Index: net/http/transport_security_state_unittest.cc |
diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc |
index be41ec32f2932ba5bdf28a119e7d3e0f375b9f67..88492c7980d28ce4729caf2549da02070c4c0005 100644 |
--- a/net/http/transport_security_state_unittest.cc |
+++ b/net/http/transport_security_state_unittest.cc |
@@ -18,6 +18,7 @@ |
#include "base/strings/string_piece.h" |
#include "base/test/histogram_tester.h" |
#include "base/test/mock_entropy_provider.h" |
+#include "base/test/scoped_feature_list.h" |
#include "base/values.h" |
#include "crypto/openssl_util.h" |
#include "crypto/sha2.h" |
@@ -786,6 +787,11 @@ TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
} |
TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
+ base::test::ScopedFeatureList feature_list; |
+ feature_list.InitAndEnableFeature( |
+ TransportSecurityState::kDynamicExpectCTFeature); |
+ TransportSecurityState::ExpectCTState expect_ct_state; |
+ |
TransportSecurityState state; |
const base::Time current_time(base::Time::Now()); |
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
@@ -793,24 +799,32 @@ TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
+ EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
bool include_subdomains = false; |
state.AddHSTS("example.com", expiry, include_subdomains); |
state.AddHPKP("example.com", expiry, include_subdomains, |
GetSampleSPKIHashes(), GURL()); |
+ state.AddExpectCT("example.com", expiry, true, GURL()); |
state.DeleteAllDynamicDataSince(expiry); |
EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com")); |
EXPECT_TRUE(state.HasPublicKeyPins("example.com")); |
+ EXPECT_TRUE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
state.DeleteAllDynamicDataSince(older); |
EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
EXPECT_FALSE(state.HasPublicKeyPins("example.com")); |
+ EXPECT_FALSE(state.GetDynamicExpectCTState("example.com", &expect_ct_state)); |
- // STS and PKP data in |state| should be empty now. |
+ // Dynamic data in |state| should be empty now. |
EXPECT_FALSE(TransportSecurityState::STSStateIterator(state).HasNext()); |
EXPECT_FALSE(TransportSecurityState::PKPStateIterator(state).HasNext()); |
+ EXPECT_FALSE(TransportSecurityState::ExpectCTStateIterator(state).HasNext()); |
} |
TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
+ base::test::ScopedFeatureList feature_list; |
+ feature_list.InitAndEnableFeature( |
+ TransportSecurityState::kDynamicExpectCTFeature); |
TransportSecurityState state; |
const base::Time current_time(base::Time::Now()); |
const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
@@ -819,14 +833,22 @@ TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
state.AddHSTS("example1.test", expiry, include_subdomains); |
state.AddHPKP("example1.test", expiry, include_subdomains, |
GetSampleSPKIHashes(), GURL()); |
+ state.AddExpectCT("example1.test", expiry, true, GURL()); |
EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.test")); |
EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.test")); |
EXPECT_TRUE(state.HasPublicKeyPins("example1.test")); |
EXPECT_FALSE(state.HasPublicKeyPins("example2.test")); |
+ TransportSecurityState::ExpectCTState expect_ct_state; |
+ EXPECT_TRUE(state.GetDynamicExpectCTState("example1.test", &expect_ct_state)); |
+ EXPECT_FALSE( |
+ state.GetDynamicExpectCTState("example2.test", &expect_ct_state)); |
+ |
EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test")); |
EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.test")); |
EXPECT_FALSE(state.HasPublicKeyPins("example1.test")); |
+ EXPECT_FALSE( |
+ state.GetDynamicExpectCTState("example1.test", &expect_ct_state)); |
} |
TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
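Review bot: The new Expect-CT assertions in DeleteDynamicDataForHost never check that deleting one host leaves another host's Expect-CT state alone, because "example1.test" is the only host given an entry. A deletion that over-matched would drop CT enforcement for unrelated hosts and this test would still pass. Consider adding `state.AddExpectCT("example3.test", expiry, true, GURL());` before the delete and `EXPECT_TRUE(state.GetDynamicExpectCTState("example3.test", &expect_ct_state));` after it. Separately, `EXPECT_TRUE(state.DeleteDynamicDataForHost("example1.test"))` is satisfied by the HSTS and HPKP entries alone, so the return value for a host holding only Expect-CT data is not covered. The test body starts in the previous hunk.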
@@ -2600,4 +2622,74 @@ TEST_F(TransportSecurityStateTest, RequireCTForSymantec) { |
state.ShouldRequireCT("www.example.com", after_cert.get(), hashes)); |
} |
+// Tests that dynamic Expect-CT state is cleared from ClearDynamicData(). |
+TEST_F(TransportSecurityStateTest, DynamicExpectCTStateCleared) { |
+ base::test::ScopedFeatureList feature_list; |
+ feature_list.InitAndEnableFeature( |
+ TransportSecurityState::kDynamicExpectCTFeature); |
+ const std::string host("example.test"); |
+ TransportSecurityState state; |
+ TransportSecurityState::ExpectCTState expect_ct_state; |
+ const base::Time current_time = base::Time::Now(); |
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
+ |
+ state.AddExpectCT(host, expiry, true, GURL()); |
+ EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
+ EXPECT_TRUE(expect_ct_state.enforce); |
+ EXPECT_TRUE(expect_ct_state.report_uri.is_empty()); |
+ EXPECT_EQ(expiry, expect_ct_state.expiry); |
+ |
+ state.ClearDynamicData(); |
+ EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
+} |
+ |
+// Tests that dynamic Expect-CT state can be added and retrieved. |
+TEST_F(TransportSecurityStateTest, DynamicExpectCTState) { |
+ base::test::ScopedFeatureList feature_list; |
+ feature_list.InitAndEnableFeature( |
+ TransportSecurityState::kDynamicExpectCTFeature); |
+ const std::string host("example.test"); |
+ TransportSecurityState state; |
+ TransportSecurityState::ExpectCTState expect_ct_state; |
+ const base::Time current_time = base::Time::Now(); |
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
+ |
+ // Test that Expect-CT state can be added and retrieved. |
+ state.AddExpectCT(host, expiry, true, GURL()); |
+ EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
+ EXPECT_TRUE(expect_ct_state.enforce); |
+ EXPECT_TRUE(expect_ct_state.report_uri.is_empty()); |
+ EXPECT_EQ(expiry, expect_ct_state.expiry); |
+ |
+ // Test that Expect-CT can be updated (e.g. by changing |enforce| to false and |
+ // adding a report-uri). |
+ const GURL report_uri("https://example-report.test"); |
+ state.AddExpectCT(host, expiry, false, report_uri); |
+ EXPECT_TRUE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
+ EXPECT_FALSE(expect_ct_state.enforce); |
+ EXPECT_EQ(report_uri, expect_ct_state.report_uri); |
+ EXPECT_EQ(expiry, expect_ct_state.expiry); |
+ |
+ // Test that Expect-CT state is discarded when expired. |
+ state.AddExpectCT(host, current_time - base::TimeDelta::FromSeconds(1000), |
+ true, report_uri); |
+ EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
+} |
+ |
+// Tests that dynamic Expect-CT state cannot be added when the feature is not |
+// enabled. |
+TEST_F(TransportSecurityStateTest, DynamicExpectCTStateDisabled) { |
+ base::test::ScopedFeatureList feature_list; |
+ feature_list.InitAndDisableFeature( |
+ TransportSecurityState::kDynamicExpectCTFeature); |
+ const std::string host("example.test"); |
+ TransportSecurityState state; |
+ TransportSecurityState::ExpectCTState expect_ct_state; |
+ const base::Time current_time = base::Time::Now(); |
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
+ |
+ state.AddExpectCT(host, expiry, true, GURL()); |
+ EXPECT_FALSE(state.GetDynamicExpectCTState(host, &expect_ct_state)); |
+} |
+ |
} // namespace net |
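Review bot: DynamicExpectCTStateDisabled asserts only that `GetDynamicExpectCTState` returns false, which would also pass if `AddExpectCT` stored the entry and just the getter were gated on the feature. Since the test comment says state "cannot be added", add `EXPECT_FALSE(TransportSecurityState::ExpectCTStateIterator(state).HasNext());` after the getter check so the test pins that nothing was stored. The same iterator check at the end of the expired-entry case in DynamicExpectCTState would show the stale entry is actually gone rather than merely hidden from lookups. The implementation is not visible in this diff, so this is about what the tests can distinguish, not a claim that the code is wrong.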