Add a test for the "ephemeral_users_enabled" device policy

chrome/test/functional/chromeos_ephemeral_users_enabled.py

Index: chrome/test/functional/chromeos_ephemeral_users_enabled.py
diff --git a/chrome/test/functional/chromeos_ephemeral_users_enabled.py b/chrome/test/functional/chromeos_ephemeral_users_enabled.py
new file mode 100644
index 0000000000000000000000000000000000000000..6277482393cb82b3d4e42e72e8c35067f6b1a560
--- /dev/null
+++ b/chrome/test/functional/chromeos_ephemeral_users_enabled.py
@@ -0,0 +1,187 @@
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be

[Nirnimesh, 2012/04/12 01:46:24]

I'd prefer a shorter filename for this test.
chromeos_ephemeral would suffice.

[bartfab (slow), 2012/04/12 12:49:31]

Done.

+# found in the LICENSE file.
+
+import logging
+import os
+import sys
+
+import pyauto_functional # This must come before pyauto (and thus, policy_base).
+import policy_base
+
+sys.path.append('/usr/local') # Required to import autotest libs.

[Nirnimesh, 2012/04/12 01:46:24]

nit: need at least 2 spaces before #

[bartfab (slow), 2012/04/12 12:49:31]

Done.

+from autotest.cros import constants
+from autotest.cros import cryptohome
+
+
+class ChromeosEphemeralUsersEnabled(policy_base.PolicyTestBase):
+  """Tests a policy that makes all users except the owner ephemeral.
+
+  When this policy is enabled, no persistent information in the form of
+  cryptohome shadow directories or local state prefs should be created for
+  users. Additionally, any persistent information previously accumulated should
+  be cleared when a user first logs in after enabling the policy."""
+
+  def _SetEphemeralUsersEnabled(self, enabled):
+    # The Login browser automation call fails when the login screen is showing

[Nirnimesh, 2012/04/12 01:46:24]

Please provide a docstring.

Some of this info can go in the docstring.

[bartfab (slow), 2012/04/12 12:49:31]

Done.

+    # user pods instead of a login form. This class disables automatic clearing
+    # of the local state, allowing user information to accumulate. To ensure no
+    # pods are shown for recent users, pods are explicitly disabled by setting
+    # the show_user_names policy to False.
+    self.SetDevicePolicy(device_policy={'ephemeral_users_enabled': enabled,
+                                        'show_user_names': False},
+                         owner=self._usernames[0])

[Nirnimesh, 2012/04/12 01:46:24]

it's not clear from the docstring or the method name that the owner is getting
set to user 0. Perhaps move this setUp() so that it's clearer.

[bartfab (slow), 2012/04/12 12:49:31]

It is SetDevicePolicy() that sets the owner. There is no way around dealing with
ownership information whenever device policies are being set. I renamed this
method and added a docstring explaining that it makes user 0 the owner.

+
+  def _DoesVaultDirectoryExist(self, user_index):
+    user_hash = cryptohome.get_user_hash(self._usernames[user_index])
+    return os.path.exists(os.path.join('/home/.shadow', user_hash))
+
+  def _AssertLocalStatePrefsSet(self, user_indexes):
+    expected = sorted([self._usernames[index] for index in user_indexes])
+    # The OAuthTokenStatus pref is populated asynchronously. Checking whether it
+    # is set would lead to an ugly race.
+    for pref in ['LoggedInUsers', 'UserImages', 'UserDisplayEmail', ]:
+      actual = sorted(self.GetLocalStatePrefsInfo().Prefs(pref))
+      self.assertTrue(actual == expected,

[Nirnimesh, 2012/04/12 01:46:24]

use assertEqual

[bartfab (slow), 2012/04/12 12:49:31]

Done.

+                      msg='Expected to find prefs in local state for users.')
+
+  def _AssertLocalStatePrefsEmpty(self):
+    for pref in ['LoggedInUsers',
+                 'UserImages',
+                 'UserDisplayEmail',
+                 'OAuthTokenStatus']:
+      self.assertFalse(self.GetLocalStatePrefsInfo().Prefs(pref),
+          msg='Expected to not find prefs in local state for any user.')
+
+  def _AssertVaultDirectoryExists(self, user_index):
+    self.assertTrue(self._DoesVaultDirectoryExist(user_index=user_index),
+                    msg='Expected vault shadow directory to exist.')
+
+  def _AssertVaultDirectoryDoesNotExist(self, user_index):
+    self.assertFalse(self._DoesVaultDirectoryExist(user_index=user_index),
+                     msg='Expected vault shadow directory to not exist.')
+
+  def _AssertVaultMounted(self, user_index, ephemeral):
+    if ephemeral:
+      device_regex = constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_EPHEMERAL
+      fs_regex = constants.CRYPTOHOME_FS_REGEX_TMPFS
+    else:
+      device_regex = constants.CRYPTOHOME_DEV_REGEX_REGULAR_USER_SHADOW
+      fs_regex = constants.CRYPTOHOME_FS_REGEX_ANY
+    self.assertTrue(
+        cryptohome.is_vault_mounted(device_regex=device_regex,
+                                    fs_regex=fs_regex,
+                                    user=self._usernames[user_index],
+                                    allow_fail=True),
+        msg='Expected vault backed by %s to be mounted.' %
+            'tmpfs' if ephemeral else 'shadow directory')
+
+  def _AssertNoVaultMounted(self):
+    self.assertFalse(cryptohome.is_vault_mounted(allow_fail=True),
+                     msg='Did not expect any vault to be mounted.')
+
+  def Login(self, user_index):
+    self.assertFalse(self.GetLoginInfo()['is_logged_in'],
+                     msg='Expected to be logged out.')
+    policy_base.PolicyTestBase.Login(self,
+                                     self._usernames[user_index],
+                                     self._passwords[user_index])
+    self.assertTrue(self.GetLoginInfo()['is_logged_in'],
+                    msg='Expected to be logged in.')
+
+  def ExtraChromeFlags(self):
+    """Sets up Chrome to skip OOBE.
+
+    A magic file normally exists on test images that tells the session manager

[Nirnimesh, 2012/04/12 01:46:24]

How is this description related to --login-screen=login?

[bartfab (slow), 2012/04/12 12:49:31]

Rewritten to make it clearer.

+    to skip OOBE. However, that same file also makes session manager clear the
+    local state during startup. This class requires local state to persist.
+    Thus, the magic file has to be removed temporarily and OOBE must be disabled
+    by passing an explicit flag.
+    """
+    flags = policy_base.PolicyTestBase.ExtraChromeFlags(self)
+    flags.append('--login-screen=login')
+    return flags
+
+  def setUp(self):
+    # Allow PolicyTestBase to clear local state and /home/chronos at the start
+    # for test isolation.
+    policy_base.PolicyTestBase.setUp(self)
+    # Disable clearing of local state and /home/chronos for the remainder of
+    # the test.
+    self.DisableLocalStateAutoClearingOnChromeOS()
+    self.set_clear_profile(False)

[Nirnimesh, 2012/04/12 01:46:24]

Why is this necessary?

[bartfab (slow), 2012/04/12 12:49:31]

Added an explanation.

+
+    credentials = (self.GetPrivateInfo()['prod_enterprise_test_user'],
+                   self.GetPrivateInfo()['prod_enterprise_executive_user'],
+                   self.GetPrivateInfo()['prod_enterprise_sales_user'])
+    self._usernames = [credential['username'] for credential in credentials]
+    self._passwords = [credential['password'] for credential in credentials]
+
+  def tearDown(self):
+    # Allow PolicyTestBase to clear local state and /home/chronos at the end for
+    # test isolation.
+    self.EnableLocalStateAutoClearingOnChromeOS()
+    self.set_clear_profile(True)
+    policy_base.PolicyTestBase.tearDown(self)
+
+  def testLoginAsOwnerIsNotEphemeral(self):
+    """Checks that the owner does not become ephemeral."""
+    self._SetEphemeralUsersEnabled(True)
+
+    self.Login(user_index=0)

[Nirnimesh, 2012/04/12 01:46:24]

How did user 0 become the owner? from line 33?

[bartfab (slow), 2012/04/12 12:49:31]

Renamed _SetEphemeralUsersEnabled() to _SetDevicePolicyAndOwner() and added a
docstring explaining that it makes user 0 the owner.

+    self._AssertVaultDirectoryExists(user_index=0)
+    self._AssertVaultMounted(user_index=0, ephemeral=False)
+    self.Logout()
+    self._AssertLocalStatePrefsSet(user_indexes=[0])
+
+    self._AssertVaultDirectoryExists(user_index=0)
+    self._AssertNoVaultMounted()
+
+  def testLoginAsNonOwnerIsEphemeral(self):
+    """Checks that a non-owner user does become ephemeral."""
+    self._SetEphemeralUsersEnabled(True)
+
+    self.Login(user_index=1)
+    self._AssertVaultDirectoryDoesNotExist(user_index=1)
+    self._AssertVaultMounted(user_index=1, ephemeral=True)
+    self.Logout()
+    self._AssertLocalStatePrefsEmpty()
+
+    self._AssertVaultDirectoryDoesNotExist(user_index=1)
+    self._AssertNoVaultMounted()
+
+  def testEnablingEphemeralUsersCleansUp(self):
+    """Checks that persistent information is cleared."""
+    self._SetEphemeralUsersEnabled(False)
+
+    self.Login(user_index=0)
+    self.Logout()
+    self._AssertLocalStatePrefsSet(user_indexes=[0])
+
+    self.Login(user_index=1)
+    self.Logout()
+    self._AssertLocalStatePrefsSet(user_indexes=[0, 1])
+
+    self.Login(user_index=2)
+    self.Logout()
+    self._AssertLocalStatePrefsSet(user_indexes=[0, 1, 2])
+
+    self._AssertVaultDirectoryExists(user_index=0)
+    self._AssertVaultDirectoryExists(user_index=1)
+    self._AssertVaultDirectoryExists(user_index=2)
+
+    self._SetEphemeralUsersEnabled(True)
+
+    self.Login(user_index=1)
+    self._AssertVaultMounted(user_index=1, ephemeral=True)
+    self.Logout()
+
+    self._AssertLocalStatePrefsSet(user_indexes=[0])
+
+    self._AssertVaultDirectoryExists(user_index=0)
+    self._AssertVaultDirectoryDoesNotExist(user_index=1)
+    self._AssertVaultDirectoryDoesNotExist(user_index=2)
+
+
+if __name__ == '__main__':
+  pyauto_functional.Main()