Chromium Code Reviews Chromium Code Reviews
Issue 9960074:
Add a test for the "ephemeral_users_enabled" device policy (Closed)
Base URL: http://git.chromium.org/chromium/src.git@master| Index: chrome/test/functional/chromeos_ephemeral_users_enabled.py |
| diff --git a/chrome/test/functional/chromeos_ephemeral_users_enabled.py b/chrome/test/functional/chromeos_ephemeral_users_enabled.py |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..40d24a92ef303e4eeb4bfb08c297a6be15cadee9 |
| --- /dev/null |
| +++ b/chrome/test/functional/chromeos_ephemeral_users_enabled.py |
| @@ -0,0 +1,154 @@ |
| +# Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| +# Use of this source code is governed by a BSD-style license that can be |
| +# found in the LICENSE file. |
| + |
| +import logging |
| +import os |
| +import sys |
| + |
| +import pyauto_functional # must come before pyauto (and thus, policy_base). |
| +import policy_base |
| + |
| +sys.path.append('/usr/local') # to import autotest libs. |
| +from autotest.cros import constants |
| +from autotest.cros import cryptohome |
| + |
| + |
| +class ChromeosEphemeralUsersEnabled(policy_base.PolicyTestBase): |
| + """Tests a policy that makes all users except the owners ephemeral. |
|
xot
2012/04/11 01:42:24
owner -- there can be only one.
bartfab (slow)
2012/04/11 13:44:01
Done.
|
| + |
| + When this policy is enabled, no persistent information in the form of |
| + cryptohome shadow directories or local state prefs should be created for |
| + users. Additionally, any persistent information previously accumulated should |
| + be cleared when a user first logs in after enabling the policy.""" |
| + |
| + def _SetEphemeralUsersEnabled(self, enabled): |
| + self.SetDevicePolicy(device_policy={'ephemeral_users_enabled': enabled}, |
| + owner=self._usernames[0]) |
| + |
| + def _DoesVaultDirectoryExist(self, user_index): |
| + user_hash = cryptohome.get_user_hash(self._usernames[user_index]) |
| + return os.path.exists(os.path.join('/home/.shadow', user_hash)) |
| + |
| + def _AssertLocalStatePrefsSet(self, user_index): |
| + username = self._usernames[user_index] |
| + # The OAuthTokenStatus pref is populated asynchronously. Checking whether it |
| + # is set would lead to an ugly race. |
| + for pref in ['LoggedInUsers', 'UserImages', 'UserDisplayEmail']: |
| + values = self.GetLocalStatePrefsInfo().Prefs(pref) |
| + self.assertTrue(username in values and len(values) == 1, |
| + msg='Expected to find prefs in local state for user.') |
| + |
| + def _AssertLocalStatePrefsEmpty(self): |
| + for pref in ['LoggedInUsers', |
| + 'UserImages', |
| + 'UserDisplayEmail', |
| + 'OAuthTokenStatus']: |
| + self.assertFalse(self.GetLocalStatePrefsInfo().Prefs(pref), |
| + msg='Expected to not find prefs in local state for any user.') |
| + |
| + def _AssertVaultDirectoryExists(self, user_index): |
| + self.assertTrue(self._DoesVaultDirectoryExist(user_index=user_index), |
| + msg='Expected vault shadow directory to exist.') |
| + |
| + def _AssertVaultDirectoryDoesNotExist(self, user_index): |
| + self.assertFalse(self._DoesVaultDirectoryExist(user_index=user_index), |
| + msg='Expected vault shadow directory to not exist.') |
| + |
| + def _AssertVaultMounted(self, user_index, ephemeral): |
| + if ephemeral: |
| + device_regex = constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_EPHEMERAL |
| + fs_regex = constants.CRYPTOHOME_FS_REGEX_TMPFS |
| + else: |
| + device_regex = constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_SHADOW |
| + fs_regex = constants.CRYPTOHOME_FS_REGEX_ANY |
| + self.assertTrue( |
| + cryptohome.is_vault_mounted(device_regex=device_regex, |
| + fs_regex=fs_regex, |
| + user=self._usernames[user_index], |
| + allow_fail=True), |
| + msg='Expected vault backed by %s to be mounted.' % |
| + 'tmpfs' if ephemeral else 'shadow directory') |
| + |
| + def _AssertNoVaultMounted(self): |
| + self.assertFalse(cryptohome.is_vault_mounted(allow_fail=True), |
| + msg='Did not expect any vault to be mounted.') |
| + |
| + def Login(self, user_index): |
| + self.assertFalse(self.GetLoginInfo()['is_logged_in'], |
| + msg='Expected to be logged out.') |
| + policy_base.PolicyTestBase.Login(self, |
| + self._usernames[user_index], |
| + self._passwords[user_index]) |
| + self.assertTrue(self.GetLoginInfo()['is_logged_in'], |
| + msg='Expected to be logged in.') |
| + |
| + def setUp(self): |
| + policy_base.PolicyTestBase.setUp(self) |
| + credentials = (self.GetPrivateInfo()['prod_enterprise_test_user'], |
| + self.GetPrivateInfo()['prod_enterprise_executive_user'], |
| + self.GetPrivateInfo()['prod_enterprise_sales_user']) |
| + self._usernames = [credential['username'] for credential in credentials] |
| + self._passwords = [credential['password'] for credential in credentials] |
| + |
| + def testLoginAsOwnerIsNotEphemeral(self): |
| + """Checks that the owner does not become ephemeral.""" |
| + self._SetEphemeralUsersEnabled(True) |
| + |
| + self.Login(user_index=0) |
| + self._AssertLocalStatePrefsSet(user_index=0) |
| + self._AssertVaultDirectoryExists(user_index=0) |
| + self._AssertVaultMounted(user_index=0, ephemeral=False) |
| + self.Logout() |
| + |
| + self._AssertVaultDirectoryExists(user_index=0) |
| + self._AssertNoVaultMounted() |
| + |
| + def testLoginAsNonOwnerIsEphemeral(self): |
| + """Checks that a non-owner user does become ephemeral.""" |
| + self._SetEphemeralUsersEnabled(True) |
| + |
| + self.Login(user_index=1) |
| + self._AssertLocalStatePrefsEmpty() |
| + self._AssertVaultDirectoryDoesNotExist(user_index=1) |
| + self._AssertVaultMounted(user_index=1, ephemeral=True) |
| + self.Logout() |
| + |
| + self._AssertVaultDirectoryDoesNotExist(user_index=1) |
| + self._AssertNoVaultMounted() |
| + |
| + def testEnablingEphemeralUsersCleansUp(self): |
| + """Checks that persistent information is cleared. |
| + |
| + Unfortunately, ChromeOS test images clear the local state on every logout. |
| + It is therefore not possible to test whether accumulated user prefs are |
| + cleared from local state. |
| + """ |
|
xot
2012/04/11 01:42:24
I thought test images only did this when /root/for
bartfab (slow)
2012/04/11 13:44:01
The root file system is normally mounted read-only
|
| + self._SetEphemeralUsersEnabled(False) |
| + |
| + self.Login(user_index=0) |
| + self._AssertLocalStatePrefsSet(user_index=0) |
| + self.Logout() |
| + self.Login(user_index=1) |
| + self._AssertLocalStatePrefsSet(user_index=1) |
| + self.Logout() |
| + self.Login(user_index=2) |
| + self._AssertLocalStatePrefsSet(user_index=2) |
| + self.Logout() |
| + |
| + self._AssertVaultDirectoryExists(user_index=0) |
| + self._AssertVaultDirectoryExists(user_index=1) |
| + self._AssertVaultDirectoryExists(user_index=2) |
| + |
| + self._SetEphemeralUsersEnabled(True) |
| + |
| + self.Login(user_index=1) |
| + self._AssertVaultMounted(user_index=1, ephemeral=True) |
| + self.Logout() |
| + |
| + self._AssertVaultDirectoryExists(user_index=0) |
| + self._AssertVaultDirectoryDoesNotExist(user_index=1) |
| + self._AssertVaultDirectoryDoesNotExist(user_index=2) |
| + |
| +if __name__ == '__main__': |
| + pyauto_functional.Main() |
