add setter for enable_pkp_bypass_etc

components/cronet/ios/Cronet.mm

 // Copyright 2016 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "components/cronet/ios/Cronet.h"
 
 #include <memory>
 #include <vector>
 
 #include "base/lazy_instance.h"
@@ skipping 16 matching lines @@
 class CronetHttpProtocolHandlerDelegate;
 
 using QuicHintVector =
     std::vector<std::unique_ptr<cronet::URLRequestContextConfig::QuicHint>>;
 // Currently there is one and only one instance of CronetEnvironment,
 // which is leaked at the shutdown. We should consider allowing multiple
 // instances if that makes sense in the future.
 base::LazyInstance<std::unique_ptr<cronet::CronetEnvironment>>::Leaky
     gChromeNet = LAZY_INSTANCE_INITIALIZER;
 
+// TODO(lilyhoughton) make these independent across Cronet instances, i.e.:
+// refresh them on shutdown, and add tests to make sure the defaults are
+// sane.
 BOOL gHttp2Enabled = YES;
 BOOL gQuicEnabled = NO;
 cronet::URLRequestContextConfig::HttpCacheType gHttpCache =
     cronet::URLRequestContextConfig::HttpCacheType::DISK;
 QuicHintVector gQuicHints;
 NSString* gExperimentalOptions = @"{}";
 NSString* gUserAgent = nil;
 BOOL gUserAgentPartial = NO;
 NSString* gSslKeyLogFileName = nil;
 std::vector<std::unique_ptr<cronet::URLRequestContextConfig::Pkp>> gPkpList;
 RequestFilterBlock gRequestFilterBlock = nil;
 base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
     gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
 NSURLCache* gPreservedSharedURLCache = nil;
-BOOL gEnableTestCertVerifierForTesting = FALSE;
+BOOL gEnableTestCertVerifierForTesting = NO;
 std::unique_ptr<net::CertVerifier> gMockCertVerifier;
 NSString* gAcceptLanguages = nil;
+BOOL gEnablePKPBypassForLocalTrustAnchors = YES;
 
 // CertVerifier, which allows any certificates for testing.
 class TestCertVerifier : public net::CertVerifier {
   int Verify(const RequestParams& params,
              net::CRLSet* crl_set,
              net::CertVerifyResult* verify_result,
              const net::CompletionCallback& callback,
              std::unique_ptr<Request>* out_req,
              const net::NetLogWithSource& net_log) override {
     net::Error result = net::OK;
@@ skipping 154 matching lines @@
     gRequestFilterBlock = block;
 }
 
 + (BOOL)addPublicKeyPinsForHost:(NSString*)host
                       pinHashes:(NSSet<NSData*>*)pinHashes
               includeSubdomains:(BOOL)includeSubdomains
                  expirationDate:(NSDate*)expirationDate
                           error:(NSError**)outError {
   [self checkNotStarted];
 
+  // Pinning a key only makes sense if pin bypassing has been disabled
+  if (gEnablePKPBypassForLocalTrustAnchors) {
+    *outError =
+        [self createUnsupportedConfigurationError:
+                  @"Cannot pin keys while public key pinning is bypassed"];
+    return NO;
+  }
+
   auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
       base::SysNSStringToUTF8(host), includeSubdomains,
       base::Time::FromCFAbsoluteTime(
           [expirationDate timeIntervalSinceReferenceDate]));
 
   for (NSData* hash in pinHashes) {
     net::SHA256HashValue hashValue = net::SHA256HashValue();
     if (sizeof(hashValue.data) != hash.length) {
       *outError =
           [self createIllegalArgumentErrorWithArgument:@"pinHashes"
                                                 reason:
                                                     @"The length of PKP SHA256 "
                                                     @"hash should be 256 bits"];
       return NO;
     }
     memcpy((void*)(hashValue.data), [hash bytes], sizeof(hashValue.data));
     pkp->pin_hashes.push_back(net::HashValue(hashValue));
   }
   gPkpList.push_back(std::move(pkp));
   if (outError) {
     *outError = nil;
   }
   return YES;
 }
 
++ (void)setEnablePublicKeyPinningBypassForLocalTrustAnchors:(BOOL)enable {
+  gEnablePKPBypassForLocalTrustAnchors = enable;
+}
+
 + (void)startInternal {
   std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
 
   gChromeNet.Get().reset(
       new cronet::CronetEnvironment(user_agent, gUserAgentPartial));
 
   gChromeNet.Get()->set_accept_language(
       base::SysNSStringToUTF8(gAcceptLanguages ?: [self getAcceptLanguages]));
 
   gChromeNet.Get()->set_http2_enabled(gHttp2Enabled);
   gChromeNet.Get()->set_quic_enabled(gQuicEnabled);
   gChromeNet.Get()->set_experimental_options(
       base::SysNSStringToUTF8(gExperimentalOptions));
   gChromeNet.Get()->set_http_cache(gHttpCache);
   gChromeNet.Get()->set_ssl_key_log_file_name(
       base::SysNSStringToUTF8(gSslKeyLogFileName));
   gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
+  gChromeNet.Get()
+      ->set_enable_public_key_pinning_bypass_for_local_trust_anchors(
+          gEnablePKPBypassForLocalTrustAnchors);
   for (const auto& quicHint : gQuicHints) {
     gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
                                   quicHint->alternate_port);
   }
 
   [self configureCronetEnvironmentForTesting:gChromeNet.Get().get()];
   gChromeNet.Get()->Start();
   gHttpProtocolHandlerDelegate.Get().reset(
       new CronetHttpProtocolHandlerDelegate(
           gChromeNet.Get()->GetURLRequestContextGetter(), gRequestFilterBlock));
@@ skipping 121 matching lines @@
                                             reason:(NSString*)reason {
   NSMutableDictionary* errorDictionary =
       [[NSMutableDictionary alloc] initWithDictionary:@{
         NSLocalizedDescriptionKey :
             [NSString stringWithFormat:@"Invalid argument: %@", argumentName],
         CRNInvalidArgumentKey : argumentName
       }];
   if (reason) {
     errorDictionary[NSLocalizedFailureReasonErrorKey] = reason;
   }
-  return [self createCronetErrorWith:CRNErrorInvalidArgument
-                            userInfo:errorDictionary];
+  return [self createCronetErrorWithCode:CRNErrorInvalidArgument
+                                userInfo:errorDictionary];
 }
 
-+ (NSError*)createCronetErrorWith:(int)errorCode
-                         userInfo:(NSDictionary*)userInfo {
++ (NSError*)createUnsupportedConfigurationError:(NSString*)contradiction {
+  NSMutableDictionary* errorDictionary =
+      [[NSMutableDictionary alloc] initWithDictionary:@{
+        NSLocalizedDescriptionKey : @"Unsupported configuration",
+        NSLocalizedRecoverySuggestionErrorKey :
+            @"Try disabling Public Key Pinning Bypass before pinning keys.",
+        NSLocalizedFailureReasonErrorKey : @"Pinning public keys while local "
+                                           @"anchor bypass is enabled is "
+                                           @"currently not supported.",
+      }];
+  if (contradiction) {
+    errorDictionary[NSLocalizedFailureReasonErrorKey] = contradiction;
+  }
+
+  return [self createCronetErrorWithCode:CRNErrorUnsupportedConfig
+                                userInfo:errorDictionary];
+}
+
++ (NSError*)createCronetErrorWithCode:(int)errorCode
+                             userInfo:(NSDictionary*)userInfo {
   return [NSError errorWithDomain:CRNCronetErrorDomain
                              code:errorCode
                          userInfo:userInfo];
 }
 
 @end