Trigger known interception infobar on CertStatus

This changes the known interception disclosure infobars to be triggered on the CERT_STATUS_KNOWN_INTERCEPTION_DETECTED flag (instead of being triggered on a test URL). This also updates the tests to set up a CRLSet for the embedded test server and use real navigations rather than triggering the disclosure infobars directly. Bug: 1014711 Change-Id: Iaac4fd7eb11ad448921905d842f5b409d21952d6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1929847 Commit-Queue: Christopher Thompson <cthomp@chromium.org> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Cr-Commit-Position: refs/heads/master@{#719818}

Trigger known interception infobar on CertStatus
This changes the known interception disclosure infobars to be triggered on the CERT_STATUS_KNOWN_INTERCEPTION_DETECTED flag (instead of being triggered on a test URL). This also updates the tests to set up a CRLSet for the embedded test server and use real navigations rather than triggering the disclosure infobars directly. Bug: 1014711 Change-Id: Iaac4fd7eb11ad448921905d842f5b409d21952d6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1929847 Commit-Queue: Christopher Thompson <cthomp@chromium.org> Reviewed-by: Mustafa Emre Acer <meacer@chromium.org> Cr-Commit-Position: refs/heads/master@{#719818}
68cdda6a · Christopher Thompson · Commit Bot · 2637a5d2 · 68cdda6a · 68cdda6a
Commit 68cdda6a authored Nov 28, 2019 by Christopher Thompson Committed by Commit Bot Nov 28, 2019
4 changed files
--- a/chrome/browser/ssl/known_interception_disclosure_infobar_browsertest.cc
+++ b/chrome/browser/ssl/known_interception_disclosure_infobar_browsertest.cc
@@ -2,7 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include "base/files/file_util.h"
 #include "base/test/simple_test_clock.h"
+#include "base/threading/thread_restrictions.h"
 #include "chrome/browser/infobars/infobar_service.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ssl/known_interception_disclosure_infobar_delegate.h"
@@ -11,6 +13,11 @@
 #include "chrome/test/base/ui_test_utils.h"
 #include "components/infobars/core/confirm_infobar_delegate.h"
 #include "components/infobars/core/infobar.h"
+#include "content/public/browser/network_service_instance.h"
+#include "content/public/test/browser_test_utils.h"
+#include "net/cert/crl_set.h"
+#include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/test_data_directory.h"
 #include "ui/base/window_open_disposition.h"
 namespace {
@@ -42,12 +49,44 @@ void CloseInfobar(content::WebContents* contents) {
 }  // namespace
-using KnownInterceptionDisclosureInfobarTest = InProcessBrowserTest;
+class KnownInterceptionDisclosureInfobarTest : public InProcessBrowserTest {
+ public:
+  KnownInterceptionDisclosureInfobarTest()
+      : https_server_(net::EmbeddedTestServer::TYPE_HTTPS) {
+    https_server_.AddDefaultHandlers(GetChromeTestDataDir());
+  }
+  KnownInterceptionDisclosureInfobarTest(
+      const KnownInterceptionDisclosureInfobarTest&) = delete;
+  KnownInterceptionDisclosureInfobarTest& operator=(
+      const KnownInterceptionDisclosureInfobarTest&) = delete;
+  void SetUpOnMainThread() override {
+    ASSERT_TRUE(https_server_.Start());
+    // Load a CRLSet that marks the root as a known MITM.
+    std::string crl_set_bytes;
+    {
+      base::ScopedAllowBlockingForTesting allow_blocking;
+      base::ReadFileToString(net::GetTestCertsDirectory().AppendASCII(
+                                 "crlset_known_interception_by_root.raw"),
+                             &crl_set_bytes);
+    }
+    network::mojom::NetworkService* network_service =
+        content::GetNetworkService();
+    DCHECK(network_service);
+    network_service->UpdateCRLSet(
+        base::as_bytes(base::make_span(crl_set_bytes)));
+    content::FlushNetworkServiceInstanceForTesting();
+  }
+ protected:
+  net::EmbeddedTestServer https_server_;
+};
 IN_PROC_BROWSER_TEST_F(KnownInterceptionDisclosureInfobarTest,
                       OnlyShowDisclosureOncePerSession) {
-  const GURL kTestUrl("https://badssl.com/test/monitoring-disclosure/");
+  const GURL kInterceptedUrl(https_server_.GetURL("/ssl/google.html"));
-  const GURL kOtherUrl("https://example.com");
  TabStripModel* tab_strip_model = browser()->tab_strip_model();
  content::WebContents* tab1 = tab_strip_model->GetActiveWebContents();
@@ -57,46 +96,51 @@ IN_PROC_BROWSER_TEST_F(KnownInterceptionDisclosureInfobarTest,
  KnownInterceptionDisclosureCooldown::GetInstance()->SetClockForTesting(
      std::unique_ptr<base::Clock>(clock));
-  // Trigger the disclosure infobar.
+  // Trigger the disclosure infobar by navigating to a page served by a root
-  MaybeShowKnownInterceptionDisclosureDialog(tab1, kTestUrl);
+  // marked as known interception.
+  ui_test_utils::NavigateToURL(browser(), kInterceptedUrl);
  EXPECT_EQ(1u, GetInfobarCount(tab1));
  // Test that the infobar is shown on new tabs after it has been triggered
  // once.
  ui_test_utils::NavigateToURLWithDisposition(
-      browser(), kOtherUrl, WindowOpenDisposition::NEW_FOREGROUND_TAB,
+      browser(), GURL("about:blank"), WindowOpenDisposition::NEW_FOREGROUND_TAB,
      ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
  content::WebContents* tab2 = tab_strip_model->GetActiveWebContents();
  EXPECT_EQ(1u, GetInfobarCount(tab2));
-  // Close the tab.
+  // Close the new tab.
  tab_strip_model->CloseWebContentsAt(tab_strip_model->active_index(),
                                      TabStripModel::CLOSE_USER_GESTURE);
+  // Reload the first page -- infobar should still show.
+  ui_test_utils::NavigateToURL(browser(), kInterceptedUrl);
+  EXPECT_EQ(1u, GetInfobarCount(tab1));
  // Dismiss the infobar.
  CloseInfobar(tab1);
  EXPECT_EQ(0u, GetInfobarCount(tab1));
-  // Try to trigger again -- infobar should not show.
+  // Try to trigger again by reloading the page -- infobar should not show.
-  MaybeShowKnownInterceptionDisclosureDialog(tab1, kTestUrl);
+  ui_test_utils::NavigateToURL(browser(), kInterceptedUrl);
  EXPECT_EQ(0u, GetInfobarCount(tab1));
  // Move clock ahead 8 days.
  clock->Advance(base::TimeDelta::FromDays(8));
  // Trigger the infobar again -- infobar should show again.
-  MaybeShowKnownInterceptionDisclosureDialog(tab1, kTestUrl);
+  ui_test_utils::NavigateToURL(browser(), kInterceptedUrl);
  EXPECT_EQ(1u, GetInfobarCount(tab1));
 }
 IN_PROC_BROWSER_TEST_F(KnownInterceptionDisclosureInfobarTest,
                       PRE_CooldownResetsOnBrowserRestartDesktop) {
-  const GURL kTestUrl("https://badssl.com/test/monitoring-disclosure/");
+  const GURL kInterceptedUrl(https_server_.GetURL("/ssl/google.html"));
  // Trigger the disclosure infobar.
  content::WebContents* tab =
      browser()->tab_strip_model()->GetActiveWebContents();
-  MaybeShowKnownInterceptionDisclosureDialog(tab, kTestUrl);
+  ui_test_utils::NavigateToURL(browser(), kInterceptedUrl);
  EXPECT_EQ(1u, GetInfobarCount(tab));
  // Dismiss the infobar.
@@ -106,7 +150,7 @@ IN_PROC_BROWSER_TEST_F(KnownInterceptionDisclosureInfobarTest,
 IN_PROC_BROWSER_TEST_F(KnownInterceptionDisclosureInfobarTest,
                       CooldownResetsOnBrowserRestartDesktop) {
-  const GURL kTestUrl("https://badssl.com/test/monitoring-disclosure/");
+  const GURL kInterceptedUrl(https_server_.GetURL("/ssl/google.html"));
  // On restart, no infobar should be shown initially.
  content::WebContents* tab =
@@ -115,6 +159,6 @@ IN_PROC_BROWSER_TEST_F(KnownInterceptionDisclosureInfobarTest,
  // Triggering the disclosure infobar again after browser restart should show
  // the infobar (the cooldown period should no longer apply on Desktop).
-  MaybeShowKnownInterceptionDisclosureDialog(tab, kTestUrl);
+  ui_test_utils::NavigateToURL(browser(), kInterceptedUrl);
  EXPECT_EQ(1u, GetInfobarCount(tab));
 }
--- a/chrome/browser/ssl/known_interception_disclosure_infobar_delegate.cc
+++ b/chrome/browser/ssl/known_interception_disclosure_infobar_delegate.cc
@@ -82,12 +82,10 @@ KnownInterceptionDisclosureCooldown::~KnownInterceptionDisclosureCooldown() =
 void MaybeShowKnownInterceptionDisclosureDialog(
    content::WebContents* web_contents,
-    const GURL& url) {
+    net::CertStatus cert_status) {
-  // TODO(cthomp): Replace this with triggering on the new CertStatus flag.
  KnownInterceptionDisclosureCooldown* disclosure_tracker =
      KnownInterceptionDisclosureCooldown::GetInstance();
-  constexpr char kTestUrl[] = "https://badssl.com/test/monitoring-disclosure/";
+  if (!(cert_status & net::CERT_STATUS_KNOWN_INTERCEPTION_DETECTED) &&
-  if (!url.EqualsIgnoringRef(GURL(kTestUrl)) &&
      !disclosure_tracker->get_has_seen_known_interception()) {
    return;
  }

--- a/chrome/browser/ssl/known_interception_disclosure_infobar_delegate.h
+++ b/chrome/browser/ssl/known_interception_disclosure_infobar_delegate.h
@@ -10,6 +10,7 @@
 #include "build/build_config.h"
 #include "components/infobars/core/confirm_infobar_delegate.h"
 #include "components/infobars/core/infobar_delegate.h"
+#include "net/cert/cert_status_flags.h"
 #include "url/gurl.h"
 namespace base {
@@ -62,7 +63,7 @@ class KnownInterceptionDisclosureCooldown {
 // dismissed.
 void MaybeShowKnownInterceptionDisclosureDialog(
    content::WebContents* web_contents,
-    const GURL& url);
+    net::CertStatus cert_status);
 class KnownInterceptionDisclosureInfoBarDelegate
    : public ConfirmInfoBarDelegate {

--- a/chrome/browser/ssl/security_state_tab_helper.cc
+++ b/chrome/browser/ssl/security_state_tab_helper.cc
@@ -216,9 +216,8 @@ void SecurityStateTabHelper::DidFinishNavigation(
    UMA_HISTOGRAM_BOOLEAN("interstitial.ssl.visited_site_after_warning", true);
  }
-  // TODO(cthomp): Replace this with triggering on the new CertStatus flag.
+  MaybeShowKnownInterceptionDisclosureDialog(
-  MaybeShowKnownInterceptionDisclosureDialog(web_contents(),
+      web_contents(), visible_security_state->cert_status);
-                                             navigation_handle->GetURL());
 }
 void SecurityStateTabHelper::DidChangeVisibleSecurityState() {