Trust Tokens: Add a global commitment key result store

This is one of a series of CLs updating Trust Tokens key commitment
state to use a singleton in-memory store owned by NetworkContext and
updated via Mojo from the component updater. This involves

1. Remove key commitment-related state from the on-disk trust
token store
2. Mojoify TrustTokenKeyCommitmentResult and remove
commitment fetching and parsing code

[3, this CL] Add a centralized issuers-to-commitments store in the
network service:
- Define the new store class (TrustTokenKeyCommitments) and make it
accessible via a NetworkService accessor method
- Expand NetworkService's Mojo interface to include a setter

4. Add component updater logic to populate this store.

Bug: 1063510
Change-Id: I69bda37a0373281c420919630b29f4aa3e127f24
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2117295Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Matthew Denton <mpdenton@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#755186}

services/network/network_service.cc

@@ -334,6 +334,8 @@ void NetworkService::Initialize(mojom::NetworkServiceParamsPtr params,
       std::make_unique<LegacyTLSConfigDistributor>();
 
   doh_probe_activator_ = std::make_unique<DelayedDohProbeActivator>(this);
+
+  trust_token_key_commitments_ = std::make_unique<TrustTokenKeyCommitments>();
 }
 
 NetworkService::~NetworkService() {
@@ -709,6 +711,12 @@ void NetworkService::SetEnvironment(
     env->SetVar(variable->name, variable->value);
 }
 
+void NetworkService::SetTrustTokenKeyCommitments(
+    base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr>
+        commitments) {
+  trust_token_key_commitments_->Set(std::move(commitments));
+}
+
 #if defined(OS_ANDROID)
 void NetworkService::DumpWithoutCrashing(base::Time dump_request_time) {
   static base::debug::CrashKeyString* time_key =

services/network/network_service.h

@@ -38,6 +38,8 @@
 #include "services/network/public/mojom/network_change_manager.mojom.h"
 #include "services/network/public/mojom/network_quality_estimator_manager.mojom.h"
 #include "services/network/public/mojom/network_service.mojom.h"
+#include "services/network/public/mojom/trust_tokens.mojom.h"
+#include "services/network/trust_tokens/trust_token_key_commitments.h"
 #include "services/service_manager/public/cpp/binder_registry.h"
 
 namespace net {
@@ -173,6 +175,10 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
 #endif
   void SetEnvironment(
       std::vector<mojom::EnvironmentVariablePtr> environment) override;
+  void SetTrustTokenKeyCommitments(
+      base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr>
+          commitments) override;
+
 #if defined(OS_ANDROID)
   void DumpWithoutCrashing(base::Time dump_request_time) override;
 #endif
@@ -234,6 +240,10 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
     return split_auth_cache_by_network_isolation_key_;
   }
 
+  const TrustTokenKeyCommitments* trust_token_key_commitments() const {
+    return trust_token_key_commitments_.get();
+  }
+
   static NetworkService* GetNetworkServiceForTesting();
 
  private:
@@ -345,6 +355,11 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkService
   // HttpAuthCaches by NetworkIsolationKey.
   bool split_auth_cache_by_network_isolation_key_ = false;
 
+  // Globally-scoped cryptographic state for the Trust Tokens protocol
+  // (https://github.com/wicg/trust-token-api), updated via a Mojo IPC and
+  // provided to NetworkContexts via the getter.
+  std::unique_ptr<TrustTokenKeyCommitments> trust_token_key_commitments_;
+
   std::unique_ptr<DelayedDohProbeActivator> doh_probe_activator_;
 
   // Map from a renderer process id, to the set of plugin origins embedded by

services/network/network_service_unittest.cc

@@ -1222,6 +1222,38 @@ TEST_F(NetworkServiceTestWithService, SetNetworkConditions) {
   EXPECT_EQ(net::OK, client()->completion_status().error_code);
 }
 
+// Integration test confirming that the SetTrustTokenKeyCommitments IPC is wired
+// up correctly by verifying that it's possible to read a value previously
+// passed to the setter.
+TEST_F(NetworkServiceTestWithService, SetsTrustTokenKeyCommitments) {
+  ASSERT_TRUE(service_->trust_token_key_commitments());
+
+  auto expectation = mojom::TrustTokenKeyCommitmentResult::New();
+  expectation->batch_size = mojom::TrustTokenKeyCommitmentBatchSize::New(5);
+
+  url::Origin issuer_origin =
+      url::Origin::Create(GURL("https://issuer.example"));
+
+  base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> to_set;
+  to_set.insert_or_assign(issuer_origin, expectation.Clone());
+  network_service_->SetTrustTokenKeyCommitments(std::move(to_set));
+  network_service_.FlushForTesting();
+
+  mojom::TrustTokenKeyCommitmentResultPtr result;
+  bool ran = false;
+
+  service_->trust_token_key_commitments()->Get(
+      issuer_origin, base::BindLambdaForTesting(
+                         [&](mojom::TrustTokenKeyCommitmentResultPtr ptr) {
+                           result = std::move(ptr);
+                           ran = true;
+                         }));
+
+  ASSERT_TRUE(ran);
+
+  EXPECT_TRUE(result.Equals(expectation));
+}
+
 // CRLSets are not supported on iOS and Android system verifiers.
 #if !defined(OS_IOS) && !defined(OS_ANDROID)
 

services/network/public/mojom/network_service.mojom

@@ -22,6 +22,7 @@ import "services/network/public/mojom/network_interface.mojom";
 import "services/network/public/mojom/network_param.mojom";
 import "services/network/public/mojom/network_quality_estimator_manager.mojom";
 import "services/network/public/mojom/network_service_test.mojom";
+import "services/network/public/mojom/trust_tokens.mojom";
 import "services/network/public/mojom/url_loader.mojom";
 import "services/network/public/mojom/url_loader_factory.mojom";
 import "services/network/public/mojom/url_response_head.mojom";
@@ -386,6 +387,12 @@ interface NetworkService {
   // |environment| array.
   SetEnvironment(array<EnvironmentVariable> environment);
 
+  // Sets Trust Tokens key commitment state. |commitments| is a map from issuer
+  // origins to key commitment results (each result contains a collection of
+  // keys and some associated metadata).
+  SetTrustTokenKeyCommitments(
+      map<url.mojom.Origin, TrustTokenKeyCommitmentResult> commitments);
+
   // Calls base::debug::DumpWithoutCrashing for the network process.
   // TODO(http://crbug.com/934317): Remove this once done debugging renderer
   // hangs.

services/network/trust_tokens/BUILD.gn

@@ -23,6 +23,8 @@ source_set("trust_tokens") {
     "pending_trust_token_store.h",
     "sqlite_trust_token_persister.cc",
     "sqlite_trust_token_persister.h",
+    "suitable_trust_token_origin.cc",
+    "suitable_trust_token_origin.h",
     "trust_token_database_owner.cc",
     "trust_token_database_owner.h",
     "trust_token_http_headers.h",
@@ -31,6 +33,8 @@ source_set("trust_tokens") {
     "trust_token_key_commitment_getter.h",
     "trust_token_key_commitment_parser.cc",
     "trust_token_key_commitment_parser.h",
+    "trust_token_key_commitments.cc",
+    "trust_token_key_commitments.h",
     "trust_token_parameterization.h",
     "trust_token_persister.h",
     "trust_token_request_canonicalizer.cc",
@@ -94,9 +98,11 @@ source_set("tests") {
     "has_trust_tokens_answerer_unittest.cc",
     "pending_trust_token_store_unittest.cc",
     "sqlite_trust_token_persister_unittest.cc",
+    "suitable_trust_token_origin_unittest.cc",
     "trust_token_database_owner_unittest.cc",
     "trust_token_key_commitment_controller_unittest.cc",
     "trust_token_key_commitment_parser_unittest.cc",
+    "trust_token_key_commitments_unittest.cc",
     "trust_token_persister_unittest.cc",
     "trust_token_request_canonicalizer_unittest.cc",
     "trust_token_request_issuance_helper_unittest.cc",

services/network/trust_tokens/suitable_trust_token_origin.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/network/trust_tokens/suitable_trust_token_origin.h"
+#include "services/network/public/cpp/is_potentially_trustworthy.h"
+#include "url/url_constants.h"
+
+namespace network {
+
+SuitableTrustTokenOrigin::~SuitableTrustTokenOrigin() = default;
+SuitableTrustTokenOrigin::SuitableTrustTokenOrigin(
+    const SuitableTrustTokenOrigin& rhs) = default;
+SuitableTrustTokenOrigin& SuitableTrustTokenOrigin::operator=(
+    const SuitableTrustTokenOrigin& rhs) = default;
+SuitableTrustTokenOrigin::SuitableTrustTokenOrigin(
+    SuitableTrustTokenOrigin&& rhs) = default;
+SuitableTrustTokenOrigin& SuitableTrustTokenOrigin::operator=(
+    SuitableTrustTokenOrigin&& rhs) = default;
+
+base::Optional<SuitableTrustTokenOrigin> SuitableTrustTokenOrigin::Create(
+    url::Origin origin) {
+  if (origin.scheme() != url::kHttpsScheme &&
+      origin.scheme() != url::kHttpScheme)
+    return base::nullopt;
+  if (!IsOriginPotentiallyTrustworthy(origin))
+    return base::nullopt;
+
+  return base::Optional<SuitableTrustTokenOrigin>(
+      base::in_place, util::PassKey<SuitableTrustTokenOrigin>(),
+      std::move(origin));
+}
+
+base::Optional<SuitableTrustTokenOrigin> SuitableTrustTokenOrigin::Create(
+    const GURL& url) {
+  return Create(url::Origin::Create(url));
+}
+
+std::string SuitableTrustTokenOrigin::Serialize() const {
+  return origin_.Serialize();
+}
+
+SuitableTrustTokenOrigin::SuitableTrustTokenOrigin(
+    util::PassKey<SuitableTrustTokenOrigin>,
+    url::Origin&& origin)
+    : origin_(std::move(origin)) {}
+
+}  // namespace network

services/network/trust_tokens/suitable_trust_token_origin.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_NETWORK_TRUST_TOKENS_SUITABLE_TRUST_TOKEN_ORIGIN_H_
+#define SERVICES_NETWORK_TRUST_TOKENS_SUITABLE_TRUST_TOKEN_ORIGIN_H_
+
+#include "base/util/type_safety/pass_key.h"
+#include "url/origin.h"
+
+namespace network {
+
+// Class SuitableTrustTokenOrigin is a thin wrapper over url::Origin enforcing
+// invariants required of all origins suitable for keying persistent Trust
+// Tokens state (https://github.com/wicg/trust-token-api). These origins must
+// be:
+// - potentially trustworthy, in the sense of
+// network::IsOriginPotentiallyTrustworthy (this is a security requirement); and
+// - either HTTP or HTTPS (this is so that the origins have unique
+// serializations).
+class SuitableTrustTokenOrigin {
+ public:
+  SuitableTrustTokenOrigin() = delete;
+  ~SuitableTrustTokenOrigin();
+
+  SuitableTrustTokenOrigin(const SuitableTrustTokenOrigin& rhs);
+  SuitableTrustTokenOrigin& operator=(const SuitableTrustTokenOrigin& rhs);
+  SuitableTrustTokenOrigin(SuitableTrustTokenOrigin&& rhs);
+  SuitableTrustTokenOrigin& operator=(SuitableTrustTokenOrigin&& rhs);
+
+  // Returns nullopt if |origin| (or |url|) is unsuitable for keying Trust
+  // Tokens persistent state. Otherwise, returns a new SuitableTrustTokenOrigin
+  // wrapping |origin| (or |url|).
+  static base::Optional<SuitableTrustTokenOrigin> Create(url::Origin origin);
+  static base::Optional<SuitableTrustTokenOrigin> Create(const GURL& url);
+
+  std::string Serialize() const;
+  const url::Origin& origin() const { return origin_; }
+
+  // Constructs a SuitableTrustTokenOrigin from the given origin. Public only as
+  // an implementation detail; clients should use |Create|.
+  SuitableTrustTokenOrigin(util::PassKey<SuitableTrustTokenOrigin>,
+                           url::Origin&& origin);
+
+ private:
+  friend bool operator==(const SuitableTrustTokenOrigin& lhs,
+                         const SuitableTrustTokenOrigin& rhs);
+  friend bool operator<(const SuitableTrustTokenOrigin& lhs,
+                        const SuitableTrustTokenOrigin& rhs);
+  url::Origin origin_;
+};
+
+inline bool operator==(const SuitableTrustTokenOrigin& lhs,
+                       const SuitableTrustTokenOrigin& rhs) {
+  return lhs.origin_ == rhs.origin_;
+}
+
+inline bool operator<(const SuitableTrustTokenOrigin& lhs,
+                      const SuitableTrustTokenOrigin& rhs) {
+  return lhs.origin_ < rhs.origin_;
+}
+
+}  // namespace network
+
+#endif  // SERVICES_NETWORK_TRUST_TOKENS_SUITABLE_TRUST_TOKEN_ORIGIN_H_

services/network/trust_tokens/suitable_trust_token_origin_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/network/trust_tokens/suitable_trust_token_origin.h"
+
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace network {
+
+TEST(SuitableTrustTokenOrigin, Suitable) {
+  // Suitable: HTTP/HTTPS and potentially trustworthy
+  auto suitable_url = GURL("https://suitable-origin.example");
+  auto suitable_origin = url::Origin::Create(suitable_url);
+
+  base::Optional<SuitableTrustTokenOrigin> created_from_url =
+      SuitableTrustTokenOrigin::Create(suitable_url);
+
+  ASSERT_TRUE(created_from_url);
+  EXPECT_EQ(created_from_url->origin(), suitable_origin);
+
+  base::Optional<SuitableTrustTokenOrigin> created_from_origin =
+      SuitableTrustTokenOrigin::Create(suitable_origin);
+  ASSERT_TRUE(created_from_origin);
+  EXPECT_EQ(created_from_origin->origin(), suitable_origin);
+
+  EXPECT_EQ(created_from_origin->Serialize(), suitable_origin.Serialize());
+}
+
+TEST(SuitableTrustTokenOrigin, Insecure) {
+  // Unsuitable: not potentially trustworthy
+  auto unsuitable_url = GURL("http://suitable-origin.example");
+  auto unsuitable_origin = url::Origin::Create(unsuitable_url);
+
+  EXPECT_FALSE(SuitableTrustTokenOrigin::Create(unsuitable_url));
+  EXPECT_FALSE(SuitableTrustTokenOrigin::Create(unsuitable_origin));
+}
+
+TEST(SuitableTrustTokenOrigin, SecureButNeitherHttpNorHttps) {
+  // Unsuitable: potentially trustworthy, but neither HTTP nor HTTPS
+  auto unsuitable_url = GURL("file:///");
+  auto unsuitable_origin = url::Origin::Create(unsuitable_url);
+
+  EXPECT_FALSE(SuitableTrustTokenOrigin::Create(unsuitable_url));
+  EXPECT_FALSE(SuitableTrustTokenOrigin::Create(unsuitable_origin));
+}
+
+}  // namespace network

services/network/trust_tokens/trust_token_key_commitment_getter.h

@@ -21,8 +21,8 @@ class TrustTokenKeyCommitmentGetter {
   virtual ~TrustTokenKeyCommitmentGetter() = default;
   virtual void Get(
       const url::Origin& origin,
-      base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)>
-          on_done) = 0;
+      base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)> on_done)
+      const = 0;
 };
 
 }  // namespace network

services/network/trust_tokens/trust_token_key_commitments.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/network/trust_tokens/trust_token_key_commitments.h"
+
+#include <utility>
+
+#include "base/optional.h"
+#include "services/network/public/mojom/trust_tokens.mojom-forward.h"
+#include "services/network/trust_tokens/suitable_trust_token_origin.h"
+
+namespace network {
+
+TrustTokenKeyCommitments::TrustTokenKeyCommitments() = default;
+TrustTokenKeyCommitments::~TrustTokenKeyCommitments() = default;
+
+void TrustTokenKeyCommitments::Set(
+    base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> map) {
+  // To filter out the unsuitable origins in linear time, extract |map|'s
+  // contents a vector, filter the vector, and place the result back into
+  // |map_|.
+
+  std::vector<std::pair<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr>>
+      to_filter(std::move(map).extract());
+
+  std::vector<std::pair<SuitableTrustTokenOrigin,
+                        mojom::TrustTokenKeyCommitmentResultPtr>>
+      filtered;
+
+  // Due to the characteristics of the Trust Tokens protocol, it is expected
+  // that there be no more than a couple hundred issuer origins.
+  for (std::pair<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr>& kv :
+       to_filter) {
+    auto maybe_suitable_origin =
+        SuitableTrustTokenOrigin::Create(std::move(kv.first));
+    if (!maybe_suitable_origin)
+      continue;
+    filtered.emplace_back(std::move(*maybe_suitable_origin),
+                          std::move(kv.second));
+  }
+
+  map_.replace(std::move(filtered));
+}
+
+void TrustTokenKeyCommitments::Get(
+    const url::Origin& origin,
+    base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)> done)
+    const {
+  base::Optional<SuitableTrustTokenOrigin> suitable_origin =
+      SuitableTrustTokenOrigin::Create(origin);
+  if (!suitable_origin) {
+    std::move(done).Run(nullptr);
+    return;
+  }
+
+  auto it = map_.find(*suitable_origin);
+  if (it == map_.end()) {
+    std::move(done).Run(nullptr);
+    return;
+  }
+
+  std::move(done).Run(it->second->Clone());
+}
+
+}  // namespace network

services/network/trust_tokens/trust_token_key_commitments.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_KEY_COMMITMENTS_H_
+#define SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_KEY_COMMITMENTS_H_
+
+#include <map>
+#include <memory>
+
+#include "base/callback.h"
+#include "base/containers/flat_map.h"
+#include "services/network/public/mojom/trust_tokens.mojom.h"
+#include "services/network/trust_tokens/suitable_trust_token_origin.h"
+#include "services/network/trust_tokens/trust_token_key_commitment_getter.h"
+
+namespace network {
+
+// Class TrustTokenKeyCommitments is a singleton owned by NetworkService; it
+// stores all known information about issuers' Trust Tokens key state. This
+// state is provided through offline updates via |Set|.
+class TrustTokenKeyCommitments : public TrustTokenKeyCommitmentGetter {
+ public:
+  TrustTokenKeyCommitments();
+  ~TrustTokenKeyCommitments() override;
+
+  TrustTokenKeyCommitments(const TrustTokenKeyCommitments&) = delete;
+  TrustTokenKeyCommitments& operator=(const TrustTokenKeyCommitments&) = delete;
+
+  // Overwrites the current issuers-to-commitments map with the values in |map|,
+  // ignoring those issuer origins which are not suitable Trust Tokens origins
+  // (in the sense of SuitableTrustTokenOrigin).
+  void Set(
+      base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> map);
+
+  // TrustTokenKeyCommitmentGetter implementation:
+  //
+  // If |origin| is a suitable Trust Tokens origin (in the sense of
+  // SuitableTrustTokenOrigin), searches for a key commitment result
+  // corresponding to |origin|. Returns nullptr if |origin| is not suitable, or
+  // if no commitment result is found.
+  void Get(const url::Origin& origin,
+           base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)>
+               done) const override;
+
+ private:
+  base::flat_map<SuitableTrustTokenOrigin,
+                 mojom::TrustTokenKeyCommitmentResultPtr>
+      map_;
+};
+
+}  // namespace network
+
+#endif  // SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_KEY_COMMITMENTS_H_

services/network/trust_tokens/trust_token_key_commitments_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "services/network/trust_tokens/trust_token_key_commitments.h"
+
+#include "base/test/bind_test_util.h"
+#include "services/network/public/mojom/trust_tokens.mojom-forward.h"
+#include "services/network/public/mojom/trust_tokens.mojom.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
+#include "url/origin.h"
+
+namespace network {
+
+mojom::TrustTokenKeyCommitmentResultPtr GetCommitmentForOrigin(
+    const TrustTokenKeyCommitments& commitments,
+    const url::Origin& origin) {
+  mojom::TrustTokenKeyCommitmentResultPtr result;
+  bool ran = false;
+
+  commitments.Get(origin, base::BindLambdaForTesting(
+                              [&](mojom::TrustTokenKeyCommitmentResultPtr ptr) {
+                                result = std::move(ptr);
+                                ran = true;
+                              }));
+
+  CHECK(ran);
+  return result;
+}
+
+TEST(TrustTokenKeyCommitments, Empty) {
+  TrustTokenKeyCommitments commitments;
+
+  // We shouldn't find any commitments in an empty store.
+  EXPECT_FALSE(GetCommitmentForOrigin(
+      commitments,
+      url::Origin::Create(GURL("https://suitable-origin.example"))));
+}
+
+TEST(TrustTokenKeyCommitments, CantRetrieveRecordForUnsuitableOrigin) {
+  TrustTokenKeyCommitments commitments;
+
+  // Opaque origins are insecure, and, consequently, not suitable for use a
+  // Trust Tokens issuer origins; so, the |Set| call should decline to store the
+  // result.
+  base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> to_set;
+  to_set.insert_or_assign(url::Origin(),
+                          mojom::TrustTokenKeyCommitmentResult::New());
+  commitments.Set(std::move(to_set));
+
+  // We shouldn't find any commitment corresponding to an unsuitable origin.
+  EXPECT_FALSE(GetCommitmentForOrigin(commitments, url::Origin()));
+}
+
+TEST(TrustTokenKeyCommitments, CanRetrieveRecordForSuitableOrigin) {
+  TrustTokenKeyCommitments commitments;
+
+  auto expectation = mojom::TrustTokenKeyCommitmentResult::New();
+  expectation->batch_size = mojom::TrustTokenKeyCommitmentBatchSize::New(5);
+
+  auto suitable_origin = *SuitableTrustTokenOrigin::Create(
+      GURL("https://suitable-origin.example"));
+
+  // Opaque origins are insecure, and, consequently, not suitable for use a
+  // Trust Tokens issuer origins; so, the |Set| call should decline to store the
+  // result.
+  base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> to_set;
+  to_set.insert_or_assign(suitable_origin.origin(), expectation.Clone());
+  commitments.Set(std::move(to_set));
+
+  // We shouldn't find any commitment corresponding to an unsuitable origin.
+  auto result = GetCommitmentForOrigin(commitments, suitable_origin.origin());
+  ASSERT_TRUE(result);
+  EXPECT_TRUE(result.Equals(expectation));
+}
+
+TEST(TrustTokenKeyCommitments, CantRetrieveRecordForOriginNotPresent) {
+  TrustTokenKeyCommitments commitments;
+
+  auto an_origin =
+      *SuitableTrustTokenOrigin::Create(GURL("https://an-origin.example"));
+  auto an_expectation = mojom::TrustTokenKeyCommitmentResult::New();
+  an_expectation->batch_size = mojom::TrustTokenKeyCommitmentBatchSize::New(5);
+
+  base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> to_set;
+  to_set.insert_or_assign(an_origin.origin(), an_expectation.Clone());
+  commitments.Set(std::move(to_set));
+
+  auto another_origin =
+      *SuitableTrustTokenOrigin::Create(GURL("https://another-origin.example"));
+
+  // We shouldn't find any commitment corresponding to an origin not in the map.
+  EXPECT_FALSE(GetCommitmentForOrigin(commitments, another_origin.origin()));
+}
+
+TEST(TrustTokenKeyCommitments, MultipleOrigins) {
+  TrustTokenKeyCommitments commitments;
+
+  SuitableTrustTokenOrigin origins[] = {
+      *SuitableTrustTokenOrigin::Create(GURL("https://an-origin.example")),
+      *SuitableTrustTokenOrigin::Create(GURL("https://another-origin.example")),
+  };
+
+  mojom::TrustTokenKeyCommitmentResultPtr expectations[] = {
+      mojom::TrustTokenKeyCommitmentResult::New(),
+      mojom::TrustTokenKeyCommitmentResult::New(),
+  };
+
+  expectations[0]->batch_size = mojom::TrustTokenKeyCommitmentBatchSize::New(0);
+  expectations[1]->batch_size = mojom::TrustTokenKeyCommitmentBatchSize::New(1);
+
+  base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> to_set;
+  to_set.insert_or_assign(origins[0].origin(), expectations[0].Clone());
+  to_set.insert_or_assign(origins[1].origin(), expectations[1].Clone());
+  commitments.Set(std::move(to_set));
+
+  for (int i : {0, 1}) {
+    auto result = GetCommitmentForOrigin(commitments, origins[i].origin());
+    ASSERT_TRUE(result);
+    EXPECT_TRUE(result.Equals(expectations[i]));
+  }
+}
+
+}  // namespace network

services/network/trust_tokens/trust_token_request_issuance_helper_unittest.cc

@@ -50,11 +50,12 @@ class FixedKeyCommitmentGetter : public TrustTokenKeyCommitmentGetter {
       const url::Origin& issuer,
       mojom::TrustTokenKeyCommitmentResultPtr result)
       : issuer_(issuer), result_(std::move(result)) {}
+
   void Get(const url::Origin& origin,
            base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)>
-               on_done) override {
+               on_done) const override {
     EXPECT_EQ(origin, issuer_);
-    std::move(on_done).Run(std::move(result_));
+    std::move(on_done).Run(result_.Clone());
   }
 
  private:

services/network/trust_tokens/trust_token_request_redemption_helper_unittest.cc

@@ -47,9 +47,9 @@ class FixedKeyCommitmentGetter : public TrustTokenKeyCommitmentGetter {
       : issuer_(issuer), result_(std::move(result)) {}
   void Get(const url::Origin& origin,
            base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)>
-               on_done) override {
+               on_done) const override {
     EXPECT_EQ(origin, issuer_);
-    std::move(on_done).Run(std::move(result_));
+    std::move(on_done).Run(result_.Clone());
   }
 
  private: