Trust Tokens: Refactor signing tests to verify more expectations in test

Right now, a lot of the postcondition verification for the Trust Tokens
browser tests covering request signing takes place in the test helper,
network::test::TrustTokenRequestHandler. In particular, right now, the
helper provides an interface that allows callers to extract the last
signing request verification error, if any. This has a couple problems:
  1. Callers can't distinguish cases where no signing request arrived in
  the handler from cases where a signing request was successfully
  processed
  2. All of the postcondition checking takes place in the handler, so
  it's hard to modify the postcondition checking to reflect changes in
  test expectations. Right now, we do this by passing an options
  struct to the handler, but it woul be more readable if we could
  express the expectations in real time, after sending the request, in
  the main browser test code.

This CL refactors the test handler to instead allow callers to extract
a representation of the most recently received signed request, if any.
Callers can then check postconditions directly against this data, using
trust_tokens/test/ helper methods.

Fixed: 1126276
Change-Id: Ic6d9f403c2175cc5bb7c2a3ff59ffc575252cda3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2520200
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Reviewed-by: Matt Menke <mmenke@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/heads/master@{#825103}

services/network/public/cpp/BUILD.gn

@@ -105,6 +105,8 @@ component("cpp") {
     "spki_hash_set.h",
     "supports_loading_mode/supports_loading_mode_parser.cc",
     "supports_loading_mode/supports_loading_mode_parser.h",
+    "trust_token_http_headers.cc",
+    "trust_token_http_headers.h",
     "trust_token_operation_authorization.h",
     "weak_wrapper_shared_url_loader_factory.cc",
     "weak_wrapper_shared_url_loader_factory.h",

services/network/public/cpp/OWNERS

@@ -15,3 +15,6 @@ per-file cross_origin_resource_policy*=lukasza@chromium.org
 per-file cross_origin_opener_policy*=ahemery@chromium.org
 per-file cross_origin_opener_policy*=clamy@chromium.org
 per-file cross_origin_opener_policy*=pmeuleman@chromium.org
+
+# Files and features related to component:Internals>Network>TrustTokens
+per-file trust_token*=file://services/network/trust_tokens/OWNERS

services/network/trust_tokens/trust_token_http_headers.cc → services/network/public/cpp/trust_token_http_headers.cc

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#include "services/network/trust_tokens/trust_token_http_headers.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 
 #include "base/no_destructor.h"
 #include "base/strings/string_piece.h"

services/network/trust_tokens/trust_token_http_headers.h → services/network/public/cpp/trust_token_http_headers.h

@@ -2,11 +2,12 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-#ifndef SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_HTTP_HEADERS_H_
-#define SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_HTTP_HEADERS_H_
+#ifndef SERVICES_NETWORK_PUBLIC_CPP_TRUST_TOKEN_HTTP_HEADERS_H_
+#define SERVICES_NETWORK_PUBLIC_CPP_TRUST_TOKEN_HTTP_HEADERS_H_
 
 #include <vector>
 
+#include "base/component_export.h"
 #include "base/strings/string_piece_forward.h"
 
 namespace network {
@@ -61,8 +62,9 @@ constexpr char kTrustTokensRequestHeaderSecTrustTokensAdditionalSigningData[] =
 //
 // In particular, this does *not* contain Signed-Headers because this header's
 // value is provided by the Trust Token API's client.
+COMPONENT_EXPORT(NETWORK_CPP)
 const std::vector<base::StringPiece>& TrustTokensRequestHeaders();
 
 }  // namespace network
 
-#endif  // SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_HTTP_HEADERS_H_
+#endif  // SERVICES_NETWORK_PUBLIC_CPP_TRUST_TOKEN_HTTP_HEADERS_H_

services/network/trust_tokens/BUILD.gn

@@ -50,8 +50,6 @@ source_set("trust_tokens") {
     "trust_token_client_data_canonicalization.h",
     "trust_token_database_owner.cc",
     "trust_token_database_owner.h",
-    "trust_token_http_headers.cc",
-    "trust_token_http_headers.h",
     "trust_token_key_commitment_controller.cc",
     "trust_token_key_commitment_controller.h",
     "trust_token_key_commitment_getter.h",
@@ -121,6 +119,7 @@ source_set("test_support") {
     "//net",
     "//net:test_support",
     "//net/traffic_annotation:test_support",
+    "//services/network/public/cpp",
     "//services/network/public/mojom",
     "//testing/gtest",
     "//url",

services/network/trust_tokens/test/signed_request_verification_util.cc

@@ -15,10 +15,10 @@
 #include "components/cbor/values.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/structured_headers.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/trust_tokens/ed25519_trust_token_request_signer.h"
 #include "services/network/trust_tokens/signed_redemption_record_serialization.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "services/network/trust_tokens/trust_token_request_canonicalizer.h"
 #include "services/network/trust_tokens/trust_token_request_signing_helper.h"

services/network/trust_tokens/test/test_server_handler_registration.cc

@@ -110,14 +110,11 @@ void RegisterTrustTokenTestHandlers(net::EmbeddedTestServer* test_server,
         replacements.SetHostStr(host_and_maybe_port);
         GURL destination_url = request.GetURL().ReplaceComponents(replacements);
 
-        std::string error;
         net::HttpRequestHeaders headers;
         for (const auto& name_and_value : request.headers)
           headers.SetHeader(name_and_value.first, name_and_value.second);
 
-        bool success =
-            handler->VerifySignedRequest(destination_url, headers, &error);
-        LOG_IF(ERROR, !success) << error;
+        handler->RecordSignedRequest(destination_url, headers);
 
         // Unlike issuance and redemption, there's no special state to return
         // on success for signing.

services/network/trust_tokens/test/trust_token_request_handler.cc

@@ -19,10 +19,10 @@
 #include "crypto/sha2.h"
 #include "net/http/http_request_headers.h"
 #include "net/http/structured_headers.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/trust_tokens/ed25519_trust_token_request_signer.h"
 #include "services/network/trust_tokens/scoped_boringssl_bytes.h"
 #include "services/network/trust_tokens/test/signed_request_verification_util.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_request_canonicalizer.h"
 #include "services/network/trust_tokens/trust_token_request_signing_helper.h"
 #include "third_party/boringssl/src/include/openssl/curve25519.h"
@@ -99,10 +99,10 @@ struct TrustTokenRequestHandler::Rep {
   // encoding of a structure matching the format specified in the design doc.
   //
   // If this is the case, returns true and stores the contained
-  // browser-generated public key hash in |hashes_of_redemption_bound_key_pairs|
-  // for comparison against subsequent signed requests. Otherwise, returns false
-  // and, if |error| is not null, sets |error| to a human-readable explanation
-  // of why the input was not valid.
+  // browser-generated public key hash in
+  // |hashes_of_redemption_bound_public_keys| for comparison against subsequent
+  // signed requests. Otherwise, returns false and, if |error| is not null, sets
+  // |error| to a human-readable explanation of why the input was not valid.
   bool ConfirmClientDataIntegrityAndStoreKeyHash(
       base::span<const uint8_t> client_data,
       std::string* error = nullptr);
@@ -110,14 +110,11 @@ struct TrustTokenRequestHandler::Rep {
   // Maintains all key pairs bound to successful redemptions.
   // TODO(davidvc): This can be expanded to map per top-frame origin for
   // tests across multiple origins.
-  // TODO(davidvc): We can also expand the verification logic here to confirm
-  // the private metadata field decodes appropriately.
-  std::set<std::string> hashes_of_redemption_bound_key_pairs;
-
-  // Contains a human-readable string explaining why the most recent signed
-  // request verification to fail failed, or nullopt if no verification has
-  // failed.
-  base::Optional<std::string> last_verification_error;
+  std::set<std::string> hashes_of_redemption_bound_public_keys;
+
+  // This is a structured representation of the most recent input to
+  // RecordSignedRequest.
+  base::Optional<TrustTokenSignedRequest> last_incoming_signed_request;
 };
 
 bssl::UniquePtr<TRUST_TOKEN_ISSUER>
@@ -205,7 +202,7 @@ bool TrustTokenRequestHandler::Rep::ConfirmClientDataIntegrityAndStoreKeyHash(
     return false;
   }
 
-  hashes_of_redemption_bound_key_pairs.insert(std::string(key_hash));
+  hashes_of_redemption_bound_public_keys.insert(std::string(key_hash));
 
   return true;
 }
@@ -335,121 +332,25 @@ base::Optional<std::string> TrustTokenRequestHandler::Redeem(
   return base::Base64Encode(decoded_redemption_response.as_span());
 }
 
-bool TrustTokenRequestHandler::VerifySignedRequest(
+void TrustTokenRequestHandler::RecordSignedRequest(
     const GURL& destination,
-    const net::HttpRequestHeaders& headers,
-    std::string* error_out) {
-  std::string dummy_error;
-  if (!error_out)
-    error_out = &dummy_error;
-
-  // In order to avoid deadlock, this must be before VerifySignedRequest's
-  // |lock|'s definition. This is so that |set_last_error_on_return|'s
-  // destructor (and associated callback) are run after the function-scoped
-  // AutoLock is destroyed (and releases the mutex).
-  base::ScopedClosureRunner set_last_error_on_return(
-      base::BindLambdaForTesting([error_out, this]() {
-        base::AutoLock lock(mutex_);
-        if (!error_out->empty())
-          rep_->last_verification_error = *error_out;
-      }));
-
+    const net::HttpRequestHeaders& headers) {
   base::AutoLock lock(mutex_);
 
-  std::string sec_signed_redemption_record_header;
-  if (!headers.GetHeader(kTrustTokensRequestHeaderSecSignedRedemptionRecord,
-                         &sec_signed_redemption_record_header)) {
-    *error_out = "Request missing its SRR header";
-
-    return false;
-  }
-
-  // If there was a client-side failure, expect an empty SRR header and no other
-  // Trust Tokens headers.
-  if (rep_->client_signing_outcome == SigningOutcome::kFailure) {
-    if (!sec_signed_redemption_record_header.empty()) {
-      *error_out = "Client-side failure but nonempty SRR header: " +
-                   sec_signed_redemption_record_header;
-      return false;
-    }
-    if (headers.HasHeader(kTrustTokensRequestHeaderSecSignature)) {
-      *error_out = "Client-side failure but received Sec-Signature header";
-      return false;
-    }
-    if (headers.HasHeader(kTrustTokensRequestHeaderSecTime)) {
-      *error_out = "Client-side failure but received Sec-Time header";
-      return false;
-    }
-    if (headers.HasHeader(kTrustTokensRequestHeaderSignedHeaders)) {
-      *error_out = "Client-side failure but received Signed-Headers header";
-      return false;
-    }
-    return true;
-  }
-  DCHECK_EQ(rep_->client_signing_outcome, SigningOutcome::kSuccess);
-
-  std::map<SuitableTrustTokenOrigin, std::string> redemption_records_per_issuer;
-  // On failure, |ExtractRedemptionRecordsFromHeader| has set the error.
-  if (!ExtractRedemptionRecordsFromHeader(sec_signed_redemption_record_header,
-                                          &redemption_records_per_issuer,
-                                          error_out)) {
-    return false;
-  }
-
-  for (const auto& issuer_and_record : redemption_records_per_issuer) {
-    // TODO(davidvc): Check that the issuer corresponds to "this server's
-    // domain" once this handler is scoped to a single domain.
-    std::string srr_body;
-    switch (VerifyTrustTokenSignedRedemptionRecord(
-        issuer_and_record.second,
-        base::StringPiece(
-            reinterpret_cast<const char*>(rep_->srr_verification.data()),
-            rep_->srr_verification.size()),
-        &srr_body)) {
-      case SrrVerificationStatus::kSignatureVerificationError:
-        if (error_out) {
-          *error_out = "Request SRR signature failed to verify";
-        }
-        return false;
-      case SrrVerificationStatus::kParseError:
-        if (error_out) {
-          *error_out = "Request SRR header failed to parse";
-        }
-        return false;
-      case SrrVerificationStatus::kSuccess:
-        break;
-    }
-
-    if (!ConfirmSrrBodyIntegrity(srr_body, error_out))
-      return false;  // On failure, |ConfirmSrrBodyIntegrity| has set the error.
-  }
-
-  std::map<std::string, std::string> verification_keys;
-
-  if (!ReconstructSigningDataAndVerifySignatures(destination, headers,
-                                                 /*verifier=*/{}, error_out,
-                                                 &verification_keys)) {
-    return false;
-  }
-
-  for (const auto& issuer_and_key : verification_keys) {
-    if (!base::Contains(rep_->hashes_of_redemption_bound_key_pairs,
-                        crypto::SHA256HashString(issuer_and_key.second))) {
-      if (error_out) {
-        *error_out =
-            "Got a request signed with a verification key whose hash was not "
-            "previously bound to a redemption request.";
-      }
-      return false;
-    }
-  }
+  rep_->last_incoming_signed_request =
+      TrustTokenSignedRequest{destination, headers};
+}
 
-  return true;
+std::set<std::string>
+TrustTokenRequestHandler::hashes_of_redemption_bound_public_keys() const {
+  base::AutoLock lock(mutex_);
+  return rep_->hashes_of_redemption_bound_public_keys;
 }
 
-base::Optional<std::string> TrustTokenRequestHandler::LastVerificationError() {
+base::Optional<TrustTokenSignedRequest>
+TrustTokenRequestHandler::last_incoming_signed_request() const {
   base::AutoLock lock(mutex_);
-  return rep_->last_verification_error;
+  return rep_->last_incoming_signed_request;
 }
 
 void TrustTokenRequestHandler::UpdateOptions(Options options) {

services/network/trust_tokens/test/trust_token_request_handler.h

@@ -5,6 +5,7 @@
 #ifndef SERVICES_NETWORK_TRUST_TOKENS_TEST_TRUST_TOKEN_REQUEST_HANDLER_H_
 #define SERVICES_NETWORK_TRUST_TOKENS_TEST_TRUST_TOKEN_REQUEST_HANDLER_H_
 
+#include <set>
 #include <string>
 
 #include "base/optional.h"
@@ -17,6 +18,11 @@
 namespace network {
 namespace test {
 
+struct TrustTokenSignedRequest {
+  GURL destination;
+  net::HttpRequestHeaders headers;
+};
+
 // TrustTokenRequestHandler encapsulates server-side Trust Tokens issuance and
 // redemption logic and implements some integrity and correctness checks for
 // requests subsequently signed with keys bound to token redemptions.
@@ -107,38 +113,24 @@ class TrustTokenRequestHandler {
   static const base::TimeDelta kSrrLifetime;
   base::Optional<std::string> Redeem(base::StringPiece redemption_request);
 
-  // Inspects |request| to see if its contents are the expected the result of a
-  // client-side signing operation.
-  //
-  // If the configured signing outcome (see Options) is kFailure, returns true
-  // exactly when the request contains an empty Sec-Signed-Redemption-Record
-  // header and no Sec-Signature header.
-  //
-  // If the configured signing outcome (see Options) is kSuccess, returns true
-  // exactly when:
-  // - the request bears a well-formed Sec-Signature header with a valid
-  // signature over the request's canonical signing data; and
-  // - the signature's public key's hash was bound to a previous redemption
-  // request; and
-  // - the request contains a well-formed signed redemption record whose
-  // signature verifies against the issuer's published SRR key.
-  //
-  // Otherwise, returns false and, if |error_out| is not null, sets |error_out|
-  // to a helpful error message.
-  //
-  // TODO(davidvc): This currently doesn't support signRequestData: 'omit'.
-  bool VerifySignedRequest(const GURL& destination,
-                           const net::HttpRequestHeaders& headers,
-                           std::string* error_out = nullptr);
+  // Stores a representation of a signed request with the given destination and
+  // headers in a manner that can be retrieved for inspection by calling
+  // |last_incoming_signed_request|.
+  void RecordSignedRequest(const GURL& destination,
+                           const net::HttpRequestHeaders& headers);
+
+  // Returns the public key hashes received in prior redemption requests.
+  std::set<std::string> hashes_of_redemption_bound_public_keys() const;
 
-  // Returns the verification error from the most recent unsuccessful
-  // VerifySignedRequest call, if any.
-  base::Optional<std::string> LastVerificationError();
+  // Returns a structured representation of the last signed request received.
+  base::Optional<TrustTokenSignedRequest> last_incoming_signed_request() const;
 
  private:
   struct Rep;  // Contains state internal to this class's implementation.
 
-  // Guards this class's internal state.
+  // Guards this class's internal state. This makes sure we're reading writes to
+  // the state that occur while handling requests, which takes place off of the
+  // main sequence due to how net::EmbeddedTestServer works.
   mutable base::Lock mutex_;
   std::unique_ptr<Rep> rep_ GUARDED_BY(mutex_);
 };

services/network/trust_tokens/trust_token_request_canonicalizer.cc

@@ -10,8 +10,8 @@
 #include "components/cbor/values.h"
 #include "components/cbor/writer.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/mojom/trust_tokens.mojom-shared.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_request_signing_helper.h"
 
 namespace network {

services/network/trust_tokens/trust_token_request_canonicalizer_unittest.cc

@@ -9,9 +9,9 @@
 #include "components/cbor/values.h"
 #include "components/cbor/writer.h"
 #include "net/url_request/url_request.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/trust_tokens/test/trust_token_test_util.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_request_canonicalizer.h"
 #include "services/network/trust_tokens/trust_token_request_signing_helper.h"
 #include "testing/gtest/include/gtest/gtest.h"

services/network/trust_tokens/trust_token_request_helper_factory.cc

@@ -15,6 +15,7 @@
 #include "net/log/net_log_with_source.h"
 #include "net/url_request/url_request.h"
 #include "services/network/public/cpp/resource_request.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/cpp/trust_token_parameterization.h"
 #include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/trust_tokens/boringssl_trust_token_issuance_cryptographer.h"
@@ -25,7 +26,6 @@
 #include "services/network/trust_tokens/local_trust_token_operation_delegate_impl.h"
 #include "services/network/trust_tokens/operating_system_matching.h"
 #include "services/network/trust_tokens/suitable_trust_token_origin.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_key_commitment_controller.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "services/network/trust_tokens/trust_token_request_canonicalizer.h"

services/network/trust_tokens/trust_token_request_helper_factory_unittest.cc

@@ -13,11 +13,11 @@
 #include "net/url_request/url_request.h"
 #include "services/network/public/cpp/optional_trust_token_params.h"
 #include "services/network/public/cpp/resource_request.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/cpp/trust_token_parameterization.h"
 #include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "services/network/trust_tokens/pending_trust_token_store.h"
 #include "services/network/trust_tokens/test/trust_token_test_util.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/origin.h"

services/network/trust_tokens/trust_token_request_issuance_helper.cc

@@ -17,11 +17,11 @@
 #include "net/url_request/url_request.h"
 #include "services/network/public/cpp/features.h"
 #include "services/network/public/cpp/is_potentially_trustworthy.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
 #include "services/network/trust_tokens/proto/public.pb.h"
 #include "services/network/trust_tokens/suitable_trust_token_origin.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_key_filtering.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "services/network/trust_tokens/trust_token_store.h"

services/network/trust_tokens/trust_token_request_issuance_helper_unittest.cc

@@ -19,13 +19,13 @@
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_test_util.h"
 #include "services/network/public/cpp/features.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/cpp/trust_token_parameterization.h"
 #include "services/network/public/mojom/trust_tokens.mojom.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
 #include "services/network/trust_tokens/operating_system_matching.h"
 #include "services/network/trust_tokens/proto/public.pb.h"
 #include "services/network/trust_tokens/test/trust_token_test_util.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_key_commitment_getter.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "services/network/trust_tokens/trust_token_store.h"

services/network/trust_tokens/trust_token_request_redemption_helper.cc

@@ -13,10 +13,10 @@
 #include "net/http/http_response_headers.h"
 #include "net/url_request/url_request.h"
 #include "services/network/public/cpp/is_potentially_trustworthy.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
 #include "services/network/trust_tokens/proto/public.pb.h"
 #include "services/network/trust_tokens/trust_token_database_owner.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "services/network/trust_tokens/trust_token_store.h"
 #include "url/url_constants.h"

services/network/trust_tokens/trust_token_request_redemption_helper_unittest.cc

@@ -15,11 +15,11 @@
 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
 #include "net/url_request/url_request.h"
 #include "net/url_request/url_request_test_util.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/cpp/trust_token_parameterization.h"
 #include "services/network/public/mojom/url_response_head.mojom.h"
 #include "services/network/trust_tokens/proto/public.pb.h"
 #include "services/network/trust_tokens/test/trust_token_test_util.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_key_commitment_getter.h"
 #include "services/network/trust_tokens/trust_token_parameterization.h"
 #include "services/network/trust_tokens/trust_token_store.h"

services/network/trust_tokens/trust_token_request_signing_helper.cc

@@ -22,10 +22,10 @@
 #include "net/http/structured_headers.h"
 #include "net/url_request/url_request.h"
 #include "services/network/public/cpp/is_potentially_trustworthy.h"
+#include "services/network/public/cpp/trust_token_http_headers.h"
 #include "services/network/public/cpp/trust_token_parameterization.h"
 #include "services/network/public/mojom/trust_tokens.mojom-shared.h"
 #include "services/network/trust_tokens/proto/public.pb.h"
-#include "services/network/trust_tokens/trust_token_http_headers.h"
 #include "services/network/trust_tokens/trust_token_request_canonicalizer.h"
 #include "services/network/trust_tokens/trust_token_store.h"
 #include "url/url_constants.h"