Chrome Participated Tamper Detect

components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect_unittest.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "components/data_reduction_proxy/browser/data_reduction_proxy_tamper_detect.h"
+
+#include <string.h>
+#include <algorithm>
+#include <map>
+#include <vector>
+
+#include "base/base64.h"
+#include "base/md5.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/strings/string_split.h"
+#include "components/data_reduction_proxy/common/data_reduction_proxy_headers.h"
+#include "net/android/network_library.h"
+#include "net/http/http_response_headers.h"
+#include "net/http/http_util.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace {
+
+void HeadersToRaw(std::string* headers) {
+  std::replace(headers->begin(), headers->end(), '\n', '\0');
+  if (!headers->empty())
+    *headers += '\0';
+}
+
+// Calcuates MD5 hash value for a string and then base64 encode it.
+std::string GetEncoded(const std::string& input) {
+  base::MD5Digest digest;
+  base::MD5Sum(input.c_str(), input.size(), &digest);
+  std::string base64encoded;
+  base::Base64Encode(std::string((char*)digest.a,
+                     ARRAYSIZE_UNSAFE(digest.a)), &base64encoded);
+  return base64encoded;
+}
+
+// Replaces all contents within "[]" by corresponding base64 encoded MD5 value.
+void ReplaceWithEncodedString(std::string* input) {
+  size_t start, end;
+  while (true) {
+    start = input->find("[");
+    if (start == std::string::npos) break;
+    end = input->find("]", start);
+    std::string need_to_encode = input->substr(start + 1, end - start - 1);
+    *input = input->substr(0, start) + GetEncoded(need_to_encode) +
+             input->substr(end + 1);
+  }
+}
+
+const int kMaxVectorSize = 10;
+// Put a list of strings into a vector.
+std::vector<std::string> StringsToVector(std::string* input) {
+  std::vector<std::string> vector;
+  for (size_t i=0; i<kMaxVectorSize; ++i) {
+    if (input[i].size()) {
+      if (input[i] == " ")
+        vector.push_back("");
+      else
+        vector.push_back(input[i]);
+    }
+  }
+  return vector;
+}
+
+// Testcase for fingerprint checking functions. |received_fingerprint| is
+// fingerprint received from the data reduction proxy. |expected_tampered| is
+// expected tampered or not result.
+struct TamperDetectionTestCase {
+  std::string label;
+  std::string raw_header;
+  std::string received_fingerprint;
+  bool expected_tampered;
+  bool expected_has_chrome_proxy_via_header;
+};
+
+}  // namespace
+
+namespace data_reduction_proxy {
+
+class DataReductionProxyTamperDetectionTest : public testing::Test {
+ public:
+  static void TestFingerprintCommon(const TamperDetectionTestCase& test,
+      DataReductionProxyTamperDetection::FingerprintCode fingerprint);
+};
+
+// Common function for testing fingerprint checking functions. For a given
+// header string |test.raw_header|, generates HttpResponseHeaders |headers| and
+// checks specified fingerprint checking function returns expected result or
+// not.
+void DataReductionProxyTamperDetectionTest::TestFingerprintCommon(
+    const TamperDetectionTestCase& test,
+    DataReductionProxyTamperDetection::FingerprintCode fingerprint_code) {
+  std::string raw_headers(test.raw_header);
+  HeadersToRaw(&raw_headers);
+  net::HttpResponseHeaders* headers = new net::HttpResponseHeaders(raw_headers);
+
+  // Removes Chrome-Proxy header's fingerprint from Chrome-Proxy header.
+  std::vector<std::string> chrome_proxy_header_values =
+      DataReductionProxyTamperDetection::
+      GetHeaderValues(headers, "Chrome-Proxy");
+
+  DataReductionProxyTamperDetection::RemoveChromeProxyFingerprint(
+      &chrome_proxy_header_values);
+
+  DataReductionProxyTamperDetection tamper_detection(
+      headers, true, 0, &chrome_proxy_header_values);
+
+  bool tampered, has_chrome_proxy_via_header = false;
+  switch (fingerprint_code) {
+  case DataReductionProxyTamperDetection::CHROMEPROXY:
+    tampered = tamper_detection.IsChromeProxyHeaderTampered(
+        test.received_fingerprint);
+    break;
+  case DataReductionProxyTamperDetection::VIA:
+    tampered = tamper_detection.IsViaHeaderTampered(
+        test.received_fingerprint, &has_chrome_proxy_via_header);
+    EXPECT_EQ(test.expected_has_chrome_proxy_via_header,
+              has_chrome_proxy_via_header)<<test.label;

[bolian, 2014/07/23 23:22:57]

space before and after "<<". everywhere.

[xingx, 2014/07/24 01:18:50]

Done.

+    break;
+  case DataReductionProxyTamperDetection::OTHERHEADERS:
+    tampered = tamper_detection.AreOtherHeadersTampered(
+        test.received_fingerprint);
+    break;
+  case DataReductionProxyTamperDetection::CONTENTLENGTH:
+    tampered = tamper_detection.IsContentLengthHeaderTampered(
+        test.received_fingerprint);
+    break;
+  case DataReductionProxyTamperDetection::NONEXIST:
+  default:
+    NOTREACHED();
+    break;
+  }
+
+  EXPECT_EQ(test.expected_tampered, tampered)<<test.label;
+}
+
+// Checks function IsChromeProxyHeaderTampered.

[bolian, 2014/07/24 07:11:58]

s/Checks/Tests. And in below cases as well.

+TEST_F(DataReductionProxyTamperDetectionTest, ChromeProxy) {
+  // |received_fingerprint| is not the actual fingerprint from data reduction
+  // proxy, instead, the base64 encoded field is in plain text (within "[]")

[bolian, 2014/07/23 23:22:57]

I think I now understand you tests, but probably because I have read it many
times. I think part of the problem is you add a fcp and then removed it. Can you
setup tests as follows?

TamperDetectionTestCase test[] = {
  {
    "reordering",
    string("Chrome-Proxy: b=2,a=1,c=3,fcp=") +
        GetEncoded("a=1,b=2,c=3),
    false,
  },
}

This way, you can also test the case when fcp value cannot be decoded.
WDYT?

[xingx, 2014/07/24 01:18:50]

Done. But a little bit tricky, Chrome-Proxy fingerprint contains OtherHeader
fingerprint, which is nested encoding. Modified ReplaceWithEncodedString to
support nested case like [[abc]def].

+  // and needs to be encoded first.
+  TamperDetectionTestCase test[] = {
+    {
+      "Checks sorting.",
+      "HTTP/1.1 200 OK\n"

[bolian, 2014/07/23 23:22:57]

Do you need the 200 OK line? You are not enforcing that, right?  It is a
condition in chrome_network_delegate.

[xingx, 2014/07/24 01:18:50]

I need that to parse it as a HTTP header, otherwise I can't form
httpresponseheader.

+      "Chrome-Proxy: c,b,a,3,2,1,fcp=f\n",
+      "[1,2,3,a,b,c,]",
+      false,
+    },
+    {
+      "Checks Chrome-Proxy's fingerprint removing.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: a,b,c,d,e,3,2,1,fcp=f\n",
+      "[1,2,3,a,b,c,d,e,]",
+      false,
+    },
+    {
+      "Checks no Chrome-Proxy header case (should not happen).",
+      "HTTP/1.1 200 OK\n",
+      "[]",
+      false,
+    },
+    {
+      "Checks empty Chrome-Proxy header case (should not happen).",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy:    \n",
+      "[,]",
+      false,
+    },
+    {
+      "Checks Chrome-Proxy header with its fingerprint only case.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: fcp=f\n",
+      "[]",
+      false,
+    },
+    {
+      "Checks empty Chrome-Proxy header case, with extra ',' and ' '",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: fcp=f  ,  \n",
+      "[]",
+      false,
+    },
+    {
+      "Changed no value to empty value.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: fcp=f\n",
+      "[,]",
+      true,
+    },
+    {
+      "Changed header values.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: a,b=2,c,d=1,fcp=f\n",
+      "[a,b=3,c,d=1,]",
+      true,
+    },
+    {
+      "Changed order of header values.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: c,b,a,fcp=1\n",
+      "[c,b,a,]",
+      true,
+    },
+    {
+      "Checks Chrome-Proxy header with extra ' '.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: a  , b   , c,   d,  fcp=f\n",
+      "[a,b,c,d,]",
+      false
+    },
+    {
+      "Check Chrome-Proxy header with multiple lines and ' '.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy:     a    ,   c   , d, fcp=f    \n"
+      "Chrome-Proxy:    b \n",
+      "[a,b,c,d,]",
+      false
+    },
+    {
+      "Checks Chrome-Proxy header with multiple lines, at different positions",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy:     a   \n"
+      "Chrome-Proxy:    c \n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Chrome-Proxy:    b  \n"
+      "Connection: 4\n"
+      "Expires: 5\n"
+      "Chrome-Proxy:    fcp=f \n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "[a,b,c,]",
+      false
+    },
+    {
+      "Checks Chrome-Proxy header with multiple same values.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy:     a   \n"
+      "Chrome-Proxy:    b\n"
+      "Chrome-Proxy:    c\n"
+      "Chrome-Proxy:    d,   fcp=f    \n"
+      "Chrome-Proxy:     a   \n",
+      "[a,a,b,c,d,]",
+      false
+    },
+    {
+      "Changed Chrome-Proxy header with multiple lines..",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: a\n"
+      "Chrome-Proxy: a\n"
+      "Chrome-Proxy: b\n"
+      "Chrome-Proxy: c,fcp=f\n",
+      "[a,b,c,]",
+      true,
+    },
+    {
+      "Checks case whose received fingerprint is empty.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: a,b,c,fcp=1\n",
+      "[]",
+      true,
+    },
+    {
+      "Checks case whose received fingerprint cannot be base64 decoded.",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: a,b,c,fcp=1\n",
+      "not_base64_encoded",
+      true,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    ReplaceWithEncodedString(&test[i].received_fingerprint);
+
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::CHROMEPROXY);
+  }
+}
+
+// Check function IsViaHeaderTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, Via) {
+  TamperDetectionTestCase test[] = {
+    {
+      "Checks the case that Chrome-Compression-Proxy occurs at the last.",
+      "HTTP/1.1 200 OK\n"
+      "Via: a, b, c, 1.1 Chrome-Compression-Proxy\n",
+      "",
+      false,
+      true,
+    },
+    {
+      "Checks when there is intermediary.",
+      "HTTP/1.1 200 OK\n"
+      "Via: a, b,  c,   1.1 Chrome-Compression-Proxy,    xyz\n",
+      "",
+      true,
+      true,
+    },
+    {
+      "Checks the case of empty Via header.",
+      "HTTP/1.1 200 OK\n"
+      "Via:  \n",
+      "",
+      false,
+      false,
+    },
+    {
+      "Checks the case that only the data reduction proxy's Via header occurs.",
+      "HTTP/1.1 200 OK\n"
+      "Via:  1.1 Chrome-Compression-Proxy    \n",
+      "",
+      false,
+      true,
+    },
+    {
+      "Checks the case that there are ' ', i.e., empty value after the data"
+      " reduction proxy's Via header.",
+      "HTTP/1.1 200 OK\n"
+      "Via:  1.1 Chrome-Compression-Proxy  ,  , \n",
+      "",
+      false,
+      true,
+    },
+    {
+      "Checks the case when there is no Via header",
+      "HTTP/1.1 200 OK\n",
+      "",
+      false,
+      false,
+    },
+    // Same to above test cases, but with deprecated data reduciton proxy Via
+    // header.
+    {
+      "Checks the case that Chrome Compression Proxy occurs at the last.",
+      "HTTP/1.1 200 OK\n"
+      "Via: a, b, c, 1.1 Chrome Compression Proxy\n",
+      "",
+      false,
+      true,
+    },
+    {
+      "Checks when there is intermediary.",
+      "HTTP/1.1 200 OK\n"
+      "Via: a, b,  c,   1.1 Chrome Compression Proxy,    xyz\n",
+      "",
+      true,
+      true,
+    },
+    {
+      "Checks the case of empty Via header.",
+      "HTTP/1.1 200 OK\n"
+      "Via:  \n",
+      "",
+      false,
+      false,
+    },
+    {
+      "Checks the case that only the data reduction proxy's Via header occurs.",
+      "HTTP/1.1 200 OK\n"
+      "Via:  1.1 Chrome Compression Proxy    \n",
+      "",
+      false,
+      true,
+    },
+    {
+      "Checks the case that there are ' ', i.e., empty value after the data"
+      "reduction proxy's Via header.",
+      "HTTP/1.1 200 OK\n"
+      "Via:  1.1 Chrome Compression Proxy  ,  , \n",
+      "",
+      false,
+      true,
+    },
+    {
+      "Checks the case when there is no Via header",
+      "HTTP/1.1 200 OK\n",
+      "",
+      false,
+      false,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::VIA);
+  }
+}
+
+// Checks function AreOtherHeadersTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, OtherHeaders) {
+  // For following testcases, |received_fingerprint| is not the actual
+  // fingerprint from data reduction proxy, instead, the base64 encoded field
+  // is in plain text (within "[]") and needs to be encoded first. For example,
+  // "[12345;]|content-length" needs to be encoded to
+  // "Base64Encoded(MD5(12345;))|content-length" before calling the checking
+  // function.
+  TamperDetectionTestCase test[] = {
+    {
+      "Checks the case that only one header is requested.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Length: 12345\n",
+      "[12345,;]|content-length",
+      false
+    },
+    {
+      "Checks the case that there is only one requested header and it does not"
+      "exist.",
+      "HTTP/1.1 200 OK\n",
+      "[;]|non_exist_header",
+      false
+    },
+    {
+      "Checks the case of multiple headers are requested.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n"
+      "ETag: 3\n"
+      "Connection: 4\n"
+      "Expires: 5\n",
+      "[1,;2,;3,;4,;5,;]|content-type|cache-control|etag|connection|expires",
+      false
+    },
+    {
+      "Checks the case that one header has multiple values.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type: aaa1,    bbb1, ccc1\n"
+      "Cache-Control: aaa2\n",
+      "[aaa1,bbb1,ccc1,;aaa2,;]|content-type|cache-control",
+      false
+    },
+    {
+      "Checks the case that one header has multiple lines.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Content-Type: xxx1,    bbb1, ccc1\n"
+      "Cache-Control: aaa2\n",
+      "[aaa1,bbb1,ccc1,ccc1,xxx1,;aaa2,;]|content-type|cache-control",
+      false
+    },
+    {
+      "Checks the case that more than one headers have multiple values.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Cache-Control: ccc2    , bbb2\n"
+      "Content-Type:  bbb1, ccc1\n"
+      "Cache-Control: aaa2   \n",
+      "[aaa1,bbb1,ccc1,ccc1,;aaa2,bbb2,ccc2,;]|content-type|cache-control",
+      false
+    },
+    {
+      "Checks the case that one of the requested headers is missing (Expires).",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type: aaa1,   ccc1\n",
+      "[aaa1,ccc1,;;]|content-type|expires",
+      false
+    },
+    {
+      "Checks the case that some of the requested headers have empty value.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type:   \n"
+      "Cache-Control: \n",
+      "[,;,;]|content-type|cache-control",
+      false
+    },
+    {
+      "Checks the case that all the requested headers are missing.",
+      "HTTP/1.1 200 OK\n",
+      "[;;]|content-type|expires",
+      false
+    },
+    {
+      "Checks the case that some headers are missing, some of them are empty.",
+      "HTTP/1.1 200 OK\n"
+      "Cache-Control: \n",
+      "[;,;]|content-type|cache-control",
+      false
+    },
+    {
+      "Checks the case there is no requested header (header list is empty).",
+      "HTTP/1.1 200 OK\n"
+      "Chrome-Proxy: aut=aauutthh,bbbypas=0,aaxxx=xxx,bbbloc=1\n"
+      "Content-Type: 1\n"
+      "Cache-Control: 2\n",
+      "[]",
+      false
+    },
+    {
+      "Checks tampered requested header values.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Type: aaa1,   ccc1\n"
+      "Cache-Control: ccc2    , bbb2\n",
+      "[aaa1,bbb1,;bbb2,ccc2,;]|content-type|cache-control",
+      true
+    },
+    /* will lead to NOTREACHED() */
+    /*
+    {
+      "Checks the case that base64 decoding fails.",
+      "HTTP/1.1 200 OK\n"
+      "Cache-Control: \n"
+      "Connection: \n"
+      "Expires: 5\n"
+      "Via: \n"
+      "Content-Length: 12345\n",
+      "abcde|content-type|cache-control|etag|connection|expires",
+      true
+    },
+    */
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    ReplaceWithEncodedString(&(test[i].received_fingerprint));
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::OTHERHEADERS);
+  }
+}
+
+// Checks function IsContentLengthTampered.
+TEST_F(DataReductionProxyTamperDetectionTest, ContentLength) {
+  TamperDetectionTestCase test[] = {
+    {
+      "Checks the case fingerprint matches received response.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Length: 12345\n",
+      "12345",
+      false,
+    },
+    {
+      "Checks case that response got modified.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Length: 12345\n",
+      "125",
+      true,
+    },
+    {
+      "Checks the case that the data reduction proxy has not sent"
+      "Content-Length header.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Length: 12345\n",
+      "",
+      false,
+    },
+    {
+      "Checks the case that the data reduction proxy sends invalid"
+      "Content-Length header.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Length: 12345\n",
+      "aaa",
+      false,
+    },
+    {
+      "Checks the case that the data reduction proxy sends invalid"
+      "Content-Length header.",
+      "HTTP/1.1 200 OK\n"
+      "Content-Length: aaa\n",
+      "aaa",
+      false,
+    },
+    {
+      "Checks the case that Content-Length header is missing at the Chromium"
+      "client side.",
+      "HTTP/1.1 200 OK\n",
+      "123",
+      false,
+    },
+    {
+      "Checks the case that Content-Length header are missing at both end.",
+      "HTTP/1.1 200 OK\n",
+      "",
+      false,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    DataReductionProxyTamperDetectionTest::TestFingerprintCommon(test[i],
+        DataReductionProxyTamperDetection::CONTENTLENGTH);
+  }
+}
+
+// Testcase for RemoveChromeProxyFingerprint function.
+TEST_F(DataReductionProxyTamperDetectionTest, HeaderRemoving) {
+  struct {
+    std::string label;
+    std::string input_values[kMaxVectorSize];
+    std::string expected_output_values[kMaxVectorSize];
+  } test[] = {
+    {
+      "Checks the case that there is no Chrome-Proxy header's fingerprint.",
+      {"1", "2", "3", "5",},
+      {"1", "2", "3", "5",},
+    },
+    {
+      "Checks the case that there is Chrome-Proxy header's fingerprint.",
+      {"1", "2", "3", "fcp=4", "5",},
+      {"1", "2", "3", "5",},
+    },
+    {
+      "Checks the case that there is Chrome-Proxy header's fingerprint, and it"
+      "occurs at the end.",
+      {"1", "2", "3", "fcp=4",},
+      {"1", "2", "3",},
+    },
+    {
+      "Checks the case that there is Chrome-Proxy header's fingerprint, and it"
+      "occurs at the beginning.",
+      {"fcp=1", "2", "3",},
+      {"2", "3",},
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    std::vector<std::string> input_values =
+        StringsToVector(test[i].input_values);
+    std::vector<std::string> output_values =
+        StringsToVector(test[i].expected_output_values);
+
+    DataReductionProxyTamperDetection::RemoveChromeProxyFingerprint(
+        &input_values);
+
+    EXPECT_EQ(input_values, output_values)<<test[i].label;
+  }
+}
+
+// Testcase for ValuesToSortedString function.
+TEST_F(DataReductionProxyTamperDetectionTest, ValuesToSortedString) {
+  struct {
+    std::string label;
+    std::string input_values[kMaxVectorSize];
+    std::string expected_output_string;
+  } test[] = {
+    {
+      "Checks the correctness of sorting.",
+      {"1", "2", "3",},
+      "1,2,3,",
+    },
+    {
+      "Checks the case that there is an empty input vector.",
+      {},
+      "",
+    },
+    {
+      "Checks the case that there is an empty string in the input vector.",
+      // Use " " to represent empty value.
+      {" ",},
+      ",",
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    std::vector<std::string> input_values =
+        StringsToVector(test[i].input_values);
+
+    std::string output_string = DataReductionProxyTamperDetection::
+        ValuesToSortedString(&input_values);
+
+    EXPECT_EQ(output_string, test[i].expected_output_string)<<test[i].label;
+  }
+}
+
+// Testcase for GetHeaderValues function.
+TEST_F(DataReductionProxyTamperDetectionTest, GetHeaderValues) {
+  struct {
+    std::string label;
+    std::string raw_header;
+    std::string header_name;
+    std::string expected_output_values[kMaxVectorSize];
+  } test[] = {
+    {
+      "Checks the correctness of getting single line header.",
+      "HTTP/1.1 200 OK\n"
+      "test: 1, 2, 3\n",
+      "test",
+      {"1", "2", "3"},
+    },
+    {
+      "Checks the correctness of getting multiple lines header.",
+      "HTTP/1.1 200 OK\n"
+      "test: 1, 2, 3\n"
+      "test: 4, 5, 6\n"
+      "test: 7, 8, 9\n",
+      "test",
+      {"1", "2", "3", "4", "5", "6", "7", "8", "9"},
+    },
+    {
+      "Checks the correctness of getting missing header.",
+      "HTTP/1.1 200 OK\n",
+      "test",
+      {},
+    },
+    {
+      "Checks the correctness of getting empty header.",
+      "HTTP/1.1 200 OK\n"
+      "test:   \n",
+      "test",
+      {" "},
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    std::string raw_headers(test[i].raw_header);
+    HeadersToRaw(&raw_headers);
+    net::HttpResponseHeaders* headers =
+        new net::HttpResponseHeaders(raw_headers);
+
+    std::vector<std::string> expected_output_values =
+        StringsToVector(test[i].expected_output_values);
+
+    std::vector<std::string> output_values =
+        DataReductionProxyTamperDetection::GetHeaderValues(
+        headers, test[i].header_name);
+    EXPECT_EQ(expected_output_values, output_values)<<test[i].label;
+  }
+}
+
+// Testcase for main function DetectAndReport. First generate
+// simulated response from the data reduction proxy, by replacing fingerprint
+// with its base64 encoded MD5 value and appending it to Chrome-Proxy header.
+// Then runs through function CheckResponseFingerprint.
+TEST_F(DataReductionProxyTamperDetectionTest, Completed) {
+  struct {
+    std::string label;
+    std::string raw_header;
+    std::string chrome_header;
+    bool expected_contain_tamper_detect_fingerprints;
+    bool expected_tampered_chrome_proxy;
+    bool expected_tampered_via;
+    bool expected_tampered_other_headers;
+    bool expected_tampered_content_length;
+    bool expected_has_chrome_proxy_via_header;
+  } test[] = {
+    {
+      "Check normal case, Chrome-Proxy fingerprint doesn't exist",
+      "HTTP/1.1 200 OK\n"
+      "Via: a1, b2, 1.1 Chrome-Compression-Proxy\n"
+      "Content-Length: 12345\n"
+      "header1: header_1\n"
+      "header2: header_2\n"
+      "header3: header_3\n",
+      "a,b,c,d,e," +
+      std::string(kChromeProxyActionFingerprintContentLength) + "=12345," +
+      std::string(kChromeProxyActionFingerprintOtherHeaders) +
+      "=[header_1,;header_2,;header_3,;]|header1|header2|header3," +
+      std::string(kChromeProxyActionFingerprintVia) + "=0,",
+      true,
+      false,
+      false,
+      false,
+      false,
+      true,
+    },
+  };
+
+  for (size_t i=0; i<ARRAYSIZE_UNSAFE(test); ++i) {
+    // Replace fingerprint with base64 encoded MD5 value.
+    ReplaceWithEncodedString(&(test[i].chrome_header));
+    // Generate fingerprint for Chrome-Proxy header.
+    std::string chrome_header_fingerprint = GetEncoded(test[i].chrome_header);
+    // Append Chrome-Proxy header to response headers.
+    test[i].raw_header += "Chrome-Proxy: " + test[i].chrome_header +
+        std::string(kChromeProxyActionFingerprintChromeProxy) +
+        "=" + chrome_header_fingerprint + "\n";
+
+    std::string raw_headers(test[i].raw_header);
+    HeadersToRaw(&raw_headers);
+    scoped_refptr<net::HttpResponseHeaders> headers =
+        new net::HttpResponseHeaders(raw_headers);
+
+    // Below copying codes from DetectAndReport, with checking points
+    // added.
+    std::string chrome_proxy_fingerprint;
+    bool contain_chrome_proxy_fingerprint = GetDataReductionProxyActionValue(
+        headers,
+        kChromeProxyActionFingerprintChromeProxy,
+        &chrome_proxy_fingerprint);
+
+
+    EXPECT_EQ(test[i].expected_contain_tamper_detect_fingerprints,
+              contain_chrome_proxy_fingerprint)<<test[i].label;
+    if (!contain_chrome_proxy_fingerprint)
+      return;
+    std::vector<std::string> chrome_proxy_header_values =
+        DataReductionProxyTamperDetection::
+        GetHeaderValues(headers, "Chrome-Proxy");
+
+    DataReductionProxyTamperDetection::
+        RemoveChromeProxyFingerprint(&chrome_proxy_header_values);
+
+    DataReductionProxyTamperDetection tamper_detection(
+        headers,
+        true,
+        0,
+        &chrome_proxy_header_values);
+
+    bool tampered_chrome_proxy =
+        tamper_detection.IsChromeProxyHeaderTampered(chrome_proxy_fingerprint);
+    EXPECT_EQ(test[i].expected_tampered_chrome_proxy, tampered_chrome_proxy)
+        <<test[i].label;
+    if (tampered_chrome_proxy)
+      return;
+
+    std::map<std::string, DataReductionProxyTamperDetection::FingerprintCode>::
+        iterator it;
+    for (it = tamper_detection.fingerprint_name_code_map_.begin();
+         it != tamper_detection.fingerprint_name_code_map_.end(); ++it) {
+      std::string fingerprint;
+      if (!GetDataReductionProxyActionValue(
+          headers, it->first, &fingerprint)) {
+        continue;
+      }
+
+      bool tampered = false;
+      switch (it->second) {
+      case DataReductionProxyTamperDetection::VIA:
+        bool has_chrome_proxy_via_header;
+        tampered = tamper_detection.IsViaHeaderTampered(
+            fingerprint, &has_chrome_proxy_via_header);
+        EXPECT_EQ(test[i].expected_tampered_via, tampered)<<test[i].label;
+        EXPECT_EQ(test[i].expected_has_chrome_proxy_via_header,
+                  has_chrome_proxy_via_header)<<test[i].label;
+        break;
+      case DataReductionProxyTamperDetection::OTHERHEADERS:
+        tampered = tamper_detection.AreOtherHeadersTampered(fingerprint);
+        EXPECT_EQ(test[i].expected_tampered_other_headers, tampered)
+            <<test[i].label;
+        break;
+      case DataReductionProxyTamperDetection::CONTENTLENGTH:
+        tampered = tamper_detection.IsContentLengthHeaderTampered(fingerprint);
+        EXPECT_EQ(test[i].expected_tampered_content_length, tampered)
+            <<test[i].label;
+        break;
+      default:
+        NOTREACHED();
+        break;
+      }
+    }
+  }
+}
+
+} // namespace