зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1512451
- Read OneCRL blocklist from security-states/onecrl r=jcj,mgoodwin,glasserc
Read OneCRL blocklist from security-states/onecrl Differential Revision: https://phabricator.services.mozilla.com/D23645 --HG-- rename : services/common/tests/unit/test_blocklist_certificates.js => services/common/tests/unit/test_blocklist_onecrl.js extra : moz-landing-system : lando
Родитель
cc3ea31460
Коммит
6e4798bb72
|
@ -291,6 +291,7 @@
|
|||
@RESPATH@/browser/defaults/settings/blocklists
|
||||
@RESPATH@/browser/defaults/settings/pinning
|
||||
@RESPATH@/browser/defaults/settings/main
|
||||
@RESPATH@/browser/defaults/settings/security-state
|
||||
|
||||
; Warning: changing the path to channel-prefs.js can cause bugs (Bug 756325)
|
||||
; Technically this is an app pref file, but we are keeping it in the original
|
||||
|
|
|
@ -95,7 +95,7 @@
|
|||
@BINPATH@/platform.ini
|
||||
@BINPATH@/blocklist.xml
|
||||
@BINPATH@/defaults/settings/blocklists/addons.json
|
||||
@BINPATH@/defaults/settings/blocklists/certificates.json
|
||||
@BINPATH@/defaults/settings/security-state/onecrl.json
|
||||
|
||||
; [Components]
|
||||
@BINPATH@/components/components.manifest
|
||||
|
|
|
@ -2780,6 +2780,12 @@ pref("services.settings.default_signer", "remote-settings.content-signature.mozi
|
|||
// other channels always report events.
|
||||
pref("services.common.uptake.sampleRate", 1); // 1%
|
||||
|
||||
// Security state OneCRL.
|
||||
pref("services.settings.security.onecrl.bucket", "security-state");
|
||||
pref("services.settings.security.onecrl.collection", "onecrl");
|
||||
pref("services.settings.security.onecrl.signer", "onecrl.content-signature.mozilla.org");
|
||||
pref("services.settings.security.onecrl.checked", 0);
|
||||
|
||||
// Blocklist preferences
|
||||
pref("extensions.blocklist.enabled", true);
|
||||
// OneCRL freshness checking depends on this value, so if you change it,
|
||||
|
@ -2796,9 +2802,6 @@ pref("extensions.blocklist.itemURL", "https://blocked.cdn.mozilla.net/%blockID%.
|
|||
pref("extensions.blocklist.level", 2);
|
||||
// Blocklist via settings server (Kinto)
|
||||
pref("services.blocklist.bucket", "blocklists");
|
||||
pref("services.blocklist.onecrl.collection", "certificates");
|
||||
pref("services.blocklist.onecrl.checked", 0);
|
||||
pref("services.blocklist.onecrl.signer", "onecrl.content-signature.mozilla.org");
|
||||
pref("services.blocklist.addons.collection", "addons");
|
||||
pref("services.blocklist.addons.checked", 0);
|
||||
pref("services.blocklist.addons.signer", "remote-settings.content-signature.mozilla.org");
|
||||
|
|
|
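Review bot: The second hunk removes the old `services.blocklist.onecrl.*` prefs with no visible migration, so a value that a profile or policy had set for `services.blocklist.onecrl.checked` or `services.blocklist.onecrl.signer` is silently ignored after upgrade and stays behind as an orphaned user pref. Because `services.settings.security.onecrl.checked` defaults to 0, OneCRL will presumably be treated as stale until the first successful sync. Judging by the xpcshell tests in this commit, that means OCSP is not skipped, which is the conservative direction, but it is not stated anywhere. I would add a comment above the new block, e.g. `// Replaces services.blocklist.onecrl.*; "checked" stays 0 (treated as stale) until the first successful sync.`, and clear the old user prefs if that is not already done elsewhere.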
@ -389,7 +389,7 @@ impl SecurityState {
|
|||
|
||||
pub fn is_blocklist_fresh(&self) -> Result<bool, SecurityStateError> {
|
||||
self.is_data_fresh(
|
||||
"services.blocklist.onecrl.checked",
|
||||
"services.settings.security.onecrl.checked",
|
||||
"security.onecrl.maximum_staleness_in_seconds",
|
||||
)
|
||||
}
|
||||
|
@ -661,7 +661,7 @@ struct InitCertStorage {
|
|||
impl CertStorage {
|
||||
unsafe fn setup_prefs(&self) -> Result<(), SecurityStateError> {
|
||||
let int_prefs = [
|
||||
"services.blocklist.onecrl.checked",
|
||||
"services.settings.security.onecrl.checked",
|
||||
"services.blocklist.intermediates.checked",
|
||||
"services.blocklist.crlite.checked",
|
||||
"security.onecrl.maximum_staleness_in_seconds",
|
||||
|
|
|
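Review bot: The pref name `"services.settings.security.onecrl.checked"` is now written out twice in this file, once in `is_blocklist_fresh` and once in the `int_prefs` list of `setup_prefs`, and the two literals must stay identical for the freshness check to read the value that setup handles. The tests in this commit tie this timestamp to whether OCSP is skipped for intermediates, so a one-sided rename would be a quiet security regression. A shared constant, `const PREF_ONECRL_CHECKED: &str = "services.settings.security.onecrl.checked";`, used at both sites would rule that out. The neighbouring `services.blocklist.intermediates.checked` and `services.blocklist.crlite.checked` entries keep the old namespace, and it is not visible here whether that is intended. `setup_prefs` continues past the end of the hunk.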
@ -56,8 +56,8 @@ const kintoChangesJSON = `{
|
|||
"host": "firefox.settings.services.mozilla.com",
|
||||
"id": "3ace9d8e-00b5-a353-7fd5-1f081ff482ba",
|
||||
"last_modified": 100000000000000000001,
|
||||
"bucket": "blocklists",
|
||||
"collection": "certificates"
|
||||
"bucket": "security-state",
|
||||
"collection": "onecrl"
|
||||
}
|
||||
]
|
||||
}`;
|
||||
|
@ -147,9 +147,9 @@ testserver.registerPathHandler("/v1/",
|
|||
serveResponse(kintoHelloViewJSON));
|
||||
testserver.registerPathHandler("/v1/buckets/monitor/collections/changes/records",
|
||||
serveResponse(kintoChangesJSON));
|
||||
testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates",
|
||||
testserver.registerPathHandler("/v1/buckets/security-state/collections/onecrl",
|
||||
serveResponse(certMetadataJSON));
|
||||
testserver.registerPathHandler("/v1/buckets/blocklists/collections/certificates/records",
|
||||
testserver.registerPathHandler("/v1/buckets/security-state/collections/onecrl/records",
|
||||
serveResponse(certBlocklistJSON));
|
||||
|
||||
// start the test server
|
||||
|
|
|
@ -245,7 +245,7 @@ add_task(async function oneCRLTests() {
|
|||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// set the blocklist-background-update-timer value to the recent past
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Services.prefs.setIntPref("services.settings.security.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
Services.prefs.setIntPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
|
@ -269,7 +269,7 @@ add_task(async function oneCRLTests() {
|
|||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// set the blocklist-background-update-timer value to the more distant past
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
Services.prefs.setIntPref("services.settings.security.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 108080);
|
||||
Services.prefs.setIntPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
|
@ -279,13 +279,13 @@ add_task(async function oneCRLTests() {
|
|||
await ensureVerifiesAsEV("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
// test the OCSP behavior when services.blocklist.onecrl.checked is in the
|
||||
// test the OCSP behavior when services.settings.security.onecrl.checked is in the
|
||||
// distant past and blacklist-background-update-timer is recent
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// set the blocklist-background-update-timer value to the recent past
|
||||
// (services.blocklist.onecrl.checked defaults to 0)
|
||||
// (services.settings.security.onecrl.checked defaults to 0)
|
||||
Services.prefs.setIntPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
|
@ -295,19 +295,19 @@ add_task(async function oneCRLTests() {
|
|||
await ensureVerifiesAsEV("test-oid-path");
|
||||
|
||||
clearOCSPCache();
|
||||
// test the OCSP behavior when services.blocklist.onecrl.checked is recent
|
||||
// test the OCSP behavior when services.settings.security.onecrl.checked is recent
|
||||
// enable OneCRL OCSP skipping - allow staleness of up to 30 hours
|
||||
Services.prefs.setIntPref("security.onecrl.maximum_staleness_in_seconds",
|
||||
108000);
|
||||
// now set services.blocklist.onecrl.checked to a recent value
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked",
|
||||
// now set services.settings.security.onecrl.checked to a recent value
|
||||
Services.prefs.setIntPref("services.settings.security.onecrl.checked",
|
||||
Math.floor(Date.now() / 1000) - 1);
|
||||
await ensureOneCRLSkipsOCSPForIntermediates("anyPolicy-int-path");
|
||||
await ensureOneCRLSkipsOCSPForIntermediates("no-ocsp-int-path");
|
||||
await ensureOneCRLSkipsOCSPForIntermediates("test-oid-path");
|
||||
|
||||
Services.prefs.clearUserPref("security.onecrl.maximum_staleness_in_seconds");
|
||||
Services.prefs.clearUserPref("services.blocklist.onecrl.checked");
|
||||
Services.prefs.clearUserPref("services.settings.security.onecrl.checked");
|
||||
Services.prefs.clearUserPref(
|
||||
"app.update.lastUpdateTime.blocklist-background-update-timer");
|
||||
});
|
||||
|
|
|
@ -15,10 +15,12 @@ const { OS } = ChromeUtils.import("resource://gre/modules/osfile.jsm");
|
|||
ChromeUtils.defineModuleGetter(this, "RemoteSettings", "resource://services-settings/remote-settings.js");
|
||||
ChromeUtils.defineModuleGetter(this, "jexlFilterFunc", "resource://services-settings/remote-settings.js");
|
||||
|
||||
const PREF_SECURITY_SETTINGS_ONECRL_BUCKET = "services.settings.security.onecrl.bucket";
|
||||
const PREF_SECURITY_SETTINGS_ONECRL_COLLECTION = "services.settings.security.onecrl.collection";
|
||||
const PREF_SECURITY_SETTINGS_ONECRL_SIGNER = "services.settings.security.onecrl.signer";
|
||||
const PREF_SECURITY_SETTINGS_ONECRL_CHECKED = "services.settings.security.onecrl.checked";
|
||||
|
||||
const PREF_BLOCKLIST_BUCKET = "services.blocklist.bucket";
|
||||
const PREF_BLOCKLIST_ONECRL_COLLECTION = "services.blocklist.onecrl.collection";
|
||||
const PREF_BLOCKLIST_ONECRL_CHECKED_SECONDS = "services.blocklist.onecrl.checked";
|
||||
const PREF_BLOCKLIST_ONECRL_SIGNER = "services.blocklist.onecrl.signer";
|
||||
const PREF_BLOCKLIST_ADDONS_COLLECTION = "services.blocklist.addons.collection";
|
||||
const PREF_BLOCKLIST_ADDONS_CHECKED_SECONDS = "services.blocklist.addons.checked";
|
||||
const PREF_BLOCKLIST_ADDONS_SIGNER = "services.blocklist.addons.signer";
|
||||
|
@ -198,10 +200,10 @@ var PluginBlocklistClient;
|
|||
var RemoteSecuritySettingsClient;
|
||||
|
||||
function initialize() {
|
||||
OneCRLBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_BLOCKLIST_ONECRL_COLLECTION), {
|
||||
bucketNamePref: PREF_BLOCKLIST_BUCKET,
|
||||
lastCheckTimePref: PREF_BLOCKLIST_ONECRL_CHECKED_SECONDS,
|
||||
signerName: Services.prefs.getCharPref(PREF_BLOCKLIST_ONECRL_SIGNER),
|
||||
OneCRLBlocklistClient = RemoteSettings(Services.prefs.getCharPref(PREF_SECURITY_SETTINGS_ONECRL_COLLECTION), {
|
||||
bucketNamePref: PREF_SECURITY_SETTINGS_ONECRL_BUCKET,
|
||||
lastCheckTimePref: PREF_SECURITY_SETTINGS_ONECRL_CHECKED,
|
||||
signerName: Services.prefs.getCharPref(PREF_SECURITY_SETTINGS_ONECRL_SIGNER),
|
||||
});
|
||||
OneCRLBlocklistClient.on("sync", updateCertBlocklist);
|
||||
|
||||
|
|
|
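Review bot: `initialize()` reads the OneCRL collection and signer with `Services.prefs.getCharPref(...)` and no fallback, so an application or test profile that lacks the new `services.settings.security.onecrl.*` defaults would throw at this call. Assuming the other clients are created later in the same function (it continues past the end of the hunk), they would then not be set up either. The signer name selects which content-signature identity is accepted for the collection, so failing loudly is preferable to a silent default, but the failure should not take the add-on and plugin blocklist clients down with it. Consider creating the OneCRL client inside its own `try`/`catch` that reports the error, or add a comment stating that these prefs are mandatory and where they are defined.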
@ -14,7 +14,7 @@ let server;
|
|||
// xpcshell tests under /services/common
|
||||
add_task(async function test_something() {
|
||||
const configPath = "/v1/";
|
||||
const recordsPath = "/v1/buckets/blocklists/collections/certificates/records";
|
||||
const recordsPath = "/v1/buckets/security-state/collections/onecrl/records";
|
||||
|
||||
const dummyServerURL = `http://localhost:${server.identity.primaryPort}/v1`;
|
||||
Services.prefs.setCharPref("services.settings.server", dummyServerURL);
|
||||
|
@ -48,8 +48,8 @@ add_task(async function test_something() {
|
|||
server.registerPathHandler(configPath, handleResponse);
|
||||
server.registerPathHandler(recordsPath, handleResponse);
|
||||
|
||||
// Test an empty db populates
|
||||
await OneCRLBlocklistClient.maybeSync(2000);
|
||||
// Test an empty db populates from JSON dump.
|
||||
await OneCRLBlocklistClient.maybeSync(42);
|
||||
|
||||
// Open the collection, verify it's been populated:
|
||||
const list = await OneCRLBlocklistClient.get();
|
||||
|
@ -59,7 +59,7 @@ add_task(async function test_something() {
|
|||
|
||||
// No sync will be intented if maybeSync() is up-to-date.
|
||||
Services.prefs.clearUserPref("services.settings.server");
|
||||
Services.prefs.setIntPref("services.blocklist.onecrl.checked", 0);
|
||||
Services.prefs.setIntPref("services.settings.security.onecrl.checked", 0);
|
||||
// Use any last_modified older than highest shipped in JSON dump.
|
||||
await OneCRLBlocklistClient.maybeSync(123456);
|
||||
|
||||
|
@ -154,18 +154,7 @@ function getSampleResponse(req, port) {
|
|||
"hello": "kinto",
|
||||
}),
|
||||
},
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_sort=-last_modified": {
|
||||
"sampleHeaders": [
|
||||
"Access-Control-Allow-Origin: *",
|
||||
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
|
||||
"Content-Type: application/json; charset=UTF-8",
|
||||
"Server: waitress",
|
||||
"Etag: \"1000\"",
|
||||
],
|
||||
"status": {status: 200, statusText: "OK"},
|
||||
"responseBody": JSON.stringify({"data": [{}]}),
|
||||
},
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=2000&_sort=-last_modified&_since=1000": {
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=2000&_sort=-last_modified&_since=1000": {
|
||||
"sampleHeaders": [
|
||||
"Access-Control-Allow-Origin: *",
|
||||
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
|
||||
|
@ -181,7 +170,7 @@ function getSampleResponse(req, port) {
|
|||
"last_modified": 3000,
|
||||
}]}),
|
||||
},
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=4000&_sort=-last_modified&_since=3000": {
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=4000&_sort=-last_modified&_since=3000": {
|
||||
"sampleHeaders": [
|
||||
"Access-Control-Allow-Origin: *",
|
||||
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
|
||||
|
@ -202,7 +191,7 @@ function getSampleResponse(req, port) {
|
|||
"last_modified": 4000,
|
||||
}]}),
|
||||
},
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified&_since=4000": {
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified&_since=4000": {
|
||||
"sampleHeaders": [
|
||||
"Access-Control-Allow-Origin: *",
|
||||
"Access-Control-Expose-Headers: Retry-After, Content-Length, Alert, Backoff",
|
|
@ -280,9 +280,9 @@ add_task(async function test_check_signatures() {
|
|||
const emptyCollectionResponses = {
|
||||
"GET:/test_blocklist_signatures/test_cert_chain.pem?": [RESPONSE_CERT_CHAIN],
|
||||
"GET:/v1/?": [RESPONSE_SERVER_SETTINGS],
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=1000&_sort=-last_modified":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=1000&_sort=-last_modified":
|
||||
[RESPONSE_EMPTY_INITIAL],
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=1000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=1000":
|
||||
[RESPONSE_META_EMPTY_SIG],
|
||||
};
|
||||
|
||||
|
@ -326,9 +326,9 @@ add_task(async function test_check_signatures() {
|
|||
"RESPONSE_META_TWO_ITEMS_SIG");
|
||||
|
||||
const twoItemsResponses = {
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=3000&_sort=-last_modified&_since=1000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=3000&_sort=-last_modified&_since=1000":
|
||||
[RESPONSE_TWO_ADDED],
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=3000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=3000":
|
||||
[RESPONSE_META_TWO_ITEMS_SIG],
|
||||
};
|
||||
registerHandlers(twoItemsResponses);
|
||||
|
@ -358,9 +358,9 @@ add_task(async function test_check_signatures() {
|
|||
"RESPONSE_META_THREE_ITEMS_SIG");
|
||||
|
||||
const oneAddedOneRemovedResponses = {
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=4000&_sort=-last_modified&_since=3000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=4000&_sort=-last_modified&_since=3000":
|
||||
[RESPONSE_ONE_ADDED_ONE_REMOVED],
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=4000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=4000":
|
||||
[RESPONSE_META_THREE_ITEMS_SIG],
|
||||
};
|
||||
registerHandlers(oneAddedOneRemovedResponses);
|
||||
|
@ -380,9 +380,9 @@ add_task(async function test_check_signatures() {
|
|||
};
|
||||
|
||||
const noOpResponses = {
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=4100&_sort=-last_modified&_since=4000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=4100&_sort=-last_modified&_since=4000":
|
||||
[RESPONSE_EMPTY_NO_UPDATE],
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=4100":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=4100":
|
||||
[RESPONSE_META_THREE_ITEMS_SIG],
|
||||
};
|
||||
registerHandlers(noOpResponses);
|
||||
|
@ -423,20 +423,20 @@ add_task(async function test_check_signatures() {
|
|||
// In this test, we deliberately serve a bad signature initially. The
|
||||
// subsequent signature returned is a valid one for the three item
|
||||
// collection.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=5000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=5000":
|
||||
[RESPONSE_META_BAD_SIG, RESPONSE_META_THREE_ITEMS_SIG],
|
||||
// The first collection state is the three item collection (since
|
||||
// there's a sync with no updates) - but, since the signature is wrong,
|
||||
// another request will be made...
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified&_since=4000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified&_since=4000":
|
||||
[RESPONSE_EMPTY_NO_UPDATE],
|
||||
// The next request is for the full collection. This will be checked
|
||||
// against the valid signature - so the sync should succeed.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_sort=-last_modified":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_sort=-last_modified":
|
||||
[RESPONSE_COMPLETE_INITIAL],
|
||||
// The next request is for the full collection sorted by id. This will be
|
||||
// checked against the valid signature - so the sync should succeed.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=id":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=id":
|
||||
[RESPONSE_COMPLETE_INITIAL_SORTED_BY_ID],
|
||||
};
|
||||
|
||||
|
@ -466,17 +466,17 @@ add_task(async function test_check_signatures() {
|
|||
// In this test, we deliberately serve a bad signature initially. The
|
||||
// subsequent sitnature returned is a valid one for the three item
|
||||
// collection.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=5000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=5000":
|
||||
[RESPONSE_META_BAD_SIG, RESPONSE_META_EMPTY_SIG],
|
||||
// The first collection state is the current state (since there's no update
|
||||
// - but, since the signature is wrong, another request will be made)
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified&_since=4000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified&_since=4000":
|
||||
[RESPONSE_EMPTY_NO_UPDATE],
|
||||
// The next request is for the full collection sorted by id. This will be
|
||||
// checked against the valid signature and last_modified times will be
|
||||
// compared. Sync should fail, even though the signature is good,
|
||||
// because the local collection is newer.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=id":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=id":
|
||||
[RESPONSE_EMPTY_INITIAL],
|
||||
};
|
||||
|
||||
|
@ -498,15 +498,15 @@ add_task(async function test_check_signatures() {
|
|||
// In this test, we deliberately serve a bad signature initially. The
|
||||
// subsequent signature returned is a valid one for the three item
|
||||
// collection.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=5000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=5000":
|
||||
[RESPONSE_META_BAD_SIG, RESPONSE_META_THREE_ITEMS_SIG],
|
||||
// The next request is for the full collection. This will be checked
|
||||
// against the valid signature - so the sync should succeed.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=-last_modified":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=-last_modified":
|
||||
[RESPONSE_COMPLETE_INITIAL],
|
||||
// The next request is for the full collection sorted by id. This will be
|
||||
// checked against the valid signature - so the sync should succeed.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=5000&_sort=id":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=5000&_sort=id":
|
||||
[RESPONSE_COMPLETE_INITIAL_SORTED_BY_ID],
|
||||
};
|
||||
|
||||
|
@ -539,16 +539,16 @@ add_task(async function test_check_signatures() {
|
|||
|
||||
const allBadSigResponses = {
|
||||
// In this test, we deliberately serve only a bad signature.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=6000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=6000":
|
||||
[RESPONSE_META_BAD_SIG],
|
||||
// The first collection state is the three item collection (since
|
||||
// there's a sync with no updates) - but, since the signature is wrong,
|
||||
// another request will be made...
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=6000&_sort=-last_modified&_since=4000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=6000&_sort=-last_modified&_since=4000":
|
||||
[RESPONSE_EMPTY_NO_UPDATE],
|
||||
// The next request is for the full collection sorted by id. This will be
|
||||
// checked against the valid signature - so the sync should succeed.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates/records?_expected=6000&_sort=id":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl/records?_expected=6000&_sort=id":
|
||||
[RESPONSE_COMPLETE_INITIAL_SORTED_BY_ID],
|
||||
};
|
||||
|
||||
|
@ -570,7 +570,7 @@ add_task(async function test_check_signatures() {
|
|||
const missingSigResponses = {
|
||||
// In this test, we deliberately serve metadata without the signature attribute.
|
||||
// As if the collection was not signed.
|
||||
"GET:/v1/buckets/blocklists/collections/certificates?_expected=6000":
|
||||
"GET:/v1/buckets/security-state/collections/onecrl?_expected=6000":
|
||||
[RESPONSE_META_NO_SIG],
|
||||
};
|
||||
|
||||
|
|
|
@ -8,7 +8,7 @@ support-files =
|
|||
# Test load modules first so syntax failures are caught early.
|
||||
[test_load_modules.js]
|
||||
|
||||
[test_blocklist_certificates.js]
|
||||
[test_blocklist_onecrl.js]
|
||||
# Skip signature tests for Thunderbird (Bug 1341983).
|
||||
skip-if = appname == "thunderbird"
|
||||
tags = blocklist
|
||||
|
|
|
@ -8,7 +8,6 @@ with Files('**'):
|
|||
BUG_COMPONENT = ('Toolkit', 'Blocklist Implementation')
|
||||
|
||||
FINAL_TARGET_FILES.defaults.settings.blocklists += ['addons.json',
|
||||
'certificates.json',
|
||||
'gfx.json',
|
||||
'plugins.json']
|
||||
|
||||
|
|
|
@ -3,7 +3,8 @@
|
|||
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
|
||||
|
||||
FINAL_TARGET_FILES.defaults.settings['security-state'] += [
|
||||
'intermediates.json'
|
||||
'intermediates.json',
|
||||
'onecrl.json',
|
||||
]
|
||||
|
||||
if CONFIG['MOZ_BUILD_APP'] == 'browser':
|
||||
|
|
Различия файлов скрыты, потому что одна или несколько строк слишком длинны