OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
48 } | 48 } |
49 | 49 |
50 static void DisableStaticPins(TransportSecurityState* state) { | 50 static void DisableStaticPins(TransportSecurityState* state) { |
51 state->enable_static_pins_ = false; | 51 state->enable_static_pins_ = false; |
52 } | 52 } |
53 | 53 |
54 static void EnableStaticPins(TransportSecurityState* state) { | 54 static void EnableStaticPins(TransportSecurityState* state) { |
55 state->enable_static_pins_ = true; | 55 state->enable_static_pins_ = true; |
56 } | 56 } |
57 | 57 |
58 static HashValueVector GetSampleSPKIHashes() { | |
59 HashValueVector spki_hashes; | |
60 HashValue hash(HASH_VALUE_SHA1); | |
61 memset(hash.data(), 0, hash.size()); | |
62 spki_hashes.push_back(hash); | |
63 return spki_hashes; | |
64 } | |
65 | |
58 protected: | 66 protected: |
59 bool GetStaticDomainState(TransportSecurityState* state, | 67 bool GetStaticDomainState(TransportSecurityState* state, |
60 const std::string& host, | 68 const std::string& host, |
61 TransportSecurityState::DomainState* result) { | 69 TransportSecurityState::DomainState* result) { |
62 return state->GetStaticDomainState(host, result); | 70 return state->GetStaticDomainState(host, result); |
63 } | 71 } |
64 | |
65 void EnableHost(TransportSecurityState* state, | |
66 const std::string& host, | |
67 const TransportSecurityState::DomainState& domain_state) { | |
68 return state->EnableHost(host, domain_state); | |
69 } | |
70 }; | 72 }; |
71 | 73 |
72 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 74 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
73 TransportSecurityState state; | 75 TransportSecurityState state; |
74 TransportSecurityState::DomainState domain_state; | |
75 const base::Time current_time(base::Time::Now()); | 76 const base::Time current_time(base::Time::Now()); |
76 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
77 | 78 |
78 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 79 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
79 bool include_subdomains = false; | 80 bool include_subdomains = false; |
80 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 81 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
81 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 82 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
82 } | 83 } |
83 | 84 |
84 TEST_F(TransportSecurityStateTest, MatchesCase1) { | 85 TEST_F(TransportSecurityStateTest, MatchesCase1) { |
85 TransportSecurityState state; | 86 TransportSecurityState state; |
86 TransportSecurityState::DomainState domain_state; | |
87 const base::Time current_time(base::Time::Now()); | 87 const base::Time current_time(base::Time::Now()); |
88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
89 | 89 |
90 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 90 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
91 bool include_subdomains = false; | 91 bool include_subdomains = false; |
92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); | 92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); |
93 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 93 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
94 } | 94 } |
95 | 95 |
96 TEST_F(TransportSecurityStateTest, Fuzz) { | 96 TEST_F(TransportSecurityStateTest, Fuzz) { |
97 TransportSecurityState state; | 97 TransportSecurityState state; |
98 TransportSecurityState::DomainState domain_state; | 98 TransportSecurityState::DomainState domain_state; |
99 | 99 |
100 EnableStaticPins(&state); | 100 EnableStaticPins(&state); |
101 | 101 |
102 for (size_t i = 0; i < 128; i++) { | 102 for (size_t i = 0; i < 128; i++) { |
103 std::string hostname; | 103 std::string hostname; |
104 | 104 |
105 for (;;) { | 105 for (;;) { |
106 if (base::RandInt(0, 16) == 7) { | 106 if (base::RandInt(0, 16) == 7) { |
107 break; | 107 break; |
108 } | 108 } |
109 if (i > 0 && base::RandInt(0, 7) == 7) { | 109 if (i > 0 && base::RandInt(0, 7) == 7) { |
110 hostname.append(1, '.'); | 110 hostname.append(1, '.'); |
111 } | 111 } |
112 hostname.append(1, 'a' + base::RandInt(0, 25)); | 112 hostname.append(1, 'a' + base::RandInt(0, 25)); |
113 } | 113 } |
114 state.GetStaticDomainState(hostname, &domain_state); | 114 state.GetStaticDomainState(hostname, &domain_state); |
115 } | 115 } |
116 } | 116 } |
117 | 117 |
118 TEST_F(TransportSecurityStateTest, MatchesCase2) { | 118 TEST_F(TransportSecurityStateTest, MatchesCase2) { |
119 TransportSecurityState state; | 119 TransportSecurityState state; |
120 const base::Time current_time(base::Time::Now()); | |
121 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
122 | |
123 EXPECT_FALSE(state.ShouldUpgradeToSSL("YAhoo.coM")); | |
124 bool include_subdomains = false; | |
125 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
126 EXPECT_TRUE(state.ShouldUpgradeToSSL("YAhoo.coM")); | |
127 } | |
128 | |
129 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | |
130 TransportSecurityState state; | |
131 const base::Time current_time(base::Time::Now()); | |
132 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
133 | |
134 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); | |
135 bool include_subdomains = true; | |
136 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
137 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); | |
138 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.yahoo.com")); | |
139 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.yahoo.com")); | |
140 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.yahoo.com")); | |
141 EXPECT_FALSE(state.ShouldUpgradeToSSL("com")); | |
Ryan Sleevi
2015/01/13 21:56:40
EXPECT_FALSE(...("doyouyahoo.com"))
davidben
2015/01/13 23:30:48
Done.
| |
142 } | |
143 | |
144 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { | |
145 TransportSecurityState state; | |
146 const base::Time current_time(base::Time::Now()); | |
147 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
148 | |
149 state.AddHSTS("example1.com", expiry, false); | |
150 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes()); | |
151 | |
152 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. | |
153 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.com")); | |
154 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.com")); | |
155 } | |
156 | |
157 // Tests that HPKP and HSTS state both expire. Also tests that expired entries | |
158 // are pruned. | |
159 TEST_F(TransportSecurityStateTest, Expiration) { | |
160 TransportSecurityState state; | |
161 const base::Time current_time(base::Time::Now()); | |
Ryan Sleevi
2015/01/13 21:56:40
why is current_time a member?
davidben
2015/01/13 23:30:47
No longer applicable.
| |
162 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | |
163 | |
164 // Note: this test assumes that inserting an entry with an expiration time in | |
165 // the past works and is only pruned on query. | |
166 state.AddHSTS("example1.com", older, false); | |
167 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext()); | |
168 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.com")); | |
Ryan Sleevi
2015/01/13 21:56:40
Need a comment here. It took a while staring at th
davidben
2015/01/13 23:30:48
Done.
| |
169 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); | |
170 | |
171 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes()); | |
172 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext()); | |
173 EXPECT_FALSE(state.HasPublicKeyPins("example1.com")); | |
174 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); | |
175 | |
176 state.AddHSTS("example1.com", older, false); | |
177 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes()); | |
Ryan Sleevi
2015/01/13 21:56:40
Shouldn't you test one with an older entry and one
davidben
2015/01/13 23:30:47
That's in the IndependentExpiry test. I've folded
| |
178 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext()); | |
179 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.com")); | |
180 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); | |
181 } | |
182 | |
183 TEST_F(TransportSecurityStateTest, InvalidDomains) { | |
184 TransportSecurityState state; | |
185 const base::Time current_time(base::Time::Now()); | |
186 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
187 | |
188 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); | |
189 bool include_subdomains = true; | |
190 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
191 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.yahoo.com")); | |
192 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.yahoo.com")); | |
193 } | |
194 | |
195 // Tests that HPKP and HSTS state are queried independently for subdomain | |
196 // matches. | |
197 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { | |
198 TransportSecurityState state; | |
199 const base::Time current_time(base::Time::Now()); | |
200 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
201 | |
202 state.AddHSTS("example1.com", expiry, true); | |
203 state.AddHPKP("example1.com", expiry, false, GetSampleSPKIHashes()); | |
204 | |
205 state.AddHSTS("example2.com", expiry, false); | |
206 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes()); | |
207 | |
208 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com")); | |
209 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.com")); | |
210 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.com")); | |
211 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com")); | |
212 } | |
213 | |
214 // Tests that HPKP and HSTS state are queried independently for expiry. | |
215 TEST_F(TransportSecurityStateTest, IndependentExpiry) { | |
216 TransportSecurityState state; | |
217 const base::Time current_time(base::Time::Now()); | |
218 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
219 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | |
220 | |
221 state.AddHSTS("example1.com", expiry, false); | |
222 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes()); | |
223 | |
224 state.AddHSTS("example2.com", older, false); | |
225 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes()); | |
226 | |
227 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com")); | |
228 EXPECT_FALSE(state.HasPublicKeyPins("example1.com")); | |
229 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.com")); | |
230 EXPECT_TRUE(state.HasPublicKeyPins("example2.com")); | |
231 } | |
232 | |
233 // Tests that HPKP and HSTS state are inserted and overridden independently. | |
234 TEST_F(TransportSecurityStateTest, IndependentInsertion) { | |
Ryan Sleevi
2015/01/13 21:56:41
Should you also test the interaction of static & d
davidben
2015/01/13 23:30:47
HttpSecurityHeadersTest.NoClobberPins covers some
| |
235 TransportSecurityState state; | |
236 const base::Time current_time(base::Time::Now()); | |
237 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
238 | |
239 // Place an includeSubdomains HSTS entry below a normal HPKP entry. | |
240 state.AddHSTS("example1.com", expiry, true); | |
241 state.AddHPKP("foo.example1.com", expiry, false, GetSampleSPKIHashes()); | |
242 | |
243 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com")); | |
244 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com")); | |
Ryan Sleevi
2015/01/13 21:56:40
EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com
davidben
2015/01/13 23:30:48
Done.
| |
245 | |
246 // Drop the includeSubdomains from the HSTS entry. | |
247 state.AddHSTS("example1.com", expiry, false); | |
248 | |
249 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.com")); | |
250 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com")); | |
251 | |
252 // Place an includeSubdomains HPKP entry below a normal HSTS entry. | |
253 state.AddHSTS("foo.example2.com", expiry, false); | |
254 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes()); | |
255 | |
256 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com")); | |
257 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com")); | |
258 | |
259 // Drop the includeSubdomains from the HSTS entry. | |
260 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes()); | |
261 | |
262 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com")); | |
263 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.com")); | |
264 } | |
265 | |
266 // Tests that GetDynamicDomainState appropriately stitches together the results | |
267 // of HSTS and HPKP. | |
268 TEST_F(TransportSecurityStateTest, DynamicDomainState) { | |
269 TransportSecurityState state; | |
270 const base::Time current_time(base::Time::Now()); | |
271 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); | |
272 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); | |
273 | |
274 state.AddHSTS("example.com", expiry1, true); | |
275 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); | |
276 | |
120 TransportSecurityState::DomainState domain_state; | 277 TransportSecurityState::DomainState domain_state; |
121 const base::Time current_time(base::Time::Now()); | 278 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); |
122 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 279 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
123 | 280 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
124 EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state)); | 281 EXPECT_TRUE(domain_state.sts.include_subdomains); |
282 EXPECT_FALSE(domain_state.pkp.include_subdomains); | |
283 EXPECT_EQ(expiry1, domain_state.sts.expiry); | |
284 EXPECT_EQ(expiry2, domain_state.pkp.expiry); | |
285 EXPECT_EQ("example.com", domain_state.sts.domain); | |
286 EXPECT_EQ("foo.example.com", domain_state.pkp.domain); | |
287 } | |
288 | |
289 // Tests that new pins override entries at both parent domains or previous | |
290 // versions of the current entry. | |
Ryan Sleevi
2015/01/13 21:56:40
This description is a bit confusing.
davidben
2015/01/13 23:30:47
Done. (The original intent with this test was to m
| |
291 TEST_F(TransportSecurityStateTest, NewPinsOverride) { | |
292 TransportSecurityState state; | |
293 TransportSecurityState::DomainState domain_state; | |
294 const base::Time current_time(base::Time::Now()); | |
295 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
296 HashValue hash1(HASH_VALUE_SHA1); | |
297 memset(hash1.data(), 0x01, hash1.size()); | |
298 HashValue hash2(HASH_VALUE_SHA1); | |
299 memset(hash2.data(), 0x02, hash1.size()); | |
300 HashValue hash3(HASH_VALUE_SHA1); | |
301 memset(hash3.data(), 0x03, hash1.size()); | |
302 | |
303 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); | |
304 | |
305 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); | |
306 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size()); | |
307 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash1)); | |
308 | |
309 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); | |
310 | |
311 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); | |
312 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size()); | |
313 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash2)); | |
314 | |
315 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); | |
316 | |
317 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); | |
318 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size()); | |
319 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash3)); | |
320 } | |
321 | |
322 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | |
323 TransportSecurityState state; | |
324 const base::Time current_time(base::Time::Now()); | |
325 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
326 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | |
327 | |
328 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); | |
125 bool include_subdomains = false; | 329 bool include_subdomains = false; |
126 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 330 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
127 EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state)); | 331 |
128 } | 332 state.DeleteAllDynamicDataSince(expiry); |
129 | 333 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
130 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | 334 state.DeleteAllDynamicDataSince(older); |
131 TransportSecurityState state; | 335 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
132 TransportSecurityState::DomainState domain_state; | 336 |
133 const base::Time current_time(base::Time::Now()); | 337 // |state| should be empty now. |
134 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 338 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); |
135 | 339 } |
136 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 340 |
137 bool include_subdomains = true; | 341 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
138 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 342 TransportSecurityState state; |
139 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 343 const base::Time current_time(base::Time::Now()); |
140 EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state)); | 344 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
141 EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state)); | |
142 EXPECT_TRUE( | |
143 state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state)); | |
144 EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state)); | |
145 } | |
146 | |
147 TEST_F(TransportSecurityStateTest, InvalidDomains) { | |
148 TransportSecurityState state; | |
149 TransportSecurityState::DomainState domain_state; | |
150 const base::Time current_time(base::Time::Now()); | |
151 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
152 | |
153 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
154 bool include_subdomains = true; | |
155 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
156 EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state)); | |
157 EXPECT_TRUE( | |
158 state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state)); | |
159 } | |
160 | |
161 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | |
162 TransportSecurityState state; | |
163 TransportSecurityState::DomainState domain_state; | |
164 const base::Time current_time(base::Time::Now()); | |
165 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
166 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | |
167 | |
168 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
169 bool include_subdomains = false; | 345 bool include_subdomains = false; |
170 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 346 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
171 | 347 |
172 state.DeleteAllDynamicDataSince(expiry); | 348 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
173 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 349 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
174 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, | |
175 domain_state.sts.upgrade_mode); | |
176 state.DeleteAllDynamicDataSince(older); | |
177 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
178 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT, | |
179 domain_state.sts.upgrade_mode); | |
180 } | |
181 | |
182 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | |
183 TransportSecurityState state; | |
184 TransportSecurityState::DomainState domain_state; | |
185 const base::Time current_time(base::Time::Now()); | |
186 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
187 bool include_subdomains = false; | |
188 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
189 | |
190 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
191 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state)); | |
192 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 350 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
193 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 351 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
194 } | 352 } |
195 | 353 |
196 TEST_F(TransportSecurityStateTest, EnableStaticPins) { | 354 TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
197 TransportSecurityState state; | 355 TransportSecurityState state; |
198 TransportSecurityState::DomainState domain_state; | 356 TransportSecurityState::DomainState domain_state; |
199 | 357 |
200 EnableStaticPins(&state); | 358 EnableStaticPins(&state); |
201 | 359 |
202 EXPECT_TRUE( | 360 EXPECT_TRUE( |
203 state.GetStaticDomainState("chrome.google.com", &domain_state)); | 361 state.GetStaticDomainState("chrome.google.com", &domain_state)); |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
236 } | 394 } |
237 | 395 |
238 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 396 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
239 TransportSecurityState state; | 397 TransportSecurityState state; |
240 TransportSecurityState::DomainState domain_state; | 398 TransportSecurityState::DomainState domain_state; |
241 | 399 |
242 // The domain wasn't being set, leading to a blank string in the | 400 // The domain wasn't being set, leading to a blank string in the |
243 // chrome://net-internals/#hsts UI. So test that. | 401 // chrome://net-internals/#hsts UI. So test that. |
244 EXPECT_TRUE( | 402 EXPECT_TRUE( |
245 state.GetStaticDomainState("market.android.com", &domain_state)); | 403 state.GetStaticDomainState("market.android.com", &domain_state)); |
246 EXPECT_EQ(domain_state.domain, "market.android.com"); | 404 EXPECT_EQ(domain_state.sts.domain, "market.android.com"); |
405 EXPECT_EQ(domain_state.pkp.domain, "market.android.com"); | |
247 EXPECT_TRUE(state.GetStaticDomainState( | 406 EXPECT_TRUE(state.GetStaticDomainState( |
248 "sub.market.android.com", &domain_state)); | 407 "sub.market.android.com", &domain_state)); |
249 EXPECT_EQ(domain_state.domain, "market.android.com"); | 408 EXPECT_EQ(domain_state.sts.domain, "market.android.com"); |
409 EXPECT_EQ(domain_state.pkp.domain, "market.android.com"); | |
250 } | 410 } |
251 | 411 |
252 static bool StaticShouldRedirect(const char* hostname) { | 412 static bool StaticShouldRedirect(const char* hostname) { |
253 TransportSecurityState state; | 413 TransportSecurityState state; |
254 TransportSecurityState::DomainState domain_state; | 414 TransportSecurityState::DomainState domain_state; |
255 return state.GetStaticDomainState( | 415 return state.GetStaticDomainState( |
256 hostname, &domain_state) && | 416 hostname, &domain_state) && |
257 domain_state.ShouldUpgradeToSSL(); | 417 domain_state.ShouldUpgradeToSSL(); |
258 } | 418 } |
259 | 419 |
(...skipping 430 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
690 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net")); | 850 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net")); |
691 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com")); | 851 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com")); |
692 } | 852 } |
693 | 853 |
694 TEST_F(TransportSecurityStateTest, OverrideBuiltins) { | 854 TEST_F(TransportSecurityStateTest, OverrideBuiltins) { |
695 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); | 855 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); |
696 EXPECT_FALSE(StaticShouldRedirect("google.com")); | 856 EXPECT_FALSE(StaticShouldRedirect("google.com")); |
697 EXPECT_FALSE(StaticShouldRedirect("www.google.com")); | 857 EXPECT_FALSE(StaticShouldRedirect("www.google.com")); |
698 | 858 |
699 TransportSecurityState state; | 859 TransportSecurityState state; |
700 TransportSecurityState::DomainState domain_state; | |
701 const base::Time current_time(base::Time::Now()); | 860 const base::Time current_time(base::Time::Now()); |
702 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 861 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
703 domain_state.sts.expiry = expiry; | 862 state.AddHSTS("www.google.com", expiry, true); |
704 EnableHost(&state, "www.google.com", domain_state); | |
705 | 863 |
706 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state)); | 864 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com")); |
707 } | 865 } |
708 | 866 |
709 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) { | 867 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) { |
710 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 868 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
711 "www.example.com")); | 869 "www.example.com")); |
712 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 870 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
713 "www.paypal.com")); | 871 "www.paypal.com")); |
714 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 872 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
715 "mail.twitter.com")); | 873 "mail.twitter.com")); |
716 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 874 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
763 // These hosts used to only be HSTS when SNI was available. | 921 // These hosts used to only be HSTS when SNI was available. |
764 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 922 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
765 "gmail.com")); | 923 "gmail.com")); |
766 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 924 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
767 "googlegroups.com")); | 925 "googlegroups.com")); |
768 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 926 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
769 "www.googlegroups.com")); | 927 "www.googlegroups.com")); |
770 } | 928 } |
771 | 929 |
772 } // namespace net | 930 } // namespace net |
OLD | NEW |