Bug 1283109 - Create a services client for augmenting the STS preload list between releases. r=leplatrem

MozReview-Commit-ID: H9zZpBwJRgi --HG-- extra : rebase_source : ae9f58eea512c020ea96fe293c7825bbcc3ccf15
2024-11-24 13:21:05 +00:00 · 2016-12-21 15:36:31 +00:00 · 2016-12-21 15:36:31 +00:00 · 31afeff0c3
commit 31afeff0c3
parent f32a79f598
2 changed files with 41 additions and 9 deletions
--- a/services/common/blocklist-clients.js
+++ b/services/common/blocklist-clients.js
@ -281,13 +281,19 @@ function* updatePinningList(records) {
    for (let item of records) {
      try {
        const {pinType, pins=[], versions} = item;
-        if (pinType == "KeyPin" && pins.length &&
-            versions.indexOf(appInfo.version) != -1) {
-          siteSecurityService.setKeyPins(item.hostName,
-              item.includeSubdomains,
-              item.expires,
-              pins.length,
-              pins, true);
+        if (versions.indexOf(appInfo.version) != -1) {
+          if (pinType == "KeyPin" && pins.length) {
+            siteSecurityService.setKeyPins(item.hostName,
+                item.includeSubdomains,
+                item.expires,
+                pins.length,
+                pins, true);
+          }
+          if (pinType == "STSPin") {
+            siteSecurityService.setHSTSPreload(item.hostName,
+                                               item.includeSubdomains,
+                                               item.expires);
+          }
        }
      } catch (e) {
        // prevent errors relating to individual preload entries from causing
--- a/services/common/tests/unit/test_blocklist_pinning.js
+++ b/services/common/tests/unit/test_blocklist_pinning.js
@ -95,6 +95,7 @@ add_task(function* test_something(){
  ok(!sss.isSecureHost(sss.HEADER_HPKP, "one.example.com", 0));
  ok(!sss.isSecureHost(sss.HEADER_HPKP, "two.example.com", 0));
  ok(!sss.isSecureHost(sss.HEADER_HPKP, "three.example.com", 0));
+  ok(!sss.isSecureHost(sss.HEADER_HSTS, "five.example.com", 0));

  // Test an empty db populates
  let result = yield PinningPreloadClient.maybeSync(2000, Date.now());
@ -114,10 +115,10 @@ add_task(function* test_something(){
  result = yield PinningPreloadClient.maybeSync(4000, Date.now());

  // Open the collection, verify it's been updated:
-  // Our data now has three new records; all should be in the local collection
+  // Our data now has four new records; all should be in the local collection
  collection = do_get_kinto_collection(connection, COLLECTION_NAME);
  list = yield collection.list();
-  do_check_eq(list.data.length, 4);
+  do_check_eq(list.data.length, 5);
  yield connection.close();

  // check that a pin exists for two.example.com and three.example.com
@ -144,12 +145,21 @@ add_task(function* test_something(){
  let newValue = Services.prefs.getIntPref("services.blocklist.pinning.checked");
  do_check_neq(newValue, 0);

+  // Check that the HSTS preload added to the collection works...
+  ok(sss.isSecureHost(sss.HEADER_HSTS, "five.example.com", 0));
+  // ...and that includeSubdomains is honored
+  ok(!sss.isSecureHost(sss.HEADER_HSTS, "subdomain.five.example.com", 0));
+
  // Check that a sync completes even when there's bad data in the
  // collection. This will throw on fail, so just calling maybeSync is an
  // acceptible test (the data below with last_modified of 300 is nonsense).
  Services.prefs.setCharPref("services.settings.server",
                             `http://localhost:${server.identity.primaryPort}/v1`);
  yield PinningPreloadClient.maybeSync(5000, Date.now());
+
+  // The STS entry for five.example.com now has includeSubdomains set;
+  // ensure that the new includeSubdomains value is honored.
+  ok(sss.isSecureHost(sss.HEADER_HSTS, "subdomain.five.example.com", 0));
 });

 function run_test() {
@ -255,6 +265,14 @@ function getSampleResponse(req, port) {
        "versions" : ["some version that won't match"],
        "id":"dabafde9-df4a-ddba-2548-748da04cc02e",
        "last_modified":4000
+      },{
+        "pinType": "STSPin",
+        "hostName": "five.example.com",
+        "includeSubdomains": false,
+        "expires": new Date().getTime() + 1000000,
+        "versions" : [appInfo.version, "some version that won't match"],
+        "id":"dabafde9-df4a-ddba-2548-748da04cc032",
+        "last_modified":4000
      }]})
    },
    "GET:/v1/buckets/pinning/collections/pins/records?_sort=-last_modified&_since=4000": {
@ -289,6 +307,14 @@ function getSampleResponse(req, port) {
        "versions" : [appInfo.version],
        "id":"dabafde9-df4a-ddba-2548-748da04cc031",
        "last_modified":5000
+      },{
+        "pinType": "STSPin",
+        "hostName": "five.example.com",
+        "includeSubdomains": true,
+        "expires": new Date().getTime() + 1000000,
+        "versions" : [appInfo.version, "some version that won't match"],
+        "id":"dabafde9-df4a-ddba-2548-748da04cc032",
+        "last_modified":5000
      }]})
    }
  };