add setter for enable_pkp_bypass_etc

components/cronet/ios/Cronet.mm

Index: components/cronet/ios/Cronet.mm
diff --git a/components/cronet/ios/Cronet.mm b/components/cronet/ios/Cronet.mm
index 489b70c3a1d53ea425d88d94682f753b523930a7..7ebb17a454ed6785d09c2ca524bfccc74729bd37 100644
--- a/components/cronet/ios/Cronet.mm
+++ b/components/cronet/ios/Cronet.mm
@@ -48,9 +48,10 @@ RequestFilterBlock gRequestFilterBlock = nil;
 base::LazyInstance<std::unique_ptr<CronetHttpProtocolHandlerDelegate>>::Leaky
     gHttpProtocolHandlerDelegate = LAZY_INSTANCE_INITIALIZER;
 NSURLCache* gPreservedSharedURLCache = nil;
-BOOL gEnableTestCertVerifierForTesting = FALSE;
+BOOL gEnableTestCertVerifierForTesting = NO;
 std::unique_ptr<net::CertVerifier> gMockCertVerifier;
 NSString* gAcceptLanguages = nil;
+BOOL gEnablePKPBypassForLocalTrustAnchors = YES;
 
 // CertVerifier, which allows any certificates for testing.
 class TestCertVerifier : public net::CertVerifier {
@@ -225,6 +226,14 @@ class CronetHttpProtocolHandlerDelegate
                           error:(NSError**)outError {
   [self checkNotStarted];
 
+  // Pinning a key only makes sense if pin bypassing has been disabled
+  if (gEnablePKPBypassForLocalTrustAnchors) {
+    *outError =

[kapishnikov, 2017/06/28 03:42:32]

In addition to localizedDescription, an error also has
localizedRecoverySuggestion. Should we recommend the client to call the setter
to change the bypass setting?

[lilyhoughton, 2017/06/28 14:38:50]

Done.

+        [self createIncoherentConfigurationError:
+                  @"Cannot pin keys while public key pinning is bypassed"];
+    return NO;
+  }
+
   auto pkp = base::MakeUnique<cronet::URLRequestContextConfig::Pkp>(
       base::SysNSStringToUTF8(host), includeSubdomains,
       base::Time::FromCFAbsoluteTime(
@@ -250,6 +259,10 @@ class CronetHttpProtocolHandlerDelegate
   return YES;
 }
 
++ (void)setEnablePublicKeyPinningBypassForLocalTrustAnchors:(BOOL)enable {
+  gEnablePKPBypassForLocalTrustAnchors = enable;
+}
+
 + (void)startInternal {
   std::string user_agent = base::SysNSStringToUTF8(gUserAgent);
 
@@ -267,6 +280,9 @@ class CronetHttpProtocolHandlerDelegate
   gChromeNet.Get()->set_ssl_key_log_file_name(
       base::SysNSStringToUTF8(gSslKeyLogFileName));
   gChromeNet.Get()->set_pkp_list(std::move(gPkpList));
+  gChromeNet.Get()
+      ->set_enable_public_key_pinning_bypass_for_local_trust_anchors(
+          gEnablePKPBypassForLocalTrustAnchors);
   for (const auto& quicHint : gQuicHints) {
     gChromeNet.Get()->AddQuicHint(quicHint->host, quicHint->port,
                                   quicHint->alternate_port);
@@ -412,6 +428,20 @@ class CronetHttpProtocolHandlerDelegate
                             userInfo:errorDictionary];
 }
 
++ (NSError*)createIncoherentConfigurationError:(NSString*)contradiction {
+  NSMutableDictionary* errorDictionary =
+      [[NSMutableDictionary alloc] initWithDictionary:@{
+        NSLocalizedDescriptionKey :
+            [NSString stringWithFormat:@"Incoherent configuration"],
+      }];
+  if (contradiction) {
+    errorDictionary[NSLocalizedFailureReasonErrorKey] = contradiction;
+  }
+
+  return [self createCronetErrorWith:CRNErrorIncoherentConfig
+                            userInfo:errorDictionary];
+}
+
 + (NSError*)createCronetErrorWith:(int)errorCode
                          userInfo:(NSDictionary*)userInfo {
   return [NSError errorWithDomain:CRNCronetErrorDomain