Introduce the ability to require CT for specific hosts

net/spdy/spdy_session_unittest.cc

Index: net/spdy/spdy_session_unittest.cc
diff --git a/net/spdy/spdy_session_unittest.cc b/net/spdy/spdy_session_unittest.cc
index f39d6ce3f8bc903aa7a619a4c6cb7ef6d01bf772..55dc0304564b488cdb3abeefbd474bcb0ff4255a 100644
--- a/net/spdy/spdy_session_unittest.cc
+++ b/net/spdy/spdy_session_unittest.cc
@@ -19,6 +19,7 @@
 #include "net/base/request_priority.h"
 #include "net/base/test_data_stream.h"
 #include "net/base/test_proxy_delegate.h"
+#include "net/cert/ct_policy_status.h"
 #include "net/log/test_net_log.h"
 #include "net/log/test_net_log_entry.h"
 #include "net/log/test_net_log_util.h"
@@ -35,6 +36,7 @@
 #include "net/spdy/spdy_test_utils.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
 #include "testing/platform_test.h"
 
 namespace net {
@@ -78,6 +80,12 @@ base::TimeTicks InstantaneousReads() {
   return g_time_now;
 }
 
+class MockRequireCTDelegate : public TransportSecurityState::RequireCTDelegate {
+ public:
+  MOCK_METHOD1(IsCTRequiredForHost,
+               CTRequirementLevel(const std::string& host));
+};
+
 }  // namespace
 
 class SpdySessionTest : public PlatformTest,
@@ -5736,6 +5744,87 @@ TEST(CanPoolTest, CanNotPoolWithBadPins) {
       &tss, ssl_info, "www.example.org", "mail.example.org"));
 }
 
+TEST(CanPoolTest, CanNotPoolWithBadCTWhenCTRequired) {
+  using testing::_;
+  using testing::Return;
+  using CTRequirementLevel =
+      TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
+
+  SSLInfo ssl_info;
+  ssl_info.cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  ssl_info.is_issued_by_known_root = true;
+  ssl_info.public_key_hashes.push_back(test::GetTestHashValue(1));
+  ssl_info.ct_cert_policy_compliance =
+      ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+
+  MockRequireCTDelegate require_ct_delegate;
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost("www.example.org"))
+      .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));

[davidben, 2016/06/23 19:51:43]

Only mail.example.org is queried, right?

[Ryan Sleevi, 2016/06/23 21:38:31]

Correct, but nothing in the interface contract of SpdySession::CanPool states
that, so I instead am treating it as a blackbox and testing the observables.

+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost("mail.example.org"))
+      .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
+
+  TransportSecurityState tss;
+  tss.SetRequireCTDelegate(&require_ct_delegate);
+
+  EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+                                    "mail.example.org"));
+}
+
+TEST(CanPoolTest, CanPoolWithBadCTWhenCTNotRequired) {
+  using testing::_;
+  using testing::Return;
+  using CTRequirementLevel =
+      TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
+
+  SSLInfo ssl_info;
+  ssl_info.cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  ssl_info.is_issued_by_known_root = true;
+  ssl_info.public_key_hashes.push_back(test::GetTestHashValue(1));
+  ssl_info.ct_cert_policy_compliance =
+      ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+
+  MockRequireCTDelegate require_ct_delegate;
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost("www.example.org"))
+      .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));

[davidben, 2016/06/23 19:51:43]

Ditto.

+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost("mail.example.org"))
+      .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));
+
+  TransportSecurityState tss;
+  tss.SetRequireCTDelegate(&require_ct_delegate);
+
+  EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+                                   "mail.example.org"));
+}
+
+TEST(CanPoolTest, CanPoolWithGoodCTWhenCTRequired) {
+  using testing::_;
+  using testing::Return;
+  using CTRequirementLevel =
+      TransportSecurityState::RequireCTDelegate::CTRequirementLevel;
+
+  SSLInfo ssl_info;
+  ssl_info.cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  ssl_info.is_issued_by_known_root = true;
+  ssl_info.public_key_hashes.push_back(test::GetTestHashValue(1));
+  ssl_info.ct_cert_policy_compliance =
+      ct::CertPolicyCompliance::CERT_POLICY_COMPLIES_VIA_SCTS;
+
+  MockRequireCTDelegate require_ct_delegate;
+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost("www.example.org"))
+      .WillRepeatedly(Return(CTRequirementLevel::NOT_REQUIRED));

[davidben, 2016/06/23 19:51:43]

Ditto.

+  EXPECT_CALL(require_ct_delegate, IsCTRequiredForHost("mail.example.org"))
+      .WillRepeatedly(Return(CTRequirementLevel::REQUIRED));
+
+  TransportSecurityState tss;
+  tss.SetRequireCTDelegate(&require_ct_delegate);
+
+  EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+                                   "mail.example.org"));
+}
+
 TEST(CanPoolTest, CanPoolWithAcceptablePins) {
   uint8_t primary_pin = 1;
   uint8_t backup_pin = 2;