
422 void SetSignFormField(const std::string& field_id,
423 const std::string& field_value) {
424 std::string js =
425 "(function(){"
426 "document.getElementById('$FieldId').value = '$FieldValue';"
427 "var e = new Event('input');"
428 "document.getElementById('$FieldId').dispatchEvent(e);"
429 "})();";
430 ReplaceSubstringsAfterOffset(&js, 0, "$FieldId", field_id);
431 ReplaceSubstringsAfterOffset(&js, 0, "$FieldValue", field_value);
432 ExecuteJsInSigninFrame(js);
433 }
434
435 void SendConfirmPassword(const std::string& password_to_confirm) {
436 std::string js =
437 "$('confirm-password-input').value='$Password';"
438 "$('confirm-password').onConfirmPassword_();";
439 ReplaceSubstringsAfterOffset(&js, 0, "$Password", password_to_confirm);
440 ASSERT_TRUE(content::ExecuteScript(GetLoginUI()->GetWebContents(), js));
441 }
442
443 void JsExpect(const std::string& js) {
444 bool result;
445 EXPECT_TRUE(content::ExecuteScriptAndExtractBool(
446 GetLoginUI()->GetWebContents(),
447 "window.domAutomationController.send(!!(" + js + "));",
448 &result));
449 EXPECT_TRUE(result) << js;
450 }
451
452 std::string WaitForAndGetFatalErrorMessage() {
453 OobeScreenWaiter(OobeDisplay::SCREEN_FATAL_ERROR).Wait();
454 std::string error_message;
455 if (!content::ExecuteScriptAndExtractString(
456 GetLoginUI()->GetWebContents(),
457 "window.domAutomationController.send("
458 "$('fatal-error-message').textContent);",
459 &error_message)) {
460 ADD_FAILURE();
461 }
462 return error_message;
463 }
464
465 content::WebUI* GetLoginUI() {
466 return static_cast<LoginDisplayHostImpl*>(
467 LoginDisplayHostImpl::default_host())->GetOobeUI()->web_ui();
468 }
469
470 // Executes JavaScript code in the auth iframe hosted by gaia_auth extension.
471 void ExecuteJsInSigninFrame(const std::string& js) {
472 content::RenderFrameHost* frame = InlineLoginUI::GetAuthIframe(
473 GetLoginUI()->GetWebContents(), GURL(), gaia_frame_parent_);
474 ASSERT_TRUE(content::ExecuteScript(frame, js));
475 }
476
477 FakeSamlIdp* fake_saml_idp() { return &fake_saml_idp_; }
478
479 protected:
480 scoped_ptr<content::WindowedNotificationObserver> login_screen_load_observer_;
481 FakeGaia fake_gaia_;
482
483 std::string gaia_frame_parent_;
484
485 scoped_ptr<HTTPSForwarder> gaia_https_forwarder_;
486 scoped_ptr<HTTPSForwarder> saml_https_forwarder_;
487
488 private:
489 FakeSamlIdp fake_saml_idp_;
490 scoped_ptr<extensions::ScopedCurrentChannel> scoped_channel_;
491
492 bool saml_load_injected_;
493
494 DISALLOW_COPY_AND_ASSIGN(SamlTest);
495 };
496
497 // Tests that signin frame should have 'saml' class and 'cancel' button is
498 // visible when SAML IdP page is loaded. And 'cancel' button goes back to
499 // gaia on clicking.
500 IN_PROC_BROWSER_TEST_P(SamlTest, SamlUI) {
501 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
502 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
503
504 // Saml flow UI expectations.
505 JsExpect("$('gaia-signin').classList.contains('full-width')");
506 if (!UseWebView()) {
507 JsExpect("!$('cancel-add-user-button').hidden");
508 }
509
510 // Click on 'cancel'.
511 content::DOMMessageQueue message_queue; // Observe before 'cancel'.
512 if (UseWebView()) {
513 ASSERT_TRUE(content::ExecuteScript(
514 GetLoginUI()->GetWebContents(),
515 "$('close-button-item').click();"));
516 } else {
517 ASSERT_TRUE(content::ExecuteScript(
518 GetLoginUI()->GetWebContents(),
519 "$('cancel-add-user-button').click();"));
520 }
521
522 // Auth flow should change back to Gaia.
523 std::string message;
524 do {
525 ASSERT_TRUE(message_queue.WaitForMessage(&message));
526 } while (message != "\"GaiaLoaded\"");
527
528 // Saml flow is gone.
529 JsExpect("!$('gaia-signin').classList.contains('full-width')");
530 }
531
532 // Tests the sign-in flow when the credentials passing API is used.
533 IN_PROC_BROWSER_TEST_P(SamlTest, CredentialPassingAPI) {
534 // Disabled for webview because the script is injected using
535 // webview.executeScript and there is no way to control the injection time.
536 // As a result, this test is flaky and fails about 20% of the time.
537 // TODO(xiyuan): Re-enable when webview.addContentScript API is ready.
538 if (UseWebView())
539 return;
540
541 fake_saml_idp()->SetLoginHTMLTemplate("saml_api_login.html");
542 fake_saml_idp()->SetLoginAuthHTMLTemplate("saml_api_login_auth.html");
543 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
544
545 content::WindowedNotificationObserver session_start_waiter(
546 chrome::NOTIFICATION_SESSION_STARTED,
547 content::NotificationService::AllSources());
548
549 // Fill-in the SAML IdP form and submit.
550 SetSignFormField("Email", "fake_user");
551 SetSignFormField("Password", "fake_password");
552 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
553
554 // Login should finish login and a session should start.
555 session_start_waiter.Wait();
556 }
557
558 // Tests the single password scraped flow.
559 IN_PROC_BROWSER_TEST_P(SamlTest, ScrapedSingle) {
560 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
561 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
562
563 // Fill-in the SAML IdP form and submit.
564 SetSignFormField("Email", "fake_user");
565 SetSignFormField("Password", "fake_password");
566 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
567
568 // Lands on confirm password screen.
569 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
570
571 // Entering an unknown password should go back to the confirm password screen.
572 SendConfirmPassword("wrong_password");
573 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
574
575 // Entering a known password should finish login and start session.
576 content::WindowedNotificationObserver session_start_waiter(
577 chrome::NOTIFICATION_SESSION_STARTED,
578 content::NotificationService::AllSources());
579 SendConfirmPassword("fake_password");
580 session_start_waiter.Wait();
581 }
582
583 // Tests password scraping from a dynamically created password field.
584 IN_PROC_BROWSER_TEST_P(SamlTest, ScrapedDynamic) {
585 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
586 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
587
588 ExecuteJsInSigninFrame(
589 "(function() {"
590 "var newPassInput = document.createElement('input');"
591 "newPassInput.id = 'DynamicallyCreatedPassword';"
592 "newPassInput.type = 'password';"
593 "newPassInput.name = 'Password';"
594 "document.forms[0].appendChild(newPassInput);"
595 "})();");
596
597 // Fill-in the SAML IdP form and submit.
598 SetSignFormField("Email", "fake_user");
599 SetSignFormField("DynamicallyCreatedPassword", "fake_password");
600 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
601
602 // Lands on confirm password screen.
603 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
604
605 // Entering an unknown password should go back to the confirm password screen.
606 SendConfirmPassword("wrong_password");
607 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
608
609 // Entering a known password should finish login and start session.
610 content::WindowedNotificationObserver session_start_waiter(
611 chrome::NOTIFICATION_SESSION_STARTED,
612 content::NotificationService::AllSources());
613 SendConfirmPassword("fake_password");
614 session_start_waiter.Wait();
615 }
616
617 // Tests the multiple password scraped flow.
618 IN_PROC_BROWSER_TEST_P(SamlTest, ScrapedMultiple) {
619 fake_saml_idp()->SetLoginHTMLTemplate("saml_login_two_passwords.html");
620
621 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
622
623 SetSignFormField("Email", "fake_user");
624 SetSignFormField("Password", "fake_password");
625 SetSignFormField("Password1", "password1");
626 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
627
628 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
629
630 // Either scraped password should be able to sign-in.
631 content::WindowedNotificationObserver session_start_waiter(
632 chrome::NOTIFICATION_SESSION_STARTED,
633 content::NotificationService::AllSources());
634 SendConfirmPassword("password1");
635 session_start_waiter.Wait();
636 }
637
638 // Tests the no password scraped flow.
639 IN_PROC_BROWSER_TEST_P(SamlTest, ScrapedNone) {
640 fake_saml_idp()->SetLoginHTMLTemplate("saml_login_no_passwords.html");
641
642 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
643
644 SetSignFormField("Email", "fake_user");
645 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
646
647 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_NO_PASSWORD),
648 WaitForAndGetFatalErrorMessage());
649 }
650
651 // Types |bob@example.com| into the GAIA login form but then authenticates as
652 // |alice@example.com| via SAML. Verifies that the logged-in user is correctly
653 // identified as Alice.
654 IN_PROC_BROWSER_TEST_P(SamlTest, UseAutenticatedUserEmailAddress) {
655 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
656 // Type |bob@example.com| into the GAIA login form.
657 StartSamlAndWaitForIdpPageLoad(kSecondSAMLUserEmail);
658
659 // Authenticate as alice@example.com via SAML (the |Email| provided here is
660 // irrelevant - the authenticated user's e-mail address that FakeGAIA
661 // reports was set via |SetFakeMergeSessionParams|.
662 SetSignFormField("Email", "fake_user");
663 SetSignFormField("Password", "fake_password");
664 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
665
666 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
667
668 content::WindowedNotificationObserver session_start_waiter(
669 chrome::NOTIFICATION_SESSION_STARTED,
670 content::NotificationService::AllSources());
671 SendConfirmPassword("fake_password");
672 session_start_waiter.Wait();
673 const user_manager::User* user =
674 user_manager::UserManager::Get()->GetActiveUser();
675 ASSERT_TRUE(user);
676 EXPECT_EQ(kFirstSAMLUserEmail, user->email());
677 }
678
679 // Verifies that if the authenticated user's e-mail address cannot be retrieved,
680 // an error message is shown.
681 IN_PROC_BROWSER_TEST_P(SamlTest, FailToRetrieveAutenticatedUserEmailAddress) {
682 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
683 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
684
685 fake_gaia_.SetFakeMergeSessionParams(
686 "", kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
687 SetSignFormField("Email", "fake_user");
688 SetSignFormField("Password", "fake_password");
689 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
690
691 EXPECT_EQ(l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_NO_ACCOUNT_DETAILS),
692 WaitForAndGetFatalErrorMessage());
693 }
694
695 // Tests the password confirm flow: show error on the first failure and
696 // fatal error on the second failure.
697 IN_PROC_BROWSER_TEST_P(SamlTest, PasswordConfirmFlow) {
698 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
699 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
700
701 // Fill-in the SAML IdP form and submit.
702 SetSignFormField("Email", "fake_user");
703 SetSignFormField("Password", "fake_password");
704 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
705
706 // Lands on confirm password screen with no error message.
707 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
708 JsExpect("!$('confirm-password').classList.contains('error')");
709
710 // Enter an unknown password for the first time should go back to confirm
711 // password screen with error message.
712 SendConfirmPassword("wrong_password");
713 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
714 JsExpect("$('confirm-password').classList.contains('error')");
715
716 // Enter an unknown password 2nd time should go back fatal error message.
717 SendConfirmPassword("wrong_password");
718 EXPECT_EQ(
719 l10n_util::GetStringUTF8(IDS_LOGIN_FATAL_ERROR_PASSWORD_VERIFICATION),
720 WaitForAndGetFatalErrorMessage());
721 }
722
723 // Verifies that when GAIA attempts to redirect to a SAML IdP served over http,
724 // not https, the redirect is blocked and an error message is shown.
725 IN_PROC_BROWSER_TEST_P(SamlTest, HTTPRedirectDisallowed) {
726 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
727
728 WaitForSigninScreen();
729 GetLoginDisplay()->ShowSigninScreenForCreds(kHTTPSAMLUserEmail, "");
730
731 const GURL url = embedded_test_server()->base_url().Resolve("/SAML");
732 EXPECT_EQ(l10n_util::GetStringFUTF8(
733 IDS_LOGIN_FATAL_ERROR_TEXT_INSECURE_URL,
734 base::UTF8ToUTF16(url.spec())),
735 WaitForAndGetFatalErrorMessage());
736 }
737
738 // Verifies that when GAIA attempts to redirect to a page served over http, not
739 // https, via an HTML meta refresh, the redirect is blocked and an error message
740 // is shown. This guards against regressions of http://crbug.com/359515.
741 IN_PROC_BROWSER_TEST_P(SamlTest, MetaRefreshToHTTPDisallowed) {
742 const GURL url = embedded_test_server()->base_url().Resolve("/SSO");
743 fake_saml_idp()->SetLoginHTMLTemplate("saml_login_instant_meta_refresh.html");
744 fake_saml_idp()->SetRefreshURL(url);
745
746 WaitForSigninScreen();
747 GetLoginDisplay()->ShowSigninScreenForCreds(kFirstSAMLUserEmail, "");
748
749 EXPECT_EQ(l10n_util::GetStringFUTF8(
750 IDS_LOGIN_FATAL_ERROR_TEXT_INSECURE_URL,
751 base::UTF8ToUTF16(url.spec())),
752 WaitForAndGetFatalErrorMessage());
753 }
754
755 INSTANTIATE_TEST_CASE_P(SamlSuite,
756 SamlTest,
757 testing::Bool());
758
759 class SAMLEnrollmentTest : public SamlTest,
760 public content::WebContentsObserver {
761 public:
762 SAMLEnrollmentTest();
763 ~SAMLEnrollmentTest() override;
764
765 // SamlTest:
766 void SetUp() override;
767 void SetUpCommandLine(base::CommandLine* command_line) override;
768 void SetUpOnMainThread() override;
769 void StartSamlAndWaitForIdpPageLoad(const std::string& gaia_email) override;
770
771 // content::WebContentsObserver:
772 void RenderFrameCreated(content::RenderFrameHost* render_frame_host) override;
773 void DidFinishLoad(content::RenderFrameHost* render_frame_host,
774 const GURL& validated_url) override;
775
776 void WaitForEnrollmentSuccess();
777
778 private:
779 scoped_ptr<policy::LocalPolicyTestServer> test_server_;
780 base::ScopedTempDir temp_dir_;
781
782 scoped_ptr<base::RunLoop> run_loop_;
783 content::RenderFrameHost* auth_frame_;
784
785 DISALLOW_COPY_AND_ASSIGN(SAMLEnrollmentTest);
786 };
787
788 SAMLEnrollmentTest::SAMLEnrollmentTest() : auth_frame_(nullptr) {
789 gaia_frame_parent_ = "oauth-enroll-signin-frame";
790 }
791
792 SAMLEnrollmentTest::~SAMLEnrollmentTest() {
793 }
794
795 void SAMLEnrollmentTest::SetUp() {
796 ASSERT_TRUE(temp_dir_.CreateUniqueTempDir());
797 const base::FilePath policy_file =
798 temp_dir_.path().AppendASCII("policy.json");
799 ASSERT_EQ(static_cast<int>(strlen(kPolicy)),
800 base::WriteFile(policy_file, kPolicy, strlen(kPolicy)));
801
802 test_server_.reset(new policy::LocalPolicyTestServer(policy_file));
803 ASSERT_TRUE(test_server_->Start());
804
805 SamlTest::SetUp();
806 }
807
808 void SAMLEnrollmentTest::SetUpCommandLine(base::CommandLine* command_line) {
809 command_line->AppendSwitchASCII(policy::switches::kDeviceManagementUrl,
810 test_server_->GetServiceURL().spec());
811 command_line->AppendSwitch(policy::switches::kDisablePolicyKeyVerification);
812 command_line->AppendSwitch(switches::kEnterpriseEnrollmentSkipRobotAuth);
813
814 SamlTest::SetUpCommandLine(command_line);
815 }
816
817 void SAMLEnrollmentTest::SetUpOnMainThread() {
818 Observe(GetLoginUI()->GetWebContents());
819
820 FakeGaia::AccessTokenInfo token_info;
821 token_info.token = kTestUserinfoToken;
822 token_info.scopes.insert(GaiaConstants::kDeviceManagementServiceOAuth);
823 token_info.scopes.insert(GaiaConstants::kOAuthWrapBridgeUserInfoScope);
824 token_info.audience = GaiaUrls::GetInstance()->oauth2_chrome_client_id();
825 token_info.email = kFirstSAMLUserEmail;
826 fake_gaia_.IssueOAuthToken(kTestRefreshToken, token_info);
827
828 SamlTest::SetUpOnMainThread();
829 }
830
831 void SAMLEnrollmentTest::StartSamlAndWaitForIdpPageLoad(
832 const std::string& gaia_email) {
833 WaitForSigninScreen();
834 run_loop_.reset(new base::RunLoop);
835 ExistingUserController::current_controller()->OnStartEnterpriseEnrollment();
836 run_loop_->Run();
837
838 SetSignFormField("Email", gaia_email);
839
840 run_loop_.reset(new base::RunLoop);
841 ExecuteJsInSigninFrame("document.getElementById('signIn').click();");
842 run_loop_->Run();
843 }
844
845 void SAMLEnrollmentTest::RenderFrameCreated(
846 content::RenderFrameHost* render_frame_host) {
847 content::RenderFrameHost* parent = render_frame_host->GetParent();
848 if (!parent || parent->GetFrameName() != gaia_frame_parent_)
849 return;
850
851 // The GAIA extension created the iframe in which the login form will be
852 // shown. Now wait for the login form to finish loading.
853 auth_frame_ = render_frame_host;
854 Observe(content::WebContents::FromRenderFrameHost(auth_frame_));
855 }
856
857 void SAMLEnrollmentTest::DidFinishLoad(
858 content::RenderFrameHost* render_frame_host,
859 const GURL& validated_url) {
860 if (render_frame_host != auth_frame_)
861 return;
862
863 const GURL origin = validated_url.GetOrigin();
864 if (origin != gaia_https_forwarder_->GetURL("") &&
865 origin != saml_https_forwarder_->GetURL("")) {
866 return;
867 }
868
869 // The GAIA or SAML IdP login form finished loading.
870 if (run_loop_)
871 run_loop_->Quit();
872 }
873
874 // Waits until the class |oauth-enroll-state-success| becomes set for the
875 // enrollment screen, indicating enrollment success.
876 void SAMLEnrollmentTest::WaitForEnrollmentSuccess() {
877 bool done = false;
878 ASSERT_TRUE(content::ExecuteScriptAndExtractBool(
879 GetLoginUI()->GetWebContents(),
880 "var enrollmentScreen = document.getElementById('oauth-enrollment');"
881 "function SendReplyIfEnrollmentDone() {"
882 " if (!enrollmentScreen.classList.contains("
883 " 'oauth-enroll-state-success')) {"
884 " return false;"
885 " }"
886 " domAutomationController.send(true);"
887 " observer.disconnect();"
888 " return true;"
889 "}"
890 "var observer = new MutationObserver(SendReplyIfEnrollmentDone);"
891 "if (!SendReplyIfEnrollmentDone()) {"
892 " var options = { attributes: true, attributeFilter: [ 'class' ] };"
893 " observer.observe(enrollmentScreen, options);"
894 "}",
895 &done));
896 }
897
898 IN_PROC_BROWSER_TEST_P(SAMLEnrollmentTest, WithoutCredentialsPassingAPI) {
899 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
900 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
901
902 // Fill-in the SAML IdP form and submit.
903 SetSignFormField("Email", "fake_user");
904 SetSignFormField("Password", "fake_password");
905 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
906
907 WaitForEnrollmentSuccess();
908 }
909
910 IN_PROC_BROWSER_TEST_P(SAMLEnrollmentTest, WithCredentialsPassingAPI) {
911 fake_saml_idp()->SetLoginHTMLTemplate("saml_api_login.html");
912 fake_saml_idp()->SetLoginAuthHTMLTemplate("saml_api_login_auth.html");
913 StartSamlAndWaitForIdpPageLoad(kFirstSAMLUserEmail);
914
915 // Fill-in the SAML IdP form and submit.
916 SetSignFormField("Email", "fake_user");
917 SetSignFormField("Password", "fake_password");
918 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
919
920 WaitForEnrollmentSuccess();
921 }
922
923 // TODO(xiyuan): Update once webview flow is implemented.
924 INSTANTIATE_TEST_CASE_P(SamlSuite,
925 SAMLEnrollmentTest,
926 testing::Values(false));
927
928 class SAMLPolicyTest : public SamlTest {
929 public:
930 SAMLPolicyTest();
931 ~SAMLPolicyTest() override;
932
933 // SamlTest:
934 void SetUpInProcessBrowserTestFixture() override;
935 void SetUpOnMainThread() override;
936
937 void SetSAMLOfflineSigninTimeLimitPolicy(int limit);
938 void EnableTransferSAMLCookiesPolicy();
939
940 void ShowGAIALoginForm();
941 void LogInWithSAML(const std::string& user_id,
942 const std::string& auth_sid_cookie,
943 const std::string& auth_lsid_cookie);
944
945 std::string GetCookieValue(const std::string& name);
946
947 void GetCookies();
948
949 protected:
950 void GetCookiesOnIOThread(
951 const scoped_refptr<net::URLRequestContextGetter>& request_context,
952 const base::Closure& callback);
953 void StoreCookieList(const base::Closure& callback,
954 const net::CookieList& cookie_list);
955
956 policy::DevicePolicyCrosTestHelper test_helper_;
957
958 // FakeDBusThreadManager uses FakeSessionManagerClient.
959 FakeSessionManagerClient* fake_session_manager_client_;
960 policy::DevicePolicyBuilder* device_policy_;
961
962 policy::MockConfigurationPolicyProvider provider_;
963
964 net::CookieList cookie_list_;
965
966 private:
967 DISALLOW_COPY_AND_ASSIGN(SAMLPolicyTest);
968 };
969
970 SAMLPolicyTest::SAMLPolicyTest()
971 : fake_session_manager_client_(new FakeSessionManagerClient),
972 device_policy_(test_helper_.device_policy()) {
973 }
974
975 SAMLPolicyTest::~SAMLPolicyTest() {
976 }
977
978 void SAMLPolicyTest::SetUpInProcessBrowserTestFixture() {
979 DBusThreadManager::GetSetterForTesting()->SetSessionManagerClient(
980 scoped_ptr<SessionManagerClient>(fake_session_manager_client_));
981
982 SamlTest::SetUpInProcessBrowserTestFixture();
983
984 // Initialize device policy.
985 test_helper_.InstallOwnerKey();
986 test_helper_.MarkAsEnterpriseOwned();
987 device_policy_->SetDefaultSigningKey();
988 device_policy_->Build();
989 fake_session_manager_client_->set_device_policy(device_policy_->GetBlob());
990 fake_session_manager_client_->OnPropertyChangeComplete(true);
991
992 // Initialize user policy.
993 EXPECT_CALL(provider_, IsInitializationComplete(_))
994 .WillRepeatedly(Return(true));
995 policy::BrowserPolicyConnector::SetPolicyProviderForTesting(&provider_);
996 }
997
998 void SAMLPolicyTest::SetUpOnMainThread() {
999 SamlTest::SetUpOnMainThread();
1000
1001 // Pretend that the test users' OAuth tokens are valid.
1002 user_manager::UserManager::Get()->SaveUserOAuthStatus(
1003 kFirstSAMLUserEmail, user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
1004 user_manager::UserManager::Get()->SaveUserOAuthStatus(
1005 kNonSAMLUserEmail, user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
1006 user_manager::UserManager::Get()->SaveUserOAuthStatus(
1007 kDifferentDomainSAMLUserEmail,
1008 user_manager::User::OAUTH2_TOKEN_STATUS_VALID);
1009 }
1010
1011 void SAMLPolicyTest::SetSAMLOfflineSigninTimeLimitPolicy(int limit) {
1012 policy::PolicyMap user_policy;
1013 user_policy.Set(policy::key::kSAMLOfflineSigninTimeLimit,
1014 policy::POLICY_LEVEL_MANDATORY,
1015 policy::POLICY_SCOPE_USER,
1016 new base::FundamentalValue(limit),
1017 NULL);
1018 provider_.UpdateChromePolicy(user_policy);
1019 base::RunLoop().RunUntilIdle();
1020 }
1021
1022 void SAMLPolicyTest::EnableTransferSAMLCookiesPolicy() {
1023 em::ChromeDeviceSettingsProto& proto(device_policy_->payload());
1024 proto.mutable_saml_settings()->set_transfer_saml_cookies(true);
1025
1026 base::RunLoop run_loop;
1027 scoped_ptr<CrosSettings::ObserverSubscription> observer =
1028 CrosSettings::Get()->AddSettingsObserver(
1029 kAccountsPrefTransferSAMLCookies,
1030 run_loop.QuitClosure());
1031 device_policy_->SetDefaultSigningKey();
1032 device_policy_->Build();
1033 fake_session_manager_client_->set_device_policy(device_policy_->GetBlob());
1034 fake_session_manager_client_->OnPropertyChangeComplete(true);
1035 run_loop.Run();
1036 }
1037
1038 void SAMLPolicyTest::ShowGAIALoginForm() {
1039 login_screen_load_observer_->Wait();
1040 ASSERT_TRUE(content::ExecuteScript(
1041 GetLoginUI()->GetWebContents(),
1042 "$('gaia-signin').gaiaAuthHost_.addEventListener('ready', function() {"
1043 " window.domAutomationController.setAutomationId(0);"
1044 " window.domAutomationController.send('ready');"
1045 "});"
1046 "$('add-user-button').click();"));
1047 content::DOMMessageQueue message_queue;
1048 std::string message;
1049 ASSERT_TRUE(message_queue.WaitForMessage(&message));
1050 EXPECT_EQ("\"ready\"", message);
1051 }
1052
1053 void SAMLPolicyTest::LogInWithSAML(const std::string& user_id,
1054 const std::string& auth_sid_cookie,
1055 const std::string& auth_lsid_cookie) {
1056 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1057 StartSamlAndWaitForIdpPageLoad(user_id);
1058
1059 fake_gaia_.SetFakeMergeSessionParams(
1060 user_id, auth_sid_cookie, auth_lsid_cookie);
1061 SetSignFormField("Email", "fake_user");
1062 SetSignFormField("Password", "fake_password");
1063 ExecuteJsInSigninFrame("document.getElementById('Submit').click();");
1064
1065 OobeScreenWaiter(OobeDisplay::SCREEN_CONFIRM_PASSWORD).Wait();
1066
1067 content::WindowedNotificationObserver session_start_waiter(
1068 chrome::NOTIFICATION_SESSION_STARTED,
1069 content::NotificationService::AllSources());
1070 SendConfirmPassword("fake_password");
1071 session_start_waiter.Wait();
1072 }
1073
1074 std::string SAMLPolicyTest::GetCookieValue(const std::string& name) {
1075 for (net::CookieList::const_iterator it = cookie_list_.begin();
1076 it != cookie_list_.end(); ++it) {
1077 if (it->Name() == name)
1078 return it->Value();
1079 }
1080 return std::string();
1081 }
1082
1083 void SAMLPolicyTest::GetCookies() {
1084 Profile* profile = chromeos::ProfileHelper::Get()->GetProfileByUserUnsafe(
1085 user_manager::UserManager::Get()->GetActiveUser());
1086 ASSERT_TRUE(profile);
1087 base::RunLoop run_loop;
1088 content::BrowserThread::PostTask(
1089 content::BrowserThread::IO,
1090 FROM_HERE,
1091 base::Bind(&SAMLPolicyTest::GetCookiesOnIOThread,
1092 base::Unretained(this),
1093 scoped_refptr<net::URLRequestContextGetter>(
1094 profile->GetRequestContext()),
1095 run_loop.QuitClosure()));
1096 run_loop.Run();
1097 }
1098
1099 void SAMLPolicyTest::GetCookiesOnIOThread(
1100 const scoped_refptr<net::URLRequestContextGetter>& request_context,
1101 const base::Closure& callback) {
1102 request_context->GetURLRequestContext()->cookie_store()->
1103 GetCookieMonster()->GetAllCookiesAsync(base::Bind(
1104 &SAMLPolicyTest::StoreCookieList,
1105 base::Unretained(this),
1106 callback));
1107 }
1108
1109 void SAMLPolicyTest::StoreCookieList(
1110 const base::Closure& callback,
1111 const net::CookieList& cookie_list) {
1112 cookie_list_ = cookie_list;
1113 content::BrowserThread::PostTask(content::BrowserThread::UI,
1114 FROM_HERE,
1115 callback);
1116 }
1117
1118 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, PRE_NoSAML) {
1119 // Set the offline login time limit for SAML users to zero.
1120 SetSAMLOfflineSigninTimeLimitPolicy(0);
1121
1122 WaitForSigninScreen();
1123
1124 // Log in without SAML.
1125 GetLoginDisplay()->ShowSigninScreenForCreds(kNonSAMLUserEmail, "password");
1126
1127 content::WindowedNotificationObserver(
1128 chrome::NOTIFICATION_SESSION_STARTED,
1129 content::NotificationService::AllSources()).Wait();
1130 }
1131
1132 // Verifies that the offline login time limit does not affect a user who
1133 // authenticated without SAML.
1134 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, NoSAML) {
1135 login_screen_load_observer_->Wait();
1136 // Verify that offline login is allowed.
1137 JsExpect("window.getComputedStyle(document.querySelector("
1138 " '#pod-row .signin-button-container')).display == 'none'");
1139 }
1140
1141 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, PRE_SAMLNoLimit) {
1142 // Remove the offline login time limit for SAML users.
1143 SetSAMLOfflineSigninTimeLimitPolicy(-1);
1144
1145 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
1146 }
1147
1148 // Verifies that when no offline login time limit is set, a user who
1149 // authenticated with SAML is allowed to log in offline.
1150 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, SAMLNoLimit) {
1151 login_screen_load_observer_->Wait();
1152 // Verify that offline login is allowed.
1153 JsExpect("window.getComputedStyle(document.querySelector("
1154 " '#pod-row .signin-button-container')).display == 'none'");
1155 }
1156
1157 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, PRE_SAMLZeroLimit) {
1158 // Set the offline login time limit for SAML users to zero.
1159 SetSAMLOfflineSigninTimeLimitPolicy(0);
1160
1161 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
1162 }
1163
1164 // Verifies that when the offline login time limit is exceeded for a user who
1165 // authenticated via SAML, that user is forced to log in online the next time.
1166 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, SAMLZeroLimit) {
1167 login_screen_load_observer_->Wait();
1168 // Verify that offline login is not allowed.
1169 JsExpect("window.getComputedStyle(document.querySelector("
1170 " '#pod-row .signin-button-container')).display != 'none'");
1171 }
1172
1173 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, PRE_PRE_TransferCookiesAffiliated) {
1174 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue1);
1175 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie1, kTestAuthLSIDCookie1);
1176
1177 GetCookies();
1178 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1179 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1180 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1181 }
1182
1183 // Verifies that when the DeviceTransferSAMLCookies policy is not enabled, SAML
1184 // IdP cookies are not transferred to a user's profile on subsequent login, even
1185 // if the user belongs to the domain that the device is enrolled into. Also
1186 // verifies that GAIA cookies are not transferred.
1187 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, PRE_TransferCookiesAffiliated) {
1188 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
1189 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1190 ShowGAIALoginForm();
1191 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie2, kTestAuthLSIDCookie2);
1192
1193 GetCookies();
1194 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1195 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1196 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1197 }
1198
1199 // Verifies that when the DeviceTransferSAMLCookies policy is enabled, SAML IdP
1200 // cookies are transferred to a user's profile on subsequent login when the user
1201 // belongs to the domain that the device is enrolled into. Also verifies that
1202 // GAIA cookies are not transferred.
1203 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, TransferCookiesAffiliated) {
1204 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
1205 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1206 ShowGAIALoginForm();
1207
1208 EnableTransferSAMLCookiesPolicy();
1209 LogInWithSAML(kFirstSAMLUserEmail, kTestAuthSIDCookie2, kTestAuthLSIDCookie2);
1210
1211 GetCookies();
1212 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1213 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1214 EXPECT_EQ(kSAMLIdPCookieValue2, GetCookieValue(kSAMLIdPCookieName));
1215 }
1216
1217 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, PRE_TransferCookiesUnaffiliated) {
1218 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue1);
1219 LogInWithSAML(kDifferentDomainSAMLUserEmail,
1220 kTestAuthSIDCookie1,
1221 kTestAuthLSIDCookie1);
1222
1223 GetCookies();
1224 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1225 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1226 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1227 }
1228
1229 // Verifies that even if the DeviceTransferSAMLCookies policy is enabled, SAML
1230 // IdP are not transferred to a user's profile on subsequent login if the user
1231 // does not belong to the domain that the device is enrolled into. Also verifies
1232 // that GAIA cookies are not transferred.
1233 IN_PROC_BROWSER_TEST_P(SAMLPolicyTest, TransferCookiesUnaffiliated) {
1234 fake_saml_idp()->SetCookieValue(kSAMLIdPCookieValue2);
1235 fake_saml_idp()->SetLoginHTMLTemplate("saml_login.html");
1236 ShowGAIALoginForm();
1237
1238 EnableTransferSAMLCookiesPolicy();
1239 LogInWithSAML(kDifferentDomainSAMLUserEmail,
1240 kTestAuthSIDCookie1,
1241 kTestAuthLSIDCookie1);
1242
1243 GetCookies();
1244 EXPECT_EQ(kTestAuthSIDCookie1, GetCookieValue(kGAIASIDCookieName));
1245 EXPECT_EQ(kTestAuthLSIDCookie1, GetCookieValue(kGAIALSIDCookieName));
1246 EXPECT_EQ(kSAMLIdPCookieValue1, GetCookieValue(kSAMLIdPCookieName));
1247 }
1248
1249 INSTANTIATE_TEST_CASE_P(SamlSuite,
1250 SAMLPolicyTest,
1251 testing::Bool());
1252
1253 } // namespace chromeos