Port more unittests for CSPEE from blink to services/network

After reimplementing Content-Security-Policy: Embedded Enforcement
in services/network, I forgot to port some unit tests for the
subsumption algorithm from blink.

Bug: 1094909
Change-Id: Idfc2a47d791f6eb85190757e12933fffe270cb52
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2349298
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#804865}

services/network/public/cpp/content_security_policy/content_security_policy_unittest.cc

@@ -1273,6 +1273,171 @@ TEST(ContentSecurityPolicy, Subsumes) {
   }
 }
 
+TEST(ContentSecurityPolicy, SubsumesBasedOnCSPSourcesOnly) {
+  const char* csp_a =
+      "script-src http://*.one.com; img-src https://sub.one.com "
+      "http://two.com/imgs/";
+
+  struct TestCase {
+    const char* policies;
+    bool expected;
+    bool expected_first_policy_opposite;
+  } cases[] = {
+      // `listB`, which is not as restrictive as `A`, is not subsumed.
+      {"", false, true},
+      {"script-src http://example.com", false, false},
+      {"img-src http://example.com", false, false},
+      {"script-src http://*.one.com", false, true},
+      {"img-src https://sub.one.com http://two.com/imgs/", false, true},
+      {"default-src http://example.com", false, false},
+      {"default-src https://sub.one.com http://two.com/imgs/", false, false},
+      {"default-src http://sub.one.com", false, false},
+      {"script-src http://*.one.com; img-src http://two.com/", false, false},
+      {"script-src http://*.one.com, img-src http://sub.one.com", false, true},
+      {"script-src http://*.one.com, script-src https://two.com", false, true},
+      {"script-src http://*.random.com,"
+       "script-src https://random.com",
+       false, false},
+      {"script-src http://sub.one.com,"
+       "script-src https://random.com",
+       false, false},
+      {"script-src http://*.random.com; default-src http://sub.one.com "
+       "http://two.com/imgs/,"
+       "default-src https://sub.random.com",
+       false, false},
+      // `listB`, which is as restrictive as `A`, is subsumed.
+      {"default-src https://sub.one.com", true, false},
+      {"default-src http://random.com,"
+       "default-src https://non-random.com:*",
+       true, false},
+      {"script-src http://*.one.com; img-src https://sub.one.com", true, false},
+      {"script-src http://*.one.com; img-src https://sub.one.com "
+       "http://two.com/imgs/",
+       true, true},
+      {"script-src http://*.one.com,"
+       "img-src https://sub.one.com http://two.com/imgs/",
+       true, true},
+      {"script-src http://*.random.com; default-src https://sub.one.com "
+       "http://two.com/imgs/,"
+       "default-src https://else.com",
+       true, false},
+      {"script-src http://*.random.com; default-src https://sub.one.com "
+       "http://two.com/imgs/,"
+       "default-src https://sub.one.com",
+       true, false},
+  };
+
+  std::vector<mojom::ContentSecurityPolicyPtr> policy_a = ParseCSP(csp_a);
+
+  for (const auto& test : cases) {
+    std::vector<mojom::ContentSecurityPolicyPtr> policies_b =
+        ParseCSP(test.policies);
+    EXPECT_EQ(Subsumes(*policy_a[0], policies_b,
+                       url::Origin::Create(GURL("https://a.com"))),
+              test.expected)
+        << csp_a << " should " << (test.expected ? "" : "not ") << "subsume "
+        << test.policies;
+
+    if (!policies_b.empty()) {
+      // Check if first policy of `listB` subsumes `A`.
+      EXPECT_EQ(Subsumes(*policies_b[0], policy_a,
+                         url::Origin::Create(GURL("https://a.com"))),
+                test.expected_first_policy_opposite)
+          << csp_a << " should "
+          << (test.expected_first_policy_opposite ? "" : "not ") << "subsume "
+          << test.policies;
+    }
+  }
+}
+
+TEST(ContentSecurityPolicy, SubsumesIfNoneIsPresent) {
+  struct TestCase {
+    const char* policy_a;
+    const char* policies_b;
+    bool expected;
+  } cases[] = {
+      // `policyA` is 'none', but no policy in `policiesB` is.
+      {"script-src ", "", false},
+      {"script-src 'none'", "", false},
+      {"script-src ", "script-src http://example.com", false},
+      {"script-src 'none'", "script-src http://example.com", false},
+      {"script-src ", "img-src 'none'", false},
+      {"script-src 'none'", "img-src 'none'", false},
+      {"script-src ", "script-src http://*.one.com, img-src https://two.com",
+       false},
+      {"script-src 'none'",
+       "script-src http://*.one.com, img-src https://two.com", false},
+      {"script-src 'none'",
+       "script-src http://*.one.com, script-src https://two.com", true},
+      {"script-src 'none'", "script-src http://*.one.com, script-src 'self'",
+       true},
+      // `policyA` is not 'none', but at least effective result of `policiesB`
+      // is.
+      {"script-src http://example.com 'none'", "script-src 'none'", true},
+      {"script-src http://example.com", "script-src 'none'", true},
+      {"script-src http://example.com 'none'",
+       "script-src http://*.one.com, script-src http://sub.one.com,"
+       "script-src 'none'",
+       true},
+      {"script-src http://example.com",
+       "script-src http://*.one.com, script-src http://sub.one.com,"
+       "script-src 'none'",
+       true},
+      {"script-src http://one.com 'none'",
+       "script-src http://*.one.com, script-src http://sub.one.com,"
+       "script-src https://one.com",
+       true},
+      // `policyA` is `none` and at least effective result of `policiesB` is
+      // too.
+      {"script-src ", "script-src , script-src ", true},
+      {"script-src 'none'", "script-src, script-src 'none'", true},
+      {"script-src ", "script-src 'none', script-src 'none'", true},
+      {"script-src ",
+       "script-src 'none' http://example.com,"
+       "script-src 'none' http://example.com",
+       false},
+      {"script-src 'none'", "script-src 'none', script-src 'none'", true},
+      {"script-src 'none'",
+       "script-src 'none', script-src 'none', script-src 'none'", true},
+      {"script-src 'none'",
+       "script-src http://*.one.com, script-src http://sub.one.com,"
+       "script-src 'none'",
+       true},
+      {"script-src 'none'",
+       "script-src http://*.one.com, script-src http://two.com,"
+       "script-src http://three.com",
+       true},
+      // Policies contain special keywords.
+      {"script-src ", "script-src , script-src 'unsafe-eval'", true},
+      {"script-src 'none'", "script-src 'unsafe-inline', script-src 'none'",
+       true},
+      {"script-src ",
+       "script-src 'none' 'unsafe-inline',"
+       "script-src 'none' 'unsafe-inline'",
+       false},
+      {"script-src ",
+       "script-src 'none' 'unsafe-inline',"
+       "script-src 'unsafe-inline' 'strict-dynamic'",
+       false},
+      {"script-src 'unsafe-eval'",
+       "script-src 'unsafe-eval', script 'unsafe-inline'", true},
+      {"script-src 'unsafe-inline'", "script-src  , script http://example.com",
+       true},
+  };
+
+  for (const auto& test : cases) {
+    std::vector<mojom::ContentSecurityPolicyPtr> policy_a =
+        ParseCSP(test.policy_a);
+    std::vector<mojom::ContentSecurityPolicyPtr> policies_b =
+        ParseCSP(test.policies_b);
+    EXPECT_EQ(Subsumes(*policy_a[0], policies_b,
+                       url::Origin::Create(GURL("https://a.com"))),
+              test.expected)
+        << test.policy_a << " should " << (test.expected ? "" : "not ")
+        << "subsume " << test.policies_b;
+  }
+}
+
 TEST(ContentSecurityPolicy, SubsumesPluginTypes) {
   struct TestCase {
     const char* policy_a;