
Side by Side Diff: components/cronet/ios/test/cronet_pkp_test.mm

Issue 2937523002: add setter for enable_pkp_bypass_etc (Closed)
Patch Set: add tests for pkpbypass, make disabling it mandatory Created 3 years, 6 months ago
1 // Copyright 2017 The Chromium Authors. All rights reserved. 1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #import <Cronet/Cronet.h> 5 #import <Cronet/Cronet.h>
6 6
7 #include "components/cronet/ios/test/start_cronet.h" 7 #include "components/cronet/ios/test/start_cronet.h"
8 #include "components/grpc_support/test/quic_test_server.h" 8 #include "components/grpc_support/test/quic_test_server.h"
9 #include "cronet_test_base.h" 9 #include "cronet_test_base.h"
10 #include "net/base/mac/url_conversions.h" 10 #include "net/base/mac/url_conversions.h"
(...skipping 60 matching lines...) Expand 10 before | Expand all | Expand 10 after
71 } else { 71 } else {
72 ASSERT_FALSE(IsResponseSuccessful()); 72 ASSERT_FALSE(IsResponseSuccessful());
73 } 73 }
74 } 74 }
75 75
76 // Adds a given public-key-pin and starts a Cronet engine for testing. 76 // Adds a given public-key-pin and starts a Cronet engine for testing.
77 void AddPkpAndStartCronet(NSString* host, 77 void AddPkpAndStartCronet(NSString* host,
78 NSData* hash, 78 NSData* hash,
79 BOOL include_subdomains, 79 BOOL include_subdomains,
80 NSDate* expiration_date) { 80 NSDate* expiration_date) {
81 [Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:NO];
81 NSSet* hashes = [NSSet setWithObject:hash]; 82 NSSet* hashes = [NSSet setWithObject:hash];
82 NSError* error; 83 NSError* error;
83 BOOL success = [Cronet addPublicKeyPinsForHost:host 84 BOOL success = [Cronet addPublicKeyPinsForHost:host
84 pinHashes:hashes 85 pinHashes:hashes
85 includeSubdomains:include_subdomains 86 includeSubdomains:include_subdomains
86 expirationDate:(NSDate*)expiration_date 87 expirationDate:(NSDate*)expiration_date
87 error:&error]; 88 error:&error];
88 CHECK(success); 89 CHECK(success);
89 CHECK(!error); 90 CHECK(!error);
90 StartCronet(grpc_support::GetQuicTestServerPort()); 91 StartCronet(grpc_support::GetQuicTestServerPort());
(...skipping 43 matching lines...) Expand 10 before | Expand all | Expand 10 after
134 } 135 }
135 136
136 // Tests the case when the pin hash matches. The client is expected to 137 // Tests the case when the pin hash matches. The client is expected to
137 // receive the successful response with the response code 200. 138 // receive the successful response with the response code 200.
138 TEST_F(PkpTest, TestSuccessIfPinMatches) { 139 TEST_F(PkpTest, TestSuccessIfPinMatches) {
139 AddPkpAndStartCronet(server_host_, MatchingHash(), kExcludeSubdomains, 140 AddPkpAndStartCronet(server_host_, MatchingHash(), kExcludeSubdomains,
140 kDistantFuture); 141 kDistantFuture);
141 ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kSuccess)); 142 ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kSuccess));
142 } 143 }
143 144
145 TEST_F(PkpTest, TestBypass) {
kapishnikov 2017/06/28 03:42:32 Can we add another test that tests behavior with t
lilyhoughton 2017/06/28 14:38:51 I don't know how to do this, since that would requ
kapishnikov 2017/06/28 15:32:23 I was thinking of creating the same test but witho
146 [Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:YES];
147
148 NSSet* hashes = [NSSet setWithObject:NonMatchingHash()];
149 NSError* error;
150 BOOL success = [Cronet addPublicKeyPinsForHost:server_host_
151 pinHashes:hashes
152 includeSubdomains:kExcludeSubdomains
153 expirationDate:(NSDate*)kDistantFuture
154 error:&error];
155
156 EXPECT_FALSE(success);
157 EXPECT_EQ([error code], CRNErrorIncoherentConfig);
158 }
159
144 // Tests the case when the pin hash does not match and the client accesses the 160 // Tests the case when the pin hash does not match and the client accesses the
145 // subdomain of the configured PKP host with includeSubdomains flag set to true. 161 // subdomain of the configured PKP host with includeSubdomains flag set to true.
146 // The client is expected to receive the error response. 162 // The client is expected to receive the error response.
147 TEST_F(PkpTest, TestIncludeSubdomainsFlagEqualTrue) { 163 TEST_F(PkpTest, TestIncludeSubdomainsFlagEqualTrue) {
148 AddPkpAndStartCronet(server_domain_, NonMatchingHash(), kIncludeSubdomains, 164 AddPkpAndStartCronet(server_domain_, NonMatchingHash(), kIncludeSubdomains,
149 kDistantFuture); 165 kDistantFuture);
150 ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kError)); 166 ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kError));
151 } 167 }
152 168
153 // Tests the case when the pin hash does not match and the client accesses the 169 // Tests the case when the pin hash does not match and the client accesses the
(...skipping 90 matching lines...) Expand 10 before | Expand all | Expand 10 after
244 expirationDate:kDistantFuture 260 expirationDate:kDistantFuture
245 error:nil]; 261 error:nil];
246 ASSERT_TRUE(success); 262 ASSERT_TRUE(success);
247 // Add non-matching pin. 263 // Add non-matching pin.
248 AddPkpAndStartCronet(server_host_, NonMatchingHash(), kExcludeSubdomains, 264 AddPkpAndStartCronet(server_host_, NonMatchingHash(), kExcludeSubdomains,
249 kDistantFuture); 265 kDistantFuture);
250 ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kError)); 266 ASSERT_NO_FATAL_FAILURE(sendRequestAndAssertResult(request_url_, kError));
251 } 267 }
252 268
253 } // namespace cronet 269 } // namespace cronet
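Review bot: TestBypass turns the bypass on with `[Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:YES];` and never turns it off, so the setting, which looks like class-level state, outlives the test. Tests that go through AddPkpAndStartCronet are covered because the helper now resets it to NO, but the test near the end of the file calls `addPublicKeyPinsForHost:` directly with `error:nil` and asserts success before it reaches the helper. If that test runs after TestBypass and the fixture's SetUp/TearDown (not visible here) does not reset the flag, the call would presumably be rejected as an incoherent config. Calling `[Cronet setEnablePublicKeyPinningBypassForLocalTrustAnchors:NO];` in the fixture's SetUp would make the pin-enforcement tests independent of run order. TestBypass also lacks the descriptive comment its siblings carry, for example `// Tests that adding pins fails with CRNErrorIncoherentConfig while the local-trust-anchor bypass is enabled.`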