Add --ignore-certificate-errors-spki-list switch and UMA histogram.

chrome/browser/ssl/ssl_browser_tests.cc

Index: chrome/browser/ssl/ssl_browser_tests.cc
diff --git a/chrome/browser/ssl/ssl_browser_tests.cc b/chrome/browser/ssl/ssl_browser_tests.cc
index 169a55beaabd1ba6c20bffcc897328375fa8a76f..8797d940fe276fff0a4147d0ee9ef2bc894efe22 100644
--- a/chrome/browser/ssl/ssl_browser_tests.cc
+++ b/chrome/browser/ssl/ssl_browser_tests.cc
@@ -4,6 +4,7 @@
 
 #include <utility>
 
+#include "base/base64.h"
 #include "base/base_switches.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ -53,6 +54,7 @@
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/test/base/in_process_browser_test.h"
+#include "chrome/test/base/test_launcher_utils.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "components/content_settings/core/browser/host_content_settings_map.h"
 #include "components/network_time/network_time_test_utils.h"
@@ -317,7 +319,10 @@ class SSLUITest : public InProcessBrowserTest {
         https_server_mismatched_(net::EmbeddedTestServer::TYPE_HTTPS),
         wss_server_expired_(net::SpawnedTestServer::TYPE_WSS,
                             SSLOptions(SSLOptions::CERT_EXPIRED),
-                            net::GetWebSocketTestDataDirectory()) {
+                            net::GetWebSocketTestDataDirectory()),
+        wss_server_mismatched_(net::SpawnedTestServer::TYPE_WSS,
+                               SSLOptions(SSLOptions::CERT_MISMATCHED_NAME),
+                               net::GetWebSocketTestDataDirectory()) {
     https_server_.AddDefaultHandlers(base::FilePath(kDocRoot));
 
     https_server_expired_.SetSSLConfig(net::EmbeddedTestServer::CERT_EXPIRED);
@@ -631,6 +636,7 @@ class SSLUITest : public InProcessBrowserTest {
   net::EmbeddedTestServer https_server_expired_;
   net::EmbeddedTestServer https_server_mismatched_;
   net::SpawnedTestServer wss_server_expired_;
+  net::SpawnedTestServer wss_server_mismatched_;
 
  protected:
   // Navigates to an interstitial and clicks through the certificate
@@ -689,6 +695,40 @@ class SSLUITestIgnoreCertErrors : public SSLUITest {
   }
 };
 
+static std::string MakeCertSPKIFingerprint(net::X509Certificate* cert) {
+  net::HashValue hash = GetSPKIHash(cert);
+  std::string hash_base64;
+  base::Base64Encode(
+      base::StringPiece(reinterpret_cast<const char*>(hash.data()),
+                        hash.size()),
+      &hash_base64);
+  return hash_base64;
+}
+
+class SSLUITestIgnoreCertErrorsBySPKIHTTPS : public SSLUITest {
+ protected:
+  void SetUpCommandLine(base::CommandLine* command_line) override {
+    std::string whitelist_flag = MakeCertSPKIFingerprint(
+        https_server_mismatched_.GetCertificate().get());
+    command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList,
+                                    whitelist_flag);
+  }
+};
+
+class SSLUITestIgnoreCertErrorsBySPKIWSS : public SSLUITest {
+ public:
+  SSLUITestIgnoreCertErrorsBySPKIWSS() : SSLUITest() {}
+
+  void SetUpCommandLine(base::CommandLine* command_line) override {
+    std::string whitelist_flag =
+        MakeCertSPKIFingerprint(wss_server_expired_.GetCertificate().get());
+    // Browser will ignore certificate errors for chains matching one of the
+    // public keys from the list.

[estark, 2017/05/17 18:04:18]

optional nit: just for consistency, include this comment above line 713

[martinkr, 2017/05/23 18:30:43]

Done.

+    command_line->AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList,
+                                    whitelist_flag);
+  }
+};
+
 class SSLUITestIgnoreLocalhostCertErrors : public SSLUITest {
  public:
   SSLUITestIgnoreLocalhostCertErrors() : SSLUITest() {}
@@ -2664,6 +2704,52 @@ IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrors, TestWSS) {
   EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
 }
 
+// Visit a page and establish a WebSocket connection over bad https with

[estark, 2017/05/17 18:04:18]

Question: are you testing WebSockets because they are handled in a special way,
or to test that certificate errors on non-main-frame resources are ignored, or
both?

It might be good to have  a test that the flag works properly on subresources,
e.g. navigate to http://blah which loads an image (or script or whatever) from
https://expired.com, where the https://expired.com cert is in
--ignore-cert-errors-spki-list, and check that the image is loaded properly.

[martinkr, 2017/05/23 18:30:43]

I was actually just aping SSLUITestIgnoreCertErrors, but assumed it was to cover
both websocket specialness and non-mainframe resourcey behavior. I added the
suggested test.

+// --disable-certificate-errors-spki-list. The connection should be established

[estark, 2017/05/17 18:04:18]

nit: s/disable/ignore? (same on line 2735)

[martinkr, 2017/05/23 18:30:43]

Done.

+// without interstitial page showing.
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIWSS, TestWSSExpired) {
+  ASSERT_TRUE(embedded_test_server()->Start());

[estark, 2017/05/17 18:04:19]

Do you need this? Doesn't look like you use it unless I'm missing it.

[martinkr, 2017/05/23 18:30:43]

Done.

+  ASSERT_TRUE(wss_server_expired_.Start());
+
+  // Setup page title observer.
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+  content::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
+  watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
+
+  // Visit bad HTTPS page.
+  GURL::Replacements replacements;
+  replacements.SetSchemeStr("https");
+  ui_test_utils::NavigateToURL(browser(),
+                               wss_server_expired_.GetURL("connect_check.html")
+                                   .ReplaceComponents(replacements));
+
+  // We shouldn't have an interstitial page showing here.
+
+  // Test page run a WebSocket wss connection test. The result will be shown
+  // as page title.
+  const base::string16 result = watcher.WaitAndGetTitle();
+  EXPECT_TRUE(base::LowerCaseEqualsASCII(result, "pass"));
+}
+
+// Test that HTTPS pages with a bad certificate don't show an interstitial if
+// the public key matches a value from --disable-certificate-errors-spki-list.
+IN_PROC_BROWSER_TEST_F(SSLUITestIgnoreCertErrorsBySPKIHTTPS, TestHTTPS) {
+  ASSERT_TRUE(https_server_mismatched_.Start());
+
+  WebContents* tab = browser()->tab_strip_model()->GetActiveWebContents();
+
+  ui_test_utils::NavigateToURL(
+      browser(),
+      https_server_mismatched_.GetURL("/ssl/page_with_subresource.html"));
+
+  // We should see no interstitial. The script tag in the page should have
+  // loaded and ran (and wasn't blocked by the certificate error).
+  CheckAuthenticatedState(tab, AuthState::NONE);
+  base::string16 title;
+  ui_test_utils::GetCurrentTabTitle(browser(), &title);
+  EXPECT_EQ(title, base::ASCIIToUTF16("This script has loaded"));
+}
+
 // Verifies that the interstitial can proceed, even if JavaScript is disabled.
 // http://crbug.com/322948
 #if defined(OS_LINUX)