Cleanup of SSLHostStateDelegate and related code

chrome/browser/ssl/chrome_ssl_host_state_delegate_test.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
+#include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
+
 #include <stdint.h>
 
 #include "base/command_line.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/test/simple_test_clock.h"
 #include "chrome/browser/browsing_data/browsing_data_helper.h"
 #include "chrome/browser/browsing_data/browsing_data_remover.h"
 #include "chrome/browser/browsing_data/browsing_data_remover_test_util.h"
 #include "chrome/browser/profiles/profile.h"
-#include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate_factory.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "content/public/browser/ssl_host_state_delegate.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/test/browser_test_utils.h"
 #include "net/base/test_data_directory.h"
 #include "net/test/cert_test_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
 namespace {
 
 const char kGoogleCertFile[] = "google.single.der";
 
 const char kWWWGoogleHost[] = "www.google.com";
 const char kGoogleHost[] = "google.com";
 const char kExampleHost[] = "example.com";
 
-const char* kForgetAtSessionEnd = "-1";
-const char* kForgetInstantly = "0";
-const char* kDeltaSecondsString = "86400";
+const char kForgetAtSessionEnd[] = "-1";
+const char kForgetInstantly[] = "0";
+const char kDeltaSecondsString[] = "86400";
 const uint64_t kDeltaOneDayInSeconds = UINT64_C(86400);
 
 scoped_refptr<net::X509Certificate> GetGoogleCert() {
   return net::ImportCertFromFile(net::GetTestCertsDirectory(), kGoogleCertFile);
 }
 
 }  // namespace
 
 class ChromeSSLHostStateDelegateTest : public InProcessBrowserTest {};
 
@@ skipping 11 matching lines @@
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   // Verifying that all three of the certs we will be looking at are unknown
   // before any action has been taken.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),

[willchan no longer on Chromium, 2014/09/04 20:26:49]

Doesn't bug me, but it might bug some people. *google_cert works, you don't need
the .get() anymore. But not a readability thing. Do whatever the OWNERS want
here.

[Ryan Sleevi, 2014/09/04 20:28:16]

Because it's a scoped_refptr<>, this syntax (*google_cert.get()) is correct, as
*google_cert relies on the deprecated implicit pointer conversion.

[willchan no longer on Chromium, 2014/09/04 20:33:12]

Do what sleevi@ says, although I'm a bit confused on what he's saying.
scoped_refptr defines an operator*. I forget the status of whether or not that
temporarily needs to be removed during the transition, but I don't see how
*google_cert relies on the deprecated implicit pointer conversion.

[jww, 2014/09/04 20:56:16]

Well, I've already got willchan's lgtm, so I don't need you anymore :-) sleevi@
ftw!

[willchan no longer on Chromium, 2014/09/04 21:25:23]

haha :)

Btw, I think I see where sleevi@ is getting confused. He must think that this CL
already landed: https://codereview.chromium.org/510323002/. That CL disables
operator* temporarily.

                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kExampleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 
   // Simulate a user decision to allow an invalid certificate exception for
   // kWWWGoogleHost.
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
 
   // Verify that only kWWWGoogleHost is allowed and that the other two certs
   // being tested still have no decision associated with them.
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kExampleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 
   // Simulate a user decision to allow an invalid certificate exception for
   // kExampleHost.
   state->AllowCert(
-      kExampleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kExampleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
 
   // Verify that both kWWWGoogleHost and kExampleHost have allow exceptions
   // while kGoogleHost still has no associated decision.
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kExampleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 
   // Simulate a user decision to deny an invalid certificate for kExampleHost.
   state->DenyCert(
-      kExampleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kExampleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
 
   // Verify that kWWWGoogleHost is allowed and kExampleHost is denied while
   // kGoogleHost still has no associated decision.
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_EQ(net::CertPolicy::DENIED,
             state->QueryPolicy(kExampleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 // HasPolicyAndRevoke unit tests the expected behavior of calling
 // HasUserDecision before and after calling RevokeUserDecisions on the
 // SSLHostStateDelegate class.
 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, HasPolicyAndRevoke) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   ChromeSSLHostStateDelegate* state =
       ChromeSSLHostStateDelegateFactory::GetForProfile(profile);
   bool unused_value;
 
   // Simulate a user decision to allow an invalid certificate exception for
   // kWWWGoogleHost and for kExampleHost.
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   state->AllowCert(
-      kExampleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kExampleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
 
   // Verify that HasUserDecision correctly acknowledges that a user decision has
   // been made about kWWWGoogleHost. Then verify that HasUserDecision correctly
   // identifies that the decision has been revoked.
   EXPECT_TRUE(state->HasUserDecision(kWWWGoogleHost));
   state->RevokeUserDecisions(kWWWGoogleHost);
   EXPECT_FALSE(state->HasUserDecision(kWWWGoogleHost));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 
   // Verify that the revocation of the kWWWGoogleHost decision does not affect
   // the Allow for kExampleHost.
   EXPECT_TRUE(state->HasUserDecision(kExampleHost));
 
   // Verify the revocation of the kWWWGoogleHost decision does not affect the
   // non-decision for kGoogleHost. Then verify that a revocation of a URL with
   // no decision has no effect.
   EXPECT_FALSE(state->HasUserDecision(kGoogleHost));
   state->RevokeUserDecisions(kGoogleHost);
   EXPECT_FALSE(state->HasUserDecision(kGoogleHost));
 }
 
 // Clear unit tests the expected behavior of calling Clear to forget all cert
 // decision state on the SSLHostStateDelegate class.
 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, Clear) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   ChromeSSLHostStateDelegate* state =
       ChromeSSLHostStateDelegateFactory::GetForProfile(profile);
   bool unused_value;
 
   // Simulate a user decision to allow an invalid certificate exception for
   // kWWWGoogleHost and for kExampleHost.
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
 
   // Do a full clear, then make sure that both kWWWGoogleHost, which had a
   // decision made, and kExampleHost, which was untouched, are now in a
   // non-decision state.
   state->Clear();
   EXPECT_FALSE(state->HasUserDecision(kWWWGoogleHost));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
   EXPECT_FALSE(state->HasUserDecision(kExampleHost));
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kExampleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 // DidHostRunInsecureContent unit tests the expected behavior of calling
 // DidHostRunInsecureContent as well as HostRanInsecureContent to check if
 // insecure content has been run and to mark it as such.
 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest,
                        DidHostRunInsecureContent) {
   content::WebContents* tab =
@@ skipping 33 matching lines @@
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   // Add a cert exception to the profile and then verify that it still exists
   // in the incognito profile.
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
 
   scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
   content::SSLHostStateDelegate* incognito_state =
       incognito->GetSSLHostStateDelegate();
 
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             incognito_state->QueryPolicy(kWWWGoogleHost,
-                                         google_cert.get(),
+                                         *google_cert.get(),
                                          net::CERT_STATUS_DATE_INVALID,
                                          &unused_value));
 
   // Add a cert exception to the incognito profile. It will be checked after
   // restart that this exception does not exist. Note the different cert URL and
   // error than above thus mapping to a second exception. Also validate that it
   // was not added as an exception to the regular profile.
   incognito_state->AllowCert(
-      kGoogleHost, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID);
+      kGoogleHost, *google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID);
 
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_COMMON_NAME_INVALID,
                                &unused_value));
 }
 
 // AfterRestart ensures that any cert decisions made in an incognito profile are
 // forgetten after a session restart even if given a command line flag to
 // remember cert decisions after restart.
 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, AfterRestart) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   // Verify that the exception added before restart to the regular
   // (non-incognito) profile still exists and was not cleared after the
   // incognito session ended.
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 
   scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
   content::SSLHostStateDelegate* incognito_state =
       incognito->GetSSLHostStateDelegate();
 
   // Verify that the exception added before restart to the incognito profile was
   // cleared when the incognito session ended.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             incognito_state->QueryPolicy(kGoogleHost,
-                                         google_cert.get(),
+                                         *google_cert.get(),
                                          net::CERT_STATUS_COMMON_NAME_INVALID,
                                          &unused_value));
 }
 
 // Tests to make sure that if the remember value is set to -1, any decisions
 // won't be remembered over a restart.
 class ForGetSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest {
  protected:
   virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
     ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
     command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
                                     kForgetAtSessionEnd);
   }
 };
 
 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, PRE_AfterRestart) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, AfterRestart) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   // The cert should now be |UNKONWN| because the profile is set to forget cert
   // exceptions after session end.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 // Tests to make sure that if the remember value is set to 0, any decisions made
 // will be forgetten immediately.
 class ForgetInstantlySSLHostStateDelegateTest
     : public ChromeSSLHostStateDelegateTest {
  protected:
   virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
@@ skipping 16 matching lines @@
   base::SimpleTestClock* clock = new base::SimpleTestClock();
   ChromeSSLHostStateDelegate* chrome_state =
       static_cast<ChromeSSLHostStateDelegate*>(state);
   chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
 
   // Start the clock at standard system time but do not advance at all to
   // emphasize that instant forget works.
   clock->SetNow(base::Time::NowFromSystemTime());
 
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 // Tests to make sure that if the remember value is set to a non-zero value0,
 // any decisions will be remembered over a restart, but only for the length
 // specified.
 class RememberSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest {
  protected:
   virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
     ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
     command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
                                     kDeltaSecondsString);
   }
 };
 
 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, PRE_AfterRestart) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, AfterRestart) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   // chrome_state takes ownership of this clock
   base::SimpleTestClock* clock = new base::SimpleTestClock();
   ChromeSSLHostStateDelegate* chrome_state =
       static_cast<ChromeSSLHostStateDelegate*>(state);
   chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
 
   // Start the clock at standard system time.
   clock->SetNow(base::Time::NowFromSystemTime());
 
   // This should only pass if the cert was allowed before the test was restart
   // and thus has now been rememebered across browser restarts.
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 
   // Simulate the clock advancing by the specified delta.
   clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1));
 
   // The cert should now be |UNKONWN| because the specified delta has passed.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }
 
 // QueryPolicyExpired unit tests to make sure that if a certificate decision has
 // expired, the return value from QueryPolicy returns the correct vaule.
 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, QueryPolicyExpired) {
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool expired_previous_decision;
 
   // chrome_state takes ownership of this clock
   base::SimpleTestClock* clock = new base::SimpleTestClock();
   ChromeSSLHostStateDelegate* chrome_state =
       static_cast<ChromeSSLHostStateDelegate*>(state);
   chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
 
   // Start the clock at standard system time but do not advance at all to
   // emphasize that instant forget works.
   clock->SetNow(base::Time::NowFromSystemTime());
 
   // The certificate has never been seen before, so it should be UNKONWN and
   // should also indicate that it hasn't expired.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &expired_previous_decision));
   EXPECT_FALSE(expired_previous_decision);
 
   // After allowing the certificate, a query should say that it is allowed and
   // also specify that it hasn't expired.
   state->AllowCert(
-      kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   EXPECT_EQ(net::CertPolicy::ALLOWED,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &expired_previous_decision));
   EXPECT_FALSE(expired_previous_decision);
 
   // Simulate the clock advancing by the specified delta.
   clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1));
 
   // The decision expiration time has come, so it should indicate that the
   // certificate and error are UNKOWN but also that they expired since the last
   // query.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &expired_previous_decision));
   EXPECT_TRUE(expired_previous_decision);
 
   // However, with a new query, it should indicate that no new expiration has
   // occurred.
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kWWWGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &expired_previous_decision));
   EXPECT_FALSE(expired_previous_decision);
 }
 
 // Tests to make sure that if the user deletes their browser history, SSL
 // exceptions will be deleted as well.
 class RemoveBrowsingHistorySSLHostStateDelegateTest
     : public ChromeSSLHostStateDelegateTest {
  public:
@@ skipping 12 matching lines @@
   scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
   content::WebContents* tab =
       browser()->tab_strip_model()->GetActiveWebContents();
   Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
   content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
   bool unused_value;
 
   // Add an exception for an invalid certificate. Then remove the last hour's
   // worth of browsing history and verify that the exception has been deleted.
   state->AllowCert(
-      kGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
+      kGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID);
   RemoveAndWait(profile);
   EXPECT_EQ(net::CertPolicy::UNKNOWN,
             state->QueryPolicy(kGoogleHost,
-                               google_cert.get(),
+                               *google_cert.get(),
                                net::CERT_STATUS_DATE_INVALID,
                                &unused_value));
 }