Network Service: Use allowlist for IgnoreErrorsCertVerifier

This CL replaces "whitelist" with "allowlist" in IgnoreErrorsCertVerifier. Bug: 842296 Change-Id: I501b451fbb76dc48e5977b2a855913ee79028462 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2247947 Commit-Queue: Lingqi Chi <lingqi@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#780198}

Network Service: Use allowlist for IgnoreErrorsCertVerifier
This CL replaces "whitelist" with "allowlist" in IgnoreErrorsCertVerifier. Bug: 842296 Change-Id: I501b451fbb76dc48e5977b2a855913ee79028462 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2247947 Commit-Queue: Lingqi Chi <lingqi@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/master@{#780198}
d05b87c9 · Lingqi Chi · Commit Bot · aa52fe75 · d05b87c9 · d05b87c9
Commit d05b87c9 authored Jun 19, 2020 by Lingqi Chi Committed by Commit Bot Jun 19, 2020
3 changed files
--- a/services/network/ignore_errors_cert_verifier.cc
+++ b/services/network/ignore_errors_cert_verifier.cc
@@ -48,8 +48,8 @@ std::unique_ptr<CertVerifier> IgnoreErrorsCertVerifier::MaybeWrapCertVerifier(
 IgnoreErrorsCertVerifier::IgnoreErrorsCertVerifier(
    std::unique_ptr<CertVerifier> verifier,
-    SPKIHashSet whitelist)
+    SPKIHashSet allowlist)
-    : verifier_(std::move(verifier)), whitelist_(std::move(whitelist)) {}
+    : verifier_(std::move(verifier)), allowlist_(std::move(allowlist)) {}
 IgnoreErrorsCertVerifier::~IgnoreErrorsCertVerifier() {}
@@ -78,17 +78,17 @@ int IgnoreErrorsCertVerifier::Verify(const RequestParams& params,
    }
  }
-  // Intersect SPKI hashes from the chain with the whitelist.
+  // Intersect SPKI hashes from the chain with the allowlist.
-  auto whitelist_begin = whitelist_.begin();
+  auto allowlist_begin = allowlist_.begin();
-  auto whitelist_end = whitelist_.end();
+  auto allowlist_end = allowlist_.end();
  auto fingerprints_begin = spki_fingerprints.begin();
  auto fingerprints_end = spki_fingerprints.end();
  bool ignore_errors = false;
-  while (whitelist_begin != whitelist_end &&
+  while (allowlist_begin != allowlist_end &&
         fingerprints_begin != fingerprints_end) {
-    if (*whitelist_begin < *fingerprints_begin) {
+    if (*allowlist_begin < *fingerprints_begin) {
-      ++whitelist_begin;
+      ++allowlist_begin;
-    } else if (*fingerprints_begin < *whitelist_begin) {
+    } else if (*fingerprints_begin < *allowlist_begin) {
      ++fingerprints_begin;
    } else {
      ignore_errors = true;
@@ -119,9 +119,9 @@ void IgnoreErrorsCertVerifier::SetConfig(const Config& config) {
  verifier_->SetConfig(config);
 }
-void IgnoreErrorsCertVerifier::SetWhitelistForTesting(
+void IgnoreErrorsCertVerifier::SetAllowlistForTesting(
-    const SPKIHashSet& whitelist) {
+    const SPKIHashSet& allowlist) {
-  whitelist_ = whitelist;
+  allowlist_ = allowlist;
 }
 }  // namespace network
--- a/services/network/ignore_errors_cert_verifier.h
+++ b/services/network/ignore_errors_cert_verifier.h
@@ -19,7 +19,7 @@
 namespace network {
 // IgnoreErrorsCertVerifier wraps another CertVerifier in order to ignore
-// verification errors from certificate chains that match a whitelist of SPKI
+// verification errors from certificate chains that match a allowlist of SPKI
 // fingerprints.
 class COMPONENT_EXPORT(NETWORK_SERVICE) IgnoreErrorsCertVerifier
    : public net::CertVerifier {
@@ -28,7 +28,7 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) IgnoreErrorsCertVerifier
  // --user-data-dir flag is missing, or --ignore-certificate-errors-spki-list
  // flag is missing then MaybeWrapCertVerifier returns the supplied verifier.
  // Otherwise it returns an IgnoreErrorsCertVerifier wrapping the supplied
-  // verifier using the whitelist from the
+  // verifier using the allowlist from the
  // --ignore-certificate-errors-spki-list flag.
  //
  // As the --user-data-dir flag is embedder defined, the flag to check for
@@ -39,13 +39,13 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) IgnoreErrorsCertVerifier
      std::unique_ptr<net::CertVerifier> verifier);
  IgnoreErrorsCertVerifier(std::unique_ptr<net::CertVerifier> verifier,
-                           SPKIHashSet whitelist);
+                           SPKIHashSet allowlist);
  ~IgnoreErrorsCertVerifier() override;
  // Verify skips certificate verification and returns OK if any of the
  // certificates from the chain in |params| match one of the SPKI fingerprints
-  // from the whitelist. Otherwise, it invokes Verify on the wrapped verifier
+  // from the allowlist. Otherwise, it invokes Verify on the wrapped verifier
  // and returns the result.
  int Verify(const RequestParams& params,
             net::CertVerifyResult* verify_result,
@@ -57,10 +57,10 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) IgnoreErrorsCertVerifier
 private:
  friend class IgnoreErrorsCertVerifierTest;
-  void SetWhitelistForTesting(const SPKIHashSet& whitelist);
+  void SetAllowlistForTesting(const SPKIHashSet& whitelist);
  std::unique_ptr<net::CertVerifier> verifier_;
-  SPKIHashSet whitelist_;
+  SPKIHashSet allowlist_;
  DISALLOW_COPY_AND_ASSIGN(IgnoreErrorsCertVerifier);
 };

--- a/services/network/ignore_errors_cert_verifier_unittest.cc
+++ b/services/network/ignore_errors_cert_verifier_unittest.cc
@@ -46,7 +46,7 @@ namespace network {
 static const char kTestUserDataDirSwitch[] = "test-user-data-dir";
-static std::vector<std::string> MakeWhitelist() {
+static std::vector<std::string> MakeAllowlist() {
  base::FilePath certs_dir = net::GetTestCertsDirectory();
  net::CertificateList certs = net::CreateCertificateListFromFile(
      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
@@ -74,7 +74,7 @@ class IgnoreErrorsCertVerifierTest : public ::testing::Test {
 protected:
  void SetUp() override {
-    verifier_.SetWhitelistForTesting(CreateSPKIHashSet(MakeWhitelist()));
+    verifier_.SetAllowlistForTesting(CreateSPKIHashSet(MakeAllowlist()));
  }
  // The wrapped CertVerifier. Defaults to returning ERR_CERT_INVALID. Owned by
@@ -83,7 +83,7 @@ class IgnoreErrorsCertVerifierTest : public ::testing::Test {
  IgnoreErrorsCertVerifier verifier_;
 };
-static void GetNonWhitelistedTestCert(scoped_refptr<X509Certificate>* out) {
+static void GetNonAllowlistedTestCert(scoped_refptr<X509Certificate>* out) {
  base::FilePath certs_dir = net::GetTestCertsDirectory();
  scoped_refptr<X509Certificate> test_cert(
      net::ImportCertFromFile(certs_dir, "ok_cert.pem"));
@@ -98,7 +98,7 @@ static CertVerifier::RequestParams MakeRequestParams(
                                     /*sct_list=*/std::string());
 }
-static void GetWhitelistedTestCert(scoped_refptr<X509Certificate>* out) {
+static void GetAllowlistedTestCert(scoped_refptr<X509Certificate>* out) {
  base::FilePath certs_dir = net::GetTestCertsDirectory();
  *out = net::CreateCertificateChainFromFile(
      certs_dir, "x509_verify_results.chain.pem", X509Certificate::FORMAT_AUTO);
@@ -110,7 +110,7 @@ TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertOk) {
  mock_verifier_->set_default_result(OK);
  scoped_refptr<X509Certificate> test_cert;
-  ASSERT_NO_FATAL_FAILURE(GetNonWhitelistedTestCert(&test_cert));
+  ASSERT_NO_FATAL_FAILURE(GetNonAllowlistedTestCert(&test_cert));
  CertVerifyResult verify_result;
  TestCompletionCallback callback;
  std::unique_ptr<CertVerifier::Request> request;
@@ -123,7 +123,7 @@ TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertOk) {
 TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertError) {
  scoped_refptr<X509Certificate> test_cert;
-  ASSERT_NO_FATAL_FAILURE(GetNonWhitelistedTestCert(&test_cert));
+  ASSERT_NO_FATAL_FAILURE(GetNonAllowlistedTestCert(&test_cert));
  CertVerifyResult verify_result;
  TestCompletionCallback callback;
  std::unique_ptr<CertVerifier::Request> request;
@@ -136,7 +136,7 @@ TEST_F(IgnoreErrorsCertVerifierTest, TestNoMatchCertError) {
 TEST_F(IgnoreErrorsCertVerifierTest, TestMatch) {
  scoped_refptr<X509Certificate> test_cert;
-  ASSERT_NO_FATAL_FAILURE(GetWhitelistedTestCert(&test_cert));
+  ASSERT_NO_FATAL_FAILURE(GetAllowlistedTestCert(&test_cert));
  CertVerifyResult verify_result;
  TestCompletionCallback callback;
  std::unique_ptr<CertVerifier::Request> request;
@@ -156,7 +156,7 @@ class IgnoreCertificateErrorsSPKIListFlagTest
      command_line.AppendSwitchASCII(kTestUserDataDirSwitch, "/foo/bar/baz");
    }
    command_line.AppendSwitchASCII(switches::kIgnoreCertificateErrorsSPKIList,
-                                   base::JoinString(MakeWhitelist(), ","));
+                                   base::JoinString(MakeAllowlist(), ","));
    auto mock_verifier = std::make_unique<MockCertVerifier>();
    mock_verifier->set_default_result(ERR_CERT_INVALID);
@@ -173,7 +173,7 @@ class IgnoreCertificateErrorsSPKIListFlagTest
 // are present, certificate verification is bypassed.
 TEST_P(IgnoreCertificateErrorsSPKIListFlagTest, TestUserDataDirSwitchRequired) {
  scoped_refptr<X509Certificate> test_cert;
-  ASSERT_NO_FATAL_FAILURE(GetWhitelistedTestCert(&test_cert));
+  ASSERT_NO_FATAL_FAILURE(GetAllowlistedTestCert(&test_cert));
  CertVerifyResult verify_result;
  TestCompletionCallback callback;
  std::unique_ptr<CertVerifier::Request> request;