Trust Tokens: Add parameter enumeration and serialization in test utils

This CL adds common test utility code generating and serializing
combinations of Trust Token API parameters
(https://github.com/wicg/trust-token-api). This is so that the same code
can parameterize
1. the integration tests in trust_token_parameters_browsertest.cc, which
verify that JS parameters' values are correctly reflected in the network
stack, and
2. the iframe attribute parsing unittests in the child CL, which confirm
that the JSON-encoded 'trusttoken' iframe attribute is parsed into the
correct internal representation of the parameters' values.

It also refactors a test currently written using URLLoaderInterceptor to
use URLLoaderMonitor, which is much simpler.

Bug: 1062396
Change-Id: I3a109e2d0aacf3914f67aa7ac34ad3c7c363eccb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2115778Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#754721}

content/test/BUILD.gn

@@ -1198,6 +1198,7 @@ test("content_browsertests") {
     "//services/image_annotation/public/mojom:mojom",
     "//services/metrics/public/cpp:ukm_builders",
     "//services/network:test_support",
+    "//services/network/trust_tokens:test_support",
     "//services/service_manager/public/cpp",
     "//services/test/echo/public/mojom",
     "//services/tracing:privacy_check",

content/test/DEPS

@@ -26,6 +26,7 @@ include_rules = [
   "+services/network/public/cpp",
   "+services/network/public/mojom",
   "+services/network/test",
+  "+services/network/trust_tokens/test",
   "+services/network/mock_mojo_dhcp_wpad_url_client.h",
   "+services/network/url_request_context_builder_mojo.h",
   "+services/proxy_resolver",

content/test/trust_token_parameters_browsertest.cc

@@ -2,179 +2,29 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "base/json/json_string_value_serializer.h"
-#include "base/test/bind_test_util.h"
 #include "base/test/scoped_feature_list.h"
-#include "base/test/task_environment.h"
 #include "content/public/test/content_browser_test.h"
 #include "content/public/test/content_browser_test_utils.h"
-#include "content/public/test/url_loader_interceptor.h"
-#include "content/shell/browser/shell_content_browser_client.h"
+#include "content/public/test/url_loader_monitor.h"
+#include "net/base/escape.h"
 #include "services/network/public/cpp/features.h"
 #include "services/network/public/cpp/resource_request.h"
-#include "services/network/public/mojom/network_context.mojom.h"
-#include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/public/mojom/trust_tokens.mojom.h"
+#include "services/network/trust_tokens/test/trust_token_test_util.h"
 #include "testing/gmock/include/gmock/gmock.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
-using ::testing::Field;
-using ::testing::Optional;
-using ::testing::Property;
-
 // These integration tests verify that calling the Fetch API with Trust Tokens
 // parameters results in the parameters' counterparts appearing downstream in
 // network::ResourceRequest.
 //
-// They use URLLoaderInterceptor, as opposed to an embedded test server, in
-// order to directly inspect network::ResourceRequest instances.
-//
 // Separately, Blink layout tests check that the API correctly rejects invalid
 // input.
 
 namespace content {
 
-namespace {
-const char kTestHeaders[] = "HTTP/1.1 200 OK\nContent-type: text/html\n\n";
-
-std::string TrustTokenEnumToString(
-    network::mojom::TrustTokenOperationType type) {
-  switch (type) {
-    case network::mojom::TrustTokenOperationType::kIssuance:
-      return "token-request";
-    case network::mojom::TrustTokenOperationType::kRedemption:
-      return "srr-token-redemption";
-    case network::mojom::TrustTokenOperationType::kSigning:
-      return "send-srr";
-  }
-}
-
-std::string TrustTokenEnumToString(
-    network::mojom::TrustTokenRefreshPolicy policy) {
-  switch (policy) {
-    case network::mojom::TrustTokenRefreshPolicy::kUseCached:
-      return "none";
-    case network::mojom::TrustTokenRefreshPolicy::kRefresh:
-      return "refresh";
-  }
-}
-
-std::string TrustTokenEnumToString(
-    network::mojom::TrustTokenSignRequestData sign_request_data) {
-  switch (sign_request_data) {
-    case network::mojom::TrustTokenSignRequestData::kOmit:
-      return "omit";
-    case network::mojom::TrustTokenSignRequestData::kHeadersOnly:
-      return "headers-only";
-    case network::mojom::TrustTokenSignRequestData::kInclude:
-      return "include";
-  }
-}
-
-// The values instantiations of this struct will be serialized and passed to a
-// `fetch` call in executed JS.
-struct Input {
-  // Input (nullopt in an optional field will be omitted from the parameter's
-  // value):
-  network::mojom::TrustTokenOperationType type;
-  base::Optional<network::mojom::TrustTokenRefreshPolicy> refresh_policy;
-  base::Optional<network::mojom::TrustTokenSignRequestData> sign_request_data;
-  base::Optional<bool> include_timestamp_header;
-  // Because static initialization of GURLs/Origins isn't allowed in tests, use
-  // the string representation of the issuer origin and convert it to an Origin
-  // in the test.
-  base::Optional<std::string> issuer_spec;
-  base::Optional<std::vector<std::string>> additional_signed_headers;
-};
-
-// For a given test case, creates and returns:
-// 1. a serialized JSON dictionary suitable for passing as the value of
-//    `fetch`'s `trustToken` parameter.
-// 2. a network::mojom::TrustTokenParams object that should equal the value
-//    eventually passed to network::ResourceRequest when a fetch is executed
-//    with the returned trustToken parameter value.
-std::pair<std::string, network::mojom::TrustTokenParams>
-SerializeParametersAndConstructExpectation(const Input& input) {
-  network::mojom::TrustTokenParams expectation;
-
-  base::Value parameters(base::Value::Type::DICTIONARY);
-  parameters.SetStringKey("type", TrustTokenEnumToString(input.type));
-  expectation.type = input.type;
-
-  if (input.refresh_policy.has_value()) {
-    parameters.SetStringKey("refreshPolicy",
-                            TrustTokenEnumToString(*input.refresh_policy));
-    expectation.refresh_policy = *input.refresh_policy;
-  }
-
-  if (input.sign_request_data.has_value()) {
-    parameters.SetStringKey("signRequestData",
-                            TrustTokenEnumToString(*input.sign_request_data));
-    expectation.sign_request_data = *input.sign_request_data;
-  }
-
-  if (input.include_timestamp_header.has_value()) {
-    parameters.SetBoolKey("includeTimestampHeader",
-                          *input.include_timestamp_header);
-    expectation.include_timestamp_header = *input.include_timestamp_header;
-  }
-
-  if (input.issuer_spec.has_value()) {
-    parameters.SetStringKey("issuer", *input.issuer_spec);
-    expectation.issuer = url::Origin::Create(GURL(*input.issuer_spec));
-  }
-
-  if (input.additional_signed_headers.has_value()) {
-    base::Value headers(base::Value::Type::LIST);
-    for (const std::string& header : *input.additional_signed_headers)
-      headers.Append(header);
-    parameters.SetKey("additionalSignedHeaders", std::move(headers));
-    expectation.additional_signed_headers = *input.additional_signed_headers;
-  }
-
-  std::string serialized_parameters;
-  JSONStringValueSerializer serializer(&serialized_parameters);
-  CHECK(serializer.Serialize(parameters));
-  return std::make_pair(serialized_parameters, expectation);
-}
-
-const Input kIssuanceInputs[]{
-    // For issuance, there are no additional parameters to specify.
-    {.type = network::mojom::TrustTokenOperationType::kIssuance}};
-
-const Input kRedemptionInputs[]{
-    // The only free parameter for redemption is refreshPolicy.
-    {.type = network::mojom::TrustTokenOperationType::kRedemption,
-     .refresh_policy = network::mojom::TrustTokenRefreshPolicy::kRefresh},
-    {.type = network::mojom::TrustTokenOperationType::kRedemption,
-     .refresh_policy = network::mojom::TrustTokenRefreshPolicy::kUseCached},
-    {.type = network::mojom::TrustTokenOperationType::kRedemption}};
-
-const Input kSigningInputs[]{
-    // Signing's inputs are issuer, signRequestData, additionalSignedHeaders,
-    // and includeTimestampHeader; "issuer" has no default and must always be
-    // a secure origin.
-    {.type = network::mojom::TrustTokenOperationType::kSigning,
-     .sign_request_data = network::mojom::TrustTokenSignRequestData::kOmit,
-     .include_timestamp_header = true,
-     .issuer_spec = "https://issuer.example",
-     .additional_signed_headers =
-         std::vector<std::string>{"one header's name",
-                                  "another header's name"}},
-    {.type = network::mojom::TrustTokenOperationType::kSigning,
-     .sign_request_data =
-         network::mojom::TrustTokenSignRequestData::kHeadersOnly,
-     .include_timestamp_header = false,
-     .issuer_spec = "https://issuer.example"},
-    {.type = network::mojom::TrustTokenOperationType::kSigning,
-     .sign_request_data = network::mojom::TrustTokenSignRequestData::kInclude,
-     .issuer_spec = "https://issuer.example"},
-};
-
-}  // namespace
-
 class TrustTokenParametersBrowsertest
-    : public ::testing::WithParamInterface<Input>,
+    : public ::testing::WithParamInterface<network::TrustTokenTestParameters>,
       public ContentBrowserTest {
  public:
   TrustTokenParametersBrowsertest() {
@@ -185,65 +35,49 @@ class TrustTokenParametersBrowsertest
   base::test::ScopedFeatureList features_;
 };
 
-INSTANTIATE_TEST_SUITE_P(WithIssuanceParameters,
-                         TrustTokenParametersBrowsertest,
-                         testing::ValuesIn(kIssuanceInputs));
-INSTANTIATE_TEST_SUITE_P(WithRedemptionParameters,
-                         TrustTokenParametersBrowsertest,
-                         testing::ValuesIn(kRedemptionInputs));
-INSTANTIATE_TEST_SUITE_P(WithSigningParameters,
-                         TrustTokenParametersBrowsertest,
-                         testing::ValuesIn(kSigningInputs));
+INSTANTIATE_TEST_SUITE_P(
+    WithIssuanceParameters,
+    TrustTokenParametersBrowsertest,
+    testing::ValuesIn(network::kIssuanceTrustTokenTestParameters));
+
+INSTANTIATE_TEST_SUITE_P(
+    WithRedemptionParameters,
+    TrustTokenParametersBrowsertest,
+    testing::ValuesIn(network::kRedemptionTrustTokenTestParameters));
+
+INSTANTIATE_TEST_SUITE_P(
+    WithSigningParameters,
+    TrustTokenParametersBrowsertest,
+    testing::ValuesIn(network::kSigningTrustTokenTestParameters));
 
 IN_PROC_BROWSER_TEST_P(TrustTokenParametersBrowsertest,
                        PopulatesResourceRequest) {
-  bool attempted_to_load_image = false;
-
-  network::mojom::TrustTokenParams expectation;
-  std::string fetch_trust_token_parameter;
-  std::tie(fetch_trust_token_parameter, expectation) =
-      SerializeParametersAndConstructExpectation(GetParam());
-
-  URLLoaderInterceptor interceptor(base::BindLambdaForTesting(
-      [&attempted_to_load_image, &fetch_trust_token_parameter,
-       &expectation](URLLoaderInterceptor::RequestParams* params) -> bool {
-        std::string spec = params->url_request.url.spec();
-
-        // On the first request, to "main.com", load a landing page from which
-        // to make the Trust Tokens request.
-        if (spec.find("main") != std::string::npos) {
-          URLLoaderInterceptor::WriteResponse(
-              kTestHeaders,
-              "<html><script>fetch('https://www.image.com/image.png', "
-              "{trustToken: " +
-                  fetch_trust_token_parameter + "});</script></html>",
-              params->client.get());
-          return true;
-        }
-
-        // On the second request, to a path containing "image", verify that the
-        // network::ResourceRequest has the correct Trust Tokens parameters.
-        if (spec.find("image")) {
-          // Can't ASSERT_TRUE in a non-void-returning method, but we don't want
-          // to continue to the next line if there's no |trust_token_params|
-          // field present, because we'd trigger a check failure anyways, when
-          // dereferencing nullopt.
-          CHECK(params->url_request.trust_token_params);
-
-          EXPECT_TRUE(
-              params->url_request.trust_token_params->Equals(expectation));
-
-          attempted_to_load_image = true;
-        }
-
-        return false;
-      }));
-
-  EXPECT_TRUE(NavigateToURL(shell(), GURL("https://main.com/")));
-
-  // As a sanity check, make sure the test did actually try to load the
-  // subresource.
-  ASSERT_TRUE(attempted_to_load_image);
+  ASSERT_TRUE(embedded_test_server()->Start());
+
+  network::TrustTokenParametersAndSerialization
+      expected_params_and_serialization =
+          network::SerializeTrustTokenParametersAndConstructExpectation(
+              GetParam());
+
+  GURL url(embedded_test_server()->GetURL("/title1.html"));
+  GURL trust_token_url(embedded_test_server()->GetURL("/title2.html"));
+
+  URLLoaderMonitor monitor({trust_token_url});
+
+  EXPECT_TRUE(NavigateToURL(shell(), url));
+
+  EXPECT_TRUE(
+      ExecJs(shell(), JsReplace("fetch($1, {trustToken: ", trust_token_url) +
+                          expected_params_and_serialization.serialized_params +
+                          "});"));
+
+  monitor.WaitForUrls();
+  base::Optional<network::ResourceRequest> request =
+      monitor.GetRequestInfo(trust_token_url);
+  ASSERT_TRUE(request);
+  ASSERT_TRUE(request->trust_token_params);
+  EXPECT_TRUE(request->trust_token_params.as_ptr().Equals(
+      expected_params_and_serialization.params));
 }
 
 }  // namespace content

services/network/trust_tokens/BUILD.gn

@@ -12,6 +12,8 @@ source_set("trust_tokens") {
     "//services/network:tests",
   ]
 
+  defines = [ "IS_NETWORK_SERVICE_IMPL" ]
+
   sources = [
     "has_trust_tokens_answerer.cc",
     "has_trust_tokens_answerer.h",
@@ -63,6 +65,8 @@ source_set("trust_tokens") {
 source_set("test_support") {
   testonly = true
 
+  defines = [ "IS_NETWORK_SERVICE_IMPL" ]
+
   sources = [
     "test/trust_token_test_util.cc",
     "test/trust_token_test_util.h",
@@ -84,6 +88,8 @@ source_set("test_support") {
 source_set("tests") {
   testonly = true
 
+  defines = [ "IS_NETWORK_SERVICE_IMPL" ]
+
   sources = [
     "has_trust_tokens_answerer_unittest.cc",
     "pending_trust_token_store_unittest.cc",

services/network/trust_tokens/test/trust_token_test_util.cc

@@ -4,6 +4,7 @@
 
 #include "services/network/trust_tokens/test/trust_token_test_util.h"
 #include "base/test/bind_test_util.h"
+#include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 
 namespace network {
 
@@ -35,4 +36,118 @@ TrustTokenRequestHelperTest::ExecuteBeginOperationAndWaitForResult(
   return status;
 }
 
+std::string TrustTokenEnumToString(mojom::TrustTokenOperationType type) {
+  switch (type) {
+    case mojom::TrustTokenOperationType::kIssuance:
+      return "token-request";
+    case mojom::TrustTokenOperationType::kRedemption:
+      return "srr-token-redemption";
+    case mojom::TrustTokenOperationType::kSigning:
+      return "send-srr";
+  }
+}
+
+std::string TrustTokenEnumToString(mojom::TrustTokenRefreshPolicy policy) {
+  switch (policy) {
+    case mojom::TrustTokenRefreshPolicy::kUseCached:
+      return "none";
+    case mojom::TrustTokenRefreshPolicy::kRefresh:
+      return "refresh";
+  }
+}
+
+std::string TrustTokenEnumToString(
+    mojom::TrustTokenSignRequestData sign_request_data) {
+  switch (sign_request_data) {
+    case mojom::TrustTokenSignRequestData::kOmit:
+      return "omit";
+    case mojom::TrustTokenSignRequestData::kHeadersOnly:
+      return "headers-only";
+    case mojom::TrustTokenSignRequestData::kInclude:
+      return "include";
+  }
+}
+
+TrustTokenParametersAndSerialization::TrustTokenParametersAndSerialization(
+    mojom::TrustTokenParamsPtr params,
+    std::string serialized_params)
+    : params(std::move(params)),
+      serialized_params(std::move(serialized_params)) {}
+TrustTokenParametersAndSerialization::~TrustTokenParametersAndSerialization() =
+    default;
+
+TrustTokenParametersAndSerialization::TrustTokenParametersAndSerialization(
+    TrustTokenParametersAndSerialization&&) = default;
+TrustTokenParametersAndSerialization& TrustTokenParametersAndSerialization::
+operator=(TrustTokenParametersAndSerialization&&) = default;
+
+TrustTokenTestParameters::~TrustTokenTestParameters() = default;
+TrustTokenTestParameters::TrustTokenTestParameters(
+    const TrustTokenTestParameters&) = default;
+TrustTokenTestParameters& TrustTokenTestParameters::operator=(
+    const TrustTokenTestParameters&) = default;
+
+TrustTokenTestParameters::TrustTokenTestParameters(
+    network::mojom::TrustTokenOperationType type,
+    base::Optional<network::mojom::TrustTokenRefreshPolicy> refresh_policy,
+    base::Optional<network::mojom::TrustTokenSignRequestData> sign_request_data,
+    base::Optional<bool> include_timestamp_header,
+    base::Optional<std::string> issuer_spec,
+    base::Optional<std::vector<std::string>> additional_signed_headers)
+    : type(type),
+      refresh_policy(refresh_policy),
+      sign_request_data(sign_request_data),
+      include_timestamp_header(include_timestamp_header),
+      issuer_spec(issuer_spec),
+      additional_signed_headers(additional_signed_headers) {}
+
+TrustTokenParametersAndSerialization
+SerializeTrustTokenParametersAndConstructExpectation(
+    const TrustTokenTestParameters& input) {
+  auto trust_token_params = mojom::TrustTokenParams::New();
+
+  base::Value parameters(base::Value::Type::DICTIONARY);
+  parameters.SetStringKey("type", TrustTokenEnumToString(input.type));
+  trust_token_params->type = input.type;
+
+  if (input.refresh_policy.has_value()) {
+    parameters.SetStringKey("refreshPolicy",
+                            TrustTokenEnumToString(*input.refresh_policy));
+    trust_token_params->refresh_policy = *input.refresh_policy;
+  }
+
+  if (input.sign_request_data.has_value()) {
+    parameters.SetStringKey("signRequestData",
+                            TrustTokenEnumToString(*input.sign_request_data));
+    trust_token_params->sign_request_data = *input.sign_request_data;
+  }
+
+  if (input.include_timestamp_header.has_value()) {
+    parameters.SetBoolKey("includeTimestampHeader",
+                          *input.include_timestamp_header);
+    trust_token_params->include_timestamp_header =
+        *input.include_timestamp_header;
+  }
+
+  if (input.issuer_spec.has_value()) {
+    parameters.SetStringKey("issuer", *input.issuer_spec);
+    trust_token_params->issuer = url::Origin::Create(GURL(*input.issuer_spec));
+  }
+
+  if (input.additional_signed_headers.has_value()) {
+    base::Value headers(base::Value::Type::LIST);
+    for (const std::string& header : *input.additional_signed_headers)
+      headers.Append(header);
+    parameters.SetKey("additionalSignedHeaders", std::move(headers));
+    for (const std::string& input_header : *input.additional_signed_headers) {
+      trust_token_params->additional_signed_headers.push_back(input_header);
+    }
+  }
+
+  std::string serialized_parameters;
+  JSONStringValueSerializer serializer(&serialized_parameters);
+  CHECK(serializer.Serialize(parameters));
+  return {std::move(trust_token_params), std::move(serialized_parameters)};
+}
+
 }  // namespace network

services/network/trust_tokens/test/trust_token_test_util.h

@@ -9,10 +9,14 @@
 #include <string>
 
 #include "base/callback_forward.h"
+#include "base/component_export.h"
+#include "base/json/json_string_value_serializer.h"
 #include "base/test/task_environment.h"
+#include "base/values.h"
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request_test_util.h"
 #include "services/network/public/mojom/trust_tokens.mojom-shared.h"
+#include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "services/network/trust_tokens/trust_token_request_helper.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -52,6 +56,149 @@ class TrustTokenRequestHelperTest : public ::testing::Test {
   net::TestURLRequestContext context_;
 };
 
+// The following helper methods unify parameterized unit/integration testing of
+// the Trust Tokens interface.
+//
+// They provide a way to serialize a number of Trust Tokens parameter structures
+// to JSON in a manner that covers all of the Trust Tokens
+// parameters, and all of the permitted values of the enum and bool parameters,
+// in order to verify that the parameters' values correctly
+// serialize/deserialize and are properly propagated to the network stack.
+//
+// Intended use:
+// - parameterize tests by k{Issuance, Signing, Redemption}TrustTokenParameters;
+// - in the tests, call |SerializeTrustTokenParametersAndConstructExpectation|
+// to construct (1) a string representation of the trustToken JS argument and
+// (2) a corresponding mojom::TrustTokenParams object expected to
+// appear downstream;
+// - pass the provided argument to the API (fetch, iframe, XHR, ...) and check
+// that the corresponding Mojo struct does, in fact, subsequently materialize.
+
+// The instantiations of this struct will be serialized and passed to a
+// `fetch` call in executed JS. This class is declared out-of-line so that it
+// can be shared between embedder- and Blink-side code.
+struct TrustTokenTestParameters final {
+  // TrustTokenTestParameters (when serialized, nullopt in an optional field
+  // will be omitted from the parameter's value):
+  TrustTokenTestParameters(
+      mojom::TrustTokenOperationType type,
+      base::Optional<mojom::TrustTokenRefreshPolicy> refresh_policy,
+      base::Optional<mojom::TrustTokenSignRequestData> sign_request_data,
+      base::Optional<bool> include_timestamp_header,
+      base::Optional<std::string> issuer_spec,
+      base::Optional<std::vector<std::string>> additional_signed_headers);
+
+  ~TrustTokenTestParameters();
+
+  TrustTokenTestParameters(const TrustTokenTestParameters&);
+  TrustTokenTestParameters& operator=(const TrustTokenTestParameters&);
+
+  mojom::TrustTokenOperationType type;
+  base::Optional<mojom::TrustTokenRefreshPolicy> refresh_policy;
+  base::Optional<mojom::TrustTokenSignRequestData> sign_request_data;
+  base::Optional<bool> include_timestamp_header;
+  // Because static initialization of GURLs/Origins isn't allowed in tests, use
+  // the string representation of the issuer origin and convert it to an Origin
+  // in the test.
+  base::Optional<std::string> issuer_spec;
+  base::Optional<std::vector<std::string>> additional_signed_headers;
+};
+
+// Serializes the value of a Trust Tokens enum parameter to its JS string
+// representation. Must be kept in sync with the corresponding IDL enum
+// definition.
+std::string TrustTokenEnumToString(mojom::TrustTokenOperationType type);
+std::string TrustTokenEnumToString(mojom::TrustTokenRefreshPolicy policy);
+std::string TrustTokenEnumToString(
+    mojom::TrustTokenSignRequestData sign_request_data);
+
+// For a given test case, creates and returns:
+// 1. a serialized JSON dictionary suitable for passing as the value of
+//    `fetch`'s (and XHR's, and iframe's) `trustToken` parameter.
+// 2. a TrustTokenParams object that should equal the
+//    value eventually passed downstream when a fetch/XHR/iframe load
+//    is provided the serialized parameters.
+struct TrustTokenParametersAndSerialization {
+  TrustTokenParametersAndSerialization(mojom::TrustTokenParamsPtr params,
+                                       std::string serialized_params);
+  ~TrustTokenParametersAndSerialization();
+
+  TrustTokenParametersAndSerialization(
+      const TrustTokenParametersAndSerialization&) = delete;
+  TrustTokenParametersAndSerialization& operator=(
+      const TrustTokenParametersAndSerialization&) = delete;
+
+  TrustTokenParametersAndSerialization(TrustTokenParametersAndSerialization&&);
+  TrustTokenParametersAndSerialization& operator=(
+      TrustTokenParametersAndSerialization&&);
+
+  mojom::TrustTokenParamsPtr params;
+  std::string serialized_params;
+};
+TrustTokenParametersAndSerialization
+SerializeTrustTokenParametersAndConstructExpectation(
+    const TrustTokenTestParameters& input);
+
+// These groups of parameters are defined in this utility file so that they can
+// be shared among different tests deserializing and propagating Trust Tokens
+// parameters; see above for a more detailed description of the intended use.
+const TrustTokenTestParameters kIssuanceTrustTokenTestParameters[]{
+    // For issuance, there are no additional parameters to specify.
+    TrustTokenTestParameters(mojom::TrustTokenOperationType::kIssuance,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt)};
+
+const TrustTokenTestParameters kRedemptionTrustTokenTestParameters[]{
+    // For redemption, there is one free parameter, refreshPolicy, with two
+    // values (and a default).
+    TrustTokenTestParameters(mojom::TrustTokenOperationType::kRedemption,
+                             mojom::TrustTokenRefreshPolicy::kRefresh,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt),
+    TrustTokenTestParameters(mojom::TrustTokenOperationType::kRedemption,
+                             mojom::TrustTokenRefreshPolicy::kUseCached,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt),
+    TrustTokenTestParameters(mojom::TrustTokenOperationType::kRedemption,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt,
+                             base::nullopt)};
+
+const TrustTokenTestParameters kSigningTrustTokenTestParameters[]{
+    // Signing's inputs are issuer, signRequestData, additionalSignedHeaders,
+    // and includeTimestampHeader; "issuer" has no default and must always be
+    // a secure origin.
+    TrustTokenTestParameters(
+        mojom::TrustTokenOperationType::kSigning,
+        base::nullopt,
+        mojom::TrustTokenSignRequestData::kOmit,
+        /*include_timestamp_header=*/true,
+        "https://issuer.example",
+        std::vector<std::string>{"one additional header's name",
+                                 "another additional header's name"}),
+    TrustTokenTestParameters(mojom::TrustTokenOperationType::kSigning,
+                             base::nullopt,
+                             mojom::TrustTokenSignRequestData::kHeadersOnly,
+                             /*include_timestamp_header=*/false,
+                             "https://issuer.example",
+                             base::nullopt),
+    TrustTokenTestParameters(mojom::TrustTokenOperationType::kSigning,
+                             base::nullopt,
+                             mojom::TrustTokenSignRequestData::kInclude,
+                             /*include_timestamp_header=*/base::nullopt,
+                             "https://issuer.example",
+                             base::nullopt),
+};
+
 }  // namespace network
 
 #endif  // SERVICES_NETWORK_TRUST_TOKENS_TEST_TRUST_TOKEN_TEST_UTIL_H_