Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(288)

Side by Side Diff: chrome/browser/ssl/chrome_ssl_host_state_decisions_test.cc

Issue 369703002: Remember user decisions on invalid certificates behind a flag (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Fixes from felt plus new incognito browser tests Created 6 years, 5 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
OLDNEW
(Empty)
1 // Copyright (c) 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/command_line.h"
6 #include "base/strings/string_number_conversions.h"
7 #include "base/test/simple_test_clock.h"
8 #include "chrome/browser/profiles/profile.h"
9 #include "chrome/browser/ssl/chrome_ssl_host_state_decisions.h"
10 #include "chrome/browser/ui/browser.h"
11 #include "chrome/browser/ui/tabs/tab_strip_model.h"
12 #include "chrome/common/chrome_switches.h"
13 #include "chrome/test/base/in_process_browser_test.h"
14 #include "content/public/browser/ssl_host_state_decisions.h"
15 #include "content/public/browser/web_contents.h"
16 #include "content/public/test/browser_test_utils.h"
17 #include "testing/gtest/include/gtest/gtest.h"
18 #include "url/gurl.h"
19
20 namespace {
21
22 // Certificate for test data. It is obtained with:
23 //
24 // $ openssl s_client -connect [host]:443 -showcerts
25 // $ openssl x509 -inform PEM -outform DER > /tmp/host.der
26 // $ xxd -i /tmp/host.der
27
28 // Google's cert.
29
30 unsigned char google_der[] = {
Ryan Sleevi 2014/07/08 23:53:29 Use the net test data. Don't hardcode files into t
jww 2014/07/11 00:08:41 Done.
31 0x30, 0x82, 0x03, 0x21, 0x30, 0x82, 0x02, 0x8a, 0xa0, 0x03, 0x02, 0x01,
32 0x02, 0x02, 0x10, 0x3c, 0x8d, 0x3a, 0x64, 0xee, 0x18, 0xdd, 0x1b, 0x73,
33 0x0b, 0xa1, 0x92, 0xee, 0xf8, 0x98, 0x1b, 0x30, 0x0d, 0x06, 0x09, 0x2a,
34 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x4c,
35 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x5a,
36 0x41, 0x31, 0x25, 0x30, 0x23, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x1c,
37 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x73, 0x75,
38 0x6c, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x28, 0x50, 0x74, 0x79, 0x29, 0x20,
39 0x4c, 0x74, 0x64, 0x2e, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04,
40 0x03, 0x13, 0x0d, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x20, 0x53, 0x47,
41 0x43, 0x20, 0x43, 0x41, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x38, 0x30, 0x35,
42 0x30, 0x32, 0x31, 0x37, 0x30, 0x32, 0x35, 0x35, 0x5a, 0x17, 0x0d, 0x30,
43 0x39, 0x30, 0x35, 0x30, 0x32, 0x31, 0x37, 0x30, 0x32, 0x35, 0x35, 0x5a,
44 0x30, 0x68, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
45 0x02, 0x55, 0x53, 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x08,
46 0x13, 0x0a, 0x43, 0x61, 0x6c, 0x69, 0x66, 0x6f, 0x72, 0x6e, 0x69, 0x61,
47 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x07, 0x13, 0x0d, 0x4d,
48 0x6f, 0x75, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x20, 0x56, 0x69, 0x65, 0x77,
49 0x31, 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x0a, 0x47,
50 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x20, 0x49, 0x6e, 0x63, 0x31, 0x17, 0x30,
51 0x15, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x0e, 0x77, 0x77, 0x77, 0x2e,
52 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x81,
53 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
54 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
55 0x81, 0x81, 0x00, 0x9b, 0x19, 0xed, 0x5d, 0xa5, 0x56, 0xaf, 0x49, 0x66,
56 0xdb, 0x79, 0xfd, 0xc2, 0x1c, 0x78, 0x4e, 0x4f, 0x11, 0xa5, 0x8a, 0xac,
57 0xe2, 0x94, 0xee, 0xe3, 0xe2, 0x4b, 0xc0, 0x03, 0x25, 0xa7, 0x99, 0xcc,
58 0x65, 0xe1, 0xec, 0x94, 0xae, 0xae, 0xf0, 0xa7, 0x99, 0xbc, 0x10, 0xd7,
59 0xed, 0x87, 0x30, 0x47, 0xcd, 0x50, 0xf9, 0xaf, 0xd3, 0xd3, 0xf4, 0x0b,
60 0x8d, 0x47, 0x8a, 0x2e, 0xe2, 0xce, 0x53, 0x9b, 0x91, 0x99, 0x7f, 0x1e,
61 0x5c, 0xf9, 0x1b, 0xd6, 0xe9, 0x93, 0x67, 0xe3, 0x4a, 0xf8, 0xcf, 0xc4,
62 0x8c, 0x0c, 0x68, 0xd1, 0x97, 0x54, 0x47, 0x0e, 0x0a, 0x24, 0x30, 0xa7,
63 0x82, 0x94, 0xae, 0xde, 0xae, 0x3f, 0xbf, 0xba, 0x14, 0xc6, 0xf8, 0xb2,
64 0x90, 0x8e, 0x36, 0xad, 0xe1, 0xd0, 0xbe, 0x16, 0x9a, 0xb3, 0x5e, 0x72,
65 0x38, 0x49, 0xda, 0x74, 0xa1, 0x3f, 0xff, 0xd2, 0x87, 0x81, 0xed, 0x02,
66 0x03, 0x01, 0x00, 0x01, 0xa3, 0x81, 0xe7, 0x30, 0x81, 0xe4, 0x30, 0x28,
67 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x21, 0x30, 0x1f, 0x06, 0x08, 0x2b,
68 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01,
69 0x05, 0x05, 0x07, 0x03, 0x02, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x86,
70 0xf8, 0x42, 0x04, 0x01, 0x30, 0x36, 0x06, 0x03, 0x55, 0x1d, 0x1f, 0x04,
71 0x2f, 0x30, 0x2d, 0x30, 0x2b, 0xa0, 0x29, 0xa0, 0x27, 0x86, 0x25, 0x68,
72 0x74, 0x74, 0x70, 0x3a, 0x2f, 0x2f, 0x63, 0x72, 0x6c, 0x2e, 0x74, 0x68,
73 0x61, 0x77, 0x74, 0x65, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x54, 0x68, 0x61,
74 0x77, 0x74, 0x65, 0x53, 0x47, 0x43, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x6c,
75 0x30, 0x72, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x01, 0x01,
76 0x04, 0x66, 0x30, 0x64, 0x30, 0x22, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
77 0x05, 0x07, 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
78 0x2f, 0x6f, 0x63, 0x73, 0x70, 0x2e, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65,
79 0x2e, 0x63, 0x6f, 0x6d, 0x30, 0x3e, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05,
80 0x05, 0x07, 0x30, 0x02, 0x86, 0x32, 0x68, 0x74, 0x74, 0x70, 0x3a, 0x2f,
81 0x2f, 0x77, 0x77, 0x77, 0x2e, 0x74, 0x68, 0x61, 0x77, 0x74, 0x65, 0x2e,
82 0x63, 0x6f, 0x6d, 0x2f, 0x72, 0x65, 0x70, 0x6f, 0x73, 0x69, 0x74, 0x6f,
83 0x72, 0x79, 0x2f, 0x54, 0x68, 0x61, 0x77, 0x74, 0x65, 0x5f, 0x53, 0x47,
84 0x43, 0x5f, 0x43, 0x41, 0x2e, 0x63, 0x72, 0x74, 0x30, 0x0c, 0x06, 0x03,
85 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0d,
86 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05,
87 0x00, 0x03, 0x81, 0x81, 0x00, 0x31, 0x0a, 0x6c, 0xa2, 0x9e, 0xe9, 0x54,
88 0x19, 0x16, 0x68, 0x99, 0x91, 0xd6, 0x43, 0xcb, 0x6b, 0xb4, 0xcc, 0x6c,
89 0xcc, 0xb0, 0xfb, 0xf1, 0xee, 0x81, 0xbf, 0x00, 0x2b, 0x6f, 0x50, 0x12,
90 0xc6, 0xaf, 0x02, 0x2a, 0x36, 0xc1, 0x28, 0xde, 0xc5, 0x4c, 0x56, 0x20,
91 0x6d, 0xf5, 0x3d, 0x42, 0xb9, 0x18, 0x81, 0x20, 0xb2, 0xdd, 0x57, 0x5d,
92 0xeb, 0xbe, 0x32, 0x84, 0x50, 0x45, 0x51, 0x6e, 0xcd, 0xe4, 0x2e, 0x2a,
93 0x38, 0x88, 0x9f, 0x52, 0xed, 0x28, 0xff, 0xfc, 0x8d, 0x57, 0xb5, 0xad,
94 0x64, 0xae, 0x4d, 0x0e, 0x0e, 0xd9, 0x3d, 0xac, 0xb8, 0xfe, 0x66, 0x4c,
95 0x15, 0x8f, 0x44, 0x52, 0xfa, 0x7c, 0x3c, 0x04, 0xed, 0x7f, 0x37, 0x61,
96 0x04, 0xfe, 0xd5, 0xe9, 0xb9, 0xb0, 0x9e, 0xfe, 0xa5, 0x11, 0x69, 0xc9,
97 0x63, 0xd6, 0x46, 0x81, 0x6f, 0x00, 0xd8, 0x72, 0x2f, 0x82, 0x37, 0x44,
98 0xc1};
99
100 GURL www_google_url("https://www.google.com");
101 GURL google_url("https://google.com");
102 GURL example_url("https://example.com");
103
104 const char* kDeltaSecondsString = "86400";
105
106 } // namespace
107
108 class ChromeSSLHostStateDecisionsTest : public InProcessBrowserTest {
109 public:
110 ChromeSSLHostStateDecisionsTest() {};
111 virtual ~ChromeSSLHostStateDecisionsTest() {};
112
113 // InProcessBrowserTest:
114 virtual void SetUpInProcessBrowserTestFixture() OVERRIDE{};
115 virtual void SetUpOnMainThread() OVERRIDE{};
116 virtual void CleanUpOnMainThread() OVERRIDE{};
Ryan Sleevi 2014/07/08 23:53:29 1) spaces between OVERRIDE and {} 2) Um, why are y
jww 2014/07/11 00:08:41 I actually had a space initially, but git-cl forma
117
118 virtual void SetUpOnIOThread() {};
119 virtual void CleanUpOnIOThread() {};
120 };
121
122 // This tests basic unit test functionality of the SSLHostStateDecisions class.
123 // For example, tests that if a certificate is accepted, then it is added to
124 // queryable, and if it is revoked, it is not queryable.
125 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDecisionsTest, QueryPolicy) {
126 scoped_refptr<net::X509Certificate> google_cert(
127 net::X509Certificate::CreateFromBytes(
128 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
129 content::WebContents* tab =
130 browser()->tab_strip_model()->GetActiveWebContents();
131 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
132 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
Ryan Sleevi 2014/07/08 23:53:29 Seems like all of this could be done as a simple T
jww 2014/07/11 00:08:41 I think you're right that these basic unit tests c
jww 2014/07/11 00:08:41 Perhaps I don't quite understand how TEST_F works,
Ryan Sleevi 2014/07/11 00:48:49 Correct, there won't be an associated Profile in a
jww 2014/07/11 01:52:07 Sorry for my density, I still think that doesn't m
Ryan Sleevi 2014/07/11 19:43:27 Bah, I missed *Decisions rather than just SSLHostS
jww 2014/07/14 21:21:15 Acknowledged.
133
134 EXPECT_EQ(
135 net::CertPolicy::UNKNOWN,
136 state->QueryPolicy(
137 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
138 EXPECT_EQ(net::CertPolicy::UNKNOWN,
139 state->QueryPolicy(
140 google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
141 EXPECT_EQ(net::CertPolicy::UNKNOWN,
142 state->QueryPolicy(
143 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
Ryan Sleevi 2014/07/11 19:43:27 Document the precondition you're testing on line 1
jww 2014/07/14 21:21:15 Done.
144
145 state->AllowCert(
Ryan Sleevi 2014/07/11 19:43:27 Document what you're doing, and then on line 147,
jww 2014/07/14 21:21:15 Done.
146 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
147
148 EXPECT_EQ(
149 net::CertPolicy::ALLOWED,
150 state->QueryPolicy(
151 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
152 EXPECT_EQ(net::CertPolicy::UNKNOWN,
153 state->QueryPolicy(
154 google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
155 EXPECT_EQ(net::CertPolicy::UNKNOWN,
156 state->QueryPolicy(
157 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
158
159 state->AllowCert(
Ryan Sleevi 2014/07/11 19:43:27 Document what you're doing, and what you're verify
jww 2014/07/14 21:21:15 Done.
160 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
161
162 EXPECT_EQ(
163 net::CertPolicy::ALLOWED,
164 state->QueryPolicy(
165 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
166 EXPECT_EQ(net::CertPolicy::UNKNOWN,
167 state->QueryPolicy(
168 google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
169 EXPECT_EQ(net::CertPolicy::ALLOWED,
170 state->QueryPolicy(
171 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
172
173 state->DenyCert(
Ryan Sleevi 2014/07/11 19:43:27 Document what you're doing, and what you're verify
jww 2014/07/14 21:21:15 Done.
174 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
175
176 EXPECT_EQ(
177 net::CertPolicy::ALLOWED,
178 state->QueryPolicy(
179 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
180 EXPECT_EQ(net::CertPolicy::UNKNOWN,
181 state->QueryPolicy(
182 google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
183 EXPECT_EQ(net::CertPolicy::DENIED,
184 state->QueryPolicy(
185 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
186
187 EXPECT_TRUE(state->HasAllowedOrDeniedCert(www_google_url));
Ryan Sleevi 2014/07/11 19:43:27 Seems like 187-193 should be their own, hermetic t
jww 2014/07/14 21:21:15 Done.
188 state->RevokeAllowAndDenyPreferences(www_google_url);
189 EXPECT_FALSE(state->HasAllowedOrDeniedCert(www_google_url));
190 EXPECT_EQ(
191 net::CertPolicy::UNKNOWN,
192 state->QueryPolicy(
193 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
194
195 EXPECT_FALSE(state->HasAllowedOrDeniedCert(google_url));
Ryan Sleevi 2014/07/11 19:43:27 What is this testing that is different than what y
jww 2014/07/14 21:21:15 187-193 tests that HasAllowedOrDeniedCert works fo
196 state->RevokeAllowAndDenyPreferences(google_url);
197 EXPECT_FALSE(state->HasAllowedOrDeniedCert(google_url));
198 EXPECT_EQ(net::CertPolicy::UNKNOWN,
199 state->QueryPolicy(
200 google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
201
202 EXPECT_TRUE(state->HasAllowedOrDeniedCert(example_url));
Ryan Sleevi 2014/07/11 19:43:27 How is this a different test than the previous two
jww 2014/07/14 21:21:15 Yeah, this was a silly test. I'm going to modify i
203 state->RevokeAllowAndDenyPreferences(example_url);
204 EXPECT_FALSE(state->HasAllowedOrDeniedCert(example_url));
205 EXPECT_EQ(net::CertPolicy::UNKNOWN,
206 state->QueryPolicy(
207 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
208
209 state->Clear();
210
211 EXPECT_EQ(
212 net::CertPolicy::UNKNOWN,
213 state->QueryPolicy(
214 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
215 EXPECT_EQ(net::CertPolicy::UNKNOWN,
216 state->QueryPolicy(
217 google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
218 EXPECT_EQ(net::CertPolicy::UNKNOWN,
219 state->QueryPolicy(
220 example_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
Ryan Sleevi 2014/07/11 19:43:27 How does this actually test that Clear() worked, c
jww 2014/07/14 21:21:15 Done.
221 }
222
223 // Tests the basic behavior of cert memory in incognito
224 class IncognitoSSLHostStateDecisionsTest
225 : public ChromeSSLHostStateDecisionsTest {
226 protected:
227 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
228 ChromeSSLHostStateDecisionsTest::SetUpCommandLine(command_line);
229 // Setting the kRememberCertErrorDecisions flag to positive, non "0" values
230 // indicates that certificate decisions should be remembered even across
231 // browser session restarts for the given length of time, in seconds.
232 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
233 kDeltaSecondsString);
234 }
235 };
236
237 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDecisionsTest, PRE_AfterRestart) {
238 scoped_refptr<net::X509Certificate> google_cert(
239 net::X509Certificate::CreateFromBytes(
240 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
241 content::WebContents* tab =
242 browser()->tab_strip_model()->GetActiveWebContents();
243 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
244 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
245
246 // Add a cert exception to the profile and then verify that it still exists
247 // in the incognito profile.
248 state->AllowCert(
249 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
250
251 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
252 content::SSLHostStateDecisions* incognito_state =
253 incognito->GetSSLHostStateDecisions();
254
255 EXPECT_EQ(
256 net::CertPolicy::ALLOWED,
257 incognito_state->QueryPolicy(
258 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
259
260 // Add a cert exception to the incognito profile. It will be checked after
261 // restart that this exception does not exist. Note the different cert URL and
262 // error than above thus mapping to a second exception. Also validate that it
263 // was not added as an exception to the regular profile.
264 incognito_state->AllowCert(
265 google_url, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID);
266
267 EXPECT_EQ(
268 net::CertPolicy::UNKNOWN,
269 state->QueryPolicy(
270 google_url, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID));
271 }
272
273 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDecisionsTest, AfterRestart) {
274 scoped_refptr<net::X509Certificate> google_cert(
275 net::X509Certificate::CreateFromBytes(
276 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
277 content::WebContents* tab =
278 browser()->tab_strip_model()->GetActiveWebContents();
279 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
280 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
281
282 // Verify that the exception added before restart to the regular
283 // (non-incognito) profile still exists and was not cleared after the
284 // incognito session ended.
285 EXPECT_EQ(
286 net::CertPolicy::ALLOWED,
287 state->QueryPolicy(
288 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
289
290 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
291 content::SSLHostStateDecisions* incognito_state =
292 incognito->GetSSLHostStateDecisions();
293
294 // Verify that the exception added before restart to the incognito profile was
295 // cleared when the incognito session ended.
296 EXPECT_EQ(
297 net::CertPolicy::UNKNOWN,
298 incognito_state->QueryPolicy(
299 google_url, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID));
300 }
301
302 // Tests to make sure that if the remember value is set to 0, any decisions
303 // won't be remembered over a restart.
304 class ForgetSSLHostStateDecisionsTest : public ChromeSSLHostStateDecisionsTest {
305 protected:
306 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
307 ChromeSSLHostStateDecisionsTest::SetUpCommandLine(command_line);
308 // Setting the kRememberCertErrorDecisions flag to a value of "0" indicates
309 // that certificate decisions should not be remembered across browser
310 // session restarts.
311 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, "0");
312 }
313 };
314
315 IN_PROC_BROWSER_TEST_F(ForgetSSLHostStateDecisionsTest, PRE_AfterRestart) {
316 scoped_refptr<net::X509Certificate> google_cert(
317 net::X509Certificate::CreateFromBytes(
318 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
319 content::WebContents* tab =
320 browser()->tab_strip_model()->GetActiveWebContents();
321 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
322 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
323
324 state->AllowCert(
325 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
326 EXPECT_EQ(
327 net::CertPolicy::ALLOWED,
328 state->QueryPolicy(
329 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
330 }
331
332 IN_PROC_BROWSER_TEST_F(ForgetSSLHostStateDecisionsTest, AfterRestart) {
333 scoped_refptr<net::X509Certificate> google_cert(
334 net::X509Certificate::CreateFromBytes(
335 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
336 content::WebContents* tab =
337 browser()->tab_strip_model()->GetActiveWebContents();
338 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
339 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
340
341 // The cert should now be |UNKONWN| because the profile is set to forget cert
342 // exceptions after session end.
343 EXPECT_EQ(
344 net::CertPolicy::UNKNOWN,
345 state->QueryPolicy(
346 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
347 }
348
349 // Tests to make sure that if the remember value is set to a non-zero value0,
350 // any decisions will be remembered over a restart, but only for the length
351 // specified.
352 class RememberSSLHostStateDecisionsTest
353 : public ChromeSSLHostStateDecisionsTest {
354 protected:
355 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
356 ChromeSSLHostStateDecisionsTest::SetUpCommandLine(command_line);
357 // Setting the kRememberCertErrorDecisions flag to positive, non "0" values
358 // indicates that certificate decisions should be remembered even across
359 // browser session restarts for the given length of time, in seconds.
360 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
361 kDeltaSecondsString);
362 }
363 };
364
365 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDecisionsTest, PRE_AfterRestart) {
366 scoped_refptr<net::X509Certificate> google_cert(
367 net::X509Certificate::CreateFromBytes(
368 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
369 content::WebContents* tab =
370 browser()->tab_strip_model()->GetActiveWebContents();
371 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
372 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
373
374 state->AllowCert(
375 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
376 EXPECT_EQ(
377 net::CertPolicy::ALLOWED,
378 state->QueryPolicy(
379 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
380 }
381
382 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDecisionsTest, AfterRestart) {
383 scoped_refptr<net::X509Certificate> google_cert(
384 net::X509Certificate::CreateFromBytes(
385 reinterpret_cast<const char*>(google_der), sizeof(google_der)));
386 content::WebContents* tab =
387 browser()->tab_strip_model()->GetActiveWebContents();
388 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
389 content::SSLHostStateDecisions* state = profile->GetSSLHostStateDecisions();
390
391 // chrome_state takes ownership of this clock
392 base::SimpleTestClock* clock = new base::SimpleTestClock();
393 ChromeSSLHostStateDecisions* chrome_state =
394 static_cast<ChromeSSLHostStateDecisions*>(state);
395 chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
396
397 // Start the clock at standard system time.
398 clock->SetNow(base::Time::NowFromSystemTime());
399
400 // This should only pass if the cert was allowed before the test was restart
401 // and thus has now been rememebered across browser restarts.
402 EXPECT_EQ(
403 net::CertPolicy::ALLOWED,
404 state->QueryPolicy(
405 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
406
407 // Simulate the clock advancing by the specified delta.
408 int64 delta;
409 base::StringToInt64(kDeltaSecondsString, &delta);
410 clock->Advance(base::TimeDelta::FromSeconds(delta + 1));
411
412 // The cert should now be |UNKONWN| because the specified delta has passed.
413 EXPECT_EQ(
414 net::CertPolicy::UNKNOWN,
415 state->QueryPolicy(
416 www_google_url, google_cert.get(), net::CERT_STATUS_DATE_INVALID));
417 }
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698