Make HSTS headers not clobber preloaded pins.

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 125 matching lines @@
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
 
   EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
   bool include_subdomains = false;
   state.AddHSTS("yahoo.com", expiry, include_subdomains);
 
   state.DeleteAllDynamicDataSince(expiry);
   EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
+  EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS,
+            domain_state.dynamic_sts.upgrade_mode);
   state.DeleteAllDynamicDataSince(older);
-  EXPECT_FALSE(state.GetDomainState("yahoo.com", true, &domain_state));
+  EXPECT_TRUE(state.GetDomainState("yahoo.com", true, &domain_state));
+  EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT,
+            domain_state.dynamic_sts.upgrade_mode);
 }
 
 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   bool include_subdomains = false;
   state.AddHSTS("yahoo.com", expiry, include_subdomains);
 
@@ skipping 10 matching lines @@
   const std::string a_www_paypal = CanonicalizeHost("a.www.paypal.com");
   const std::string abc_paypal = CanonicalizeHost("a.b.c.paypal.com");
   const std::string example = CanonicalizeHost("example.com");
   const std::string aypal = CanonicalizeHost("aypal.com");
 
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
 
   EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
   EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
-  EXPECT_FALSE(domain_state.sts_include_subdomains);
-  EXPECT_FALSE(domain_state.pkp_include_subdomains);
+  EXPECT_FALSE(domain_state.static_sts.include_subdomains);
+  EXPECT_FALSE(domain_state.static_pkp.include_subdomains);
   EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
   EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
   EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
   EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state));
 }
 
 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
 
@@ skipping 31 matching lines @@
 static bool HasPublicKeyPins(const char* hostname) {
   return HasPublicKeyPins(hostname, true);
 }
 
 static bool OnlyPinning(const char *hostname) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
   if (!state.GetDomainState(hostname, true /* SNI ok */, &domain_state))
     return false;
 
-  return (domain_state.static_spki_hashes.size() > 0 ||
-          domain_state.bad_static_spki_hashes.size() > 0 ||
-          domain_state.dynamic_spki_hashes.size() > 0) &&
+  return (domain_state.static_pkp.spki_hashes.size() > 0 ||
+          domain_state.static_pkp.bad_spki_hashes.size() > 0 ||
+          domain_state.dynamic_pkp.spki_hashes.size() > 0) &&
          !domain_state.ShouldUpgradeToSSL();
 }
 
 TEST_F(TransportSecurityStateTest, Preloaded) {
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
 
   // We do more extensive checks for the first domain.
   EXPECT_TRUE(state.GetDomainState("www.paypal.com", true, &domain_state));
-  EXPECT_EQ(domain_state.upgrade_mode,
+  EXPECT_EQ(domain_state.static_sts.upgrade_mode,
             TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
-  EXPECT_FALSE(domain_state.sts_include_subdomains);
-  EXPECT_FALSE(domain_state.pkp_include_subdomains);
+  EXPECT_FALSE(domain_state.static_sts.include_subdomains);
+  EXPECT_FALSE(domain_state.static_pkp.include_subdomains);
 
   EXPECT_TRUE(HasState("paypal.com"));
   EXPECT_FALSE(HasState("www2.paypal.com"));
   EXPECT_FALSE(HasState("www2.paypal.com"));
 
   // Google hosts:
 
   EXPECT_TRUE(ShouldRedirect("chrome.google.com"));
   EXPECT_TRUE(ShouldRedirect("checkout.google.com"));
   EXPECT_TRUE(ShouldRedirect("wallet.google.com"));
@@ skipping 138 matching lines @@
   EXPECT_TRUE(ShouldRedirect("foo.simon.butcher.name"));
 
   EXPECT_TRUE(ShouldRedirect("linx.net"));
   EXPECT_TRUE(ShouldRedirect("foo.linx.net"));
 
   EXPECT_TRUE(ShouldRedirect("dropcam.com"));
   EXPECT_TRUE(ShouldRedirect("www.dropcam.com"));
   EXPECT_FALSE(HasState("foo.dropcam.com"));
 
   EXPECT_TRUE(state.GetDomainState("torproject.org", false, &domain_state));
-  EXPECT_FALSE(domain_state.static_spki_hashes.empty());
+  EXPECT_FALSE(domain_state.static_pkp.spki_hashes.empty());
   EXPECT_TRUE(state.GetDomainState("www.torproject.org", false,
                                    &domain_state));
-  EXPECT_FALSE(domain_state.static_spki_hashes.empty());
+  EXPECT_FALSE(domain_state.static_pkp.spki_hashes.empty());
   EXPECT_TRUE(state.GetDomainState("check.torproject.org", false,
                                    &domain_state));
-  EXPECT_FALSE(domain_state.static_spki_hashes.empty());
+  EXPECT_FALSE(domain_state.static_pkp.spki_hashes.empty());
   EXPECT_TRUE(state.GetDomainState("blog.torproject.org", false,
                                    &domain_state));
-  EXPECT_FALSE(domain_state.static_spki_hashes.empty());
+  EXPECT_FALSE(domain_state.static_pkp.spki_hashes.empty());
   EXPECT_TRUE(ShouldRedirect("ebanking.indovinabank.com.vn"));
   EXPECT_TRUE(ShouldRedirect("foo.ebanking.indovinabank.com.vn"));
 
   EXPECT_TRUE(ShouldRedirect("epoxate.com"));
   EXPECT_FALSE(HasState("foo.epoxate.com"));
 
   EXPECT_TRUE(HasPublicKeyPins("torproject.org"));
   EXPECT_TRUE(HasPublicKeyPins("www.torproject.org"));
   EXPECT_TRUE(HasPublicKeyPins("check.torproject.org"));
   EXPECT_TRUE(HasPublicKeyPins("blog.torproject.org"));
@@ skipping 188 matching lines @@
 
 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
   EXPECT_TRUE(HasPublicKeyPins("google.com"));
   EXPECT_FALSE(ShouldRedirect("google.com"));
   EXPECT_FALSE(ShouldRedirect("www.google.com"));
 
   TransportSecurityState state;
   TransportSecurityState::DomainState domain_state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
-  domain_state.upgrade_expiry = expiry;
+  domain_state.dynamic_sts.expiry = expiry;
   EnableHost(&state, "www.google.com", domain_state);
 
   EXPECT_TRUE(state.GetDomainState("www.google.com", true, &domain_state));
 }
 
 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
       "www.example.com", true));
   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
       "www.paypal.com", true));
@@ skipping 49 matching lines @@
   // Expect to fail for SNI hosts when not searching the SNI list:
   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
       "gmail.com", false));
   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
       "googlegroups.com", false));
   EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
       "www.googlegroups.com", false));
 }
 
 }  // namespace net