Check Expect-CT at connection setup

net/spdy/chromium/spdy_session_unittest.cc

Index: net/spdy/chromium/spdy_session_unittest.cc
diff --git a/net/spdy/chromium/spdy_session_unittest.cc b/net/spdy/chromium/spdy_session_unittest.cc
index 57bfa214e1010e232bae6f905a18afe32b0f58f3..6b0b2b093414503457db58255af3e9cf727022f6 100644
--- a/net/spdy/chromium/spdy_session_unittest.cc
+++ b/net/spdy/chromium/spdy_session_unittest.cc
@@ -5945,6 +5945,36 @@ TEST(CanPoolTest, CanPool) {
       &tss, ssl_info, "www.example.org", "mail.google.com"));
 }
 
+TEST(CanPoolTest, CanPoolExpectCT) {
+  base::test::ScopedFeatureList feature_list;
+  feature_list.InitAndEnableFeature(
+      TransportSecurityState::kDynamicExpectCTFeature);
+  // Load a cert that is valid for:
+  //   www.example.org
+  //   mail.example.org
+  //   mail.example.com
+
+  TransportSecurityState tss;
+  SSLInfo ssl_info;
+  ssl_info.cert =
+      ImportCertFromFile(GetTestCertsDirectory(), "spdy_pooling.pem");
+  ssl_info.unverified_cert = ssl_info.cert;
+  ssl_info.ct_cert_policy_compliance =
+      ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+  ssl_info.is_issued_by_known_root = true;
+
+  EXPECT_TRUE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+                                   "www.example.org"));
+
+  const base::Time current_time(base::Time::Now());
+  const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+  tss.AddExpectCT("www.example.org", expiry, true, GURL());
+  ssl_info.ct_cert_policy_compliance =
+      ct::CertPolicyCompliance::CERT_POLICY_NOT_ENOUGH_SCTS;
+  EXPECT_FALSE(SpdySession::CanPool(&tss, ssl_info, "www.example.org",
+                                    "www.example.org"));

[mattm, 2017/05/02 23:32:52]

use different hostnames so that the test verifies that it is checking the
expect-ct status for the correct hostname

[estark, 2017/05/04 01:18:30]

Done.

+}
+
 TEST(CanPoolTest, CanNotPoolWithCertErrors) {
   // Load a cert that is valid for:
   //   www.example.org