
Unified Diff: net/http/transport_security_state_unittest.cc

Issue 2747173005: Store dynamic Expect-CT state (Closed)
Patch Set: clear dynamic Expect-CT data when needed Created 3 years, 8 months ago
Index: net/http/transport_security_state_unittest.cc
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
index be41ec32f2932ba5bdf28a119e7d3e0f375b9f67..88492c7980d28ce4729caf2549da02070c4c0005 100644
--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -18,6 +18,7 @@
#include "base/strings/string_piece.h"
#include "base/test/histogram_tester.h"
#include "base/test/mock_entropy_provider.h"
+#include "base/test/scoped_feature_list.h"
#include "base/values.h"
#include "crypto/openssl_util.h"
#include "crypto/sha2.h"
@@ -786,6 +787,11 @@ TEST_F(TransportSecurityStateTest, NewPinsOverride) {
}
TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndEnableFeature(
+ TransportSecurityState::kDynamicExpectCTFeature);
+ TransportSecurityState::ExpectCTState expect_ct_state;
+
TransportSecurityState state;
const base::Time current_time(base::Time::Now());
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
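Review bot: The `ScopedFeatureList` setup added at the top of DeleteAllDynamicDataSince is repeated verbatim in DeleteDynamicDataForHost, DynamicExpectCTStateCleared and DynamicExpectCTState further down this diff. A small fixture derived from TransportSecurityStateTest that enables `kDynamicExpectCTFeature` in its constructor would remove the copies and make it harder to add a new Expect-CT test that forgets the feature and passes vacuously. Separately, `expect_ct_state` is declared here ahead of `state`, while DeleteDynamicDataForHost declares it at first use; declaring it just before the first `GetDynamicExpectCTState` call would be consistent. The test body continues outside this hunk.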
@@ -793,24 +799,32 @@ TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) {
EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
+ EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state));
bool include_subdomains = false;
state.AddHSTS("example.com", expiry, include_subdomains);
state.AddHPKP("example.com", expiry, include_subdomains,
GetSampleSPKIHashes(), GURL());
+ state.AddExpectCT("example.com", expiry, true, GURL());
state.DeleteAllDynamicDataSince(expiry);
EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
EXPECT_TRUE(state.HasPublicKeyPins("example.com"));
+ EXPECT_TRUE(state.GetDynamicExpectCTState("example.com", &expect_ct_state));
state.DeleteAllDynamicDataSince(older);
EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com"));
EXPECT_FALSE(state.HasPublicKeyPins("example.com"));
+ EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state));
- // STS and PKP data in |state| should be empty now.
+ // Dynamic data in |state| should be empty now.
EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext());
EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext());
+ EXPECT_FALSE(TransportSecurityState::ExpectCTStateIterator(state).HasNext());
}
TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndEnableFeature(
+ TransportSecurityState::kDynamicExpectCTFeature);
TransportSecurityState state;
const base::Time current_time(base::Time::Now());
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
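Review bot: The bare `true` in `state.AddExpectCT("example.com", expiry, true, GURL());` does not say which policy bit it sets; judging by the comment in the later DynamicExpectCTState test it is the enforce flag. An argument comment such as `state.AddExpectCT("example.com", expiry, /* enforce */ true, GURL());` would make the call readable at a glance, and the same applies to the other `AddExpectCT` calls added in this diff. `older` is defined outside the visible hunks, so the deletion window itself cannot be checked from here.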
@@ -819,14 +833,22 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) {
state.AddHSTS("example1.test", expiry, include_subdomains);
state.AddHPKP("example1.test", expiry, include_subdomains,
GetSampleSPKIHashes(), GURL());
+ state.AddExpectCT("example1.test", expiry, true, GURL());
EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test"));
EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test"));
EXPECT_TRUE(state.HasPublicKeyPins("example1.test"));
EXPECT_FALSE(state.HasPublicKeyPins("example2.test"));
+ TransportSecurityState::ExpectCTState expect_ct_state;
+ EXPECT_TRUE(state.GetDynamicExpectCTState("example1.test", &expect_ct_state));
+ EXPECT_FALSE(
+ state.GetDynamicExpectCTState("example2.test", &expect_ct_state));
+
EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"));
EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test"));
EXPECT_FALSE(state.HasPublicKeyPins("example1.test"));
+ EXPECT_FALSE(
+ state.GetDynamicExpectCTState("example1.test", &expect_ct_state));
}
TEST_F(TransportSecurityStateTest, EnableStaticPins) {
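Review bot: DeleteDynamicDataForHost never stores Expect-CT state for a second host, so the new assertions would still pass if `DeleteDynamicDataForHost("example1.test")` wiped every Expect-CT entry instead of only the named host's. Adding `state.AddExpectCT("example3.test", expiry, true, GURL());` before the delete and `EXPECT_TRUE(state.GetDynamicExpectCTState("example3.test", &expect_ct_state));` after it would pin the per-host scope. A separate host is needed because the existing `example2.test` checks expect no state. The test starts in the previous hunk.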
@@ -2600,4 +2622,74 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) {
state.ShouldRequireCT("www.example.com", after_cert.get(), hashes));
}
+// Tests that dynamic Expect-CT state is cleared from ClearDynamicData().
+TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndEnableFeature(
+ TransportSecurityState::kDynamicExpectCTFeature);
+ const std::string host("example.test");
+ TransportSecurityState state;
+ TransportSecurityState::ExpectCTState expect_ct_state;
+ const base::Time current_time = base::Time::Now();
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ state.AddExpectCT(host, expiry, true, GURL());
+ EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state));
+ EXPECT_TRUE(expect_ct_state.enforce);
+ EXPECT_TRUE(expect_ct_state.report_uri.is_empty());
+ EXPECT_EQ(expiry, expect_ct_state.expiry);
+
+ state.ClearDynamicData();
+ EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state));
+}
+
+// Tests that dynamic Expect-CT state can be added and retrieved.
+TEST_F(TransportSecurityStateTest, DynamicExpectCTState) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndEnableFeature(
+ TransportSecurityState::kDynamicExpectCTFeature);
+ const std::string host("example.test");
+ TransportSecurityState state;
+ TransportSecurityState::ExpectCTState expect_ct_state;
+ const base::Time current_time = base::Time::Now();
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ // Test that Expect-CT state can be added and retrieved.
+ state.AddExpectCT(host, expiry, true, GURL());
+ EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state));
+ EXPECT_TRUE(expect_ct_state.enforce);
+ EXPECT_TRUE(expect_ct_state.report_uri.is_empty());
+ EXPECT_EQ(expiry, expect_ct_state.expiry);
+
+ // Test that Expect-CT can be updated (e.g. by changing |enforce| to false and
+ // adding a report-uri).
+ const GURL report_uri("https://example-report.test");
+ state.AddExpectCT(host, expiry, false, report_uri);
+ EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state));
+ EXPECT_FALSE(expect_ct_state.enforce);
+ EXPECT_EQ(report_uri, expect_ct_state.report_uri);
+ EXPECT_EQ(expiry, expect_ct_state.expiry);
+
+ // Test that Expect-CT state is discarded when expired.
+ state.AddExpectCT(host, current_time - base::TimeDelta::FromSeconds(1000),
+ true, report_uri);
+ EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state));
+}
+
+// Tests that dynamic Expect-CT state cannot be added when the feature is not
+// enabled.
+TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) {
+ base::test::ScopedFeatureList feature_list;
+ feature_list.InitAndDisableFeature(
+ TransportSecurityState::kDynamicExpectCTFeature);
+ const std::string host("example.test");
+ TransportSecurityState state;
+ TransportSecurityState::ExpectCTState expect_ct_state;
+ const base::Time current_time = base::Time::Now();
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ state.AddExpectCT(host, expiry, true, GURL());
+ EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state));
+}
+
} // namespace net
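Review bot: DynamicExpectCTStateDisabled only covers adding state while the feature is off; nothing covers state stored while `kDynamicExpectCTFeature` was enabled and then queried with it disabled, so the diff does not pin whether `GetDynamicExpectCTState` ignores previously stored entries in that case. A test that adds under one `ScopedFeatureList`, lets it go out of scope, disables the feature and then queries would settle the intended behaviour. In DynamicExpectCTState, the expired-entry case checks only the lookup result. If expired entries are meant to be pruned rather than hidden, `EXPECT_FALSE(TransportSecurityState::ExpectCTStateIterator(state).HasNext());` after the final lookup would confirm it.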