Centralize the logic for checking public key pins

net/http/http_security_headers_unittest.cc

Index: net/http/http_security_headers_unittest.cc
diff --git a/net/http/http_security_headers_unittest.cc b/net/http/http_security_headers_unittest.cc
index ce919ff81f39455739be69855779f1f2f5f96bed..694bab9aa6e04094c9fb0103e165d110f981356b 100644
--- a/net/http/http_security_headers_unittest.cc
+++ b/net/http/http_security_headers_unittest.cc
@@ -501,6 +501,7 @@ TEST_F(HttpSecurityHeadersTest, ValidPKPHeadersSHA256) {
 
 TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
   TransportSecurityState state;
+  state.enable_static_pinning_ = true;

[Ryan Sleevi, 2014/08/07 22:19:07]

pedantry: enable_static_pins_

Also, feels like this is better on line 508, since it's set precisely because of
the comment.

[Ryan Hamilton, 2014/08/07 22:49:38]

Heh, I did that first and then switched it. Should have stuck with my gut. 

Done.

   TransportSecurityState::DomainState static_domain_state;
 
   // docs.google.com has preloaded pins.
@@ -554,8 +555,10 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
   HashValueVector hashes;
   hashes.push_back(good_hash);
   std::string failure_log;
+  const bool is_issued_by_known_root = true;
   EXPECT_TRUE(
-      state.CheckPublicKeyPins(domain, sni_enabled, hashes, &failure_log));
+      state.CheckPublicKeyPins(domain, sni_enabled, is_issued_by_known_root,
+                               hashes, &failure_log));
 
   TransportSecurityState::DomainState new_dynamic_domain_state;
   EXPECT_TRUE(state.GetDynamicDomainState(domain, &new_dynamic_domain_state));
@@ -580,6 +583,7 @@ TEST_F(HttpSecurityHeadersTest, UpdateDynamicPKPOnly) {
 #endif
 TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
   TransportSecurityState state;
+  state.enable_static_pinning_ = true;

[Ryan Sleevi, 2014/08/07 22:19:07]

I think this would be better moved to line 590, since that's *why* we're
enabling it.

[Ryan Hamilton, 2014/08/07 22:49:39]

Done.

   TransportSecurityState::DomainState static_domain_state;
 
   // docs.google.com has preloaded pins.
@@ -648,8 +652,10 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
   // Damage the hashes to cause a pin validation failure.
   new_static_domain_state2.pkp.spki_hashes[0].data()[0] ^= 0x80;
   new_static_domain_state2.pkp.spki_hashes[1].data()[0] ^= 0x80;
+  const bool is_issued_by_known_root = true;
   EXPECT_FALSE(state.CheckPublicKeyPins(
-      domain, true, new_static_domain_state2.pkp.spki_hashes, &failure_log));
+      domain, true, is_issued_by_known_root,
+      new_static_domain_state2.pkp.spki_hashes, &failure_log));
   EXPECT_NE(0UL, failure_log.length());
 }
 #undef MAYBE_UpdateDynamicPKPMaxAge0
@@ -659,6 +665,7 @@ TEST_F(HttpSecurityHeadersTest, MAYBE_UpdateDynamicPKPMaxAge0) {
 // dynamic HPKP entry could not affect the HSTS entry for the site.
 TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
   TransportSecurityState state;
+  state.enable_static_pinning_ = true;

[Ryan Sleevi, 2014/08/07 22:19:07]

ditto on the shuffle - 672

[Ryan Hamilton, 2014/08/07 22:49:38]

Done.

   TransportSecurityState::DomainState domain_state;
 
   // accounts.google.com has preloaded pins.
@@ -680,8 +687,10 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
   EXPECT_TRUE(state.AddHSTSHeader(domain, "includesubdomains; max-age=10000"));
   EXPECT_TRUE(state.ShouldUpgradeToSSL(domain, sni_enabled));
   std::string failure_log;
+  const bool is_issued_by_known_root = true;
   EXPECT_TRUE(state.CheckPublicKeyPins(
-      domain, sni_enabled, saved_hashes, &failure_log));
+      domain, sni_enabled, is_issued_by_known_root, saved_hashes,
+      &failure_log));
 
   // Add an HPKP header, which should only update the dynamic state.
   HashValue good_hash = GetTestHashValue(1, HASH_VALUE_SHA1);
@@ -702,7 +711,8 @@ TEST_F(HttpSecurityHeadersTest, NoClobberPins) {
   // The dynamic pins, which do not match |saved_hashes|, should take
   // precedence over the static pins and cause the check to fail.
   EXPECT_FALSE(state.CheckPublicKeyPins(
-      domain, sni_enabled, saved_hashes, &failure_log));
+      domain, sni_enabled, is_issued_by_known_root, saved_hashes,
+      &failure_log));
 }
 
 };    // namespace net