Add unittests for HSTS decoding.

net/http/transport_security_state_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 24 matching lines @@
 #include "net/ssl/ssl_info.h"
 #include "net/test/cert_test_util.h"
 #include "net/test/test_data_directory.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
+namespace test1 {
+#include "net/http/transport_security_state_static_unittest1.h"
+}
+namespace test2 {
+#include "net/http/transport_security_state_static_unittest2.h"
+}
+namespace test3 {
+#include "net/http/transport_security_state_static_unittest3.h"
+}
+
 const char kHost[] = "example.test";
 const char kSubdomain[] = "foo.example.test";
 const uint16_t kPort = 443;
 const char kReportUri[] = "http://report-example.test/test";
 const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com";
 const char kExpectCTStaticReportURI[] = "https://clients3.google.com/ct_upload";
 const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com";
 const char kExpectStapleStaticReportURI[] =
     "https://report.badssl.com/expect-staple";
 const char kExpectStapleStaticIncludeSubdomainsHostname[] =
@@ skipping 291 matching lines @@
   std::string serialized_report = reporter->latest_report();
   EXPECT_NO_FATAL_FAILURE(CheckSerializedExpectStapleReport(
       serialized_report, host_port, ssl_info, ocsp_response, response_status,
       cert_status));
 }
 
 }  // namespace
 
 class TransportSecurityStateTest : public testing::Test {
  public:
+  ~TransportSecurityStateTest() override {
+    SetTransportSecurityStateSourceForTesting(nullptr);
+  }
+
   void SetUp() override {
     crypto::EnsureOpenSSLInit();
   }
 
   static void DisableStaticPins(TransportSecurityState* state) {
     state->enable_static_pins_ = false;
   }
 
   static void EnableStaticPins(TransportSecurityState* state) {
     state->enable_static_pins_ = true;
   }
 
   static void EnableStaticExpectCT(TransportSecurityState* state) {
     state->enable_static_expect_ct_ = true;
   }
 
   static void SetEnableStaticExpectStaple(TransportSecurityState* state,
                                           bool enabled) {
     state->enable_static_expect_staple_ = enabled;
   }
 
   static HashValueVector GetSampleSPKIHashes() {
     HashValueVector spki_hashes;
     HashValue hash(HASH_VALUE_SHA256);
     memset(hash.data(), 0, hash.size());
     spki_hashes.push_back(hash);
     return spki_hashes;
   }
 
+  static HashValue GetSampleSPKIHash(uint8_t value) {
+    HashValue hash(HASH_VALUE_SHA256);
+    memset(hash.data(), value, hash.size());
+    return hash;
+  }
+
  protected:
   bool GetStaticDomainState(TransportSecurityState* state,
                             const std::string& host,
                             TransportSecurityState::STSState* sts_result,
                             TransportSecurityState::PKPState* pkp_result) {
     return state->GetStaticDomainState(host, sts_result, pkp_result);
   }
 
   bool GetExpectCTState(TransportSecurityState* state,
                         const std::string& host,
@@ skipping 1596 matching lines @@
   state.ProcessExpectCTHeader("preload", host_port, ssl_info);
   EXPECT_EQ(1u, reporter.num_failures());
   EXPECT_TRUE(reporter.ssl_info().ct_compliance_details_available);
   EXPECT_EQ(ssl_info.ct_cert_policy_compliance,
             reporter.ssl_info().ct_cert_policy_compliance);
   EXPECT_EQ(host_port.host(), reporter.host_port_pair().host());
   EXPECT_EQ(host_port.port(), reporter.host_port_pair().port());
   EXPECT_EQ(GURL(kExpectCTStaticReportURI), reporter.report_uri());
 }
 
+// Simple test for the HSTS preload process. The trie (generated from
+// transport_security_state_static_unittest1.json) contains 1 entry. Test that
+// the lookup methods can find the entry and correctly decode the different
+// preloaded states (HSTS, HPKP, Expect-CT, and Expect-Staple).
+TEST_F(TransportSecurityStateTest, DecodePreloadedSingle) {
+  SetTransportSecurityStateSourceForTesting(&test1::kHSTSSource);
+
+  TransportSecurityState state;
+  TransportSecurityStateTest::EnableStaticPins(&state);
+  TransportSecurityStateTest::EnableStaticExpectCT(&state);
+  TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
+
+  TransportSecurityState::STSState sts_state;
+  TransportSecurityState::PKPState pkp_state;
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state));
+  EXPECT_TRUE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  ASSERT_EQ(1u, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  ASSERT_EQ(1u, pkp_state.bad_spki_hashes.size());
+  EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x2));
+
+  TransportSecurityState::ExpectCTState ct_state;
+  EXPECT_FALSE(GetExpectCTState(&state, "hsts.example.com", &ct_state));
+
+  TransportSecurityState::ExpectStapleState staple_state;
+  EXPECT_FALSE(GetExpectStapleState(&state, "hsts.example.com", &staple_state));
+}
+
+// More advanced test for the HSTS preload process where the trie (generated
+// from transport_security_state_static_unittest2.json) contains multiple
+// entries with a common prefix. Test that the lookup methods can find all
+// entries and correctly decode the different preloaded states (HSTS, HPKP,
+// Expect-CT, and Expect-Staple) for each entry.
+TEST_F(TransportSecurityStateTest, DecodePreloadedMultiplePrefix) {
+  SetTransportSecurityStateSourceForTesting(&test2::kHSTSSource);
+
+  TransportSecurityState state;
+  TransportSecurityStateTest::EnableStaticPins(&state);
+  TransportSecurityStateTest::EnableStaticExpectCT(&state);
+  TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
+
+  TransportSecurityState::STSState sts_state;
+  TransportSecurityState::PKPState pkp_state;
+  TransportSecurityState::ExpectCTState ct_state;
+  TransportSecurityState::ExpectStapleState staple_state;
+
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hsts.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "hsts.example.com", &ct_state));
+  EXPECT_FALSE(GetExpectStapleState(&state, "hsts.example.com", &staple_state));
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"),
+            pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "hpkp.example.com", &ct_state));
+  EXPECT_FALSE(GetExpectStapleState(&state, "hpkp.example.com", &staple_state));
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(GetStaticDomainState(&state, "expect-ct.example.com", &sts_state,
+                                   &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_TRUE(GetExpectCTState(&state, "expect-ct.example.com", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.com/ct-upload"), ct_state.report_uri);
+  EXPECT_FALSE(
+      GetExpectStapleState(&state, "expect-ct.example.com", &staple_state));
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(GetStaticDomainState(&state, "expect-staple.example.com",
+                                   &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(
+      GetExpectCTState(&state, "expect-staple.example.com", &ct_state));
+  EXPECT_TRUE(
+      GetExpectStapleState(&state, "expect-staple.example.com", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/staple-upload"),
+            staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "mix.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2));
+  EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size());
+  EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_TRUE(GetExpectCTState(&state, "mix.example.com", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.com/ct-upload-alt"),
+            ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "mix.example.com", &staple_state));
+  EXPECT_TRUE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/staple-upload-alt"),
+            staple_state.report_uri);
+}
+
+// More advanced test for the HSTS preload process where the trie (generated
+// from transport_security_state_static_unittest3.json) contains a mix of
+// entries. Some entries share a prefix with the prefix also having its own
+// preloaded state while others share no prefix. This results in a trie with
+// several different internal structures. Test that the lookup methods can find
+// all entries and correctly decode the different preloaded states (HSTS, HPKP,
+// Expect-CT, and Expect-Staple) for each entry.
+TEST_F(TransportSecurityStateTest, DecodePreloadedMultipleMix) {
+  SetTransportSecurityStateSourceForTesting(&test3::kHSTSSource);
+
+  TransportSecurityState state;
+  TransportSecurityStateTest::EnableStaticPins(&state);
+  TransportSecurityStateTest::EnableStaticExpectCT(&state);
+  TransportSecurityStateTest::SetEnableStaticExpectStaple(&state, true);
+
+  TransportSecurityState::STSState sts_state;
+  TransportSecurityState::PKPState pkp_state;
+  TransportSecurityState::ExpectCTState ct_state;
+  TransportSecurityState::ExpectStapleState staple_state;
+
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "example.com", &sts_state, &pkp_state));
+  EXPECT_TRUE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "example.com", &ct_state));
+  EXPECT_EQ(GURL(), ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "example.com", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/staple-upload"),
+            staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "hpkp.example.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"),
+            pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "hpkp.example.com", &ct_state));
+  EXPECT_EQ(GURL(), ct_state.report_uri);
+  EXPECT_FALSE(GetExpectStapleState(&state, "hpkp.example.com", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL(), staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "example.org", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_FALSE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(0U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_TRUE(GetExpectCTState(&state, "example.org", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.org/ct-upload"), ct_state.report_uri);
+  EXPECT_FALSE(GetExpectStapleState(&state, "example.org", &staple_state));
+  EXPECT_FALSE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL(), staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "badssl.com", &sts_state, &pkp_state));
+  EXPECT_TRUE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_DEFAULT,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.example.com/hpkp-upload"),
+            pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_EQ(0U, pkp_state.bad_spki_hashes.size());
+  EXPECT_FALSE(GetExpectCTState(&state, "badssl.com", &ct_state));
+  EXPECT_EQ(GURL(), ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "badssl.com", &staple_state));
+  EXPECT_TRUE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.badssl.com/staple-upload"),
+            staple_state.report_uri);
+
+  sts_state = TransportSecurityState::STSState();
+  pkp_state = TransportSecurityState::PKPState();
+  ct_state = TransportSecurityState::ExpectCTState();
+  staple_state = TransportSecurityState::ExpectStapleState();
+  EXPECT_TRUE(
+      GetStaticDomainState(&state, "mix.badssl.com", &sts_state, &pkp_state));
+  EXPECT_FALSE(sts_state.include_subdomains);
+  EXPECT_EQ(TransportSecurityState::STSState::MODE_FORCE_HTTPS,
+            sts_state.upgrade_mode);
+  EXPECT_TRUE(pkp_state.include_subdomains);
+  EXPECT_EQ(GURL(), pkp_state.report_uri);
+  EXPECT_EQ(1U, pkp_state.spki_hashes.size());
+  EXPECT_EQ(pkp_state.spki_hashes[0], GetSampleSPKIHash(0x2));
+  EXPECT_EQ(1U, pkp_state.bad_spki_hashes.size());
+  EXPECT_EQ(pkp_state.bad_spki_hashes[0], GetSampleSPKIHash(0x1));
+  EXPECT_TRUE(GetExpectCTState(&state, "mix.badssl.com", &ct_state));
+  EXPECT_EQ(GURL("https://report.example.com/ct-upload"), ct_state.report_uri);
+  EXPECT_TRUE(GetExpectStapleState(&state, "mix.badssl.com", &staple_state));
+  EXPECT_TRUE(staple_state.include_subdomains);
+  EXPECT_EQ(GURL("https://report.badssl.com/staple-upload"),
+            staple_state.report_uri);
+}
+
 static const struct ExpectStapleErrorResponseData {
   OCSPVerifyResult::ResponseStatus response_status;
   std::string response_status_string;
 } kExpectStapleReportData[] = {
     {OCSPVerifyResult::MISSING, "MISSING"},
     {OCSPVerifyResult::ERROR_RESPONSE, "ERROR_RESPONSE"},
     {OCSPVerifyResult::BAD_PRODUCED_AT, "BAD_PRODUCED_AT"},
     {OCSPVerifyResult::NO_MATCHING_RESPONSE, "NO_MATCHING_RESPONSE"},
     {OCSPVerifyResult::INVALID_DATE, "INVALID_DATE"},
     {OCSPVerifyResult::PARSE_RESPONSE_ERROR, "PARSE_RESPONSE_ERROR"},
@@ skipping 298 matching lines @@
   base::FieldTrialList::CreateFieldTrial("EnforceCTForProblematicRoots",
                                          "disabled");
 
   EXPECT_FALSE(
       state.ShouldRequireCT("www.example.com", before_cert.get(), hashes));
   EXPECT_FALSE(
       state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
 }
 
 }  // namespace net