Refactor TransportSecurityState.

chrome/browser/transport_security_persister_unittest.cc

Index: chrome/browser/transport_security_persister_unittest.cc
===================================================================
--- chrome/browser/transport_security_persister_unittest.cc	(revision 0)
+++ chrome/browser/transport_security_persister_unittest.cc	(revision 0)
@@ -0,0 +1,134 @@
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/transport_security_persister.h"
+
+#include <string>
+
+#include "net/base/transport_security_state.h"
+#include "net/base/x509_cert_types.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using net::TransportSecurityState;
+
+TEST_F(TransportSecurityPersisterTest, Serialise1) {
+  TransportSecurityState state;
+  std::string output;
+  TransportSecurityPersister persister;
+  bool dirty;
+
+  EXPECT_TRUE(persister.Serialize(TransportSecurityState::Iterator(state),
+                                  &output));
+  EXPECT_TRUE(persister.LoadEntries(output, &dirty));
+  EXPECT_FALSE(dirty);
+}
+
+TEST_F(TransportSecurityPersisterTest, Serialise2) {
+  TransportSecurityState state;
+  TransportSecurityState::DomainState domain_state;
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+  EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
+  domain_state.upgrade_mode =
+      TransportSecurityState::DomainState::MODE_FORCE_HTTPS;
+  domain_state.upgrade_expiry = expiry;
+  domain_state.include_subdomains = true;
+  state.EnableHost("yahoo.com", domain_state);
+
+  std::string output;
+  bool dirty;
+  TransportSecurityPersister persister;
+  EXPECT_TRUE(persister.Serialize(TransportSecurityState::Iterator(state),
+                                  &output));
+  EXPECT_TRUE(persister.LoadEntries(output, &dirty));
+
+  EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
+  EXPECT_EQ(domain_state.upgrade_mode,
+            TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
+  EXPECT_TRUE(state.GetDomainState("foo.yahoo.com", true, &domain_state));
+  EXPECT_EQ(domain_state.upgrade_mode,
+            TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
+  EXPECT_TRUE(state.GetDomainState("foo.bar.yahoo.com", true, &domain_state));
+  EXPECT_EQ(domain_state.upgrade_mode,
+            TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
+  EXPECT_TRUE(state.GetDomainState("foo.bar.baz.yahoo.com", true,
+                                   &domain_state));
+  EXPECT_EQ(domain_state.upgrade_mode,
+            TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
+  EXPECT_FALSE(state.GetDomainState("com", true, &domain_state));
+}
+
+TEST_F(TransportSecurityPersisterTest, SerialiseOld) {
+  TransportSecurityState state;
+  TransportSecurityPersister persister;
+  // This is an old-style piece of transport state JSON, which has no creation
+  // date.
+  std::string output =
+      "{ "
+      "\"NiyD+3J1r6z1wjl2n1ALBu94Zj9OsEAMo0kCN8js0Uk=\": {"
+      "\"expiry\": 1266815027.983453, "
+      "\"include_subdomains\": false, "
+      "\"mode\": \"strict\" "
+      "}"
+      "}";

[Ryan Sleevi, 2012/03/28 00:50:32]

I think you should add additional variants, such as the SPDY handling, if this
was something previously surfaced to users via command-line or UI and may have
been serialized.

[palmer, 2012/04/10 23:25:51]

It was never used. From a source tree that does not have this refactoring CL:

~/chromium/src $ search -v -n '\.(h|cpp)$' -C SPDY_ONLY 
./net/base/transport_security_state.h:50:      // SPDY_ONLY (aka
X-Bodge-Transport-Security) is a hopefully temporary
./net/base/transport_security_state.h:54:      MODE_SPDY_ONLY = 2,
./net/base/transport_security_state.h
./net/base/transport_security_state_static.h:2095:      case
DomainState::MODE_SPDY_ONLY:
./net/base/transport_security_state_static.h:2202:      mode =
DomainState::MODE_SPDY_ONLY;
./net/base/transport_security_state_static.h

So it's defined, and then handled in new code by agl that does not take this
refactoring into account. Nobody else uses it; we'll remove the case from agl's
code too.

+  bool dirty;
+  EXPECT_TRUE(persister.LoadEntries(output, &dirty));
+  EXPECT_TRUE(dirty);
+}
+
+TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) {
+  TransportSecurityState state;
+  TransportSecurityState::DomainState domain_state;
+  TransportSecurityPersister persister;
+  EXPECT_FALSE(state.GetDomainState("example.com", false, &domain_state));
+  FingerprintVector hashes;
+  EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes));
+
+  SHA1Fingerprint hash;
+  memset(hash.data, '1', sizeof(hash.data));
+  domain_state.static_spki_hashes.push_back(hash);
+
+  EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
+  hashes.push_back(hash);
+  EXPECT_TRUE(domain_state.IsChainOfPublicKeysPermitted(hashes));
+  hashes[0].data[0] = '2';
+  EXPECT_FALSE(domain_state.IsChainOfPublicKeysPermitted(hashes));
+
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+  domain_state.upgrade_expiry = expiry;
+  state.EnableHost("example.com", domain_state);
+  std::string ser;
+  EXPECT_TRUE(persister.Serialize(TransportSecurityState::Iterator(state),
+                                  &ser));
+  bool dirty;
+  EXPECT_TRUE(persister.LoadEntries(ser, &dirty));
+  EXPECT_TRUE(state.GetDomainState("example.com", false, &domain_state));
+  EXPECT_EQ(1u, domain_state.static_spki_hashes.size());
+  EXPECT_EQ(0, memcmp(domain_state.static_spki_hashes[0].data, hash.data,
+                      sizeof(hash.data)));
+}
+
+TEST_F(TransportSecurityPersisterTest, ForcePreloads) {
+  // This is a docs.google.com override.

[Ryan Sleevi, 2012/03/28 00:50:32]

Could you expand this comment?

It's not clear what it's an override of - an internal preload?

[palmer, 2012/04/10 23:25:51]

Done.

+  std::string preload("{"
+                      "\"4AGT3lHihuMSd5rUj7B4u6At0jlSH3HFePovjPR+oLE=\": {"
+                      "\"created\": 0.0,"
+                      "\"expiry\": 2000000000.0,"
+                      "\"include_subdomains\": false,"
+                      "\"mode\": \"pinning-only\""
+                      "}}");
+
+  TransportSecurityPersister persister;
+  EXPECT_TRUE(persister.LoadEntries(preload, &dirty));
+  EXPECT_TRUE(dirty);
+
+  TransportSecurityState state(preload);
+  TransportSecurityState::DomainState domain_state;
+  EXPECT_TRUE(state.GetDomainState("docs.google.com", true, &domain_state));
+  EXPECT_FALSE(HasPins(domain_state));
+  EXPECT_FALSE(domain_state.ShouldRedirectHTTPToHTTPS());
+}
+
Property changes on: chrome/browser/transport_security_persister_unittest.cc
___________________________________________________________________
Added: svn:eol-style
   + LF