Turn off Expect-Staple reporting for private roots

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 240 matching lines @@
 // Checks the following hold for |report| such that it is a valid Expect-Staple
 // report:
 // 1. |report| is a JSON dictionary.
 // 2. The "hostname" and "port" fields match |host_port_pair|.
 // 3. The "response-status" field matches |response_status|
 // 4. The "ocsp-response" field is a base64-encoded verson of |ocsp_response|,
 //    and is not present when |ocsp_response| is empty.
 // 5. The "cert-status" field matches |cert_status|, and is not present when
 //    |cert_status| is empty.
 // 6. The "validated-chain" and "serverd-chain" fields match those in
-//    |ssl_info|, and are only present when |ssl_info.is_issued_by_known_root|
-//    is true.
+//    |ssl_info|.
 void CheckSerializedExpectStapleReport(const std::string& report,
                                        const HostPortPair& host_port_pair,
                                        const SSLInfo& ssl_info,
                                        const std::string& ocsp_response,
                                        const std::string& response_status,
                                        const std::string& cert_status) {
   std::unique_ptr<base::Value> value(base::JSONReader::Read(report));
   ASSERT_TRUE(value);
   ASSERT_TRUE(value->IsType(base::Value::TYPE_DICTIONARY));
 
@@ skipping 38 matching lines @@
   }
 
   base::ListValue* report_served_certificate_chain;
   bool has_served_chain = report_dict->GetList(
       "served-certificate-chain", &report_served_certificate_chain);
 
   base::ListValue* report_validated_certificate_chain;
   bool has_validated_chain = report_dict->GetList(
       "validated-certificate-chain", &report_validated_certificate_chain);
 
-  if (ssl_info.is_issued_by_known_root) {
-    EXPECT_TRUE(has_served_chain);
-    EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
-        ssl_info.unverified_cert, report_served_certificate_chain));
+  EXPECT_TRUE(has_served_chain);
+  EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
+      ssl_info.unverified_cert, report_served_certificate_chain));
 
-    EXPECT_TRUE(has_validated_chain);
-    EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
-        ssl_info.cert, report_validated_certificate_chain));
-  } else {
-    EXPECT_FALSE(has_served_chain);
-    EXPECT_FALSE(has_validated_chain);
-  }
+  EXPECT_TRUE(has_validated_chain);
+  EXPECT_NO_FATAL_FAILURE(CompareCertificateChainWithList(
+      ssl_info.cert, report_validated_certificate_chain));
 }
 
 // Set up |state| for ExpectStaple, call CheckExpectStaple(), and verify the
 // serialized report caught by |reporter|.
 void CheckExpectStapleReport(TransportSecurityState* state,
                              MockCertificateReportSender* reporter,
                              const SSLInfo& ssl_info,
                              const std::string& ocsp_response,
                              const std::string& response_status,
                              const std::string& cert_status) {
   // Expect-Staple is preload list based, so we use the baked-in test hostname
   // from the list ("preloaded-expect-staple.badssl.com").
   HostPortPair host_port(kExpectStapleStaticHostname, 443);
   state->SetReportSender(reporter);
   state->CheckExpectStaple(host_port, ssl_info, ocsp_response);
+  if (!ssl_info.is_issued_by_known_root) {
+    EXPECT_EQ(GURL(), reporter->latest_report_uri());
+    EXPECT_EQ(std::string(), reporter->latest_report());
+    return;
+  }
   EXPECT_EQ(GURL(kExpectStapleStaticReportURI), reporter->latest_report_uri());
   EXPECT_EQ("application/json; charset=utf-8", reporter->latest_content_type());
   std::string serialized_report = reporter->latest_report();
   EXPECT_NO_FATAL_FAILURE(CheckSerializedExpectStapleReport(
       serialized_report, host_port, ssl_info, ocsp_response, response_status,
       cert_status));
 }
 
 }  // namespace
 
@@ skipping 1702 matching lines @@
   scoped_refptr<X509Certificate> cert1 =
       ImportCertFromFile(GetTestCertsDirectory(), "test_mail_google_com.pem");
   scoped_refptr<X509Certificate> cert2 =
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
 
   SSLInfo ssl_info;
   ssl_info.cert = cert1;
   ssl_info.unverified_cert = cert2;
   ssl_info.ocsp_result.response_status = test.response_status;
 
-  // Certificate chains should only be included when |is_issued_by_known_root|
-  // is true.
+  // Reports should only be sent when |is_issued_by_known_root| is true.
   ssl_info.is_issued_by_known_root = true;
   ASSERT_NO_FATAL_FAILURE(
       CheckExpectStapleReport(&state, &reporter, ssl_info, ocsp_response,
                               test.response_status_string, std::string()));
+  reporter.Clear();
 
-  // No certificate chains should be included in the report.
+  // No report should be sent.
   ssl_info.is_issued_by_known_root = false;
   ASSERT_NO_FATAL_FAILURE(
       CheckExpectStapleReport(&state, &reporter, ssl_info, ocsp_response,
                               test.response_status_string, std::string()));
 }
 
 INSTANTIATE_TEST_CASE_P(ExpectStaple,
                         ExpectStapleErrorResponseTest,
                         testing::ValuesIn(kExpectStapleReportData));
 
@@ skipping 27 matching lines @@
       ImportCertFromFile(GetTestCertsDirectory(), "expired_cert.pem");
 
   SSLInfo ssl_info;
   ssl_info.cert = cert1;
   ssl_info.unverified_cert = cert2;
   // |response_status| must be set to PROVIDED for |revocation_status| to have
   // meaning.
   ssl_info.ocsp_result.response_status = OCSPVerifyResult::PROVIDED;
   ssl_info.ocsp_result.revocation_status = test.revocation_status;
 
-  // Certificate chains should only be included when |is_issued_by_known_root|
-  // is true.
+  // Reports should only be sent when |is_issued_by_known_root| is true.
   ssl_info.is_issued_by_known_root = true;
   ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport(&state, &reporter, ssl_info,
                                                   ocsp_response, "PROVIDED",
                                                   test.cert_status_string));
+  reporter.Clear();
 
-  // No certificate chains should be included in the report.
   ssl_info.is_issued_by_known_root = false;
   ASSERT_NO_FATAL_FAILURE(CheckExpectStapleReport(&state, &reporter, ssl_info,
                                                   ocsp_response, "PROVIDED",
                                                   test.cert_status_string));
 };
 
 INSTANTIATE_TEST_CASE_P(ExpectStaple,
                         ExpectStapleErrorCertStatusTest,
                         testing::ValuesIn(kExpectStapleErrorCertStatusData));
 
@@ skipping 194 matching lines @@
   base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots",
                                          "disabled");
 
   EXPECT_FALSE(
       state.ShouldRequireCT("www.example.com", before_cert.get(), hashes));
   EXPECT_FALSE(
       state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
 }
 
 }  // namespace net