OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "net/http/transport_security_state.h" | 5 #include "net/http/transport_security_state.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 #include <string> | 8 #include <string> |
9 #include <vector> | 9 #include <vector> |
10 | 10 |
(...skipping 37 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
48 } | 48 } |
49 | 49 |
50 static void DisableStaticPins(TransportSecurityState* state) { | 50 static void DisableStaticPins(TransportSecurityState* state) { |
51 state->enable_static_pins_ = false; | 51 state->enable_static_pins_ = false; |
52 } | 52 } |
53 | 53 |
54 static void EnableStaticPins(TransportSecurityState* state) { | 54 static void EnableStaticPins(TransportSecurityState* state) { |
55 state->enable_static_pins_ = true; | 55 state->enable_static_pins_ = true; |
56 } | 56 } |
57 | 57 |
| 58 static HashValueVector GetSampleSPKIHashes() { |
| 59 HashValueVector spki_hashes; |
| 60 HashValue hash(HASH_VALUE_SHA1); |
| 61 memset(hash.data(), 0, hash.size()); |
| 62 spki_hashes.push_back(hash); |
| 63 return spki_hashes; |
| 64 } |
| 65 |
58 protected: | 66 protected: |
59 bool GetStaticDomainState(TransportSecurityState* state, | 67 bool GetStaticDomainState(TransportSecurityState* state, |
60 const std::string& host, | 68 const std::string& host, |
61 TransportSecurityState::DomainState* result) { | 69 TransportSecurityState::DomainState* result) { |
62 return state->GetStaticDomainState(host, result); | 70 return state->GetStaticDomainState(host, result); |
63 } | 71 } |
64 | |
65 void EnableHost(TransportSecurityState* state, | |
66 const std::string& host, | |
67 const TransportSecurityState::DomainState& domain_state) { | |
68 return state->EnableHost(host, domain_state); | |
69 } | |
70 }; | 72 }; |
71 | 73 |
72 TEST_F(TransportSecurityStateTest, SimpleMatches) { | 74 TEST_F(TransportSecurityStateTest, SimpleMatches) { |
73 TransportSecurityState state; | 75 TransportSecurityState state; |
74 TransportSecurityState::DomainState domain_state; | |
75 const base::Time current_time(base::Time::Now()); | 76 const base::Time current_time(base::Time::Now()); |
76 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 77 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
77 | 78 |
78 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 79 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
79 bool include_subdomains = false; | 80 bool include_subdomains = false; |
80 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 81 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
81 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 82 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
82 } | 83 } |
83 | 84 |
84 TEST_F(TransportSecurityStateTest, MatchesCase1) { | 85 TEST_F(TransportSecurityStateTest, MatchesCase1) { |
85 TransportSecurityState state; | 86 TransportSecurityState state; |
86 TransportSecurityState::DomainState domain_state; | |
87 const base::Time current_time(base::Time::Now()); | 87 const base::Time current_time(base::Time::Now()); |
88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 88 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
89 | 89 |
90 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 90 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
91 bool include_subdomains = false; | 91 bool include_subdomains = false; |
92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); | 92 state.AddHSTS("YAhoo.coM", expiry, include_subdomains); |
93 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 93 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
94 } | 94 } |
95 | 95 |
96 TEST_F(TransportSecurityStateTest, Fuzz) { | 96 TEST_F(TransportSecurityStateTest, Fuzz) { |
97 TransportSecurityState state; | 97 TransportSecurityState state; |
98 TransportSecurityState::DomainState domain_state; | 98 TransportSecurityState::DomainState domain_state; |
99 | 99 |
100 EnableStaticPins(&state); | 100 EnableStaticPins(&state); |
101 | 101 |
102 for (size_t i = 0; i < 128; i++) { | 102 for (size_t i = 0; i < 128; i++) { |
103 std::string hostname; | 103 std::string hostname; |
104 | 104 |
105 for (;;) { | 105 for (;;) { |
106 if (base::RandInt(0, 16) == 7) { | 106 if (base::RandInt(0, 16) == 7) { |
107 break; | 107 break; |
108 } | 108 } |
109 if (i > 0 && base::RandInt(0, 7) == 7) { | 109 if (i > 0 && base::RandInt(0, 7) == 7) { |
110 hostname.append(1, '.'); | 110 hostname.append(1, '.'); |
111 } | 111 } |
112 hostname.append(1, 'a' + base::RandInt(0, 25)); | 112 hostname.append(1, 'a' + base::RandInt(0, 25)); |
113 } | 113 } |
114 state.GetStaticDomainState(hostname, &domain_state); | 114 state.GetStaticDomainState(hostname, &domain_state); |
115 } | 115 } |
116 } | 116 } |
117 | 117 |
118 TEST_F(TransportSecurityStateTest, MatchesCase2) { | 118 TEST_F(TransportSecurityStateTest, MatchesCase2) { |
119 TransportSecurityState state; | 119 TransportSecurityState state; |
| 120 const base::Time current_time(base::Time::Now()); |
| 121 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 122 |
| 123 EXPECT_FALSE(state.ShouldUpgradeToSSL("YAhoo.coM")); |
| 124 bool include_subdomains = false; |
| 125 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 126 EXPECT_TRUE(state.ShouldUpgradeToSSL("YAhoo.coM")); |
| 127 } |
| 128 |
| 129 TEST_F(TransportSecurityStateTest, SubdomainMatches) { |
| 130 TransportSecurityState state; |
| 131 const base::Time current_time(base::Time::Now()); |
| 132 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 133 |
| 134 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
| 135 bool include_subdomains = true; |
| 136 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 137 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
| 138 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.yahoo.com")); |
| 139 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.yahoo.com")); |
| 140 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.bar.baz.yahoo.com")); |
| 141 EXPECT_FALSE(state.ShouldUpgradeToSSL("com")); |
| 142 EXPECT_FALSE(state.ShouldUpgradeToSSL("notyahoo.com")); |
| 143 } |
| 144 |
| 145 TEST_F(TransportSecurityStateTest, FatalSSLErrors) { |
| 146 TransportSecurityState state; |
| 147 const base::Time current_time(base::Time::Now()); |
| 148 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 149 |
| 150 state.AddHSTS("example1.com", expiry, false); |
| 151 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes()); |
| 152 |
| 153 // The presense of either HSTS or HPKP is enough to make SSL errors fatal. |
| 154 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example1.com")); |
| 155 EXPECT_TRUE(state.ShouldSSLErrorsBeFatal("example2.com")); |
| 156 } |
| 157 |
| 158 // Tests that HPKP and HSTS state both expire. Also tests that expired entries |
| 159 // are pruned. |
| 160 TEST_F(TransportSecurityStateTest, Expiration) { |
| 161 TransportSecurityState state; |
| 162 const base::Time current_time(base::Time::Now()); |
| 163 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 164 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 165 |
| 166 // Note: this test assumes that inserting an entry with an expiration time in |
| 167 // the past works and is pruned on query. |
| 168 state.AddHSTS("example1.com", older, false); |
| 169 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext()); |
| 170 EXPECT_FALSE(state.ShouldUpgradeToSSL("example1.com")); |
| 171 // Querying |state| for a domain should flush out expired entries. |
| 172 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); |
| 173 |
| 174 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes()); |
| 175 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext()); |
| 176 EXPECT_FALSE(state.HasPublicKeyPins("example1.com")); |
| 177 // Querying |state| for a domain should flush out expired entries. |
| 178 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); |
| 179 |
| 180 state.AddHSTS("example1.com", older, false); |
| 181 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes()); |
| 182 EXPECT_TRUE(TransportSecurityState::Iterator(state).HasNext()); |
| 183 EXPECT_FALSE(state.ShouldSSLErrorsBeFatal("example1.com")); |
| 184 // Querying |state| for a domain should flush out expired entries. |
| 185 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); |
| 186 |
| 187 // Test that HSTS can outlive HPKP. |
| 188 state.AddHSTS("example1.com", expiry, false); |
| 189 state.AddHPKP("example1.com", older, false, GetSampleSPKIHashes()); |
| 190 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com")); |
| 191 EXPECT_FALSE(state.HasPublicKeyPins("example1.com")); |
| 192 |
| 193 // Test that HPKP can outlive HSTS. |
| 194 state.AddHSTS("example2.com", older, false); |
| 195 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes()); |
| 196 EXPECT_FALSE(state.ShouldUpgradeToSSL("example2.com")); |
| 197 EXPECT_TRUE(state.HasPublicKeyPins("example2.com")); |
| 198 } |
| 199 |
| 200 TEST_F(TransportSecurityStateTest, InvalidDomains) { |
| 201 TransportSecurityState state; |
| 202 const base::Time current_time(base::Time::Now()); |
| 203 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 204 |
| 205 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
| 206 bool include_subdomains = true; |
| 207 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
| 208 EXPECT_TRUE(state.ShouldUpgradeToSSL("www-.foo.yahoo.com")); |
| 209 EXPECT_TRUE(state.ShouldUpgradeToSSL("2\x01.foo.yahoo.com")); |
| 210 } |
| 211 |
| 212 // Tests that HPKP and HSTS state are queried independently for subdomain |
| 213 // matches. |
| 214 TEST_F(TransportSecurityStateTest, IndependentSubdomain) { |
| 215 TransportSecurityState state; |
| 216 const base::Time current_time(base::Time::Now()); |
| 217 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 218 |
| 219 state.AddHSTS("example1.com", expiry, true); |
| 220 state.AddHPKP("example1.com", expiry, false, GetSampleSPKIHashes()); |
| 221 |
| 222 state.AddHSTS("example2.com", expiry, false); |
| 223 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes()); |
| 224 |
| 225 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com")); |
| 226 EXPECT_FALSE(state.HasPublicKeyPins("foo.example1.com")); |
| 227 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example2.com")); |
| 228 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com")); |
| 229 } |
| 230 |
| 231 // Tests that HPKP and HSTS state are inserted and overridden independently. |
| 232 TEST_F(TransportSecurityStateTest, IndependentInsertion) { |
| 233 TransportSecurityState state; |
| 234 const base::Time current_time(base::Time::Now()); |
| 235 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 236 |
| 237 // Place an includeSubdomains HSTS entry below a normal HPKP entry. |
| 238 state.AddHSTS("example1.com", expiry, true); |
| 239 state.AddHPKP("foo.example1.com", expiry, false, GetSampleSPKIHashes()); |
| 240 |
| 241 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example1.com")); |
| 242 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com")); |
| 243 EXPECT_TRUE(state.ShouldUpgradeToSSL("example1.com")); |
| 244 EXPECT_FALSE(state.HasPublicKeyPins("example1.com")); |
| 245 |
| 246 // Drop the includeSubdomains from the HSTS entry. |
| 247 state.AddHSTS("example1.com", expiry, false); |
| 248 |
| 249 EXPECT_FALSE(state.ShouldUpgradeToSSL("foo.example1.com")); |
| 250 EXPECT_TRUE(state.HasPublicKeyPins("foo.example1.com")); |
| 251 |
| 252 // Place an includeSubdomains HPKP entry below a normal HSTS entry. |
| 253 state.AddHSTS("foo.example2.com", expiry, false); |
| 254 state.AddHPKP("example2.com", expiry, true, GetSampleSPKIHashes()); |
| 255 |
| 256 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com")); |
| 257 EXPECT_TRUE(state.HasPublicKeyPins("foo.example2.com")); |
| 258 |
| 259 // Drop the includeSubdomains from the HSTS entry. |
| 260 state.AddHPKP("example2.com", expiry, false, GetSampleSPKIHashes()); |
| 261 |
| 262 EXPECT_TRUE(state.ShouldUpgradeToSSL("foo.example2.com")); |
| 263 EXPECT_FALSE(state.HasPublicKeyPins("foo.example2.com")); |
| 264 } |
| 265 |
| 266 // Tests that GetDynamicDomainState appropriately stitches together the results |
| 267 // of HSTS and HPKP. |
| 268 TEST_F(TransportSecurityStateTest, DynamicDomainState) { |
| 269 TransportSecurityState state; |
| 270 const base::Time current_time(base::Time::Now()); |
| 271 const base::Time expiry1 = current_time + base::TimeDelta::FromSeconds(1000); |
| 272 const base::Time expiry2 = current_time + base::TimeDelta::FromSeconds(2000); |
| 273 |
| 274 state.AddHSTS("example.com", expiry1, true); |
| 275 state.AddHPKP("foo.example.com", expiry2, false, GetSampleSPKIHashes()); |
| 276 |
120 TransportSecurityState::DomainState domain_state; | 277 TransportSecurityState::DomainState domain_state; |
121 const base::Time current_time(base::Time::Now()); | 278 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); |
122 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 279 EXPECT_TRUE(domain_state.ShouldUpgradeToSSL()); |
123 | 280 EXPECT_TRUE(domain_state.HasPublicKeyPins()); |
124 EXPECT_FALSE(state.GetDynamicDomainState("YAhoo.coM", &domain_state)); | 281 EXPECT_TRUE(domain_state.sts.include_subdomains); |
| 282 EXPECT_FALSE(domain_state.pkp.include_subdomains); |
| 283 EXPECT_EQ(expiry1, domain_state.sts.expiry); |
| 284 EXPECT_EQ(expiry2, domain_state.pkp.expiry); |
| 285 EXPECT_EQ("example.com", domain_state.sts.domain); |
| 286 EXPECT_EQ("foo.example.com", domain_state.pkp.domain); |
| 287 } |
| 288 |
| 289 // Tests that new pins always override previous pins. This should be true for |
| 290 // both pins at the same domain or includeSubdomains pins at a parent domain. |
| 291 TEST_F(TransportSecurityStateTest, NewPinsOverride) { |
| 292 TransportSecurityState state; |
| 293 TransportSecurityState::DomainState domain_state; |
| 294 const base::Time current_time(base::Time::Now()); |
| 295 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 296 HashValue hash1(HASH_VALUE_SHA1); |
| 297 memset(hash1.data(), 0x01, hash1.size()); |
| 298 HashValue hash2(HASH_VALUE_SHA1); |
| 299 memset(hash2.data(), 0x02, hash1.size()); |
| 300 HashValue hash3(HASH_VALUE_SHA1); |
| 301 memset(hash3.data(), 0x03, hash1.size()); |
| 302 |
| 303 state.AddHPKP("example.com", expiry, true, HashValueVector(1, hash1)); |
| 304 |
| 305 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); |
| 306 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size()); |
| 307 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash1)); |
| 308 |
| 309 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash2)); |
| 310 |
| 311 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); |
| 312 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size()); |
| 313 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash2)); |
| 314 |
| 315 state.AddHPKP("foo.example.com", expiry, false, HashValueVector(1, hash3)); |
| 316 |
| 317 ASSERT_TRUE(state.GetDynamicDomainState("foo.example.com", &domain_state)); |
| 318 ASSERT_EQ(1u, domain_state.pkp.spki_hashes.size()); |
| 319 EXPECT_TRUE(domain_state.pkp.spki_hashes[0].Equals(hash3)); |
| 320 } |
| 321 |
| 322 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { |
| 323 TransportSecurityState state; |
| 324 const base::Time current_time(base::Time::Now()); |
| 325 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
| 326 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); |
| 327 |
| 328 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
125 bool include_subdomains = false; | 329 bool include_subdomains = false; |
126 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 330 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
127 EXPECT_TRUE(state.GetDynamicDomainState("YAhoo.coM", &domain_state)); | 331 |
128 } | 332 state.DeleteAllDynamicDataSince(expiry); |
129 | 333 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
130 TEST_F(TransportSecurityStateTest, SubdomainMatches) { | 334 state.DeleteAllDynamicDataSince(older); |
131 TransportSecurityState state; | 335 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
132 TransportSecurityState::DomainState domain_state; | 336 |
133 const base::Time current_time(base::Time::Now()); | 337 // |state| should be empty now. |
134 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 338 EXPECT_FALSE(TransportSecurityState::Iterator(state).HasNext()); |
135 | 339 } |
136 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 340 |
137 bool include_subdomains = true; | 341 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { |
138 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 342 TransportSecurityState state; |
139 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 343 const base::Time current_time(base::Time::Now()); |
140 EXPECT_TRUE(state.GetDynamicDomainState("foo.yahoo.com", &domain_state)); | 344 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
141 EXPECT_TRUE(state.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state)); | |
142 EXPECT_TRUE( | |
143 state.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state)); | |
144 EXPECT_FALSE(state.GetDynamicDomainState("com", &domain_state)); | |
145 } | |
146 | |
147 TEST_F(TransportSecurityStateTest, InvalidDomains) { | |
148 TransportSecurityState state; | |
149 TransportSecurityState::DomainState domain_state; | |
150 const base::Time current_time(base::Time::Now()); | |
151 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
152 | |
153 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
154 bool include_subdomains = true; | |
155 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
156 EXPECT_TRUE(state.GetDynamicDomainState("www-.foo.yahoo.com", &domain_state)); | |
157 EXPECT_TRUE( | |
158 state.GetDynamicDomainState("2\x01.foo.yahoo.com", &domain_state)); | |
159 } | |
160 | |
161 TEST_F(TransportSecurityStateTest, DeleteAllDynamicDataSince) { | |
162 TransportSecurityState state; | |
163 TransportSecurityState::DomainState domain_state; | |
164 const base::Time current_time(base::Time::Now()); | |
165 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
166 const base::Time older = current_time - base::TimeDelta::FromSeconds(1000); | |
167 | |
168 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
169 bool include_subdomains = false; | 345 bool include_subdomains = false; |
170 state.AddHSTS("yahoo.com", expiry, include_subdomains); | 346 state.AddHSTS("yahoo.com", expiry, include_subdomains); |
171 | 347 |
172 state.DeleteAllDynamicDataSince(expiry); | 348 EXPECT_TRUE(state.ShouldUpgradeToSSL("yahoo.com")); |
173 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 349 EXPECT_FALSE(state.ShouldUpgradeToSSL("example.com")); |
174 EXPECT_EQ(TransportSecurityState::DomainState::MODE_FORCE_HTTPS, | |
175 domain_state.sts.upgrade_mode); | |
176 state.DeleteAllDynamicDataSince(older); | |
177 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
178 EXPECT_EQ(TransportSecurityState::DomainState::MODE_DEFAULT, | |
179 domain_state.sts.upgrade_mode); | |
180 } | |
181 | |
182 TEST_F(TransportSecurityStateTest, DeleteDynamicDataForHost) { | |
183 TransportSecurityState state; | |
184 TransportSecurityState::DomainState domain_state; | |
185 const base::Time current_time(base::Time::Now()); | |
186 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | |
187 bool include_subdomains = false; | |
188 state.AddHSTS("yahoo.com", expiry, include_subdomains); | |
189 | |
190 EXPECT_TRUE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | |
191 EXPECT_FALSE(state.GetDynamicDomainState("example.com", &domain_state)); | |
192 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); | 350 EXPECT_TRUE(state.DeleteDynamicDataForHost("yahoo.com")); |
193 EXPECT_FALSE(state.GetDynamicDomainState("yahoo.com", &domain_state)); | 351 EXPECT_FALSE(state.ShouldUpgradeToSSL("yahoo.com")); |
194 } | 352 } |
195 | 353 |
196 TEST_F(TransportSecurityStateTest, EnableStaticPins) { | 354 TEST_F(TransportSecurityStateTest, EnableStaticPins) { |
197 TransportSecurityState state; | 355 TransportSecurityState state; |
198 TransportSecurityState::DomainState domain_state; | 356 TransportSecurityState::DomainState domain_state; |
199 | 357 |
200 EnableStaticPins(&state); | 358 EnableStaticPins(&state); |
201 | 359 |
202 EXPECT_TRUE( | 360 EXPECT_TRUE( |
203 state.GetStaticDomainState("chrome.google.com", &domain_state)); | 361 state.GetStaticDomainState("chrome.google.com", &domain_state)); |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
236 } | 394 } |
237 | 395 |
238 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { | 396 TEST_F(TransportSecurityStateTest, PreloadedDomainSet) { |
239 TransportSecurityState state; | 397 TransportSecurityState state; |
240 TransportSecurityState::DomainState domain_state; | 398 TransportSecurityState::DomainState domain_state; |
241 | 399 |
242 // The domain wasn't being set, leading to a blank string in the | 400 // The domain wasn't being set, leading to a blank string in the |
243 // chrome://net-internals/#hsts UI. So test that. | 401 // chrome://net-internals/#hsts UI. So test that. |
244 EXPECT_TRUE( | 402 EXPECT_TRUE( |
245 state.GetStaticDomainState("market.android.com", &domain_state)); | 403 state.GetStaticDomainState("market.android.com", &domain_state)); |
246 EXPECT_EQ(domain_state.domain, "market.android.com"); | 404 EXPECT_EQ(domain_state.sts.domain, "market.android.com"); |
| 405 EXPECT_EQ(domain_state.pkp.domain, "market.android.com"); |
247 EXPECT_TRUE(state.GetStaticDomainState( | 406 EXPECT_TRUE(state.GetStaticDomainState( |
248 "sub.market.android.com", &domain_state)); | 407 "sub.market.android.com", &domain_state)); |
249 EXPECT_EQ(domain_state.domain, "market.android.com"); | 408 EXPECT_EQ(domain_state.sts.domain, "market.android.com"); |
| 409 EXPECT_EQ(domain_state.pkp.domain, "market.android.com"); |
250 } | 410 } |
251 | 411 |
252 static bool StaticShouldRedirect(const char* hostname) { | 412 static bool StaticShouldRedirect(const char* hostname) { |
253 TransportSecurityState state; | 413 TransportSecurityState state; |
254 TransportSecurityState::DomainState domain_state; | 414 TransportSecurityState::DomainState domain_state; |
255 return state.GetStaticDomainState( | 415 return state.GetStaticDomainState( |
256 hostname, &domain_state) && | 416 hostname, &domain_state) && |
257 domain_state.ShouldUpgradeToSSL(); | 417 domain_state.ShouldUpgradeToSSL(); |
258 } | 418 } |
259 | 419 |
(...skipping 430 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
690 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net")); | 850 EXPECT_FALSE(HasStaticPublicKeyPins("learn.doubleclick.net")); |
691 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com")); | 851 EXPECT_TRUE(HasStaticPublicKeyPins("a.googlegroups.com")); |
692 } | 852 } |
693 | 853 |
694 TEST_F(TransportSecurityStateTest, OverrideBuiltins) { | 854 TEST_F(TransportSecurityStateTest, OverrideBuiltins) { |
695 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); | 855 EXPECT_TRUE(HasStaticPublicKeyPins("google.com")); |
696 EXPECT_FALSE(StaticShouldRedirect("google.com")); | 856 EXPECT_FALSE(StaticShouldRedirect("google.com")); |
697 EXPECT_FALSE(StaticShouldRedirect("www.google.com")); | 857 EXPECT_FALSE(StaticShouldRedirect("www.google.com")); |
698 | 858 |
699 TransportSecurityState state; | 859 TransportSecurityState state; |
700 TransportSecurityState::DomainState domain_state; | |
701 const base::Time current_time(base::Time::Now()); | 860 const base::Time current_time(base::Time::Now()); |
702 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); | 861 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); |
703 domain_state.sts.expiry = expiry; | 862 state.AddHSTS("www.google.com", expiry, true); |
704 EnableHost(&state, "www.google.com", domain_state); | |
705 | 863 |
706 EXPECT_TRUE(state.GetDynamicDomainState("www.google.com", &domain_state)); | 864 EXPECT_TRUE(state.ShouldUpgradeToSSL("www.google.com")); |
707 } | 865 } |
708 | 866 |
709 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) { | 867 TEST_F(TransportSecurityStateTest, GooglePinnedProperties) { |
710 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 868 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
711 "www.example.com")); | 869 "www.example.com")); |
712 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 870 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
713 "www.paypal.com")); | 871 "www.paypal.com")); |
714 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 872 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
715 "mail.twitter.com")); | 873 "mail.twitter.com")); |
716 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( | 874 EXPECT_FALSE(TransportSecurityState::IsGooglePinnedProperty( |
(...skipping 46 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
763 // These hosts used to only be HSTS when SNI was available. | 921 // These hosts used to only be HSTS when SNI was available. |
764 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 922 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
765 "gmail.com")); | 923 "gmail.com")); |
766 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 924 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
767 "googlegroups.com")); | 925 "googlegroups.com")); |
768 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( | 926 EXPECT_TRUE(TransportSecurityState::IsGooglePinnedProperty( |
769 "www.googlegroups.com")); | 927 "www.googlegroups.com")); |
770 } | 928 } |
771 | 929 |
772 } // namespace net | 930 } // namespace net |
OLD | NEW |