Chromium Code Reviews Chromium Code Reviews
Issue 2906633003:
Add a build flag to configure bundling of HSTS preload list (Closed)
| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include <stdint.h> | 5 #include <stdint.h> |
| 6 | 6 |
| 7 #include "base/base64.h" | 7 #include "base/base64.h" |
| 8 #include "base/stl_util.h" | 8 #include "base/stl_util.h" |
| 9 #include "base/strings/string_piece.h" | 9 #include "base/strings/string_piece.h" |
| 10 #include "crypto/sha2.h" | 10 #include "crypto/sha2.h" |
| (...skipping 634 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 645 } | 645 } |
| 646 | 646 |
| 647 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { | 647 TEST_F(HttpSecurityHeadersTest, BogusPinsHeadersSHA256) { |
| 648 TestBogusPinsHeaders(HASH_VALUE_SHA256); | 648 TestBogusPinsHeaders(HASH_VALUE_SHA256); |
| 649 } | 649 } |
| 650 | 650 |
| 651 TEST_F(HttpSecurityHeadersTest, ValidPKPHeadersSHA256) { | 651 TEST_F(HttpSecurityHeadersTest, ValidPKPHeadersSHA256) { |
| 652 TestValidPKPHeaders(HASH_VALUE_SHA256); | 652 TestValidPKPHeaders(HASH_VALUE_SHA256); |
| 653 } | 653 } |
| 654 | 654 |
| 655 #if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) | |
| 656 TEST_F(HttpSecurityHeadersTest, DISABLED_UpdateDynamicPKPOnly) { | |
| 657 #else | |
| 655 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { | 658 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) { |
| 659 #endif | |
|
Ryan Sleevi
2017/07/07 16:45:13
Ah, apologies for not providing a clearer example.
xunjieli
2017/07/10 22:20:39
Done. Changed to MAYBE_ prefix. Thank you for the
| |
| 656 TransportSecurityState state; | 660 TransportSecurityState state; |
| 657 TransportSecurityState::STSState static_sts_state; | 661 TransportSecurityState::STSState static_sts_state; |
| 658 TransportSecurityState::PKPState static_pkp_state; | 662 TransportSecurityState::PKPState static_pkp_state; |
| 659 | 663 |
| 660 // docs.google.com has preloaded pins. | 664 // docs.google.com has preloaded pins. |
| 661 std::string domain = "docs.google.com"; | 665 std::string domain = "docs.google.com"; |
| 662 state.enable_static_pins_ = true; | 666 state.enable_static_pins_ = true; |
| 663 EXPECT_TRUE( | 667 EXPECT_TRUE( |
| 664 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); | 668 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); |
| 665 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); | 669 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); |
| (...skipping 48 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 714 EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); | 718 EXPECT_EQ(2UL, new_dynamic_pkp_state.spki_hashes.size()); |
| 715 EXPECT_EQ(report_uri, new_dynamic_pkp_state.report_uri); | 719 EXPECT_EQ(report_uri, new_dynamic_pkp_state.report_uri); |
| 716 | 720 |
| 717 EXPECT_TRUE( | 721 EXPECT_TRUE( |
| 718 base::ContainsValue(new_dynamic_pkp_state.spki_hashes, good_hash)); | 722 base::ContainsValue(new_dynamic_pkp_state.spki_hashes, good_hash)); |
| 719 | 723 |
| 720 EXPECT_TRUE( | 724 EXPECT_TRUE( |
| 721 base::ContainsValue(new_dynamic_pkp_state.spki_hashes, backup_hash)); | 725 base::ContainsValue(new_dynamic_pkp_state.spki_hashes, backup_hash)); |
| 722 } | 726 } |
| 723 | 727 |
| 728 #if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) | |
| 729 TEST_F(HttpSecurityHeadersTest, DISABLED_UpdateDynamicPKPMaxAge0) { | |
| 730 #else | |
| 724 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) { | 731 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0) { |
| 732 #endif | |
| 725 TransportSecurityState state; | 733 TransportSecurityState state; |
| 726 TransportSecurityState::STSState static_sts_state; | 734 TransportSecurityState::STSState static_sts_state; |
| 727 TransportSecurityState::PKPState static_pkp_state; | 735 TransportSecurityState::PKPState static_pkp_state; |
| 728 | 736 |
| 729 // docs.google.com has preloaded pins. | 737 // docs.google.com has preloaded pins. |
| 730 std::string domain = "docs.google.com"; | 738 std::string domain = "docs.google.com"; |
| 731 state.enable_static_pins_ = true; | 739 state.enable_static_pins_ = true; |
| 732 ASSERT_TRUE( | 740 ASSERT_TRUE( |
| 733 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); | 741 state.GetStaticDomainState(domain, &static_sts_state, &static_pkp_state)); |
| 734 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); | 742 EXPECT_GT(static_pkp_state.spki_hashes.size(), 1UL); |
| (...skipping 57 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 792 state.CheckPublicKeyPins( | 800 state.CheckPublicKeyPins( |
| 793 domain_port, is_issued_by_known_root, | 801 domain_port, is_issued_by_known_root, |
| 794 new_static_pkp_state2.spki_hashes, nullptr, nullptr, | 802 new_static_pkp_state2.spki_hashes, nullptr, nullptr, |
| 795 TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); | 803 TransportSecurityState::DISABLE_PIN_REPORTS, &failure_log)); |
| 796 EXPECT_NE(0UL, failure_log.length()); | 804 EXPECT_NE(0UL, failure_log.length()); |
| 797 } | 805 } |
| 798 | 806 |
| 799 // Tests that when a static HSTS and a static HPKP entry are present, adding a | 807 // Tests that when a static HSTS and a static HPKP entry are present, adding a |
| 800 // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a | 808 // dynamic HSTS header does not clobber the static HPKP entry. Further, adding a |
| 801 // dynamic HPKP entry could not affect the HSTS entry for the site. | 809 // dynamic HPKP entry could not affect the HSTS entry for the site. |
| 810 #if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST) | |
| 811 TEST_F(HttpSecurityHeadersTest, DISABLED_NoClobberPins) { | |
| 812 #else | |
| 802 TEST_F(HttpSecurityHeadersTest, NoClobberPins) { | 813 TEST_F(HttpSecurityHeadersTest, NoClobberPins) { |
| 814 #endif | |
| 803 TransportSecurityState state; | 815 TransportSecurityState state; |
| 804 TransportSecurityState::STSState sts_state; | 816 TransportSecurityState::STSState sts_state; |
| 805 TransportSecurityState::PKPState pkp_state; | 817 TransportSecurityState::PKPState pkp_state; |
| 806 | 818 |
| 807 // accounts.google.com has preloaded pins. | 819 // accounts.google.com has preloaded pins. |
| 808 std::string domain = "accounts.google.com"; | 820 std::string domain = "accounts.google.com"; |
| 809 state.enable_static_pins_ = true; | 821 state.enable_static_pins_ = true; |
| 810 | 822 |
| 811 // Retrieve the static STS and PKP states as it is by default, including its | 823 // Retrieve the static STS and PKP states as it is by default, including its |
| 812 // known good pins. | 824 // known good pins. |
| (...skipping 373 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1186 EXPECT_TRUE(ParseExpectCTHeader( | 1198 EXPECT_TRUE(ParseExpectCTHeader( |
| 1187 " max-age=999999999999999999999999999999999999999999999 ," | 1199 " max-age=999999999999999999999999999999999999999999999 ," |
| 1188 " enforce ", | 1200 " enforce ", |
| 1189 &max_age, &enforce, &report_uri)); | 1201 &max_age, &enforce, &report_uri)); |
| 1190 EXPECT_EQ(base::TimeDelta::FromSeconds(kMaxExpectCTAgeSecs), max_age); | 1202 EXPECT_EQ(base::TimeDelta::FromSeconds(kMaxExpectCTAgeSecs), max_age); |
| 1191 EXPECT_TRUE(enforce); | 1203 EXPECT_TRUE(enforce); |
| 1192 EXPECT_TRUE(report_uri.is_empty()); | 1204 EXPECT_TRUE(report_uri.is_empty()); |
| 1193 } | 1205 } |
| 1194 | 1206 |
| 1195 } // namespace net | 1207 } // namespace net |
| OLD | NEW |
