#include "chrome/browser/enterprise/signals/client_certificate_fetcher.h"
#include <vector>
#include "base/logging.h"
#include "base/memory/raw_ptr.h"
#include "base/test/test_future.h"
#include "chrome/browser/content_settings/host_content_settings_map_factory.h"
#include "chrome/test/base/testing_browser_process.h"
#include "chrome/test/base/testing_profile.h"
#include "chrome/test/base/testing_profile_manager.h"
#include "components/content_settings/core/browser/host_content_settings_map.h"
#include "content/public/test/browser_task_environment.h"
#include "net/cert/x509_certificate.h"
#include "net/ssl/client_cert_identity_test_util.h"
#include "net/ssl/client_cert_store.h"
#include "net/ssl/ssl_cert_request_info.h"
#include "net/test/cert_test_util.h"
#include "net/test/test_data_directory.h"
#include "testing/gmock/include/gmock/gmock.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "url/gurl.h"
namespace enterprise_signals {
namespace {
const char kRequestingUrl[] = "https://www.example.com";
class MockProfileNetworkContextServiceWrapper
: public ProfileNetworkContextServiceWrapper {
public:
MockProfileNetworkContextServiceWrapper() = default;
~MockProfileNetworkContextServiceWrapper() override = default;
MOCK_METHOD(std::unique_ptr<net::ClientCertStore>,
CreateClientCertStore,
(),
(override));
MOCK_METHOD(void,
FlushCachedClientCertIfNeeded,
(const net::HostPortPair&,
const scoped_refptr<net::X509Certificate>&),
(override));
};
class MockClientCertStore : public net::ClientCertStore {
public:
void GetClientCerts(
scoped_refptr<const net::SSLCertRequestInfo> cert_request_info,
ClientCertListCallback callback) override {
callback_ = std::move(callback);
}
void SimulateCallback(net::ClientCertIdentityList certs) {
std::move(callback_).Run(std::move(certs));
}
ClientCertListCallback callback_;
};
class FetchCertificateCallbackWrapper {
public:
void OnFetchCertificateFinished(
std::unique_ptr<net::ClientCertIdentity> cert) {
cert_ = std::move(cert);
++callbacks_called_;
}
int callbacks_called_{0};
std::unique_ptr<net::ClientCertIdentity> cert_;
};
MATCHER_P(CertEqualsIncludingChain, cert, "") {
return arg->EqualsIncludingChain(cert.get());
}
}
class ClientCertificateFetcherTest : public testing::Test {
protected:
void SetUp() override {
profile_manager_ = std::make_unique<TestingProfileManager>(
TestingBrowserProcess::GetGlobal());
ASSERT_TRUE(profile_manager_->SetUp());
profile_ = profile_manager_->CreateTestingProfile("TestProfile");
}
void TearDown() override {
HostContentSettingsMap* m =
HostContentSettingsMapFactory::GetForProfile(profile());
m->ClearSettingsForOneType(ContentSettingsType::AUTO_SELECT_CERTIFICATE);
}
net::ClientCertIdentityList GetDefaultClientCertList() {
EXPECT_EQ(0UL, client_certs_.size());
client_certs_.push_back(
net::ImportCertFromFile(net::GetTestCertsDirectory(), "client_1.pem"));
client_certs_.push_back(
net::ImportCertFromFile(net::GetTestCertsDirectory(), "client_2.pem"));
return net::FakeClientCertIdentityListFromCertificateList(client_certs_);
}
void SetPolicyValueInContentSettings(base::Value::List filters) {
HostContentSettingsMap* m =
HostContentSettingsMapFactory::GetForProfile(profile());
base::Value::Dict root;
root.Set("filters", std::move(filters));
m->SetWebsiteSettingDefaultScope(
GURL(kRequestingUrl), GURL(),
ContentSettingsType::AUTO_SELECT_CERTIFICATE,
base::Value(std::move(root)));
}
base::Value::Dict CreateFilterValue(const std::string& issuer,
const std::string& subject) {
EXPECT_FALSE(issuer.empty() && subject.empty());
base::Value::Dict filter;
if (!issuer.empty()) {
base::Value::Dict issuer_value;
issuer_value.Set("CN", issuer);
filter.Set("ISSUER", std::move(issuer_value));
}
if (!subject.empty()) {
base::Value::Dict subject_value;
subject_value.Set("CN", subject);
filter.Set("SUBJECT", std::move(subject_value));
}
return filter;
}
void CreateFetcher(std::unique_ptr<MockClientCertStore> mock_store) {
auto mock_network_context_service_wrapper = std::make_unique<
testing::StrictMock<MockProfileNetworkContextServiceWrapper>>();
mock_network_context_service_wrapper_ =
mock_network_context_service_wrapper.get();
EXPECT_CALL(*mock_network_context_service_wrapper, CreateClientCertStore())
.WillOnce(testing::Return(testing::ByMove(std::move(mock_store))));
fetcher_ = std::make_unique<ClientCertificateFetcher>(
std::move(mock_network_context_service_wrapper), profile());
}
TestingProfile* profile() { return profile_; }
std::vector<scoped_refptr<net::X509Certificate>>& client_certs() {
return client_certs_;
}
content::BrowserTaskEnvironment task_environment_;
std::unique_ptr<TestingProfileManager> profile_manager_;
raw_ptr<TestingProfile> profile_;
std::unique_ptr<ClientCertificateFetcher> fetcher_;
raw_ptr<MockProfileNetworkContextServiceWrapper>
mock_network_context_service_wrapper_;
std::vector<scoped_refptr<net::X509Certificate>> client_certs_;
};
TEST_F(ClientCertificateFetcherTest, NoCertStoreImmediatelyCallsBack) {
CreateFetcher(nullptr);
FetchCertificateCallbackWrapper wrapper;
fetcher_->FetchAutoSelectedCertificateForUrl(
GURL(kRequestingUrl),
base::BindOnce(
&FetchCertificateCallbackWrapper::OnFetchCertificateFinished,
base::Unretained(&wrapper)));
EXPECT_EQ(1, wrapper.callbacks_called_);
EXPECT_EQ(nullptr, wrapper.cert_);
}
TEST_F(ClientCertificateFetcherTest, EmptyUrl) {
CreateFetcher(std::make_unique<MockClientCertStore>());
base::test::TestFuture<std::unique_ptr<net::ClientCertIdentity>> test_future;
fetcher_->FetchAutoSelectedCertificateForUrl(GURL(),
test_future.GetCallback());
EXPECT_EQ(test_future.Get(), nullptr);
}
TEST_F(ClientCertificateFetcherTest, NoMatchingCertStoreCallsBackNull) {
std::unique_ptr<MockClientCertStore> cert_store =
std::make_unique<MockClientCertStore>();
MockClientCertStore* cert_store_ptr = cert_store.get();
CreateFetcher(std::move(cert_store));
FetchCertificateCallbackWrapper wrapper;
GURL url(kRequestingUrl);
EXPECT_CALL(*mock_network_context_service_wrapper_,
FlushCachedClientCertIfNeeded(
net::HostPortPair::FromURL(url),
scoped_refptr<net::X509Certificate>(nullptr)));
fetcher_->FetchAutoSelectedCertificateForUrl(
url, base::BindOnce(
&FetchCertificateCallbackWrapper::OnFetchCertificateFinished,
base::Unretained(&wrapper)));
net::ClientCertIdentityList certs;
cert_store_ptr->SimulateCallback(std::move(certs));
EXPECT_EQ(1, wrapper.callbacks_called_);
EXPECT_EQ(nullptr, wrapper.cert_);
}
TEST_F(ClientCertificateFetcherTest, ReturnsFirstCertIfMatching) {
std::unique_ptr<MockClientCertStore> cert_store =
std::make_unique<MockClientCertStore>();
base::Value::List filters;
filters.Append(CreateFilterValue("", "Client Cert A"));
SetPolicyValueInContentSettings(std::move(filters));
MockClientCertStore* cert_store_ptr = cert_store.get();
CreateFetcher(std::move(cert_store));
FetchCertificateCallbackWrapper wrapper;
GURL url(kRequestingUrl);
EXPECT_CALL(*mock_network_context_service_wrapper_,
FlushCachedClientCertIfNeeded(
net::HostPortPair::FromURL(url),
CertEqualsIncludingChain(net::ImportCertFromFile(
net::GetTestCertsDirectory(), "client_1.pem"))));
fetcher_->FetchAutoSelectedCertificateForUrl(
url, base::BindOnce(
&FetchCertificateCallbackWrapper::OnFetchCertificateFinished,
base::Unretained(&wrapper)));
net::ClientCertIdentityList certs;
cert_store_ptr->SimulateCallback(GetDefaultClientCertList());
EXPECT_EQ(1, wrapper.callbacks_called_);
EXPECT_NE(nullptr, wrapper.cert_);
EXPECT_TRUE(wrapper.cert_->certificate()->EqualsIncludingChain(
client_certs()[0].get()));
}
TEST_F(ClientCertificateFetcherTest, ReturnsSecondCertIfMatching) {
std::unique_ptr<MockClientCertStore> cert_store =
std::make_unique<MockClientCertStore>();
base::Value::List filters;
filters.Append(CreateFilterValue("E CA", ""));
SetPolicyValueInContentSettings(std::move(filters));
MockClientCertStore* cert_store_ptr = cert_store.get();
CreateFetcher(std::move(cert_store));
FetchCertificateCallbackWrapper wrapper;
GURL url(kRequestingUrl);
EXPECT_CALL(*mock_network_context_service_wrapper_,
FlushCachedClientCertIfNeeded(
net::HostPortPair::FromURL(url),
CertEqualsIncludingChain(net::ImportCertFromFile(
net::GetTestCertsDirectory(), "client_2.pem"))));
fetcher_->FetchAutoSelectedCertificateForUrl(
url, base::BindOnce(
&FetchCertificateCallbackWrapper::OnFetchCertificateFinished,
base::Unretained(&wrapper)));
net::ClientCertIdentityList certs;
cert_store_ptr->SimulateCallback(GetDefaultClientCertList());
EXPECT_EQ(1, wrapper.callbacks_called_);
EXPECT_NE(nullptr, wrapper.cert_);
EXPECT_TRUE(wrapper.cert_->certificate()->EqualsIncludingChain(
client_certs()[1].get()));
}
TEST_F(ClientCertificateFetcherTest, ReturnsNoCertIfNoFiltersMatch) {
std::unique_ptr<MockClientCertStore> cert_store =
std::make_unique<MockClientCertStore>();
base::Value::List filters;
filters.Append(CreateFilterValue("E CA", "Bad Subject"));
SetPolicyValueInContentSettings(std::move(filters));
MockClientCertStore* cert_store_ptr = cert_store.get();
CreateFetcher(std::move(cert_store));
FetchCertificateCallbackWrapper wrapper;
GURL url(kRequestingUrl);
EXPECT_CALL(*mock_network_context_service_wrapper_,
FlushCachedClientCertIfNeeded(
net::HostPortPair::FromURL(url),
scoped_refptr<net::X509Certificate>(nullptr)));
fetcher_->FetchAutoSelectedCertificateForUrl(
url, base::BindOnce(
&FetchCertificateCallbackWrapper::OnFetchCertificateFinished,
base::Unretained(&wrapper)));
net::ClientCertIdentityList certs;
cert_store_ptr->SimulateCallback(GetDefaultClientCertList());
EXPECT_EQ(1, wrapper.callbacks_called_);
EXPECT_EQ(nullptr, wrapper.cert_);
}
TEST_F(ClientCertificateFetcherTest, ReturnsNoCertIfNoFilters) {
std::unique_ptr<MockClientCertStore> cert_store =
std::make_unique<MockClientCertStore>();
MockClientCertStore* cert_store_ptr = cert_store.get();
CreateFetcher(std::move(cert_store));
FetchCertificateCallbackWrapper wrapper;
GURL url(kRequestingUrl);
EXPECT_CALL(*mock_network_context_service_wrapper_,
FlushCachedClientCertIfNeeded(
net::HostPortPair::FromURL(url),
scoped_refptr<net::X509Certificate>(nullptr)));
fetcher_->FetchAutoSelectedCertificateForUrl(
url, base::BindOnce(
&FetchCertificateCallbackWrapper::OnFetchCertificateFinished,
base::Unretained(&wrapper)));
net::ClientCertIdentityList certs;
cert_store_ptr->SimulateCallback(GetDefaultClientCertList());
EXPECT_EQ(1, wrapper.callbacks_called_);
EXPECT_EQ(nullptr, wrapper.cert_);
}
}
