Make HSTS headers not clobber preloaded pins.

net/http/http_security_headers_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 
 #include "base/base64.h"
 #include "base/sha1.h"
 #include "base/strings/string_piece.h"
 #include "crypto/sha2.h"
@@ skipping 437 matching lines @@
   TestValidPKPHeaders(HASH_VALUE_SHA256);
 }
 
 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
 
   // docs.google.com has preloaded pins.
   std::string domain = "docs.google.com";
   EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
-  EXPECT_GT(domain_state.static_spki_hashes.size(), 1UL);
-  HashValueVector saved_hashes = domain_state.static_spki_hashes;
+  EXPECT_GT(domain_state.static_pkp.spki_hashes.size(), 1UL);
+  HashValueVector saved_hashes = domain_state.static_pkp.spki_hashes;
 
   // Add a header, which should only update the dynamic state.
   HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
   HashValue backup_hash = GetTestHashValue(2, HASH_VALUE_SHA1);
   std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
   std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
   std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;
 
   // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
   SSLInfo ssl_info;
   ssl_info.public_key_hashes.push_back(good_hash);
   ssl_info.public_key_hashes.push_back(saved_hashes[0]);
   EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
 
   // Expect the preloaded state to remain unchanged.
   std::string canonicalized_host = TransportSecurityState::CanonicalizeHost(
       domain);
   TransportSecurityState::DomainState static_domain_state;
   EXPECT_TRUE(state.GetStaticDomainState(canonicalized_host,
                                          true,
                                          &static_domain_state));
   for (size_t i = 0; i < saved_hashes.size(); ++i) {
     EXPECT_TRUE(HashValuesEqual(
-        saved_hashes[i])(static_domain_state.static_spki_hashes[i]));
+        saved_hashes[i])(static_domain_state.static_pkp.spki_hashes[i]));
   }
 
   // Expect the dynamic state to reflect the header.
   TransportSecurityState::DomainState dynamic_domain_state;
   EXPECT_TRUE(state.GetDynamicDomainState(domain, &dynamic_domain_state));
-  EXPECT_EQ(2UL, dynamic_domain_state.dynamic_spki_hashes.size());
+  EXPECT_EQ(2UL, dynamic_domain_state.dynamic_pkp.spki_hashes.size());
 
   HashValueVector::const_iterator hash = std::find_if(
-      dynamic_domain_state.dynamic_spki_hashes.begin(),
-      dynamic_domain_state.dynamic_spki_hashes.end(),
+      dynamic_domain_state.dynamic_pkp.spki_hashes.begin(),
+      dynamic_domain_state.dynamic_pkp.spki_hashes.end(),
       HashValuesEqual(good_hash));
-  EXPECT_NE(dynamic_domain_state.dynamic_spki_hashes.end(), hash);
+  EXPECT_NE(dynamic_domain_state.dynamic_pkp.spki_hashes.end(), hash);
 
   hash = std::find_if(
-      dynamic_domain_state.dynamic_spki_hashes.begin(),
-      dynamic_domain_state.dynamic_spki_hashes.end(),
+      dynamic_domain_state.dynamic_pkp.spki_hashes.begin(),
+      dynamic_domain_state.dynamic_pkp.spki_hashes.end(),
       HashValuesEqual(backup_hash));
-  EXPECT_NE(dynamic_domain_state.dynamic_spki_hashes.end(), hash);
+  EXPECT_NE(dynamic_domain_state.dynamic_pkp.spki_hashes.end(), hash);
 
   // Expect the overall state to reflect the header, too.
   EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
-  EXPECT_EQ(2UL, domain_state.dynamic_spki_hashes.size());
+  EXPECT_EQ(2UL, domain_state.dynamic_pkp.spki_hashes.size());
 
-  hash = std::find_if(domain_state.dynamic_spki_hashes.begin(),
-                      domain_state.dynamic_spki_hashes.end(),
+  hash = std::find_if(domain_state.dynamic_pkp.spki_hashes.begin(),
+                      domain_state.dynamic_pkp.spki_hashes.end(),
                       HashValuesEqual(good_hash));
-  EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash);
+  EXPECT_NE(domain_state.dynamic_pkp.spki_hashes.end(), hash);
 
   hash = std::find_if(
-      domain_state.dynamic_spki_hashes.begin(),
-      domain_state.dynamic_spki_hashes.end(),
+      domain_state.dynamic_pkp.spki_hashes.begin(),
+      domain_state.dynamic_pkp.spki_hashes.end(),
       HashValuesEqual(backup_hash));
-  EXPECT_NE(domain_state.dynamic_spki_hashes.end(), hash);
+  EXPECT_NE(domain_state.dynamic_pkp.spki_hashes.end(), hash);
+}
+
+TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
+  TransportSecurityState state;
+  TransportSecurityState::DomainState domain_state;
+
+  std::string domain("accounts.google.com");

[Ryan Sleevi, 2014/03/07 01:39:19]

Use the same form as the other tests? See line 456

Also add a comment indicating a.g.c has preloaded pins. Or just change this to
docs.google.com

[palmer, 2014/03/14 21:33:39]

Done.

+
+  // Retrieve the DomainState as it is by default, including its known good
+  // pins. Assert sanity.

[Ryan Sleevi, 2014/03/07 01:39:19]

"Assert sanity" is superflous.

[palmer, 2014/03/14 21:33:39]

Done.

+  EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
+  HashValueVector saved_hashes = domain_state.static_pkp.spki_hashes;
+  EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
+  EXPECT_TRUE(domain_state.HasPublicKeyPins());
+
+  // Add a dynamic header. CheckPublicKeyPins (invoked below).
+  // CheckPublicKeyPins should still pass when given the original
+  // |saved_hashes|, indicating that CheckPublicKeyPins can still access and
+  // check the static_pkp data.

[Ryan Sleevi, 2014/03/07 01:39:19]

Rework this comment:

// Add a dynamic HSTS header.
// CheckPublicKeyPins should still pass when given the original
// |saved_hashes|, indicating that the static PKP data is still
// configured for the domain.

[palmer, 2014/03/14 21:33:39]

Done.

+  EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));
+  EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());
+  EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
+  EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes));
+
+  // Add a header, which should only update the dynamic state.
+  HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
+  std::string good_pin = GetTestPin(1, HASH_VALUE_SHA1);
+  std::string backup_pin = GetTestPin(2, HASH_VALUE_SHA1);
+  std::string header = "max-age = 10000; " + good_pin + "; " + backup_pin;

[Ryan Sleevi, 2014/03/07 01:39:19]

// Add a HPKP header, which should only update the dynamic state.

[palmer, 2014/03/14 21:33:39]

Done.

+
+  // Construct a fake SSLInfo that will pass AddHPKPHeader's checks.
+  SSLInfo ssl_info;
+  ssl_info.public_key_hashes.push_back(good_hash);
+  ssl_info.public_key_hashes.push_back(saved_hashes[0]);
+  EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
+
+  EXPECT_TRUE(state.AddHPKPHeader(domain, header, ssl_info));
+  EXPECT_TRUE(domain_state.ShouldUpgradeToSSL());

[Ryan Sleevi, 2014/03/07 01:39:19]

// HSTS should still be configured for this domain.

[palmer, 2014/03/14 21:33:39]

Done.

+  EXPECT_TRUE(state.GetDomainState(domain, true, &domain_state));
+  EXPECT_TRUE(domain_state.CheckPublicKeyPins(saved_hashes));

[Ryan Sleevi, 2014/03/07 01:39:19]

What are you testing here? Add a comment.

1) Should you be testing that good_pin is valid?
2) Should you be testing that backup_pin is valid?
3) Should you be testing that a non-existant pin is not valid?
4) Does saved_hashes contain good_pin/backup_pin, or are they new pins?

It's not clear what this is testing, so let's expand more.

[palmer, 2014/03/14 21:33:39]

It's to check that a good pin is still valid. Added a comment to that effect.

I think other unit tests test the other cases. This test is just to make sure
that clobbering is not going on.

 }
 
 };    // namespace net