Introduce the ability to require CT for specific hosts

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 15 matching lines @@
 #include "net/cert/cert_verifier.h"
 #include "net/cert/cert_verify_result.h"
 #include "net/cert/ct_policy_status.h"
 #include "net/cert/test_root_certs.h"
 #include "net/cert/x509_cert_types.h"
 #include "net/cert/x509_certificate.h"
 #include "net/http/http_util.h"
 #include "net/log/net_log.h"
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
 const char kHost[] = "example.test";
 const char kSubdomain[] = "foo.example.test";
 const uint16_t kPort = 443;
 const char kReportUri[] = "http://report-example.test/test";
@@ skipping 107 matching lines @@
   const SSLInfo& ssl_info() { return ssl_info_; }
   uint32_t num_failures() { return num_failures_; }
 
  private:
   HostPortPair host_port_pair_;
   GURL report_uri_;
   SSLInfo ssl_info_;
   uint32_t num_failures_;
 };
 
+class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
+ public:
+  MOCK_METHOD1(IsCTRequiredForHost,
+               CTRequirementLevel(const std::string& hostname));
+};
+
 void CompareCertificateChainWithList(
     const scoped_refptr<X509Certificate>& cert_chain,
     const base::ListValue* cert_list) {
   ASSERT_TRUE(cert_chain);
   std::vector<std::string> pem_encoded_chain;
   cert_chain->GetPEMEncodedChain(&pem_encoded_chain);
   EXPECT_EQ(pem_encoded_chain.size(), cert_list->GetSize());
 
   for (size_t i = 0; i < pem_encoded_chain.size(); i++) {
     std::string list_cert;
@@ skipping 1689 matching lines @@
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available);
   EXPECT_EQ(ssl_info.ct_cert_policy_compliance,
             reporter.ssl_info().ct_cert_policy_compliance);
   EXPECT_EQ(host_port.host(), reporter.host_port_pair().host());
   EXPECT_EQ(host_port.port(), reporter.host_port_pair().port());
   EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
 }
 
+// Tests that TransportSecurityState always consults the RequireCTDelegate,
+// if supplied.
+TEST_F(TransportSecurityStateTest, RequireCTConsultsDelegate) {
+  using ::testing::_;
+  using ::testing::Return;
+  using CTRequirementLevel =
+      TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
+
+  // Dummy cert to use as the validate chain. The contents do not matter.
+  scoped_refptr<X509Certificate> cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
+  ASSERT_TRUE(cert);
+
+  HashValueVector hashes;
+  hashes.push_back(HashValue(
+      X509Certificate::CalculateFingerprint256(cert->os_cert_handle())));
+
+  {
+    TransportSecurityState state;
+    bool original_status =
+        state.ShouldRequireCT("www.example.com", cert.get(), hashes);
+
+    MockRequireCTDelegate always_require_delegate;
+    EXPECT_CALL(always_require_delegate, IsCTRequiredForHost(_))
+        .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
+    state.SetRequireCTDelegate(&always_require_delegate);
+    EXPECT_EQ(true,
+              state.ShouldRequireCT("www.example.com", cert.get(), hashes));
+
+    state.SetRequireCTDelegate(nullptr);
+    EXPECT_EQ(original_status,
+              state.ShouldRequireCT("www.example.com", cert.get(), hashes));
+  }
+
+  {
+    TransportSecurityState state;
+    bool original_status =
+        state.ShouldRequireCT("www.example.com", cert.get(), hashes);
+
+    MockRequireCTDelegate never_require_delegate;
+    EXPECT_CALL(never_require_delegate, IsCTRequiredForHost(_))
+        .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));
+    state.SetRequireCTDelegate(&never_require_delegate);
+    EXPECT_EQ(false,
+              state.ShouldRequireCT("www.example.com", cert.get(), hashes));
+
+    state.SetRequireCTDelegate(nullptr);
+    EXPECT_EQ(original_status,
+              state.ShouldRequireCT("www.example.com", cert.get(), hashes));
+  }
+
+  {
+    TransportSecurityState state;
+    bool original_status =
+        state.ShouldRequireCT("www.example.com", cert.get(), hashes);
+
+    MockRequireCTDelegate default_require_ct_delegate;
+    EXPECT_CALL(default_require_ct_delegate, IsCTRequiredForHost(_))
+        .WillRepeatedly(Return(CTRequirementLevel::DEFAULT));
+    state.SetRequireCTDelegate(&default_require_ct_delegate);
+    EXPECT_EQ(original_status,
+              state.ShouldRequireCT("www.example.com", cert.get(), hashes));
+
+    state.SetRequireCTDelegate(nullptr);
+    EXPECT_EQ(original_status,
+              state.ShouldRequireCT("www.example.com", cert.get(), hashes));
+  }
+}
+
 }  // namespace net