Chrome Participated Tamper Detect

components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect_unittest.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.h"
+
+#include <string.h>
+#include <algorithm>
+#include <map>
+#include <vector>
+
+#include "base/base64.h"
+#include "base/md5.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_split.h"
+#include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h"
+#include "net/android/network_library.h"
+#include "net/http/http_response_headers.h"
+#include "net/http/http_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace {
+
+void HeadersToRaw(std::string* headers) {
+  std::replace(headers->begin(), headers->end(), '\n', '\0');
+  if (!headers->empty())
+    *headers += '\0';
+}
+
+// Calcuates MD5 hash value for a string and then base64 encode it.
+static std::string GetEncoded(const std::string& input) {

[bolian, 2014/07/21 23:43:05]

s/static//

[xingx, 2014/07/23 19:00:29]

Done.

+  base::MD5Digest digest;
+  base::MD5Sum(input.c_str(), input.size(), &digest);
+  std::string base64encoded;
+  base::Base64Encode(std::string((char*)digest.a,
+                     ARRAYSIZE_UNSAFE(digest.a)), &base64encoded);
+  return base64encoded;
+}
+
+// Replaces all contents within "[]" by corresponding base64 encoded MD5 value.
+void ReplaceWithEncodedString(std::string* input)
+{
+  size_t start, end;
+  while (true) {
+    start = input->find("[");
+    if (start == std::string::npos) break;
+    end = input->find("]", start);
+    std::string need_to_encode = input->substr(start + 1, end - start - 1);
+    *input = input->substr(0, start) + GetEncoded(need_to_encode) +
+             input->substr(end + 1);
+  }
+}
+
+// Testcase for fingerprint checking functions. |received_fingerprint| is
+// fingerprint received from the data reduction proxy. |expected_tampered| is
+// expected tampered or not result.
+struct TestCaseCheckingFingerprint {

[bolian, 2014/07/21 23:43:05]

rename it to TamperDetectionTestCase?

[xingx, 2014/07/23 19:00:29]

Done.

+  std::string raw_header;
+  std::string received_fingerprint;
+  bool expected_tampered;
+  bool expected_has_chrome_proxy_via_header;
+};
+
+}  // namespace
+
+namespace data_reduction_proxy {
+
+class DataReductionProxyTamperDetectionTest : public testing::Test {
+ public:
+  static void TestFingerprintCommon(const TestCaseCheckingFingerprint& test,
+      DataReductionProxyTamperDetection::FingerprintCode fingerprint);
+};
+
+// Common function for testing fingerprint checking functions. For a given
+// header string |test.raw_header|, generates HttpResponseHeaders |headers| and
+// checks specified fingerprint checking function returns expected result or
+// not.
+void DataReductionProxyTamperDetectionTest::TestFingerprintCommon(
+    const TestCaseCheckingFingerprint& test,
+    DataReductionProxyTamperDetection::FingerprintCode fingerprint) {

[bolian, 2014/07/21 23:43:05]

s/fingerprint/fingerprint_code/

[xingx, 2014/07/23 19:00:29]

Done.

+  std::string raw_headers(test.raw_header);
+  HeadersToRaw(&raw_headers);
+  scoped_refptr<net::HttpResponseHeaders> headers(

[bolian, 2014/07/21 23:43:05]

why scoped_refptr?  Will a stack var of net::HttpResponseHeaders work?

[xingx, 2014/07/23 19:00:29]

Done.

[bolian, 2014/07/23 23:22:57]

You are leaking memory. Just
net::HttpResponseHeaders headers(raw_headers);

+      new net::HttpResponseHeaders(raw_headers));
+
+  // Removes Chrome-Proxy header's fingerprint from Chrome-Proxy header.
+  std::vector<std::string> chrome_proxy_header_values =
+      DataReductionProxyTamperDetection::
+      GetHeaderValues(headers, "Chrome-Proxy");
+
+  DataReductionProxyTamperDetection::RemoveChromeProxyFingerprint(
+      &chrome_proxy_header_values);
+
+  DataReductionProxyTamperDetection tamper_detection(
+      headers, true, 0, &chrome_proxy_header_values);
+
+  bool tampered;

[bolian, 2014/07/21 23:43:05]

set a default value.

[xingx, 2014/07/23 19:00:29]

Done.

+  switch (fingerprint) {
+  case DataReductionProxyTamperDetection::CHROMEPROXY:
+    tampered = tamper_detection.IsChromeProxyHeaderTampered(
+        test.received_fingerprint);
+    break;
+  case DataReductionProxyTamperDetection::VIA:
+    bool has_chrome_proxy_via_header;
+    tampered = tamper_detection.IsViaHeaderTampered(
+        test.received_fingerprint, &has_chrome_proxy_via_header);
+    EXPECT_EQ(test.expected_has_chrome_proxy_via_header,
+              has_chrome_proxy_via_header);
+    break;
+  case DataReductionProxyTamperDetection::OTHERHEADERS:
+    tampered = tamper_detection.AreOtherHeadersTampered(
+        test.received_fingerprint);
+    break;
+  case DataReductionProxyTamperDetection::CONTENTLENGTH:
+    tampered = tamper_detection.IsContentLengthHeaderTampered(
+        test.received_fingerprint);
+    break;
+  case DataReductionProxyTamperDetection::NONEXIST:
+    break;

[bolian, 2014/07/21 23:43:04]

not setting tampered in this case?

[xingx, 2014/07/23 19:00:29]

It should not reach here.

+  }
+
+  EXPECT_EQ(test.expected_tampered, tampered);
+}
+
+// Checks function IsChromeProxyHeaderTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, ChromeProxy) {
+  TestCaseCheckingFingerprint test[] = {
+    // Checks sorting values and decoding.

[bolian, 2014/07/21 23:43:05]

This is the case that server does not ask for detection,right?

[xingx, 2014/07/23 19:00:29]

No, this is the case we check ChromeProxy's fingerprint.

We have the fingerprint, we have the header; but at header, I removed
Chrome-Proxy's fingerprint. 

+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,"
+      "fp=123,bbbypas=0,aaxxx=xxx,bbbloc=1\n",
+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,fp=123,",
+      false,
+    },
+
+    // Checks Chrome-Proxy's fingerprint removing.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: a,b,c,d,e,3,2,1," +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "=1231\n",
+      "1,2,3,a,b,c,d,e,",
+      false,
+    },
+
+    // Checks no Chrome-Proxy header case (should not happen).
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Length: 12345\n",
+      "",
+      false,
+    },
+
+    // Checks empty Chrome-Proxy header case (should not happen).
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:    \n",
+      ",",
+      false,
+    },
+
+    // Checks Chrome-Proxy header with its fingerprint only case.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:    " +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "=xyz\n",
+      "",
+      false,
+    },
+
+    // Checks empty Chrome-Proxy header case, with extra ","
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:   " +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "=abcde   ,   \n",
+      "",
+      false,
+    },
+
+    // Checks empty Chrome-Proxy header, different to fingerprint.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:    " +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "=xyz\n",
+      ",",
+      true,
+    },
+
+    // Chrome-Proxy header different to its fingerprint.

[bolian, 2014/07/21 23:43:05]

This comment does not make sense. Do you mean
// Missing header values.
or
// Changed header values.
or
// Additional header values.
or
all of them?

[xingx, 2014/07/23 19:00:29]

Done.

+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=2,aaxxx=xxx,bbbloc=1\n",

[bolian, 2014/07/21 23:43:04]

can you minimize you headers to test exact this case? You have too many values
that don't matter, which makes it not easy to read.  Apply this to all other
cases.

[xingx, 2014/07/23 19:00:29]

Done.

+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      true,
+    },
+
+    // Chrome-Proxy header different to its fingerprint.

[bolian, 2014/07/21 23:43:05]

How is this different than above (your comment is the same)?

[xingx, 2014/07/23 19:00:29]

Done.

+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: a,aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n",
+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      true,
+    },
+
+    // Chrome-Proxy header different to its fingerprint in order.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n",
+      "aaxxx=xxx,aut=aauutthh,bbbypas=0,bbbloc=1,",
+      true,
+    },
+
+    // Checks Chrome-Proxy header with extra " ".
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aut=aauutthh    ,   bbbypas=0   ,     aaxxx=xxx"
+      "              ,bbbloc=1     \n",
+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      false
+    },
+
+    // Check Chrome-Proxy header, with extra lines and " ".
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aut=aauutthh    ,   bbbypas=0   , bbbloc=1    \n"
+      "Chrome-Proxy:    aaxxx=xxx \n",
+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      false
+    },
+
+    // Checks Chrome-Proxy header with multiple lines.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Chrome-Proxy:bbbloc=1   \n",
+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      false
+    },
+
+    // Checks Chrome-Proxy header with multiple lines, at different positions
+    // of the entire header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    bbbloc=1\n"
+      "Via: \n"
+      "Content-Length: 12345\n"
+      "fp=123    \n",
+      "aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      false
+    },
+
+    // Checks Chrome-Proxy header with multiple same values.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    bbbloc=1,   fp=123    \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "aaxxx=xxx,aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,fp=123,",
+      false
+    },
+
+    // Checks Chrome-Proxy header with multiple same values.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    bbbloc=1,   fp=123    \n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "xyn \n" +
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "aaxxx=xxx,aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,fp=123,",
+      false
+    },
+
+    // Checks Chrome-Proxy header with multiple same values, but different to
+    // fingerprint.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    bbbloc=1\n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "aaxxx=xxx,aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      true,
+    },
+
+    // Check Chrome-Proxy header with multiple same values, but different to
+    // fingerprint.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "xyn \n" +
+      "Chrome-Proxy:    bbbloc=1\n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "aaxxx=xxx,aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      true,
+    },
+
+    // Check Chrome-Proxy header with multiple lines, but different to
+    // fingerprint.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    bbbloc=1\n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "aaxxx=xxx,aaxxx=xxx,aut=aauutthh,bbbloc=1,bbbypas=0,",
+      true,
+    },
+
+    // Checks case whose received fingerprint is empty.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Chrome-Proxy:    aut=aauutthh\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    bbbypas=0\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    bbbloc=1\n"
+      "Chrome-Proxy:     aaxxx=xxx   \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "",
+      true,
+    },
+
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    test[i].received_fingerprint =

[bolian, 2014/07/21 23:43:05]

You need to test the case that fcp value encoding is wrong. You can pre-compute
the encoding before setting up the tests. 

[xingx, 2014/07/23 19:00:29]

Done.

+        GetEncoded(test[i].received_fingerprint);
+
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],

[bolian, 2014/07/21 23:43:04]

If you one case fails, can you easily tell which one it is from the error
message?

[xingx, 2014/07/23 19:00:29]

Done.

+        DataReductionProxyTamperDetection::CHROMEPROXY);
+  }
+}
+
+// Check function IsViaHeaderTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, Via) {
+  TestCaseCheckingFingerprint test[] = {
+    // Checks the case that Chrome-Compression-Proxy occurs at the last.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via: a, b, c, 1.1 Chrome-Compression-Proxy\n",
+      "0",
+      false,
+      true,
+    },
+
+    // Checks when there is intermediary between the data reduction proxy and
+    // the Chromium client.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via: a, b,  c,   1.1 Chrome-Compression-Proxy,    xyz\n",
+      "0",
+      true,
+      true,
+    },
+
+    // Checks the case of empty Via header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via:  \n",
+      "0",
+      false,
+      false,
+    },
+
+    // Checks the case that only the data reduction proxy's Via header occurs.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via:  1.1 Chrome-Compression-Proxy    \n",
+      "0",
+      false,
+      true,
+    },
+
+    // Checks the case that there are " ", i.e., empty value after the data
+    // reduction proxy's Via header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via:  1.1 Chrome-Compression-Proxy  ,  , \n",
+      "0",
+      false,
+      true,
+    },
+
+    // Checks the case when there is no Via header
+    {
+      "HTTP/1.1    200   OK  \n",
+      "0",
+      false,
+      false,
+    },
+
+    // Same to above test cases, but with deprecated data reduciton proxy Via
+    // header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via: a, b, c, 1.1 Chrome Compression Proxy\n",
+      "0",
+      false,
+      true,
+    },
+
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via: a, b,  c,   1.1 Chrome Compression Proxy,    xyz\n",
+      "0",
+      true,
+      true,
+    },
+
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via:  \n",
+      "0",
+      false,
+      false,
+    },
+
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via:  1.1 Chrome Compression Proxy    \n",
+      "0",
+      false,
+      true,
+    },
+
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via:  1.1 Chrome Compression Proxy  ,  , \n",
+      "0",
+      false,
+      true,
+    },
+
+    {
+      "HTTP/1.1    200   OK  \n",
+      "0",
+      false,
+      false,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::VIA);
+  }
+}
+
+// Checks function AreOtherHeadersTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, OtherHeaders) {
+  // For following testcases, |received_fingerprint| is not the actual
+  // fingerprint from data reduction proxy, instead, the base64 encoded field
+  // is in plain text (within "[]") and needs to be encoded first. For example,
+  // "[12345;]:content-length" needs to be encoded to
+  // "Base64Encoded(MD5(12345;))|content-length" before calling the checking
+  // function.
+  TestCaseCheckingFingerprint test[] = {
+    // Checks the case of correct fingerprint.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Via:   \n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n"
+      "Content-Length: 12345\n",
+      "[1,;2,;3,;4,;5,;]|content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case of correct fingerprint.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: aaa1\n"
+      "Cache-Control: aaa2\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "ETag: aaa3\n"
+      "Connection: aaa4\n"
+      "Expires: aaa5\n"
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[aaa1,;aaa2,;aaa3,;aaa4,;aaa5,;]|content-type|cache-control|"
+      "etag|connection|expires",
+      false
+    },
+
+    // Checks the case that one header has multiple values.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Content-Type: aaa1,    bbb1, ccc1\n"
+      "Cache-Control: aaa2\n"
+      "ETag: aaa3\n"
+      "Connection: aaa4\n"
+      "Expires: aaa5\n"
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[aaa1,bbb1,ccc1,;aaa2,;aaa3,;aaa4,;aaa5,;]|"
+      "content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that one header has multiple lines.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Content-Type: xxx1,    bbb1, ccc1\n"
+      "Cache-Control: aaa2\n"
+      "ETag: aaa3\n"
+      "Connection: aaa4\n"
+      "Expires: aaa5\n"
+      "Via:   \n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Content-Length: 12345\n",
+      "[aaa1,bbb1,ccc1,ccc1,xxx1,;aaa2,;aaa3,;aaa4,;aaa5,;]|"
+      "content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that one header has multiple values, and such multiple
+    // lines occur at different positions.
+    {
+      "HTTP/1.1    200   OK  \n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Cache-Control: aaa2\n"
+      "ETag: aaa3\n"
+      "Content-Type: xxx1,    bbb1, ccc1\n"
+      "Connection: aaa4\n"
+      "Expires: aaa5\n"
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[aaa1,bbb1,ccc1,ccc1,xxx1,;aaa2,;aaa3,;aaa4,;aaa5,;]"
+      "|content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that more than one headers have multiple values.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Cache-Control: ccc2    , bbb2\n"
+      "ETag: aaa3\n"
+      "Content-Type: xxx1,    bbb1, ccc1\n"
+      "Connection: aaa4\n"
+      "Cache-Control: aaa2   \n"
+      "Expires: aaa5\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[aaa1,bbb1,ccc1,ccc1,xxx1,;aaa2,bbb2,ccc2,;aaa3,;aaa4,;aaa5,;]|"
+      "content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that one of the requested headers is missing (Expires).
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Cache-Control: ccc2    , bbb2\n"
+      "ETag: aaa3\n"
+      "Content-Type: xxx1,    bbb1, ccc1\n"
+      "Connection: aaa4\n"
+      "Cache-Control: aaa2   \n"
+      "Via:   \n"
+      "Content-Length: 12345\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n",
+      "[aaa1,bbb1,ccc1,ccc1,xxx1,;aaa2,bbb2,ccc2,;aaa3,;aaa4,;;]|"
+      "content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that more than one of the requested headers are missing.
+    // (Content-Type, Expires).
+    {
+      "HTTP/1.1    200   OK  \n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Cache-Control: ccc2    , bbb2\n"
+      "ETag: aaa3\n"
+      "Connection: aaa4\n"
+      "Cache-Control: aaa2   \n"
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[;aaa2,bbb2,ccc2,;aaa3,;aaa4,;;]|content-type|cache-control|"
+      "etag|connection|expires",
+      false
+    },
+
+    // Checks the case that all the requested headers are missing.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Via:   \n"
+      "Content-Length: 12345\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n",
+      "[;;;;;]|content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that only one header is requested.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Via:   \n"
+      "Content-Length: 12345\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n",
+      "[12345,;]|content-length",
+      false
+    },
+
+    // Checks the case that fingerprint is different to received one.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Cache-Control: ccc2    , bbb2\n"
+      "ETag: etag\n"
+      "Content-Type: xxx1,    bbb1, ccc1\n"
+      "Connection: aaa4\n"
+      "Cache-Control: aaa2   \n"
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[aaa1,bbb1,ccc1,ccc1,xxx1,;aaa2,bbb2,ccc2,;aaa3,;aaa4,;;]|"
+      "content-type|cache-control|etag|connection|expires",
+      true
+    },
+
+    // Checks the case that some of the requested headers have empty value
+    // (different to above header-missing case).
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type:   \n"
+      "Cache-Control: \n"
+      "ETag: \n"
+      "Connection: \n"
+      "Expires: 5\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "[,;,;,;,;5,;]|content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case that some headers are missing, some of them are of
+    // empty values (whether delimiter "," and ";" work correctly).
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Cache-Control: \n"
+      "Connection: \n"
+      "Expires: 5\n"
+      "Via: \n"
+      "Content-Length: 12345\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n",
+      "[;,;;,;5,;]|content-type|cache-control|etag|connection|expires",
+      false
+    },
+
+    // Checks the case there is no requested header (header list is empty).
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Connection: 4\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Expires: 5\n"
+      "Via:   \n"
+      "Content-Length: 12345\n",
+      "[]",
+      false
+    },
+
+    // Checks the case that there is only one requested header and it does not
+    // exist.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Via:   \n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n" +
+      "Content-Length: 12345\n",
+      "[;]|non_exist_header",
+      false
+    },
+
+    // Checks the case that there is only one requested header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Cache-Control: \n"
+      "Connection: \n"
+      "Expires: 5\n"
+      "Via: \n"
+      "Content-Length: 12345\n" +
+      std::string(kChromeProxyActionFingerprintChromeProxy) +
+      "abcde \n",
+      "[;]|content-type",
+      false
+    },
+
+    /* Lead to NOTREACHED() */
+    /*
+    // special case, if base64 decoding fails
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Cache-Control: \n"
+      "Connection: \n"
+      "Expires: 5\n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      ";|content-type",
+      true
+    },
+
+    // special case, if base64 decoding fails
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Cache-Control: \n"
+      "Connection: \n"
+      "Expires: 5\n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "abcde|content-type|cache-control|etag|connection|expires",
+      true
+    },
+    */
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    ReplaceWithEncodedString(&(test[i].received_fingerprint));
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::OTHERHEADERS);
+  }
+}
+
+// Checks function IsContentLengthTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, ContentLength) {
+  TestCaseCheckingFingerprint test[] = {
+    // Checks the case fingerprint matches received response.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: 1\n"
+      "Content-Length: 12345\n",
+      "12345",
+      false,
+    },
+
+    // Checks the case that fingerprint does not match received response.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: text/html; charset=ISO-8859-4\n"
+      "Content-Length: 12345\n",
+      "125",
+      true,
+    },
+
+    // Checks the case that the data reduction proxy has not sent
+    // Content-Length header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: text/javascript\n"
+      "Content-Length: 12345\n",
+      "",
+      false,
+    },
+
+    // Checks the case that the data reduction proxy sends invalid
+    // Content-Length header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: text/javascript\n"
+      "Content-Length: 12345\n",
+      "aaa",
+      false,
+    },
+
+    // Checks the case that the data reduction proxy sends invalid
+    // Content-Length header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: text/javascript\n"
+      "Content-Length: aaa\n",
+      "aaa",
+      false,
+    },
+
+    // Checks the case that Content-Length header are missing at both end.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: 1\n",
+      "",
+      false,
+    },
+
+    // Checks the case that Content-Length is 0.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: application/x-javascript\n"
+      "Content-Length: 0\n",
+      "0",
+      false,
+    },
+
+    // Checks the case that Content-Length is empty at the data reduction proxy
+    // side.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: application/x-javascript\n"
+      "Content-Length: 123\n",
+      ",",
+      false,
+    },
+
+    // Checks the case that Content-Length header is missing at the Chromium
+    // client side.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Content-Type: application/javascript \n",
+      "123",
+      false,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::CONTENTLENGTH);
+  }
+}
+
+// Testcase for RemoveChromeProxyFingerprint function.
+TEST_F(DataReductionProxyTamperDetectionTest, HeaderRemoving) {
+  struct {
+    std::string input_values[10];
+    std::string expected_output_values[10];
+  } test[] = {
+    // Checks the case that there is no Chrome-Proxy header's fingerprint.
+    {
+      {"1", "2", "3", "5",},
+      {"1", "2", "3", "5",},
+    },
+    // Checks the case that there is Chrome-Proxy header's fingerprint.
+    {
+      {"1", "2", "3",
+          std::string(kChromeProxyActionFingerprintChromeProxy) + "=4", "5",},
+      {"1", "2", "3", "5",},
+    },
+    // Checks the case that there is Chrome-Proxy header's fingerprint, and it
+    // occurs at the end.
+    {
+      {"1", "2", "3",
+          std::string(kChromeProxyActionFingerprintChromeProxy) + "=4",},
+      {"1", "2", "3",},
+    },
+    // Checks the case that there is Chrome-Proxy header's fingerprint, and it
+    // occurs at the beginning.
+    {
+      {std::string(kChromeProxyActionFingerprintChromeProxy)
+          + "=1", "2", "3",},
+      {"2", "3",},
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    std::vector<std::string> input_values, output_values;
+    for (size_t j=0; j<ARRAYSIZE_UNSAFE(test[i].input_values); ++j) {
+      if (test[i].input_values[j].size())
+        input_values.push_back(test[i].input_values[j]);
+    }
+    for (size_t j=0; j<ARRAYSIZE_UNSAFE(test[i].expected_output_values); ++j) {
+      if (test[i].expected_output_values[j].size())
+        output_values.push_back(test[i].expected_output_values[j]);
+    }
+
+    DataReductionProxyTamperDetection::RemoveChromeProxyFingerprint(
+        &input_values);
+
+    EXPECT_EQ(input_values, output_values);
+  }
+}
+
+// Testcase for ValuesToSortedString function.
+TEST_F(DataReductionProxyTamperDetectionTest, ValuesToSortedString) {
+  struct {
+    std::string input_values[10];
+    std::string expected_output_string;
+  } test[] = {
+    // Checks the correctness of sorting.
+    {
+      {"1", "2", "3",},
+      "1,2,3,",
+    },
+    // Checks the case that there is an empty input vector.
+    {
+      {},
+      "",
+    },
+    // Checks the case that there is an empty string in the input vector.
+    {
+      {" ",},
+      ",",
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    std::vector<std::string> input_values;
+    for (size_t j=0; j<ARRAYSIZE_UNSAFE(test[i].input_values); ++j) {
+      if (test[i].input_values[j].size()) {
+        if (test[i].input_values[j] == " ")
+          input_values.push_back("");
+        else
+          input_values.push_back(test[i].input_values[j]);
+      }
+    }
+
+    std::string output_string = DataReductionProxyTamperDetection::
+        ValuesToSortedString(&input_values);
+
+    EXPECT_EQ(output_string, test[i].expected_output_string);
+  }
+}
+
+// Testcase for GetHeaderValues function.
+TEST_F(DataReductionProxyTamperDetectionTest, GetHeaderValues) {
+  struct {
+    std::string raw_header;
+    std::string header_name;
+    std::string expected_output_values[10];
+  } test[] = {
+    // Checks the correctness of getting single line header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "test: 1, 2, 3\n",
+      "test",
+      {"1", "2", "3"},
+    },
+    // Checks the correctness of getting multiple lines header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "test: 1, 2, 3\n"
+      "test: 4, 5, 6\n"
+      "test: 7, 8, 9\n",
+      "test",
+      {"1", "2", "3", "4", "5", "6", "7", "8", "9"},
+    },
+    // Checks the correctness of getting missing header.
+    {
+      "HTTP/1.1    200   OK  \n",
+      "test",
+      {},
+    },
+    // Checks the correctness of getting empty header.
+    {
+      "HTTP/1.1    200   OK  \n"
+      "test:   \n",
+      "test",
+      {" "},
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    std::string raw_headers(test[i].raw_header);
+    HeadersToRaw(&raw_headers);
+    scoped_refptr<net::HttpResponseHeaders> headers =
+        new net::HttpResponseHeaders(raw_headers);
+
+    std::vector<std::string> expected_output_values;
+    for (size_t j=0; j<ARRAYSIZE_UNSAFE(test[i].expected_output_values); ++j) {
+      if ((test[i].expected_output_values[j]).size()) {
+        if (test[i].expected_output_values[j] == " ")
+          expected_output_values.push_back("");
+        else
+          expected_output_values.push_back(test[i].expected_output_values[j]);
+      }
+    }
+
+    std::vector<std::string> output_values =
+        DataReductionProxyTamperDetection::GetHeaderValues(
+        headers, test[i].header_name);
+    EXPECT_EQ(expected_output_values, output_values);
+  }
+}
+
+// Testcase for main function CheckResponseFingerprint. First generate
+// simulated response from the data reduction proxy, by replacing fingerprint
+// with its base64 encoded MD5 value and appending it to Chrome-Proxy header.
+// Then runs through function CheckResponseFingerprint.
+TEST_F(DataReductionProxyTamperDetectionTest, Completed) {
+  struct {
+    std::string raw_header;
+    std::string chrome_header;
+    bool expected_contain_tamper_detect_fingerprints;
+    bool expected_tampered_chrome_proxy;
+    bool expected_tampered_via;
+    bool expected_tampered_other_headers;
+    bool expected_tampered_content_length;
+    bool expected_has_chrome_proxy_via_header;
+  } test[] = {
+    // Check normal case, Chrome-Proxy fingerprint doesn't exist
+    {
+      "HTTP/1.1    200   OK  \n"
+      "Via: a1, b2, 1.1 Chrome-Compression-Proxy\n"
+      "Content-Length: 12345\n"
+      "header1: header_1\n"
+      "header2: header_2\n"
+      "header3: header_3\n",
+      "a,b,c,d,e," +
+      std::string(kChromeProxyActionFingerprintContentLength) + "=12345," +
+      std::string(kChromeProxyActionFingerprintOtherHeaders) +
+      "=[header_1,;header_2,;header_3,;]|header1|header2|header3," +
+      std::string(kChromeProxyActionFingerprintVia) + "=0,",
+      true,
+      false,
+      false,
+      false,
+      false,
+      true,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    // Replace fingerprint with base64 encoded MD5 value.
+    ReplaceWithEncodedString(&(test[i].chrome_header));
+    // Generate fingerprint for Chrome-Proxy header.
+    std::string chrome_header_fingerprint = GetEncoded(test[i].chrome_header);
+    // Append Chrome-Proxy header to response headers.
+    test[i].raw_header += "Chrome-Proxy: " + test[i].chrome_header +
+        std::string(kChromeProxyActionFingerprintChromeProxy) +
+        "=" + chrome_header_fingerprint + "\n";
+
+    std::string raw_headers(test[i].raw_header);
+    HeadersToRaw(&raw_headers);
+    scoped_refptr<net::HttpResponseHeaders> headers =
+        new net::HttpResponseHeaders(raw_headers);
+
+    // Below copying codes from CheckResponseFingerprint, with checking points
+    // added.
+    std::string chrome_proxy_fingerprint;
+    bool contain_chrome_proxy_fingerprint = GetDataReductionProxyActionValue(
+        headers,
+        kChromeProxyActionFingerprintChromeProxy,
+        &chrome_proxy_fingerprint);
+
+
+    EXPECT_EQ(test[i].expected_contain_tamper_detect_fingerprints,
+              contain_chrome_proxy_fingerprint);
+    if (!contain_chrome_proxy_fingerprint)
+      return;
+    std::vector<std::string> chrome_proxy_header_values =
+        DataReductionProxyTamperDetection::
+        GetHeaderValues(headers, "Chrome-Proxy");
+
+    DataReductionProxyTamperDetection::
+        RemoveChromeProxyFingerprint(&chrome_proxy_header_values);
+
+    DataReductionProxyTamperDetection tamper_detection(
+        headers,
+        true,
+        0,
+        &chrome_proxy_header_values);
+
+    bool tampered_chrome_proxy =
+        tamper_detection.IsChromeProxyHeaderTampered(chrome_proxy_fingerprint);
+    EXPECT_EQ(test[i].expected_tampered_chrome_proxy, tampered_chrome_proxy);
+    if (tampered_chrome_proxy)
+      return;
+
+    std::map<std::string, DataReductionProxyTamperDetection::FingerprintCode>::
+        iterator it;
+    for (it = tamper_detection.fingerprint_name_code_map_.begin();
+         it != tamper_detection.fingerprint_name_code_map_.end(); ++it) {
+      std::string fingerprint;
+      if (!GetDataReductionProxyActionValue(
+          headers, it->first, &fingerprint)) {
+        continue;
+      }
+
+      bool tampered = false;
+      switch (it->second) {
+      case DataReductionProxyTamperDetection::VIA:
+        bool has_chrome_proxy_via_header;
+        tampered = tamper_detection.IsViaHeaderTampered(
+            fingerprint, &has_chrome_proxy_via_header);
+        EXPECT_EQ(test[i].expected_tampered_via, tampered);
+        EXPECT_EQ(test[i].expected_has_chrome_proxy_via_header,
+                  has_chrome_proxy_via_header);
+        break;
+      case DataReductionProxyTamperDetection::OTHERHEADERS:
+        tampered = tamper_detection.AreOtherHeadersTampered(fingerprint);
+        EXPECT_EQ(test[i].expected_tampered_other_headers, tampered);
+        break;
+      case DataReductionProxyTamperDetection::CONTENTLENGTH:
+        tampered = tamper_detection.IsContentLengthHeaderTampered(fingerprint);
+        EXPECT_EQ(test[i].expected_tampered_content_length, tampered);
+        break;
+      default:
+        NOTREACHED();
+        break;
+      }
+    }
+  }
+}
+
+} // namespace