OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "components/certificate_transparency/ct_policy_manager.h" | |
6 | |
7 #include <iterator> | |
8 | |
9 #include "base/run_loop.h" | |
10 #include "base/sequenced_task_runner.h" | |
11 #include "base/single_thread_task_runner.h" | |
12 #include "base/test/test_message_loop.h" | |
13 #include "base/values.h" | |
14 #include "components/certificate_transparency/pref_names.h" | |
15 #include "components/prefs/pref_registry_simple.h" | |
16 #include "components/prefs/testing_pref_service.h" | |
17 #include "testing/gtest/include/gtest/gtest.h" | |
18 | |
19 namespace certificate_transparency { | |
20 | |
21 namespace { | |
22 | |
23 template <size_t N> | |
24 base::ListValue* ListValueFromStrings(const char* const (&strings)[N]) { | |
25 std::unique_ptr<base::ListValue> result(new base::ListValue); | |
26 for (const auto& str : strings) { | |
27 result->AppendString(str); | |
28 } | |
29 return result.release(); | |
30 } | |
31 | |
32 class CTPolicyManagerTest : public ::testing::Test { | |
33 public: | |
34 CTPolicyManagerTest() : message_loop_(base::MessageLoop::TYPE_IO) {} | |
35 | |
36 protected: | |
37 base::TestMessageLoop message_loop_; | |
38 TestingPrefServiceSimple pref_service_; | |
39 }; | |
40 | |
41 // Treat the preferences as a black box as far as naming, but ensure that | |
42 // preferences get registered. | |
43 TEST_F(CTPolicyManagerTest, RegistersPrefs) { | |
44 auto registered_prefs = std::distance(pref_service_.registry()->begin(), | |
45 pref_service_.registry()->end()); | |
46 CTPolicyManager::RegisterPrefs(pref_service_.registry()); | |
47 auto newly_registered_prefs = std::distance(pref_service_.registry()->begin(), | |
48 pref_service_.registry()->end()); | |
49 EXPECT_NE(registered_prefs, newly_registered_prefs); | |
50 } | |
51 | |
52 TEST_F(CTPolicyManagerTest, DelegateChecksRequired) { | |
53 using CTRequirementLevel = | |
54 net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel; | |
55 // Register preferences and set up initial state | |
56 CTPolicyManager::RegisterPrefs(pref_service_.registry()); | |
57 CTPolicyManager manager(&pref_service_, message_loop_.task_runner()); | |
58 base::RunLoop().RunUntilIdle(); | |
59 | |
60 net::TransportSecurityState::RequireCTDelegate* delegate = | |
61 manager.GetDelegate(); | |
62 ASSERT_TRUE(delegate); | |
63 | |
64 // No preferences should yield the default results. | |
65 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
66 delegate->IsCTRequiredForHost("google.com")); | |
67 | |
68 // Now set a preference, pump the message loop, and ensure things are now | |
69 // reflected. | |
70 pref_service_.SetManagedPref(prefs::kCTRequiredHosts, | |
71 ListValueFromStrings({"google.com"})); | |
72 base::RunLoop().RunUntilIdle(); | |
73 | |
74 // The new preferences should take effect. | |
75 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
76 delegate->IsCTRequiredForHost("google.com")); | |
77 } | |
78 | |
79 TEST_F(CTPolicyManagerTest, DelegateChecksExcluded) { | |
80 using CTRequirementLevel = | |
81 net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel; | |
82 // Register preferences and set up initial state | |
83 CTPolicyManager::RegisterPrefs(pref_service_.registry()); | |
84 CTPolicyManager manager(&pref_service_, message_loop_.task_runner()); | |
85 base::RunLoop().RunUntilIdle(); | |
86 | |
87 net::TransportSecurityState::RequireCTDelegate* delegate = | |
88 manager.GetDelegate(); | |
89 ASSERT_TRUE(delegate); | |
90 | |
91 // No preferences should yield the default results. | |
92 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
93 delegate->IsCTRequiredForHost("google.com")); | |
eroman
2016/06/30 02:24:36
Are there any tests with:
* non-lowercased hostn
Ryan Sleevi
2016/06/30 07:42:33
Beyond the existing URLMatcher code? No.
non-lowe
| |
94 | |
95 // Now set a preference, pump the message loop, and ensure things are now | |
96 // reflected. | |
97 pref_service_.SetManagedPref(prefs::kCTExcludedHosts, | |
98 ListValueFromStrings({"google.com"})); | |
99 base::RunLoop().RunUntilIdle(); | |
100 | |
101 // The new preferences should take effect. | |
102 EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED, | |
103 delegate->IsCTRequiredForHost("google.com")); | |
104 } | |
105 | |
106 TEST_F(CTPolicyManagerTest, IgnoresInvalidEntries) { | |
107 using CTRequirementLevel = | |
108 net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel; | |
109 // Register preferences and set up initial state | |
110 CTPolicyManager::RegisterPrefs(pref_service_.registry()); | |
111 CTPolicyManager manager(&pref_service_, message_loop_.task_runner()); | |
112 base::RunLoop().RunUntilIdle(); | |
113 | |
114 net::TransportSecurityState::RequireCTDelegate* delegate = | |
115 manager.GetDelegate(); | |
116 ASSERT_TRUE(delegate); | |
117 | |
118 // No preferences should yield the default results. | |
119 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
120 delegate->IsCTRequiredForHost("google.com")); | |
121 | |
122 // Now setup invalid preferences (that is, that fail to be parsable as | |
123 // URLs). | |
124 pref_service_.SetManagedPref( | |
125 prefs::kCTRequiredHosts, | |
126 ListValueFromStrings({ | |
127 "file:///etc/fstab", "file://withahost/etc/fstab", | |
128 "file:///c|/Windows", "*", "https://*", "example.com", | |
129 "https://example.test:invalid_port", | |
130 })); | |
131 base::RunLoop().RunUntilIdle(); | |
132 | |
133 // Wildcards are ignored (both * and https://*). | |
134 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
135 delegate->IsCTRequiredForHost("google.com")); | |
136 // File URL hosts are ignored. | |
137 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
138 delegate->IsCTRequiredForHost("withahost")); | |
139 | |
140 // While the partially parsed hosts should take effect. | |
141 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
142 delegate->IsCTRequiredForHost("example.test")); | |
143 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
144 delegate->IsCTRequiredForHost("example.com")); | |
145 } | |
146 | |
147 // Make sure the various 'undocumented' priorities apply: | |
148 // - non-wildcards beat wildcards | |
149 // - more specific hosts beat less specific hosts | |
150 // - requiring beats excluding | |
151 TEST_F(CTPolicyManagerTest, AppliesPriority) { | |
152 using CTRequirementLevel = | |
153 net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel; | |
154 // Register preferences and set up initial state | |
155 CTPolicyManager::RegisterPrefs(pref_service_.registry()); | |
156 CTPolicyManager manager(&pref_service_, message_loop_.task_runner()); | |
157 base::RunLoop().RunUntilIdle(); | |
158 | |
159 net::TransportSecurityState::RequireCTDelegate* delegate = | |
160 manager.GetDelegate(); | |
161 ASSERT_TRUE(delegate); | |
162 | |
163 // No preferences should yield the default results. | |
164 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
165 delegate->IsCTRequiredForHost("example.com")); | |
166 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
167 delegate->IsCTRequiredForHost("sub.example.com")); | |
168 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
169 delegate->IsCTRequiredForHost("accounts.example.com")); | |
170 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
171 delegate->IsCTRequiredForHost("login.accounts.example.com")); | |
172 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
173 delegate->IsCTRequiredForHost("sub.accounts.example.com")); | |
174 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
175 delegate->IsCTRequiredForHost("login.sub.accounts.example.com")); | |
176 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
177 delegate->IsCTRequiredForHost("test.example.com")); | |
178 | |
179 // Set up policies that exclude it for a domain and all of its subdomains, | |
180 // but then require it for a specific host. | |
181 pref_service_.SetManagedPref( | |
182 prefs::kCTExcludedHosts, | |
183 ListValueFromStrings({"example.com", ".sub.example.com", | |
184 ".sub.accounts.example.com", "test.example.com"})); | |
185 pref_service_.SetManagedPref( | |
186 prefs::kCTRequiredHosts, | |
187 ListValueFromStrings( | |
188 {"sub.example.com", "accounts.example.com", "test.example.com"})); | |
189 base::RunLoop().RunUntilIdle(); | |
190 | |
191 EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED, | |
192 delegate->IsCTRequiredForHost("example.com")); | |
193 // Non-wildcarding (.sub.example.com) beats wildcarding (sub.example.com). | |
194 EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED, | |
195 delegate->IsCTRequiredForHost("sub.example.com")); | |
196 // More specific hosts (accounts.example.com) beat less specific hosts | |
197 // (example.com + wildcard). | |
198 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
199 delegate->IsCTRequiredForHost("accounts.example.com")); | |
200 // More specific hosts (accounts.example.com) beat less specific hosts | |
201 // (example.com). | |
202 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
203 delegate->IsCTRequiredForHost("login.accounts.example.com")); | |
204 EXPECT_EQ(CTRequirementLevel::NOT_REQUIRED, | |
205 delegate->IsCTRequiredForHost("sub.accounts.example.com")); | |
206 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
207 delegate->IsCTRequiredForHost("login.sub.accounts.example.com")); | |
208 // Requiring beats excluding. | |
209 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
210 delegate->IsCTRequiredForHost("test.example.com")); | |
211 } | |
212 | |
213 // Ensure that the RequireCTDelegate is still valid and usable after Shutdown | |
214 // has been called. Preferences should no longer sync, but the old results | |
215 // should still be returned. | |
216 TEST_F(CTPolicyManagerTest, UsableAfterShutdown) { | |
217 using CTRequirementLevel = | |
218 net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel; | |
219 // Register preferences and set up initial state | |
220 CTPolicyManager::RegisterPrefs(pref_service_.registry()); | |
221 CTPolicyManager manager(&pref_service_, message_loop_.task_runner()); | |
222 base::RunLoop().RunUntilIdle(); | |
223 | |
224 net::TransportSecurityState::RequireCTDelegate* delegate = | |
225 manager.GetDelegate(); | |
226 ASSERT_TRUE(delegate); | |
227 | |
228 // No preferences should yield the default results. | |
229 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
230 delegate->IsCTRequiredForHost("google.com")); | |
231 | |
232 // Now set a preference, pump the message loop, and ensure things are now | |
233 // reflected. | |
234 pref_service_.SetManagedPref(prefs::kCTRequiredHosts, | |
235 ListValueFromStrings({"google.com"})); | |
236 base::RunLoop().RunUntilIdle(); | |
237 | |
238 // The new preferences should take effect. | |
239 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
240 delegate->IsCTRequiredForHost("google.com")); | |
241 | |
242 // Shut down the preferences, which should unregister any observers. | |
243 manager.Shutdown(); | |
244 base::RunLoop().RunUntilIdle(); | |
245 | |
246 // Update the preferences again, which should do nothing; the | |
247 // RequireCTDelegate should continue to be valid and return the old results. | |
248 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
249 delegate->IsCTRequiredForHost("google.com")); | |
250 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
251 delegate->IsCTRequiredForHost("example.com")); | |
252 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
253 delegate->IsCTRequiredForHost("sub.example.com")); | |
254 pref_service_.SetManagedPref(prefs::kCTRequiredHosts, | |
255 ListValueFromStrings({"sub.example.com"})); | |
256 base::RunLoop().RunUntilIdle(); | |
257 EXPECT_EQ(CTRequirementLevel::REQUIRED, | |
258 delegate->IsCTRequiredForHost("google.com")); | |
259 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
260 delegate->IsCTRequiredForHost("example.com")); | |
261 EXPECT_EQ(CTRequirementLevel::DEFAULT, | |
262 delegate->IsCTRequiredForHost("sub.example.com")); | |
263 | |
264 // And it should still be possible to get the delegate, even after calling | |
265 // Shutdown(). | |
266 EXPECT_TRUE(manager.GetDelegate()); | |
267 } | |
268 | |
269 } // namespace | |
270 | |
271 } // namespace certificate_transparency | |
OLD | NEW |