author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-02 22:18:48 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-05-02 22:18:48 +0000 |
commit | d7cf831aced7988f2ec0184beffa09caaadcaad4 (patch) | |
tree | fa9fcf2b4600c0c942b16de6cbe1c3f60679e11c /net | |
parent | 946f38c56e0bf6f1444d4a1bf8a1a88f5b14c345 (diff) | |
Fix net/ command-line pollution introduced in http://codereview.chromium.org/6869043/
BUG=81042
TEST=TransportSecurityStateTest.ForcePreloads
Review URL: http://codereview.chromium.org/6883294
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@83807 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/net_switches.cc | 17 | ||||
-rw-r--r-- | net/base/net_switches.h | 18 | ||||
-rw-r--r-- | net/base/transport_security_state.cc | 23 | ||||
-rw-r--r-- | net/base/transport_security_state.h | 15 | ||||
-rw-r--r-- | net/base/transport_security_state_unittest.cc | 68 | ||||
-rw-r--r-- | net/net.gyp | 2 | ||||
-rw-r--r-- | net/websockets/websocket_job_unittest.cc | 2 |
7 files changed, 60 insertions, 85 deletions
diff --git a/net/base/net_switches.cc b/net/base/net_switches.cc
deleted file mode 100644
index 10d6fa0..0000000
--- a/net/base/net_switches.cc
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-#include "net/base/net_switches.h"
-
-namespace switches {
-
-// This switch will take the JSON-formatted HSTS specification and load it
-// as if it were a preloaded HSTS entry. It will take precedence over both
-// website-specified rules and built-in rules.
-// The JSON format is the same as that persisted in
-// <profile_dir>/Default/TransportSecurity
-const char kHstsHosts[] = "hsts-hosts";
-
-} // namespace switches
-
diff --git a/net/base/net_switches.h b/net/base/net_switches.h
deleted file mode 100644
index 8951372..0000000
--- a/net/base/net_switches.h
+++ /dev/null
@@ -1,18 +0,0 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style license that can be
-// found in the LICENSE file.
-
-// Defines all the "net" command-line switches.
-
-#ifndef NET_BASE_SWITCHES_H_
-#define NET_BASE_SWITCHES_H_
-#pragma once
-
-namespace switches {
-
-extern const char kHstsHosts[];
-
-} // namespace switches
-
-#endif // NET_BASE_SWITCHES_H_
-
diff --git a/net/base/transport_security_state.cc b/net/base/transport_security_state.cc
index 93f2e06..dcb0a3d 100644
--- a/net/base/transport_security_state.cc
+++ b/net/base/transport_security_state.cc
@@ -5,14 +5,12 @@ #include "net/base/transport_security_state.h" #include "base/base64.h" -#include "base/command_line.h" #include "base/json/json_reader.h" #include "base/json/json_writer.h" #include "base/logging.h" #include "base/memory/scoped_ptr.h" #include "base/sha1.h" #include "base/string_number_conversions.h" -#include "base/string_split.h" #include "base/string_tokenizer.h" #include "base/string_util.h" #include "base/utf_string_conversions.h" @@ -20,14 +18,17 @@ #include "crypto/sha2.h" #include "googleurl/src/gurl.h" #include "net/base/dns_util.h" -#include "net/base/net_switches.h" namespace net { const long int TransportSecurityState::kMaxHSTSAgeSecs = 86400 * 365; // 1 year -TransportSecurityState::TransportSecurityState() +TransportSecurityState::TransportSecurityState(const std::string& hsts_hosts) : delegate_(NULL) { + if (!hsts_hosts.empty()) { + bool dirty; + Deserialise(hsts_hosts, &dirty, &forced_hosts_); + } } static std::string HashHost(const std::string& canonicalized_host) { @@ -541,7 +542,6 @@ static bool HasPreload(const struct HSTSPreload* entries, size_t num_entries, // IsPreloadedSTS returns true if the canonicalized hostname should always be // considered to have STS enabled. -// static bool TransportSecurityState::IsPreloadedSTS( const std::string& canonicalized_host, bool sni_available, @@ -550,15 +550,6 @@ bool TransportSecurityState::IsPreloadedSTS( out->mode = DomainState::MODE_STRICT; out->include_subdomains = false; - std::map<std::string, DomainState> hosts; - std::string cmd_line_hsts = - CommandLine::ForCurrentProcess()->GetSwitchValueASCII( - switches::kHstsHosts); - if (!cmd_line_hsts.empty()) { - bool dirty; - Deserialise(cmd_line_hsts, &dirty, &hosts); - } - // These hashes are base64 encodings of SHA1 hashes for cert public keys. static const char kCertPKHashVerisignClass3[] = "sha1/4n972HfV354KP560yw4uqe/baXc="; 
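Review bot: The new constructor in the `@@ -20,14 +18,17 @@` hunk discards the return value of `Deserialise`, so a malformed `hsts_hosts` string cannot be told apart from an empty one and the forced entries are silently dropped (whether a partial parse leaves entries in `forced_hosts_` is not visible here). Since these entries are meant to be treated as built-in rules, a parse failure should at least be logged; `base/logging.h` is already included, so `if (!Deserialise(hsts_hosts, &dirty, &forced_hosts_)) LOG(ERROR) << "Failed to parse forced HSTS hosts";` would do. `dirty` is passed uninitialised and never read afterwards, which deserves a one-line comment such as `// |dirty| is ignored: forced entries are never persisted.` if that is indeed the intent.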
@@ -667,8 +658,8 @@ bool TransportSecurityState::IsPreloadedSTS( canonicalized_host.size() - i); out->domain = DNSDomainToString(host_sub_chunk); std::string hashed_host(HashHost(host_sub_chunk)); - if (hosts.find(hashed_host) != hosts.end()) { - *out = hosts[hashed_host]; + if (forced_hosts_.find(hashed_host) != forced_hosts_.end()) { + *out = forced_hosts_[hashed_host]; out->domain = DNSDomainToString(host_sub_chunk); out->preloaded = true; return true; diff --git a/net/base/transport_security_state.h b/net/base/transport_security_state.h index b303362..983438c 100644 --- a/net/base/transport_security_state.h +++ b/net/base/transport_security_state.h @@ -26,7 +26,10 @@ namespace net { class TransportSecurityState : public base::RefCountedThreadSafe<TransportSecurityState> { public: - TransportSecurityState(); + // If non-empty, |hsts_hosts| is a JSON-formatted string to treat as if it + // were a built-in entry (same format as persisted metadata in the + // TransportSecurityState file). + explicit TransportSecurityState(const std::string& hsts_hosts); // A DomainState is the information that we persist about a given domain. struct DomainState { @@ -138,11 +141,11 @@ class TransportSecurityState : // If we have a callback configured, call it to let our serialiser know that // our state is dirty. void DirtyNotify(); + bool IsPreloadedSTS(const std::string& canonicalized_host, + bool sni_available, + DomainState* out); static std::string CanonicalizeHost(const std::string& host); - static bool IsPreloadedSTS(const std::string& canonicalized_host, - bool sni_available, - DomainState* out); static bool Deserialise(const std::string& state, bool* dirty, std::map<std::string, DomainState>* out); 
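Review bot: The forced-host lookup in the `@@ -667,8 +658,8 @@` hunk searches `forced_hosts_` twice and then reads it through `operator[]`, a non-const operation on a member map that prevents `IsPreloadedSTS` from being declared `const` now that it is an instance method. A single lookup through an iterator avoids both: `std::map<std::string, DomainState>::const_iterator it = forced_hosts_.find(hashed_host);`, then `if (it != forced_hosts_.end()) {` and `*out = it->second;`. The enclosing loop and function start and end outside the hunk.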
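Review bot: The constructor comment in the `@@ -26,7 +26,10 @@` hunk of transport_security_state.h does not say that entries in `hsts_hosts` take precedence over the built-in list, although the removed switch comment stated this and the new ForcePreloads test relies on a `"mode": "none"` entry turning enforcement off for a host. The argument can therefore relax built-in protection as well as add to it, which callers need to know before connecting it to any external input. I would extend the comment with a sentence such as `// Entries override built-in rules for the same host, including relaxing them, so only pass trusted input.`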
@@ -152,6 +155,10 @@ class TransportSecurityState : // ('www.google.com') to the form used in DNS: "\x03www\x06google\x03com" std::map<std::string, DomainState> enabled_hosts_; + // These hosts are extra rules to treat as built-in, passed in the + // constructor (typically originating from the command line). + std::map<std::string, DomainState> forced_hosts_; + // Our delegate who gets notified when we are dirtied, or NULL. Delegate* delegate_; diff --git a/net/base/transport_security_state_unittest.cc b/net/base/transport_security_state_unittest.cc index e38e327..8c09414 100644 --- a/net/base/transport_security_state_unittest.cc +++ b/net/base/transport_security_state_unittest.cc @@ -141,7 +141,7 @@ TEST_F(TransportSecurityStateTest, ValidHeaders) { TEST_F(TransportSecurityStateTest, SimpleMatches) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); @@ -154,7 +154,7 @@ TEST_F(TransportSecurityStateTest, SimpleMatches) { TEST_F(TransportSecurityStateTest, MatchesCase1) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); @@ -167,7 +167,7 @@ TEST_F(TransportSecurityStateTest, MatchesCase1) { TEST_F(TransportSecurityStateTest, MatchesCase2) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); 
@@ -180,7 +180,7 @@ TEST_F(TransportSecurityStateTest, MatchesCase2) { TEST_F(TransportSecurityStateTest, SubdomainMatches) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); @@ -202,7 +202,7 @@ TEST_F(TransportSecurityStateTest, SubdomainMatches) { TEST_F(TransportSecurityStateTest, Serialise1) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); std::string output; bool dirty; state->Serialise(&output); @@ -212,7 +212,7 @@ TEST_F(TransportSecurityStateTest, Serialise1) { TEST_F(TransportSecurityStateTest, Serialise2) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); @@ -246,7 +246,7 @@ TEST_F(TransportSecurityStateTest, Serialise2) { TEST_F(TransportSecurityStateTest, Serialise3) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); @@ -269,7 +269,7 @@ TEST_F(TransportSecurityStateTest, Serialise3) { TEST_F(TransportSecurityStateTest, DeleteSince) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); 
@@ -289,7 +289,7 @@ TEST_F(TransportSecurityStateTest, DeleteSince) { TEST_F(TransportSecurityStateTest, DeleteHost) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; const base::Time current_time(base::Time::Now()); @@ -306,7 +306,7 @@ TEST_F(TransportSecurityStateTest, DeleteHost) { TEST_F(TransportSecurityStateTest, SerialiseOld) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); // This is an old-style piece of transport state JSON, which has no creation // date. std::string output = @@ -323,6 +323,9 @@ TEST_F(TransportSecurityStateTest, SerialiseOld) { } TEST_F(TransportSecurityStateTest, IsPreloaded) { + scoped_refptr<TransportSecurityState> state( + new TransportSecurityState(std::string())); + const std::string paypal = TransportSecurityState::CanonicalizeHost("paypal.com"); const std::string www_paypal = 
@@ -337,24 +340,18 @@ TEST_F(TransportSecurityStateTest, IsPreloaded) { TransportSecurityState::CanonicalizeHost("aypal.com"); TransportSecurityState::DomainState domain_state; - EXPECT_FALSE(TransportSecurityState::IsPreloadedSTS( - paypal, true, &domain_state)); - EXPECT_TRUE(TransportSecurityState::IsPreloadedSTS( - www_paypal, true, &domain_state)); + EXPECT_FALSE(state->IsPreloadedSTS(paypal, true, &domain_state)); + EXPECT_TRUE(state->IsPreloadedSTS(www_paypal, true, &domain_state)); EXPECT_FALSE(domain_state.include_subdomains); - EXPECT_FALSE(TransportSecurityState::IsPreloadedSTS( - a_www_paypal, true, &domain_state)); - EXPECT_FALSE(TransportSecurityState::IsPreloadedSTS( - abc_paypal, true, &domain_state)); - EXPECT_FALSE(TransportSecurityState::IsPreloadedSTS( - example, true, &domain_state)); - EXPECT_FALSE(TransportSecurityState::IsPreloadedSTS( - aypal, true, &domain_state)); + EXPECT_FALSE(state->IsPreloadedSTS(a_www_paypal, true, &domain_state)); + EXPECT_FALSE(state->IsPreloadedSTS(abc_paypal, true, &domain_state)); + EXPECT_FALSE(state->IsPreloadedSTS(example, true, &domain_state)); + EXPECT_FALSE(state->IsPreloadedSTS(aypal, true, &domain_state)); } TEST_F(TransportSecurityStateTest, Preloaded) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "paypal.com", true)); EXPECT_TRUE(state->IsEnabledForHost(&domain_state, "www.paypal.com", true)); @@ -553,7 +550,7 @@ TEST_F(TransportSecurityStateTest, Preloaded) { TEST_F(TransportSecurityStateTest, LongNames) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); const char kLongName[] = "lookupByWaveIdHashAndWaveIdIdAndWaveIdDomainAndWaveletIdIdAnd" "WaveletIdDomainAndBlipBlipid"; 
@@ -564,7 +561,7 @@ TEST_F(TransportSecurityStateTest, LongNames) { TEST_F(TransportSecurityStateTest, PublicKeyHashes) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "example.com", false)); @@ -597,7 +594,7 @@ TEST_F(TransportSecurityStateTest, PublicKeyHashes) { TEST_F(TransportSecurityStateTest, BuiltinCertPins) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; EXPECT_TRUE(state->IsEnabledForHost(&domain_state, @@ -638,7 +635,7 @@ TEST_F(TransportSecurityStateTest, BuiltinCertPins) { TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { scoped_refptr<TransportSecurityState> state( - new TransportSecurityState); + new TransportSecurityState(std::string())); TransportSecurityState::DomainState domain_state; EXPECT_FALSE(state->IsEnabledForHost(&domain_state, @@ -680,4 +677,21 @@ TEST_F(TransportSecurityStateTest, OptionalHSTSCertPins) { true)); } +TEST_F(TransportSecurityStateTest, ForcePreloads) { + // This is a docs.google.com override. + std::string preload("{" + "\"4AGT3lHihuMSd5rUj7B4u6At0jlSH3HFePovjPR+oLE=\": {" + "\"created\": 0.0," + "\"expiry\": 2000000000.0," + "\"include_subdomains\": false," + "\"mode\": \"none\"" + "}}"); + + scoped_refptr<TransportSecurityState> state( + new TransportSecurityState(preload)); + TransportSecurityState::DomainState domain_state; + EXPECT_FALSE(state->HasPinsForHost(&domain_state, "docs.google.com", true)); + EXPECT_FALSE(state->IsEnabledForHost(&domain_state, "docs.google.com", true)); +} + } // namespace net diff --git a/net/net.gyp b/net/net.gyp index 3321a88..8634fdd 100644 --- a/net/net.gyp +++ b/net/net.gyp 
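Review bot: The ForcePreloads test in the `@@ -680,4 +677,21 @@` hunk covers only a well-formed override; nothing checks what the constructor does with a string that fails to parse. A second case would pin down that built-in entries still apply then, for example `scoped_refptr<TransportSecurityState> bad(new TransportSecurityState("{"));` followed by `EXPECT_TRUE(bad->IsEnabledForHost(&domain_state, "www.paypal.com", true));`, which mirrors the expectation already made in the Preloaded test. The hashed key in the JSON fixture is opaque, so the comment above it could also say how it was derived from the host name so the fixture can be regenerated.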
@@ -139,8 +139,6 @@ 'base/net_log_source_type_list.h', 'base/net_module.cc', 'base/net_module.h', - 'base/net_switches.cc', - 'base/net_switches.h', 'base/net_util.cc', 'base/net_util.h', 'base/net_util_posix.cc', diff --git a/net/websockets/websocket_job_unittest.cc b/net/websockets/websocket_job_unittest.cc index f027a4a..db29ee6 100644 --- a/net/websockets/websocket_job_unittest.cc +++ b/net/websockets/websocket_job_unittest.cc @@ -157,7 +157,7 @@ class MockURLRequestContext : public URLRequestContext { CookiePolicy* cookie_policy) { set_cookie_store(cookie_store); set_cookie_policy(cookie_policy); - transport_security_state_ = new TransportSecurityState(); + transport_security_state_ = new TransportSecurityState(std::string()); set_transport_security_state(transport_security_state_.get()); TransportSecurityState::DomainState state; state.expiry = base::Time::Now() + base::TimeDelta::FromSeconds(1000); |