| Index: net/http/transport_security_state_unittest.cc
|
| diff --git a/net/http/transport_security_state_unittest.cc b/net/http/transport_security_state_unittest.cc
|
| index dfbc7539e1a098000a64cb09b94b18ab117e0ce3..67e6f9118524f84885a13bf2d4d6c4c2f944bb4c 100644
|
| --- a/net/http/transport_security_state_unittest.cc
|
| +++ b/net/http/transport_security_state_unittest.cc
|
| @@ -57,9 +57,8 @@ class TransportSecurityStateTest : public testing::Test {
|
| protected:
|
| bool GetStaticDomainState(TransportSecurityState* state,
|
| const std::string& host,
|
| - bool sni_enabled,
|
| TransportSecurityState::DomainState* result) {
|
| - return state->GetStaticDomainState(host, sni_enabled, result);
|
| + return state->GetStaticDomainState(host, result);
|
| }
|
|
|
| void EnableHost(TransportSecurityState* state,
|
| @@ -178,7 +177,7 @@ TEST_F(TransportSecurityStateTest, EnableStaticPins) {
|
| EnableStaticPins(&state);
|
|
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("chrome.google.com", true, &domain_state));
|
| + state.GetStaticDomainState("chrome.google.com", &domain_state));
|
| EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| }
|
|
|
| @@ -188,7 +187,7 @@ TEST_F(TransportSecurityStateTest, DisableStaticPins) {
|
|
|
| DisableStaticPins(&state);
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("chrome.google.com", true, &domain_state));
|
| + state.GetStaticDomainState("chrome.google.com", &domain_state));
|
| EXPECT_TRUE(domain_state.pkp.spki_hashes.empty());
|
| }
|
|
|
| @@ -204,13 +203,13 @@ TEST_F(TransportSecurityStateTest, IsPreloaded) {
|
| TransportSecurityState state;
|
| TransportSecurityState::DomainState domain_state;
|
|
|
| - EXPECT_TRUE(GetStaticDomainState(&state, paypal, true, &domain_state));
|
| - EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, true, &domain_state));
|
| + EXPECT_TRUE(GetStaticDomainState(&state, paypal, &domain_state));
|
| + EXPECT_TRUE(GetStaticDomainState(&state, www_paypal, &domain_state));
|
| EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| - EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, true, &domain_state));
|
| - EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, true, &domain_state));
|
| - EXPECT_FALSE(GetStaticDomainState(&state, example, true, &domain_state));
|
| - EXPECT_FALSE(GetStaticDomainState(&state, aypal, true, &domain_state));
|
| + EXPECT_FALSE(GetStaticDomainState(&state, a_www_paypal, &domain_state));
|
| + EXPECT_FALSE(GetStaticDomainState(&state, abc_paypal, &domain_state));
|
| + EXPECT_FALSE(GetStaticDomainState(&state, example, &domain_state));
|
| + EXPECT_FALSE(GetStaticDomainState(&state, aypal, &domain_state));
|
| }
|
|
|
| TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
|
| @@ -220,10 +219,10 @@ TEST_F(TransportSecurityStateTest, PreloadedDomainSet) {
|
| // The domain wasn't being set, leading to a blank string in the
|
| // chrome://net-internals/#hsts UI. So test that.
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("market.android.com", true, &domain_state));
|
| + state.GetStaticDomainState("market.android.com", &domain_state));
|
| EXPECT_EQ(domain_state.domain, "market.android.com");
|
| EXPECT_TRUE(state.GetStaticDomainState(
|
| - "sub.market.android.com", true, &domain_state));
|
| + "sub.market.android.com", &domain_state));
|
| EXPECT_EQ(domain_state.domain, "market.android.com");
|
| }
|
|
|
| @@ -231,35 +230,31 @@ static bool StaticShouldRedirect(const char* hostname) {
|
| TransportSecurityState state;
|
| TransportSecurityState::DomainState domain_state;
|
| return state.GetStaticDomainState(
|
| - hostname, true /* SNI ok */, &domain_state) &&
|
| + hostname, &domain_state) &&
|
| domain_state.ShouldUpgradeToSSL();
|
| }
|
|
|
| static bool HasStaticState(const char* hostname) {
|
| TransportSecurityState state;
|
| TransportSecurityState::DomainState domain_state;
|
| - return state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state);
|
| + return state.GetStaticDomainState(hostname, &domain_state);
|
| }
|
|
|
| -static bool HasStaticPublicKeyPins(const char* hostname, bool sni_enabled) {
|
| +static bool HasStaticPublicKeyPins(const char* hostname) {
|
| TransportSecurityState state;
|
| TransportSecurityStateTest::EnableStaticPins(&state);
|
| TransportSecurityState::DomainState domain_state;
|
| - if (!state.GetStaticDomainState(hostname, sni_enabled, &domain_state))
|
| + if (!state.GetStaticDomainState(hostname, &domain_state))
|
| return false;
|
|
|
| return domain_state.HasPublicKeyPins();
|
| }
|
|
|
| -static bool HasStaticPublicKeyPins(const char* hostname) {
|
| - return HasStaticPublicKeyPins(hostname, true);
|
| -}
|
| -
|
| static bool OnlyPinningInStaticState(const char* hostname) {
|
| TransportSecurityState state;
|
| TransportSecurityStateTest::EnableStaticPins(&state);
|
| TransportSecurityState::DomainState domain_state;
|
| - if (!state.GetStaticDomainState(hostname, true /* SNI ok */, &domain_state))
|
| + if (!state.GetStaticDomainState(hostname, &domain_state))
|
| return false;
|
|
|
| return (domain_state.pkp.spki_hashes.size() > 0 ||
|
| @@ -273,7 +268,7 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
|
|
|
| // We do more extensive checks for the first domain.
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("www.paypal.com", true, &domain_state));
|
| + state.GetStaticDomainState("www.paypal.com", &domain_state));
|
| EXPECT_EQ(domain_state.sts.upgrade_mode,
|
| TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
|
| EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| @@ -313,20 +308,12 @@ TEST_F(TransportSecurityStateTest, Preloaded) {
|
| EXPECT_TRUE(StaticShouldRedirect("www.googlemail.com"));
|
| EXPECT_TRUE(StaticShouldRedirect("googleplex.com"));
|
| EXPECT_TRUE(StaticShouldRedirect("www.googleplex.com"));
|
| - EXPECT_FALSE(HasStaticState("m.gmail.com"));
|
| - EXPECT_FALSE(HasStaticState("m.googlemail.com"));
|
| -
|
| - // Tests for domains that don't work without SNI.
|
| - EXPECT_FALSE(state.GetStaticDomainState("gmail.com", false, &domain_state));
|
| - EXPECT_FALSE(
|
| - state.GetStaticDomainState("www.gmail.com", false, &domain_state));
|
| - EXPECT_FALSE(state.GetStaticDomainState("m.gmail.com", false, &domain_state));
|
| - EXPECT_FALSE(
|
| - state.GetStaticDomainState("googlemail.com", false, &domain_state));
|
| - EXPECT_FALSE(
|
| - state.GetStaticDomainState("www.googlemail.com", false, &domain_state));
|
| - EXPECT_FALSE(
|
| - state.GetStaticDomainState("m.googlemail.com", false, &domain_state));
|
| +
|
| + // These domains used to be only HSTS when SNI was available.
|
| + EXPECT_TRUE(state.GetStaticDomainState("gmail.com", &domain_state));
|
| + EXPECT_TRUE(state.GetStaticDomainState("www.gmail.com", &domain_state));
|
| + EXPECT_TRUE(state.GetStaticDomainState("googlemail.com", &domain_state));
|
| + EXPECT_TRUE(state.GetStaticDomainState("www.googlemail.com", &domain_state));
|
|
|
| // Other hosts:
|
|
|
| @@ -484,7 +471,7 @@ TEST_F(TransportSecurityStateTest, PreloadedPins) {
|
|
|
| // We do more extensive checks for the first domain.
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("www.paypal.com", true, &domain_state));
|
| + state.GetStaticDomainState("www.paypal.com", &domain_state));
|
| EXPECT_EQ(domain_state.sts.upgrade_mode,
|
| TransportSecurityState::DomainState::MODE_FORCE_HTTPS);
|
| EXPECT_FALSE(domain_state.sts.include_subdomains);
|
| @@ -514,17 +501,14 @@ TEST_F(TransportSecurityStateTest, PreloadedPins) {
|
| EXPECT_TRUE(HasStaticPublicKeyPins("blog.torproject.org"));
|
| EXPECT_FALSE(HasStaticState("foo.torproject.org"));
|
|
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("torproject.org", false, &domain_state));
|
| + EXPECT_TRUE(state.GetStaticDomainState("torproject.org", &domain_state));
|
| EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("www.torproject.org", false, &domain_state));
|
| + EXPECT_TRUE(state.GetStaticDomainState("www.torproject.org", &domain_state));
|
| EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("check.torproject.org", false, &domain_state));
|
| + state.GetStaticDomainState("check.torproject.org", &domain_state));
|
| EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
| - EXPECT_TRUE(
|
| - state.GetStaticDomainState("blog.torproject.org", false, &domain_state));
|
| + EXPECT_TRUE(state.GetStaticDomainState("blog.torproject.org", &domain_state));
|
| EXPECT_FALSE(domain_state.pkp.spki_hashes.empty());
|
|
|
| EXPECT_TRUE(HasStaticPublicKeyPins("www.twitter.com"));
|
| @@ -537,7 +521,7 @@ TEST_F(TransportSecurityStateTest, LongNames) {
|
| "WaveletIdDomainAndBlipBlipid";
|
| TransportSecurityState::DomainState domain_state;
|
| // Just checks that we don't hit a NOTREACHED.
|
| - EXPECT_FALSE(state.GetStaticDomainState(kLongName, true, &domain_state));
|
| + EXPECT_FALSE(state.GetStaticDomainState(kLongName, &domain_state));
|
| EXPECT_FALSE(state.GetDynamicDomainState(kLongName, &domain_state));
|
| }
|
|
|
| @@ -547,7 +531,7 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) {
|
| TransportSecurityState::DomainState domain_state;
|
|
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("chrome.google.com", true, &domain_state));
|
| + state.GetStaticDomainState("chrome.google.com", &domain_state));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("chrome.google.com"));
|
|
|
| HashValueVector hashes;
|
| @@ -637,7 +621,7 @@ TEST_F(TransportSecurityStateTest, PinValidationWithoutRejectedCerts) {
|
|
|
| TransportSecurityState::DomainState domain_state;
|
| EXPECT_TRUE(
|
| - state.GetStaticDomainState("blog.torproject.org", true, &domain_state));
|
| + state.GetStaticDomainState("blog.torproject.org", &domain_state));
|
| EXPECT_TRUE(domain_state.HasPublicKeyPins());
|
|
|
| std::string failure_log;
|
| @@ -652,7 +636,6 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
|
|
|
| EXPECT_FALSE(StaticShouldRedirect("www.google-analytics.com"));
|
|
|
| - EXPECT_FALSE(HasStaticPublicKeyPins("www.google-analytics.com", false));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("www.google-analytics.com"));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("google.com"));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("www.google.com"));
|
| @@ -671,7 +654,6 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) {
|
| EXPECT_TRUE(HasStaticPublicKeyPins("ad.doubleclick.net"));
|
| EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net"));
|
| EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com"));
|
| - EXPECT_FALSE(HasStaticPublicKeyPins("a.googlegroups.com", false));
|
| }
|
|
|
| TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
|
| @@ -691,65 +673,65 @@ TEST_F(TransportSecurityStateTest, OverrideBuiltins) {
|
|
|
| TEST_F(TransportSecurityStateTest, GooglePinnedProperties) {
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.example.com", true));
|
| + "www.example.com"));
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.paypal.com", true));
|
| + "www.paypal.com"));
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "mail.twitter.com", true));
|
| + "mail.twitter.com"));
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.google.com.int", true));
|
| + "www.google.com.int"));
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "jottit.com", true));
|
| + "jottit.com"));
|
| // learn.doubleclick.net has a more specific match than
|
| // *.doubleclick.com, and has 0 or NULL for its required certs.
|
| // This test ensures that the exact-match-preferred behavior
|
| // works.
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "learn.doubleclick.net", true));
|
| + "learn.doubleclick.net"));
|
|
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "encrypted.google.com", true));
|
| + "encrypted.google.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "mail.google.com", true));
|
| + "mail.google.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "accounts.google.com", true));
|
| + "accounts.google.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "doubleclick.net", true));
|
| + "doubleclick.net"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "ad.doubleclick.net", true));
|
| + "ad.doubleclick.net"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "youtube.com", true));
|
| + "youtube.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.profiles.google.com", true));
|
| + "www.profiles.google.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "checkout.google.com", true));
|
| + "checkout.google.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "googleadservices.com", true));
|
| + "googleadservices.com"));
|
|
|
| - // Test with sni_enabled false:
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.example.com", false));
|
| + "www.example.com"));
|
| EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.paypal.com", false));
|
| + "www.paypal.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "checkout.google.com", false));
|
| + "checkout.google.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "googleadservices.com", false));
|
| + "googleadservices.com"));
|
|
|
| // Test some SNI hosts:
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "gmail.com", true));
|
| + "gmail.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "googlegroups.com", true));
|
| + "googlegroups.com"));
|
| EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.googlegroups.com", true));
|
| - // Expect to fail for SNI hosts when not searching the SNI list:
|
| - EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "gmail.com", false));
|
| - EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "googlegroups.com", false));
|
| - EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty(
|
| - "www.googlegroups.com", false));
|
| + "www.googlegroups.com"));
|
| +
|
| + // These hosts used to only be HSTS when SNI was available.
|
| + EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| + "gmail.com"));
|
| + EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| + "googlegroups.com"));
|
| + EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty(
|
| + "www.googlegroups.com"));
|
| }
|
|
|
| } // namespace net
|
|
|
Chromium Code Reviews
Issue 578553004:
Remove the "snionly" concept from the HSTS preload. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master