Componentize SecurityStateModel

components/security_state/security_state_model_unittest.cc

Index: components/security_state/security_state_model_unittest.cc
diff --git a/components/security_state/security_state_model_unittest.cc b/components/security_state/security_state_model_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..2b57580ba73b0b89a5b57f27f471203435cd2e88
--- /dev/null
+++ b/components/security_state/security_state_model_unittest.cc
@@ -0,0 +1,177 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/security_state/security_state_model.h"
+
+#include "components/security_state/security_state_model_delegate.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_connection_status_flags.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/test_certificate_data.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+
+namespace security_state {
+
+namespace {
+
+const char kUrl[] = "https://foo.test";
+
+class TestSHA1SecurityStateModelDelegate : public SecurityStateModelDelegate {
+ public:
+  TestSHA1SecurityStateModelDelegate()
+      : url_(kUrl),
+        cert_(net::ImportCertFromFile(net::GetTestCertsDirectory(),
+                                      "sha1_2016.pem")),
+        security_level_(SECURE),
+        cert_status_(net::CERT_STATUS_SHA1_SIGNATURE_PRESENT),
+        ran_mixed_content_(false),
+        displayed_mixed_content_(false) {}
+
+  ~TestSHA1SecurityStateModelDelegate() override {}
+
+  // SecurityStateModelDelegate overrides
+  bool VisibleSecurityStateChanged() override { return true; }
+  bool RetrieveCert(scoped_refptr<net::X509Certificate>* cert) override {
+    *cert = cert_;
+    return true;
+  }
+  SecurityLevel GetInitialSecurityLevel() override { return security_level_; }
+  SecurityLevel GetSecurityLevelForNonSecure(const GURL& url) override {
+    return NONE;
+  }
+  bool UsedKnownMITMCertificate() override { return false; }
+  int GetCertId() override { return 1; }
+  net::CertStatus GetCertStatus() override { return cert_status_; }
+  int GetConnectionStatus() override { return connection_status_; }
+  int GetSecurityBits() override { return 256; }
+  const GURL& GetURL() override { return url_; }
+  bool RanMixedContent() override { return ran_mixed_content_; }
+  bool DisplayedMixedContent() override { return displayed_mixed_content_; }
+  void GetSCTVerifyStatuses(
+      std::vector<net::ct::SCTVerifyStatus>* sct_verify_statuses) override {}
+
+  void AddCertStatus(net::CertStatus cert_status) {
+    cert_status_ |= cert_status;
+  }
+  void set_connection_status(int connection_status) {
+    connection_status_ = connection_status;
+  }
+  void SetCipherSuite(int ciphersuite) {
+    net::SSLConnectionStatusSetCipherSuite(ciphersuite, &connection_status_);
+  }
+  void set_security_level(SecurityLevel level) { security_level_ = level; }
+  void set_ran_mixed_content(bool ran_mixed_content) {
+    ran_mixed_content_ = ran_mixed_content;
+  }
+  void set_displayed_mixed_content(bool displayed_mixed_content) {
+    displayed_mixed_content_ = displayed_mixed_content;
+  }
+
+ private:
+  GURL url_;
+  scoped_refptr<net::X509Certificate> cert_;
+  SecurityLevel security_level_;
+  net::CertStatus cert_status_;
+  int connection_status_;
+  bool ran_mixed_content_;
+  bool displayed_mixed_content_;
+};
+
+// Tests that SHA1-signed certificates expiring in 2016 downgrade the
+// security state of the page.
+TEST(SecurityStateModelTest, SHA1Warning) {
+  TestSHA1SecurityStateModelDelegate delegate;
+  SecurityStateModel model;
+  model.SetDelegate(&delegate);
+  const SecurityInfo& security_info = model.GetSecurityInfo();
+  EXPECT_EQ(DEPRECATED_SHA1_MINOR, security_info.sha1_deprecation_status);
+  EXPECT_EQ(NONE, security_info.security_level);
+}
+
+// Tests that SHA1 warnings don't interfere with the handling of mixed
+// content.
+TEST(SecurityStateModelTest, SHA1WarningMixedContent) {
+  TestSHA1SecurityStateModelDelegate delegate;
+  SecurityStateModel model;
+  model.SetDelegate(&delegate);
+  delegate.set_displayed_mixed_content(true);
+  const SecurityInfo& security_info1 = model.GetSecurityInfo();
+  EXPECT_EQ(DEPRECATED_SHA1_MINOR, security_info1.sha1_deprecation_status);
+  EXPECT_EQ(DISPLAYED_MIXED_CONTENT, security_info1.mixed_content_status);
+  EXPECT_EQ(NONE, security_info1.security_level);
+
+  delegate.set_security_level(SECURITY_ERROR);
+  delegate.set_displayed_mixed_content(false);
+  delegate.set_ran_mixed_content(true);
+  const SecurityInfo& security_info2 = model.GetSecurityInfo();
+  EXPECT_EQ(DEPRECATED_SHA1_MINOR, security_info2.sha1_deprecation_status);
+  EXPECT_EQ(RAN_MIXED_CONTENT, security_info2.mixed_content_status);
+  EXPECT_EQ(SECURITY_ERROR, security_info2.security_level);
+}
+
+// Tests that SHA1 warnings don't interfere with the handling of major
+// cert errors.
+TEST(SecurityStateModelTest, SHA1WarningBrokenHTTPS) {
+  TestSHA1SecurityStateModelDelegate delegate;
+  SecurityStateModel model;
+  model.SetDelegate(&delegate);
+  delegate.set_security_level(SECURITY_ERROR);
+  delegate.AddCertStatus(net::CERT_STATUS_DATE_INVALID);
+  const SecurityInfo& security_info = model.GetSecurityInfo();
+  EXPECT_EQ(DEPRECATED_SHA1_MINOR, security_info.sha1_deprecation_status);
+  EXPECT_EQ(SECURITY_ERROR, security_info.security_level);
+}
+
+// Tests that |security_info.is_secure_protocol_and_ciphersuite| is
+// computed correctly.
+TEST(SecurityStateModelTest, SecureProtocolAndCiphersuite) {
+  TestSHA1SecurityStateModelDelegate delegate;
+  SecurityStateModel model;
+  model.SetDelegate(&delegate);
+  delegate.set_connection_status((net::SSL_CONNECTION_VERSION_TLS1_2
+                                  << net::SSL_CONNECTION_VERSION_SHIFT));
+  // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from
+  // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
+  const uint16 ciphersuite = 0xc02f;
+  delegate.SetCipherSuite(ciphersuite);
+
+  const SecurityInfo& security_info = model.GetSecurityInfo();
+  EXPECT_TRUE(security_info.is_secure_protocol_and_ciphersuite);
+}
+
+TEST(SecurityStateModelTest, NonsecureProtocol) {
+  TestSHA1SecurityStateModelDelegate delegate;
+  SecurityStateModel model;
+  model.SetDelegate(&delegate);
+  delegate.set_connection_status((net::SSL_CONNECTION_VERSION_TLS1_1
+                                  << net::SSL_CONNECTION_VERSION_SHIFT));
+  // TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 from
+  // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
+  const uint16 ciphersuite = 0xc02f;
+  delegate.SetCipherSuite(ciphersuite);
+
+  const SecurityInfo& security_info = model.GetSecurityInfo();
+  EXPECT_FALSE(security_info.is_secure_protocol_and_ciphersuite);
+}
+
+TEST(SecurityStateModelTest, NonsecureCiphersuite) {
+  TestSHA1SecurityStateModelDelegate delegate;
+  SecurityStateModel model;
+  model.SetDelegate(&delegate);
+  delegate.set_connection_status((net::SSL_CONNECTION_VERSION_TLS1_1
+                                  << net::SSL_CONNECTION_VERSION_SHIFT));
+  // TLS_RSA_WITH_AES_128_CCM_8 from
+  // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-4
+  const uint16 ciphersuite = 0xc02f;
+  delegate.SetCipherSuite(ciphersuite);
+
+  const SecurityInfo& security_info = model.GetSecurityInfo();
+  EXPECT_FALSE(security_info.is_secure_protocol_and_ciphersuite);
+}
+
+}  // namespace
+
+}  // namespace security_state