Add end to end client cert auth test for wss

chrome/browser/ssl/ssl_browser_tests.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/path_service.h"
 #include "base/string_util.h"
 #include "base/stringprintf.h"
 #include "base/time.h"
 #include "base/utf_string_conversions.h"
 #include "chrome/app/chrome_command_ids.h"
+#include "chrome/browser/content_settings/host_content_settings_map.h"
+#include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_commands.h"
 #include "chrome/browser/ui/browser_navigator.h"
 #include "chrome/browser/ui/browser_tabstrip.h"
 #include "chrome/browser/ui/constrained_window_tab_helper.h"
 #include "chrome/browser/ui/tab_contents/tab_contents.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/chrome_notification_types.h"
 #include "chrome/common/chrome_paths.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/test/base/in_process_browser_test.h"
 #include "chrome/test/base/ui_test_utils.h"
 #include "content/public/browser/interstitial_page.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/navigation_entry.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "content/public/common/security_style.h"
 #include "content/public/common/ssl_status.h"
 #include "content/public/test/test_renderer_host.h"
+#include "crypto/nss_util.h"
+#include "net/base/cert_database.h"
 #include "net/base/cert_status_flags.h"
+#include "net/base/crypto_module.h"
+#include "net/base/net_errors.h"
 #include "net/test/test_server.h"
 
 using content::InterstitialPage;
 using content::NavigationController;
 using content::NavigationEntry;
 using content::SSLStatus;
 using content::WebContents;
 
 const FilePath::CharType kDocRoot[] = FILE_PATH_LITERAL("chrome/test/data");
 
@@ skipping 547 matching lines @@
 
   // Proceed anyway.
   ProceedThroughInterstitial(tab);
 
   // Test page run a WebSocket wss connection test. The result will be shown
   // as page title.
   const string16 result = watcher.WaitAndGetTitle();
   EXPECT_TRUE(LowerCaseEqualsASCII(result, "pass"));
 }
 
+#if defined(USE_NSS)

[Ryan Sleevi, 2012/07/13 19:25:06]

nit: Add an explanation for why this is only for USE_NSS

nit:
// SSL client certificate tests are only enabled when using
// NSS for private key storage, as only NSS can avoid
// modifying global machine state when testing.
// See http://crbug.com/51132

[Takashi Toyoshima, 2012/07/17 11:50:58]

Done.

+// Visit a HTTPS page which requires client cert authentication. The client
+// cert will be selected automatically, then a test which uses WebSocket runs.
+IN_PROC_BROWSER_TEST_F(SSLUITest, TestWSSClientCert) {
+  // Open temporal NSSDB for test.
+  // TODO(toyoshim): This interface will be changed as a scoped resource.
+  // See also crypto/nss_util.h and http://crbug.com/136950#c5 .

[Ryan Sleevi, 2012/07/13 19:25:06]

nit:
// Open a temporary NSS DB for testing.
// TODO(toyoshim): This currently intentionally leaks the
// test database due to bugs within NSS. Once fixed, this
// should be a scoped test database. See http://crbug.com/136950#c5
// for more details.

[Takashi Toyoshima, 2012/07/17 11:50:58]

Done.

+  ASSERT_TRUE(crypto::OpenTestNSSDB());
+
+  // Import client cert for test. These interfaces require NSS.
+  net::CertDatabase cert_db;
+  scoped_refptr<net::CryptoModule> crypt_module = cert_db.GetPublicModule();
+  std::string pkcs12_data;
+  FilePath cert_path;
+  ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &cert_path));
+  cert_path = cert_path.Append(FILE_PATH_LITERAL("ssl"));
+  cert_path = cert_path.Append(FILE_PATH_LITERAL("client_cert.p12"));
+  EXPECT_TRUE(file_util::ReadFileToString(cert_path, &pkcs12_data));
+  EXPECT_EQ(net::OK, cert_db.ImportFromPKCS12(crypt_module,
+                                              pkcs12_data,
+                                              string16(),
+                                              true,
+                                              NULL));
+
+  // Start pywebsocket with TLS and client cert authentication.
+  ui_test_utils::TestWebSocketServer wss_server;

[Ryan Sleevi, 2012/07/13 19:25:06]

A random note (and not a pre-requisite for this CL), I find it odd that
TestWebSocketServer does not follow the same model as the net::TestServer used
extensively elsewhere.

Specifically:
1) The net::TestServer is immutable once constructed, save for start/stop, to
avoid tests getting in an inconsistent state (635-636)
2) Ports are /always/ randomized. All tests should be shardable. (634)
3) Utility function for building URLs based on the test servers' address and
port (640-642)

Just an inconsistent interface between these two core testing bits.

[Takashi Toyoshima, 2012/07/17 11:50:58]

I filed a bug on this as a TODO.
https://code.google.com/p/chromium/issues/detail?id=137639

+  int port = wss_server.UseRandomPort();
+  wss_server.UseTLS();
+  wss_server.UseClientAuthentication();
+  FilePath wss_root_dir;
+  ASSERT_TRUE(PathService::Get(chrome::DIR_TEST_DATA, &wss_root_dir));
+  ASSERT_TRUE(wss_server.Start(wss_root_dir));
+  std::string urlPath =
+      StringPrintf("%s%d%s", "https://localhost:", port, "/wss.html");
+  GURL url(urlPath);
+
+  // Setup page title observer.
+  WebContents* tab = chrome::GetActiveWebContents(browser());
+  ui_test_utils::TitleWatcher watcher(tab, ASCIIToUTF16("PASS"));
+  watcher.AlsoWaitForTitle(ASCIIToUTF16("FAIL"));
+
+  // Add an entry into AutoSelectCertificateForUrls policy for automatic client
+  // cert selection.
+  Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
+  DCHECK(profile);
+  scoped_ptr<DictionaryValue> dict(new DictionaryValue());
+  dict->SetString("ISSUER.CN", "pywebsocket");
+  profile->GetHostContentSettingsMap()->SetWebsiteSetting(
+      ContentSettingsPattern::FromURL(url),
+      ContentSettingsPattern::FromURL(url),
+      CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE,
+      std::string(),
+      dict.release());
+
+  // Visit a HTTPS page which requires client certs.
+  ui_test_utils::NavigateToURL(browser(), url);
+  CheckAuthenticationBrokenState(tab, net::CERT_STATUS_COMMON_NAME_INVALID,
+                                 false, true);  // Interstitial showing

[Ryan Sleevi, 2012/07/13 19:25:06]

Since this is a browser test, you can/should be using TestRootCerts. The
net::TestServer does this automatically when starting and stopping.

By doing so, you're able to disable interstitials from even happening - the
browser truly believes that the cert is trusted.

[Takashi Toyoshima, 2012/07/17 11:50:58]

Currently, we use cert files in WebKit source code repos, because the test
server is launched via a WebKit test infrastructure
(new-run-webkit-websocket-server).
I should remove dependency on WebKit to use TestRootCerts here. I'll fix
TestWebSocketServer to share server implementation for HTTPS.

+
+  // Proceed anyway.
+  ProceedThroughInterstitial(tab);
+
+  // Test page runs a WebSocket wss connection test. The result will be shown
+  // as page title.
+  const string16 result = watcher.WaitAndGetTitle();
+  EXPECT_TRUE(LowerCaseEqualsASCII(result, "pass"));
+}
+#endif  // defined(USE_NSS)
+
 // Flaky on CrOS http://crbug.com/92292
 #if defined(OS_CHROMEOS)
 #define MAYBE_TestHTTPSErrorWithNoNavEntry \
     DISABLED_TestHTTPSErrorWithNoNavEntry
 #else
 #define MAYBE_TestHTTPSErrorWithNoNavEntry TestHTTPSErrorWithNoNavEntry
 #endif  // defined(OS_CHROMEOS)
 
 // Open a page with a HTTPS error in a tab with no prior navigation (through a
 // link with a blank target).  This is to test that the lack of navigation entry
@@ skipping 843 matching lines @@
 
 // Visit a page over https that contains a frame with a redirect.
 
 // XMLHttpRequest insecure content in synchronous mode.
 
 // XMLHttpRequest insecure content in asynchronous mode.
 
 // XMLHttpRequest over bad ssl in synchronous mode.
 
 // XMLHttpRequest over OK ssl in synchronous mode.