authoragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-12-11 21:04:42 +0000
committeragl@chromium.org <agl@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-12-11 21:04:42 +0000
commit326e67907033c1e8db115327d59482b1ae6db3ec (patch)
tree2940d88e6de6ce6ba528c4671b6574b4ff6bd1bd /net/base/transport_security_state_unittest.cc
parent5973945e4c3d2baf2b92d11be55c1692a09b12e3 (diff)
SPDY: augment Strict Transport Security with the beginnings of SPDY upgrade.
This adds an opportunistic flag to the information that we store in the Strict Transport Security State. Given this, STSS might be misnamed now, but renaming it in this patch would add huge amounts of noise. We process the 'X-Bodge-Transport-Security' header which has the same format as the STS header. When we see this on an HTTP connection, we'll probe for a clean HTTPS path to the host and then remember it. This header should be considered mutually exclusive with STS, although this isn't enforced in the code. The remembered flag is currently ignored by the rest of the code. This will be addressed in a future patch. The header should be called 'Opportunistic-Transport-Security' in the future, but we have some issues to work out before we take that name. http://codereview.chromium.org/456011 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34380 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/base/transport_security_state_unittest.cc')
-rw-r--r--net/base/transport_security_state_unittest.cc247
1 files changed, 247 insertions, 0 deletions
diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc
new file mode 100644
index 0000000..f52912c
--- /dev/null
+++ b/net/base/transport_security_state_unittest.cc
@@ -0,0 +1,247 @@
+// Copyright (c) 2009 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "net/base/transport_security_state.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+class TransportSecurityStateTest : public testing::Test {
+};
+
+TEST_F(TransportSecurityStateTest, BogusHeaders) {
+ int max_age = 42;
+ bool include_subdomains = false;
+
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " ", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "abc", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " abc", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " abc ", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age ", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age=", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age =", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age= ", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age = ", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age = xy", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ " max-age = 3488a923", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488a923 ", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-ag=3488923", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-aged=3488923", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age==3488923", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "amax-age=3488923", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=-3488923", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923;", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 e", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 includesubdomain", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923includesubdomains", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923=includesubdomains", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 includesubdomainx", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 includesubdomain=", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 includesubdomain=true", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 includesubdomainsx", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=3488923 includesubdomains x", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=34889.23 includesubdomains", &max_age, &include_subdomains));
+ EXPECT_FALSE(net::TransportSecurityState::ParseHeader(
+ "max-age=34889 includesubdomains", &max_age, &include_subdomains));
+
+ EXPECT_EQ(max_age, 42);
+ EXPECT_FALSE(include_subdomains);
+}
+
+TEST_F(TransportSecurityStateTest, ValidHeaders) {
+ int max_age = 42;
+ bool include_subdomains = true;
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ "max-age=243", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 243);
+ EXPECT_FALSE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ " Max-agE = 567", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 567);
+ EXPECT_FALSE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ " mAx-aGe = 890 ", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 890);
+ EXPECT_FALSE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ "max-age=123;incLudesUbdOmains", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 123);
+ EXPECT_TRUE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ "max-age=394082; incLudesUbdOmains", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 394082);
+ EXPECT_TRUE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ "max-age=39408299 ;incLudesUbdOmains", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 39408299);
+ EXPECT_TRUE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ "max-age=394082038 ; incLudesUbdOmains", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 394082038);
+ EXPECT_TRUE(include_subdomains);
+
+ EXPECT_TRUE(net::TransportSecurityState::ParseHeader(
+ " max-age=0 ; incLudesUbdOmains ", &max_age, &include_subdomains));
+ EXPECT_EQ(max_age, 0);
+ EXPECT_TRUE(include_subdomains);
+}
+
+TEST_F(TransportSecurityStateTest, SimpleMatches) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+ net::TransportSecurityState::DomainState domain_state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "google.com"));
+ domain_state.expiry = expiry;
+ state->EnableHost("google.com", domain_state);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "google.com"));
+}
+
+TEST_F(TransportSecurityStateTest, MatchesCase1) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+ net::TransportSecurityState::DomainState domain_state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "google.com"));
+ domain_state.expiry = expiry;
+ state->EnableHost("GOOgle.coM", domain_state);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "google.com"));
+}
+
+TEST_F(TransportSecurityStateTest, MatchesCase2) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+ net::TransportSecurityState::DomainState domain_state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "GOOgle.coM"));
+ domain_state.expiry = expiry;
+ state->EnableHost("google.com", domain_state);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "GOOgle.coM"));
+}
+
+TEST_F(TransportSecurityStateTest, SubdomainMatches) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+ net::TransportSecurityState::DomainState domain_state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "google.com"));
+ domain_state.expiry = expiry;
+ domain_state.include_subdomains = true;
+ state->EnableHost("google.com", domain_state);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "google.com"));
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "foo.google.com"));
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "foo.bar.google.com"));
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state,
+ "foo.bar.baz.google.com"));
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "com"));
+}
+
+TEST_F(TransportSecurityStateTest, Serialise1) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+ std::string output;
+ state->Serialise(&output);
+ EXPECT_TRUE(state->Deserialise(output));
+}
+
+TEST_F(TransportSecurityStateTest, Serialise2) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+
+ net::TransportSecurityState::DomainState domain_state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "google.com"));
+ domain_state.mode = net::TransportSecurityState::DomainState::MODE_STRICT;
+ domain_state.expiry = expiry;
+ domain_state.include_subdomains = true;
+ state->EnableHost("google.com", domain_state);
+
+ std::string output;
+ state->Serialise(&output);
+ EXPECT_TRUE(state->Deserialise(output));
+
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "google.com"));
+ EXPECT_EQ(domain_state.mode, net::TransportSecurityState::DomainState::MODE_STRICT);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "foo.google.com"));
+ EXPECT_EQ(domain_state.mode, net::TransportSecurityState::DomainState::MODE_STRICT);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "foo.bar.google.com"));
+ EXPECT_EQ(domain_state.mode, net::TransportSecurityState::DomainState::MODE_STRICT);
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state,
+ "foo.bar.baz.google.com"));
+ EXPECT_EQ(domain_state.mode, net::TransportSecurityState::DomainState::MODE_STRICT);
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "com"));
+}
+
+TEST_F(TransportSecurityStateTest, Serialise3) {
+ scoped_refptr<net::TransportSecurityState> state(
+ new net::TransportSecurityState);
+
+ net::TransportSecurityState::DomainState domain_state;
+ const base::Time current_time(base::Time::Now());
+ const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000);
+
+ EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "google.com"));
+ domain_state.mode = net::TransportSecurityState::DomainState::MODE_OPPORTUNISTIC;
+ domain_state.expiry = expiry;
+ state->EnableHost("google.com", domain_state);
+
+ std::string output;
+ state->Serialise(&output);
+ EXPECT_TRUE(state->Deserialise(output));
+
+ EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "google.com"));
+ EXPECT_EQ(domain_state.mode,
+ net::TransportSecurityState::DomainState::MODE_OPPORTUNISTIC);
+}
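Review bot: None of the new tests exercises expiry, even though every EnableHost call sets `domain_state.expiry` and the state's only time-based check is whether a remembered entry has lapsed; a regression that kept stale entries enabled (or dropped fresh ones) would pass this whole file. A companion case to SimpleMatches along the lines of `domain_state.expiry = current_time - base::TimeDelta::FromSeconds(1);` / `state->EnableHost("google.com", domain_state);` / `EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "google.com"));` would pin that down. SubdomainMatches (L195–L212) checks the bare suffix `"com"` but not a different host that merely ends with the same text, so a label-boundary bug in the subdomain walk would go unnoticed; adding `EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "notgoogle.com"));` next to the `"com"` check covers it, and the same applies to Serialise2. Separately, the file uses scoped_refptr, base::Time/TimeDelta and std::string while including only the header under test and gtest, so it compiles only through transitive includes; adding the base headers for those types (and `<string>`) would make the test self-contained.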