Add Expect CT policy that gets checked on all certs

net/cert/ct_policy_enforcer_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/cert/ct_policy_enforcer.h"
 
 #include <string>
 
 #include "base/memory/scoped_ptr.h"
 #include "base/time/time.h"
@@ skipping 105 matching lines @@
       const base::Time& start,
       const base::Time& end,
       size_t required_scts) {
     scoped_refptr<X509Certificate> cert(
         new X509Certificate("subject", "issuer", start, end));
     ct::CTVerifyResult result;
 
     for (size_t i = 0; i < required_scts - 1; ++i) {
       FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED,
                                  1, std::vector<std::string>(), false, &result);
-      EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-          cert.get(), nullptr, result, BoundNetLog()))
+      EXPECT_FALSE(
+          policy_enforcer_->DoesConformToCertPolicy(cert.get(), result))
           << " for: " << (end - start).InDays() << " and " << required_scts
           << " scts=" << result.verified_scts.size() << " i=" << i;
     }
     FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                                std::vector<std::string>(), false, &result);
-    EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
-        cert.get(), nullptr, result, BoundNetLog()))
+    EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(cert.get(), result))
         << " for: " << (end - start).InDays() << " and " << required_scts
         << " scts=" << result.verified_scts.size();
   }
 
  protected:
   scoped_ptr<CTPolicyEnforcer> policy_enforcer_;
   scoped_refptr<X509Certificate> chain_;
   std::string google_log_id_;
   std::string non_google_log_id_;
 };
 
 TEST_F(CTPolicyEnforcerTest,
        DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllGoogle) {
   ct::CTVerifyResult result;
   FillResultWithRepeatedLogID(google_log_id_, 2, true, &result);
 
-  EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), nullptr, result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
 }
 
 TEST_F(CTPolicyEnforcerTest,
        DoesNotConformToCTEVPolicyNotEnoughDiverseSCTsAllNonGoogle) {
   ct::CTVerifyResult result;
   FillResultWithRepeatedLogID(non_google_log_id_, 2, true, &result);
 
-  EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), nullptr, result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
 }
 
 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyIfSCTBeforeEnforcementDate) {
   ct::CTVerifyResult result;
   FillResultWithRepeatedLogID(non_google_log_id_, 2, false, &result);
 
-  EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
-                                                        result, BoundNetLog()));
+  EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
 }
 
 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) {
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(
       ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result);
 
-  EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
-                                                        result, BoundNetLog()));
+  EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
 }
 
 TEST_F(CTPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) {
   // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
                              &result);
 
-  EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr,
-                                                        result, BoundNetLog()));
+  EXPECT_TRUE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
 }
 
 TEST_F(CTPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) {
   scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist(
       new DummyEVCertsWhitelist(true, false));
   // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs.
   // However, as there are only two logs, two SCTs will be required - supply one
   // to guarantee the test fails.
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
 
-  EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), non_including_whitelist.get(), result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
+      chain_.get(), result, non_including_whitelist.get(), BoundNetLog()));
 
   // ... but should be OK if whitelisted.
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
-  EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), whitelist.get(), result, BoundNetLog()));
+  EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
+      chain_.get(), result, whitelist.get(), BoundNetLog()));
 }
 
 TEST_F(CTPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) {
   scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate(
       "subject", "issuer", base::Time(), base::Time::Now()));
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5,
                              &result);
-  EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-      no_valid_dates_cert.get(), nullptr, result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(
+      no_valid_dates_cert.get(), result));
   // ... but should be OK if whitelisted.
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
-  EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), whitelist.get(), result, BoundNetLog()));
+  EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
+      chain_.get(), result, whitelist.get(), BoundNetLog()));
 }
 
 TEST_F(CTPolicyEnforcerTest,
        ConformsToPolicyExactNumberOfSCTsForValidityPeriod) {
   // Test multiple validity periods
   const struct TestData {
     base::Time validity_start;
     base::Time validity_end;
     size_t scts_required;
-  } kTestData[] = {{// Cert valid for 14 months, needs 2 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}),
-                    2},
-                   {// Cert valid for exactly 15 months, needs 3 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}),
-                    3},
-                   {// Cert valid for over 15 months, needs 3 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}),
-                    3},
-                   {// Cert valid for exactly 27 months, needs 3 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}),
-                    3},
-                   {// Cert valid for over 27 months, needs 4 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}),
-                    4},
-                   {// Cert valid for exactly 39 months, needs 4 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}),
-                    4},
-                   {// Cert valid for over 39 months, needs 5 SCTs.
-                    base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
-                    base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}),
-                    5}};
+  } kTestData[] = {
+      {// Cert valid for 14 months, needs 2 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2016, 6, 0, 6, 11, 25, 0, 0}), 2},
+      {// Cert valid for exactly 15 months, needs 3 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2016, 6, 0, 25, 11, 25, 0, 0}), 3},
+      {// Cert valid for over 15 months, needs 3 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2016, 6, 0, 27, 11, 25, 0, 0}), 3},
+      {// Cert valid for exactly 27 months, needs 3 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2017, 6, 0, 25, 11, 25, 0, 0}), 3},
+      {// Cert valid for over 27 months, needs 4 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2017, 6, 0, 28, 11, 25, 0, 0}), 4},
+      {// Cert valid for exactly 39 months, needs 4 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2018, 6, 0, 25, 11, 25, 0, 0}), 4},
+      {// Cert valid for over 39 months, needs 5 SCTs.
+       base::Time::FromUTCExploded({2015, 3, 0, 25, 11, 25, 0, 0}),
+       base::Time::FromUTCExploded({2018, 6, 0, 27, 11, 25, 0, 0}), 5}};
 
   for (size_t i = 0; i < arraysize(kTestData); ++i) {
     SCOPED_TRACE(i);
     CheckCertificateCompliesWithExactNumberOfEmbeddedSCTs(
         kTestData[i].validity_start, kTestData[i].validity_end,
         kTestData[i].scts_required);
   }
 }
 
 TEST_F(CTPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) {
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(true, true));
 
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
-  EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), whitelist.get(), result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+  EXPECT_TRUE(policy_enforcer_->DoesConformToEVPolicy(
+      chain_.get(), result, whitelist.get(), BoundNetLog()));
 }
 
 TEST_F(CTPolicyEnforcerTest, IgnoresInvalidEVWhitelist) {
   scoped_refptr<ct::EVCertsWhitelist> whitelist(
       new DummyEVCertsWhitelist(false, true));
 
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
-  EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), whitelist.get(), result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(
+      chain_.get(), result, whitelist.get(), BoundNetLog()));
 }
 
 TEST_F(CTPolicyEnforcerTest, IgnoresNullEVWhitelist) {
   ct::CTVerifyResult result;
   FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1,
                              &result);
-  EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(
-      chain_.get(), nullptr, result, BoundNetLog()));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToCertPolicy(chain_.get(), result));
+  EXPECT_FALSE(policy_enforcer_->DoesConformToEVPolicy(chain_.get(), result,
+                                                       nullptr, BoundNetLog()));
 }
 
 }  // namespace
 
 }  // namespace net