
Unified Diff: components/cronet/ios/Cronet.mm

Issue 2937523002: add setter for enable_pkp_bypass_etc (Closed)
Patch Set: change IncoherentConfig error to UnsupportedConfig error, add recovery suggestion Created 3 years, 6 months ago
Index: components/cronet/ios/Cronet.mm
diff --git a/components/cronet/ios/Cronet.mm b/components/cronet/ios/Cronet.mm
index 489b70c3a1d53ea425d88d94682f753b523930a7..e99b561079421ba01f53e7a972876e04e1641136 100644
--- a/components/cronet/ios/Cronet.mm
+++ b/components/cronet/ios/Cronet.mm
@@ -48,9 +48,10 @@ RequestFilterBlock gRequestFilterBlock = nil;
base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
NSURLCache* gPreservedSharedURLCache = nil;
-BOOL gEnableTestCertVerifierForTesting = FALSE;
+BOOL gEnableTestCertVerifierForTesting = NO;
std::unique_ptr<net::CertVerifier> gMockCertVerifier;
NSString* gAcceptLanguages = nil;
+BOOL gEnablePKPBypassForLocalTrustAnchors = YES;
// CertVerifier, which allows any certificates for testing.
class TestCertVerifier : public net::CertVerifier {
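Review bot: The new global `gEnablePKPBypassForLocalTrustAnchors` is introduced with a default of YES and no comment, although the later hunks make its value a precondition for addPublicKeyPins (which returns NO with an error while it is YES) and forward it to gChromeNet in startInternal. A one-line comment at the declaration would make that coupling visible to the next reader, e.g. `// Must be set to NO before keys can be pinned; forwarded to the network context in startInternal.`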
@@ -225,6 +226,14 @@ class CronetHttpProtocolHandlerDelegate
error:(NSError**)outError {
[self checkNotStarted];
+ // Pinning a key only makes sense if pin bypassing has been disabled
+ if (gEnablePKPBypassForLocalTrustAnchors) {
+ *outError =
+ [self createUnsupportedConfigurationError:
+ @"Cannot pin keys while public key pinning is bypassed"];
+ return NO;
+ }
+
auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
base::SysNSStringToUTF8(host), includeSubdomains,
base::Time::FromCFAbsoluteTime(
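Review bot: The added early-return writes `*outError` without checking that `outError` is non-nil; `NSError**` out-parameters are conventionally optional, so a caller passing NULL crashes on the first misconfiguration instead of getting NO back. Guard the write: `if (outError) { *outError = [self createUnsupportedConfigurationError:@"Cannot pin keys while public key pinning is bypassed"]; } return NO;`. The check also only catches the "add pins while bypass is still enabled" ordering; disabling bypass, adding pins, then re-enabling bypass (the new setter in the next hunk does not appear to look at gPkpList) reaches startInternal with the same contradiction, so either the setter wants the mirror check or startInternal should validate the pair once. The enclosing method's signature begins before this hunk and its body continues past it.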
@@ -250,6 +259,10 @@ class CronetHttpProtocolHandlerDelegate
return YES;
}
++ (void)setEnablePublicKeyPinningBypassForLocalTrustAnchors:(BOOL)enable {
+ gEnablePKPBypassForLocalTrustAnchors = enable;
+}
+
+ (void)startInternal {
std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
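Review bot: The new `setEnablePublicKeyPinningBypassForLocalTrustAnchors:` stores the flag without calling `[self checkNotStarted]`, unlike the pin-adding method in the previous hunk; since the value is only handed to gChromeNet in startInternal, a call made after start appears to be silently ignored rather than reported as misuse. Add `[self checkNotStarted];` as the first statement so the precondition is enforced consistently with the other pre-start configuration. A short header comment would also help callers get the ordering right, e.g. `// Defaults to YES. Must be called before start, and set to NO before addPublicKeyPins... will succeed.`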
@@ -267,6 +280,9 @@ class CronetHttpProtocolHandlerDelegate
gChromeNet.Get()->set_ssl_key_log_file_name(
base::SysNSStringToUTF8(gSslKeyLogFileName));
gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
+ gChromeNet.Get()
+ ->set_enable_public_key_pinning_bypass_for_local_trust_anchors(
+ gEnablePKPBypassForLocalTrustAnchors);
for (const auto& quicHint : gQuicHints) {
gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
quicHint->alternate_port);
@@ -412,6 +428,21 @@ class CronetHttpProtocolHandlerDelegate
userInfo:errorDictionary];
}
++ (NSError*)createUnsupportedConfigurationError:(NSString*)contradiction {
+ NSMutableDictionary* errorDictionary =
kapishnikov 2017/06/28 15:32:23 Could we also add |NSLocalizedFailureReasonErrorKe
lilyhoughton 2017/06/28 15:52:06 Done.
+ [[NSMutableDictionary alloc] initWithDictionary:@{
+ NSLocalizedDescriptionKey : @"Unsupported configuration",
+ NSLocalizedRecoverySuggestionErrorKey :
+ @"Try disabling Public Key Pinning Bypass before pinning keys.",
+ }];
+ if (contradiction) {
+ errorDictionary[NSLocalizedFailureReasonErrorKey] = contradiction;
+ }
+
+ return [self createCronetErrorWith:CRNErrorUnsupportedConfig
+ userInfo:errorDictionary];
+}
+
+ (NSError*)createCronetErrorWith:(int)errorCode
kapishnikov 2017/06/28 15:32:24 Could you rename this method from "createCronetErr
lilyhoughton 2017/06/28 15:52:06 Done.
userInfo:(NSDictionary*)userInfo {
return [NSError errorWithDomain:CRNCronetErrorDomain
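Review bot: The recovery suggestion hard-coded in `createUnsupportedConfigurationError:` ("Try disabling Public Key Pinning Bypass before pinning keys.") is specific to its single caller, while the method name and the `contradiction` parameter read as a general helper; any future unsupported-configuration error built through it would carry a misleading suggestion. Either take the suggestion as a second argument (e.g. `createUnsupportedConfigurationError:recoverySuggestion:`) or move the pinning-specific text to the call site in addPublicKeyPins and keep only the generic description here. As a minor style point, `[[NSMutableDictionary alloc] initWithDictionary:@{...}]` can be written `[@{...} mutableCopy]`. The `createCronetErrorWith:userInfo:` definition at the end of the hunk continues past the hunk boundary.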