Remember user decisions on invalid certificates behind a flag

chrome/browser/ssl/chrome_ssl_host_state_decisions_test.cc

+// Copyright (c) 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/command_line.h"
+#include "base/strings/string_number_conversions.h"
+#include "base/test/simple_test_clock.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ssl/chrome_ssl_host_state_decisions.h"
+#include "chrome/browser/ui/browser.h"
+#include "chrome/browser/ui/tabs/tab_strip_model.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/test/base/in_process_browser_test.h"
+#include "content/public/browser/ssl_host_state_decisions.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/test/browser_test_utils.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+
+namespace {
+
+// Certificate for test data. It is obtained with:
+//
+// $ openssl s_client -connect [host]:443 -showcerts
+// $ openssl x509 -inform PEM -outform DER > /tmp/host.der
+// $ xxd -i /tmp/host.der
+
+// Google's cert.
+
+unsigned char google_der[] = {

[Ryan Sleevi, 2014/07/08 23:53:29]

Use the net test data. Don't hardcode files into tests like this.

[jww, 2014/07/11 00:08:41]

Done.

+    0x30, 0x82, 0x03, 0x21, 0x30, 0x82, 0x02, 0x8a, 0xa0, 0x03, 0x02, 0x01,
+    0x02, 0x02, 0x10, 0x3c, 0x8d, 0x3a, 0x64, 0xee, 0x18, 0xdd, 0x1b, 0x73,
+    0x0b, 0xa1, 0x92, 0xee, 0xf8, 0x98, 0x1b, 0x30, 0x0d, 0x06, 0x09, 0x2a,
+    0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x4c,
+    0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x5a,
+    0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x1c,
+    0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x73, 0x75,
+    0x6c, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x28, 0x50, 0x74, 0x79, 0x29, 0x20,
+    0x4c, 0x74, 0x64, 0x2e, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04,
+    0x03, 0x13, 0x0d, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x53, 0x47,
+    0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x35,
+    0x30, 0x32, 0x31, 0x37, 0x30, 0x32, 0x35, 0x35, 0x5a, 0x17, 0x0d, 0x30,
+    0x39, 0x30, 0x35, 0x30, 0x32, 0x31, 0x37, 0x30, 0x32, 0x35, 0x35, 0x5a,
+    0x30, 0x68, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
+    0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
+    0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61,
+    0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0d, 0x4d,
+    0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, 0x77,
+    0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
+    0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x31, 0x17, 0x30,
+    0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0e, 0x77, 0x77, 0x77, 0x2e,
+    0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x81,
+    0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+    0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
+    0x81, 0x81, 0x00, 0x9b, 0x19, 0xed, 0x5d, 0xa5, 0x56, 0xaf, 0x49, 0x66,
+    0xdb, 0x79, 0xfd, 0xc2, 0x1c, 0x78, 0x4e, 0x4f, 0x11, 0xa5, 0x8a, 0xac,
+    0xe2, 0x94, 0xee, 0xe3, 0xe2, 0x4b, 0xc0, 0x03, 0x25, 0xa7, 0x99, 0xcc,
+    0x65, 0xe1, 0xec, 0x94, 0xae, 0xae, 0xf0, 0xa7, 0x99, 0xbc, 0x10, 0xd7,
+    0xed, 0x87, 0x30, 0x47, 0xcd, 0x50, 0xf9, 0xaf, 0xd3, 0xd3, 0xf4, 0x0b,
+    0x8d, 0x47, 0x8a, 0x2e, 0xe2, 0xce, 0x53, 0x9b, 0x91, 0x99, 0x7f, 0x1e,
+    0x5c, 0xf9, 0x1b, 0xd6, 0xe9, 0x93, 0x67, 0xe3, 0x4a, 0xf8, 0xcf, 0xc4,
+    0x8c, 0x0c, 0x68, 0xd1, 0x97, 0x54, 0x47, 0x0e, 0x0a, 0x24, 0x30, 0xa7,
+    0x82, 0x94, 0xae, 0xde, 0xae, 0x3f, 0xbf, 0xba, 0x14, 0xc6, 0xf8, 0xb2,
+    0x90, 0x8e, 0x36, 0xad, 0xe1, 0xd0, 0xbe, 0x16, 0x9a, 0xb3, 0x5e, 0x72,
+    0x38, 0x49, 0xda, 0x74, 0xa1, 0x3f, 0xff, 0xd2, 0x87, 0x81, 0xed, 0x02,
+    0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xe7, 0x30, 0x81, 0xe4, 0x30, 0x28,
+    0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x21, 0x30, 0x1f, 0x06, 0x08, 0x2b,
+    0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01,
+    0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86,
+    0xf8, 0x42, 0x04, 0x01, 0x30, 0x36, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04,
+    0x2f, 0x30, 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, 0x25, 0x68,
+    0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x74, 0x68,
+    0x61, 0x77, 0x74, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x54, 0x68, 0x61,
+    0x77, 0x74, 0x65, 0x53, 0x47, 0x43, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x6c,
+    0x30, 0x72, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01,
+    0x04, 0x66, 0x30, 0x64, 0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+    0x05, 0x07, 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
+    0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65,
+    0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x3e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
+    0x05, 0x07, 0x30, 0x02, 0x86, 0x32, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
+    0x2f, 0x77, 0x77, 0x77, 0x2e, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x2e,
+    0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f,
+    0x72, 0x79, 0x2f, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x5f, 0x53, 0x47,
+    0x43, 0x5f, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0c, 0x06, 0x03,
+    0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0d,
+    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
+    0x00, 0x03, 0x81, 0x81, 0x00, 0x31, 0x0a, 0x6c, 0xa2, 0x9e, 0xe9, 0x54,
+    0x19, 0x16, 0x68, 0x99, 0x91, 0xd6, 0x43, 0xcb, 0x6b, 0xb4, 0xcc, 0x6c,
+    0xcc, 0xb0, 0xfb, 0xf1, 0xee, 0x81, 0xbf, 0x00, 0x2b, 0x6f, 0x50, 0x12,
+    0xc6, 0xaf, 0x02, 0x2a, 0x36, 0xc1, 0x28, 0xde, 0xc5, 0x4c, 0x56, 0x20,
+    0x6d, 0xf5, 0x3d, 0x42, 0xb9, 0x18, 0x81, 0x20, 0xb2, 0xdd, 0x57, 0x5d,
+    0xeb, 0xbe, 0x32, 0x84, 0x50, 0x45, 0x51, 0x6e, 0xcd, 0xe4, 0x2e, 0x2a,
+    0x38, 0x88, 0x9f, 0x52, 0xed, 0x28, 0xff, 0xfc, 0x8d, 0x57, 0xb5, 0xad,
+    0x64, 0xae, 0x4d, 0x0e, 0x0e, 0xd9, 0x3d, 0xac, 0xb8, 0xfe, 0x66, 0x4c,
+    0x15, 0x8f, 0x44, 0x52, 0xfa, 0x7c, 0x3c, 0x04, 0xed, 0x7f, 0x37, 0x61,
+    0x04, 0xfe, 0xd5, 0xe9, 0xb9, 0xb0, 0x9e, 0xfe, 0xa5, 0x11, 0x69, 0xc9,
+    0x63, 0xd6, 0x46, 0x81, 0x6f, 0x00, 0xd8, 0x72, 0x2f, 0x82, 0x37, 0x44,
+    0xc1};
+
+GURL www_google_url("https://www.google.com");
+GURL google_url("https://google.com");
+GURL example_url("https://example.com");
+
+const char* kDeltaSecondsString = "86400";
+
+}  // namespace
+
+class ChromeSSLHostStateDecisionsTest : public InProcessBrowserTest {
+ public:
+  ChromeSSLHostStateDecisionsTest() {};
+  virtual ~ChromeSSLHostStateDecisionsTest() {};
+
+  // InProcessBrowserTest:
+  virtual void SetUpInProcessBrowserTestFixture() OVERRIDE{};
+  virtual void SetUpOnMainThread() OVERRIDE{};
+  virtual void CleanUpOnMainThread() OVERRIDE{};

[Ryan Sleevi, 2014/07/08 23:53:29]

1) spaces between OVERRIDE and {}
2) Um, why are you overriding to begin with, if they're just empty?

[jww, 2014/07/11 00:08:41]

I actually had a space initially, but git-cl format changed it.
Habit. Getting rid of them.

+
+  virtual void SetUpOnIOThread() {};
+  virtual void CleanUpOnIOThread() {};
+};
+
+// This tests basic unit test functionality of the SSLHostStateDecisions class.
+// For example, tests that if a certificate is accepted, then it is added to
+// queryable, and if it is revoked, it is not queryable.
+IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDecisionsTest, QueryPolicy) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();

[Ryan Sleevi, 2014/07/08 23:53:29]

Seems like all of this could be done as a simple TEST_F, no IPBT.

That is, just test the decisions class for testing decisions.

If you are going to do any IPBT, it'd probably just to be sure that a regular
and incognito profile don't bleed together.

[jww, 2014/07/11 00:08:41]

I think you're right that these basic unit tests can probably not be IPBT, so
I'm changing them to be just TEST_F. However, the other tests below are all
about profiles and making sure things are maintained (or not) after restart, as
well as checking incognito bleeds, so those, I think, need to remain IPBT.

[jww, 2014/07/11 00:08:41]

Perhaps I don't quite understand how TEST_F works, but I think these need to all
be IPBT because the implementation relies on having a profile. That is, the
state forwards queries and changes into the profile, so if we're not in an IPBT,
I believe there won't be a profile, and none of this will work.

If I'm mistaken, though, could you point me to a good example that's similar
that I can use to model the test off of?

[Ryan Sleevi, 2014/07/11 00:48:49]

Correct, there won't be an associated Profile in a normal test fixture.

That said, I don't think you should be coupling *these* tests - which are about
basic functionality of the host decisions - to being a profile. There's nothing
profile-y about it (compared to the Incognito vs Regular tests, which I agree
should be IPBT)

That is, rather than lines 129-132, which bounce to a profile to get an
SSLHostStateDecisions, you should just be creating an SSLHostStateDecisions, and
running the various tests.

All of these tests (that is, 125-221) belong in content::SSLHostStateDecision's
tests, not Chrome's. Chrome's should only test the profile-relationships, but
content should test the core interface associations.

[jww, 2014/07/11 01:52:07]

Sorry for my density, I still think that doesn't make sense. SSLHostState
actually doesn't have any more tests because it exists simply to forward queries
and changes to ChromeSSLHostStateDecisions, and without a profile it can't
forward anything since ChromeSSLHostStateDecisions exists as a singleton in each
profile.

I understand that it feels weird to put this unit-y tests inside the browser
test, except that all of the things we're testing here (querying, allowing
certs, etc.) are backed on a per-profile basis. For example, with QueryPolicy,
it's meaningless to talk about QueryPolicy anymore without a profile because the
querying works with content settings, which is build into the profile.

[Ryan Sleevi, 2014/07/11 19:43:27]

Bah, I missed *Decisions rather than just SSLHostState (which is Profile-less).

[jww, 2014/07/14 21:21:15]

Acknowledged.

+
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));

[Ryan Sleevi, 2014/07/11 19:43:27]

Document the precondition you're testing on line 133.

[jww, 2014/07/14 21:21:15]

Done.

+
+  state->AllowCert(

[Ryan Sleevi, 2014/07/11 19:43:27]

Document what you're doing, and then on line 147, what you're verifying was
done.

[jww, 2014/07/14 21:21:15]

Done.

+      www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  state->AllowCert(

[Ryan Sleevi, 2014/07/11 19:43:27]

Document what you're doing, and what you're verifying was done.

[jww, 2014/07/14 21:21:15]

Done.

+      example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::ALLOWED,
+            state->QueryPolicy(
+                example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  state->DenyCert(

[Ryan Sleevi, 2014/07/11 19:43:27]

Document what you're doing, and what you're verifying was done (e.g. that you
can deny a cert, and it does not affect other URLs)

[jww, 2014/07/14 21:21:15]

Done.

+      example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::DENIED,
+            state->QueryPolicy(
+                example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  EXPECT_TRUE(state->HasAllowedOrDeniedCert(www_google_url));

[Ryan Sleevi, 2014/07/11 19:43:27]

Seems like 187-193 should be their own, hermetic test.

[jww, 2014/07/14 21:21:15]

Done.

+  state->RevokeAllowAndDenyPreferences(www_google_url);
+  EXPECT_FALSE(state->HasAllowedOrDeniedCert(www_google_url));
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  EXPECT_FALSE(state->HasAllowedOrDeniedCert(google_url));

[Ryan Sleevi, 2014/07/11 19:43:27]

What is this testing that is different than what you just tested on 187-193?

[jww, 2014/07/14 21:21:15]

187-193 tests that HasAllowedOrDeniedCert works for a cert that has had a
decision made (and then revoked). This confirms that it also works for untouched
URLs, and that a revoke doesn't affect that state.

+  state->RevokeAllowAndDenyPreferences(google_url);
+  EXPECT_FALSE(state->HasAllowedOrDeniedCert(google_url));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  EXPECT_TRUE(state->HasAllowedOrDeniedCert(example_url));

[Ryan Sleevi, 2014/07/11 19:43:27]

How is this a different test than the previous two?

Should you perhaps be instead doing a test to ensure revoking for www_google_url
doesn't affect example_url? Or that revoking for google_url affects
www_google_url if content settings are supposed to inherit? Or that it doesn't,
if they're not.

[jww, 2014/07/14 21:21:15]

Yeah, this was a silly test. I'm going to modify it to be your first suggestion
(revoking www_google_url doesn't affect example_url).

+  state->RevokeAllowAndDenyPreferences(example_url);
+  EXPECT_FALSE(state->HasAllowedOrDeniedCert(example_url));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  state->Clear();
+
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+  EXPECT_EQ(net::CertPolicy::UNKNOWN,
+            state->QueryPolicy(
+                example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));

[Ryan Sleevi, 2014/07/11 19:43:27]

How does this actually test that Clear() worked, considering you just made them
all unknown on 187-208.

Here, Clear() could fail, and this test would still succeed.

I expect that you should roll 209-220 into its own test, precisely to test that
Clear() works.

[jww, 2014/07/14 21:21:15]

Done.

+}
+
+// Tests the basic behavior of cert memory in incognito
+class IncognitoSSLHostStateDecisionsTest
+    : public ChromeSSLHostStateDecisionsTest {
+ protected:
+  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
+    ChromeSSLHostStateDecisionsTest::SetUpCommandLine(command_line);
+    // Setting the kRememberCertErrorDecisions flag to positive, non "0" values
+    // indicates that certificate decisions should be remembered even across
+    // browser session restarts for the given length of time, in seconds.
+    command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
+                                    kDeltaSecondsString);
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDecisionsTest, PRE_AfterRestart) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
+
+  // Add a cert exception to the profile and then verify that it still exists
+  // in the incognito profile.
+  state->AllowCert(
+      www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+
+  scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
+  content::SSLHostStateDecisions* incognito_state =
+      incognito->GetSSLHostStateDecisions();
+
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      incognito_state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  // Add a cert exception to the incognito profile. It will be checked after
+  // restart that this exception does not exist. Note the different cert URL and
+  // error than above thus mapping to a second exception. Also validate that it
+  // was not added as an exception to the regular profile.
+  incognito_state->AllowCert(
+      google_url, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID);
+
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      state->QueryPolicy(
+          google_url, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID));
+}
+
+IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDecisionsTest, AfterRestart) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
+
+  // Verify that the exception added before restart to the regular
+  // (non-incognito) profile still exists and was not cleared after the
+  // incognito session ended.
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
+  content::SSLHostStateDecisions* incognito_state =
+      incognito->GetSSLHostStateDecisions();
+
+  // Verify that the exception added before restart to the incognito profile was
+  // cleared when the incognito session ended.
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      incognito_state->QueryPolicy(
+          google_url, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID));
+}
+
+// Tests to make sure that if the remember value is set to 0, any decisions
+// won't be remembered over a restart.
+class ForgetSSLHostStateDecisionsTest : public ChromeSSLHostStateDecisionsTest {
+ protected:
+  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
+    ChromeSSLHostStateDecisionsTest::SetUpCommandLine(command_line);
+    // Setting the kRememberCertErrorDecisions flag to a value of "0" indicates
+    // that certificate decisions should not be remembered across browser
+    // session restarts.
+    command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, "0");
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(ForgetSSLHostStateDecisionsTest, PRE_AfterRestart) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
+
+  state->AllowCert(
+      www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+}
+
+IN_PROC_BROWSER_TEST_F(ForgetSSLHostStateDecisionsTest, AfterRestart) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
+
+  // The cert should now be |UNKONWN| because the profile is set to forget cert
+  // exceptions after session end.
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+}
+
+// Tests to make sure that if the remember value is set to a non-zero value0,
+// any decisions will be remembered over a restart, but only for the length
+// specified.
+class RememberSSLHostStateDecisionsTest
+    : public ChromeSSLHostStateDecisionsTest {
+ protected:
+  virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
+    ChromeSSLHostStateDecisionsTest::SetUpCommandLine(command_line);
+    // Setting the kRememberCertErrorDecisions flag to positive, non "0" values
+    // indicates that certificate decisions should be remembered even across
+    // browser session restarts for the given length of time, in seconds.
+    command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
+                                    kDeltaSecondsString);
+  }
+};
+
+IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDecisionsTest, PRE_AfterRestart) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
+
+  state->AllowCert(
+      www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+}
+
+IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDecisionsTest, AfterRestart) {
+  scoped_refptr<net::X509Certificate> google_cert(
+      net::X509Certificate::CreateFromBytes(
+          reinterpret_cast<const char*>(google_der), sizeof(google_der)));
+  content::WebContents* tab =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
+
+  // chrome_state takes ownership of this clock
+  base::SimpleTestClock* clock = new base::SimpleTestClock();
+  ChromeSSLHostStateDecisions* chrome_state =
+      static_cast<ChromeSSLHostStateDecisions*>(state);
+  chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
+
+  // Start the clock at standard system time.
+  clock->SetNow(base::Time::NowFromSystemTime());
+
+  // This should only pass if the cert was allowed before the test was restart
+  // and thus has now been rememebered across browser restarts.
+  EXPECT_EQ(
+      net::CertPolicy::ALLOWED,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+
+  // Simulate the clock advancing by the specified delta.
+  int64 delta;
+  base::StringToInt64(kDeltaSecondsString, &delta);
+  clock->Advance(base::TimeDelta::FromSeconds(delta + 1));
+
+  // The cert should now be |UNKONWN| because the specified delta has passed.
+  EXPECT_EQ(
+      net::CertPolicy::UNKNOWN,
+      state->QueryPolicy(
+          www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
+}