diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js index d8a5b35f50b5..b771be2b0467 100644 --- a/security/manager/ssl/tests/unit/test_pinning.js +++ b/security/manager/ssl/tests/unit/test_pinning.js @@ -214,24 +214,34 @@ function check_pinning_telemetry() { .snapshot(); // Because all of our test domains are pinned to user-specified trust // anchors, effectively only strict mode and enforce test-mode get evaluated - do_check_eq(prod_histogram.counts[0], 4); // Failure count - do_check_eq(prod_histogram.counts[1], 4); // Success count - do_check_eq(test_histogram.counts[0], 2); // Failure count - do_check_eq(test_histogram.counts[1], 0); // Success count + equal(prod_histogram.counts[0], 4, + "Actual and expected prod (non-Mozilla) failure count should match"); + equal(prod_histogram.counts[1], 4, + "Actual and expected prod (non-Mozilla) success count should match"); + equal(test_histogram.counts[0], 2, + "Actual and expected test (non-Mozilla) failure count should match"); + equal(test_histogram.counts[1], 0, + "Actual and expected test (non-Mozilla) success count should match"); let moz_prod_histogram = service.getHistogramById("CERT_PINNING_MOZ_RESULTS") .snapshot(); let moz_test_histogram = service.getHistogramById("CERT_PINNING_MOZ_TEST_RESULTS").snapshot(); - do_check_eq(moz_prod_histogram.counts[0], 0); // Failure count - do_check_eq(moz_prod_histogram.counts[1], 0); // Success count - do_check_eq(moz_test_histogram.counts[0], 0); // Failure count - do_check_eq(moz_test_histogram.counts[1], 0); // Success count + equal(moz_prod_histogram.counts[0], 0, + "Actual and expected prod (Mozilla) failure count should match"); + equal(moz_prod_histogram.counts[1], 0, + "Actual and expected prod (Mozilla) success count should match"); + equal(moz_test_histogram.counts[0], 0, + "Actual and expected test (Mozilla) failure count should match"); + equal(moz_test_histogram.counts[1], 0, + "Actual and expected test (Mozilla) success count should match"); let per_host_histogram = service.getHistogramById("CERT_PINNING_MOZ_RESULTS_BY_HOST").snapshot(); - do_check_eq(per_host_histogram.counts[0], 0); // Failure count - do_check_eq(per_host_histogram.counts[1], 2); // Success count + equal(per_host_histogram.counts[0], 0, + "Actual and expected per host (Mozilla) failure count should match"); + equal(per_host_histogram.counts[1], 2, + "Actual and expected per host (Mozilla) success count should match"); run_next_test(); } diff --git a/security/manager/ssl/tests/unit/test_pinning_dynamic.js b/security/manager/ssl/tests/unit/test_pinning_dynamic.js index bc82fa0b7c46..603018d7a372 100644 --- a/security/manager/ssl/tests/unit/test_pinning_dynamic.js +++ b/security/manager/ssl/tests/unit/test_pinning_dynamic.js @@ -45,7 +45,8 @@ function run_test() { stateFile.append(SSS_STATE_FILE_NAME); // Assuming we're working with a clean slate, the file shouldn't exist // until we create it. - do_check_false(stateFile.exists()); + ok(!stateFile.exists(), + "State file should not exist when working with a clean slate"); let outputStream = FileUtils.openFileOutputStream(stateFile); let now = (new Date()).getTime(); writeLine("a.pinning2.example.com:HPKP\t0\t0\t" + (now + 100000) + ",1,0,kXoHD1ZGyMuowchJwy+xgHlzh0kJFoI9KX0o0IrzTps=\n", outputStream); @@ -56,12 +57,30 @@ function run_test() { do_test_pending(); gSSService = Cc["@mozilla.org/ssservice;1"] .getService(Ci.nsISiteSecurityService); - do_check_true(gSSService != null); + notEqual(gSSService, null, + "SiteSecurityService should have initialized successfully using" + + " the generated state file"); +} + +function checkDefaultSiteHPKPStatus() { + ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "a.pinning2.example.com", 0), + "a.pinning2.example.com should have HPKP status"); + ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "x.a.pinning2.example.com", 0), + "x.a.pinning2.example.com should not have HPKP status"); + ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "b.pinning2.example.com", 0), + "b.pinning2.example.com should have HPKP status"); + ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "x.b.pinning2.example.com", 0), + "x.b.pinning2.example.com should have HPKP status"); } function checkStateRead(aSubject, aTopic, aData) { - do_check_eq(aData, SSS_STATE_FILE_NAME); - do_check_neq(gSSService, null); + equal(aData, SSS_STATE_FILE_NAME, + "Observed data should be the Site Security Service state file name"); + notEqual(gSSService, null, "SiteSecurityService should be initialized"); // Initializing the certificate DB will cause NSS-initialization, which in // turn initializes the site security service. Since we're in part testing @@ -87,17 +106,10 @@ function checkStateRead(aSubject, aTopic, aData) { checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com"); checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com"); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "a.pinning2.example.com", 0)); - do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.a.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "b.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.b.pinning2.example.com", 0)); + checkDefaultSiteHPKPStatus(); - // add withSubdomains to a.pinning2.example.com + // add includeSubdomains to a.pinning2.example.com gSSService.setKeyPins("a.pinning2.example.com", true, 1000, 2, [NON_ISSUED_KEY_HASH, PINNING_ROOT_KEY_HASH]); checkFail(certFromFile('cn-a.pinning2.example.com-badca.der'), "a.pinning2.example.com"); @@ -111,10 +123,14 @@ function checkStateRead(aSubject, aTopic, aData) { checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com"); checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com"); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "a.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.a.pinning2.example.com", 0)); + ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "a.pinning2.example.com", 0), + "a.pinning2.example.com should still have HPKP status after adding" + + " includeSubdomains to a.pinning2.example.com"); + ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "x.a.pinning2.example.com", 0), + "x.a.pinning2.example.com should now have HPKP status after adding" + + " includeSubdomains to a.pinning2.example.com"); // Now setpins without subdomains gSSService.setKeyPins("a.pinning2.example.com", false, 1000, 2, @@ -131,20 +147,13 @@ function checkStateRead(aSubject, aTopic, aData) { checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com"); checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com"); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "a.pinning2.example.com", 0)); - do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.a.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "b.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.b.pinning2.example.com", 0)); + checkDefaultSiteHPKPStatus(); // failure to insert new pin entry leaves previous pin behavior try { gSSService.setKeyPins("a.pinning2.example.com", true, 1000, 1, ["not a hash"]); - do_check_true(false); // this shouldn't run + ok(false, "Attempting to set an invalid pin should have failed"); } catch(e) { } checkFail(certFromFile('cn-a.pinning2.example.com-badca.der'), "a.pinning2.example.com"); @@ -159,28 +168,23 @@ function checkStateRead(aSubject, aTopic, aData) { checkFail(certFromFile('cn-x.b.pinning2.example.com-badca.der'), "x.b.pinning2.example.com"); checkOK(certFromFile('cn-x.b.pinning2.example.com-pinningroot.der'), "x.b.pinning2.example.com"); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "a.pinning2.example.com", 0)); - do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.a.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "b.pinning2.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "x.b.pinning2.example.com", 0)); + checkDefaultSiteHPKPStatus(); // Incorrect size results in failure try { gSSService.setKeyPins("a.pinning2.example.com", true, 1000, 2, ["not a hash"]); - do_check_true(false); // this shouldn't run + ok(false, "Attempting to set a pin with an incorrect size should have failed"); } catch(e) { } // Ensure built-in pins work as expected - do_check_false(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "nonexistent.example.com", 0)); - do_check_true(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, - "include-subdomains.pinning.example.com", 0)); + ok(!gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "nonexistent.example.com", 0), + "Not built-in nonexistent.example.com should not have HPKP status"); + ok(gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, + "include-subdomains.pinning.example.com", 0), + "Built-in include-subdomains.pinning.example.com should have HPKP status"); gSSService.setKeyPins("a.pinning2.example.com", false, 0, 1, [NON_ISSUED_KEY_HASH]); diff --git a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js index 12630a0e415c..a7f2f9c236a1 100644 --- a/security/manager/ssl/tests/unit/test_pinning_header_parsing.js +++ b/security/manager/ssl/tests/unit/test_pinning_header_parsing.js @@ -29,9 +29,9 @@ function checkFailParseInvalidPin(pinValue) { try { gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, pinValue, sslStatus, 0); - do_check_true(false); // this should not run + ok(false, "Invalid pin should have been rejected"); } catch (e) { - do_check_true(true); + ok(true, "Invalid pin should be rejected"); } } @@ -40,7 +40,7 @@ function checkPassValidPin(pinValue, settingPin) { certFromFile('cn-a.pinning2.example.com-pinningroot.der')); let uri = Services.io.newURI("https://a.pinning2.example.com", null, null); - // setup preconditions for the test, if setting ensure there is no previors + // setup preconditions for the test, if setting ensure there is no previous // state, if removing ensure there is a valid pin in place. if (settingPin) { gSSService.removeState(Ci.nsISiteSecurityService.HEADER_HPKP, uri, 0); @@ -53,18 +53,18 @@ function checkPassValidPin(pinValue, settingPin) { try { gSSService.processHeader(Ci.nsISiteSecurityService.HEADER_HPKP, uri, pinValue, sslStatus, 0); - do_check_true(true); + ok(true, "Valid pin should be accepted"); } catch (e) { - do_check_true(false); + ok(false, "Valid pin should have been accepted"); } // after processing ensure that the postconditions are true, if setting // the host must be pinned, if removing the host must not be pinned let hostIsPinned = gSSService.isSecureHost(Ci.nsISiteSecurityService.HEADER_HPKP, "a.pinning2.example.com", 0); if (settingPin) { - do_check_true(hostIsPinned); + ok(hostIsPinned, "Host should be considered pinned"); } else { - do_check_true(!hostIsPinned); + ok(!hostIsPinned, "Host should not be considered pinned"); } }