Add transport security state generator tests.

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 24 matching lines @@
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
+namespace test1 {

[martijnc, 2017/02/08 20:58:21]

I tried to mix several cases (common prefix, no common prefix, partial common
prefix, entry as prefix of other entries) to get coverage for all possible
structures in the trie.

+#include "net/http/transport_security_state_static_unittest1.h"
+}
+namespace test2 {
+#include "net/http/transport_security_state_static_unittest2.h"
+}
+namespace test3 {
+#include "net/http/transport_security_state_static_unittest3.h"
+}
+
 const char kHost[] = "example.test";
 const char kSubdomain[] = "foo.example.test";
 const uint16_t kPort = 443;
 const char kReportUri[] = "http://report-example.test/test";
 const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com";
 const char kExpectCTStaticReportURI[] = "https://clients3.google.com/ct_upload";
 const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com";
 const char kExpectStapleStaticReportURI[] =
     "https://report.badssl.com/expect-staple";
 const char kExpectStapleStaticIncludeSubdomainsHostname[] =
@@ skipping 320 matching lines @@
   }
 
   static HashValueVector GetSampleSPKIHashes() {
     HashValueVector spki_hashes;
     HashValue hash(HASH_VALUE_SHA256);
     memset(hash.data(), 0, hash.size());
     spki_hashes.push_back(hash);
     return spki_hashes;
   }
 
+  static HashValue GetSampleSPKIHash(uint8_t value) {
+    HashValue hash(HASH_VALUE_SHA256);
+    memset(hash.data(), value, hash.size());
+    return hash;
+  }
+
  protected:
   bool GetStaticDomainState(TransportSecurityState* state,
                             const std::string& host,
                             TransportSecurityState::STSState* sts_result,
                             TransportSecurityState::PKPState* pkp_result) {
     return state->GetStaticDomainState(host, sts_result, pkp_result);
   }
 
   bool GetExpectCTState(TransportSecurityState* state,
                         const std::string& host,
@@ skipping 1596 matching lines @@
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available);
   EXPECT_EQ(ssl_info.ct_cert_policy_compliance,
             reporter.ssl_info().ct_cert_policy_compliance);
   EXPECT_EQ(host_port.host(), reporter.host_port_pair().host());
   EXPECT_EQ(host_port.port(), reporter.host_port_pair().port());
   EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
 }
 
+TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) {
+  SetTransportSecurityStateSource(
+      test1::kHSTSHuffmanTree, sizeof(test1::kHSTSHuffmanTree),
+      test1::kPreloadedHSTSData, test1::kPreloadedHSTSBits,
+      test1::kHSTSRootPosition, test1::kExpectCTReportURIs,
+      test1::kExpectStapleReportURIs, test1::kPinsets,
+      arraysize(test1::kPinsets));
+
+  TransportSecurityState state;
+  TransportSecurityStateTest::EnableStaticPins(&state);
+  TransportSecurityStateTest::EnableStaticExpectCT(&state);
+  TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
+
+  TransportSecurityState::STSState sts_state;
+  TransportSecurityState::PKPState pkp_state;
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state));
+  EXPECT_TRUE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  ASSERT_EQ(1u, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  ASSERT_EQ(1u, pkp_state.bad_spki_hashes.size());
+  EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x2));
+
+  TransportSecurityState::ExpectCTState ct_state;
+  EXPECT_FALSE(GetExpectCTState(&state, "hsts.example.com", &ct_state));
+
+  TransportSecurityState::ExpectStapleState staple_state;
+  EXPECT_FALSE(GetExpectStapleState(&state, "hsts.example.com", &staple_state));
+
+  SetDefaultTransportSecurityStateSource();
+}
+
+TEST_F(TransportSecurityStateTest, DecodePreloadedMultiplePrefix) {
+  SetTransportSecurityStateSource(
+      test2::kHSTSHuffmanTree, sizeof(test2::kHSTSHuffmanTree),
+      test2::kPreloadedHSTSData, test2::kPreloadedHSTSBits,
+      test2::kHSTSRootPosition, test2::kExpectCTReportURIs,
+      test2::kExpectStapleReportURIs, test2::kPinsets,
+      arraysize(test2::kPinsets));
+
+  TransportSecurityState state;
+  TransportSecurityStateTest::EnableStaticPins(&state);
+  TransportSecurityStateTest::EnableStaticExpectCT(&state);
+  TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
+
+  TransportSecurityState::STSState sts_state;
+  TransportSecurityState::PKPState pkp_state;
+  TransportSecurityState::ExpectCTState ct_state;
+  TransportSecurityState::ExpectStapleState staple_state;
+
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "hsts.example.com", &ct_state));
+  EXPECT_FALSE(GetExpectStapleState(&state, "hsts.example.com", &staple_state));
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"),
+            pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "hpkp.example.com", &ct_state));
+  EXPECT_FALSE(GetExpectStapleState(&state, "hpkp.example.com", &staple_state));
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(GetStaticDomainState(&state, "expect-ct.example.com", &sts_state,
+                                   &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_TRUE(GetExpectCTState(&state, "expect-ct.example.com", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.com/ct-upload"), ct_state.report_uri);
+  EXPECT_FALSE(
+      GetExpectStapleState(&state, "expect-ct.example.com", &staple_state));
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(GetStaticDomainState(&state, "expect-staple.example.com",
+                                   &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(
+      GetExpectCTState(&state, "expect-staple.example.com", &ct_state));
+  EXPECT_TRUE(
+      GetExpectStapleState(&state, "expect-staple.example.com", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/staple-upload"),
+            staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "mix.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2));
+  EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size());
+  EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_TRUE(GetExpectCTState(&state, "mix.example.com", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.com/ct-upload-alt"),
+            ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "mix.example.com", &staple_state));
+  EXPECT_TRUE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/staple-upload-alt"),
+            staple_state.report_uri);
+
+  SetDefaultTransportSecurityStateSource();
+}
+
+TEST_F(TransportSecurityStateTest, DecodePreloadedMultipleMix) {
+  SetTransportSecurityStateSource(
+      test3::kHSTSHuffmanTree, sizeof(test3::kHSTSHuffmanTree),
+      test3::kPreloadedHSTSData, test3::kPreloadedHSTSBits,
+      test3::kHSTSRootPosition, test3::kExpectCTReportURIs,
+      test3::kExpectStapleReportURIs, test3::kPinsets,
+      arraysize(test3::kPinsets));
+
+  TransportSecurityState state;
+  TransportSecurityStateTest::EnableStaticPins(&state);
+  TransportSecurityStateTest::EnableStaticExpectCT(&state);
+  TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
+
+  TransportSecurityState::STSState sts_state;
+  TransportSecurityState::PKPState pkp_state;
+  TransportSecurityState::ExpectCTState ct_state;
+  TransportSecurityState::ExpectStapleState staple_state;
+
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "example.com", &sts_state, &pkp_state));
+  EXPECT_TRUE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "example.com", &ct_state));
+  EXPECT_EQ(GURL(""), ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "example.com", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/staple-upload"),
+            staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"),
+            pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "hpkp.example.com", &ct_state));
+  EXPECT_EQ(GURL(""), ct_state.report_uri);
+  EXPECT_FALSE(GetExpectStapleState(&state, "hpkp.example.com", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL(""), staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "example.org", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_TRUE(GetExpectCTState(&state, "example.org", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.org/ct-upload"), ct_state.report_uri);
+  EXPECT_FALSE(GetExpectStapleState(&state, "example.org", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL(""), staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "badssl.com", &sts_state, &pkp_state));
+  EXPECT_TRUE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"),
+            pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "badssl.com", &ct_state));
+  EXPECT_EQ(GURL(""), ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "badssl.com", &staple_state));
+  EXPECT_TRUE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.badssl.com/staple-upload"),
+            staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "mix.badssl.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(""), pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2));
+  EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size());
+  EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_TRUE(GetExpectCTState(&state, "mix.badssl.com", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.com/ct-upload"), ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "mix.badssl.com", &staple_state));
+  EXPECT_TRUE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.badssl.com/staple-upload"),
+            staple_state.report_uri);
+
+  SetDefaultTransportSecurityStateSource();
+}
+
 static const struct ExpectStapleErrorResponseData {
   OCSPVerifyResult::ResponseStatus response_status;
   std::string response_status_string;
 } kExpectStapleReportData[] = {
     {OCSPVerifyResult::MISSING, "MISSING"},
     {OCSPVerifyResult::ERROR_RESPONSE, "ERROR_RESPONSE"},
     {OCSPVerifyResult::BAD_PRODUCED_AT, "BAD_PRODUCED_AT"},
     {OCSPVerifyResult::NO_MATCHING_RESPONSE, "NO_MATCHING_RESPONSE"},
     {OCSPVerifyResult::INVALID_DATE, "INVALID_DATE"},
     {OCSPVerifyResult::PARSE_RESPONSE_ERROR, "PARSE_RESPONSE_ERROR"},
@@ skipping 298 matching lines @@
   base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots",
                                          "disabled");
 
   EXPECT_FALSE(
       state.ShouldRequireCT("www.example.com", before_cert.get(), hashes));
   EXPECT_FALSE(
       state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
 }
 
 }  // namespace net