Chrome OS: Add AutoEnrollmentCheck browser tests

With different VPD options and missing state keys.

Bug: 934224
Change-Id: I84ac96e7375441357a3832c0f582ea6ff1baf948
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1564085Reviewed-by: Achuith Bhandarkar <achuith@chromium.org>
Reviewed-by: Igor <igorcov@chromium.org>
Reviewed-by: Pavol Marko <pmarko@chromium.org>
Commit-Queue: Roman Sorokin [CET] <rsorokin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#653513}

chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.cc

@@ -461,6 +461,11 @@ void AutoEnrollmentController::SetAutoEnrollmentClientFactoryForTesting(
   testing_auto_enrollment_client_factory_ = auto_enrollment_client_factory;
 }
 
+void AutoEnrollmentController::FireSafeguardTimerForTesting() {
+  DCHECK(safeguard_timer_.IsRunning());
+  safeguard_timer_.FireNow();
+}
+
 AutoEnrollmentController::InitialEnrollmentRequirement
 AutoEnrollmentController::GetInitialEnrollmentRequirement() {
   system::StatisticsProvider* provider =

chrome/browser/chromeos/login/enrollment/auto_enrollment_controller.h

@@ -143,6 +143,8 @@ class AutoEnrollmentController {
   void SetAutoEnrollmentClientFactoryForTesting(
       policy::AutoEnrollmentClient::Factory* auto_enrollment_client_factory);
 
+  void FireSafeguardTimerForTesting();
+
  private:
   class SystemClockSyncWaiter;
 

chrome/browser/chromeos/login/enrollment/enrollment_local_policy_server_browsertest.cc

@@ -19,6 +19,7 @@
 #include "chrome/browser/chromeos/login/ui/login_display_host.h"
 #include "chrome/browser/chromeos/login/wizard_controller.h"
 #include "chrome/browser/chromeos/policy/browser_policy_connector_chromeos.h"
+#include "chrome/browser/chromeos/policy/server_backed_state_keys_broker.h"
 #include "chrome/browser/policy/test/local_policy_test_server.h"
 #include "chrome/grit/generated_resources.h"
 #include "chromeos/attestation/mock_attestation_flow.h"
@@ -26,6 +27,8 @@
 #include "chromeos/cryptohome/async_method_caller.h"
 #include "chromeos/dbus/cryptohome/fake_cryptohome_client.h"
 #include "chromeos/dbus/dbus_thread_manager.h"
+#include "chromeos/dbus/session_manager/fake_session_manager_client.h"
+#include "chromeos/system/fake_statistics_provider.h"
 #include "chromeos/tpm/install_attributes.h"
 #include "components/policy/core/common/policy_switches.h"
 #include "components/strings/grit/components_strings.h"
@@ -129,10 +132,62 @@ class AutoEnrollmentLocalPolicyServer : public EnrollmentLocalPolicyServerBase {
         ->GetStateKeysBroker();
   }
 
+  void FireSafeguardTimer() {
+    WizardController::default_controller()
+        ->GetAutoEnrollmentController()
+        ->FireSafeguardTimerForTesting();
+  }
+
  private:
   DISALLOW_COPY_AND_ASSIGN(AutoEnrollmentLocalPolicyServer);
 };
 
+class AutoEnrollmentWithStatistics : public AutoEnrollmentLocalPolicyServer {
+ public:
+  AutoEnrollmentWithStatistics() : AutoEnrollmentLocalPolicyServer() {
+    // AutoEnrollmentController assumes that VPD is in valid state if
+    // "serial_number" or "Product_S/N" could be read from it.
+    fake_statistics_provider_.SetMachineStatistic("serial_number", "111111");
+  }
+
+  ~AutoEnrollmentWithStatistics() override = default;
+
+ protected:
+  void SetFRERequiredKey(const std::string& value) {
+    fake_statistics_provider_.SetMachineStatistic(system::kCheckEnrollmentKey,
+                                                  value);
+  }
+
+  void SetActivateDate(const std::string& value) {
+    fake_statistics_provider_.SetMachineStatistic(system::kActivateDateKey,
+                                                  value);
+  }
+
+  void SetVPDCorrupted() {
+    fake_statistics_provider_.ClearMachineStatistic("serial_number");
+  }
+
+ private:
+  system::ScopedFakeStatisticsProvider fake_statistics_provider_;
+  DISALLOW_COPY_AND_ASSIGN(AutoEnrollmentWithStatistics);
+};
+
+class AutoEnrollmentNoStateKeys : public AutoEnrollmentWithStatistics {
+ public:
+  AutoEnrollmentNoStateKeys() = default;
+  ~AutoEnrollmentNoStateKeys() override = default;
+
+  // AutoEnrollmentWithStatistics:
+  void SetUpInProcessBrowserTestFixture() override {
+    AutoEnrollmentWithStatistics::SetUpInProcessBrowserTestFixture();
+    SessionManagerClient::InitializeFakeInMemory();
+    FakeSessionManagerClient::Get()->set_force_state_keys_missing(true);
+  }
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(AutoEnrollmentNoStateKeys);
+};
+
 // Simple manual enrollment.
 IN_PROC_BROWSER_TEST_F(EnrollmentLocalPolicyServerBase, ManualEnrollment) {
   TriggerEnrollmentAndSignInSuccessfully();
@@ -468,4 +523,81 @@ IN_PROC_BROWSER_TEST_F(AutoEnrollmentLocalPolicyServer, Attestation) {
   EXPECT_TRUE(InstallAttributes::Get()->IsCloudManaged());
 }
 
+// FRE explicitly required in VPD, but the state keys are missing.
+IN_PROC_BROWSER_TEST_F(AutoEnrollmentNoStateKeys, FREExplicitlyRequired) {
+  SetFRERequiredKey("1");
+  host()->StartWizard(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK);
+  OobeScreenWaiter(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK).Wait();
+
+  // Chrome waits for state keys to be available, force a timeout.
+  FireSafeguardTimer();
+
+  OobeScreenWaiter(OobeScreen::SCREEN_ERROR_MESSAGE).Wait();
+  test::OobeJS().ExpectHasNoClass("allow-guest-signin", {"error-message"});
+}
+
+// FRE not explicitly required and the state keys are missing. Should proceed to
+// normal signin.
+IN_PROC_BROWSER_TEST_F(AutoEnrollmentNoStateKeys, FRENotRequired) {
+  host()->StartWizard(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK);
+  OobeScreenWaiter(OobeScreen::SCREEN_GAIA_SIGNIN).Wait();
+}
+
+// FRE explicitly not required in VPD, so it should not even contact the policy
+// server.
+IN_PROC_BROWSER_TEST_F(AutoEnrollmentWithStatistics, FREExplicitlyNotRequired) {
+  SetFRERequiredKey("0");
+
+  // Should be ignored.
+  EXPECT_TRUE(policy_server_.SetDeviceStateRetrievalResponse(
+      state_keys_broker(),
+      enterprise_management::DeviceStateRetrievalResponse::
+          RESTORE_MODE_REENROLLMENT_ENFORCED,
+      kTestDomain));
+
+  host()->StartWizard(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK);
+  OobeScreenWaiter(OobeScreen::SCREEN_GAIA_SIGNIN).Wait();
+}
+
+// FRE is not required when VPD is valid and activate date is not there.
+IN_PROC_BROWSER_TEST_F(AutoEnrollmentWithStatistics, MachineNotActivated) {
+  // Should be ignored.
+  EXPECT_TRUE(policy_server_.SetDeviceStateRetrievalResponse(
+      state_keys_broker(),
+      enterprise_management::DeviceStateRetrievalResponse::
+          RESTORE_MODE_REENROLLMENT_ENFORCED,
+      kTestDomain));
+
+  host()->StartWizard(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK);
+  OobeScreenWaiter(OobeScreen::SCREEN_GAIA_SIGNIN).Wait();
+}
+
+// FRE is required when VPD is valid and activate date is there.
+IN_PROC_BROWSER_TEST_F(AutoEnrollmentWithStatistics, MachineActivated) {
+  SetActivateDate("1970-01");
+
+  EXPECT_TRUE(policy_server_.SetDeviceStateRetrievalResponse(
+      state_keys_broker(),
+      enterprise_management::DeviceStateRetrievalResponse::
+          RESTORE_MODE_REENROLLMENT_ENFORCED,
+      kTestDomain));
+
+  host()->StartWizard(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK);
+  OobeScreenWaiter(OobeScreen::SCREEN_OOBE_ENROLLMENT).Wait();
+}
+
+// FRE is required when VPD in invalid state.
+IN_PROC_BROWSER_TEST_F(AutoEnrollmentWithStatistics, CorruptedVPD) {
+  SetVPDCorrupted();
+
+  EXPECT_TRUE(policy_server_.SetDeviceStateRetrievalResponse(
+      state_keys_broker(),
+      enterprise_management::DeviceStateRetrievalResponse::
+          RESTORE_MODE_REENROLLMENT_ENFORCED,
+      kTestDomain));
+
+  host()->StartWizard(OobeScreen::SCREEN_AUTO_ENROLLMENT_CHECK);
+  OobeScreenWaiter(OobeScreen::SCREEN_OOBE_ENROLLMENT).Wait();
+}
+
 }  // namespace chromeos

chrome/browser/chromeos/login/wizard_controller.h

@@ -387,6 +387,7 @@ class WizardController : public BaseScreenDelegate {
   FRIEND_TEST_ALL_PREFIXES(WizardControllerDeviceStateTest,
                            ControlFlowNoForcedReEnrollmentOnFirstBoot);
 
+  friend class AutoEnrollmentLocalPolicyServer;
   friend class WizardControllerBrokenLocalStateTest;
   friend class WizardControllerDeviceStateTest;
   friend class WizardControllerFlowTest;

chromeos/dbus/session_manager/fake_session_manager_client.cc

@@ -528,6 +528,16 @@ void FakeSessionManagerClient::SetFlagsForUser(
 
 void FakeSessionManagerClient::GetServerBackedStateKeys(
     StateKeysCallback callback) {
+  if (force_state_keys_missing_) {
+    // Need delay to prevent excessive warning output in tests caused by being
+    // retried in a tight loop.
+    base::ThreadTaskRunnerHandle::Get()->PostDelayedTask(
+        FROM_HERE,
+        base::BindOnce(std::move(callback), std::vector<std::string>()),
+        base::TimeDelta::FromSeconds(1));
+    return;
+  }
+
   if (policy_storage_ == PolicyStorageType::kOnDisk) {
     base::FilePath owner_key_path;
     CHECK(base::PathService::Get(dbus_paths::FILE_OWNER_KEY, &owner_key_path));

chromeos/dbus/session_manager/fake_session_manager_client.h

@@ -230,6 +230,10 @@ class COMPONENT_EXPORT(SESSION_MANAGER) FakeSessionManagerClient
 
   void set_low_disk(bool low_disk) { low_disk_ = low_disk; }
 
+  void set_force_state_keys_missing(bool force_state_keys_missing) {
+    force_state_keys_missing_ = force_state_keys_missing;
+  }
+
   const std::string& container_instance_id() const {
     return container_instance_id_;
   }
@@ -263,6 +267,7 @@ class COMPONENT_EXPORT(SESSION_MANAGER) FakeSessionManagerClient
   int start_tpm_firmware_update_call_count_ = 0;
   std::string last_tpm_firmware_update_mode_;
   bool screen_is_locked_ = false;
+  bool force_state_keys_missing_ = false;
 
   bool arc_available_ = false;
   base::TimeTicks arc_start_time_;