Refactor pooling logic into a helper method

net/http/http_util_unittest.cc

Index: net/http/http_util_unittest.cc
diff --git a/net/http/http_util_unittest.cc b/net/http/http_util_unittest.cc
index 54acf68d3c3d52c3bc28aa4b0f9ee3603ac098cd..0c92c1c52086e4ff78577131b349180080d86789 100644
--- a/net/http/http_util_unittest.cc
+++ b/net/http/http_util_unittest.cc
@@ -5,8 +5,14 @@
 #include <algorithm>
 
 #include "base/basictypes.h"
+#include "base/files/file_path.h"
 #include "base/strings/string_util.h"
+#include "net/base/test_data_directory.h"
+#include "net/cert/cert_verify_result.h"
 #include "net/http/http_util.h"
+#include "net/http/transport_security_state.h"
+#include "net/ssl/ssl_info.h"
+#include "net/test/cert_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 using net::HttpUtil;
@@ -1071,3 +1077,74 @@ TEST(HttpUtilTest, NameValuePairsIteratorMissingEndQuote) {
   ASSERT_NO_FATAL_FAILURE(CheckNextNameValuePair(
       &parser, false, true, std::string(), std::string()));
 }
+
+TEST(HttpUtilTest, CanPool) {
+  // Load a cert that is valid for:
+  //   www.example.org
+  //   mail.example.org
+  //   www.example.com
+  base::FilePath certs_dir = net::GetTestCertsDirectory();
+
+  net::TransportSecurityState tss;
+  net::SSLInfo ssl_info;
+  ssl_info.cert = net::ImportCertFromFile(certs_dir, "spdy_pooling.pem");
+
+  EXPECT_TRUE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "www.example.org"));
+  EXPECT_TRUE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "mail.example.org"));
+  EXPECT_TRUE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "mail.example.com"));
+  EXPECT_FALSE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "mail.google.com"));
+}
+
+TEST(HttpUtilTest, CanNotPoolWithCertErrors) {
+  // Load a cert that is valid for:
+  //   www.example.org
+  //   mail.example.org
+  //   www.example.com
+  base::FilePath certs_dir = net::GetTestCertsDirectory();
+
+  net::TransportSecurityState tss;
+  net::SSLInfo ssl_info;
+  ssl_info.cert = net::ImportCertFromFile(certs_dir, "spdy_pooling.pem");
+  ssl_info.cert_status = net::CERT_STATUS_REVOKED;
+
+  EXPECT_FALSE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "mail.example.org"));
+}
+
+TEST(HttpUtilTest, CanNotPoolWithClientCerts) {
+  // Load a cert that is valid for:
+  //   www.example.org
+  //   mail.example.org
+  //   www.example.com
+  base::FilePath certs_dir = net::GetTestCertsDirectory();
+
+  net::TransportSecurityState tss;
+  net::SSLInfo ssl_info;
+  ssl_info.cert = net::ImportCertFromFile(certs_dir, "spdy_pooling.pem");
+  ssl_info.client_cert_sent = true;
+
+  EXPECT_FALSE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "mail.example.org"));
+}
+
+TEST(HttpUtilTest, CanNotPoolAcrossETLDsWithChannelID) {

[Ryan Sleevi, 2014/08/07 18:49:29]

Need pinning test

[Ryan Hamilton, 2014/08/08 19:27:43]

Right, but I couldn't write such a test until we got to the bottom of the
mechanism we could use which would allow pinning to be checked in a test :>

Done now.

+  // Load a cert that is valid for:
+  //   www.example.org
+  //   mail.example.org
+  //   www.example.com
+  base::FilePath certs_dir = net::GetTestCertsDirectory();
+
+  net::TransportSecurityState tss;
+  net::SSLInfo ssl_info;
+  ssl_info.cert = net::ImportCertFromFile(certs_dir, "spdy_pooling.pem");
+  ssl_info.channel_id_sent = true;
+
+  EXPECT_TRUE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "mail.example.org"));
+  EXPECT_FALSE(net::HttpUtil::CanPool(
+      &tss, ssl_info, "www.example.org", "www.example.com"));
+}