Google Git
Sign in
chromium / chromium / src / 5f959bfdc350e1cf17d1960a012a0cfc4d8a4a30 / . / chrome / browser / ssl / ssl_error_handler_unittest.cc
blob: 43a34b4dbd2ecf39f04b1c964ab546db179bb564 [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/ssl/ssl_error_handler.h"
#include "base/callback.h"
#include "base/macros.h"
#include "base/memory/ptr_util.h"
#include "base/metrics/field_trial.h"
#include "base/run_loop.h"
#include "base/test/histogram_tester.h"
#include "base/test/scoped_feature_list.h"
#include "base/test/simple_test_clock.h"
#include "base/test/simple_test_tick_clock.h"
#include "base/time/time.h"
#include "chrome/browser/captive_portal/captive_portal_service.h"
#include "chrome/browser/profiles/profile.h"
#include "chrome/browser/ssl/common_name_mismatch_handler.h"
#include "chrome/browser/ssl/ssl_error_assistant.pb.h"
#include "chrome/common/features.h"
#include "chrome/test/base/chrome_render_view_host_test_harness.h"
#include "chrome/test/base/testing_profile.h"
#include "components/captive_portal/captive_portal_testing_utils.h"
#include "components/network_time/network_time_test_utils.h"
#include "components/network_time/network_time_tracker.h"
#include "components/prefs/testing_pref_service.h"
#include "content/public/browser/browser_thread.h"
#include "content/public/browser/notification_service.h"
#include "net/base/net_errors.h"
#include "net/cert/cert_status_flags.h"
#include "net/cert/x509_certificate.h"
#include "net/http/http_response_headers.h"
#include "net/ssl/ssl_info.h"
#include "net/test/cert_test_util.h"
#include "net/test/embedded_test_server/embedded_test_server.h"
#include "net/test/embedded_test_server/http_response.h"
#include "net/test/test_certificate_data.h"
#include "net/test/test_data_directory.h"
#include "net/url_request/url_request_test_util.h"
#include "testing/gtest/include/gtest/gtest.h"
namespace {
const char kCertDateErrorHistogram[] =
"interstitial.ssl_error_handler.cert_date_error_delay";
const net::SHA256HashValue kCertPublicKeyHashValue = {{0x01, 0x02}};
// Runs |quit_closure| on the UI thread once a URL request has been
// seen. Returns a request that hangs.
std::unique_ptr<net::test_server::HttpResponse> WaitForRequest(
const base::Closure& quit_closure,
const net::test_server::HttpRequest& request) {
content::BrowserThread::PostTask(content::BrowserThread::UI, FROM_HERE,
quit_closure);
return base::MakeUnique<net::test_server::HungResponse>();
}
class TestSSLErrorHandler : public SSLErrorHandler {
public:
TestSSLErrorHandler(
std::unique_ptr<Delegate> delegate,
content::WebContents* web_contents,
Profile* profile,
int cert_error,
const net::SSLInfo& ssl_info,
const GURL& request_url,
const base::Callback<void(content::CertificateRequestResultType)>&
callback)
: SSLErrorHandler(std::move(delegate),
web_contents,
profile,
cert_error,
ssl_info,
request_url,
callback) {}
using SSLErrorHandler::StartHandlingError;
};
class TestSSLErrorHandlerDelegate : public SSLErrorHandler::Delegate {
public:
TestSSLErrorHandlerDelegate(Profile* profile,
content::WebContents* web_contents,
const net::SSLInfo& ssl_info)
: profile_(profile),
captive_portal_checked_(false),
suggested_url_exists_(false),
suggested_url_checked_(false),
ssl_interstitial_shown_(false),
bad_clock_interstitial_shown_(false),
captive_portal_interstitial_shown_(false),
redirected_to_suggested_url_(false),
is_overridable_error_(true) {}
void SendCaptivePortalNotification(
captive_portal::CaptivePortalResult result) {
CaptivePortalService::Results results;
results.previous_result = captive_portal::RESULT_INTERNET_CONNECTED;
results.result = result;
content::NotificationService::current()->Notify(
chrome::NOTIFICATION_CAPTIVE_PORTAL_CHECK_RESULT,
content::Source<Profile>(profile_),
content::Details<CaptivePortalService::Results>(&results));
}
void SendSuggestedUrlCheckResult(
const CommonNameMismatchHandler::SuggestedUrlCheckResult& result,
const GURL& suggested_url) {
suggested_url_callback_.Run(result, suggested_url);
}
int captive_portal_checked() const { return captive_portal_checked_; }
int ssl_interstitial_shown() const { return ssl_interstitial_shown_; }
int captive_portal_interstitial_shown() const {
return captive_portal_interstitial_shown_;
}
bool bad_clock_interstitial_shown() const {
return bad_clock_interstitial_shown_;
}
bool suggested_url_checked() const { return suggested_url_checked_; }
bool redirected_to_suggested_url() const {
return redirected_to_suggested_url_;
}
void set_suggested_url_exists() { suggested_url_exists_ = true; }
void set_non_overridable_error() { is_overridable_error_ = false; }
void ClearSeenOperations() {
captive_portal_checked_ = false;
suggested_url_exists_ = false;
suggested_url_checked_ = false;
ssl_interstitial_shown_ = false;
bad_clock_interstitial_shown_ = false;
captive_portal_interstitial_shown_ = false;
redirected_to_suggested_url_ = false;
}
private:
void CheckForCaptivePortal() override {
captive_portal_checked_ = true;
}
bool GetSuggestedUrl(const std::vector<std::string>& dns_names,
GURL* suggested_url) const override {
if (!suggested_url_exists_)
return false;
*suggested_url = GURL("www.example.com");
return true;
}
void ShowSSLInterstitial() override { ssl_interstitial_shown_ = true; }
void ShowBadClockInterstitial(const base::Time& now,
ssl_errors::ClockState clock_state) override {
bad_clock_interstitial_shown_ = true;
}
void ShowCaptivePortalInterstitial(const GURL& landing_url) override {
captive_portal_interstitial_shown_ = true;
}
void CheckSuggestedUrl(
const GURL& suggested_url,
const CommonNameMismatchHandler::CheckUrlCallback& callback) override {
DCHECK(suggested_url_callback_.is_null());
suggested_url_checked_ = true;
suggested_url_callback_ = callback;
}
void NavigateToSuggestedURL(const GURL& suggested_url) override {
redirected_to_suggested_url_ = true;
}
bool IsErrorOverridable() const override { return is_overridable_error_; }
Profile* profile_;
bool captive_portal_checked_;
bool suggested_url_exists_;
bool suggested_url_checked_;
bool ssl_interstitial_shown_;
bool bad_clock_interstitial_shown_;
bool captive_portal_interstitial_shown_;
bool redirected_to_suggested_url_;
bool is_overridable_error_;
CommonNameMismatchHandler::CheckUrlCallback suggested_url_callback_;
DISALLOW_COPY_AND_ASSIGN(TestSSLErrorHandlerDelegate);
};
} // namespace
// A class to test name mismatch errors. Creates an error handler with a name
// mismatch error.
class SSLErrorHandlerNameMismatchTest : public ChromeRenderViewHostTestHarness {
public:
SSLErrorHandlerNameMismatchTest() : field_trial_list_(nullptr) {}
~SSLErrorHandlerNameMismatchTest() override {}
void SetUp() override {
ChromeRenderViewHostTestHarness::SetUp();
SSLErrorHandler::ResetConfigForTesting();
SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta());
ssl_info_.cert = GetCertificate();
ssl_info_.cert_status = net::CERT_STATUS_COMMON_NAME_INVALID;
ssl_info_.public_key_hashes.push_back(
net::HashValue(kCertPublicKeyHashValue));
delegate_ =
new TestSSLErrorHandlerDelegate(profile(), web_contents(), ssl_info_);
error_handler_.reset(new TestSSLErrorHandler(
std::unique_ptr<SSLErrorHandler::Delegate>(delegate_), web_contents(),
profile(), net::MapCertStatusToNetError(ssl_info_.cert_status),
ssl_info_,
GURL(), // request_url
base::Callback<void(content::CertificateRequestResultType)>()));
}
void TearDown() override {
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler_.reset(nullptr);
SSLErrorHandler::ResetConfigForTesting();
ChromeRenderViewHostTestHarness::TearDown();
}
TestSSLErrorHandler* error_handler() { return error_handler_.get(); }
TestSSLErrorHandlerDelegate* delegate() { return delegate_; }
const net::SSLInfo& ssl_info() { return ssl_info_; }
private:
// Returns a certificate for the test. Virtual to allow derived fixtures to
// use a certificate with different characteristics.
virtual scoped_refptr<net::X509Certificate> GetCertificate() {
return net::ImportCertFromFile(net::GetTestCertsDirectory(),
"subjectAltName_www_example_com.pem");
}
net::SSLInfo ssl_info_;
std::unique_ptr<TestSSLErrorHandler> error_handler_;
TestSSLErrorHandlerDelegate* delegate_;
base::FieldTrialList field_trial_list_;
DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchTest);
};
// A class to test name mismatch errors, where the certificate lacks a
// SubjectAltName. Creates an error handler with a name mismatch error.
class SSLErrorHandlerNameMismatchNoSANTest
: public SSLErrorHandlerNameMismatchTest {
public:
SSLErrorHandlerNameMismatchNoSANTest() {}
private:
// Return a certificate that contains no SubjectAltName field.
scoped_refptr<net::X509Certificate> GetCertificate() override {
return net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
}
DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerNameMismatchNoSANTest);
};
// A class to test the captive portal certificate list feature. Creates an error
// handler with a name mismatch error by default. The error handler can be
// recreated by calling ResetErrorHandler() with an appropriate cert status.
class SSLErrorHandlerCaptivePortalCertListTest
: public ChromeRenderViewHostTestHarness {
public:
SSLErrorHandlerCaptivePortalCertListTest() : field_trial_list_(nullptr) {}
void SetUp() override {
ChromeRenderViewHostTestHarness::SetUp();
SSLErrorHandler::ResetConfigForTesting();
SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta());
ResetErrorHandler(net::CERT_STATUS_COMMON_NAME_INVALID);
}
void TearDown() override {
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler_.reset(nullptr);
SSLErrorHandler::ResetConfigForTesting();
ChromeRenderViewHostTestHarness::TearDown();
}
TestSSLErrorHandler* error_handler() { return error_handler_.get(); }
TestSSLErrorHandlerDelegate* delegate() { return delegate_; }
const net::SSLInfo& ssl_info() { return ssl_info_; }
protected:
void SetFeatureEnabled(bool enabled) {
if (enabled) {
scoped_feature_list_.InitFromCommandLine(
"CaptivePortalCertificateList" /* enabled */,
std::string() /* disabled */);
} else {
scoped_feature_list_.InitFromCommandLine(
std::string(), "CaptivePortalCertificateList" /* disabled */);
}
}
// Deletes the current error handler and creates a new one with the given
// |cert_status|.
void ResetErrorHandler(net::CertStatus cert_status) {
ssl_info_.Reset();
ssl_info_.cert =
net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
ssl_info_.cert_status = cert_status;
ssl_info_.public_key_hashes.push_back(
net::HashValue(kCertPublicKeyHashValue));
delegate_ =
new TestSSLErrorHandlerDelegate(profile(), web_contents(), ssl_info_);
error_handler_.reset(new TestSSLErrorHandler(
std::unique_ptr<SSLErrorHandler::Delegate>(delegate_), web_contents(),
profile(), net::MapCertStatusToNetError(ssl_info_.cert_status),
ssl_info_,
GURL(), // request_url
base::Callback<void(content::CertificateRequestResultType)>()));
// Enable finch experiment for captive portal interstitials.
ASSERT_TRUE(base::FieldTrialList::CreateFieldTrial(
"CaptivePortalInterstitial", "Enabled"));
// Enable finch experiment for SSL common name mismatch handling.
ASSERT_TRUE(base::FieldTrialList::CreateFieldTrial(
"SSLCommonNameMismatchHandling", "Enabled"));
}
void TestNoCaptivePortalInterstitial() {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_EQ(1u, ssl_info().public_key_hashes.size());
auto config_proto =
base::MakeUnique<chrome_browser_ssl::SSLErrorAssistantConfig>();
config_proto->add_captive_portal_cert()->set_sha256_hash(
"sha256/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
config_proto->add_captive_portal_cert()->set_sha256_hash(
ssl_info().public_key_hashes[0].ToString());
config_proto->add_captive_portal_cert()->set_sha256_hash(
"sha256/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
SSLErrorHandler::SetErrorAssistantProto(std::move(config_proto));
error_handler()->StartHandlingError();
// Timer should start for captive portal detection.
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
EXPECT_FALSE(delegate()->suggested_url_checked());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
EXPECT_FALSE(delegate()->suggested_url_checked());
// Check that the histogram for the captive portal cert was recorded.
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(),
2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
private:
net::SSLInfo ssl_info_;
std::unique_ptr<TestSSLErrorHandler> error_handler_;
TestSSLErrorHandlerDelegate* delegate_;
base::FieldTrialList field_trial_list_;
base::test::ScopedFeatureList scoped_feature_list_;
DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerCaptivePortalCertListTest);
};
class SSLErrorHandlerDateInvalidTest : public ChromeRenderViewHostTestHarness {
public:
SSLErrorHandlerDateInvalidTest()
: field_trial_test_(new network_time::FieldTrialTest()),
clock_(new base::SimpleTestClock),
tick_clock_(new base::SimpleTestTickClock),
test_server_(new net::EmbeddedTestServer) {
SetThreadBundleOptions(content::TestBrowserThreadBundle::REAL_IO_THREAD);
network_time::NetworkTimeTracker::RegisterPrefs(pref_service_.registry());
}
void SetUp() override {
ChromeRenderViewHostTestHarness::SetUp();
SSLErrorHandler::ResetConfigForTesting();
field_trial_test()->SetNetworkQueriesWithVariationsService(
false, 0.0,
network_time::NetworkTimeTracker::FETCHES_IN_BACKGROUND_ONLY);
tracker_.reset(new network_time::NetworkTimeTracker(
std::unique_ptr<base::Clock>(clock_),
std::unique_ptr<base::TickClock>(tick_clock_), &pref_service_,
new net::TestURLRequestContextGetter(
content::BrowserThread::GetTaskRunnerForThread(
content::BrowserThread::IO))));
// Do this to be sure that |is_null| returns false.
clock_->Advance(base::TimeDelta::FromDays(111));
tick_clock_->Advance(base::TimeDelta::FromDays(222));
SSLErrorHandler::SetInterstitialDelayForTesting(base::TimeDelta());
ssl_info_.cert =
net::ImportCertFromFile(net::GetTestCertsDirectory(), "ok_cert.pem");
ssl_info_.cert_status = net::CERT_STATUS_DATE_INVALID;
delegate_ =
new TestSSLErrorHandlerDelegate(profile(), web_contents(), ssl_info_);
error_handler_.reset(new TestSSLErrorHandler(
std::unique_ptr<SSLErrorHandler::Delegate>(delegate_), web_contents(),
profile(), net::MapCertStatusToNetError(ssl_info_.cert_status),
ssl_info_,
GURL(), // request_url
base::Callback<void(content::CertificateRequestResultType)>()));
error_handler_->SetNetworkTimeTrackerForTesting(tracker_.get());
// Fix flakiness in case system time is off and triggers a bad clock
// interstitial. https://crbug.com/666821#c50
ssl_errors::SetBuildTimeForTesting(base::Time::Now());
}
void TearDown() override {
if (error_handler()) {
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler_.reset(nullptr);
}
SSLErrorHandler::ResetConfigForTesting();
ChromeRenderViewHostTestHarness::TearDown();
}
TestSSLErrorHandler* error_handler() { return error_handler_.get(); }
TestSSLErrorHandlerDelegate* delegate() { return delegate_; }
network_time::FieldTrialTest* field_trial_test() {
return field_trial_test_.get();
}
network_time::NetworkTimeTracker* tracker() { return tracker_.get(); }
net::EmbeddedTestServer* test_server() { return test_server_.get(); }
void ClearErrorHandler() { error_handler_.reset(nullptr); }
private:
net::SSLInfo ssl_info_;
std::unique_ptr<TestSSLErrorHandler> error_handler_;
TestSSLErrorHandlerDelegate* delegate_;
std::unique_ptr<network_time::FieldTrialTest> field_trial_test_;
base::SimpleTestClock* clock_;
base::SimpleTestTickClock* tick_clock_;
TestingPrefServiceSimple pref_service_;
std::unique_ptr<network_time::NetworkTimeTracker> tracker_;
std::unique_ptr<net::EmbeddedTestServer> test_server_;
DISALLOW_COPY_AND_ASSIGN(SSLErrorHandlerDateInvalidTest);
};
#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldShowSSLInterstitialOnTimerExpired) {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
delegate()->ClearSeenOperations();
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldShowCustomInterstitialOnCaptivePortalResult) {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
// Fake a captive portal result.
delegate()->ClearSeenOperations();
delegate()->SendCaptivePortalNotification(
captive_portal::RESULT_BEHIND_CAPTIVE_PORTAL);
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_TRUE(delegate()->captive_portal_interstitial_shown());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_CAPTIVE_PORTAL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldShowSSLInterstitialOnNoCaptivePortalResult) {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
// Fake a "connected to internet" result for the captive portal check.
// This should immediately trigger an SSL interstitial without waiting for
// the timer to expire.
delegate()->ClearSeenOperations();
delegate()->SendCaptivePortalNotification(
captive_portal::RESULT_INTERNET_CONNECTED);
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldNotCheckSuggestedUrlIfNoSuggestedUrl) {
base::HistogramTester histograms;
error_handler()->StartHandlingError();
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->suggested_url_checked());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldNotCheckCaptivePortalIfSuggestedUrlExists) {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
delegate()->set_suggested_url_exists();
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->suggested_url_checked());
EXPECT_FALSE(delegate()->captive_portal_checked());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
// Note that the suggested URL check is never completed, so there is no entry
// for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE.
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldNotHandleNameMismatchOnNonOverridableError) {
base::HistogramTester histograms;
delegate()->set_non_overridable_error();
delegate()->set_suggested_url_exists();
error_handler()->StartHandlingError();
EXPECT_FALSE(delegate()->suggested_url_checked());
EXPECT_TRUE(delegate()->captive_portal_checked());
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_NONOVERRIDABLE, 1);
}
#else // #if !BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldShowSSLInterstitialOnCaptivePortalDetectionDisabled) {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
error_handler()->StartHandlingError();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
#endif // BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldShowSSLInterstitialOnTimerExpiredWhenSuggestedUrlExists) {
base::HistogramTester histograms;
delegate()->set_suggested_url_exists();
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->suggested_url_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->redirected_to_suggested_url());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->redirected_to_suggested_url());
// Note that the suggested URL check is never completed, so there is no entry
// for WWW_MISMATCH_URL_AVAILABLE or WWW_MISMATCH_URL_NOT_AVAILABLE.
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldRedirectOnSuggestedUrlCheckResult) {
base::HistogramTester histograms;
delegate()->set_suggested_url_exists();
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->suggested_url_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->redirected_to_suggested_url());
// Fake a valid suggested URL check result.
// The URL returned by |SuggestedUrlCheckResult| can be different from
// |suggested_url|, if there is a redirect.
delegate()->SendSuggestedUrlCheckResult(
CommonNameMismatchHandler::SuggestedUrlCheckResult::
SUGGESTED_URL_AVAILABLE,
GURL("https://random.example.com"));
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_TRUE(delegate()->redirected_to_suggested_url());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_URL_AVAILABLE, 1);
}
// No suggestions should be requested if certificate lacks a SubjectAltName.
TEST_F(SSLErrorHandlerNameMismatchNoSANTest,
SSLCommonNameMismatchHandlingRequiresSubjectAltName) {
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
delegate()->set_suggested_url_exists();
error_handler()->StartHandlingError();
EXPECT_FALSE(delegate()->suggested_url_checked());
base::RunLoop().RunUntilIdle();
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->redirected_to_suggested_url());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 0);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerNameMismatchTest,
ShouldShowSSLInterstitialOnInvalidUrlCheckResult) {
base::HistogramTester histograms;
delegate()->set_suggested_url_exists();
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->suggested_url_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->redirected_to_suggested_url());
// Fake an Invalid Suggested URL Check result.
delegate()->SendSuggestedUrlCheckResult(
CommonNameMismatchHandler::SuggestedUrlCheckResult::
SUGGESTED_URL_NOT_AVAILABLE,
GURL());
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->redirected_to_suggested_url());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 4);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_FOUND_IN_SAN, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::WWW_MISMATCH_URL_NOT_AVAILABLE,
1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
TEST_F(SSLErrorHandlerDateInvalidTest, TimeQueryStarted) {
base::HistogramTester histograms;
base::Time network_time;
base::TimeDelta uncertainty;
SSLErrorHandler::SetInterstitialDelayForTesting(
base::TimeDelta::FromHours(1));
EXPECT_EQ(network_time::NetworkTimeTracker::NETWORK_TIME_NO_SYNC_ATTEMPT,
tracker()->GetNetworkTime(&network_time, &uncertainty));
// Enable network time queries and handle the error. A bad clock interstitial
// should be shown.
test_server()->RegisterRequestHandler(
base::Bind(&network_time::GoodTimeResponseHandler));
EXPECT_TRUE(test_server()->Start());
tracker()->SetTimeServerURLForTesting(test_server()->GetURL("/"));
field_trial_test()->SetNetworkQueriesWithVariationsService(
true, 0.0, network_time::NetworkTimeTracker::FETCHES_ON_DEMAND_ONLY);
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
tracker()->WaitForFetchForTesting(123123123);
base::RunLoop().RunUntilIdle();
EXPECT_TRUE(delegate()->bad_clock_interstitial_shown());
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
// Check that the histogram for the delay was recorded.
histograms.ExpectTotalCount(kCertDateErrorHistogram, 1);
}
// Tests that an SSL interstitial is shown if the accuracy of the system
// clock can't be determined because network time is unavailable.
TEST_F(SSLErrorHandlerDateInvalidTest, NoTimeQueries) {
base::HistogramTester histograms;
base::Time network_time;
base::TimeDelta uncertainty;
EXPECT_EQ(network_time::NetworkTimeTracker::NETWORK_TIME_NO_SYNC_ATTEMPT,
tracker()->GetNetworkTime(&network_time, &uncertainty));
// Handle the error without enabling time queries. A bad clock interstitial
// should not be shown.
error_handler()->StartHandlingError();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->bad_clock_interstitial_shown());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
// Check that the histogram for the delay was recorded.
histograms.ExpectTotalCount(kCertDateErrorHistogram, 1);
}
// Tests that an SSL interstitial is shown if determing the accuracy of
// the system clock times out (e.g. because a network time query hangs).
TEST_F(SSLErrorHandlerDateInvalidTest, TimeQueryHangs) {
base::HistogramTester histograms;
base::Time network_time;
base::TimeDelta uncertainty;
EXPECT_EQ(network_time::NetworkTimeTracker::NETWORK_TIME_NO_SYNC_ATTEMPT,
tracker()->GetNetworkTime(&network_time, &uncertainty));
// Enable network time queries and handle the error. Because the
// network time cannot be determined before the timer elapses, an SSL
// interstitial should be shown.
base::RunLoop wait_for_time_query_loop;
test_server()->RegisterRequestHandler(
base::Bind(&WaitForRequest, wait_for_time_query_loop.QuitClosure()));
EXPECT_TRUE(test_server()->Start());
tracker()->SetTimeServerURLForTesting(test_server()->GetURL("/"));
field_trial_test()->SetNetworkQueriesWithVariationsService(
true, 0.0, network_time::NetworkTimeTracker::FETCHES_ON_DEMAND_ONLY);
error_handler()->StartHandlingError();
EXPECT_TRUE(error_handler()->IsTimerRunningForTesting());
wait_for_time_query_loop.Run();
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(delegate()->bad_clock_interstitial_shown());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
// Check that the histogram for the delay was recorded.
histograms.ExpectTotalCount(kCertDateErrorHistogram, 1);
// Clear the error handler to test that, when the request completes,
// it doesn't try to call a callback on a deleted SSLErrorHandler.
ClearErrorHandler();
// Shut down the server to cancel the pending request.
ASSERT_TRUE(test_server()->ShutdownAndWaitUntilComplete());
}
#if BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)
// Tests that a certificate marked as a known captive portal certificate causes
// the captive portal interstitial to be shown.
TEST_F(SSLErrorHandlerCaptivePortalCertListTest, Enabled) {
SetFeatureEnabled(true);
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_EQ(1u, ssl_info().public_key_hashes.size());
auto config_proto =
base::MakeUnique<chrome_browser_ssl::SSLErrorAssistantConfig>();
config_proto->add_captive_portal_cert()->set_sha256_hash(
"sha256/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
config_proto->add_captive_portal_cert()->set_sha256_hash(
ssl_info().public_key_hashes[0].ToString());
config_proto->add_captive_portal_cert()->set_sha256_hash(
"sha256/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
SSLErrorHandler::SetErrorAssistantProto(std::move(config_proto));
base::HistogramTester histograms;
error_handler()->StartHandlingError();
// Timer shouldn't start for a known captive portal certificate.
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_TRUE(delegate()->captive_portal_interstitial_shown());
EXPECT_FALSE(delegate()->suggested_url_checked());
// A buggy SSL error handler might have incorrectly started the timer. Run
// to completion to ensure the timer is expired.
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_FALSE(delegate()->ssl_interstitial_shown());
EXPECT_TRUE(delegate()->captive_portal_interstitial_shown());
EXPECT_FALSE(delegate()->suggested_url_checked());
// Check that the histogram for the captive portal cert was recorded.
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 3);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_CAPTIVE_PORTAL_INTERSTITIAL_OVERRIDABLE, 1);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::CAPTIVE_PORTAL_CERT_FOUND, 1);
}
// Tests that a certificate marked as a known captive portal certificate does
// not cause the captive portal interstitial to be shown, if the feature is
// disabled.
TEST_F(SSLErrorHandlerCaptivePortalCertListTest, Disabled) {
SetFeatureEnabled(false);
// Default error for SSLErrorHandlerNameMismatchTest tests is name mismatch.
TestNoCaptivePortalInterstitial();
}
// Tests that an error other than name mismatch does not cause a captive portal
// interstitial to be shown, even if the certificate is marked as a known
// captive portal certificate.
TEST_F(SSLErrorHandlerCaptivePortalCertListTest, AuthorityInvalid) {
SetFeatureEnabled(true);
ResetErrorHandler(net::CERT_STATUS_AUTHORITY_INVALID);
TestNoCaptivePortalInterstitial();
}
// Tests that an authority invalid error in addition to name mismatch error does
// not cause a captive portal interstitial to be shown, even if the certificate
// is marked as a known captive portal certificate. The resulting error is
// authority-invalid.
TEST_F(SSLErrorHandlerCaptivePortalCertListTest,
NameMismatchAndAuthorityInvalid) {
SetFeatureEnabled(true);
const net::CertStatus cert_status =
net::CERT_STATUS_COMMON_NAME_INVALID | net::CERT_STATUS_AUTHORITY_INVALID;
// Sanity check that AUTHORITY_INVALID is seen as the net error.
ASSERT_EQ(net::ERR_CERT_AUTHORITY_INVALID,
net::MapCertStatusToNetError(cert_status));
ResetErrorHandler(cert_status);
TestNoCaptivePortalInterstitial();
}
// Tests that another error in addition to name mismatch error does not cause a
// captive portal interstitial to be shown, even if the certificate is marked as
// a known captive portal certificate. Similar to
// NameMismatchAndAuthorityInvalid, except the resulting error is name mismatch.
TEST_F(SSLErrorHandlerCaptivePortalCertListTest, NameMismatchAndWeakKey) {
SetFeatureEnabled(true);
const net::CertStatus cert_status =
net::CERT_STATUS_COMMON_NAME_INVALID | net::CERT_STATUS_WEAK_KEY;
// Sanity check that COMMON_NAME_INVALID is seen as the net error, since the
// test is designed to verify that SSLErrorHandler notices other errors in the
// CertStatus even when COMMON_NAME_INVALID is the net error.
ASSERT_EQ(net::ERR_CERT_COMMON_NAME_INVALID,
net::MapCertStatusToNetError(cert_status));
ResetErrorHandler(cert_status);
TestNoCaptivePortalInterstitial();
}
#else
TEST_F(SSLErrorHandlerCaptivePortalCertListTest, DisabledByBuild) {
SetFeatureEnabled(true);
// Default error for SSLErrorHandlerNameMismatchTest tests is name mismatch,
// but the feature is disabled by build so a generic SSL interstitial will be
// displayed.
base::HistogramTester histograms;
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_EQ(1u, ssl_info().public_key_hashes.size());
auto config_proto =
base::MakeUnique<chrome_browser_ssl::SSLErrorAssistantConfig>();
config_proto->add_captive_portal_cert()->set_sha256_hash(
"sha256/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
config_proto->add_captive_portal_cert()->set_sha256_hash(
ssl_info().public_key_hashes[0].ToString());
config_proto->add_captive_portal_cert()->set_sha256_hash(
"sha256/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb");
SSLErrorHandler::SetErrorAssistantProto(std::move(config_proto));
error_handler()->StartHandlingError();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
EXPECT_FALSE(delegate()->suggested_url_checked());
base::RunLoop().RunUntilIdle();
EXPECT_FALSE(error_handler()->IsTimerRunningForTesting());
EXPECT_FALSE(delegate()->captive_portal_checked());
EXPECT_TRUE(delegate()->ssl_interstitial_shown());
EXPECT_FALSE(delegate()->captive_portal_interstitial_shown());
EXPECT_FALSE(delegate()->suggested_url_checked());
histograms.ExpectTotalCount(SSLErrorHandler::GetHistogramNameForTesting(), 2);
histograms.ExpectBucketCount(SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::HANDLE_ALL, 1);
histograms.ExpectBucketCount(
SSLErrorHandler::GetHistogramNameForTesting(),
SSLErrorHandler::SHOW_SSL_INTERSTITIAL_OVERRIDABLE, 1);
}
#endif // BUILDFLAG(ENABLE_CAPTIVE_PORTAL_DETECTION)