Chromium Code Reviews Chromium Code Reviews
Issue 1211363005:
Parse HPKP report-uri and persist in TransportSecurityPersister (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master| Index: net/http/transport_security_state_unittest.cc |
| diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc |
| index 3b9bf7b96a841695cf640b3a0fa71fe91c60a68a..942607b733e8b54b5b1e9d8ede87dcc5a691171c 100644 |
| --- a/net/http/transport_security_state_unittest.cc |
| +++ b/net/http/transport_security_state_unittest.cc |
| @@ -214,6 +214,9 @@ TEST_F(TransportSecurityStateTest, SubdomainMatches) { |
| // with it, regardless of the includeSubDomains bit. This is a regression test |
| // for https://crbug.com/469957. |
| TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| const base::Time current_time(base::Time::Now()); |
| const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| @@ -222,8 +225,10 @@ TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| state.AddHSTS("example1.test", expiry, true); |
| state.AddHSTS("foo.example1.test", expiry, false); |
| - state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
| - state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| + report_uri); |
|
davidben
2015/07/15 22:21:07
Does passing kReportUri in here not work? I would
estark
2015/07/16 00:07:01
Done.
|
| + state.AddHPKP("foo.example2.test", expiry, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| @@ -243,7 +248,8 @@ TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| // Expire the foo.example*.test rules. |
| state.AddHSTS("foo.example1.test", older, false); |
| - state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("foo.example2.test", older, false, GetSampleSPKIHashes(), |
| + report_uri); |
| // Now the base example*.test rules apply to bar.foo.example*.test. |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("bar.foo.example1.test")); |
| @@ -253,12 +259,16 @@ TEST_F(TransportSecurityStateTest, SubdomainCarveout) { |
| } |
| TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| const base::Time current_time(base::Time::Now()); |
| const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| state.AddHSTS("example1.test", expiry, false); |
| - state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| + report_uri); |
| // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
| EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| @@ -268,6 +278,9 @@ TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
| // are pruned. |
| TEST_F(TransportSecurityStateTest, Expiration) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| const base::Time current_time(base::Time::Now()); |
| const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| @@ -281,14 +294,16 @@ TEST_F(TransportSecurityStateTest, Expiration) { |
| // Querying |state| for a domain should flush out expired entries. |
| EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| - state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| // Querying |state| for a domain should flush out expired entries. |
| EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| state.AddHSTS("example1.test", older, false); |
| - state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(TransportSecurityState::STSStateIterator(state).HasNext()); |
| EXPECT_TRUE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
| EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.test")); |
| @@ -298,13 +313,15 @@ TEST_F(TransportSecurityStateTest, Expiration) { |
| // Test that HSTS can outlive HPKP. |
| state.AddHSTS("example1.test", expiry, false); |
| - state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example1.test", older, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
| // Test that HPKP can outlive HSTS. |
| state.AddHSTS("example2.test", older, false); |
| - state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
| EXPECT_TRUE(state.HasPublicKeyPins("example2.test")); |
| } |
| @@ -324,15 +341,20 @@ TEST_F(TransportSecurityStateTest, InvalidDomains) { |
| // Tests that HPKP and HSTS state are queried independently for subdomain |
| // matches. |
| TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| const base::Time current_time(base::Time::Now()); |
| const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| state.AddHSTS("example1.test", expiry, true); |
| - state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example1.test", expiry, false, GetSampleSPKIHashes(), |
| + report_uri); |
| state.AddHSTS("example2.test", expiry, false); |
| - state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
| + state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.test")); |
| @@ -342,13 +364,17 @@ TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| // Tests that HPKP and HSTS state are inserted and overridden independently. |
| TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| const base::Time current_time(base::Time::Now()); |
| const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
| state.AddHSTS("example1.test", expiry, true); |
| - state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("foo.example1.test", expiry, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.test")); |
| EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.test")); |
| @@ -363,13 +389,15 @@ TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
| state.AddHSTS("foo.example2.test", expiry, false); |
| - state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes()); |
| + state.AddHPKP("example2.test", expiry, true, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.test")); |
| // Drop the includeSubdomains from the HSTS entry. |
| - state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("example2.test", expiry, false, GetSampleSPKIHashes(), |
| + report_uri); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.test")); |
| EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.test")); |
| @@ -378,13 +406,17 @@ TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| // Tests that GetDynamic[PKP|STS]State returns the correct data and that the |
| // states are not mixed together. |
| TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| const base::Time current_time(base::Time::Now()); |
| const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
| const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
| state.AddHSTS("example.com", expiry1, true); |
| - state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); |
| + state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes(), |
| + report_uri); |
| TransportSecurityState::STSState sts_state; |
| TransportSecurityState::PKPState pkp_state; |
| @@ -403,6 +435,9 @@ TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| // Tests that new pins always override previous pins. This should be true for |
| // both pins at the same domain or includeSubdomains pins at a parent domain. |
| TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| + static const char kReportUri[] = "http://example.com/test"; |
| + std::string report_uri(kReportUri); |
| + |
| TransportSecurityState state; |
| TransportSecurityState::PKPState pkp_state; |
| const base::Time current_time(base::Time::Now()); |
| @@ -414,19 +449,22 @@ TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| HashValue hash3(HASH_VALUE_SHA1); |
| memset(hash3.data(), 0x03, hash1.size()); |
| - state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); |
| + state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1), |
| + report_uri); |
| ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash1)); |
| - state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); |
| + state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2), |
| + report_uri); |
| ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| EXPECT_TRUE(pkp_state.spki_hashes[0].Equals(hash2)); |
| - state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); |
| + state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3), |
| + report_uri); |
| ASSERT_TRUE(state.GetDynamicPKPState("foo.example.com", &pkp_state)); |
| ASSERT_EQ(1u, pkp_state.spki_hashes.size()); |
| @@ -444,7 +482,7 @@ TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| bool include_subdomains = false; |
| state.AddHSTS("example.com", expiry, include_subdomains); |
| state.AddHPKP("example.com", expiry, include_subdomains, |
| - GetSampleSPKIHashes()); |
| + GetSampleSPKIHashes(), std::string()); |
| state.DeleteAllDynamicDataSince(expiry); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
| @@ -466,7 +504,7 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
| state.AddHSTS("example1.test", expiry, include_subdomains); |
| state.AddHPKP("example1.test", expiry, include_subdomains, |
| - GetSampleSPKIHashes()); |
| + GetSampleSPKIHashes(), std::string()); |
| EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
| EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
