Add the ability to send Expect-Staple reports.

net/http/transport_security_state.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 #define NET_HTTP_TRANSPORT_SECURITY_STATE_H_
 
 #include <stdint.h>
 
 #include <map>
@@ skipping 431 matching lines @@
   // 1. The header value is "preload", indicating that the site wants to
   // be opted in to Expect CT.
   // 2. The given host is present on the Expect CT preload list with a
   // valid report-uri, and the build is timely (i.e. preload list is fresh).
   // 3. |ssl_info| indicates that the connection violated the Expect CT policy.
   // 4. An Expect CT reporter has been provided with SetExpectCTReporter().
   void ProcessExpectCTHeader(const std::string& value,
                              const HostPortPair& host_port_pair,
                              const SSLInfo& ssl_info);
 
+  // Sends an Expect-Staple report containing the raw |ocsp_response| for
+  // |host_port_pair| if the following conditions are true:
+  // 1. The given host is present on the Expect-Staple preload list with a valid
+  // report-uri, and the build is timely (i.e. preload list is fresh).

[Ryan Sleevi, 2016/07/19 19:11:04]

This is really two conditions (same with #3) :)

1. Sending expect staple reports is enabled (via |enable_static_expect_staple_|)
2. A report sender is provided via SetReportSender()
3. The build is timely (i.e. the preload list is fresh).
4. The given host is present on the Expect-Staple preload list.
5. |ssl_info| indicates the connection did not provide an OCSP response
indicating a revocation status of GOOD.

"with a valid report-uri" seems redundant/unnecessary, since it's a condition of
being on the Expect-Staple preload list that there be a valid report-uri.

(Note that I reordered this so that the comment reads similar to the code, to
make it easily to naturally parse)

[dadrian, 2016/07/19 21:21:45]

Done.

[dadrian, 2016/07/19 21:21:46]

Done.

+  // 2. |ssl_info| indicates the connection did not provide an OCSP response
+  // indicating a revocation status of GOOD.
+  // 3. A report sender is provided with SetReportSender(), and the private
+  // |enable_static_expect_staple_| flag is set.
+  void ProcessExpectStaple(const HostPortPair& host_port_pair,

[Ryan Sleevi, 2016/07/19 19:11:04]

Naming wise, I think this should be CheckExpectStaple (since it's preloaded), or
possibly MaybeSendExpectStapleReport, and moved to either 316 or 305 - it
doesn't really fit with the header processing logic, and makes it clear it's an
active action.

[dadrian, 2016/07/19 21:21:46]

Done.

This is just a ploy to cause name collisions in my test file, isn't it :P

+                           const SSLInfo& ssl_info,
+                           const std::string& ocsp_response);
+
   // For unit tests only; causes ShouldRequireCT() to return |*required|
   // by default (that is, unless a RequireCTDelegate overrides). Set to
   // nullptr to reset.
   static void SetShouldRequireCTForTesting(bool* required);
 
  private:
   friend class TransportSecurityStateTest;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);
@@ skipping 114 matching lines @@
   // rate-limiting.
   ExpiringCache<std::string, bool, base::TimeTicks, std::less<base::TimeTicks>>
       sent_reports_cache_;
 
   DISALLOW_COPY_AND_ASSIGN(TransportSecurityState);
 };
 
 }  // namespace net
 
 #endif  // NET_HTTP_TRANSPORT_SECURITY_STATE_H_