Parse HPKP report-uri and persist in TransportSecurityPersister

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 196 matching lines @@
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.example.test"));
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.example.test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("notexample.test"));
 }
 
 // Tests that a more-specific HSTS or HPKP rule overrides a less-specific rule
 // with it, regardless of the includeSubDomains bit. This is a regression test
 // for https://crbug.com/469957.
 TEST_F(TransportSecurityStateTest, SubdomainCarveout) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
 
   state.AddHSTS("example1.test", expiry, true);
   state.AddHSTS("foo.example1.test", expiry, false);
 
-  state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
-  state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes());
+  state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(),
+                report_uri);

[davidben, 2015/07/15 22:21:07]

Does passing kReportUri in here not work? I would have thought that
std::string's const char * ctor would fire. (Ditto elsewhere in the file.)

[estark, 2015/07/16 00:07:01]

Done.

+  state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(),
+                report_uri);
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
 
   // The foo.example1.test rule overrides the example1.test rule, so
   // bar.foo.example1.test has no HSTS state.
   EXPECT_FALSE(state.ShouldUpgradeToSSL("bar.foo.example1.test"));
   EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test"));
 
   EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
 
   // The foo.example2.test rule overrides the example1.test rule, so
   // bar.foo.example2.test has no HPKP state.
   EXPECT_FALSE(state.HasPublicKeyPins("bar.foo.example2.test"));
   EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test"));
 
   // Expire the foo.example*.test rules.
   state.AddHSTS("foo.example1.test", older, false);
-  state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes());
+  state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(),
+                report_uri);
 
   // Now the base example*.test rules apply to bar.foo.example*.test.
   EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test"));
   EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example1.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("bar.foo.example2.test"));
   EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("bar.foo.example2.test"));
 }
 
 TEST_F(TransportSecurityStateTest, FatalSSLErrors) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
 
   state.AddHSTS("example1.test", expiry, false);
-  state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
+  state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(),
+                report_uri);
 
   // The presense of either HSTS or HPKP is enough to make SSL errors fatal.
   EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test"));
   EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.test"));
 }
 
 // Tests that HPKP and HSTS state both expire. Also tests that expired entries
 // are pruned.
 TEST_F(TransportSecurityStateTest, Expiration) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
 
   // Note: this test assumes that inserting an entry with an expiration time in
   // the past works and is pruned on query.
   state.AddHSTS("example1.test", older, false);
   EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext());
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
   // Querying |state| for a domain should flush out expired entries.
   EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
 
-  state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
+  state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(),
+                report_uri);
   EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext());
   EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
   // Querying |state| for a domain should flush out expired entries.
   EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext());
 
   state.AddHSTS("example1.test", older, false);
-  state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
+  state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(),
+                report_uri);
   EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext());
   EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext());
   EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test"));
   // Querying |state| for a domain should flush out expired entries.
   EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
   EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext());
 
   // Test that HSTS can outlive HPKP.
   state.AddHSTS("example1.test", expiry, false);
-  state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes());
+  state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(),
+                report_uri);
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
 
   // Test that HPKP can outlive HSTS.
   state.AddHSTS("example2.test", older, false);
-  state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
+  state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(),
+                report_uri);
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("example2.test"));
 }
 
 TEST_F(TransportSecurityStateTest, InvalidDomains) {
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
 
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example.test"));
   bool include_subdomains = true;
   state.AddHSTS("example.test", expiry, include_subdomains);
   EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.example.test"));
   EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.example.test"));
 }
 
 // Tests that HPKP and HSTS state are queried independently for subdomain
 // matches.
 TEST_F(TransportSecurityStateTest, IndependentSubdomain) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
 
   state.AddHSTS("example1.test", expiry, true);
-  state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes());
+  state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(),
+                report_uri);
 
   state.AddHSTS("example2.test", expiry, false);
-  state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
+  state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(),
+                report_uri);
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
 }
 
 // Tests that HPKP and HSTS state are inserted and overridden independently.
 TEST_F(TransportSecurityStateTest, IndependentInsertion) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
 
   // Place an includeSubdomains HSTS entry below a normal HPKP entry.
   state.AddHSTS("example1.test", expiry, true);
-  state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes());
+  state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(),
+                report_uri);
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
 
   // Drop the includeSubdomains from the HSTS entry.
   state.AddHSTS("example1.test", expiry, false);
 
   EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test"));
 
   // Place an includeSubdomains HPKP entry below a normal HSTS entry.
   state.AddHSTS("foo.example2.test", expiry, false);
-  state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes());
+  state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(),
+                report_uri);
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test"));
 
   // Drop the includeSubdomains from the HSTS entry.
-  state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes());
+  state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(),
+                report_uri);
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test"));
 }
 
 // Tests that GetDynamic[PKP|STS]State returns the correct data and that the
 // states are not mixed together.
 TEST_F(TransportSecurityStateTest, DynamicDomainState) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000);
   const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000);
 
   state.AddHSTS("example.com", expiry1, true);
-  state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes());
+  state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(),
+                report_uri);
 
   TransportSecurityState::STSState sts_state;
   TransportSecurityState::PKPState pkp_state;
   ASSERT_TRUE(state.GetDynamicSTSState("foo.example.com", &sts_state));
   ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
   EXPECT_TRUE(sts_state.ShouldUpgradeToSSL());
   EXPECT_TRUE(pkp_state.HasPublicKeyPins());
   EXPECT_TRUE(sts_state.include_subdomains);
   EXPECT_FALSE(pkp_state.include_subdomains);
   EXPECT_EQ(expiry1, sts_state.expiry);
   EXPECT_EQ(expiry2, pkp_state.expiry);
   EXPECT_EQ("example.com", sts_state.domain);
   EXPECT_EQ("foo.example.com", pkp_state.domain);
 }
 
 // Tests that new pins always override previous pins. This should be true for
 // both pins at the same domain or includeSubdomains pins at a parent domain.
 TEST_F(TransportSecurityStateTest, NewPinsOverride) {
+  static const char kReportUri[] = "http://example.com/test";
+  std::string report_uri(kReportUri);
+
   TransportSecurityState state;
   TransportSecurityState::PKPState pkp_state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   HashValue hash1(HASH_VALUE_SHA1);
   memset(hash1.data(), 0x01, hash1.size());
   HashValue hash2(HASH_VALUE_SHA1);
   memset(hash2.data(), 0x02, hash1.size());
   HashValue hash3(HASH_VALUE_SHA1);
   memset(hash3.data(), 0x03, hash1.size());
 
-  state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1));
+  state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1),
+                report_uri);
 
   ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
   ASSERT_EQ(1u, pkp_state.spki_hashes.size());
   EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1));
 
-  state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2));
+  state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2),
+                report_uri);
 
   ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
   ASSERT_EQ(1u, pkp_state.spki_hashes.size());
   EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2));
 
-  state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3));
+  state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3),
+                report_uri);
 
   ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state));
   ASSERT_EQ(1u, pkp_state.spki_hashes.size());
   EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash3));
 }
 
 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   const base::Time older = current_time - base::TimeDelta::FromSeconds(1000);
 
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
   bool include_subdomains = false;
   state.AddHSTS("example.com", expiry, include_subdomains);
   state.AddHPKP("example.com", expiry, include_subdomains,
-                GetSampleSPKIHashes());
+                GetSampleSPKIHashes(), std::string());
 
   state.DeleteAllDynamicDataSince(expiry);
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
   state.DeleteAllDynamicDataSince(older);
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
   EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
 
   // STS and PKP data in |state| should be empty now.
   EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
   EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext());
 }
 
 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());
   const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
   bool include_subdomains = false;
 
   state.AddHSTS("example1.test", expiry, include_subdomains);
   state.AddHPKP("example1.test", expiry, include_subdomains,
-                GetSampleSPKIHashes());
+                GetSampleSPKIHashes(), std::string());
 
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
   EXPECT_TRUE(state.HasPublicKeyPins("example1.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("example2.test"));
   EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"));
   EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
   EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
 }
 
@@ skipping 596 matching lines @@
   // These hosts used to only be HSTS when SNI was available.
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "gmail.com"));
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "googlegroups.com"));
   EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
       "www.googlegroups.com"));
 }
 
 }  // namespace net