
Unified Diff: net/cert/ignore_errors_cert_verifier_unittest.cc

Issue 2753123002: Add --ignore-certificate-errors-spki-list switch and UMA histogram. (Closed)
Patch Set: Really add IgnoreErrorsCertVerifier. Created 3 years, 8 months ago
Index: net/cert/ignore_errors_cert_verifier_unittest.cc
diff --git a/net/cert/ignore_errors_cert_verifier_unittest.cc b/net/cert/ignore_errors_cert_verifier_unittest.cc
new file mode 100644
index 0000000000000000000000000000000000000000..ff8c1588c7db4887ae251fbbbc45fb222bde5ddd
--- /dev/null
+++ b/net/cert/ignore_errors_cert_verifier_unittest.cc
@@ -0,0 +1,147 @@
+// Copyright (c) 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/cert/ignore_errors_cert_verifier.h"
+
+#include "base/files/file_path.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/ref_counted.h"
+#include "net/base/net_errors.h"
+#include "net/base/test_completion_callback.h"
+#include "net/cert/mock_cert_verifier.h"
+#include "net/cert/x509_certificate.h"
+#include "net/log/net_log_with_source.h"
+#include "net/test/cert_test_util.h"
+#include "net/test/gtest_util.h"
+#include "net/test/test_data_directory.h"
+#include "testing/gmock/include/gmock/gmock.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace net {
+
+using test::IsError;
+using test::IsOk;
+
+static IgnoreErrorsCertVerifier::SPKIHashSet MakeWhitelist() {
+ std::vector<std::string> fingerprints{
+ "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", "foobar",
+ // SPKI fingerprint of the intermediate from
+ // x509_verify_results.chain.pem:
+ "MtnqgdSwAIgEjse7SpxnmyKoo/RTiL9CDIWwFnz4nas=",
+ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="};
+ return IgnoreErrorsCertVerifier::MakeWhitelist(fingerprints);
+};
+
+class IgnoreErrorsCertVerifierTest : public ::testing::Test {
+ public:
+ IgnoreErrorsCertVerifierTest()
+ : mock_verifier_(new MockCertVerifier()),
+ verifier_(base::WrapUnique(mock_verifier_), MakeWhitelist()) {}
+ ~IgnoreErrorsCertVerifierTest() override {}
+
+ protected:
+ // The wrapped CertVerifier. Defaults to returning ERR_CERT_INVALID. Owned by
+ // verifier_.
+ MockCertVerifier* mock_verifier_;
+ IgnoreErrorsCertVerifier verifier_;
+};
+
+static scoped_refptr<X509Certificate> GetNonWhitelistedTestCert() {
+ base::FilePath certs_dir = GetTestCertsDirectory();
+ scoped_refptr<X509Certificate> test_cert(
+ ImportCertFromFile(certs_dir, "ok_cert.pem"));
+ CHECK(test_cert);
+ return test_cert;
+}
+
+static CertVerifier::RequestParams MakeRequestParams(
+ const scoped_refptr<X509Certificate>& cert) {
+ return CertVerifier::RequestParams(cert, "example.com", 0, "",
+ CertificateList());
+}
+
+static scoped_refptr<X509Certificate> GetWhitelistedTestCert() {
+ base::FilePath certs_dir = GetTestCertsDirectory();
+ CertificateList certs = CreateCertificateListFromFile(
+ certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
+ CHECK_EQ(3U, certs.size());
+ X509Certificate::OSCertHandles intermediates;
+ intermediates.push_back(certs[1]->os_cert_handle());
+ intermediates.push_back(certs[2]->os_cert_handle());
+ scoped_refptr<X509Certificate> cert_chain = X509Certificate::CreateFromHandle(
+ certs[0]->os_cert_handle(), intermediates);
+ CHECK(cert_chain);
+ CHECK_EQ(2U, cert_chain->GetIntermediateCertificates().size());
+ return cert_chain;
+}
+
+TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertOk) {
+ mock_verifier_->set_default_result(OK);
+
+ auto test_cert = GetNonWhitelistedTestCert();
Ryan Sleevi 2017/04/07 16:08:05 We try to forbid auto here when it can hide memory
martinkr 2017/04/07 21:40:57 Yep, agreed. Done.
+ CertVerifyResult verify_result;
+ TestCompletionCallback callback;
+ std::unique_ptr<CertVerifier::Request> request;
+
+ EXPECT_THAT(callback.GetResult(verifier_.Verify(
+ MakeRequestParams(test_cert), nullptr, &verify_result,
+ callback.callback(), &request, NetLogWithSource())),
+ IsOk());
+}
+
+TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertError) {
+ auto test_cert = GetNonWhitelistedTestCert();
+ CertVerifyResult verify_result;
+ TestCompletionCallback callback;
+ std::unique_ptr<CertVerifier::Request> request;
+
+ EXPECT_THAT(callback.GetResult(verifier_.Verify(
+ MakeRequestParams(test_cert), nullptr, &verify_result,
+ callback.callback(), &request, NetLogWithSource())),
+ IsError(ERR_CERT_INVALID));
+}
+
+TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertErrorCallback) {
+ mock_verifier_->set_async(true);
+
+ auto test_cert = GetNonWhitelistedTestCert();
+ CertVerifyResult verify_result;
+ TestCompletionCallback callback;
+ std::unique_ptr<CertVerifier::Request> request;
+
+ EXPECT_THAT(
+ verifier_.Verify(MakeRequestParams(test_cert), nullptr, &verify_result,
+ callback.callback(), &request, NetLogWithSource()),
+ IsError(ERR_IO_PENDING));
+ EXPECT_THAT(callback.WaitForResult(), IsError(ERR_CERT_INVALID));
+}
+
+TEST_F(IgnoreErrorsCertVerifierTest, TestMatch) {
+ auto test_cert = GetWhitelistedTestCert();
+ CertVerifyResult verify_result;
+ TestCompletionCallback callback;
+ std::unique_ptr<CertVerifier::Request> request;
+
+ EXPECT_THAT(callback.GetResult(verifier_.Verify(
+ MakeRequestParams(test_cert), nullptr, &verify_result,
+ callback.callback(), &request, NetLogWithSource())),
+ IsOk());
+}
+
+TEST_F(IgnoreErrorsCertVerifierTest, TestMatchCallback) {
+ mock_verifier_->set_async(true);
+
+ auto test_cert = GetWhitelistedTestCert();
+ CertVerifyResult verify_result;
+ TestCompletionCallback callback;
+ std::unique_ptr<CertVerifier::Request> request;
+
+ EXPECT_THAT(
+ verifier_.Verify(MakeRequestParams(test_cert), nullptr, &verify_result,
+ callback.callback(), &request, NetLogWithSource()),
+ IsError(ERR_IO_PENDING));
+ EXPECT_THAT(callback.WaitForResult(), IsOk());
+}
+
+} // namespace net
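Review bot: TestMatch and TestMatchCallback assert only the returned net error and never inspect `verify_result`, so a verifier that returns OK on a whitelist hit while leaving the result unpopulated, or still carrying error status bits, would pass both tests. If IgnoreErrorsCertVerifier is meant to fill in the result on a match (its implementation is not visible in this file), add a check such as `EXPECT_EQ(test_cert.get(), verify_result.verified_cert.get());` after the `IsOk()` expectation in each. The only fingerprint in MakeWhitelist() that can match is the intermediate's, so these tests pin that a single whitelisted SPKI anywhere in the chain overrides ERR_CERT_INVALID for the whole chain. A comment on TestMatch such as `// Matches on the intermediate's SPKI, not the leaf's.` and a separate leaf-SPKI case would make that scope explicit. Nothing here asserts that the malformed `"foobar"` entry is dropped by MakeWhitelist() rather than stored.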
