Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(619)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: net/http/http_security_headers_unittest.cc

Issue 11274032: Separate http_security_headers from transport_security_state (Closed) Base URL: https://src.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « net/http/http_security_headers.cc ('k') | net/net.gyp » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/base64.h"
6 #include "base/sha1.h"
7 #include "base/string_piece.h"
8 #include "crypto/sha2.h"
9 #include "net/base/net_log.h"
10 #include "net/base/test_completion_callback.h"
11 #include "net/http/http_security_headers.h"
12 #include "net/http/http_util.h"
13 #include "testing/gtest/include/gtest/gtest.h"
14
15 namespace net {
16
17 namespace {
18
19 HashValue GetTestHashValue(uint8 label, HashValueTag tag) {
20 HashValue hash_value(tag);
21 memset(hash_value.data(), label, hash_value.size());
22 return hash_value;
23 }
24
25 std::string GetTestPin(uint8 label, HashValueTag tag) {
26 HashValue hash_value = GetTestHashValue(label, tag);
27 std::string base64;
28 base::Base64Encode(base::StringPiece(
29 reinterpret_cast<char*>(hash_value.data()), hash_value.size()), &base64);
30
31 switch (hash_value.tag) {
32 case HASH_VALUE_SHA1:
33 return std::string("pin-sha1=\"") + base64 + "\"";
34 case HASH_VALUE_SHA256:
35 return std::string("pin-sha256=\"") + base64 + "\"";
36 default:
37 NOTREACHED() << "Unknown HashValueTag " << hash_value.tag;
38 return std::string("ERROR");
39 }
40 }
41
42 };
43
44
45 class HttpSecurityHeadersTest : public testing::Test {
46 };
47
48
49 TEST_F(HttpSecurityHeadersTest, BogusHeaders) {
50 base::Time now = base::Time::Now();
51 base::Time expiry = now;
52 bool include_subdomains = false;
53
54 EXPECT_FALSE(ParseHSTSHeader(now, "", &expiry, &include_subdomains));
55 EXPECT_FALSE(ParseHSTSHeader(now, " ", &expiry, &include_subdomains));
56 EXPECT_FALSE(ParseHSTSHeader(now, "abc", &expiry, &include_subdomains));
57 EXPECT_FALSE(ParseHSTSHeader(now, " abc", &expiry, &include_subdomains));
58 EXPECT_FALSE(ParseHSTSHeader(now, " abc ", &expiry, &include_subdomains));
59 EXPECT_FALSE(ParseHSTSHeader(now, "max-age", &expiry, &include_subdomains));
60 EXPECT_FALSE(ParseHSTSHeader(now, " max-age", &expiry,
61 &include_subdomains));
62 EXPECT_FALSE(ParseHSTSHeader(now, " max-age ", &expiry,
63 &include_subdomains));
64 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=", &expiry, &include_subdomains));
65 EXPECT_FALSE(ParseHSTSHeader(now, " max-age=", &expiry,
66 &include_subdomains));
67 EXPECT_FALSE(ParseHSTSHeader(now, " max-age =", &expiry,
68 &include_subdomains));
69 EXPECT_FALSE(ParseHSTSHeader(now, " max-age= ", &expiry,
70 &include_subdomains));
71 EXPECT_FALSE(ParseHSTSHeader(now, " max-age = ", &expiry,
72 &include_subdomains));
73 EXPECT_FALSE(ParseHSTSHeader(now, " max-age = xy", &expiry,
74 &include_subdomains));
75 EXPECT_FALSE(ParseHSTSHeader(now, " max-age = 3488a923", &expiry,
76 &include_subdomains));
77 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488a923 ", &expiry,
78 &include_subdomains));
79 EXPECT_FALSE(ParseHSTSHeader(now, "max-ag=3488923", &expiry,
80 &include_subdomains));
81 EXPECT_FALSE(ParseHSTSHeader(now, "max-aged=3488923", &expiry,
82 &include_subdomains));
83 EXPECT_FALSE(ParseHSTSHeader(now, "max-age==3488923", &expiry,
84 &include_subdomains));
85 EXPECT_FALSE(ParseHSTSHeader(now, "amax-age=3488923", &expiry,
86 &include_subdomains));
87 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=-3488923", &expiry,
88 &include_subdomains));
89 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923;", &expiry,
90 &include_subdomains));
91 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 e", &expiry,
92 &include_subdomains));
93 EXPECT_FALSE(ParseHSTSHeader(now,
94 "max-age=3488923 includesubdomain",
95 &expiry, &include_subdomains));
96 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923includesubdomains",
97 &expiry, &include_subdomains));
98 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923=includesubdomains",
99 &expiry, &include_subdomains));
100 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomainx",
101 &expiry, &include_subdomains));
102 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomain=",
103 &expiry, &include_subdomains));
104 EXPECT_FALSE(ParseHSTSHeader(now,
105 "max-age=3488923 includesubdomain=true",
106 &expiry, &include_subdomains));
107 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=3488923 includesubdomainsx",
108 &expiry, &include_subdomains));
109 EXPECT_FALSE(ParseHSTSHeader(now,
110 "max-age=3488923 includesubdomains x",
111 &expiry, &include_subdomains));
112 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=34889.23 includesubdomains",
113 &expiry, &include_subdomains));
114 EXPECT_FALSE(ParseHSTSHeader(now, "max-age=34889 includesubdomains",
115 &expiry, &include_subdomains));
116
117 // Check the out args were not updated by checking the default
118 // values for its predictable fields.
119 EXPECT_EQ(now, expiry);
120 EXPECT_FALSE(include_subdomains);
121 }
122
123 static void TestBogusPinsHeaders(HashValueTag tag) {
124 base::Time now = base::Time::Now();
125 base::Time expiry = now;
126 HashValueVector hashes;
127 HashValueVector chain_hashes;
128
129 // Set some fake "chain" hashes
130 chain_hashes.push_back(GetTestHashValue(1, tag));
131 chain_hashes.push_back(GetTestHashValue(2, tag));
132 chain_hashes.push_back(GetTestHashValue(3, tag));
133
134 // The good pin must be in the chain, the backup pin must not be
135 std::string good_pin = GetTestPin(2, tag);
136 std::string backup_pin = GetTestPin(4, tag);
137
138 EXPECT_FALSE(ParseHPKPHeader(now, "", chain_hashes, &expiry, &hashes));
139 EXPECT_FALSE(ParseHPKPHeader(now, " ", chain_hashes, &expiry, &hashes));
140 EXPECT_FALSE(ParseHPKPHeader(now, "abc", chain_hashes, &expiry, &hashes));
141 EXPECT_FALSE(ParseHPKPHeader(now, " abc", chain_hashes, &expiry, &hashes));
142 EXPECT_FALSE(ParseHPKPHeader(now, " abc ", chain_hashes, &expiry, &hashes)) ;
143 EXPECT_FALSE(ParseHPKPHeader(now, "max-age", chain_hashes, &expiry, &hashes));
144 EXPECT_FALSE(ParseHPKPHeader(now, " max-age", chain_hashes, &expiry, &hashes) );
145 EXPECT_FALSE(ParseHPKPHeader(now, " max-age ", chain_hashes, &expiry,
146 &hashes));
147 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=", chain_hashes, &expiry, &hashes)) ;
148 EXPECT_FALSE(ParseHPKPHeader(now, " max-age=", chain_hashes, &expiry,
149 &hashes));
150 EXPECT_FALSE(ParseHPKPHeader(now, " max-age =", chain_hashes, &expiry,
151 &hashes));
152 EXPECT_FALSE(ParseHPKPHeader(now, " max-age= ", chain_hashes, &expiry,
153 &hashes));
154 EXPECT_FALSE(ParseHPKPHeader(now, " max-age = ", chain_hashes, &expiry,
155 &hashes));
156 EXPECT_FALSE(ParseHPKPHeader(now, " max-age = xy", chain_hashes,
157 &expiry, &hashes));
158 EXPECT_FALSE(ParseHPKPHeader(now,
159 " max-age = 3488a923",
160 chain_hashes, &expiry, &hashes));
161 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488a923 ", chain_hashes, &expiry,
162 &hashes));
163 EXPECT_FALSE(ParseHPKPHeader(now,
164 "max-ag=3488923pins=" + good_pin + "," +
165 backup_pin,
166 chain_hashes, &expiry, &hashes));
167 EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923" + backup_pin,
168 chain_hashes, &expiry, &hashes));
169 EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923; " + backup_pin,
170 chain_hashes, &expiry, &hashes));
171 EXPECT_FALSE(ParseHPKPHeader(now,
172 "max-aged=3488923; " + backup_pin + ";" +
173 backup_pin,
174 chain_hashes, &expiry, &hashes));
175 EXPECT_FALSE(ParseHPKPHeader(now,
176 "max-aged=3488923; " + good_pin + ";" +
177 good_pin,
178 chain_hashes, &expiry, &hashes));
179 EXPECT_FALSE(ParseHPKPHeader(now, "max-aged=3488923; " + good_pin,
180 chain_hashes, &expiry, &hashes));
181 EXPECT_FALSE(ParseHPKPHeader(now, "max-age==3488923", chain_hashes, &expiry,
182 &hashes));
183 EXPECT_FALSE(ParseHPKPHeader(now, "amax-age=3488923", chain_hashes, &expiry,
184 &hashes));
185 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=-3488923", chain_hashes, &expiry,
186 &hashes));
187 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488923;", chain_hashes, &expiry,
188 &hashes));
189 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=3488923 e", chain_hashes,
190 &expiry, &hashes));
191 EXPECT_FALSE(ParseHPKPHeader(now,
192 "max-age=3488923 includesubdomain",
193 chain_hashes, &expiry, &hashes));
194 EXPECT_FALSE(ParseHPKPHeader(now, "max-age=34889.23", chain_hashes, &expiry,
195 &hashes));
196
197 // Check the out args were not updated by checking the default
198 // values for its predictable fields.
199 EXPECT_EQ(now, expiry);
200 EXPECT_EQ(hashes.size(), (size_t)0);
201 }
202
203 TEST_F(HttpSecurityHeadersTest, ValidSTSHeaders) {
204 base::Time now = base::Time::Now();
205 base::Time expiry = now;
206 base::Time expect_expiry = now;
207 bool include_subdomains = false;
208
209 EXPECT_TRUE(ParseHSTSHeader(now, "max-age=243", &expiry,
210 &include_subdomains));
211 expect_expiry = now + base::TimeDelta::FromSeconds(243);
212 EXPECT_EQ(expect_expiry, expiry);
213 EXPECT_FALSE(include_subdomains);
214
215 EXPECT_TRUE(ParseHSTSHeader(now, " Max-agE = 567", &expiry,
216 &include_subdomains));
217 expect_expiry = now + base::TimeDelta::FromSeconds(567);
218 EXPECT_EQ(expect_expiry, expiry);
219 EXPECT_FALSE(include_subdomains);
220
221 EXPECT_TRUE(ParseHSTSHeader(now, " mAx-aGe = 890 ", &expiry,
222 &include_subdomains));
223 expect_expiry = now + base::TimeDelta::FromSeconds(890);
224 EXPECT_EQ(expect_expiry, expiry);
225 EXPECT_FALSE(include_subdomains);
226
227 EXPECT_TRUE(ParseHSTSHeader(now, "max-age=123;incLudesUbdOmains", &expiry,
228 &include_subdomains));
229 expect_expiry = now + base::TimeDelta::FromSeconds(123);
230 EXPECT_EQ(expect_expiry, expiry);
231 EXPECT_TRUE(include_subdomains);
232
233 EXPECT_TRUE(ParseHSTSHeader(now, "incLudesUbdOmains; max-age=123", &expiry,
234 &include_subdomains));
235 expect_expiry = now + base::TimeDelta::FromSeconds(123);
236 EXPECT_EQ(expect_expiry, expiry);
237 EXPECT_TRUE(include_subdomains);
238
239 EXPECT_TRUE(ParseHSTSHeader(now, " incLudesUbdOmains; max-age=123",
240 &expiry, &include_subdomains));
241 expect_expiry = now + base::TimeDelta::FromSeconds(123);
242 EXPECT_EQ(expect_expiry, expiry);
243 EXPECT_TRUE(include_subdomains);
244
245 EXPECT_TRUE(ParseHSTSHeader(now,
246 " incLudesUbdOmains; max-age=123; pumpkin=kitten", &expiry,
247 &include_subdomains));
248 expect_expiry = now + base::TimeDelta::FromSeconds(123);
249 EXPECT_EQ(expect_expiry, expiry);
250 EXPECT_TRUE(include_subdomains);
251
252 EXPECT_TRUE(ParseHSTSHeader(now,
253 " pumpkin=894; incLudesUbdOmains; max-age=123 ", &expiry,
254 &include_subdomains));
255 expect_expiry = now + base::TimeDelta::FromSeconds(123);
256 EXPECT_EQ(expect_expiry, expiry);
257 EXPECT_TRUE(include_subdomains);
258
259 EXPECT_TRUE(ParseHSTSHeader(now,
260 " pumpkin; incLudesUbdOmains; max-age=123 ", &expiry,
261 &include_subdomains));
262 expect_expiry = now + base::TimeDelta::FromSeconds(123);
263 EXPECT_EQ(expect_expiry, expiry);
264 EXPECT_TRUE(include_subdomains);
265
266 EXPECT_TRUE(ParseHSTSHeader(now,
267 " pumpkin; incLudesUbdOmains; max-age=\"123\" ", &expiry,
268 &include_subdomains));
269 expect_expiry = now + base::TimeDelta::FromSeconds(123);
270 EXPECT_EQ(expect_expiry, expiry);
271 EXPECT_TRUE(include_subdomains);
272
273 EXPECT_TRUE(ParseHSTSHeader(now,
274 "animal=\"squirrel; distinguished\"; incLudesUbdOmains; max-age=123",
275 &expiry, &include_subdomains));
276 expect_expiry = now + base::TimeDelta::FromSeconds(123);
277 EXPECT_EQ(expect_expiry, expiry);
278 EXPECT_TRUE(include_subdomains);
279
280 EXPECT_TRUE(ParseHSTSHeader(now, "max-age=394082; incLudesUbdOmains",
281 &expiry, &include_subdomains));
282 expect_expiry = now + base::TimeDelta::FromSeconds(394082);
283 EXPECT_EQ(expect_expiry, expiry);
284 EXPECT_TRUE(include_subdomains);
285
286 EXPECT_TRUE(ParseHSTSHeader(
287 now, "max-age=39408299 ;incLudesUbdOmains", &expiry,
288 &include_subdomains));
289 expect_expiry = now + base::TimeDelta::FromSeconds(
290 std::min(kMaxHSTSAgeSecs, (int64)GG_INT64_C(39408299)));
Ryan Sleevi 2013/01/04 19:46:37 NACK: We don't use C-style casts It seems the amb
unsafe 2013/01/04 21:55:18 Done (though I think Ryan meant below instead, as
291 EXPECT_EQ(expect_expiry, expiry);
292 EXPECT_TRUE(include_subdomains);
293
294 EXPECT_TRUE(ParseHSTSHeader(
295 now, "max-age=394082038 ; incLudesUbdOmains", &expiry,
296 &include_subdomains));
297 expect_expiry = now + base::TimeDelta::FromSeconds(
298 std::min(kMaxHSTSAgeSecs, (int64)GG_INT64_C(394082038)));
299 EXPECT_EQ(expect_expiry, expiry);
300 EXPECT_TRUE(include_subdomains);
301
302 EXPECT_TRUE(ParseHSTSHeader(
303 now, " max-age=0 ; incLudesUbdOmains ", &expiry,
304 &include_subdomains));
305 expect_expiry = now + base::TimeDelta::FromSeconds(0);
306 EXPECT_EQ(expect_expiry, expiry);
307 EXPECT_TRUE(include_subdomains);
308
309 EXPECT_TRUE(ParseHSTSHeader(
310 now,
311 " max-age=999999999999999999999999999999999999999999999 ;"
312 " incLudesUbdOmains ", &expiry, &include_subdomains));
313 expect_expiry = now + base::TimeDelta::FromSeconds(
314 kMaxHSTSAgeSecs);
315 EXPECT_EQ(expect_expiry, expiry);
316 EXPECT_TRUE(include_subdomains);
317 }
318
319 static void TestValidPinsHeaders(HashValueTag tag) {
320 base::Time now = base::Time::Now();
321 base::Time expiry = now;
322 base::Time expect_expiry = now;
323 HashValueVector hashes;
324 HashValueVector chain_hashes;
325
326 // Set some fake "chain" hashes into chain_hashes
327 chain_hashes.push_back(GetTestHashValue(1, tag));
328 chain_hashes.push_back(GetTestHashValue(2, tag));
329 chain_hashes.push_back(GetTestHashValue(3, tag));
330
331 // The good pin must be in the chain, the backup pin must not be
332 std::string good_pin = GetTestPin(2, tag);
333 std::string backup_pin = GetTestPin(4, tag);
334
335 EXPECT_TRUE(ParseHPKPHeader(
336 now,
337 "max-age=243; " + good_pin + ";" + backup_pin,
338 chain_hashes, &expiry, &hashes));
339 expect_expiry = now + base::TimeDelta::FromSeconds(243);
340 EXPECT_EQ(expect_expiry, expiry);
341
342 EXPECT_TRUE(ParseHPKPHeader(
343 now,
344 " " + good_pin + "; " + backup_pin + " ; Max-agE = 567",
345 chain_hashes, &expiry, &hashes));
346 expect_expiry = now + base::TimeDelta::FromSeconds(567);
347 EXPECT_EQ(expect_expiry, expiry);
348
349 EXPECT_TRUE(ParseHPKPHeader(
350 now,
351 good_pin + ";" + backup_pin + " ; mAx-aGe = 890 ",
352 chain_hashes, &expiry, &hashes));
353 expect_expiry = now + base::TimeDelta::FromSeconds(890);
354 EXPECT_EQ(expect_expiry, expiry);
355
356 EXPECT_TRUE(ParseHPKPHeader(
357 now,
358 good_pin + ";" + backup_pin + "; max-age=123;IGNORED;",
359 chain_hashes, &expiry, &hashes));
360 expect_expiry = now + base::TimeDelta::FromSeconds(123);
361 EXPECT_EQ(expect_expiry, expiry);
362
363 EXPECT_TRUE(ParseHPKPHeader(
364 now,
365 "max-age=394082;" + backup_pin + ";" + good_pin + "; ",
366 chain_hashes, &expiry, &hashes));
367 expect_expiry = now + base::TimeDelta::FromSeconds(394082);
368 EXPECT_EQ(expect_expiry, expiry);
369
370 EXPECT_TRUE(ParseHPKPHeader(
371 now,
372 "max-age=39408299 ;" + backup_pin + ";" + good_pin + "; ",
373 chain_hashes, &expiry, &hashes));
374 expect_expiry = now + base::TimeDelta::FromSeconds(
375 std::min(kMaxHSTSAgeSecs, (int64)GG_INT64_C(39408299)));
376 EXPECT_EQ(expect_expiry, expiry);
377
378 EXPECT_TRUE(ParseHPKPHeader(
379 now,
380 "max-age=39408038 ; cybers=39408038 ; " +
381 good_pin + ";" + backup_pin + "; ",
382 chain_hashes, &expiry, &hashes));
383 expect_expiry = now + base::TimeDelta::FromSeconds(
384 std::min(kMaxHSTSAgeSecs, (int64)GG_INT64_C(394082038)));
385 EXPECT_EQ(expect_expiry, expiry);
386
387 EXPECT_TRUE(ParseHPKPHeader(
388 now,
389 " max-age=0 ; " + good_pin + ";" + backup_pin,
390 chain_hashes, &expiry, &hashes));
391 expect_expiry = now + base::TimeDelta::FromSeconds(0);
392 EXPECT_EQ(expect_expiry, expiry);
393
394 EXPECT_TRUE(ParseHPKPHeader(
395 now,
396 " max-age=999999999999999999999999999999999999999999999 ; " +
397 backup_pin + ";" + good_pin + "; ",
398 chain_hashes, &expiry, &hashes));
399 expect_expiry = now +
400 base::TimeDelta::FromSeconds(kMaxHSTSAgeSecs);
401 EXPECT_EQ(expect_expiry, expiry);
402 }
403
404 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA1) {
405 TestBogusPinsHeaders(HASH_VALUE_SHA1);
406 }
407
408 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) {
409 TestBogusPinsHeaders(HASH_VALUE_SHA256);
410 }
411
412 TEST_F(HttpSecurityHeadersTest, ValidPinsHeadersSHA1) {
413 TestValidPinsHeaders(HASH_VALUE_SHA1);
414 }
415
416 TEST_F(HttpSecurityHeadersTest, ValidPinsHeadersSHA256) {
417 TestValidPinsHeaders(HASH_VALUE_SHA256);
418 }
419 };
420
OLDNEW
« no previous file with comments | « net/http/http_security_headers.cc ('k') | net/net.gyp » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698