| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "base/bind.h" | 5 #include "base/bind.h" |
| 6 #include "base/file_util.h" | 6 #include "base/file_util.h" |
| 7 #include "base/memory/ref_counted.h" | 7 #include "base/memory/ref_counted.h" |
| 8 #include "base/memory/scoped_vector.h" | 8 #include "base/memory/scoped_vector.h" |
| 9 #include "base/message_loop.h" | 9 #include "base/message_loop.h" |
| 10 #include "base/scoped_temp_dir.h" | 10 #include "base/scoped_temp_dir.h" |
| 11 #include "base/stl_util.h" | 11 #include "base/stl_util.h" |
| 12 #include "base/test/thread_test_helper.h" | 12 #include "base/test/thread_test_helper.h" |
| 13 #include "chrome/browser/net/clear_on_exit_policy.h" |
| 13 #include "chrome/browser/net/sqlite_server_bound_cert_store.h" | 14 #include "chrome/browser/net/sqlite_server_bound_cert_store.h" |
| 14 #include "chrome/common/chrome_constants.h" | 15 #include "chrome/common/chrome_constants.h" |
| 15 #include "content/test/test_browser_thread.h" | 16 #include "content/test/test_browser_thread.h" |
| 16 #include "net/base/cert_test_util.h" | 17 #include "net/base/cert_test_util.h" |
| 17 #include "sql/statement.h" | 18 #include "sql/statement.h" |
| 18 #include "testing/gtest/include/gtest/gtest.h" | 19 #include "testing/gtest/include/gtest/gtest.h" |
| 20 #include "webkit/quota/mock_special_storage_policy.h" |
| 19 | 21 |
| 20 using content::BrowserThread; | 22 using content::BrowserThread; |
| 21 | 23 |
| 22 class SQLiteServerBoundCertStoreTest : public testing::Test { | 24 class SQLiteServerBoundCertStoreTest : public testing::Test { |
| 23 public: | 25 public: |
| 24 SQLiteServerBoundCertStoreTest() | 26 SQLiteServerBoundCertStoreTest() |
| 25 : db_thread_(BrowserThread::DB) { | 27 : db_thread_(BrowserThread::DB) { |
| 26 } | 28 } |
| 27 | 29 |
| 28 protected: | 30 protected: |
| (...skipping 25 matching lines...) Expand all Loading... |
| 54 exploded_time.minute = 23; | 56 exploded_time.minute = 23; |
| 55 exploded_time.second = 45; | 57 exploded_time.second = 45; |
| 56 exploded_time.millisecond = 0; | 58 exploded_time.millisecond = 0; |
| 57 return base::Time::FromUTCExploded(exploded_time); | 59 return base::Time::FromUTCExploded(exploded_time); |
| 58 } | 60 } |
| 59 | 61 |
| 60 virtual void SetUp() { | 62 virtual void SetUp() { |
| 61 db_thread_.Start(); | 63 db_thread_.Start(); |
| 62 ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); | 64 ASSERT_TRUE(temp_dir_.CreateUniqueTempDir()); |
| 63 store_ = new SQLiteServerBoundCertStore( | 65 store_ = new SQLiteServerBoundCertStore( |
| 64 temp_dir_.path().Append(chrome::kOBCertFilename)); | 66 temp_dir_.path().Append(chrome::kOBCertFilename), NULL); |
| 65 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; | 67 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; |
| 66 ASSERT_TRUE(store_->Load(&certs.get())); | 68 ASSERT_TRUE(store_->Load(&certs.get())); |
| 67 ASSERT_EQ(0u, certs.size()); | 69 ASSERT_EQ(0u, certs.size()); |
| 68 // Make sure the store gets written at least once. | 70 // Make sure the store gets written at least once. |
| 69 store_->AddServerBoundCert( | 71 store_->AddServerBoundCert( |
| 70 net::DefaultServerBoundCertStore::ServerBoundCert( | 72 net::DefaultServerBoundCertStore::ServerBoundCert( |
| 71 "google.com", | 73 "google.com", |
| 72 net::CLIENT_CERT_RSA_SIGN, | 74 net::CLIENT_CERT_RSA_SIGN, |
| 73 base::Time::FromInternalValue(1), | 75 base::Time::FromInternalValue(1), |
| 74 base::Time::FromInternalValue(2), | 76 base::Time::FromInternalValue(2), |
| (...skipping 50 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 125 // Replace the store effectively destroying the current one and forcing it | 127 // Replace the store effectively destroying the current one and forcing it |
| 126 // to write its data to disk. Then we can see if after loading it again it | 128 // to write its data to disk. Then we can see if after loading it again it |
| 127 // is still there. | 129 // is still there. |
| 128 store_ = NULL; | 130 store_ = NULL; |
| 129 scoped_refptr<base::ThreadTestHelper> helper( | 131 scoped_refptr<base::ThreadTestHelper> helper( |
| 130 new base::ThreadTestHelper( | 132 new base::ThreadTestHelper( |
| 131 BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB))); | 133 BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB))); |
| 132 // Make sure we wait until the destructor has run. | 134 // Make sure we wait until the destructor has run. |
| 133 ASSERT_TRUE(helper->Run()); | 135 ASSERT_TRUE(helper->Run()); |
| 134 store_ = new SQLiteServerBoundCertStore( | 136 store_ = new SQLiteServerBoundCertStore( |
| 135 temp_dir_.path().Append(chrome::kOBCertFilename)); | 137 temp_dir_.path().Append(chrome::kOBCertFilename), NULL); |
| 136 | 138 |
| 137 // Reload and test for persistence | 139 // Reload and test for persistence |
| 138 ASSERT_TRUE(store_->Load(&certs.get())); | 140 ASSERT_TRUE(store_->Load(&certs.get())); |
| 139 ASSERT_EQ(2U, certs.size()); | 141 ASSERT_EQ(2U, certs.size()); |
| 140 net::DefaultServerBoundCertStore::ServerBoundCert* ec_cert; | 142 net::DefaultServerBoundCertStore::ServerBoundCert* ec_cert; |
| 141 net::DefaultServerBoundCertStore::ServerBoundCert* rsa_cert; | 143 net::DefaultServerBoundCertStore::ServerBoundCert* rsa_cert; |
| 142 if (net::CLIENT_CERT_RSA_SIGN == certs[0]->type()) { | 144 if (net::CLIENT_CERT_RSA_SIGN == certs[0]->type()) { |
| 143 rsa_cert = certs[0]; | 145 rsa_cert = certs[0]; |
| 144 ec_cert = certs[1]; | 146 ec_cert = certs[1]; |
| 145 } else { | 147 } else { |
| (...skipping 14 matching lines...) Expand all Loading... |
| 160 ASSERT_EQ(4, ec_cert->expiration_time().ToInternalValue()); | 162 ASSERT_EQ(4, ec_cert->expiration_time().ToInternalValue()); |
| 161 | 163 |
| 162 // Now delete the cert and check persistence again. | 164 // Now delete the cert and check persistence again. |
| 163 store_->DeleteServerBoundCert(*certs[0]); | 165 store_->DeleteServerBoundCert(*certs[0]); |
| 164 store_->DeleteServerBoundCert(*certs[1]); | 166 store_->DeleteServerBoundCert(*certs[1]); |
| 165 store_ = NULL; | 167 store_ = NULL; |
| 166 // Make sure we wait until the destructor has run. | 168 // Make sure we wait until the destructor has run. |
| 167 ASSERT_TRUE(helper->Run()); | 169 ASSERT_TRUE(helper->Run()); |
| 168 certs.reset(); | 170 certs.reset(); |
| 169 store_ = new SQLiteServerBoundCertStore( | 171 store_ = new SQLiteServerBoundCertStore( |
| 170 temp_dir_.path().Append(chrome::kOBCertFilename)); | 172 temp_dir_.path().Append(chrome::kOBCertFilename), NULL); |
| 171 | 173 |
| 172 // Reload and check if the cert has been removed. | 174 // Reload and check if the cert has been removed. |
| 173 ASSERT_TRUE(store_->Load(&certs.get())); | 175 ASSERT_TRUE(store_->Load(&certs.get())); |
| 174 ASSERT_EQ(0U, certs.size()); | 176 ASSERT_EQ(0U, certs.size()); |
| 175 } | 177 } |
| 176 | 178 |
| 177 TEST_F(SQLiteServerBoundCertStoreTest, TestUpgradeV1) { | 179 TEST_F(SQLiteServerBoundCertStoreTest, TestUpgradeV1) { |
| 178 // Reset the store. We'll be using a different database for this test. | 180 // Reset the store. We'll be using a different database for this test. |
| 179 store_ = NULL; | 181 store_ = NULL; |
| 180 | 182 |
| (...skipping 30 matching lines...) Expand all Loading... |
| 211 )); | 213 )); |
| 212 } | 214 } |
| 213 | 215 |
| 214 // Load and test the DB contents twice. First time ensures that we can use | 216 // Load and test the DB contents twice. First time ensures that we can use |
| 215 // the updated values immediately. Second time ensures that the updated | 217 // the updated values immediately. Second time ensures that the updated |
| 216 // values are stored and read correctly on next load. | 218 // values are stored and read correctly on next load. |
| 217 for (int i = 0; i < 2; ++i) { | 219 for (int i = 0; i < 2; ++i) { |
| 218 SCOPED_TRACE(i); | 220 SCOPED_TRACE(i); |
| 219 | 221 |
| 220 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; | 222 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; |
| 221 store_ = new SQLiteServerBoundCertStore(v1_db_path); | 223 store_ = new SQLiteServerBoundCertStore(v1_db_path, NULL); |
| 222 | 224 |
| 223 // Load the database and ensure the certs can be read and are marked as RSA. | 225 // Load the database and ensure the certs can be read and are marked as RSA. |
| 224 ASSERT_TRUE(store_->Load(&certs.get())); | 226 ASSERT_TRUE(store_->Load(&certs.get())); |
| 225 ASSERT_EQ(2U, certs.size()); | 227 ASSERT_EQ(2U, certs.size()); |
| 226 | 228 |
| 227 ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); | 229 ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); |
| 228 ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); | 230 ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); |
| 229 ASSERT_EQ(GetTestCertExpirationTime(), | 231 ASSERT_EQ(GetTestCertExpirationTime(), |
| 230 certs[0]->expiration_time()); | 232 certs[0]->expiration_time()); |
| 231 ASSERT_EQ(key_data, certs[0]->private_key()); | 233 ASSERT_EQ(key_data, certs[0]->private_key()); |
| (...skipping 67 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 299 )); | 301 )); |
| 300 } | 302 } |
| 301 | 303 |
| 302 // Load and test the DB contents twice. First time ensures that we can use | 304 // Load and test the DB contents twice. First time ensures that we can use |
| 303 // the updated values immediately. Second time ensures that the updated | 305 // the updated values immediately. Second time ensures that the updated |
| 304 // values are saved and read correctly on next load. | 306 // values are saved and read correctly on next load. |
| 305 for (int i = 0; i < 2; ++i) { | 307 for (int i = 0; i < 2; ++i) { |
| 306 SCOPED_TRACE(i); | 308 SCOPED_TRACE(i); |
| 307 | 309 |
| 308 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; | 310 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; |
| 309 store_ = new SQLiteServerBoundCertStore(v2_db_path); | 311 store_ = new SQLiteServerBoundCertStore(v2_db_path, NULL); |
| 310 | 312 |
| 311 // Load the database and ensure the certs can be read and are marked as RSA. | 313 // Load the database and ensure the certs can be read and are marked as RSA. |
| 312 ASSERT_TRUE(store_->Load(&certs.get())); | 314 ASSERT_TRUE(store_->Load(&certs.get())); |
| 313 ASSERT_EQ(2U, certs.size()); | 315 ASSERT_EQ(2U, certs.size()); |
| 314 | 316 |
| 315 ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); | 317 ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); |
| 316 ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); | 318 ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); |
| 317 ASSERT_EQ(GetTestCertExpirationTime(), | 319 ASSERT_EQ(GetTestCertExpirationTime(), |
| 318 certs[0]->expiration_time()); | 320 certs[0]->expiration_time()); |
| 319 ASSERT_EQ(key_data, certs[0]->private_key()); | 321 ASSERT_EQ(key_data, certs[0]->private_key()); |
| (...skipping 69 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 389 )); | 391 )); |
| 390 } | 392 } |
| 391 | 393 |
| 392 // Load and test the DB contents twice. First time ensures that we can use | 394 // Load and test the DB contents twice. First time ensures that we can use |
| 393 // the updated values immediately. Second time ensures that the updated | 395 // the updated values immediately. Second time ensures that the updated |
| 394 // values are saved and read correctly on next load. | 396 // values are saved and read correctly on next load. |
| 395 for (int i = 0; i < 2; ++i) { | 397 for (int i = 0; i < 2; ++i) { |
| 396 SCOPED_TRACE(i); | 398 SCOPED_TRACE(i); |
| 397 | 399 |
| 398 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; | 400 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; |
| 399 store_ = new SQLiteServerBoundCertStore(v3_db_path); | 401 store_ = new SQLiteServerBoundCertStore(v3_db_path, NULL); |
| 400 | 402 |
| 401 // Load the database and ensure the certs can be read and are marked as RSA. | 403 // Load the database and ensure the certs can be read and are marked as RSA. |
| 402 ASSERT_TRUE(store_->Load(&certs.get())); | 404 ASSERT_TRUE(store_->Load(&certs.get())); |
| 403 ASSERT_EQ(2U, certs.size()); | 405 ASSERT_EQ(2U, certs.size()); |
| 404 | 406 |
| 405 ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); | 407 ASSERT_STREQ("google.com", certs[0]->server_identifier().c_str()); |
| 406 ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); | 408 ASSERT_EQ(net::CLIENT_CERT_RSA_SIGN, certs[0]->type()); |
| 407 ASSERT_EQ(1000, certs[0]->expiration_time().ToInternalValue()); | 409 ASSERT_EQ(1000, certs[0]->expiration_time().ToInternalValue()); |
| 408 ASSERT_EQ(GetTestCertCreationTime(), | 410 ASSERT_EQ(GetTestCertCreationTime(), |
| 409 certs[0]->creation_time()); | 411 certs[0]->creation_time()); |
| (...skipping 93 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 503 | 505 |
| 504 store_->Flush(base::Bind(&CallbackCounter::Callback, counter.get())); | 506 store_->Flush(base::Bind(&CallbackCounter::Callback, counter.get())); |
| 505 | 507 |
| 506 scoped_refptr<base::ThreadTestHelper> helper( | 508 scoped_refptr<base::ThreadTestHelper> helper( |
| 507 new base::ThreadTestHelper( | 509 new base::ThreadTestHelper( |
| 508 BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB))); | 510 BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB))); |
| 509 ASSERT_TRUE(helper->Run()); | 511 ASSERT_TRUE(helper->Run()); |
| 510 | 512 |
| 511 ASSERT_EQ(1, counter->callback_count()); | 513 ASSERT_EQ(1, counter->callback_count()); |
| 512 } | 514 } |
| 515 |
| 516 namespace { |
| 517 |
| 518 bool CertificateExistsInList( |
| 519 std::vector<net::DefaultServerBoundCertStore::ServerBoundCert*>* certs, |
| 520 const std::string& server, |
| 521 int type, |
| 522 const std::string& key, |
| 523 const std::string& cert, |
| 524 int creation_time, |
| 525 int expiration_time) { |
| 526 for (unsigned i = 0; i < certs->size(); ++i) { |
| 527 if ((*certs)[i]->server_identifier() == server && |
| 528 (*certs)[i]->type() == type && |
| 529 (*certs)[i]->private_key() == key && |
| 530 (*certs)[i]->cert() == cert && |
| 531 (*certs)[i]->creation_time().ToInternalValue() == creation_time && |
| 532 (*certs)[i]->expiration_time().ToInternalValue() == expiration_time) { |
| 533 return true; |
| 534 } |
| 535 } |
| 536 return false; |
| 537 } |
| 538 |
| 539 } // namespace |
| 540 |
| 541 // Tests the interaction with the clear on exit policy. |
| 542 TEST_F(SQLiteServerBoundCertStoreTest, TestClearOnExitPolicy) { |
| 543 // First, delete a possibly existing store. |
| 544 store_->SetClearLocalStateOnExit(true); |
| 545 store_ = NULL; |
| 546 scoped_refptr<base::ThreadTestHelper> helper( |
| 547 new base::ThreadTestHelper( |
| 548 BrowserThread::GetMessageLoopProxyForThread(BrowserThread::DB))); |
| 549 ASSERT_TRUE(helper->Run()); |
| 550 |
| 551 // Create a new store with three certificates in it. |
| 552 store_ = new SQLiteServerBoundCertStore( |
| 553 temp_dir_.path().Append(chrome::kOBCertFilename), NULL); |
| 554 |
| 555 ScopedVector<net::DefaultServerBoundCertStore::ServerBoundCert> certs; |
| 556 ASSERT_TRUE(store_->Load(&certs.get())); |
| 557 ASSERT_EQ(0U, certs.size()); |
| 558 |
| 559 store_->AddServerBoundCert( |
| 560 net::DefaultServerBoundCertStore::ServerBoundCert( |
| 561 "other.com", |
| 562 net::CLIENT_CERT_RSA_SIGN, |
| 563 base::Time::FromInternalValue(1), |
| 564 base::Time::FromInternalValue(2), |
| 565 "a", "b")); |
| 566 store_->AddServerBoundCert( |
| 567 net::DefaultServerBoundCertStore::ServerBoundCert( |
| 568 "session.com", |
| 569 net::CLIENT_CERT_RSA_SIGN, |
| 570 base::Time::FromInternalValue(3), |
| 571 base::Time::FromInternalValue(4), |
| 572 "x", "y")); |
| 573 store_->AddServerBoundCert( |
| 574 net::DefaultServerBoundCertStore::ServerBoundCert( |
| 575 "protected.com", |
| 576 net::CLIENT_CERT_RSA_SIGN, |
| 577 base::Time::FromInternalValue(5), |
| 578 base::Time::FromInternalValue(6), |
| 579 "n", "m")); |
| 580 |
| 581 // Write out the certificates to disk. |
| 582 store_ = NULL; |
| 583 ASSERT_TRUE(helper->Run()); |
| 584 |
| 585 // Load the store again with a clear on exit policy. |
| 586 scoped_refptr<quota::MockSpecialStoragePolicy> storage_policy = |
| 587 new quota::MockSpecialStoragePolicy; |
| 588 scoped_refptr<ClearOnExitPolicy> clear_policy = |
| 589 new ClearOnExitPolicy(storage_policy.get()); |
| 590 storage_policy->AddSessionOnly(GURL("https://session.com")); |
| 591 storage_policy->AddSessionOnly(GURL("https://protected.com")); |
| 592 storage_policy->AddProtected(GURL("https://protected.com")); |
| 593 store_ = new SQLiteServerBoundCertStore( |
| 594 temp_dir_.path().Append(chrome::kOBCertFilename), clear_policy.get()); |
| 595 ASSERT_TRUE(store_->Load(&certs.get())); |
| 596 ASSERT_EQ(3U, certs.size()); |
| 597 |
| 598 // Delete the store. This should apply the clear on exit policy. |
| 599 store_ = NULL; |
| 600 // Make sure we wait until the destructor has run. |
| 601 ASSERT_TRUE(helper->Run()); |
| 602 |
| 603 store_ = new SQLiteServerBoundCertStore( |
| 604 temp_dir_.path().Append(chrome::kOBCertFilename), clear_policy.get()); |
| 605 |
| 606 // Reload and test for persistence |
| 607 certs->clear(); |
| 608 ASSERT_TRUE(store_->Load(&certs.get())); |
| 609 ASSERT_EQ(2U, certs.size()); |
| 610 |
| 611 ASSERT_TRUE(CertificateExistsInList(&certs.get(), |
| 612 "other.com", |
| 613 net::CLIENT_CERT_RSA_SIGN, |
| 614 "a", "b", 1, 2)); |
| 615 ASSERT_TRUE(CertificateExistsInList(&certs.get(), |
| 616 "protected.com", |
| 617 net::CLIENT_CERT_RSA_SIGN, |
| 618 "n", "m", 5, 6)); |
| 619 } |
| OLD | NEW |