Split up transport security state related tests.
All transport security state tests currently depend on the real preload
list. This has caused issues when the preload list is updated. This CL
splits up the tests in two categories:
1: tests that test functionality related to the static transport
security state implementation.
2: tests that assert the correctness of the real preload list.
The tests that fall under (1) no longer depend on entries in the real
preload list but use a test-only preload list. The entries in (2) use
the real preload list but are disabled when the preload list is not
used.
Bug: 767108
Change-Id: I71ad58670d0e2366d76602b5a6d799e3c48269a4
Reviewed-on: https://chromium-review.googlesource.com/706786
Reviewed-by: Lucas Garron <[email protected]>
Reviewed-by: Helen Li <[email protected]>
Commit-Queue: Martijn Croonen <[email protected]>
Cr-Commit-Position: refs/heads/master@{#507954}diff --git a/net/url_request/url_request_unittest.cc b/net/url_request/url_request_unittest.cc
index 5e05736c..04fee52c 100644
--- a/net/url_request/url_request_unittest.cc
+++ b/net/url_request/url_request_unittest.cc
@@ -168,8 +168,8 @@
namespace {
-namespace test0 {
-#include "net/http/transport_security_state_static_unittest0.h"
+namespace test_default {
+#include "net/http/transport_security_state_static_unittest_default.h"
}
const base::string16 kChrome(ASCIIToUTF16("chrome"));
@@ -812,6 +812,8 @@
~URLRequestTest() override {
// URLRequestJobs may post clean-up tasks on destruction.
base::RunLoop().RunUntilIdle();
+
+ SetTransportSecurityStateSourceForTesting(nullptr);
}
void SetUp() override {
@@ -6351,9 +6353,10 @@
}
namespace {
-const char kExpectCTStaticHostname[] = "preloaded-expect-ct.badssl.com";
-const char kExpectStapleStaticHostname[] = "preloaded-expect-staple.badssl.com";
-const char kExpectStapleReportURI[] = "https://report.badssl.com/expect-staple";
+const char kExpectCTStaticHostname[] = "expect-ct.preloaded.test";
+const char kExpectStapleStaticHostname[] = "expect-staple.preloaded.test";
+const char kExpectStapleReportURI[] =
+ "http://report-uri.preloaded.test/expect-staple";
const char kHPKPReportUri[] = "https://hpkp-report.test";
} // namespace
@@ -6820,9 +6823,8 @@
// Tests that Expect CT headers for the preload list are processed correctly.
TEST_F(URLRequestTestHTTP, PreloadExpectCTHeader) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
https_test_server.SetSSLConfig(
net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
@@ -9464,7 +9466,9 @@
default_context_.set_network_delegate(&default_network_delegate_);
default_context_.Init();
}
- ~HTTPSRequestTest() override {}
+ ~HTTPSRequestTest() override {
+ SetTransportSecurityStateSourceForTesting(nullptr);
+ }
protected:
TestNetworkDelegate default_network_delegate_; // Must outlive URLRequest.
@@ -9571,22 +9575,22 @@
// TODO(svaldez): iOS tests are flaky with EmbeddedTestServer and transport
// security state. (see http://crbug.com/550977).
#if !defined(OS_IOS)
-// This tests that a load of www.google.com with a certificate error sets
-// the |certificate_errors_are_fatal| flag correctly. This flag will cause
-// the interstitial to be fatal.
+// This tests that a load of a domain with preloaded HSTS and HPKP with a
+// certificate error sets the |certificate_errors_are_fatal| flag correctly.
+// This flag will cause the interstitial to be fatal.
TEST_F(HTTPSRequestTest, HTTPSPreloadedHSTSTest) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
EmbeddedTestServer test_server(net::EmbeddedTestServer::TYPE_HTTPS);
test_server.SetSSLConfig(net::EmbeddedTestServer::CERT_MISMATCHED_NAME);
test_server.ServeFilesFromSourceDirectory("net/data/ssl");
ASSERT_TRUE(test_server.Start());
- // We require that the URL be www.google.com in order to pick up the
- // preloaded HSTS entries in the TransportSecurityState. This means that we
- // have to use a MockHostResolver in order to direct www.google.com to the
- // testserver. By default, MockHostResolver maps all hosts to 127.0.0.1.
+ // We require that the URL be hsts-hpkp-preloaded.test. This is a test domain
+ // that has a preloaded HSTS+HPKP entry in the TransportSecurityState. This
+ // means that we have to use a MockHostResolver in order to direct
+ // hsts-hpkp-preloaded.test to the testserver. By default, MockHostResolver
+ // maps all hosts to 127.0.0.1.
MockHostResolver host_resolver;
TestNetworkDelegate network_delegate; // Must outlive URLRequest.
@@ -9599,7 +9603,7 @@
TestDelegate d;
std::unique_ptr<URLRequest> r(context.CreateRequest(
- GURL(base::StringPrintf("https://www.google.com:%d",
+ GURL(base::StringPrintf("https://hsts-hpkp-preloaded.test:%d",
test_server.host_port_pair().port())),
DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -9617,9 +9621,8 @@
// This tests that cached HTTPS page loads do not cause any updates to the
// TransportSecurityState.
TEST_F(HTTPSRequestTest, HTTPSErrorsNoClobberTSSTest) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
// The actual problem -- CERT_MISMATCHED_NAME in this case -- doesn't
// matter. It just has to be any error.
EmbeddedTestServer test_server(net::EmbeddedTestServer::TYPE_HTTPS);
@@ -9627,10 +9630,11 @@
test_server.ServeFilesFromSourceDirectory("net/data/ssl");
ASSERT_TRUE(test_server.Start());
- // We require that the URL be www.google.com in order to pick up the static
- // and dynamic STS and PKP entries in the TransportSecurityState. This means
- // that we have to use a MockHostResolver in order to direct www.google.com to
- // the testserver. By default, MockHostResolver maps all hosts to 127.0.0.1.
+ // We require that the URL be hsts-hpkp-preloaded.test. This is a test domain
+ // that has a preloaded HSTS+HPKP entry in the TransportSecurityState. This
+ // means that we have to use a MockHostResolver in order to direct
+ // hsts-hpkp-preloaded.test to the testserver. By default, MockHostResolver
+ // maps all hosts to 127.0.0.1.
MockHostResolver host_resolver;
TestNetworkDelegate network_delegate; // Must outlive URLRequest.
@@ -9642,20 +9646,20 @@
TransportSecurityState::STSState static_sts_state;
TransportSecurityState::PKPState static_pkp_state;
EXPECT_TRUE(transport_security_state.GetStaticDomainState(
- "www.google.com", &static_sts_state, &static_pkp_state));
+ "hsts-hpkp-preloaded.test", &static_sts_state, &static_pkp_state));
context.set_transport_security_state(&transport_security_state);
context.Init();
TransportSecurityState::STSState dynamic_sts_state;
TransportSecurityState::PKPState dynamic_pkp_state;
- EXPECT_FALSE(transport_security_state.GetDynamicSTSState("www.google.com",
- &dynamic_sts_state));
- EXPECT_FALSE(transport_security_state.GetDynamicPKPState("www.google.com",
- &dynamic_pkp_state));
+ EXPECT_FALSE(transport_security_state.GetDynamicSTSState(
+ "hsts-hpkp-preloaded.test", &dynamic_sts_state));
+ EXPECT_FALSE(transport_security_state.GetDynamicPKPState(
+ "hsts-hpkp-preloaded.test", &dynamic_pkp_state));
TestDelegate d;
std::unique_ptr<URLRequest> r(context.CreateRequest(
- GURL(base::StringPrintf("https://www.google.com:%d",
+ GURL(base::StringPrintf("https://hsts-hpkp-preloaded.test:%d",
test_server.host_port_pair().port())),
DEFAULT_PRIORITY, &d, TRAFFIC_ANNOTATION_FOR_TESTS));
@@ -9673,13 +9677,14 @@
TransportSecurityState::STSState new_static_sts_state;
TransportSecurityState::PKPState new_static_pkp_state;
EXPECT_TRUE(transport_security_state.GetStaticDomainState(
- "www.google.com", &new_static_sts_state, &new_static_pkp_state));
+ "hsts-hpkp-preloaded.test", &new_static_sts_state,
+ &new_static_pkp_state));
TransportSecurityState::STSState new_dynamic_sts_state;
TransportSecurityState::PKPState new_dynamic_pkp_state;
EXPECT_FALSE(transport_security_state.GetDynamicSTSState(
- "www.google.com", &new_dynamic_sts_state));
+ "hsts-hpkp-preloaded.test", &new_dynamic_sts_state));
EXPECT_FALSE(transport_security_state.GetDynamicPKPState(
- "www.google.com", &new_dynamic_pkp_state));
+ "hsts-hpkp-preloaded.test", &new_dynamic_pkp_state));
EXPECT_EQ(new_static_sts_state.upgrade_mode, static_sts_state.upgrade_mode);
EXPECT_EQ(new_static_sts_state.include_subdomains,
@@ -10535,9 +10540,8 @@
}
TEST_F(HTTPSOCSPTest, ExpectStapleReportSentOnMissing) {
-#if !BUILDFLAG(INCLUDE_TRANSPORT_SECURITY_STATE_PRELOAD_LIST)
- SetTransportSecurityStateSourceForTesting(&test0::kHSTSSource);
-#endif
+ SetTransportSecurityStateSourceForTesting(&test_default::kHSTSSource);
+
EmbeddedTestServer https_test_server(net::EmbeddedTestServer::TYPE_HTTPS);
https_test_server.SetSSLConfig(
net::EmbeddedTestServer::CERT_COMMON_NAME_IS_DOMAIN);
