
Side by Side Diff: net/http/transport_security_state_unittest.cc

Issue 578553004: Remove the "snionly" concept from the HSTS preload. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: ... Created 6 years, 2 months ago
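--- a/net/http/transport_security_state_unittest.cc
+++ b/net/http/transport_security_state_unittest.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/http/transport_security_state.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ -50,23 +50,22 @@
 state->enable_static_pins_ = false;
 }
 
 static void EnableStaticPins(TransportSecurityState* state) {
 state->enable_static_pins_ = true;
 }
 
 protected:
 bool GetStaticDomainState(TransportSecurityState* state,
 const std::string& host,
-bool sni_enabled,
 TransportSecurityState::DomainState* result) {
-return state->GetStaticDomainState(host, sni_enabled, result);
+return state->GetStaticDomainState(host, result);
 }
 
 void EnableHost(TransportSecurityState* state,
 const std::string& host,
 const TransportSecurityState::DomainState& domain_state) {
 return state->EnableHost(host, domain_state);
 }
 };
 
 TEST_F(TransportSecurityStateTest, SimpleMatches) {
@@ -171,116 +170,112 @@
 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state));
 }
 
 TEST_F(TransportSecurityStateTest, EnableStaticPins) {
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 
 EnableStaticPins(&state);
 
 EXPECT_TRUE(
-state.GetStaticDomainState("chrome.google.com", true, &domain_state));
+state.GetStaticDomainState("chrome.google.com", &domain_state));
 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
 }
 
 TEST_F(TransportSecurityStateTest, DisableStaticPins) {
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 
 DisableStaticPins(&state);
 EXPECT_TRUE(
-state.GetStaticDomainState("chrome.google.com", true, &domain_state));
+state.GetStaticDomainState("chrome.google.com", &domain_state));
 EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
 }
 
 TEST_F(TransportSecurityStateTest, IsPreloaded) {
 const std::string paypal = "paypal.com";
 const std::string www_paypal = "www.paypal.com";
 const std::string foo_paypal = "foo.paypal.com";
 const std::string a_www_paypal = "a.www.paypal.com";
 const std::string abc_paypal = "a.b.c.paypal.com";
 const std::string example = "example.com";
 const std::string aypal = "aypal.com";
 
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 
-EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
-EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
+EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
+EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
 EXPECT_FALSE(domain_state.sts.include_subdomains);
-EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
-EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
-EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
-EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state));
+EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
+EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
+EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
+EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
 }
 
 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 
 // The domain wasn't being set, leading to a blank string in the
 // chrome://net-internals/#hsts UI. So test that.
 EXPECT_TRUE(
-state.GetStaticDomainState("market.android.com", true, &domain_state));
+state.GetStaticDomainState("market.android.com", &domain_state));
 EXPECT_EQ(domain_state.domain, "market.android.com");
 EXPECT_TRUE(state.GetStaticDomainState(
-"sub.market.android.com", true, &domain_state));
+"sub.market.android.com", &domain_state));
 EXPECT_EQ(domain_state.domain, "market.android.com");
 }
 
 static bool StaticShouldRedirect(const char* hostname) {
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 return state.GetStaticDomainState(
-hostname, true /* SNI ok */, &domain_state) &&
+hostname, &domain_state) &&
 domain_state.ShouldUpgradeToSSL();
 }
 
 static bool HasStaticState(const char* hostname) {
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
-return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state);
+return state.GetStaticDomainState(hostname, &domain_state);
 }
 
-static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) {
+static bool HasStaticPublicKeyPins(const char* hostname) {
 TransportSecurityState state;
 TransportSecurityStateTest::EnableStaticPins(&state);
 TransportSecurityState::DomainState domain_state;
-if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state))
+if (!state.GetStaticDomainState(hostname, &domain_state))
 return false;
 
 return domain_state.HasPublicKeyPins();
 }
 
-static bool HasStaticPublicKeyPins(const char* hostname) {
-return HasStaticPublicKeyPins(hostname, true);
-}
-
 static bool OnlyPinningInStaticState(const char* hostname) {
 TransportSecurityState state;
 TransportSecurityStateTest::EnableStaticPins(&state);
 TransportSecurityState::DomainState domain_state;
-if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state))
+if (!state.GetStaticDomainState(hostname, &domain_state))
 return false;
 
 return (domain_state.pkp.spki_hashes.size() > 0 ||
 domain_state.pkp.bad_spki_hashes.size() > 0) &&
 !domain_state.ShouldUpgradeToSSL();
 }
 
 TEST_F(TransportSecurityStateTest, Preloaded) {
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 
 // We do more extensive checks for the first domain.
 EXPECT_TRUE(
-state.GetStaticDomainState("www.paypal.com", true, &domain_state));
+state.GetStaticDomainState("www.paypal.com", &domain_state));
 EXPECT_EQ(domain_state.sts.upgrade_mode,
 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
 EXPECT_FALSE(domain_state.sts.include_subdomains);
 EXPECT_FALSE(domain_state.pkp.include_subdomains);
 
 EXPECT_TRUE(HasStaticState("paypal.com"));
 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
 EXPECT_FALSE(HasStaticState("www2.paypal.com"));
 
 // Google hosts:
@@ -306,34 +301,26 @@
 EXPECT_TRUE(StaticShouldRedirect("groups.google.com"));
 EXPECT_TRUE(StaticShouldRedirect("apis.google.com"));
 EXPECT_FALSE(StaticShouldRedirect("chart.apis.google.com"));
 EXPECT_TRUE(StaticShouldRedirect("ssl.google-analytics.com"));
 EXPECT_TRUE(StaticShouldRedirect("gmail.com"));
 EXPECT_TRUE(StaticShouldRedirect("www.gmail.com"));
 EXPECT_TRUE(StaticShouldRedirect("googlemail.com"));
 EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
 EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
 EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
-EXPECT_FALSE(HasStaticState("m.gmail.com"));
-EXPECT_FALSE(HasStaticState("m.googlemail.com"));
 
-// Tests for domains that don't work without SNI.
-EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state));
-EXPECT_FALSE(
-state.GetStaticDomainState("www.gmail.com", false, &domain_state));
-EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state));
-EXPECT_FALSE(
-state.GetStaticDomainState("googlemail.com", false, &domain_state));
-EXPECT_FALSE(
-state.GetStaticDomainState("www.googlemail.com", false, &domain_state));
-EXPECT_FALSE(
-state.GetStaticDomainState("m.googlemail.com", false, &domain_state));
+// These domains used to be only HSTS when SNI was available.
+EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
+EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
+EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
+EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
 
 // Other hosts:
 
 EXPECT_TRUE(StaticShouldRedirect("aladdinschools.appspot.com"));
 
 EXPECT_TRUE(StaticShouldRedirect("ottospora.nl"));
 EXPECT_TRUE(StaticShouldRedirect("www.ottospora.nl"));
 
 EXPECT_TRUE(StaticShouldRedirect("www.paycheckrecords.com"));
 
@@ -477,84 +464,81 @@
 EXPECT_TRUE(StaticShouldRedirect("foo.crate.io"));
 }
 
 TEST_F(TransportSecurityStateTest, PreloadedPins) {
 TransportSecurityState state;
 EnableStaticPins(&state);
 TransportSecurityState::DomainState domain_state;
 
 // We do more extensive checks for the first domain.
 EXPECT_TRUE(
-state.GetStaticDomainState("www.paypal.com", true, &domain_state));
+state.GetStaticDomainState("www.paypal.com", &domain_state));
 EXPECT_EQ(domain_state.sts.upgrade_mode,
 TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
 EXPECT_FALSE(domain_state.sts.include_subdomains);
 EXPECT_FALSE(domain_state.pkp.include_subdomains);
 
 EXPECT_TRUE(OnlyPinningInStaticState("www.google.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("foo.google.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("google.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("www.youtube.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("youtube.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("i.ytimg.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("ytimg.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("googleusercontent.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("www.googleusercontent.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("www.google-analytics.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("googleapis.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("googleadservices.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("googlecode.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("appspot.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("googlesyndication.com"));
 EXPECT_TRUE(OnlyPinningInStaticState("doubleclick.net"));
 EXPECT_TRUE(OnlyPinningInStaticState("googlegroups.com"));
 
 EXPECT_TRUE(HasStaticPublicKeyPins("torproject.org"));
 EXPECT_TRUE(HasStaticPublicKeyPins("www.torproject.org"));
 EXPECT_TRUE(HasStaticPublicKeyPins("check.torproject.org"));
 EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
 EXPECT_FALSE(HasStaticState("foo.torproject.org"));
 
-EXPECT_TRUE(
-state.GetStaticDomainState("torproject.org", false, &domain_state));
+EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
+EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
+EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
 EXPECT_TRUE(
-state.GetStaticDomainState("www.torproject.org", false, &domain_state));
+state.GetStaticDomainState("check.torproject.org", &domain_state));
 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
-EXPECT_TRUE(
-state.GetStaticDomainState("check.torproject.org", false, &domain_state));
-EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
-EXPECT_TRUE(
-state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
+EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
 EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
 
 EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
 }
 
 TEST_F(TransportSecurityStateTest, LongNames) {
 TransportSecurityState state;
 const char kLongName[] =
 "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd"
 "WaveletIdDomainAndBlipBlipid";
 TransportSecurityState::DomainState domain_state;
 // Just checks that we don't hit a NOTREACHED.
-EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state));
+EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
 EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
 }
 
 TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
 TransportSecurityState state;
 EnableStaticPins(&state);
 TransportSecurityState::DomainState domain_state;
 
 EXPECT_TRUE(
-state.GetStaticDomainState("chrome.google.com", true, &domain_state));
+state.GetStaticDomainState("chrome.google.com", &domain_state));
 EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
 
 HashValueVector hashes;
 std::string failure_log;
 // Checks that a built-in list does exist.
 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log));
 EXPECT_FALSE(HasStaticPublicKeyPins("www.paypal.com"));
 
 EXPECT_TRUE(HasStaticPublicKeyPins("docs.google.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("1.docs.google.com"));
@@ -630,126 +614,124 @@
 }
 for (size_t i = 0; kBadPath[i]; i++) {
 EXPECT_TRUE(AddHash(kBadPath[i], &bad_hashes));
 }
 
 TransportSecurityState state;
 EnableStaticPins(&state);
 
 TransportSecurityState::DomainState domain_state;
 EXPECT_TRUE(
-state.GetStaticDomainState("blog.torproject.org", true, &domain_state));
+state.GetStaticDomainState("blog.torproject.org", &domain_state));
 EXPECT_TRUE(domain_state.HasPublicKeyPins());
 
 std::string failure_log;
 EXPECT_TRUE(domain_state.CheckPublicKeyPins(good_hashes, &failure_log));
 EXPECT_FALSE(domain_state.CheckPublicKeyPins(bad_hashes, &failure_log));
 }
 
 TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
 TransportSecurityState state;
 EnableStaticPins(&state);
 TransportSecurityState::DomainState domain_state;
 
 EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
 
-EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false));
 EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("mail-attachment.googleusercontent.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("www.youtube.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("i.ytimg.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("googleapis.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("ajax.googleapis.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("googleadservices.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("pagead2.googleadservices.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("googlecode.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("kibbles.googlecode.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("appspot.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("googlesyndication.com"));
 EXPECT_TRUE(HasStaticPublicKeyPins("doubleclick.net"));
 EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
-EXPECT_FALSE(HasStaticPublicKeyPins("a.googlegroups.com", false));
 }
 
 TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
 EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
 EXPECT_FALSE(StaticShouldRedirect("google.com"));
 EXPECT_FALSE(StaticShouldRedirect("www.google.com"));
 
 TransportSecurityState state;
 TransportSecurityState::DomainState domain_state;
 const base::Time current_time(base::Time::Now());
 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
 domain_state.sts.expiry = expiry;
 EnableHost(&state, "www.google.com", domain_state);
 
 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state));
 }
 
 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"www.example.com", true));
+"www.example.com"));
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"www.paypal.com", true));
+"www.paypal.com"));
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"mail.twitter.com", true));
+"mail.twitter.com"));
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"www.google.com.int", true));
+"www.google.com.int"));
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"jottit.com", true));
+"jottit.com"));
 // learn.doubleclick.net has a more specific match than
 // *.doubleclick.com, and has 0 or NULL for its required certs.
 // This test ensures that the exact-match-preferred behavior
 // works.
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"learn.doubleclick.net", true));
+"learn.doubleclick.net"));
 
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"encrypted.google.com", true));
+"encrypted.google.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"mail.google.com", true));
+"mail.google.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"accounts.google.com", true));
+"accounts.google.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"doubleclick.net", true));
+"doubleclick.net"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"ad.doubleclick.net", true));
+"ad.doubleclick.net"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"youtube.com", true));
+"youtube.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"www.profiles.google.com", true));
+"www.profiles.google.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"checkout.google.com", true));
+"checkout.google.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"googleadservices.com", true));
+"googleadservices.com"));
 
-// Test with sni_enabled false:
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"www.example.com", false));
+"www.example.com"));
 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"www.paypal.com", false));
+"www.paypal.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"checkout.google.com", false));
+"checkout.google.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"googleadservices.com", false));
+"googleadservices.com"));
 
 // Test some SNI hosts:
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"gmail.com", true));
+"gmail.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"googlegroups.com", true));
+"googlegroups.com"));
 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
-"www.googlegroups.com", true));
+"www.googlegroups.com"));
-// Expect to fail for SNI hosts when not searching the SNI list:
-EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"gmail.com", false));
-EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"googlegroups.com", false));
-EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
-"www.googlegroups.com", false));
+
+// These hosts used to only be HSTS when SNI was available.
+EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
+"gmail.com"));
+EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
+"googlegroups.com"));
+EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
+"www.googlegroups.com"));
 }
 
 } // namespace net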
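Review bot: In GooglePinnedProperties the assertions that used to pass `false` for `sni_enabled` are now exact repeats of checks made a few lines earlier: `www.example.com`, `www.paypal.com`, `checkout.google.com` and `googleadservices.com` are each asserted twice with identical arguments, and `gmail.com`, `googlegroups.com` and `www.googlegroups.com` appear both under `// Test some SNI hosts:` and under the new `// These hosts used to only be HSTS when SNI was available.` The second copies add no coverage and the older comment no longer names a separate lookup path, so I would delete the duplicates and keep one comment, e.g. `// These hosts were previously matched only when SNI was available.` (the function checks pinning, so "HSTS" in the new comment reads as imprecise). Separately, in Preloaded the `m.gmail.com` and `m.googlemail.com` assertions are removed rather than updated, so nothing pins whether those hosts carry static state after the change. The preload JSON side is not visible here, but if they are still meant to have no entry, keeping `EXPECT_FALSE(HasStaticState("m.gmail.com"));` would catch an unintended widening of the preload list.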