diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 17:32:43 +0000 |
| commit | 6bf0a5cb5034a7e684dcc3500e841785237ce2dd (patch) | |
| tree | a68f146d7fa01f0134297619fbe7e33db084e0aa /toolkit/components/cleardata/tests/unit/test_security_settings.js | |
| parent | Initial commit. (diff) | |
| download | thunderbird-upstream.tar.xz thunderbird-upstream.zip | |
Adding upstream version 1:115.7.0.upstream/1%115.7.0upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'toolkit/components/cleardata/tests/unit/test_security_settings.js')
| -rw-r--r-- | toolkit/components/cleardata/tests/unit/test_security_settings.js | 279 |
1 files changed, 279 insertions, 0 deletions
diff --git a/toolkit/components/cleardata/tests/unit/test_security_settings.js b/toolkit/components/cleardata/tests/unit/test_security_settings.js new file mode 100644 index 0000000000..b14f567bab --- /dev/null +++ b/toolkit/components/cleardata/tests/unit/test_security_settings.js @@ -0,0 +1,279 @@ +/* Any copyright is dedicated to the Public Domain. + http://creativecommons.org/publicdomain/zero/1.0/ */ + +/** + * Test for SecuritySettingsCleaner. + * This tests both, the SiteSecurityService and the ClientAuthRememberService. + */ + +"use strict"; + +let gSSService = Cc["@mozilla.org/ssservice;1"].getService( + Ci.nsISiteSecurityService +); + +let cars = Cc["@mozilla.org/security/clientAuthRememberService;1"].getService( + Ci.nsIClientAuthRememberService +); + +let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService( + Ci.nsIX509CertDB +); + +// These are not actual server and client certs. The ClientAuthRememberService +// does not care which certs we store decisions for, as long as they're valid. +let [clientCert] = certDB.getCerts(); + +function addSecurityInfo({ host, topLevelBaseDomain, originAttributes = {} }) { + let attrs = getOAWithPartitionKey({ topLevelBaseDomain }, originAttributes); + + let uri = Services.io.newURI(`https://${host}`); + + gSSService.processHeader(uri, "max-age=1000;", attrs); + + cars.rememberDecisionScriptable(host, attrs, clientCert); +} + +function addTestSecurityInfo() { + // First party + addSecurityInfo({ host: "example.net" }); + addSecurityInfo({ host: "test.example.net" }); + addSecurityInfo({ host: "example.org" }); + + // Third-party partitioned + addSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" }); + addSecurityInfo({ host: "example.net", topLevelBaseDomain: "example.org" }); + addSecurityInfo({ + host: "test.example.net", + topLevelBaseDomain: "example.org", + }); + + // Ensure we have the correct state initially. + testSecurityInfo({ host: "example.net" }); + testSecurityInfo({ host: "test.example.net" }); + testSecurityInfo({ host: "example.org" }); + testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" }); + testSecurityInfo({ host: "example.net", topLevelBaseDomain: "example.org" }); + testSecurityInfo({ + host: "test.example.net", + topLevelBaseDomain: "example.org", + }); +} + +function testSecurityInfo({ + host, + topLevelBaseDomain, + expectedHSTS = true, + expectedCARS = true, + originAttributes = {}, +}) { + let attrs = getOAWithPartitionKey({ topLevelBaseDomain }, originAttributes); + + let messageSuffix = `for ${host}`; + if (topLevelBaseDomain) { + messageSuffix += ` partitioned under ${topLevelBaseDomain}`; + } + + let uri = Services.io.newURI(`https://${host}`); + let isSecure = gSSService.isSecureURI(uri, attrs); + Assert.equal( + isSecure, + expectedHSTS, + `HSTS ${expectedHSTS ? "is set" : "is not set"} ${messageSuffix}` + ); + + let hasRemembered = cars.hasRememberedDecisionScriptable(host, attrs, {}); + // CARS deleteDecisionsByHost does not include subdomains. That means for some + // test cases we expect a different remembered state. + Assert.equal( + hasRemembered, + expectedCARS, + `CAR ${expectedCARS ? "is set" : "is not set"} ${messageSuffix}` + ); +} + +add_task(async function test_baseDomain() { + gSSService.clearAll(); + + // ---- hsts cleaner ---- + addTestSecurityInfo(); + + // Clear hsts data of example.net including partitions. + await new Promise(aResolve => { + Services.clearData.deleteDataFromBaseDomain( + "example.net", + false, + Ci.nsIClearDataService.CLEAR_HSTS, + aResolve + ); + }); + + testSecurityInfo({ + host: "example.net", + expectedHSTS: false, + expectedCARS: true, + }); + // HSTSCleaner also removes subdomain settings. + testSecurityInfo({ + host: "test.example.net", + expectedHSTS: false, + expectedCARS: true, + }); + testSecurityInfo({ host: "example.org" }); + + testSecurityInfo({ + host: "example.com", + topLevelBaseDomain: "example.net", + expectedHSTS: false, + expectedCARS: true, + }); + testSecurityInfo({ + host: "example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: false, + expectedCARS: true, + }); + testSecurityInfo({ + host: "test.example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: false, + expectedCARS: true, + }); + + // ---- client auth remember cleaner ----- + addTestSecurityInfo(); + + // Clear security settings of example.net including partitions. + await new Promise(aResolve => { + Services.clearData.deleteDataFromBaseDomain( + "example.net", + false, + Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE, + aResolve + ); + }); + + testSecurityInfo({ + host: "example.net", + expectedHSTS: true, + expectedCARS: false, + }); + // ClientAuthRememberCleaner also removes subdomain settings. + testSecurityInfo({ + host: "test.example.net", + expectedHSTS: true, + expectedCARS: false, + }); + testSecurityInfo({ host: "example.org" }); + + testSecurityInfo({ + host: "example.com", + topLevelBaseDomain: "example.net", + expectedHSTS: true, + expectedCARS: false, + }); + testSecurityInfo({ + host: "example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: true, + expectedCARS: false, + }); + testSecurityInfo({ + host: "test.example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: true, + expectedCARS: false, + }); + + // Cleanup + gSSService.clearAll(); +}); + +add_task(async function test_host() { + gSSService.clearAll(); + + // ---- HSTS cleaer ---- + addTestSecurityInfo(); + + // Clear security settings of example.net without partitions. + await new Promise(aResolve => { + Services.clearData.deleteDataFromHost( + "example.net", + false, + Ci.nsIClearDataService.CLEAR_HSTS, + aResolve + ); + }); + + testSecurityInfo({ + host: "example.net", + expectedHSTS: false, + expectedCARS: true, + }); + testSecurityInfo({ + host: "test.example.net", + expectedHSTS: false, + expectedCARS: true, + }); + testSecurityInfo({ host: "example.org" }); + + testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" }); + testSecurityInfo({ + host: "example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: false, + expectedCARS: true, + }); + testSecurityInfo({ + host: "test.example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: false, + expectedCARS: true, + }); + + // Cleanup + gSSService.clearAll(); + + // --- clientAuthRemember cleaner --- + + addTestSecurityInfo(); + + // Clear security settings of example.net without partitions. + await new Promise(aResolve => { + Services.clearData.deleteDataFromHost( + "example.net", + false, + Ci.nsIClearDataService.CLEAR_CLIENT_AUTH_REMEMBER_SERVICE, + aResolve + ); + }); + + testSecurityInfo({ + host: "example.net", + expectedHSTS: true, + expectedCARS: false, + }); + testSecurityInfo({ + host: "test.example.net", + expectedHSTS: true, + expectedCARS: true, + }); + testSecurityInfo({ host: "example.org" }); + + testSecurityInfo({ host: "example.com", topLevelBaseDomain: "example.net" }); + testSecurityInfo({ + host: "example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: true, + expectedCARS: false, + }); + testSecurityInfo({ + host: "test.example.net", + topLevelBaseDomain: "example.org", + expectedHSTS: true, + expectedCARS: true, + }); + + // Cleanup + gSSService.clearAll(); +}); |