Require a CTVerifier and CTPolicyEnforcer for TLS/QUIC sockets

net/url_request/url_request_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <memory>
 #include <utility>
 
 #include "base/memory/ptr_util.h"
 #include "build/build_config.h"
 
@@ skipping 40 matching lines @@
 #include "net/base/load_timing_info.h"
 #include "net/base/load_timing_info_test_util.h"
 #include "net/base/net_errors.h"
 #include "net/base/net_module.h"
 #include "net/base/request_priority.h"
 #include "net/base/test_data_directory.h"
 #include "net/base/upload_bytes_element_reader.h"
 #include "net/base/upload_data_stream.h"
 #include "net/base/upload_file_element_reader.h"
 #include "net/base/url_util.h"
+#include "net/cert/ct_policy_enforcer.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/ct_verifier.h"
 #include "net/cert/ct_verify_result.h"
 #include "net/cert/ev_root_ca_metadata.h"
 #include "net/cert/mock_cert_verifier.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert_net/nss_ocsp.h"
 #include "net/cookies/cookie_monster.h"
 #include "net/cookies/cookie_store_test_helpers.h"
 #include "net/disk_cache/disk_cache.h"
@@ skipping 6408 matching lines @@
   // Use a MockHostResolver (which by default maps all hosts to
   // 127.0.0.1) so that the request can be sent to a site on the Expect
   // CT preload list.
   MockHostResolver host_resolver;
   TestURLRequestContext context(true);
   context.set_host_resolver(&host_resolver);
   context.set_transport_security_state(&transport_security_state);
   context.set_network_delegate(&network_delegate);
   context.set_cert_verifier(&cert_verifier);
   context.set_cert_transparency_verifier(&ct_verifier);
-  context.set_ct_policy_enforcer(&ct_policy_enforcer);
+  context.set_ct_policy_enforcer(std::move(&ct_policy_enforcer));
   context.Init();
 
   // Now send a request to trigger the violation.
   TestDelegate d;
   GURL url = https_test_server.GetURL("/expect-ct-header.html");
   GURL::Replacements replace_host;
   replace_host.SetHostStr(kExpectCTStaticHostname);
   url = url.ReplaceComponents(replace_host);
   std::unique_ptr<URLRequest> violating_request(
       context.CreateRequest(url, DEFAULT_PRIORITY, &d));
@@ skipping 2321 matching lines @@
     base::RunLoop().Run();
 
     EXPECT_EQ(1, d.response_started_count());
   }
 
   // Now create a new HttpCache with a different ssl_session_cache_shard value.
   HttpNetworkSession::Params params;
   params.host_resolver = default_context_.host_resolver();
   params.cert_verifier = default_context_.cert_verifier();
   params.transport_security_state = default_context_.transport_security_state();
+  params.cert_transparency_verifier =
+      default_context_.cert_transparency_verifier();
+  params.ct_policy_enforcer = default_context_.ct_policy_enforcer();
   params.proxy_service = default_context_.proxy_service();
   params.ssl_config_service = default_context_.ssl_config_service();
   params.http_auth_handler_factory =
       default_context_.http_auth_handler_factory();
   params.http_server_properties = default_context_.http_server_properties();
 
   HttpNetworkSession network_session(params);
   std::unique_ptr<HttpCache> cache(new HttpCache(
       &network_session, HttpCache::DefaultBackend::InMemory(0), false));
 
@@ skipping 369 matching lines @@
  public:
   HTTPSOCSPTest()
       : context_(true),
         ev_test_policy_(
             new ScopedTestEVPolicy(EVRootCAMetadata::GetInstance(),
                                    kOCSPTestCertFingerprint,
                                    kOCSPTestCertPolicy)) {
   }
 
   void SetUp() override {
-    SetupContext(&context_);
+    context_.SetCTPolicyEnforcer(
+        base::MakeUnique<AllowAnyCertCTPolicyEnforcer>());
+    SetupContext();
     context_.Init();
 
     scoped_refptr<X509Certificate> root_cert =
         ImportCertFromFile(GetTestCertsDirectory(), "ocsp-test-root.pem");
     CHECK_NE(static_cast<X509Certificate*>(NULL), root_cert.get());
     test_root_.reset(new ScopedTestRoot(root_cert.get()));
 
 #if defined(USE_NSS_CERTS)
     SetURLRequestContextForNSSHttpIO(&context_);
     EnsureNSSHttpIOInit();
@@ skipping 22 matching lines @@
     *out_cert_status = r->ssl_info().cert_status;
   }
 
   ~HTTPSOCSPTest() override {
 #if defined(USE_NSS_CERTS)
     ShutdownNSSHttpIO();
 #endif
   }
 
  protected:
+  class AllowAnyCertCTPolicyEnforcer : public CTPolicyEnforcer {
+   public:
+    AllowAnyCertCTPolicyEnforcer() = default;
+    ~AllowAnyCertCTPolicyEnforcer() override = default;
+
+    ct::CertPolicyCompliance DoesConformToCertPolicy(
+        X509Certificate* cert,
+        const SCTList& verified_scts,
+        const BoundNetLog& net_log) override {
+      return ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
+    }
+
+    ct::EVPolicyCompliance DoesConformToCTEVPolicy(
+        X509Certificate* cert,
+        const ct::EVCertsWhitelist* ev_whitelist,
+        const SCTList& verified_scts,
+        const BoundNetLog& net_log) override {
+      return ct::EVPolicyCompliance::EV_POLICY_COMPLIES_VIA_SCTS;
+    }
+  };
   // SetupContext configures the URLRequestContext that will be used for making
   // connetions to testserver. This can be overridden in test subclasses for
   // different behaviour.
-  virtual void SetupContext(URLRequestContext* context) {
-    context->set_ssl_config_service(new TestSSLConfigService(
+  virtual void SetupContext() {
+    context_.set_ssl_config_service(new TestSSLConfigService(
         true /* check for EV */, true /* online revocation checking */,
         false /* require rev. checking for local
                                           anchors */,
         false /* token binding enabled */));
   }
 
   std::unique_ptr<ScopedTestRoot> test_root_;
   TestURLRequestContext context_;
   std::unique_ptr<ScopedTestEVPolicy> ev_test_policy_;
 };
@@ skipping 166 matching lines @@
   CertStatus cert_status;
   DoConnection(ssl_options, &cert_status);
 
   EXPECT_EQ(CERT_STATUS_REVOKED, cert_status & CERT_STATUS_ALL_ERRORS);
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 class HTTPSHardFailTest : public HTTPSOCSPTest {
  protected:
-  void SetupContext(URLRequestContext* context) override {
-    context->set_ssl_config_service(new TestSSLConfigService(
+  void SetupContext() override {
+    context_.set_ssl_config_service(new TestSSLConfigService(
         false /* check for EV */, false /* online revocation checking */,
         true /* require rev. checking for local
                                          anchors */,
         false /* token binding enabled */));
   }
 };
 
 TEST_F(HTTPSHardFailTest, FailsOnOCSPInvalid) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
@@ skipping 15 matching lines @@
 
   EXPECT_EQ(CERT_STATUS_REVOKED,
             cert_status & CERT_STATUS_REVOKED);
 
   // Without a positive OCSP response, we shouldn't show the EV status.
   EXPECT_TRUE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 class HTTPSEVCRLSetTest : public HTTPSOCSPTest {
  protected:
-  void SetupContext(URLRequestContext* context) override {
-    context->set_ssl_config_service(new TestSSLConfigService(
+  void SetupContext() override {
+    context_.set_ssl_config_service(new TestSSLConfigService(
         true /* check for EV */, false /* online revocation checking */,
         false /* require rev. checking for local
                                           anchors */,
         false /* token binding enabled */));
   }
 };
 
 TEST_F(HTTPSEVCRLSetTest, MissingCRLSetAndInvalidOCSP) {
   if (!SystemSupportsOCSP()) {
     LOG(WARNING) << "Skipping test because system doesn't support OCSP";
@@ skipping 163 matching lines @@
   DoConnection(ssl_options, &cert_status);
 
   EXPECT_EQ(0u, cert_status & CERT_STATUS_ALL_ERRORS);
 
   EXPECT_FALSE(cert_status & CERT_STATUS_IS_EV);
   EXPECT_FALSE(cert_status & CERT_STATUS_REV_CHECKING_ENABLED);
 }
 
 class HTTPSCRLSetTest : public HTTPSOCSPTest {
  protected:
-  void SetupContext(URLRequestContext* context) override {
-    context->set_ssl_config_service(new TestSSLConfigService(
+  void SetupContext() override {
+    context_.set_ssl_config_service(new TestSSLConfigService(
         false /* check for EV */, false /* online revocation checking */,
         false /* require rev. checking for local
                                           anchors */,
         false /* token binding enabled */));
   }
 };
 
 TEST_F(HTTPSCRLSetTest, ExpiredCRLSet) {
   SpawnedTestServer::SSLOptions ssl_options(
       SpawnedTestServer::SSLOptions::CERT_AUTO);
@@ skipping 411 matching lines @@
   AddTestInterceptor()->set_main_intercept_job(std::move(job));
 
   req->Start();
   req->Cancel();
   base::RunLoop().RunUntilIdle();
   EXPECT_EQ(URLRequestStatus::CANCELED, req->status().status());
   EXPECT_EQ(0, d.received_redirect_count());
 }
 
 }  // namespace net