| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h" | 5 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h" |
| 6 | 6 |
| 7 #include <stdint.h> | 7 #include <stdint.h> |
| 8 | 8 |
| 9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
| 10 #include "base/strings/string_number_conversions.h" | 10 #include "base/strings/string_number_conversions.h" |
| 11 #include "base/test/simple_test_clock.h" | 11 #include "base/test/simple_test_clock.h" |
| 12 #include "chrome/browser/browsing_data/browsing_data_helper.h" | 12 #include "chrome/browser/browsing_data/browsing_data_helper.h" |
| 13 #include "chrome/browser/browsing_data/browsing_data_remover.h" | 13 #include "chrome/browser/browsing_data/browsing_data_remover.h" |
| 14 #include "chrome/browser/browsing_data/browsing_data_remover_test_util.h" | 14 #include "chrome/browser/browsing_data/browsing_data_remover_test_util.h" |
| 15 #include "chrome/browser/profiles/profile.h" | 15 #include "chrome/browser/profiles/profile.h" |
| 16 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate_factory.h" | 16 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate_factory.h" |
| 17 #include "chrome/browser/ui/browser.h" | 17 #include "chrome/browser/ui/browser.h" |
| 18 #include "chrome/browser/ui/tabs/tab_strip_model.h" | 18 #include "chrome/browser/ui/tabs/tab_strip_model.h" |
| 19 #include "chrome/common/chrome_switches.h" | 19 #include "chrome/common/chrome_switches.h" |
| 20 #include "chrome/test/base/in_process_browser_test.h" | 20 #include "chrome/test/base/in_process_browser_test.h" |
| 21 #include "content/public/browser/ssl_host_state_delegate.h" | 21 #include "content/public/browser/ssl_host_state_delegate.h" |
| 22 #include "content/public/browser/web_contents.h" | 22 #include "content/public/browser/web_contents.h" |
| 23 #include "content/public/common/content_switches.h" |
| 23 #include "content/public/test/browser_test_utils.h" | 24 #include "content/public/test/browser_test_utils.h" |
| 24 #include "net/base/test_data_directory.h" | 25 #include "net/base/test_data_directory.h" |
| 25 #include "net/test/cert_test_util.h" | 26 #include "net/test/cert_test_util.h" |
| 26 #include "testing/gtest/include/gtest/gtest.h" | 27 #include "testing/gtest/include/gtest/gtest.h" |
| 27 | 28 |
| 28 namespace { | 29 namespace { |
| 29 | 30 |
| 30 const char kGoogleCertFile[] = "google.single.der"; | 31 const char kOkCertFile[] = "ok_cert.pem"; |
| 31 | 32 |
| 32 const char kWWWGoogleHost[] = "www.google.com"; | 33 const char kWWWGoogleHost[] = "www.google.com"; |
| 33 const char kGoogleHost[] = "google.com"; | 34 const char kGoogleHost[] = "google.com"; |
| 34 const char kExampleHost[] = "example.com"; | 35 const char kExampleHost[] = "example.com"; |
| 35 | 36 |
| 36 const char kForgetAtSessionEnd[] = "-1"; | 37 const char kForgetAtSessionEnd[] = "-1"; |
| 37 const char kForgetInstantly[] = "0"; | 38 const char kForgetInstantly[] = "0"; |
| 38 const char kDeltaSecondsString[] = "86400"; | 39 const char kDeltaSecondsString[] = "86400"; |
| 39 const uint64_t kDeltaOneDayInSeconds = UINT64_C(86400); | 40 const uint64_t kDeltaOneDayInSeconds = UINT64_C(86400); |
| 40 | 41 |
| 41 scoped_refptr<net::X509Certificate> GetGoogleCert() { | 42 scoped_refptr<net::X509Certificate> GetOkCert() { |
| 42 return net::ImportCertFromFile(net::GetTestCertsDirectory(), kGoogleCertFile); | 43 return net::ImportCertFromFile(net::GetTestCertsDirectory(), kOkCertFile); |
| 43 } | 44 } |
| 44 | 45 |
| 45 } // namespace | 46 } // namespace |
| 46 | 47 |
| 47 class ChromeSSLHostStateDelegateTest : public InProcessBrowserTest {}; | 48 class ChromeSSLHostStateDelegateTest : public InProcessBrowserTest {}; |
| 48 | 49 |
| 49 // ChromeSSLHostStateDelegateTest tests basic unit test functionality of the | 50 // ChromeSSLHostStateDelegateTest tests basic unit test functionality of the |
| 50 // SSLHostStateDelegate class. For example, tests that if a certificate is | 51 // SSLHostStateDelegate class. For example, tests that if a certificate is |
| 51 // accepted, then it is added to queryable, and if it is revoked, it is not | 52 // accepted, then it is added to queryable, and if it is revoked, it is not |
| 52 // queryable. Even though it is effectively a unit test, in needs to be an | 53 // queryable. Even though it is effectively a unit test, in needs to be an |
| 53 // InProcessBrowserTest because the actual functionality is provided by | 54 // InProcessBrowserTest because the actual functionality is provided by |
| 54 // ChromeSSLHostStateDelegate which is provided per-profile. | 55 // ChromeSSLHostStateDelegate which is provided per-profile. |
| 55 // | 56 // |
| 56 // QueryPolicy unit tests the expected behavior of calling QueryPolicy on the | 57 // QueryPolicy unit tests the expected behavior of calling QueryPolicy on the |
| 57 // SSLHostStateDelegate class after various SSL cert decisions have been made. | 58 // SSLHostStateDelegate class after various SSL cert decisions have been made. |
| 58 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, QueryPolicy) { | 59 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, QueryPolicy) { |
| 59 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 60 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 60 content::WebContents* tab = | 61 content::WebContents* tab = |
| 61 browser()->tab_strip_model()->GetActiveWebContents(); | 62 browser()->tab_strip_model()->GetActiveWebContents(); |
| 62 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 63 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 63 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 64 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 64 bool unused_value; | 65 bool unused_value; |
| 65 | 66 |
| 66 // Verifying that all three of the certs we will be looking at are denied | 67 // Verifying that all three of the certs we will be looking at are denied |
| 67 // before any action has been taken. | 68 // before any action has been taken. |
| 68 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 69 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 69 state->QueryPolicy(kWWWGoogleHost, | 70 state->QueryPolicy(kWWWGoogleHost, |
| 70 *google_cert.get(), | 71 *cert.get(), |
| 71 net::CERT_STATUS_DATE_INVALID, | 72 net::CERT_STATUS_DATE_INVALID, |
| 72 &unused_value)); | 73 &unused_value)); |
| 73 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 74 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 74 state->QueryPolicy(kGoogleHost, | 75 state->QueryPolicy(kGoogleHost, |
| 75 *google_cert.get(), | 76 *cert.get(), |
| 76 net::CERT_STATUS_DATE_INVALID, | 77 net::CERT_STATUS_DATE_INVALID, |
| 77 &unused_value)); | 78 &unused_value)); |
| 78 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 79 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 79 state->QueryPolicy(kExampleHost, | 80 state->QueryPolicy(kExampleHost, |
| 80 *google_cert.get(), | 81 *cert.get(), |
| 81 net::CERT_STATUS_DATE_INVALID, | 82 net::CERT_STATUS_DATE_INVALID, |
| 82 &unused_value)); | 83 &unused_value)); |
| 83 | 84 |
| 84 // Simulate a user decision to allow an invalid certificate exception for | 85 // Simulate a user decision to allow an invalid certificate exception for |
| 85 // kWWWGoogleHost. | 86 // kWWWGoogleHost. |
| 86 state->AllowCert( | 87 state->AllowCert( |
| 87 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 88 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 88 | 89 |
| 89 // Verify that only kWWWGoogleHost is allowed and that the other two certs | 90 // Verify that only kWWWGoogleHost is allowed and that the other two certs |
| 90 // being tested still are denied. | 91 // being tested still are denied. |
| 91 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 92 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 92 state->QueryPolicy(kWWWGoogleHost, | 93 state->QueryPolicy(kWWWGoogleHost, |
| 93 *google_cert.get(), | 94 *cert.get(), |
| 94 net::CERT_STATUS_DATE_INVALID, | 95 net::CERT_STATUS_DATE_INVALID, |
| 95 &unused_value)); | 96 &unused_value)); |
| 96 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 97 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 97 state->QueryPolicy(kGoogleHost, | 98 state->QueryPolicy(kGoogleHost, |
| 98 *google_cert.get(), | 99 *cert.get(), |
| 99 net::CERT_STATUS_DATE_INVALID, | 100 net::CERT_STATUS_DATE_INVALID, |
| 100 &unused_value)); | 101 &unused_value)); |
| 101 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 102 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 102 state->QueryPolicy(kExampleHost, | 103 state->QueryPolicy(kExampleHost, |
| 103 *google_cert.get(), | 104 *cert.get(), |
| 104 net::CERT_STATUS_DATE_INVALID, | 105 net::CERT_STATUS_DATE_INVALID, |
| 105 &unused_value)); | 106 &unused_value)); |
| 106 | 107 |
| 107 // Simulate a user decision to allow an invalid certificate exception for | 108 // Simulate a user decision to allow an invalid certificate exception for |
| 108 // kExampleHost. | 109 // kExampleHost. |
| 109 state->AllowCert( | 110 state->AllowCert( |
| 110 kExampleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 111 kExampleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 111 | 112 |
| 112 // Verify that both kWWWGoogleHost and kExampleHost have allow exceptions | 113 // Verify that both kWWWGoogleHost and kExampleHost have allow exceptions |
| 113 // while kGoogleHost still is denied. | 114 // while kGoogleHost still is denied. |
| 114 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 115 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 115 state->QueryPolicy(kWWWGoogleHost, | 116 state->QueryPolicy(kWWWGoogleHost, |
| 116 *google_cert.get(), | 117 *cert.get(), |
| 117 net::CERT_STATUS_DATE_INVALID, | 118 net::CERT_STATUS_DATE_INVALID, |
| 118 &unused_value)); | 119 &unused_value)); |
| 119 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 120 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 120 state->QueryPolicy(kGoogleHost, | 121 state->QueryPolicy(kGoogleHost, |
| 121 *google_cert.get(), | 122 *cert.get(), |
| 122 net::CERT_STATUS_DATE_INVALID, | 123 net::CERT_STATUS_DATE_INVALID, |
| 123 &unused_value)); | 124 &unused_value)); |
| 124 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 125 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 125 state->QueryPolicy(kExampleHost, | 126 state->QueryPolicy(kExampleHost, |
| 126 *google_cert.get(), | 127 *cert.get(), |
| 127 net::CERT_STATUS_DATE_INVALID, | 128 net::CERT_STATUS_DATE_INVALID, |
| 128 &unused_value)); | 129 &unused_value)); |
| 129 } | 130 } |
| 130 | 131 |
| 131 // HasPolicyAndRevoke unit tests the expected behavior of calling | 132 // HasPolicyAndRevoke unit tests the expected behavior of calling |
| 132 // HasAllowException before and after calling RevokeUserAllowExceptions on the | 133 // HasAllowException before and after calling RevokeUserAllowExceptions on the |
| 133 // SSLHostStateDelegate class. | 134 // SSLHostStateDelegate class. |
| 134 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, HasPolicyAndRevoke) { | 135 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, HasPolicyAndRevoke) { |
| 135 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 136 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 136 content::WebContents* tab = | 137 content::WebContents* tab = |
| 137 browser()->tab_strip_model()->GetActiveWebContents(); | 138 browser()->tab_strip_model()->GetActiveWebContents(); |
| 138 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 139 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 139 ChromeSSLHostStateDelegate* state = | 140 ChromeSSLHostStateDelegate* state = |
| 140 ChromeSSLHostStateDelegateFactory::GetForProfile(profile); | 141 ChromeSSLHostStateDelegateFactory::GetForProfile(profile); |
| 141 bool unused_value; | 142 bool unused_value; |
| 142 | 143 |
| 143 // Simulate a user decision to allow an invalid certificate exception for | 144 // Simulate a user decision to allow an invalid certificate exception for |
| 144 // kWWWGoogleHost and for kExampleHost. | 145 // kWWWGoogleHost and for kExampleHost. |
| 145 state->AllowCert( | 146 state->AllowCert( |
| 146 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 147 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 147 state->AllowCert( | 148 state->AllowCert( |
| 148 kExampleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 149 kExampleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 149 | 150 |
| 150 // Verify that HasAllowException correctly acknowledges that a user decision | 151 // Verify that HasAllowException correctly acknowledges that a user decision |
| 151 // has been made about kWWWGoogleHost. Then verify that HasAllowException | 152 // has been made about kWWWGoogleHost. Then verify that HasAllowException |
| 152 // correctly identifies that the decision has been revoked. | 153 // correctly identifies that the decision has been revoked. |
| 153 EXPECT_TRUE(state->HasAllowException(kWWWGoogleHost)); | 154 EXPECT_TRUE(state->HasAllowException(kWWWGoogleHost)); |
| 154 state->RevokeUserAllowExceptions(kWWWGoogleHost); | 155 state->RevokeUserAllowExceptions(kWWWGoogleHost); |
| 155 EXPECT_FALSE(state->HasAllowException(kWWWGoogleHost)); | 156 EXPECT_FALSE(state->HasAllowException(kWWWGoogleHost)); |
| 156 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 157 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 157 state->QueryPolicy(kWWWGoogleHost, | 158 state->QueryPolicy(kWWWGoogleHost, |
| 158 *google_cert.get(), | 159 *cert.get(), |
| 159 net::CERT_STATUS_DATE_INVALID, | 160 net::CERT_STATUS_DATE_INVALID, |
| 160 &unused_value)); | 161 &unused_value)); |
| 161 | 162 |
| 162 // Verify that the revocation of the kWWWGoogleHost decision does not affect | 163 // Verify that the revocation of the kWWWGoogleHost decision does not affect |
| 163 // the Allow for kExampleHost. | 164 // the Allow for kExampleHost. |
| 164 EXPECT_TRUE(state->HasAllowException(kExampleHost)); | 165 EXPECT_TRUE(state->HasAllowException(kExampleHost)); |
| 165 | 166 |
| 166 // Verify the revocation of the kWWWGoogleHost decision does not affect the | 167 // Verify the revocation of the kWWWGoogleHost decision does not affect the |
| 167 // non-decision for kGoogleHost. Then verify that a revocation of a URL with | 168 // non-decision for kGoogleHost. Then verify that a revocation of a URL with |
| 168 // no decision has no effect. | 169 // no decision has no effect. |
| 169 EXPECT_FALSE(state->HasAllowException(kGoogleHost)); | 170 EXPECT_FALSE(state->HasAllowException(kGoogleHost)); |
| 170 state->RevokeUserAllowExceptions(kGoogleHost); | 171 state->RevokeUserAllowExceptions(kGoogleHost); |
| 171 EXPECT_FALSE(state->HasAllowException(kGoogleHost)); | 172 EXPECT_FALSE(state->HasAllowException(kGoogleHost)); |
| 172 } | 173 } |
| 173 | 174 |
| 174 // Clear unit tests the expected behavior of calling Clear to forget all cert | 175 // Clear unit tests the expected behavior of calling Clear to forget all cert |
| 175 // decision state on the SSLHostStateDelegate class. | 176 // decision state on the SSLHostStateDelegate class. |
| 176 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, Clear) { | 177 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, Clear) { |
| 177 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 178 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 178 content::WebContents* tab = | 179 content::WebContents* tab = |
| 179 browser()->tab_strip_model()->GetActiveWebContents(); | 180 browser()->tab_strip_model()->GetActiveWebContents(); |
| 180 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 181 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 181 ChromeSSLHostStateDelegate* state = | 182 ChromeSSLHostStateDelegate* state = |
| 182 ChromeSSLHostStateDelegateFactory::GetForProfile(profile); | 183 ChromeSSLHostStateDelegateFactory::GetForProfile(profile); |
| 183 bool unused_value; | 184 bool unused_value; |
| 184 | 185 |
| 185 // Simulate a user decision to allow an invalid certificate exception for | 186 // Simulate a user decision to allow an invalid certificate exception for |
| 186 // kWWWGoogleHost and for kExampleHost. | 187 // kWWWGoogleHost and for kExampleHost. |
| 187 state->AllowCert( | 188 state->AllowCert( |
| 188 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 189 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 189 | 190 |
| 190 // Do a full clear, then make sure that both kWWWGoogleHost, which had a | 191 // Do a full clear, then make sure that both kWWWGoogleHost, which had a |
| 191 // decision made, and kExampleHost, which was untouched, are now in a denied | 192 // decision made, and kExampleHost, which was untouched, are now in a denied |
| 192 // state. | 193 // state. |
| 193 state->Clear(); | 194 state->Clear(); |
| 194 EXPECT_FALSE(state->HasAllowException(kWWWGoogleHost)); | 195 EXPECT_FALSE(state->HasAllowException(kWWWGoogleHost)); |
| 195 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 196 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 196 state->QueryPolicy(kWWWGoogleHost, | 197 state->QueryPolicy(kWWWGoogleHost, |
| 197 *google_cert.get(), | 198 *cert.get(), |
| 198 net::CERT_STATUS_DATE_INVALID, | 199 net::CERT_STATUS_DATE_INVALID, |
| 199 &unused_value)); | 200 &unused_value)); |
| 200 EXPECT_FALSE(state->HasAllowException(kExampleHost)); | 201 EXPECT_FALSE(state->HasAllowException(kExampleHost)); |
| 201 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 202 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 202 state->QueryPolicy(kExampleHost, | 203 state->QueryPolicy(kExampleHost, |
| 203 *google_cert.get(), | 204 *cert.get(), |
| 204 net::CERT_STATUS_DATE_INVALID, | 205 net::CERT_STATUS_DATE_INVALID, |
| 205 &unused_value)); | 206 &unused_value)); |
| 206 } | 207 } |
| 207 | 208 |
| 208 // DidHostRunInsecureContent unit tests the expected behavior of calling | 209 // DidHostRunInsecureContent unit tests the expected behavior of calling |
| 209 // DidHostRunInsecureContent as well as HostRanInsecureContent to check if | 210 // DidHostRunInsecureContent as well as HostRanInsecureContent to check if |
| 210 // insecure content has been run and to mark it as such. | 211 // insecure content has been run and to mark it as such. |
| 211 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, | 212 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, |
| 212 DidHostRunInsecureContent) { | 213 DidHostRunInsecureContent) { |
| 213 content::WebContents* tab = | 214 content::WebContents* tab = |
| (...skipping 14 matching lines...) Expand all Loading... |
| 228 state->HostRanInsecureContent("example.com", 42); | 229 state->HostRanInsecureContent("example.com", 42); |
| 229 | 230 |
| 230 EXPECT_TRUE(state->DidHostRunInsecureContent("www.google.com", 42)); | 231 EXPECT_TRUE(state->DidHostRunInsecureContent("www.google.com", 42)); |
| 231 EXPECT_FALSE(state->DidHostRunInsecureContent("www.google.com", 191)); | 232 EXPECT_FALSE(state->DidHostRunInsecureContent("www.google.com", 191)); |
| 232 EXPECT_TRUE(state->DidHostRunInsecureContent("example.com", 42)); | 233 EXPECT_TRUE(state->DidHostRunInsecureContent("example.com", 42)); |
| 233 } | 234 } |
| 234 | 235 |
| 235 // QueryPolicyExpired unit tests to make sure that if a certificate decision has | 236 // QueryPolicyExpired unit tests to make sure that if a certificate decision has |
| 236 // expired, the return value from QueryPolicy returns the correct vaule. | 237 // expired, the return value from QueryPolicy returns the correct vaule. |
| 237 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, PRE_QueryPolicyExpired) { | 238 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, PRE_QueryPolicyExpired) { |
| 238 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 239 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 239 content::WebContents* tab = | 240 content::WebContents* tab = |
| 240 browser()->tab_strip_model()->GetActiveWebContents(); | 241 browser()->tab_strip_model()->GetActiveWebContents(); |
| 241 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 242 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 242 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 243 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 243 bool expired_previous_decision; | 244 bool expired_previous_decision; |
| 244 | 245 |
| 245 // The certificate has never been seen before, so it should be UNKNOWN and | 246 // The certificate has never been seen before, so it should be UNKNOWN and |
| 246 // should also indicate that it hasn't expired. | 247 // should also indicate that it hasn't expired. |
| 247 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 248 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 248 state->QueryPolicy(kWWWGoogleHost, | 249 state->QueryPolicy(kWWWGoogleHost, |
| 249 *google_cert.get(), | 250 *cert.get(), |
| 250 net::CERT_STATUS_DATE_INVALID, | 251 net::CERT_STATUS_DATE_INVALID, |
| 251 &expired_previous_decision)); | 252 &expired_previous_decision)); |
| 252 EXPECT_FALSE(expired_previous_decision); | 253 EXPECT_FALSE(expired_previous_decision); |
| 253 | 254 |
| 254 // After allowing the certificate, a query should say that it is allowed and | 255 // After allowing the certificate, a query should say that it is allowed and |
| 255 // also specify that it hasn't expired. | 256 // also specify that it hasn't expired. |
| 256 state->AllowCert( | 257 state->AllowCert( |
| 257 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 258 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 258 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 259 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 259 state->QueryPolicy(kWWWGoogleHost, | 260 state->QueryPolicy(kWWWGoogleHost, |
| 260 *google_cert.get(), | 261 *cert.get(), |
| 261 net::CERT_STATUS_DATE_INVALID, | 262 net::CERT_STATUS_DATE_INVALID, |
| 262 &expired_previous_decision)); | 263 &expired_previous_decision)); |
| 263 EXPECT_FALSE(expired_previous_decision); | 264 EXPECT_FALSE(expired_previous_decision); |
| 264 } | 265 } |
| 265 | 266 |
| 266 // Since this is being checked on a browser instance that expires security | 267 // Since this is being checked on a browser instance that expires security |
| 267 // decisions after restart, the test needs to wait until after a restart to | 268 // decisions after restart, the test needs to wait until after a restart to |
| 268 // verify that the expiration state is correct. | 269 // verify that the expiration state is correct. |
| 269 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, QueryPolicyExpired) { | 270 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, QueryPolicyExpired) { |
| 270 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 271 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 271 content::WebContents* tab = | 272 content::WebContents* tab = |
| 272 browser()->tab_strip_model()->GetActiveWebContents(); | 273 browser()->tab_strip_model()->GetActiveWebContents(); |
| 273 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 274 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 274 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 275 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 275 bool expired_previous_decision; | 276 bool expired_previous_decision; |
| 276 | 277 |
| 277 // The browser content has restart thus expiring the user decision made above, | 278 // The browser content has restart thus expiring the user decision made above, |
| 278 // so it should indicate that the certificate and error are DENIED but also | 279 // so it should indicate that the certificate and error are DENIED but also |
| 279 // that they expired since the last query. | 280 // that they expired since the last query. |
| 280 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 281 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 281 state->QueryPolicy(kWWWGoogleHost, | 282 state->QueryPolicy(kWWWGoogleHost, |
| 282 *google_cert.get(), | 283 *cert.get(), |
| 283 net::CERT_STATUS_DATE_INVALID, | 284 net::CERT_STATUS_DATE_INVALID, |
| 284 &expired_previous_decision)); | 285 &expired_previous_decision)); |
| 285 EXPECT_TRUE(expired_previous_decision); | 286 EXPECT_TRUE(expired_previous_decision); |
| 286 | 287 |
| 287 // However, with a new query, it should indicate that no new expiration has | 288 // However, with a new query, it should indicate that no new expiration has |
| 288 // occurred. | 289 // occurred. |
| 289 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 290 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 290 state->QueryPolicy(kWWWGoogleHost, | 291 state->QueryPolicy(kWWWGoogleHost, |
| 291 *google_cert.get(), | 292 *cert.get(), |
| 292 net::CERT_STATUS_DATE_INVALID, | 293 net::CERT_STATUS_DATE_INVALID, |
| 293 &expired_previous_decision)); | 294 &expired_previous_decision)); |
| 294 EXPECT_FALSE(expired_previous_decision); | 295 EXPECT_FALSE(expired_previous_decision); |
| 295 } | 296 } |
| 296 | 297 |
| 297 // Tests the basic behavior of cert memory in incognito. | 298 // Tests the basic behavior of cert memory in incognito. |
| 298 class IncognitoSSLHostStateDelegateTest | 299 class IncognitoSSLHostStateDelegateTest |
| 299 : public ChromeSSLHostStateDelegateTest { | 300 : public ChromeSSLHostStateDelegateTest { |
| 300 protected: | 301 protected: |
| 301 void SetUpCommandLine(base::CommandLine* command_line) override { | 302 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 302 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); | 303 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); |
| 303 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, | 304 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, |
| 304 kDeltaSecondsString); | 305 kDeltaSecondsString); |
| 305 } | 306 } |
| 306 }; | 307 }; |
| 307 | 308 |
| 308 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, PRE_AfterRestart) { | 309 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, PRE_AfterRestart) { |
| 309 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 310 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 310 content::WebContents* tab = | 311 content::WebContents* tab = |
| 311 browser()->tab_strip_model()->GetActiveWebContents(); | 312 browser()->tab_strip_model()->GetActiveWebContents(); |
| 312 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 313 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 313 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 314 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 314 bool unused_value; | 315 bool unused_value; |
| 315 | 316 |
| 316 // Add a cert exception to the profile and then verify that it still exists | 317 // Add a cert exception to the profile and then verify that it still exists |
| 317 // in the incognito profile. | 318 // in the incognito profile. |
| 318 state->AllowCert( | 319 state->AllowCert( |
| 319 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 320 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 320 | 321 |
| 321 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile()); | 322 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile()); |
| 322 content::SSLHostStateDelegate* incognito_state = | 323 content::SSLHostStateDelegate* incognito_state = |
| 323 incognito->GetSSLHostStateDelegate(); | 324 incognito->GetSSLHostStateDelegate(); |
| 324 | 325 |
| 325 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 326 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 326 incognito_state->QueryPolicy(kWWWGoogleHost, | 327 incognito_state->QueryPolicy(kWWWGoogleHost, |
| 327 *google_cert.get(), | 328 *cert.get(), |
| 328 net::CERT_STATUS_DATE_INVALID, | 329 net::CERT_STATUS_DATE_INVALID, |
| 329 &unused_value)); | 330 &unused_value)); |
| 330 | 331 |
| 331 // Add a cert exception to the incognito profile. It will be checked after | 332 // Add a cert exception to the incognito profile. It will be checked after |
| 332 // restart that this exception does not exist. Note the different cert URL and | 333 // restart that this exception does not exist. Note the different cert URL and |
| 333 // error than above thus mapping to a second exception. Also validate that it | 334 // error than above thus mapping to a second exception. Also validate that it |
| 334 // was not added as an exception to the regular profile. | 335 // was not added as an exception to the regular profile. |
| 335 incognito_state->AllowCert( | 336 incognito_state->AllowCert( |
| 336 kGoogleHost, *google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID); | 337 kGoogleHost, *cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID); |
| 337 | 338 |
| 338 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 339 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 339 state->QueryPolicy(kGoogleHost, | 340 state->QueryPolicy(kGoogleHost, |
| 340 *google_cert.get(), | 341 *cert.get(), |
| 341 net::CERT_STATUS_COMMON_NAME_INVALID, | 342 net::CERT_STATUS_COMMON_NAME_INVALID, |
| 342 &unused_value)); | 343 &unused_value)); |
| 343 } | 344 } |
| 344 | 345 |
| 345 // AfterRestart ensures that any cert decisions made in an incognito profile are | 346 // AfterRestart ensures that any cert decisions made in an incognito profile are |
| 346 // forgetten after a session restart even if given a command line flag to | 347 // forgetten after a session restart even if given a command line flag to |
| 347 // remember cert decisions after restart. | 348 // remember cert decisions after restart. |
| 348 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, AfterRestart) { | 349 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, AfterRestart) { |
| 349 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 350 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 350 content::WebContents* tab = | 351 content::WebContents* tab = |
| 351 browser()->tab_strip_model()->GetActiveWebContents(); | 352 browser()->tab_strip_model()->GetActiveWebContents(); |
| 352 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 353 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 353 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 354 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 354 bool unused_value; | 355 bool unused_value; |
| 355 | 356 |
| 356 // Verify that the exception added before restart to the regular | 357 // Verify that the exception added before restart to the regular |
| 357 // (non-incognito) profile still exists and was not cleared after the | 358 // (non-incognito) profile still exists and was not cleared after the |
| 358 // incognito session ended. | 359 // incognito session ended. |
| 359 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 360 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 360 state->QueryPolicy(kWWWGoogleHost, | 361 state->QueryPolicy(kWWWGoogleHost, |
| 361 *google_cert.get(), | 362 *cert.get(), |
| 362 net::CERT_STATUS_DATE_INVALID, | 363 net::CERT_STATUS_DATE_INVALID, |
| 363 &unused_value)); | 364 &unused_value)); |
| 364 | 365 |
| 365 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile()); | 366 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile()); |
| 366 content::SSLHostStateDelegate* incognito_state = | 367 content::SSLHostStateDelegate* incognito_state = |
| 367 incognito->GetSSLHostStateDelegate(); | 368 incognito->GetSSLHostStateDelegate(); |
| 368 | 369 |
| 369 // Verify that the exception added before restart to the incognito profile was | 370 // Verify that the exception added before restart to the incognito profile was |
| 370 // cleared when the incognito session ended. | 371 // cleared when the incognito session ended. |
| 371 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 372 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 372 incognito_state->QueryPolicy(kGoogleHost, | 373 incognito_state->QueryPolicy(kGoogleHost, |
| 373 *google_cert.get(), | 374 *cert.get(), |
| 374 net::CERT_STATUS_COMMON_NAME_INVALID, | 375 net::CERT_STATUS_COMMON_NAME_INVALID, |
| 375 &unused_value)); | 376 &unused_value)); |
| 376 } | 377 } |
| 377 | 378 |
| 378 // Tests to make sure that if the remember value is set to -1, any decisions | 379 // Tests to make sure that if the remember value is set to -1, any decisions |
| 379 // won't be remembered over a restart. | 380 // won't be remembered over a restart. |
| 380 class ForGetSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest { | 381 class ForGetSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest { |
| 381 protected: | 382 protected: |
| 382 void SetUpCommandLine(base::CommandLine* command_line) override { | 383 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 383 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); | 384 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); |
| 384 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, | 385 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, |
| 385 kForgetAtSessionEnd); | 386 kForgetAtSessionEnd); |
| 386 } | 387 } |
| 387 }; | 388 }; |
| 388 | 389 |
| 389 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, PRE_AfterRestart) { | 390 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, PRE_AfterRestart) { |
| 390 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 391 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 391 content::WebContents* tab = | 392 content::WebContents* tab = |
| 392 browser()->tab_strip_model()->GetActiveWebContents(); | 393 browser()->tab_strip_model()->GetActiveWebContents(); |
| 393 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 394 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 394 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 395 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 395 bool unused_value; | 396 bool unused_value; |
| 396 | 397 |
| 397 state->AllowCert( | 398 state->AllowCert( |
| 398 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 399 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 399 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 400 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 400 state->QueryPolicy(kWWWGoogleHost, | 401 state->QueryPolicy(kWWWGoogleHost, |
| 401 *google_cert.get(), | 402 *cert.get(), |
| 402 net::CERT_STATUS_DATE_INVALID, | 403 net::CERT_STATUS_DATE_INVALID, |
| 403 &unused_value)); | 404 &unused_value)); |
| 404 } | 405 } |
| 405 | 406 |
| 406 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, AfterRestart) { | 407 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, AfterRestart) { |
| 407 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 408 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 408 content::WebContents* tab = | 409 content::WebContents* tab = |
| 409 browser()->tab_strip_model()->GetActiveWebContents(); | 410 browser()->tab_strip_model()->GetActiveWebContents(); |
| 410 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 411 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 411 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 412 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 412 bool unused_value; | 413 bool unused_value; |
| 413 | 414 |
| 414 // The cert should now be |DENIED| because the profile is set to forget cert | 415 // The cert should now be |DENIED| because the profile is set to forget cert |
| 415 // exceptions after session end. | 416 // exceptions after session end. |
| 416 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 417 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 417 state->QueryPolicy(kWWWGoogleHost, | 418 state->QueryPolicy(kWWWGoogleHost, |
| 418 *google_cert.get(), | 419 *cert.get(), |
| 419 net::CERT_STATUS_DATE_INVALID, | 420 net::CERT_STATUS_DATE_INVALID, |
| 420 &unused_value)); | 421 &unused_value)); |
| 421 } | 422 } |
| 422 | 423 |
| 423 // Tests to make sure that if the remember value is set to 0, any decisions made | 424 // Tests to make sure that if the remember value is set to 0, any decisions made |
| 424 // will be forgetten immediately. | 425 // will be forgetten immediately. |
| 425 class ForgetInstantlySSLHostStateDelegateTest | 426 class ForgetInstantlySSLHostStateDelegateTest |
| 426 : public ChromeSSLHostStateDelegateTest { | 427 : public ChromeSSLHostStateDelegateTest { |
| 427 protected: | 428 protected: |
| 428 void SetUpCommandLine(base::CommandLine* command_line) override { | 429 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 429 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); | 430 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); |
| 430 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, | 431 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, |
| 431 kForgetInstantly); | 432 kForgetInstantly); |
| 432 } | 433 } |
| 433 }; | 434 }; |
| 434 | 435 |
| 435 IN_PROC_BROWSER_TEST_F(ForgetInstantlySSLHostStateDelegateTest, | 436 IN_PROC_BROWSER_TEST_F(ForgetInstantlySSLHostStateDelegateTest, |
| 436 MakeAndForgetException) { | 437 MakeAndForgetException) { |
| 437 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 438 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 438 content::WebContents* tab = | 439 content::WebContents* tab = |
| 439 browser()->tab_strip_model()->GetActiveWebContents(); | 440 browser()->tab_strip_model()->GetActiveWebContents(); |
| 440 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 441 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 441 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 442 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 442 bool unused_value; | 443 bool unused_value; |
| 443 | 444 |
| 444 // chrome_state takes ownership of this clock | 445 // chrome_state takes ownership of this clock |
| 445 base::SimpleTestClock* clock = new base::SimpleTestClock(); | 446 base::SimpleTestClock* clock = new base::SimpleTestClock(); |
| 446 ChromeSSLHostStateDelegate* chrome_state = | 447 ChromeSSLHostStateDelegate* chrome_state = |
| 447 static_cast<ChromeSSLHostStateDelegate*>(state); | 448 static_cast<ChromeSSLHostStateDelegate*>(state); |
| 448 chrome_state->SetClock(scoped_ptr<base::Clock>(clock)); | 449 chrome_state->SetClock(scoped_ptr<base::Clock>(clock)); |
| 449 | 450 |
| 450 // Start the clock at standard system time but do not advance at all to | 451 // Start the clock at standard system time but do not advance at all to |
| 451 // emphasize that instant forget works. | 452 // emphasize that instant forget works. |
| 452 clock->SetNow(base::Time::NowFromSystemTime()); | 453 clock->SetNow(base::Time::NowFromSystemTime()); |
| 453 | 454 |
| 454 state->AllowCert( | 455 state->AllowCert( |
| 455 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 456 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 456 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 457 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 457 state->QueryPolicy(kWWWGoogleHost, | 458 state->QueryPolicy(kWWWGoogleHost, |
| 458 *google_cert.get(), | 459 *cert.get(), |
| 459 net::CERT_STATUS_DATE_INVALID, | 460 net::CERT_STATUS_DATE_INVALID, |
| 460 &unused_value)); | 461 &unused_value)); |
| 461 } | 462 } |
| 462 | 463 |
| 463 // Tests to make sure that if the remember value is set to a non-zero value, | 464 // Tests to make sure that if the remember value is set to a non-zero value, |
| 464 // any decisions will be remembered over a restart, but only for the length | 465 // any decisions will be remembered over a restart, but only for the length |
| 465 // specified. | 466 // specified. |
| 466 class RememberSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest { | 467 class RememberSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest { |
| 467 protected: | 468 protected: |
| 468 void SetUpCommandLine(base::CommandLine* command_line) override { | 469 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 469 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); | 470 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); |
| 470 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, | 471 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions, |
| 471 kDeltaSecondsString); | 472 kDeltaSecondsString); |
| 472 } | 473 } |
| 473 }; | 474 }; |
| 474 | 475 |
| 475 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, PRE_AfterRestart) { | 476 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, PRE_AfterRestart) { |
| 476 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 477 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 477 content::WebContents* tab = | 478 content::WebContents* tab = |
| 478 browser()->tab_strip_model()->GetActiveWebContents(); | 479 browser()->tab_strip_model()->GetActiveWebContents(); |
| 479 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 480 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 480 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 481 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 481 bool unused_value; | 482 bool unused_value; |
| 482 | 483 |
| 483 state->AllowCert( | 484 state->AllowCert( |
| 484 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 485 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 485 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 486 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 486 state->QueryPolicy(kWWWGoogleHost, | 487 state->QueryPolicy(kWWWGoogleHost, |
| 487 *google_cert.get(), | 488 *cert.get(), |
| 488 net::CERT_STATUS_DATE_INVALID, | 489 net::CERT_STATUS_DATE_INVALID, |
| 489 &unused_value)); | 490 &unused_value)); |
| 490 } | 491 } |
| 491 | 492 |
| 492 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, AfterRestart) { | 493 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, AfterRestart) { |
| 493 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 494 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 494 content::WebContents* tab = | 495 content::WebContents* tab = |
| 495 browser()->tab_strip_model()->GetActiveWebContents(); | 496 browser()->tab_strip_model()->GetActiveWebContents(); |
| 496 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 497 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 497 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 498 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 498 bool unused_value; | 499 bool unused_value; |
| 499 | 500 |
| 500 // chrome_state takes ownership of this clock | 501 // chrome_state takes ownership of this clock |
| 501 base::SimpleTestClock* clock = new base::SimpleTestClock(); | 502 base::SimpleTestClock* clock = new base::SimpleTestClock(); |
| 502 ChromeSSLHostStateDelegate* chrome_state = | 503 ChromeSSLHostStateDelegate* chrome_state = |
| 503 static_cast<ChromeSSLHostStateDelegate*>(state); | 504 static_cast<ChromeSSLHostStateDelegate*>(state); |
| 504 chrome_state->SetClock(scoped_ptr<base::Clock>(clock)); | 505 chrome_state->SetClock(scoped_ptr<base::Clock>(clock)); |
| 505 | 506 |
| 506 // Start the clock at standard system time. | 507 // Start the clock at standard system time. |
| 507 clock->SetNow(base::Time::NowFromSystemTime()); | 508 clock->SetNow(base::Time::NowFromSystemTime()); |
| 508 | 509 |
| 509 // This should only pass if the cert was allowed before the test was restart | 510 // This should only pass if the cert was allowed before the test was restart |
| 510 // and thus has now been rememebered across browser restarts. | 511 // and thus has now been rememebered across browser restarts. |
| 511 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 512 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 512 state->QueryPolicy(kWWWGoogleHost, | 513 state->QueryPolicy(kWWWGoogleHost, |
| 513 *google_cert.get(), | 514 *cert.get(), |
| 514 net::CERT_STATUS_DATE_INVALID, | 515 net::CERT_STATUS_DATE_INVALID, |
| 515 &unused_value)); | 516 &unused_value)); |
| 516 | 517 |
| 517 // Simulate the clock advancing by the specified delta. | 518 // Simulate the clock advancing by the specified delta. |
| 518 clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1)); | 519 clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1)); |
| 519 | 520 |
| 520 // The cert should now be |DENIED| because the specified delta has passed. | 521 // The cert should now be |DENIED| because the specified delta has passed. |
| 521 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 522 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 522 state->QueryPolicy(kWWWGoogleHost, | 523 state->QueryPolicy(kWWWGoogleHost, |
| 523 *google_cert.get(), | 524 *cert.get(), |
| 524 net::CERT_STATUS_DATE_INVALID, | 525 net::CERT_STATUS_DATE_INVALID, |
| 525 &unused_value)); | 526 &unused_value)); |
| 526 } | 527 } |
| 527 | 528 |
| 528 // The same test as ChromeSSLHostStateDelegateTest.QueryPolicyExpired but now | 529 // The same test as ChromeSSLHostStateDelegateTest.QueryPolicyExpired but now |
| 529 // applied to a browser context that expires based on time, not restart. This | 530 // applied to a browser context that expires based on time, not restart. This |
| 530 // unit tests to make sure that if a certificate decision has expired, the | 531 // unit tests to make sure that if a certificate decision has expired, the |
| 531 // return value from QueryPolicy returns the correct vaule. | 532 // return value from QueryPolicy returns the correct vaule. |
| 532 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, QueryPolicyExpired) { | 533 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, QueryPolicyExpired) { |
| 533 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 534 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 534 content::WebContents* tab = | 535 content::WebContents* tab = |
| 535 browser()->tab_strip_model()->GetActiveWebContents(); | 536 browser()->tab_strip_model()->GetActiveWebContents(); |
| 536 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 537 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 537 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 538 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 538 bool expired_previous_decision; | 539 bool expired_previous_decision; |
| 539 | 540 |
| 540 // chrome_state takes ownership of this clock | 541 // chrome_state takes ownership of this clock |
| 541 base::SimpleTestClock* clock = new base::SimpleTestClock(); | 542 base::SimpleTestClock* clock = new base::SimpleTestClock(); |
| 542 ChromeSSLHostStateDelegate* chrome_state = | 543 ChromeSSLHostStateDelegate* chrome_state = |
| 543 static_cast<ChromeSSLHostStateDelegate*>(state); | 544 static_cast<ChromeSSLHostStateDelegate*>(state); |
| 544 chrome_state->SetClock(scoped_ptr<base::Clock>(clock)); | 545 chrome_state->SetClock(scoped_ptr<base::Clock>(clock)); |
| 545 | 546 |
| 546 // Start the clock at standard system time but do not advance at all to | 547 // Start the clock at standard system time but do not advance at all to |
| 547 // emphasize that instant forget works. | 548 // emphasize that instant forget works. |
| 548 clock->SetNow(base::Time::NowFromSystemTime()); | 549 clock->SetNow(base::Time::NowFromSystemTime()); |
| 549 | 550 |
| 550 // The certificate has never been seen before, so it should be UNKONWN and | 551 // The certificate has never been seen before, so it should be UNKONWN and |
| 551 // should also indicate that it hasn't expired. | 552 // should also indicate that it hasn't expired. |
| 552 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 553 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 553 state->QueryPolicy(kWWWGoogleHost, | 554 state->QueryPolicy(kWWWGoogleHost, |
| 554 *google_cert.get(), | 555 *cert.get(), |
| 555 net::CERT_STATUS_DATE_INVALID, | 556 net::CERT_STATUS_DATE_INVALID, |
| 556 &expired_previous_decision)); | 557 &expired_previous_decision)); |
| 557 EXPECT_FALSE(expired_previous_decision); | 558 EXPECT_FALSE(expired_previous_decision); |
| 558 | 559 |
| 559 // After allowing the certificate, a query should say that it is allowed and | 560 // After allowing the certificate, a query should say that it is allowed and |
| 560 // also specify that it hasn't expired. | 561 // also specify that it hasn't expired. |
| 561 state->AllowCert( | 562 state->AllowCert( |
| 562 kWWWGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 563 kWWWGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 563 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, | 564 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 564 state->QueryPolicy(kWWWGoogleHost, | 565 state->QueryPolicy(kWWWGoogleHost, |
| 565 *google_cert.get(), | 566 *cert.get(), |
| 566 net::CERT_STATUS_DATE_INVALID, | 567 net::CERT_STATUS_DATE_INVALID, |
| 567 &expired_previous_decision)); | 568 &expired_previous_decision)); |
| 568 EXPECT_FALSE(expired_previous_decision); | 569 EXPECT_FALSE(expired_previous_decision); |
| 569 | 570 |
| 570 // Simulate the clock advancing by the specified delta. | 571 // Simulate the clock advancing by the specified delta. |
| 571 clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1)); | 572 clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1)); |
| 572 | 573 |
| 573 // The decision expiration time has come, so it should indicate that the | 574 // The decision expiration time has come, so it should indicate that the |
| 574 // certificate and error are DENIED but also that they expired since the last | 575 // certificate and error are DENIED but also that they expired since the last |
| 575 // query. | 576 // query. |
| 576 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 577 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 577 state->QueryPolicy(kWWWGoogleHost, | 578 state->QueryPolicy(kWWWGoogleHost, |
| 578 *google_cert.get(), | 579 *cert.get(), |
| 579 net::CERT_STATUS_DATE_INVALID, | 580 net::CERT_STATUS_DATE_INVALID, |
| 580 &expired_previous_decision)); | 581 &expired_previous_decision)); |
| 581 EXPECT_TRUE(expired_previous_decision); | 582 EXPECT_TRUE(expired_previous_decision); |
| 582 | 583 |
| 583 // However, with a new query, it should indicate that no new expiration has | 584 // However, with a new query, it should indicate that no new expiration has |
| 584 // occurred. | 585 // occurred. |
| 585 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 586 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 586 state->QueryPolicy(kWWWGoogleHost, | 587 state->QueryPolicy(kWWWGoogleHost, |
| 587 *google_cert.get(), | 588 *cert.get(), |
| 588 net::CERT_STATUS_DATE_INVALID, | 589 net::CERT_STATUS_DATE_INVALID, |
| 589 &expired_previous_decision)); | 590 &expired_previous_decision)); |
| 590 EXPECT_FALSE(expired_previous_decision); | 591 EXPECT_FALSE(expired_previous_decision); |
| 591 } | 592 } |
| 592 | 593 |
| 593 // Tests to make sure that if the user deletes their browser history, SSL | 594 // Tests to make sure that if the user deletes their browser history, SSL |
| 594 // exceptions will be deleted as well. | 595 // exceptions will be deleted as well. |
| 595 class RemoveBrowsingHistorySSLHostStateDelegateTest | 596 class RemoveBrowsingHistorySSLHostStateDelegateTest |
| 596 : public ChromeSSLHostStateDelegateTest { | 597 : public ChromeSSLHostStateDelegateTest { |
| 597 public: | 598 public: |
| 598 void RemoveAndWait(Profile* profile) { | 599 void RemoveAndWait(Profile* profile) { |
| 599 BrowsingDataRemover* remover = BrowsingDataRemover::CreateForPeriod( | 600 BrowsingDataRemover* remover = BrowsingDataRemover::CreateForPeriod( |
| 600 profile, BrowsingDataRemover::LAST_HOUR); | 601 profile, BrowsingDataRemover::LAST_HOUR); |
| 601 BrowsingDataRemoverCompletionObserver completion_observer(remover); | 602 BrowsingDataRemoverCompletionObserver completion_observer(remover); |
| 602 remover->Remove(BrowsingDataRemover::REMOVE_HISTORY, | 603 remover->Remove(BrowsingDataRemover::REMOVE_HISTORY, |
| 603 BrowsingDataHelper::UNPROTECTED_WEB); | 604 BrowsingDataHelper::UNPROTECTED_WEB); |
| 604 completion_observer.BlockUntilCompletion(); | 605 completion_observer.BlockUntilCompletion(); |
| 605 } | 606 } |
| 606 }; | 607 }; |
| 607 | 608 |
| 608 IN_PROC_BROWSER_TEST_F(RemoveBrowsingHistorySSLHostStateDelegateTest, | 609 IN_PROC_BROWSER_TEST_F(RemoveBrowsingHistorySSLHostStateDelegateTest, |
| 609 DeleteHistory) { | 610 DeleteHistory) { |
| 610 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert(); | 611 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 611 content::WebContents* tab = | 612 content::WebContents* tab = |
| 612 browser()->tab_strip_model()->GetActiveWebContents(); | 613 browser()->tab_strip_model()->GetActiveWebContents(); |
| 613 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); | 614 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 614 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); | 615 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 615 bool unused_value; | 616 bool unused_value; |
| 616 | 617 |
| 617 // Add an exception for an invalid certificate. Then remove the last hour's | 618 // Add an exception for an invalid certificate. Then remove the last hour's |
| 618 // worth of browsing history and verify that the exception has been deleted. | 619 // worth of browsing history and verify that the exception has been deleted. |
| 619 state->AllowCert( | 620 state->AllowCert( |
| 620 kGoogleHost, *google_cert.get(), net::CERT_STATUS_DATE_INVALID); | 621 kGoogleHost, *cert.get(), net::CERT_STATUS_DATE_INVALID); |
| 621 RemoveAndWait(profile); | 622 RemoveAndWait(profile); |
| 622 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, | 623 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 623 state->QueryPolicy(kGoogleHost, | 624 state->QueryPolicy(kGoogleHost, |
| 624 *google_cert.get(), | 625 *cert.get(), |
| 625 net::CERT_STATUS_DATE_INVALID, | 626 net::CERT_STATUS_DATE_INVALID, |
| 626 &unused_value)); | 627 &unused_value)); |
| 627 } | 628 } |
| 629 |
| 630 // Tests to make sure that localhost certificate errors are treated as |
| 631 // normal errors or ignored, depending on whether the |
| 632 // kAllowInsecureLocalhost flag is set. |
| 633 |
| 634 // When the flag isn't set, requests to localhost with invalid |
| 635 // certificates should be denied. |
| 636 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, |
| 637 LocalhostErrorWithoutFlag) { |
| 638 // Serve the Google cert for localhost to generate an error. |
| 639 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 640 content::WebContents* tab = |
| 641 browser()->tab_strip_model()->GetActiveWebContents(); |
| 642 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 643 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 644 bool unused_value; |
| 645 |
| 646 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 647 state->QueryPolicy("localhost", |
| 648 *cert.get(), |
| 649 net::CERT_STATUS_COMMON_NAME_INVALID, |
| 650 &unused_value)); |
| 651 |
| 652 EXPECT_EQ(content::SSLHostStateDelegate::DENIED, |
| 653 state->QueryPolicy("127.0.0.1", |
| 654 *cert.get(), |
| 655 net::CERT_STATUS_COMMON_NAME_INVALID, |
| 656 &unused_value)); |
| 657 } |
| 658 |
| 659 // When the flag is set, requests to localhost with invalid certificates |
| 660 // should be allowed. |
| 661 class AllowLocalhostErrorsSSLHostStateDelegateTest |
| 662 : public ChromeSSLHostStateDelegateTest { |
| 663 protected: |
| 664 void SetUpCommandLine(base::CommandLine* command_line) override { |
| 665 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line); |
| 666 command_line->AppendSwitch(switches::kAllowInsecureLocalhost); |
| 667 } |
| 668 }; |
| 669 |
| 670 IN_PROC_BROWSER_TEST_F(AllowLocalhostErrorsSSLHostStateDelegateTest, |
| 671 LocalhostErrorWithFlag) { |
| 672 // Serve the Google cert for localhost to generate an error. |
| 673 scoped_refptr<net::X509Certificate> cert = GetOkCert(); |
| 674 content::WebContents* tab = |
| 675 browser()->tab_strip_model()->GetActiveWebContents(); |
| 676 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext()); |
| 677 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate(); |
| 678 bool unused_value; |
| 679 |
| 680 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 681 state->QueryPolicy("localhost", |
| 682 *cert.get(), |
| 683 net::CERT_STATUS_COMMON_NAME_INVALID, |
| 684 &unused_value)); |
| 685 |
| 686 EXPECT_EQ(content::SSLHostStateDelegate::ALLOWED, |
| 687 state->QueryPolicy("127.0.0.1", |
| 688 *cert.get(), |
| 689 net::CERT_STATUS_COMMON_NAME_INVALID, |
| 690 &unused_value)); |
| 691 } |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 887223005:
Skip interstitials and don't block requests for localhost SSL errors (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master