Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(152)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: net/http/transport_security_state_unittest.cc

Issue 2574413002: Make static (preloaded) security state generation part of the build process. (Closed)
Patch Set: also run generator for nacl. Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« net/BUILD.gn ('K') | « net/http/REMOVED_transport_security_state_static.h ('k') | net/net.gypi » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: net/http/transport_security_state_unittest.cc
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index 061a0ae6360a95fc9db1e34efd0b3a7e940f6b8a..7701084c3c7bad6759e0c0387418e9021e4dc435 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -10,9 +10,11 @@
#include "base/base64.h"
#include "base/files/file_path.h"
+#include "base/files/file_util.h"
#include "base/json/json_reader.h"
#include "base/memory/ptr_util.h"
#include "base/metrics/field_trial.h"
+#include "base/path_service.h"
#include "base/rand_util.h"
#include "base/sha1.h"
#include "base/strings/string_piece.h"
@@ -1871,6 +1873,123 @@ TEST_F(TransportSecurityStateTest, PreloadedExpectStaple) {
EXPECT_FALSE(GetExpectStapleState(&state, subdomain, &expect_staple_state));
}
+// Tests that all static (preloaded) entries are read correctly. When this
+// tests fails, the generation process probably broke.
+TEST_F(TransportSecurityStateTest, PreloadedStateBulk) {
+ struct Pinset {
+ std::string report_uri;
+ uint8_t good_spki_hashes = 0;
+ uint8_t bad_spki_hashes = 0;
+ };
+ TransportSecurityState state;
+ TransportSecurityStateTest::EnableStaticPins(&state);
+ TransportSecurityStateTest::EnableStaticExpectCT(&state);
+ base::ThreadRestrictions::SetIOAllowed(true);
+ base::FilePath json_path;
+ ASSERT_TRUE(PathService::Get(base::DIR_SOURCE_ROOT, &json_path));
+ json_path = json_path.AppendASCII("net");
+ json_path = json_path.AppendASCII("http");
+ json_path = json_path.AppendASCII("transport_security_state_static.json");
+ std::string json_input;
+ ASSERT_TRUE(base::ReadFileToString(json_path, &json_input));
+ base::ThreadRestrictions::SetIOAllowed(false);
+ std::unique_ptr<base::Value> value(base::JSONReader::Read(json_input));
+ ASSERT_TRUE(value.get());
+ base::DictionaryValue* dict_value = nullptr;
+ ASSERT_TRUE(value->GetAsDictionary(&dict_value));
+ // Parse the Pinsets in the JSON file to compare them to |state| later.
+ std::map<std::string, Pinset> pinsets;
+ const base::ListValue* preloaded_pinsets = nullptr;
+ ASSERT_TRUE(dict_value->GetList("pinsets", &preloaded_pinsets));
+ for (size_t i = 0; i < preloaded_pinsets->GetSize(); ++i) {
+ const base::DictionaryValue* parsed = nullptr;
+ ASSERT_TRUE(preloaded_pinsets->GetDictionary(i, &parsed));
+ std::string name;
+ ASSERT_TRUE(parsed->GetString("name", &name));
+ Pinset pinset;
+ std::string report_uri;
+ parsed->GetString("report_uri", &pinset.report_uri);
+ const base::ListValue* static_hashes_list = nullptr;
+ if (parsed->GetList("static_spki_hashes", &static_hashes_list)) {
+ pinset.good_spki_hashes = static_hashes_list->GetSize();
+ }
+ const base::ListValue* bad_static_hashes_list = nullptr;
+ if (parsed->GetList("bad_static_spki_hashes", &bad_static_hashes_list)) {
+ pinset.bad_spki_hashes = bad_static_hashes_list->GetSize();
+ }
+ pinsets.insert(std::pair<std::string, Pinset>(name, pinset));
+ }
+ const base::ListValue* preloaded_entries = nullptr;
+ ASSERT_TRUE(dict_value->GetList("entries", &preloaded_entries));
+ for (size_t i = 0; i < preloaded_entries->GetSize(); ++i) {
+ const base::DictionaryValue* parsed = nullptr;
+ ASSERT_TRUE(preloaded_entries->GetDictionary(i, &parsed));
+ std::string hostname;
+ ASSERT_TRUE(parsed->GetString("name", &hostname));
+ // Check that the entry exists in |state|.
+ TransportSecurityState::STSState sts_state;
+ TransportSecurityState::PKPState pkp_state;
+ ASSERT_TRUE(GetStaticDomainState(&state, hostname, &sts_state, &pkp_state));
+ // Check if |state| matches the HSTS state in the JSON file.
+ bool include_subdomains = false;
+ parsed->GetBoolean("include_subdomains", &include_subdomains);
+ EXPECT_EQ(include_subdomains, sts_state.include_subdomains);
+ std::string mode;
+ parsed->GetString("mode", &mode);
+ TransportSecurityState::STSState::UpgradeMode expected_mode =
+ TransportSecurityState::STSState::MODE_DEFAULT;
+ if (mode == "force-https") {
+ expected_mode = TransportSecurityState::STSState::MODE_FORCE_HTTPS;
+ }
+ ASSERT_EQ(expected_mode, sts_state.upgrade_mode);
+ // Check if |state| matches the HPKP state in the JSON file.
+ bool hpkp_include_subdomains = false;
+ parsed->GetBoolean("include_subdomains_for_pinning",
+ &hpkp_include_subdomains);
+ ASSERT_EQ(hpkp_include_subdomains,
+ !include_subdomains && pkp_state.include_subdomains);
+ std::string pinset;
+ parsed->GetString("pins", &pinset);
+ ASSERT_EQ(!pinset.empty(), pkp_state.HasPublicKeyPins());
+ // If the entry is associated with a pinset, check if the pinset matches
+ // the data in the JSON file.
+ // Note: This doesn't check the actual pins, only |report_uri| and the
+ // counts.
+ if (!pinset.empty()) {
+ const std::map<std::string, Pinset>::iterator it = pinsets.find(pinset);
+ ASSERT_NE(it, pinsets.cend());
+ ASSERT_EQ(it->second.report_uri, pkp_state.report_uri.spec());
+ ASSERT_EQ(it->second.good_spki_hashes, pkp_state.spki_hashes.size());
+ ASSERT_EQ(it->second.good_spki_hashes, pkp_state.spki_hashes.size());
+ }
+ // Check if |state| matches the Expect-CT state in the JSON file.
+ TransportSecurityState::ExpectCTState ct_state;
+ bool has_expect_ct = GetExpectCTState(&state, hostname, &ct_state);
+ bool expect_ct = false;
+ parsed->GetBoolean("expect_ct", &expect_ct);
+ ASSERT_EQ(expect_ct, has_expect_ct);
+ if (has_expect_ct) {
+ std::string expect_ct_report_uri;
+ parsed->GetString("expect_ct_report_uri", &expect_ct_report_uri);
+ ASSERT_EQ(expect_ct_report_uri, ct_state.report_uri.spec());
+ }
+ // Check if |state| matches the Expect-Staple state in the JSON file.
+ TransportSecurityState::ExpectStapleState staple_state;
+ bool has_expect_staple =
+ GetExpectStapleState(&state, hostname, &staple_state);
+ if (has_expect_staple) {
+ std::string expect_staple_report_uri;
+ parsed->GetString("expect_staple_report_uri", &expect_staple_report_uri);
+ ASSERT_EQ(expect_staple_report_uri, staple_state.report_uri.spec());
+ bool expect_staple_include_subdomains = false;
+ parsed->GetBoolean("include_subdomains_for_expect_staple",
+ &expect_staple_include_subdomains);
+ EXPECT_EQ(expect_staple_include_subdomains,
+ staple_state.include_subdomains);
+ }
+ }
+}
+
TEST_F(TransportSecurityStateTest, PreloadedExpectStapleIncludeSubdomains) {
TransportSecurityState state;
TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
« net/BUILD.gn ('K') | « net/http/REMOVED_transport_security_state_static.h ('k') | net/net.gypi » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698