Index: net/http/transport_security_state_unittest.cc |
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc |
index 31c4062892d488d25378759b777b9d788f8f9833..eb4f966d7c67ad0fa96f083cfcc3c7a2fe46b8e0 100644 |
--- a/net/http/transport_security_state_unittest.cc |
+++ b/net/http/transport_security_state_unittest.cc |
@@ -57,6 +57,11 @@ class MockCertificateReportSender |
latest_report_ = report; |
} |
+ void Clear() { |
+ latest_report_uri_ = GURL(); |
+ latest_report_ = std::string(); |
+ } |
+ |
const GURL& latest_report_uri() { return latest_report_uri_; } |
const std::string& latest_report() { return latest_report_; } |
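Review bot: `Clear()` has no comment explaining why a test would call it, and the reason is not obvious from the mock alone. From the visible assignment `latest_report_ = report;`, the mock appears to keep only the most recent report, so a later `EXPECT_EQ(report_uri, ...)` can be satisfied by a report left over from an earlier step unless the state is reset first. I would add `// Resets the recorded report so that later expectations cannot be satisfied by a report from an earlier step.` above the method. The class body starts and ends outside this hunk.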
@@ -1276,7 +1281,7 @@ TEST_F(TransportSecurityStateTest, HPKPReporting) { |
ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, true, |
kHost, cert1.get(), cert2.get(), |
good_hashes)); |
- |
+ mock_report_sender.Clear(); |
EXPECT_FALSE(state.CheckPublicKeyPins( |
subdomain_host_port_pair, true, bad_hashes, cert1.get(), cert2.get(), |
TransportSecurityState::ENABLE_PIN_REPORTS, &failure_log)); |
@@ -1289,6 +1294,62 @@ TEST_F(TransportSecurityStateTest, HPKPReporting) { |
ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, subdomain_host_port_pair, |
expiry, true, kHost, cert1.get(), |
cert2.get(), good_hashes)); |
+ |
+ // Check that a report is not sent for a Report-Only header with no |
+ // violation. |
Ryan Sleevi
2015/07/30 01:52:17
Seems like this could / should just be a new test?
estark
2015/07/31 00:49:44
Done.
|
+ mock_report_sender.Clear(); |
+ const std::string pin1 = "m9lHYJYke9k0GtVZ+bXSQYE8nDI="; |
+ const std::string pin2 = "o5OZxATDsgmwgcIfIWIneMJ0jkw="; |
+ const std::string pin3 = "wHqYaI2J+6sFZAwRfap9ZbjKzE4="; |
+ std::string header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + |
+ "\";pin-sha1=\"" + pin3 + "\";report-uri=\"" + |
+ report_uri.spec() + "\""; |
+ SSLInfo ssl_info; |
+ ssl_info.is_issued_by_known_root = true; |
+ ssl_info.unverified_cert = cert1; |
+ ssl_info.cert = cert2; |
+ for (size_t i = 0; kGoodPath[i]; i++) |
+ EXPECT_TRUE(AddHash(kGoodPath[i], &ssl_info.public_key_hashes)); |
+ |
+ EXPECT_TRUE( |
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); |
+ EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); |
+ EXPECT_EQ(std::string(), mock_report_sender.latest_report()); |
+ |
+ // Check that a report is sent for a Report-Only header with a |
+ // violation. |
+ ssl_info.public_key_hashes.clear(); |
+ for (size_t i = 0; kBadPath[i]; i++) |
+ EXPECT_TRUE(AddHash(kBadPath[i], &ssl_info.public_key_hashes)); |
+ |
+ EXPECT_TRUE( |
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); |
+ EXPECT_EQ(report_uri, mock_report_sender.latest_report_uri()); |
+ report = mock_report_sender.latest_report(); |
+ ASSERT_FALSE(report.empty()); |
+ ASSERT_NO_FATAL_FAILURE(CheckHPKPReport(report, host_port_pair, expiry, false, |
+ kHost, cert1.get(), cert2.get(), |
+ good_hashes)); |
+ |
+ // Test that Report-Only reports are not sent on certs that chain to |
+ // local roots. |
Ryan Sleevi
2015/07/30 01:52:17
Ditto here as perhaps a unique test.
estark
2015/07/31 00:49:44
Done.
|
+ mock_report_sender.Clear(); |
+ ssl_info.is_issued_by_known_root = false; |
+ EXPECT_TRUE( |
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); |
+ EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri()); |
+ EXPECT_EQ(std::string(), mock_report_sender.latest_report()); |
+ |
+ // Test that ProcessHPKPReportOnlyHeader() returns false if a |
+ // report-uri wasn't specified or if the header fails to parse; |
Ryan Sleevi
2015/07/30 01:52:16
Ditto for unique test :)
estark
2015/07/31 00:49:44
Done.
|
+ header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" + |
+ pin3 + "\""; |
+ EXPECT_FALSE( |
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); |
+ header = "pin-sha1=\"" + pin1 + "\";pin-sha1=\"" + pin2 + "\";pin-sha1=\"" + |
+ pin3 + "\";report-uri=\""; |
+ EXPECT_FALSE( |
+ state.ProcessHPKPReportOnlyHeader(host_port_pair, header, ssl_info)); |
} |
} // namespace net |
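Review bot: The local-root case at `ssl_info.is_issued_by_known_root = false;` is only meaningful because `ssl_info.public_key_hashes` still holds the `kBadPath` hashes added in the violation case above. With the good hashes, the two empty-value expectations would pass whether or not the known-root check exists. I would make that dependency explicit with a comment such as `// ssl_info still carries the kBadPath hashes, so only the local-root check suppresses this report.` The two `EXPECT_FALSE` cases at the end (missing and unterminated `report-uri`) run with the same state but check only the return value; adding `EXPECT_EQ(GURL(), mock_report_sender.latest_report_uri());` after each would confirm that a rejected header sends nothing. The test body starts outside this hunk.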