Add initial version of captive portal list checking.

chrome/browser/ssl/ssl_browser_tests.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <utility>
 
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/callback.h"
 #include "base/command_line.h"
 #include "base/location.h"
 #include "base/macros.h"
 #include "base/metrics/field_trial.h"
 #include "base/single_thread_task_runner.h"
 #include "base/strings/string_split.h"
 #include "base/strings/string_util.h"
 #include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/test/histogram_tester.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/test/simple_test_clock.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "base/time/default_clock.h"
 #include "base/time/default_tick_clock.h"
 #include "base/time/time.h"
 #include "build/build_config.h"
 #include "chrome/app/chrome_command_ids.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
 #include "chrome/browser/interstitials/security_interstitial_page_test_utils.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ssl/bad_clock_blocking_page.h"
 #include "chrome/browser/ssl/cert_report_helper.h"
 #include "chrome/browser/ssl/cert_verifier_browser_test.h"
 #include "chrome/browser/ssl/certificate_reporting_test_utils.h"
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
 #include "chrome/browser/ssl/common_name_mismatch_handler.h"
 #include "chrome/browser/ssl/security_state_tab_helper.h"
 #include "chrome/browser/ssl/ssl_blocking_page.h"
+#include "chrome/browser/ssl/ssl_error_assistant.pb.h"
 #include "chrome/browser/ssl/ssl_error_handler.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_commands.h"
 #include "chrome/browser/ui/browser_finder.h"
 #include "chrome/browser/ui/browser_navigator.h"
 #include "chrome/browser/ui/browser_navigator_params.h"
 #include "chrome/browser/ui/browser_tabstrip.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
@@ skipping 52 matching lines @@
 #include "net/url_request/url_request_filter.h"
 #include "net/url_request/url_request_job.h"
 #include "net/url_request/url_request_test_util.h"
 
 #if defined(USE_NSS_CERTS)
 #include "chrome/browser/net/nss_context.h"
 #include "net/base/crypto_module.h"
 #include "net/cert/nss_cert_database.h"
 #endif  // defined(USE_NSS_CERTS)
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+#include "chrome/browser/ssl/captive_portal_blocking_page.h"
+#endif
+
 using base::ASCIIToUTF16;
 using chrome_browser_interstitials::SecurityInterstitialIDNTest;
 using content::InterstitialPage;
 using content::NavigationController;
 using content::NavigationEntry;
 using content::SSLStatus;
 using content::WebContents;
 using web_modal::WebContentsModalDialogManager;
 
 const base::FilePath::CharType kDocRoot[] =
     FILE_PATH_LITERAL("chrome/test/data");
 
 namespace {
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+// Sha256 fingerprint of okay.pem's Subject Public Key Information.

[Ryan Sleevi, 2017/02/01 22:06:06]

s/okay.pem/ok_cert.pem/

Hardcoding to ok_cert.pem makes it annoying to re-generate certs (e.x.
https://bugs.chromium.org/p/chromium/issues/detail?id=249850 ) and ended up
tripping people up. As much as possible, it'd be great to avoid hardcoding it
(making it programatically computed), or making it automatically update whenever
ok_cert.pem is regenerated.

Thoughts?

[meacer, 2017/02/02 01:56:05]

estark mentioned this too. I'm now computing this from the server's cert.

+// Compute the hash as follows:
+// openssl x509 -noout -in net/data/ssl/certificates/ok_cert.pem -pubkey | \
+// openssl asn1parse -noout -inform pem -out public.key; \
+// openssl dgst -sha256 -binary public.key | openssl enc -base64
+const char kOkayPemSPKI[] =
+    "sha256/2zCMVDKgnKec0721Sp1zVh2yiHeW/LJK4STkNnEa1og=";
+
+// A hostname that will trigger a captive portal interstitial. The actual value
+// isn't important.
+const char kCaptivePortalHostname[] = "captive-portal.test";
+#endif
+
 enum ProceedDecision {
   SSL_INTERSTITIAL_PROCEED,
   SSL_INTERSTITIAL_DO_NOT_PROCEED
 };
 
 namespace AuthState {
 
 enum AuthStateFlags {
   NONE = 0,
   DISPLAYED_INSECURE_CONTENT = 1 << 0,
@@ skipping 82 matching lines @@
     SSLErrorHandler::SetInterstitialTimerStartedCallbackForTesting(&callback_);
   }
 
   ~SSLInterstitialTimerObserver() {
     SSLErrorHandler::SetInterstitialTimerStartedCallbackForTesting(nullptr);
   }
 
   // Waits until the interstitial delay timer in SSLErrorHandler is started.
   void WaitForTimerStarted() { message_loop_runner_->Run(); }
 
+  // Returns true if the interstitial delay timer has been started.
+  bool timer_started() const { return timer_started_; }
+
  private:
   void OnTimerStarted(content::WebContents* web_contents) {
+    timer_started_ = true;
     if (web_contents_ == web_contents)
       message_loop_runner_->Quit();
   }
 
+  bool timer_started_ = false;
   const content::WebContents* web_contents_;
   SSLErrorHandler::TimerStartedCallback callback_;
 
   std::unique_ptr<base::RunLoop> message_loop_runner_;
 
   DISALLOW_COPY_AND_ASSIGN(SSLInterstitialTimerObserver);
 };
 
 class HungJob : public net::URLRequestJob {
  public:
@@ skipping 56 matching lines @@
     // authentication state. To avoid this non-determinism, add an
     // interceptor to hang all favicon requests.
     std::unique_ptr<net::URLRequestInterceptor> interceptor(new FaviconFilter);
     net::URLRequestFilter::GetInstance()->AddHostnameInterceptor(
         "https", "127.0.0.1", std::move(interceptor));
     interceptor.reset(new FaviconFilter);
     net::URLRequestFilter::GetInstance()->AddHostnameInterceptor(
         "https", "localhost", std::move(interceptor));
   }
 
+  void SetUp() override {
+    InProcessBrowserTest::SetUp();
+    SSLErrorHandler::ResetConfigForTesting();
+  }
+
   void SetUpCommandLine(base::CommandLine* command_line) override {
     // Browser will both run and display insecure content.
     command_line->AppendSwitch(switches::kAllowRunningInsecureContent);
     // Use process-per-site so that navigating to a same-site page in a
     // new tab will use the same process.
     command_line->AppendSwitch(switches::kProcessPerSite);
   }
 
   void CheckAuthenticatedState(WebContents* tab,
                                int expected_authentication_state) {
@@ skipping 3557 matching lines @@
 IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreLocalhostCertErrors,
                        NoCrashOnLoadWithNoNavigationEntry) {
   ASSERT_TRUE(embedded_test_server()->Start());
 
   ui_test_utils::NavigateToURL(
       browser(), embedded_test_server()->GetURL("/ssl/google.html"));
   WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
   ASSERT_TRUE(content::ExecuteScript(tab, "window.open()"));
 }
 
+#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+
+IN_PROC_BROWSER_TEST_F(SSLUITest, CaptivePortalCertificateList_Disabled) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitFromCommandLine(
+      "" /* enabled */, "CaptivePortalCertificateList" /* disabled */);
+
+  ASSERT_TRUE(https_server_mismatched_.Start());
+  base::HistogramTester histograms;
+
+  // Mark the server's cert as a captive portal cert.
+  chrome_browser_ssl::SSLErrorAssistantConfig config_proto;
+  config_proto.add_captive_portal_cert()->set_sha256_hash(kOkayPemSPKI);
+  SSLErrorHandler::SetErrorAssistantProtoForTesting(config_proto);
+
+  // Navigate to an unsafe page on the server. A normal SSL interstitial should
+  // be displayed since CaptivePortalCertificateList feature is disabled.
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  SSLInterstitialTimerObserver interstitial_timer_observer(tab);
+  ui_test_utils::NavigateToURL(
+      browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html"));
+  content::WaitForInterstitialAttach(tab);
+
+  InterstitialPage* interstitial_page = tab->GetInterstitialPage();
+  ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
+            interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
+  EXPECT_TRUE(interstitial_timer_observer.timer_started());
+
+  // Check that the histogram for the SSL interstitial was recorded.
+  histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::HANDLE_ALL, 1);
+  histograms.ExpectBucketCount(
+      SSLErrorHandler::GetHistogramNameForTesting(),
+      SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::CAPTIVE_PORTAL_CERT_FOUND, 0);
+}
+
+IN_PROC_BROWSER_TEST_F(SSLUITest,
+                       CaptivePortalCertificateList_Enabled_FromProto) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitFromCommandLine(
+      "CaptivePortalCertificateList" /* enabled */, "" /* disabled */);
+
+  ASSERT_TRUE(https_server_mismatched_.Start());
+  base::HistogramTester histograms;
+
+  // Mark the server's cert as a captive portal cert.
+  chrome_browser_ssl::SSLErrorAssistantConfig config_proto;
+  config_proto.add_captive_portal_cert()->set_sha256_hash(kOkayPemSPKI);
+  SSLErrorHandler::SetErrorAssistantProtoForTesting(config_proto);
+
+  // Navigate to an unsafe page on the server. The captive portal interstitial
+  // should be displayed since CaptivePortalCertificateList feature is enabled.
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  SSLInterstitialTimerObserver interstitial_timer_observer(tab);
+  ui_test_utils::NavigateToURL(
+      browser(), https_server_mismatched_.GetURL("/ssl/blank_page.html"));
+  content::WaitForInterstitialAttach(tab);
+
+  InterstitialPage* interstitial_page = tab->GetInterstitialPage();
+  ASSERT_EQ(CaptivePortalBlockingPage::kTypeForTesting,
+            interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
+  EXPECT_FALSE(interstitial_timer_observer.timer_started());
+
+  // Check that the histogram for the captive portal cert was recorded.
+  histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::HANDLE_ALL, 1);
+  histograms.ExpectBucketCount(
+      SSLErrorHandler::GetHistogramNameForTesting(),
+      SSLErrorHandler::SHOW_CAPTIVE_PORTAL_INTERSTITIAL_OVERRIDABLE, 1);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::CAPTIVE_PORTAL_CERT_FOUND, 1);
+}
+
+namespace {
+
+// Test class that mimics a URL request with a certificate whose SPKI hash is in
+// ssl_error_assistant.asciipb resource. A better way of testing the SPKI hashes
+// inside the resource bundle would be to serve the actual certificate from the
+// embeded test server, but the test server can only serve a limited number of
+// predefined certificates.
+template <int kNetError>
+class SSLUICaptivePortalTest : public InProcessBrowserTest {
+ public:
+  SSLUICaptivePortalTest() : InProcessBrowserTest(), cert_(nullptr) {}
+
+  void SetUpOnMainThread() override {
+    cert_ =
+        net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
+    ASSERT_TRUE(cert_);
+    content::BrowserThread::PostTask(
+        content::BrowserThread::IO, FROM_HERE,
+        base::Bind(&SSLUICaptivePortalTest::AddUrlHandler, cert_));
+  }
+
+  static void AddUrlHandler(scoped_refptr<net::X509Certificate> cert) {
+    net::URLRequestFilter* filter = net::URLRequestFilter::GetInstance();
+    filter->AddHostnameInterceptor("https", kCaptivePortalHostname,
+                                   std::unique_ptr<net::URLRequestInterceptor>(
+                                       new CaptivePortalInterceptor(cert)));
+  }
+
+ private:
+  // A URLRequestJob that mocks a TLS connection with a certificate whose SPKI
+  // hash is marked as a known captive portal certificate SPKI.
+  class CaptivePortalURLRequestJob : public net::URLRequestJob {
+   public:
+    CaptivePortalURLRequestJob(net::URLRequest* request,
+                               net::NetworkDelegate* network_delegate,
+                               scoped_refptr<net::X509Certificate> cert)
+        : net::URLRequestJob(request, network_delegate),
+          cert_(std::move(cert)),
+          weak_factory_(this) {}
+
+    // net::URLRequestJob method:
+    void Start() override {
+      net::SSLInfo ssl_info;
+      ssl_info.SetCertError(kNetError);
+      ssl_info.cert = cert_;
+
+      // Set the SPKI hash to captive-portal.badssl.com leaf certificate. This
+      // doesn't match the actual cert (ok_cert.pem) but is good enough for
+      // testing.
+      net::HashValue hash;
+      ASSERT_TRUE(hash.FromString(
+          "sha256/fjZPHewEHTrMDX3I1ecEIeoy3WFxHyGplOLv28kIbtI="));
+      ssl_info.public_key_hashes.push_back(hash);
+
+      base::ThreadTaskRunnerHandle::Get()->PostTask(
+          FROM_HERE,
+          base::Bind(&CaptivePortalURLRequestJob::NotifySSLCertificateError,
+                     weak_factory_.GetWeakPtr(), ssl_info, false));
+    }
+
+   protected:
+    ~CaptivePortalURLRequestJob() override {}
+
+   private:
+    const scoped_refptr<net::X509Certificate> cert_;
+    base::WeakPtrFactory<CaptivePortalURLRequestJob> weak_factory_;
+
+    DISALLOW_COPY_AND_ASSIGN(CaptivePortalURLRequestJob);
+  };
+
+  // A URLRequestInterceptor that handles requests with
+  // CaptivePortalURLRequestJob jobs.
+  class CaptivePortalInterceptor : public net::URLRequestInterceptor {
+   public:
+    CaptivePortalInterceptor(scoped_refptr<net::X509Certificate> cert)
+        : cert_(std::move(cert)) {}
+
+    ~CaptivePortalInterceptor() override {}
+
+    // net::URLRequestInterceptor method:
+    net::URLRequestJob* MaybeInterceptRequest(
+        net::URLRequest* request,
+        net::NetworkDelegate* network_delegate) const override {
+      return new CaptivePortalURLRequestJob(request, network_delegate, cert_);
+    }
+
+   private:
+    const scoped_refptr<net::X509Certificate> cert_;
+
+    DISALLOW_COPY_AND_ASSIGN(CaptivePortalInterceptor);
+  };
+
+  scoped_refptr<net::X509Certificate> cert_;
+};
+
+using SSLUICaptivePortalNameMismatchTest =
+    SSLUICaptivePortalTest<net::ERR_CERT_COMMON_NAME_INVALID>;
+using SSLUICaptivePortalAuthorityInvalidTest =
+    SSLUICaptivePortalTest<net::ERR_CERT_AUTHORITY_INVALID>;
+
+}  // namespace
+
+// Same as CaptivePortalCertificateList_Enabled_FromProto, but this time the
+// cert's SPKI hash is listed in ssl_error_assistant.asciipb.
+IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalNameMismatchTest,
+                       CaptivePortalCertificateList_Enabled_FromResource) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitFromCommandLine(
+      "CaptivePortalCertificateList" /* enabled */, "" /* disabled */);
+
+  base::HistogramTester histograms;
+
+  // Navigate to an unsafe page on the server. The captive portal interstitial
+  // should be displayed since CaptivePortalCertificateList feature is enabled.
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  SSLInterstitialTimerObserver interstitial_timer_observer(tab);
+  ui_test_utils::NavigateToURL(
+      browser(), GURL(std::string("https://") + kCaptivePortalHostname));
+  content::WaitForInterstitialAttach(tab);
+
+  InterstitialPage* interstitial_page = tab->GetInterstitialPage();
+  ASSERT_EQ(CaptivePortalBlockingPage::kTypeForTesting,
+            interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
+  EXPECT_FALSE(interstitial_timer_observer.timer_started());
+
+  // Check that the histogram for the captive portal cert was recorded.
+  histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::HANDLE_ALL, 1);
+  histograms.ExpectBucketCount(
+      SSLErrorHandler::GetHistogramNameForTesting(),
+      SSLErrorHandler::SHOW_CAPTIVE_PORTAL_INTERSTITIAL_OVERRIDABLE, 1);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::CAPTIVE_PORTAL_CERT_FOUND, 1);
+}
+
+// Same as SSLUICaptivePortalNameMismatchTest, but this time the error is
+// authority-invalid. Captive portal interstitial should not be shown.
+IN_PROC_BROWSER_TEST_F(SSLUICaptivePortalAuthorityInvalidTest,
+                       CaptivePortalCertificateList_Enabled_FromResource) {
+  base::test::ScopedFeatureList scoped_feature_list;
+  scoped_feature_list.InitFromCommandLine(
+      "CaptivePortalCertificateList" /* enabled */, "" /* disabled */);
+
+  // Set interstitial delay to zero.
+  SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta());
+
+  base::HistogramTester histograms;
+  // Navigate to an unsafe page on the server. CaptivePortalCertificateList
+  // feature is enabled but the error is not a name mismatch, so a generic SSL
+  // interstitial should be displayed.
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  SSLInterstitialTimerObserver interstitial_timer_observer(tab);
+  ui_test_utils::NavigateToURL(
+      browser(), GURL(std::string("https://") + kCaptivePortalHostname));
+  content::WaitForInterstitialAttach(tab);
+
+  InterstitialPage* interstitial_page = tab->GetInterstitialPage();
+  ASSERT_EQ(SSLBlockingPage::kTypeForTesting,
+            interstitial_page->GetDelegateForTesting()->GetTypeForTesting());
+  EXPECT_TRUE(interstitial_timer_observer.timer_started());
+
+  // Check that the histogram for the captive portal cert was recorded.
+  histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
+  histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
+                               SSLErrorHandler::HANDLE_ALL, 1);
+  histograms.ExpectBucketCount(
+      SSLErrorHandler::GetHistogramNameForTesting(),
+      SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
+}
+
+#endif  // BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
+
 // TODO(jcampan): more tests to do below.
 
 // Visit a page over https that contains a frame with a redirect.
 
 // XMLHttpRequest insecure content in synchronous mode.
 
 // XMLHttpRequest insecure content in asynchronous mode.
 
 // XMLHttpRequest over bad ssl in synchronous mode.
 
 // XMLHttpRequest over OK ssl in synchronous mode.