Serialize and deserialize dynamic Expect-CT state

net/http/transport_security_persister_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_persister.h"
 
 #include <map>
 #include <memory>
 #include <string>
 #include <vector>
 
 #include "base/files/file_path.h"
 #include "base/files/file_util.h"
 #include "base/files/scoped_temp_dir.h"
 #include "base/message_loop/message_loop.h"
 #include "base/run_loop.h"
+#include "base/test/scoped_feature_list.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "net/http/transport_security_state.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace net {
 
 namespace {
 
 const char kReportUri[] = "http://www.example.test/report";
 
@@ skipping 197 matching lines @@
 
   TransportSecurityState::PKPState new_pkp_state;
   EXPECT_TRUE(state_.GetDynamicPKPState(kTestDomain, &new_pkp_state));
   EXPECT_EQ(1u, new_pkp_state.spki_hashes.size());
   EXPECT_EQ(sha256.tag, new_pkp_state.spki_hashes[0].tag);
   EXPECT_EQ(0, memcmp(new_pkp_state.spki_hashes[0].data(), sha256.data(),
                       sha256.size()));
   EXPECT_EQ(report_uri, new_pkp_state.report_uri);
 }
 
+TEST_F(TransportSecurityPersisterTest, ExpectCT) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      TransportSecurityState::kDynamicExpectCTFeature);
+  const GURL report_uri(kReportUri);
+  TransportSecurityState::ExpectCTState expect_ct_state;
+  static const char kTestDomain[] = "example.test";
+
+  EXPECT_FALSE(state_.GetDynamicExpectCTState(kTestDomain, &expect_ct_state));
+
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+  state_.AddExpectCT(kTestDomain, expiry, true /* enforce */, GURL());
+  std::string serialized;
+  EXPECT_TRUE(persister_->SerializeData(&serialized));
+  bool dirty;
+  EXPECT_TRUE(persister_->LoadEntries(serialized, &dirty));

[mattm, 2017/04/15 04:45:02]

So this is loading the serialized data back into the same state_ object? Would
the test still pass if persister_ did nothing at all?

[estark, 2017/04/15 20:18:03]

LoadEntries() clears existing dynamic data
(https://cs.chromium.org/chromium/src/net/http/transport_security_persister.h?...)

I noted this in a comment to make it clearer. I could instead reset |state_| and
|persister_| before calling LoadEntries() to make it more explicit; any
preference?

[mattm, 2017/04/18 20:25:35]

I think this would be fine if there was another test that verified that
LoadEntries actually did clear entries (eg, create entries of each type, load an
empty json dictionary, check that the entries no longer exist.) 

[estark, 2017/04/18 22:36:26]

Done.

+
+  TransportSecurityState::ExpectCTState new_expect_ct_state;
+  EXPECT_TRUE(
+      state_.GetDynamicExpectCTState(kTestDomain, &new_expect_ct_state));
+  EXPECT_TRUE(new_expect_ct_state.enforce);
+  EXPECT_TRUE(new_expect_ct_state.report_uri.is_empty());
+  EXPECT_EQ(expiry, new_expect_ct_state.expiry);
+
+  // Update the state for the domian and check that it is

[mattm, 2017/04/15 04:45:01]

domain

[estark, 2017/04/15 20:18:03]

Done.

+  // serialized/deserialized correctly.
+  state_.AddExpectCT(kTestDomain, expiry, false /* enforce */, report_uri);
+  EXPECT_TRUE(persister_->SerializeData(&serialized));
+  EXPECT_TRUE(persister_->LoadEntries(serialized, &dirty));
+  EXPECT_TRUE(
+      state_.GetDynamicExpectCTState(kTestDomain, &new_expect_ct_state));
+  EXPECT_FALSE(new_expect_ct_state.enforce);
+  EXPECT_EQ(report_uri, new_expect_ct_state.report_uri);
+  EXPECT_EQ(expiry, new_expect_ct_state.expiry);
+}
+
+// Tests that Expect-CT state is not serialized and persisted when the feature
+// is disabled.
+TEST_F(TransportSecurityPersisterTest, ExpectCTDisabled) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndDisableFeature(
+      TransportSecurityState::kDynamicExpectCTFeature);
+  const GURL report_uri(kReportUri);
+  TransportSecurityState::ExpectCTState expect_ct_state;
+  static const char kTestDomain[] = "example.test";
+
+  EXPECT_FALSE(state_.GetDynamicExpectCTState(kTestDomain, &expect_ct_state));
+
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+  state_.AddExpectCT(kTestDomain, expiry, true /* enforce */, GURL());
+  std::string serialized;
+  EXPECT_TRUE(persister_->SerializeData(&serialized));
+  bool dirty;
+  EXPECT_TRUE(persister_->LoadEntries(serialized, &dirty));
+
+  TransportSecurityState::ExpectCTState new_expect_ct_state;
+  EXPECT_FALSE(
+      state_.GetDynamicExpectCTState(kTestDomain, &new_expect_ct_state));
+}
+
 }  // namespace
 
 }  // namespace net