net/http/http_security_headers_unittest.cc - Issue 1213783005: Send HPKP violation reports when a pin check fails

Unified Diff: net/http/http_security_headers_unittest.cc

Issue 1213783005: Send HPKP violation reports when a pin check fails (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: rsleevi comments Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: net/http/http_security_headers_unittest.cc

diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc

index 80cc1924bd2c96cdff8fc66c3f0cb23eb98babba..8a37d55b4c4f96554559a18f1b20726025751b96 100644

--- a/net/http/http_security_headers_unittest.cc

+++ b/net/http/http_security_headers_unittest.cc

@@ -670,7 +670,8 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {

std::string failure_log;

const bool is_issued_by_known_root = true;

EXPECT_TRUE(state.CheckPublicKeyPins(

- domain, is_issued_by_known_root, hashes, &failure_log));

+ domain, is_issued_by_known_root, hashes, 0, nullptr, nullptr,

+ TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));

TransportSecurityState::PKPState new_dynamic_pkp_state;

EXPECT_TRUE(state.GetDynamicPKPState(domain, &new_dynamic_pkp_state));

@@ -762,9 +763,10 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) {

new_static_pkp_state2.spki_hashes[2].data()[0] ^= 0x80;

const bool is_issued_by_known_root = true;

- EXPECT_FALSE(state.CheckPublicKeyPins(domain, is_issued_by_known_root,

- new_static_pkp_state2.spki_hashes,

- &failure_log));

+ EXPECT_FALSE(state.CheckPublicKeyPins(

+ domain, is_issued_by_known_root, new_static_pkp_state2.spki_hashes, 0,

+ nullptr, nullptr,

+ TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));

EXPECT_NE(0UL, failure_log.length());

}

@@ -796,10 +798,9 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {

EXPECT_TRUE(state.ShouldUpgradeToSSL(domain));

std::string failure_log;

const bool is_issued_by_known_root = true;

- EXPECT_TRUE(state.CheckPublicKeyPins(domain,

- is_issued_by_known_root,

- saved_hashes,

- &failure_log));

+ EXPECT_TRUE(state.CheckPublicKeyPins(

+ domain, is_issued_by_known_root, saved_hashes, 0, nullptr, nullptr,

+ TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));

// Add an HPKP header, which should only update the dynamic state.

HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);

@@ -819,10 +820,9 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {

EXPECT_TRUE(state.ShouldUpgradeToSSL(domain));

// The dynamic pins, which do not match |saved_hashes|, should take

// precedence over the static pins and cause the check to fail.

- EXPECT_FALSE(state.CheckPublicKeyPins(domain,

- is_issued_by_known_root,

- saved_hashes,

- &failure_log));

+ EXPECT_FALSE(state.CheckPublicKeyPins(

+ domain, is_issued_by_known_root, saved_hashes, 0, nullptr, nullptr,

+ TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));

}

// Tests that seeing an invalid HPKP header leaves the existing one alone.

@@ -846,9 +846,10 @@ TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) {

EXPECT_TRUE(state.HasPublicKeyPins("example.com"));

std::string failure_log;

bool is_issued_by_known_root = true;

- EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,

- ssl_info.public_key_hashes,

- &failure_log));

+ EXPECT_TRUE(state.CheckPublicKeyPins(

+ "example.com", is_issued_by_known_root, ssl_info.public_key_hashes, 0,

+ nullptr, nullptr,

+ TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));

// Now assert an invalid one. This should fail.

EXPECT_FALSE(state.AddHPKPHeader(

@@ -857,9 +858,10 @@ TEST_F(HttpSecurityHeadersTest, IgnoreInvalidHeaders) {

// The old pins must still exist.

EXPECT_TRUE(state.HasPublicKeyPins("example.com"));

- EXPECT_TRUE(state.CheckPublicKeyPins("example.com", is_issued_by_known_root,

- ssl_info.public_key_hashes,

- &failure_log));

+ EXPECT_TRUE(state.CheckPublicKeyPins(

+ "example.com", is_issued_by_known_root, ssl_info.public_key_hashes, 0,

+ nullptr, nullptr,

+ TransportSecurityState::DO_NOT_SEND_PUBLIC_KEY_PIN_REPORT, &failure_log));

}

}; // namespace net

« no previous file with comments | « chrome/browser/profiles/profile_io_data.cc ('k') | net/http/transport_security_state.h » ('j') | net/http/transport_security_state.h » ('J')