1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #include "net/http/transport_security_persister.h" 6 7 #include <map> 8 #include <string> 9 #include <vector> 10 11 #include "base/file_util.h" 12 #include "base/files/file_path.h" 13 #include "base/files/scoped_temp_dir.h" 14 #include "base/message_loop/message_loop.h" 15 #include "net/http/transport_security_state.h" 16 #include "testing/gtest/include/gtest/gtest.h" 17 18 using net::TransportSecurityPersister; 19 using net::TransportSecurityState; 20 21 class TransportSecurityPersisterTest : public testing::Test { 22 public: 23 TransportSecurityPersisterTest() { 24 } 25 26 virtual ~TransportSecurityPersisterTest() { 27 base::MessageLoopForIO::current()->RunUntilIdle(); 28 } 29 30 virtual void SetUp() OVERRIDE { 31 ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); 32 persister_.reset(new TransportSecurityPersister( 33 &state_, 34 temp_dir_.path(), 35 base::MessageLoopForIO::current()->message_loop_proxy(), 36 false)); 37 } 38 39 protected: 40 base::ScopedTempDir temp_dir_; 41 TransportSecurityState state_; 42 scoped_ptr<TransportSecurityPersister> persister_; 43 }; 44 45 TEST_F(TransportSecurityPersisterTest, SerializeData1) { 46 std::string output; 47 bool dirty; 48 49 EXPECT_TRUE(persister_->SerializeData(&output)); 50 EXPECT_TRUE(persister_->LoadEntries(output, &dirty)); 51 EXPECT_FALSE(dirty); 52 } 53 54 TEST_F(TransportSecurityPersisterTest, SerializeData2) { 55 TransportSecurityState::DomainState domain_state; 56 const base::Time current_time(base::Time::Now()); 57 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); 58 static const char kYahooDomain[] = "yahoo.com"; 59 60 EXPECT_FALSE(state_.GetStaticDomainState(kYahooDomain, true, &domain_state)); 61 EXPECT_FALSE(state_.GetDynamicDomainState(kYahooDomain, &domain_state)); 62 63 bool include_subdomains = true; 64 state_.AddHSTS(kYahooDomain, expiry, include_subdomains); 65 66 std::string output; 67 bool dirty; 68 EXPECT_TRUE(persister_->SerializeData(&output)); 69 EXPECT_TRUE(persister_->LoadEntries(output, &dirty)); 70 71 EXPECT_TRUE(state_.GetDynamicDomainState(kYahooDomain, &domain_state)); 72 EXPECT_EQ(domain_state.sts.upgrade_mode, 73 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); 74 EXPECT_TRUE(state_.GetDynamicDomainState("foo.yahoo.com", &domain_state)); 75 EXPECT_EQ(domain_state.sts.upgrade_mode, 76 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); 77 EXPECT_TRUE(state_.GetDynamicDomainState("foo.bar.yahoo.com", &domain_state)); 78 EXPECT_EQ(domain_state.sts.upgrade_mode, 79 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); 80 EXPECT_TRUE( 81 state_.GetDynamicDomainState("foo.bar.baz.yahoo.com", &domain_state)); 82 EXPECT_EQ(domain_state.sts.upgrade_mode, 83 TransportSecurityState::DomainState::MODE_FORCE_HTTPS); 84 EXPECT_FALSE(state_.GetStaticDomainState("com", true, &domain_state)); 85 } 86 87 TEST_F(TransportSecurityPersisterTest, SerializeData3) { 88 // Add an entry. 89 net::HashValue fp1(net::HASH_VALUE_SHA1); 90 memset(fp1.data(), 0, fp1.size()); 91 net::HashValue fp2(net::HASH_VALUE_SHA1); 92 memset(fp2.data(), 1, fp2.size()); 93 base::Time expiry = 94 base::Time::Now() + base::TimeDelta::FromSeconds(1000); 95 net::HashValueVector dynamic_spki_hashes; 96 dynamic_spki_hashes.push_back(fp1); 97 dynamic_spki_hashes.push_back(fp2); 98 bool include_subdomains = false; 99 state_.AddHSTS("www.example.com", expiry, include_subdomains); 100 state_.AddHPKP("www.example.com", expiry, include_subdomains, 101 dynamic_spki_hashes); 102 103 // Add another entry. 104 memset(fp1.data(), 2, fp1.size()); 105 memset(fp2.data(), 3, fp2.size()); 106 expiry = 107 base::Time::Now() + base::TimeDelta::FromSeconds(3000); 108 dynamic_spki_hashes.push_back(fp1); 109 dynamic_spki_hashes.push_back(fp2); 110 state_.AddHSTS("www.example.net", expiry, include_subdomains); 111 state_.AddHPKP("www.example.net", expiry, include_subdomains, 112 dynamic_spki_hashes); 113 114 // Save a copy of everything. 115 std::map<std::string, TransportSecurityState::DomainState> saved; 116 TransportSecurityState::Iterator i(state_); 117 while (i.HasNext()) { 118 saved[i.hostname()] = i.domain_state(); 119 i.Advance(); 120 } 121 122 std::string serialized; 123 EXPECT_TRUE(persister_->SerializeData(&serialized)); 124 125 // Persist the data to the file. For the test to be fast and not flaky, we 126 // just do it directly rather than call persister_->StateIsDirty. (That uses 127 // ImportantFileWriter, which has an asynchronous commit interval rather 128 // than block.) Use a different basename just for cleanliness. 129 base::FilePath path = 130 temp_dir_.path().AppendASCII("TransportSecurityPersisterTest"); 131 EXPECT_TRUE(base::WriteFile(path, serialized.c_str(), serialized.size())); 132 133 // Read the data back. 134 std::string persisted; 135 EXPECT_TRUE(base::ReadFileToString(path, &persisted)); 136 EXPECT_EQ(persisted, serialized); 137 bool dirty; 138 EXPECT_TRUE(persister_->LoadEntries(persisted, &dirty)); 139 EXPECT_FALSE(dirty); 140 141 // Check that states are the same as saved. 142 size_t count = 0; 143 TransportSecurityState::Iterator j(state_); 144 while (j.HasNext()) { 145 count++; 146 j.Advance(); 147 } 148 EXPECT_EQ(count, saved.size()); 149 } 150 151 TEST_F(TransportSecurityPersisterTest, SerializeDataOld) { 152 // This is an old-style piece of transport state JSON, which has no creation 153 // date. 154 std::string output = 155 "{ " 156 "\"NiyD+3J1r6z1wjl2n1ALBu94Zj9OsEAMo0kCN8js0Uk=\": {" 157 "\"expiry\": 1266815027.983453, " 158 "\"include_subdomains\": false, " 159 "\"mode\": \"strict\" " 160 "}" 161 "}"; 162 bool dirty; 163 EXPECT_TRUE(persister_->LoadEntries(output, &dirty)); 164 EXPECT_TRUE(dirty); 165 } 166 167 TEST_F(TransportSecurityPersisterTest, PublicKeyHashes) { 168 TransportSecurityState::DomainState domain_state; 169 static const char kTestDomain[] = "example.com"; 170 EXPECT_FALSE(state_.GetDynamicDomainState(kTestDomain, &domain_state)); 171 net::HashValueVector hashes; 172 std::string failure_log; 173 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); 174 175 net::HashValue sha1(net::HASH_VALUE_SHA1); 176 memset(sha1.data(), '1', sha1.size()); 177 domain_state.pkp.spki_hashes.push_back(sha1); 178 179 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); 180 181 hashes.push_back(sha1); 182 EXPECT_TRUE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); 183 184 hashes[0].data()[0] = '2'; 185 EXPECT_FALSE(domain_state.CheckPublicKeyPins(hashes, &failure_log)); 186 187 const base::Time current_time(base::Time::Now()); 188 const base::Time expiry = current_time + base::TimeDelta::FromSeconds(1000); 189 bool include_subdomains = false; 190 state_.AddHSTS(kTestDomain, expiry, include_subdomains); 191 state_.AddHPKP( 192 kTestDomain, expiry, include_subdomains, domain_state.pkp.spki_hashes); 193 std::string serialized; 194 EXPECT_TRUE(persister_->SerializeData(&serialized)); 195 bool dirty; 196 EXPECT_TRUE(persister_->LoadEntries(serialized, &dirty)); 197 198 TransportSecurityState::DomainState new_domain_state; 199 EXPECT_TRUE(state_.GetDynamicDomainState(kTestDomain, &new_domain_state)); 200 EXPECT_EQ(1u, new_domain_state.pkp.spki_hashes.size()); 201 EXPECT_EQ(sha1.tag, new_domain_state.pkp.spki_hashes[0].tag); 202 EXPECT_EQ(0, 203 memcmp(new_domain_state.pkp.spki_hashes[0].data(), 204 sha1.data(), 205 sha1.size())); 206 } 207
