Policy test server is not performing key rotations as documented |
||||||||||||
Issue descriptionThe policy test server (policy_testserver.py, [1]) has a feature to perform the signing keys rotation. As per command line help: > If the server has multiple keys, it will rotate through > them in at each request in a round-robin fashion. It seems that the actual behavior of the policy test server differs from the expected. In the default configuration, with the two pre-baked signing keys, it only performs one actual key rotation: from key #0 to key #1. It's not clear from the code what was the intended behavior, but it definitely doesn't conform to the documentation. So either the documentation should be corrected (though not sure how to describe it correctly, as I don't understand what will happen in case of three keys), or the policy test server should be fixed. Quick testing revealed at least one test which is actually depending on the current behavior of the policy test server: CloudPolicyTest.FetchPolicyWithRotatedKey ([2]). On the other hand, infinite round-robin key rotation may be useful for writing tests with some scenarios. [1] https://cs.chromium.org/chromium/src/chrome/browser/policy/test/policy_testserver.py [2] https://cs.chromium.org/chromium/src/chrome/browser/policy/cloud/cloud_policy_browsertest.cc?l=401
,
Nov 9 2016
Correction after closer looking at the code: in the default configuration, the policy test server is _not_ performing the key rotation. It's emulated in the CloudPolicyTest.FetchPolicyWithRotatedKey test by changing the test server config on the fly.
,
Nov 10 2016
,
Nov 11 2016
,
Nov 11 2016
,
Nov 11 2016
,
Nov 22 2016
Please update the status if you feel it's incorrect.
,
Nov 24 2016
So looks like there are no known usages of policy test server outside Chrome autotests. I'll work on fixing the doc to reflect the current behavior, and also add a command line flag that would actually enable the key rotation (the latter could be used to write new tests that work with the key rotation).
,
Nov 25 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/26aa638c5ccdd27549493df2d2aff78db8fa8382 commit 26aa638c5ccdd27549493df2d2aff78db8fa8382 Author: emaxx <emaxx@chromium.org> Date: Fri Nov 25 16:21:32 2016 This introduces a special command line flag for the local policy test server that enables the automatic rotation of the signing keys with each received policy fetch request. The LocalPolicyTestServer class is extended to provide ability to trigger this feature. Also the existing documentation for the local policy test server is corrected to correctly describe the default behavior in which there are no cyclic key rotations. BUG= 663870 TEST=existing tests Review-Url: https://codereview.chromium.org/2530023002 Cr-Commit-Position: refs/heads/master@{#434519} [modify] https://crrev.com/26aa638c5ccdd27549493df2d2aff78db8fa8382/chrome/browser/policy/test/local_policy_test_server.cc [modify] https://crrev.com/26aa638c5ccdd27549493df2d2aff78db8fa8382/chrome/browser/policy/test/local_policy_test_server.h [modify] https://crrev.com/26aa638c5ccdd27549493df2d2aff78db8fa8382/chrome/browser/policy/test/policy_testserver.py
,
Nov 25 2016
,
Mar 4 2017
,
Apr 17 2017
,
May 30 2017
,
Jul 6 2017
|
||||||||||||
►
Sign in to add a comment |
||||||||||||
Comment 1 by emaxx@chromium.org
, Nov 9 2016