summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-11-14 12:17:00 +0100
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-11-14 12:17:00 +0100
commitf4cc93fc9ee9059c44bb9bc28266b01397ede4a3 (patch)
tree617a6230d01f2d4100b88eb67ed0dd0df66322ed
parentd5a604bb8900875baec73b80554f7d1e540028af (diff)
downloadUXP-f4cc93fc9ee9059c44bb9bc28266b01397ede4a3.tar
UXP-f4cc93fc9ee9059c44bb9bc28266b01397ede4a3.tar.gz
UXP-f4cc93fc9ee9059c44bb9bc28266b01397ede4a3.tar.lz
UXP-f4cc93fc9ee9059c44bb9bc28266b01397ede4a3.tar.xz
UXP-f4cc93fc9ee9059c44bb9bc28266b01397ede4a3.zip
Issue #1289 - Part 3: Update tests.
-rw-r--r--devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js4
-rw-r--r--devtools/shared/webconsole/test/test_network_security-hpkp.html11
-rw-r--r--security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js22
-rw-r--r--security/manager/ssl/tests/unit/test_ocsp_must_staple.js2
-rw-r--r--security/manager/ssl/tests/unit/test_pinning.js3
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_dynamic.js1
-rw-r--r--security/manager/ssl/tests/unit/test_pinning_header_parsing.js6
-rw-r--r--security/manager/ssl/tests/unit/test_sss_readstate_garbage.js1
-rw-r--r--security/manager/ssl/tests/unit/test_sss_savestate.js1
9 files changed, 46 insertions, 5 deletions
diff --git a/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js b/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js
index 3ee33669d..39870fd54 100644
--- a/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js
+++ b/devtools/client/webconsole/test/browser_webconsole_hpkp_invalid-headers.js
@@ -14,14 +14,18 @@ const SJS_URL = "https://example.com/browser/devtools/client/webconsole/" +
"test/test_hpkp-invalid-headers.sjs";
const LEARN_MORE_URI = "https://developer.mozilla.org/docs/Web/Security/" +
"Public_Key_Pinning" + DOCS_GA_PARAMS;
+const HPKP_ENABLED_PREF = "security.cert_pinning.hpkp.enabled";
const NON_BUILTIN_ROOT_PREF = "security.cert_pinning.process_headers_from_" +
"non_builtin_roots";
add_task(function* () {
registerCleanupFunction(() => {
+ Services.prefs.clearUserPref(HPKP_ENABLED_PREF);
Services.prefs.clearUserPref(NON_BUILTIN_ROOT_PREF);
});
+ Services.prefs.setBoolPref(HPKP_ENABLED_PREF, true);
+
yield loadTab(TEST_URI);
let hud = yield openConsole();
diff --git a/devtools/shared/webconsole/test/test_network_security-hpkp.html b/devtools/shared/webconsole/test/test_network_security-hpkp.html
index 55e2621a8..bc1a9642c 100644
--- a/devtools/shared/webconsole/test/test_network_security-hpkp.html
+++ b/devtools/shared/webconsole/test/test_network_security-hpkp.html
@@ -17,7 +17,8 @@
SimpleTest.waitForExplicitFinish();
let gCurrentTestCase = -1;
-const HPKP_PREF = "security.cert_pinning.process_headers_from_non_builtin_roots";
+const HPKP_ENABLED_PREF = "security.cert_pinning.hpkp.enabled";
+const PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF = "security.cert_pinning.process_headers_from_non_builtin_roots";
// Static pins tested by unit/test_security-info-static-hpkp.js.
const TEST_CASES = [
@@ -41,11 +42,11 @@ const TEST_CASES = [
function startTest()
{
- // Need to enable this pref or pinning headers are rejected due test
- // certificate.
- Services.prefs.setBoolPref(HPKP_PREF, true);
+ Services.prefs.setBoolPref(HPKP_ENABLED_PREF, true);
+ Services.prefs.setBoolPref(PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF, true);
SimpleTest.registerCleanupFunction(() => {
- Services.prefs.setBoolPref(HPKP_PREF, false);
+ Services.prefs.setBoolPref(HPKP_ENABLED_PREF, false);
+ Services.prefs.setBoolPref(PROCESS_HPKP_FROM_NON_BUILTIN_ROOTS_PREF, false);
// Reset pinning state.
let gSSService = Cc["@mozilla.org/ssservice;1"]
diff --git a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
index 4db133e43..c075428ee 100644
--- a/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
+++ b/security/manager/ssl/tests/unit/test_forget_about_site_security_headers.js
@@ -12,6 +12,7 @@
var { ForgetAboutSite } = Cu.import("resource://gre/modules/ForgetAboutSite.jsm", {});
do_register_cleanup(() => {
+ Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
Services.prefs.clearUserPref(
"security.cert_pinning.process_headers_from_non_builtin_roots");
@@ -26,6 +27,7 @@ const GOOD_MAX_AGE = `max-age=${GOOD_MAX_AGE_SECONDS};`;
do_get_profile(); // must be done before instantiating nsIX509CertDB
+Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
Services.prefs.setBoolPref(
"security.cert_pinning.process_headers_from_non_builtin_roots", true);
@@ -44,6 +46,26 @@ var uri = Services.io.newURI("https://a.pinning2.example.com", null, null);
var sslStatus = new FakeSSLStatus(constructCertFromFile(
"test_pinning_dynamic/a.pinning2.example.com-pinningroot.pem"));
+ // Test that with HPKP disabled, processing HPKP headers results in no
+ // information being saved.
+ add_task(async function() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+ sss.processHeader(
+ Ci.nsISiteSecurityService.HEADER_HPKP,
+ uri,
+ GOOD_MAX_AGE + VALID_PIN + BACKUP_PIN,
+ secInfo,
+ 0,
+ Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
+ );
+
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
+ Assert.ok(
+ !sss.isSecureURI(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0),
+ "a.pinning.example.com should not be HPKP"
+ );
+ });
+
// Test the normal case of processing HSTS and HPKP headers for
// a.pinning2.example.com, using "Forget About Site" on a.pinning2.example.com,
// and then checking that the platform doesn't consider a.pinning2.example.com
diff --git a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
index 24b32d6bc..ece1757ac 100644
--- a/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
+++ b/security/manager/ssl/tests/unit/test_ocsp_must_staple.js
@@ -28,6 +28,7 @@ function add_tests() {
PRErrorCodeSuccess, true);
add_test(() => {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 1);
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
let uri = Services.io.newURI("https://ocsp-stapling-must-staple-ee-with-must-staple-int.example.com",
@@ -45,6 +46,7 @@ function add_tests() {
// Clear accumulated state.
ssservice.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0);
+ Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
run_next_test();
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
index 4d3c2fac8..f18182002 100644
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@@ -246,6 +246,9 @@ function check_pinning_telemetry() {
}
function run_test() {
+ // Ensure that static pinning works when HPKP is disabled.
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", false);
+
add_tls_server_setup("BadCertServer", "bad_certs");
// Add a user-specified trust anchor.
diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
index 2c314b53a..7333ad6b3 100644
--- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js
+++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js
@@ -41,6 +41,7 @@ const NON_ISSUED_KEY_HASH = "KHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAN=";
const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
let stateFile = profileDir.clone();
diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
index fb4b32353..0dcf6993b 100644
--- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
+++ b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js
@@ -98,6 +98,7 @@ const REPORT_URI = "report-uri=\"https://www.example.com/report/\";";
const UNRECOGNIZED_DIRECTIVE = "unreconized-dir=12343;";
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("security.cert_pinning.enforcement_level", 2);
Services.prefs.setIntPref("security.cert_pinning.max_max_age_seconds", MAX_MAX_AGE_SECONDS);
Services.prefs.setBoolPref("security.cert_pinning.process_headers_from_non_builtin_roots", true);
@@ -138,4 +139,9 @@ function run_test() {
checkPassSettingPin(VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2 + REPORT_URI + INCLUDE_SUBDOMAINS);
checkPassSettingPin(INCLUDE_SUBDOMAINS + VALID_PIN1 + GOOD_MAX_AGE + BACKUP_PIN2);
checkPassSettingPin(GOOD_MAX_AGE + VALID_PIN1 + BACKUP_PIN1 + UNRECOGNIZED_DIRECTIVE);
+
+ Services.prefs.clearUserPref("security.cert_pinning.hpkp.enabled");
+ Services.prefs.clearUserPref("security.cert_pinning.enforcement_level");
+ Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
+ Services.prefs.clearUserPref("security.cert_pinning.process_headers_from_non_builtin_roots");
}
diff --git a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
index d4165f7f4..1ca277da4 100644
--- a/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
+++ b/security/manager/ssl/tests/unit/test_sss_readstate_garbage.js
@@ -31,6 +31,7 @@ function checkStateRead(aSubject, aTopic, aData) {
}
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
let profileDir = do_get_profile();
let stateFile = profileDir.clone();
stateFile.append(SSS_STATE_FILE_NAME);
diff --git a/security/manager/ssl/tests/unit/test_sss_savestate.js b/security/manager/ssl/tests/unit/test_sss_savestate.js
index a4d8b5297..fefa64ea6 100644
--- a/security/manager/ssl/tests/unit/test_sss_savestate.js
+++ b/security/manager/ssl/tests/unit/test_sss_savestate.js
@@ -96,6 +96,7 @@ function checkStateWritten(aSubject, aTopic, aData) {
}
function run_test() {
+ Services.prefs.setBoolPref("security.cert_pinning.hpkp.enabled", true);
Services.prefs.setIntPref("test.datastorage.write_timer_ms", 100);
gProfileDir = do_get_profile();
let SSService = Cc["@mozilla.org/ssservice;1"]