Bug 1564221 - Do not use FakeTransportSecurityInfo in test_sss_enumerate.js r=keeler

As part of making `nsITranportSecurityInfo` builtinclass, we can no longer use JS-implemented `nsITransportSecurityInfo` instances in test cases. This patch migrates `test_sss_enumerate.js` to use `add_connection_test()` to get a valid `nsITransportSecurityInfo` instance for the unit tests. Differential Revision: https://phabricator.services.mozilla.com/D40350 --HG-- extra : moz-landing-system : lando
2019-08-06 16:17:35 +00:00 · 2019-08-06 16:17:35 +00:00 · e7f9be23da
--- a/security/manager/ssl/tests/unit/test_sss_enumerate.js
+++ b/security/manager/ssl/tests/unit/test_sss_enumerate.js
@ -3,6 +3,8 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 "use strict";

+do_get_profile(); // must be done before instantiating nsIX509CertDB
+
 // This had better not be larger than the maximum maxAge for HPKP.
 const NON_ISSUED_KEY_HASH = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
 const PINNING_ROOT_KEY_HASH = "VCIlmPM9NkgFQtrs4Oa5TeFcDu6MWRTKSNdePEhOgD8=";
@ -10,78 +12,19 @@ const KEY_HASHES = [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH];
 const SECS_IN_A_WEEK = 7 * 24 * 60 * 60 * 1000;
 const TESTCASES = [
  {
-    hostname: "a.pinning2.example.com",
+    hostname: "a.pinning.example.com",
    includeSubdomains: true,
    expireTime: Date.now() + 12 * SECS_IN_A_WEEK * 1000,
  },
  {
-    hostname: "b.pinning2.example.com",
+    hostname: "b.pinning.example.com",
    includeSubdomains: false,
    expireTime: Date.now() + 13 * SECS_IN_A_WEEK * 1000,
  },
 ].sort((a, b) => a.expireTime - b.expireTime);

-registerCleanupFunction(() => {
-  Services.prefs.clearUserPref(
-    "security.cert_pinning.process_headers_from_non_builtin_roots"
-  );
-  Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
-});
-
-do_get_profile();
-
-Services.prefs.setBoolPref(
-  "security.cert_pinning.process_headers_from_non_builtin_roots",
-  true
-);
-Services.prefs.setIntPref(
-  "security.cert_pinning.max_max_age_seconds",
-  20 * SECS_IN_A_WEEK
-);
-
-let certdb = Cc["@mozilla.org/security/x509certdb;1"].getService(
-  Ci.nsIX509CertDB
-);
-addCertFromFile(certdb, "test_pinning_dynamic/pinningroot.pem", "CTu,CTu,CTu");
-
 let sss = Cc["@mozilla.org/ssservice;1"].getService(Ci.nsISiteSecurityService);

-function insertEntries() {
-  for (let testcase of TESTCASES) {
-    let uri = Services.io.newURI("https://" + testcase.hostname);
-    let secInfo = new FakeTransportSecurityInfo(
-      constructCertFromFile(
-        `test_pinning_dynamic/${testcase.hostname}-pinningroot.pem`
-      )
-    );
-    // MaxAge is in seconds.
-    let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
-    let header = `max-age=${maxAge}`;
-    if (testcase.includeSubdomains) {
-      header += "; includeSubdomains";
-    }
-    sss.processHeader(
-      Ci.nsISiteSecurityService.HEADER_HSTS,
-      uri,
-      header,
-      secInfo,
-      0,
-      Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
-    );
-    for (let key of KEY_HASHES) {
-      header += `; pin-sha256="${key}"`;
-    }
-    sss.processHeader(
-      Ci.nsISiteSecurityService.HEADER_HPKP,
-      uri,
-      header,
-      secInfo,
-      0,
-      Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
-    );
-  }
-}
-
 function getEntries(type) {
  return Array.from(sss.enumerate(type));
 }
@ -129,23 +72,84 @@ function checkSha256Keys(hpkpEntries) {
  }
 }

-function run_test() {
+registerCleanupFunction(() => {
+  Services.prefs.clearUserPref(
+    "security.cert_pinning.process_headers_from_non_builtin_roots"
+  );
+  Services.prefs.clearUserPref("security.cert_pinning.max_max_age_seconds");
+});
+
+function add_tests() {
  sss.clearAll();

-  insertEntries();
+  for (const testcase of TESTCASES) {
+    add_connection_test(
+      testcase.hostname,
+      PRErrorCodeSuccess,
+      undefined,
+      function insertEntry(secInfo) {
+        const uri = Services.io.newURI(`https://${testcase.hostname}`);

-  let hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
-  let hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
+        // MaxAge is in seconds.
+        let maxAge = Math.round((testcase.expireTime - Date.now()) / 1000);
+        let header = `max-age=${maxAge}`;
+        if (testcase.includeSubdomains) {
+          header += "; includeSubdomains";
+        }
+        sss.processHeader(
+          Ci.nsISiteSecurityService.HEADER_HSTS,
+          uri,
+          header,
+          secInfo,
+          0,
+          Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
+        );
+        for (let key of KEY_HASHES) {
+          header += `; pin-sha256="${key}"`;
+        }
+        sss.processHeader(
+          Ci.nsISiteSecurityService.HEADER_HPKP,
+          uri,
+          header,
+          secInfo,
+          0,
+          Ci.nsISiteSecurityService.SOURCE_ORGANIC_REQUEST
+        );
+      }
+    );
+  }

-  checkSiteSecurityStateAttrs(hstsEntries);
-  checkSiteSecurityStateAttrs(hpkpEntries);
+  add_task(() => {
+    let hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
+    let hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);

-  checkSha256Keys(hpkpEntries);
+    checkSiteSecurityStateAttrs(hstsEntries);
+    checkSiteSecurityStateAttrs(hpkpEntries);

-  sss.clearAll();
-  hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
-  hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
+    checkSha256Keys(hpkpEntries);

-  equal(hstsEntries.length, 0, "Should clear all HSTS entries");
-  equal(hpkpEntries.length, 0, "Should clear all HPKP entries");
+    sss.clearAll();
+    hstsEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HSTS);
+    hpkpEntries = getEntries(Ci.nsISiteSecurityService.HEADER_HPKP);
+
+    equal(hstsEntries.length, 0, "Should clear all HSTS entries");
+    equal(hpkpEntries.length, 0, "Should clear all HPKP entries");
+  });
+}
+
+function run_test() {
+  Services.prefs.setBoolPref(
+    "security.cert_pinning.process_headers_from_non_builtin_roots",
+    true
+  );
+  Services.prefs.setIntPref(
+    "security.cert_pinning.max_max_age_seconds",
+    20 * SECS_IN_A_WEEK
+  );
+
+  add_tls_server_setup("BadCertAndPinningServer", "bad_certs");
+
+  add_tests();
+
+  run_next_test();
 }
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertAndPinningServer.cpp
@ -84,6 +84,7 @@ const BadCertAndPinningHost sBadCertAndPinningHosts[] = {
    {"imminently-distrusted.example.com", "ee-imminently-distrusted"},
    {"localhost", "unknownissuer"},
    {"a.pinning.example.com", "default-ee"},
+    {"b.pinning.example.com", "default-ee"},
    {nullptr, nullptr}};

 int32_t DoSNISocketConfigBySubjectCN(PRFileDesc* aFd,
--- a/security/manager/ssl/tests/unit/xpcshell.ini
+++ b/security/manager/ssl/tests/unit/xpcshell.ini
@ -191,6 +191,7 @@ run-sequentially = hardcoded ports
 [test_ssl_status.js]
 run-sequentially = hardcoded ports
 [test_sss_enumerate.js]
+run-sequentially = hardcoded ports
 [test_sss_eviction.js]
 [test_sss_originAttributes.js]
 [test_sss_readstate.js]