search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Update mojo surfaces bindings and mojo/cc/ glue
[chromium-blink-merge.git] / chrome / browser / ssl / chrome_ssl_host_state_delegate_test.cc
blobdfa4f512084ceff114b5c184e2d86b3c66ed34ff
1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include <stdint.h>
6
7 #include "base/command_line.h"
8 #include "base/strings/string_number_conversions.h"
9 #include "base/test/simple_test_clock.h"
10 #include "chrome/browser/browsing_data/browsing_data_helper.h"
11 #include "chrome/browser/browsing_data/browsing_data_remover.h"
12 #include "chrome/browser/browsing_data/browsing_data_remover_test_util.h"
13 #include "chrome/browser/profiles/profile.h"
14 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
15 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate_factory.h"
16 #include "chrome/browser/ui/browser.h"
17 #include "chrome/browser/ui/tabs/tab_strip_model.h"
18 #include "chrome/common/chrome_switches.h"
19 #include "chrome/test/base/in_process_browser_test.h"
20 #include "content/public/browser/ssl_host_state_delegate.h"
21 #include "content/public/browser/web_contents.h"
22 #include "content/public/test/browser_test_utils.h"
23 #include "net/base/test_data_directory.h"
24 #include "net/test/cert_test_util.h"
25 #include "testing/gtest/include/gtest/gtest.h"
26
27 namespace {
28
29 const char kGoogleCertFile[] = "google.single.der";
30
31 const char kWWWGoogleHost[] = "www.google.com";
32 const char kGoogleHost[] = "google.com";
33 const char kExampleHost[] = "example.com";
34
35 const char* kForgetAtSessionEnd = "-1";
36 const char* kForgetInstantly = "0";
37 const char* kDeltaSecondsString = "86400";
38 const uint64_t kDeltaOneDayInSeconds = UINT64_C(86400);
39
40 scoped_refptr<net::X509Certificate> GetGoogleCert() {
41 return net::ImportCertFromFile(net::GetTestCertsDirectory(), kGoogleCertFile);
42 }
43
44 } // namespace
45
46 class ChromeSSLHostStateDelegateTest : public InProcessBrowserTest {};
47
48 // ChromeSSLHostStateDelegateTest tests basic unit test functionality of the
49 // SSLHostStateDelegate class. For example, tests that if a certificate is
50 // accepted, then it is added to queryable, and if it is revoked, it is not
51 // queryable. Even though it is effectively a unit test, in needs to be an
52 // InProcessBrowserTest because the actual functionality is provided by
53 // ChromeSSLHostStateDelegate which is provided per-profile.
54 //
55 // QueryPolicy unit tests the expected behavior of calling QueryPolicy on the
56 // SSLHostStateDelegate class after various SSL cert decisions have been made.
57 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, QueryPolicy) {
58 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
59 content::WebContents* tab =
60 browser()->tab_strip_model()->GetActiveWebContents();
61 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
62 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
63 bool unused_value;
64
65 // Verifying that all three of the certs we will be looking at are unknown
66 // before any action has been taken.
67 EXPECT_EQ(net::CertPolicy::UNKNOWN,
68 state->QueryPolicy(kWWWGoogleHost,
69 google_cert.get(),
70 net::CERT_STATUS_DATE_INVALID,
71 &unused_value));
72 EXPECT_EQ(net::CertPolicy::UNKNOWN,
73 state->QueryPolicy(kGoogleHost,
74 google_cert.get(),
75 net::CERT_STATUS_DATE_INVALID,
76 &unused_value));
77 EXPECT_EQ(net::CertPolicy::UNKNOWN,
78 state->QueryPolicy(kExampleHost,
79 google_cert.get(),
80 net::CERT_STATUS_DATE_INVALID,
81 &unused_value));
82
83 // Simulate a user decision to allow an invalid certificate exception for
84 // kWWWGoogleHost.
85 state->AllowCert(
86 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
87
88 // Verify that only kWWWGoogleHost is allowed and that the other two certs
89 // being tested still have no decision associated with them.
90 EXPECT_EQ(net::CertPolicy::ALLOWED,
91 state->QueryPolicy(kWWWGoogleHost,
92 google_cert.get(),
93 net::CERT_STATUS_DATE_INVALID,
94 &unused_value));
95 EXPECT_EQ(net::CertPolicy::UNKNOWN,
96 state->QueryPolicy(kGoogleHost,
97 google_cert.get(),
98 net::CERT_STATUS_DATE_INVALID,
99 &unused_value));
100 EXPECT_EQ(net::CertPolicy::UNKNOWN,
101 state->QueryPolicy(kExampleHost,
102 google_cert.get(),
103 net::CERT_STATUS_DATE_INVALID,
104 &unused_value));
105
106 // Simulate a user decision to allow an invalid certificate exception for
107 // kExampleHost.
108 state->AllowCert(
109 kExampleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
110
111 // Verify that both kWWWGoogleHost and kExampleHost have allow exceptions
112 // while kGoogleHost still has no associated decision.
113 EXPECT_EQ(net::CertPolicy::ALLOWED,
114 state->QueryPolicy(kWWWGoogleHost,
115 google_cert.get(),
116 net::CERT_STATUS_DATE_INVALID,
117 &unused_value));
118 EXPECT_EQ(net::CertPolicy::UNKNOWN,
119 state->QueryPolicy(kGoogleHost,
120 google_cert.get(),
121 net::CERT_STATUS_DATE_INVALID,
122 &unused_value));
123 EXPECT_EQ(net::CertPolicy::ALLOWED,
124 state->QueryPolicy(kExampleHost,
125 google_cert.get(),
126 net::CERT_STATUS_DATE_INVALID,
127 &unused_value));
128
129 // Simulate a user decision to deny an invalid certificate for kExampleHost.
130 state->DenyCert(
131 kExampleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
132
133 // Verify that kWWWGoogleHost is allowed and kExampleHost is denied while
134 // kGoogleHost still has no associated decision.
135 EXPECT_EQ(net::CertPolicy::ALLOWED,
136 state->QueryPolicy(kWWWGoogleHost,
137 google_cert.get(),
138 net::CERT_STATUS_DATE_INVALID,
139 &unused_value));
140 EXPECT_EQ(net::CertPolicy::UNKNOWN,
141 state->QueryPolicy(kGoogleHost,
142 google_cert.get(),
143 net::CERT_STATUS_DATE_INVALID,
144 &unused_value));
145 EXPECT_EQ(net::CertPolicy::DENIED,
146 state->QueryPolicy(kExampleHost,
147 google_cert.get(),
148 net::CERT_STATUS_DATE_INVALID,
149 &unused_value));
150 }
151
152 // HasPolicyAndRevoke unit tests the expected behavior of calling
153 // HasUserDecision before and after calling RevokeUserDecisions on the
154 // SSLHostStateDelegate class.
155 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, HasPolicyAndRevoke) {
156 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
157 content::WebContents* tab =
158 browser()->tab_strip_model()->GetActiveWebContents();
159 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
160 ChromeSSLHostStateDelegate* state =
161 ChromeSSLHostStateDelegateFactory::GetForProfile(profile);
162 bool unused_value;
163
164 // Simulate a user decision to allow an invalid certificate exception for
165 // kWWWGoogleHost and for kExampleHost.
166 state->AllowCert(
167 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
168 state->AllowCert(
169 kExampleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
170
171 // Verify that HasUserDecision correctly acknowledges that a user decision has
172 // been made about kWWWGoogleHost. Then verify that HasUserDecision correctly
173 // identifies that the decision has been revoked.
174 EXPECT_TRUE(state->HasUserDecision(kWWWGoogleHost));
175 state->RevokeUserDecisions(kWWWGoogleHost);
176 EXPECT_FALSE(state->HasUserDecision(kWWWGoogleHost));
177 EXPECT_EQ(net::CertPolicy::UNKNOWN,
178 state->QueryPolicy(kWWWGoogleHost,
179 google_cert.get(),
180 net::CERT_STATUS_DATE_INVALID,
181 &unused_value));
182
183 // Verify that the revocation of the kWWWGoogleHost decision does not affect
184 // the Allow for kExampleHost.
185 EXPECT_TRUE(state->HasUserDecision(kExampleHost));
186
187 // Verify the revocation of the kWWWGoogleHost decision does not affect the
188 // non-decision for kGoogleHost. Then verify that a revocation of a URL with
189 // no decision has no effect.
190 EXPECT_FALSE(state->HasUserDecision(kGoogleHost));
191 state->RevokeUserDecisions(kGoogleHost);
192 EXPECT_FALSE(state->HasUserDecision(kGoogleHost));
193 }
194
195 // Clear unit tests the expected behavior of calling Clear to forget all cert
196 // decision state on the SSLHostStateDelegate class.
197 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest, Clear) {
198 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
199 content::WebContents* tab =
200 browser()->tab_strip_model()->GetActiveWebContents();
201 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
202 ChromeSSLHostStateDelegate* state =
203 ChromeSSLHostStateDelegateFactory::GetForProfile(profile);
204 bool unused_value;
205
206 // Simulate a user decision to allow an invalid certificate exception for
207 // kWWWGoogleHost and for kExampleHost.
208 state->AllowCert(
209 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
210
211 // Do a full clear, then make sure that both kWWWGoogleHost, which had a
212 // decision made, and kExampleHost, which was untouched, are now in a
213 // non-decision state.
214 state->Clear();
215 EXPECT_FALSE(state->HasUserDecision(kWWWGoogleHost));
216 EXPECT_EQ(net::CertPolicy::UNKNOWN,
217 state->QueryPolicy(kWWWGoogleHost,
218 google_cert.get(),
219 net::CERT_STATUS_DATE_INVALID,
220 &unused_value));
221 EXPECT_FALSE(state->HasUserDecision(kExampleHost));
222 EXPECT_EQ(net::CertPolicy::UNKNOWN,
223 state->QueryPolicy(kExampleHost,
224 google_cert.get(),
225 net::CERT_STATUS_DATE_INVALID,
226 &unused_value));
227 }
228
229 // DidHostRunInsecureContent unit tests the expected behavior of calling
230 // DidHostRunInsecureContent as well as HostRanInsecureContent to check if
231 // insecure content has been run and to mark it as such.
232 IN_PROC_BROWSER_TEST_F(ChromeSSLHostStateDelegateTest,
233 DidHostRunInsecureContent) {
234 content::WebContents* tab =
235 browser()->tab_strip_model()->GetActiveWebContents();
236 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
237 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
238
239 EXPECT_FALSE(state->DidHostRunInsecureContent("www.google.com", 42));
240 EXPECT_FALSE(state->DidHostRunInsecureContent("www.google.com", 191));
241 EXPECT_FALSE(state->DidHostRunInsecureContent("example.com", 42));
242
243 state->HostRanInsecureContent("www.google.com", 42);
244
245 EXPECT_TRUE(state->DidHostRunInsecureContent("www.google.com", 42));
246 EXPECT_FALSE(state->DidHostRunInsecureContent("www.google.com", 191));
247 EXPECT_FALSE(state->DidHostRunInsecureContent("example.com", 42));
248
249 state->HostRanInsecureContent("example.com", 42);
250
251 EXPECT_TRUE(state->DidHostRunInsecureContent("www.google.com", 42));
252 EXPECT_FALSE(state->DidHostRunInsecureContent("www.google.com", 191));
253 EXPECT_TRUE(state->DidHostRunInsecureContent("example.com", 42));
254 }
255
256 // Tests the basic behavior of cert memory in incognito.
257 class IncognitoSSLHostStateDelegateTest
258 : public ChromeSSLHostStateDelegateTest {
259 protected:
260 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
261 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
262 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
263 kDeltaSecondsString);
264 }
265 };
266
267 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, PRE_AfterRestart) {
268 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
269 content::WebContents* tab =
270 browser()->tab_strip_model()->GetActiveWebContents();
271 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
272 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
273 bool unused_value;
274
275 // Add a cert exception to the profile and then verify that it still exists
276 // in the incognito profile.
277 state->AllowCert(
278 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
279
280 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
281 content::SSLHostStateDelegate* incognito_state =
282 incognito->GetSSLHostStateDelegate();
283
284 EXPECT_EQ(net::CertPolicy::ALLOWED,
285 incognito_state->QueryPolicy(kWWWGoogleHost,
286 google_cert.get(),
287 net::CERT_STATUS_DATE_INVALID,
288 &unused_value));
289
290 // Add a cert exception to the incognito profile. It will be checked after
291 // restart that this exception does not exist. Note the different cert URL and
292 // error than above thus mapping to a second exception. Also validate that it
293 // was not added as an exception to the regular profile.
294 incognito_state->AllowCert(
295 kGoogleHost, google_cert.get(), net::CERT_STATUS_COMMON_NAME_INVALID);
296
297 EXPECT_EQ(net::CertPolicy::UNKNOWN,
298 state->QueryPolicy(kGoogleHost,
299 google_cert.get(),
300 net::CERT_STATUS_COMMON_NAME_INVALID,
301 &unused_value));
302 }
303
304 // AfterRestart ensures that any cert decisions made in an incognito profile are
305 // forgetten after a session restart even if given a command line flag to
306 // remember cert decisions after restart.
307 IN_PROC_BROWSER_TEST_F(IncognitoSSLHostStateDelegateTest, AfterRestart) {
308 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
309 content::WebContents* tab =
310 browser()->tab_strip_model()->GetActiveWebContents();
311 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
312 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
313 bool unused_value;
314
315 // Verify that the exception added before restart to the regular
316 // (non-incognito) profile still exists and was not cleared after the
317 // incognito session ended.
318 EXPECT_EQ(net::CertPolicy::ALLOWED,
319 state->QueryPolicy(kWWWGoogleHost,
320 google_cert.get(),
321 net::CERT_STATUS_DATE_INVALID,
322 &unused_value));
323
324 scoped_ptr<Profile> incognito(profile->CreateOffTheRecordProfile());
325 content::SSLHostStateDelegate* incognito_state =
326 incognito->GetSSLHostStateDelegate();
327
328 // Verify that the exception added before restart to the incognito profile was
329 // cleared when the incognito session ended.
330 EXPECT_EQ(net::CertPolicy::UNKNOWN,
331 incognito_state->QueryPolicy(kGoogleHost,
332 google_cert.get(),
333 net::CERT_STATUS_COMMON_NAME_INVALID,
334 &unused_value));
335 }
336
337 // Tests to make sure that if the remember value is set to -1, any decisions
338 // won't be remembered over a restart.
339 class ForGetSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest {
340 protected:
341 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
342 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
343 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
344 kForgetAtSessionEnd);
345 }
346 };
347
348 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, PRE_AfterRestart) {
349 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
350 content::WebContents* tab =
351 browser()->tab_strip_model()->GetActiveWebContents();
352 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
353 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
354 bool unused_value;
355
356 state->AllowCert(
357 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
358 EXPECT_EQ(net::CertPolicy::ALLOWED,
359 state->QueryPolicy(kWWWGoogleHost,
360 google_cert.get(),
361 net::CERT_STATUS_DATE_INVALID,
362 &unused_value));
363 }
364
365 IN_PROC_BROWSER_TEST_F(ForGetSSLHostStateDelegateTest, AfterRestart) {
366 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
367 content::WebContents* tab =
368 browser()->tab_strip_model()->GetActiveWebContents();
369 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
370 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
371 bool unused_value;
372
373 // The cert should now be |UNKONWN| because the profile is set to forget cert
374 // exceptions after session end.
375 EXPECT_EQ(net::CertPolicy::UNKNOWN,
376 state->QueryPolicy(kWWWGoogleHost,
377 google_cert.get(),
378 net::CERT_STATUS_DATE_INVALID,
379 &unused_value));
380 }
381
382 // Tests to make sure that if the remember value is set to 0, any decisions made
383 // will be forgetten immediately.
384 class ForgetInstantlySSLHostStateDelegateTest
385 : public ChromeSSLHostStateDelegateTest {
386 protected:
387 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
388 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
389 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
390 kForgetInstantly);
391 }
392 };
393
394 IN_PROC_BROWSER_TEST_F(ForgetInstantlySSLHostStateDelegateTest,
395 MakeAndForgetException) {
396 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
397 content::WebContents* tab =
398 browser()->tab_strip_model()->GetActiveWebContents();
399 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
400 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
401 bool unused_value;
402
403 // chrome_state takes ownership of this clock
404 base::SimpleTestClock* clock = new base::SimpleTestClock();
405 ChromeSSLHostStateDelegate* chrome_state =
406 static_cast<ChromeSSLHostStateDelegate*>(state);
407 chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
408
409 // Start the clock at standard system time but do not advance at all to
410 // emphasize that instant forget works.
411 clock->SetNow(base::Time::NowFromSystemTime());
412
413 state->AllowCert(
414 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
415 EXPECT_EQ(net::CertPolicy::UNKNOWN,
416 state->QueryPolicy(kWWWGoogleHost,
417 google_cert.get(),
418 net::CERT_STATUS_DATE_INVALID,
419 &unused_value));
420 }
421
422 // Tests to make sure that if the remember value is set to a non-zero value0,
423 // any decisions will be remembered over a restart, but only for the length
424 // specified.
425 class RememberSSLHostStateDelegateTest : public ChromeSSLHostStateDelegateTest {
426 protected:
427 virtual void SetUpCommandLine(CommandLine* command_line) OVERRIDE {
428 ChromeSSLHostStateDelegateTest::SetUpCommandLine(command_line);
429 command_line->AppendSwitchASCII(switches::kRememberCertErrorDecisions,
430 kDeltaSecondsString);
431 }
432 };
433
434 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, PRE_AfterRestart) {
435 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
436 content::WebContents* tab =
437 browser()->tab_strip_model()->GetActiveWebContents();
438 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
439 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
440 bool unused_value;
441
442 state->AllowCert(
443 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
444 EXPECT_EQ(net::CertPolicy::ALLOWED,
445 state->QueryPolicy(kWWWGoogleHost,
446 google_cert.get(),
447 net::CERT_STATUS_DATE_INVALID,
448 &unused_value));
449 }
450
451 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, AfterRestart) {
452 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
453 content::WebContents* tab =
454 browser()->tab_strip_model()->GetActiveWebContents();
455 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
456 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
457 bool unused_value;
458
459 // chrome_state takes ownership of this clock
460 base::SimpleTestClock* clock = new base::SimpleTestClock();
461 ChromeSSLHostStateDelegate* chrome_state =
462 static_cast<ChromeSSLHostStateDelegate*>(state);
463 chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
464
465 // Start the clock at standard system time.
466 clock->SetNow(base::Time::NowFromSystemTime());
467
468 // This should only pass if the cert was allowed before the test was restart
469 // and thus has now been rememebered across browser restarts.
470 EXPECT_EQ(net::CertPolicy::ALLOWED,
471 state->QueryPolicy(kWWWGoogleHost,
472 google_cert.get(),
473 net::CERT_STATUS_DATE_INVALID,
474 &unused_value));
475
476 // Simulate the clock advancing by the specified delta.
477 clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1));
478
479 // The cert should now be |UNKONWN| because the specified delta has passed.
480 EXPECT_EQ(net::CertPolicy::UNKNOWN,
481 state->QueryPolicy(kWWWGoogleHost,
482 google_cert.get(),
483 net::CERT_STATUS_DATE_INVALID,
484 &unused_value));
485 }
486
487 // QueryPolicyExpired unit tests to make sure that if a certificate decision has
488 // expired, the return value from QueryPolicy returns the correct vaule.
489 IN_PROC_BROWSER_TEST_F(RememberSSLHostStateDelegateTest, QueryPolicyExpired) {
490 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
491 content::WebContents* tab =
492 browser()->tab_strip_model()->GetActiveWebContents();
493 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
494 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
495 bool expired_previous_decision;
496
497 // chrome_state takes ownership of this clock
498 base::SimpleTestClock* clock = new base::SimpleTestClock();
499 ChromeSSLHostStateDelegate* chrome_state =
500 static_cast<ChromeSSLHostStateDelegate*>(state);
501 chrome_state->SetClock(scoped_ptr<base::Clock>(clock));
502
503 // Start the clock at standard system time but do not advance at all to
504 // emphasize that instant forget works.
505 clock->SetNow(base::Time::NowFromSystemTime());
506
507 // The certificate has never been seen before, so it should be UNKONWN and
508 // should also indicate that it hasn't expired.
509 EXPECT_EQ(net::CertPolicy::UNKNOWN,
510 state->QueryPolicy(kWWWGoogleHost,
511 google_cert.get(),
512 net::CERT_STATUS_DATE_INVALID,
513 &expired_previous_decision));
514 EXPECT_FALSE(expired_previous_decision);
515
516 // After allowing the certificate, a query should say that it is allowed and
517 // also specify that it hasn't expired.
518 state->AllowCert(
519 kWWWGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
520 EXPECT_EQ(net::CertPolicy::ALLOWED,
521 state->QueryPolicy(kWWWGoogleHost,
522 google_cert.get(),
523 net::CERT_STATUS_DATE_INVALID,
524 &expired_previous_decision));
525 EXPECT_FALSE(expired_previous_decision);
526
527 // Simulate the clock advancing by the specified delta.
528 clock->Advance(base::TimeDelta::FromSeconds(kDeltaOneDayInSeconds + 1));
529
530 // The decision expiration time has come, so it should indicate that the
531 // certificate and error are UNKOWN but also that they expired since the last
532 // query.
533 EXPECT_EQ(net::CertPolicy::UNKNOWN,
534 state->QueryPolicy(kWWWGoogleHost,
535 google_cert.get(),
536 net::CERT_STATUS_DATE_INVALID,
537 &expired_previous_decision));
538 EXPECT_TRUE(expired_previous_decision);
539
540 // However, with a new query, it should indicate that no new expiration has
541 // occurred.
542 EXPECT_EQ(net::CertPolicy::UNKNOWN,
543 state->QueryPolicy(kWWWGoogleHost,
544 google_cert.get(),
545 net::CERT_STATUS_DATE_INVALID,
546 &expired_previous_decision));
547 EXPECT_FALSE(expired_previous_decision);
548 }
549
550 // Tests to make sure that if the user deletes their browser history, SSL
551 // exceptions will be deleted as well.
552 class RemoveBrowsingHistorySSLHostStateDelegateTest
553 : public ChromeSSLHostStateDelegateTest {
554 public:
555 void RemoveAndWait(Profile* profile) {
556 BrowsingDataRemover* remover = BrowsingDataRemover::CreateForPeriod(
557 profile, BrowsingDataRemover::LAST_HOUR);
558 BrowsingDataRemoverCompletionObserver completion_observer(remover);
559 remover->Remove(BrowsingDataRemover::REMOVE_HISTORY,
560 BrowsingDataHelper::UNPROTECTED_WEB);
561 completion_observer.BlockUntilCompletion();
562 }
563 };
564
565 IN_PROC_BROWSER_TEST_F(RemoveBrowsingHistorySSLHostStateDelegateTest,
566 DeleteHistory) {
567 scoped_refptr<net::X509Certificate> google_cert = GetGoogleCert();
568 content::WebContents* tab =
569 browser()->tab_strip_model()->GetActiveWebContents();
570 Profile* profile = Profile::FromBrowserContext(tab->GetBrowserContext());
571 content::SSLHostStateDelegate* state = profile->GetSSLHostStateDelegate();
572 bool unused_value;
573
574 // Add an exception for an invalid certificate. Then remove the last hour's
575 // worth of browsing history and verify that the exception has been deleted.
576 state->AllowCert(
577 kGoogleHost, google_cert.get(), net::CERT_STATUS_DATE_INVALID);
578 RemoveAndWait(profile);
579 EXPECT_EQ(net::CertPolicy::UNKNOWN,
580 state->QueryPolicy(kGoogleHost,
581 google_cert.get(),
582 net::CERT_STATUS_DATE_INVALID,
583 &unused_value));
584 }