webrtc/base/rtccertificate_unittests.cc - Issue 1494103003: RTCCertificate::Expires() and ::HasExpired() implemented

Side by Side Diff: webrtc/base/rtccertificate_unittests.cc

Issue 1494103003: RTCCertificate::Expires() and ::HasExpired() implemented (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master

Patch Set: Addressed comments, added unittest Created 5 years ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 /*

	2 * Copyright 2015 The WebRTC Project Authors. All rights reserved.

	3 *

	4 * Use of this source code is governed by a BSD-style license

	5 * that can be found in the LICENSE file in the root of the source

	6 * tree. An additional intellectual property rights grant can be found

	7 * in the file PATENTS. All contributing project authors may

	8 * be found in the AUTHORS file in the root of the source tree.

	9 */

	10

	11 #include "webrtc/base/checks.h"
	torbjorng (webrtc) 2015/12/04 12:47:46 nit: I don't think all these #Includes are needed. nit: I don't think all these #Includes are needed.
	12 #include "webrtc/base/gunit.h"

	13 #include "webrtc/base/logging.h"

	14 #include "webrtc/base/rtccertificate.h"

	15 #include "webrtc/base/safe_conversions.h"

	16 #include "webrtc/base/scoped_ptr.h"

	17 #include "webrtc/base/sslidentity.h"

	18 #include "webrtc/base/thread.h"

	19 #include "webrtc/base/timeutils.h"

	20

	21 namespace rtc {

	22

	23 class RTCCertificateTest : public testing::Test {

	24 public:

	25 RTCCertificateTest() {}

	26 ~RTCCertificateTest() {}

	27

	28 protected:

	29 // Gets the current time in ms since epoch, 1970-01-01T00:00:00Z.

	30 // If \|seconds_precision\| is true it is rounded down to seconds-precision.

	31 // This is useful when comparing expiration times since CreateCertificate is

	32 // limited to seconds-precision.

	33 uint64_t Now(bool seconds_precision) const {

	34 uint64_t now = TimeNanos() / kNumNanosecsPerMillisec;

	35 if (seconds_precision)

	36 return (now / 1000) * 1000;

	37 return now;

	38 }

	39

	40 // Generates a certificate with the specified \|expiration_time\|, expressed in

	41 // number of ms since epoch, 1970-01-01T00:00:00Z. The expiration time is
	torbjorng (webrtc) 2015/12/04 12:47:46 Note that a cert cannot store greater accuracy tha Note that a cert cannot store greater accuracy than 1 s. See RFC 5280. I really don't like that we mess around with ms for expiration, since this can only lead to confusion which may lead to failure to expire. I realise that the WebRTC draft defines expiration in ms.
	42 // converted to time_t meaning it is rounded down to number of seconds (note:

	43 // loss of precision) and these number of seconds must be in valid range of

	44 // time_t. On some 32-bit systems time_t is limited to < 2^31. On such systems

	45 // this will fail for expiration times of year 2038 or later.

	46 scoped_refptr<RTCCertificate> CreateCertificate(uint64_t expires_time) const {

	47 uint64_t expires_time_s = expires_time / kNumMillisecsPerSec; // ms -> s

	48 RTC_CHECK(rtc::IsValueInRangeForNumericType<time_t>(expires_time_s));

	49

	50 rtc::SSLIdentityParams params;

	51 params.common_name = "RTCCertificateTest's certificate";

	52 params.not_before = 0;

	53 params.not_after = static_cast<time_t>(expires_time_s);

	54 // Certificate type does not matter for our purposes, using ECDSA because it

	55 // is fast to generate.

	56 params.key_params = rtc::KeyParams::ECDSA(rtc::EC_NIST_P256);

	57

	58 scoped_ptr<SSLIdentity> identity(rtc::SSLIdentity::GenerateForTest(params));
	hta-webrtc 2015/12/03 18:16:05 You can make the test a lot more isolated (not dep You can make the test a lot more isolated (not depend on rtc::SSLIdentity) if you use a mock certificate. You're not testing rtc::SSLIdentity here, you're testing the handling code. hbos 2015/12/04 09:58:56 Ok. I'll add a expiration setter to FakeSSLCertifi Show quoted text On 2015/12/03 18:16:05, hta-webrtc wrote: > You can make the test a lot more isolated (not depend on rtc::SSLIdentity) if > you use a mock certificate. You're not testing rtc::SSLIdentity here, you're > testing the handling code. > Ok. I'll add a expiration setter to FakeSSLCertificate and use that.
	59 return RTCCertificate::Create(identity.Pass());

	60 }

	61 };

	62

	63 TEST_F(RTCCertificateTest, ExpiresNow) {

	64 uint64_t now = Now(true);

	65 scoped_refptr<RTCCertificate> certificate = CreateCertificate(now);

	66 EXPECT_EQ(now, certificate->Expires());

	67 }

	68

	69 TEST_F(RTCCertificateTest, HasExpired) {

	70 scoped_refptr<RTCCertificate> certificate;

	71

	72 // Test that a certificate that should not have expired hasn't.

	73 bool retry = true;

	74 while (retry) {
	hta-webrtc 2015/12/03 18:16:05 Looping until the times align is a Bad Thing. You Looping until the times align is a Bad Thing. You have no idea how many times you will go around the loop. If you mock the certificate, you have much more precise control. hbos 2015/12/04 09:58:56 Point taken, I'll simplify. Though as-is, one tes Show quoted text On 2015/12/03 18:16:05, hta-webrtc wrote: > Looping until the times align is a Bad Thing. > > You have no idea how many times you will go around the loop. > If you mock the certificate, you have much more precise control. Point taken, I'll simplify. Though as-is, one test run takes but milliseconds, so the odds of having to try again is very small. If you do try again you'll no longer be "on the edge" between second 1 and second 2 so the odds of having to try yet another time is exceedingly unlikely. But even if this could run for a 100 times that wouldn't be a performance problem. That being said if there is a regression and the assumption that one attempt is fast no longer holds we could get stuck in some undesirable looping.
	75 // Generate a certificate that expires in 0-1 seconds.

	76 // Note seconds-precision of \|expires\| due to CreateCertificate.

	77 uint64_t expires = Now(true) + 1000;

	78 certificate = CreateCertificate(expires);

	79 bool has_expired = certificate->HasExpired();

	80 if (has_expired) {

	81 // Expecting not to have expired, but in the rare case that too much time

	82 // passed between certificate generation and the HasExpired check we have

	83 // to try again.

	84 uint64_t now = Now(false);

	85 if (now >= expires)

	86 continue;

	87 }

	88 EXPECT_FALSE(has_expired);

	89 retry = false;

	90 }

	91 RTC_CHECK(certificate);

	92

	93 // Test that ~1.5 seconds later it has expired.

	94 Thread::Current()->SleepMs(1500);
	hta-webrtc 2015/12/03 18:16:05 Argh. This is going to cost us heavily. Sleeping i Argh. This is going to cost us heavily. Sleeping in tests is a Bad Thing - it wastes 1.5 seconds every time the tests are run. Good unit tests finish in milliseconds. I think this test could be much simpler - generate two certificates, one that expires at now-1000 and one that expires at now+1000, check that one has expired and one is not. There's a risk that the future-expired certificate will be flaky - you never know how much time will pass between any two lines in a test - but 1000 seconds should be enough to make it not-flaky. (Injectable time would make it not-flaky too, of course). hbos 2015/12/04 09:58:56 Ok. I wanted to test going from non-expired to exp Show quoted text On 2015/12/03 18:16:05, hta-webrtc wrote: > Argh. This is going to cost us heavily. Sleeping in tests is a Bad Thing - it > wastes 1.5 seconds every time the tests are run. Good unit tests finish in > milliseconds. > > I think this test could be much simpler - generate two certificates, one that > expires at now-1000 and one that expires at now+1000, check that one has expired > and one is not. > > There's a risk that the future-expired certificate will be flaky - you never > know how much time will pass between any two lines in a test - but 1000 seconds > should be enough to make it not-flaky. > (Injectable time would make it not-flaky too, of course). > Ok. I wanted to test going from non-expired to expired but I guess sleeping is not worth it. FakeSSLCertificate with expiration injection it is. torbjorng (webrtc) 2015/12/04 12:47:46 I disagree (with the Argh and with the technical c Show quoted text On 2015/12/03 18:16:05, hta-webrtc wrote: > Argh. This is going to cost us heavily. Sleeping in tests is a Bad Thing - it > wastes 1.5 seconds every time the tests are run. Good unit tests finish in > milliseconds. > > I think this test could be much simpler - generate two certificates, one that > expires at now-1000 and one that expires at now+1000, check that one has expired > and one is not. > > There's a risk that the future-expired certificate will be flaky - you never > know how much time will pass between any two lines in a test - but 1000 seconds > should be enough to make it not-flaky. > (Injectable time would make it not-flaky too, of course). > I disagree (with the Argh and with the technical contents). My view is that tests which run as close to reality are better than those that take artificial approaches. For certificates, we will generate them, then they will be valid and we should recognise them as valid, and later they will expire and we should recognise them as expired. Generating expired certificates and certificates valid longer than we can check for the expiration to happen will not make adequate tests of the mechanism which we need to test. I'd suggest a slight modification to hbos' original code, but the code was fine already. My suggestion is that one does not loop in the case the cert is expired directly after creation, at least not indefinitely. Instead just skip this test. As a complement, one should generate a certificate with say 100 seconds validity and fail if that is expired. This will never be flaky. It will make sure that no second/millisecond confusion exists or is introduced, and it will verify that the expiration mechanism is sound. This test is important enough that it is worth 1.5 seconds of wall clock time. We already spend several minutes of CPU time on testing the crypto code. hta-webrtc 2015/12/04 13:32:44 I'm afraid I disagree about the importance. This i Show quoted text On 2015/12/04 12:47:46, torbjorng (webrtc) wrote: > On 2015/12/03 18:16:05, hta-webrtc wrote: > > Argh. This is going to cost us heavily. Sleeping in tests is a Bad Thing - it > > wastes 1.5 seconds every time the tests are run. Good unit tests finish in > > milliseconds. > > > > I think this test could be much simpler - generate two certificates, one that > > expires at now-1000 and one that expires at now+1000, check that one has > expired > > and one is not. > > > > There's a risk that the future-expired certificate will be flaky - you never > > know how much time will pass between any two lines in a test - but 1000 > seconds > > should be enough to make it not-flaky. > > (Injectable time would make it not-flaky too, of course). > > > > I disagree (with the Argh and with the technical contents). > > My view is that tests which run as close to reality are better than those that > take artificial approaches. For certificates, we will generate them, then they > will be valid and we should recognise them as valid, and later they will expire > and we should recognise them as expired. > > Generating expired certificates and certificates valid longer than we can check > for the expiration to happen will not make adequate tests of the mechanism which > we need to test. > > I'd suggest a slight modification to hbos' original code, but the code was fine > already. My suggestion is that one does not loop in the case the cert is expired > directly after creation, at least not indefinitely. Instead just skip this > test. As a complement, one should generate a certificate with say 100 seconds > validity and fail if that is expired. > > This will never be flaky. It will make sure that no second/millisecond confusion > exists or is introduced, and it will verify that the expiration mechanism is > sound. > > This test is important enough that it is worth 1.5 seconds of wall clock time. > We already spend several minutes of CPU time on testing the crypto code. I'm afraid I disagree about the importance. This is an unit test for code that, in itself, has no state; the tests are already longer than the code it's testing. The test as written now tests that a certificate with an old expiry date shows as expired and that a certificate with an expiry date in the future shows as not expired; I think that's what we want to test. A real test that the same certificate will show as not-expired before some time and expired after that time is simple to write - but it requires an injected clock that is under the test's control. In my opinion, developers should run the unit tests for their module every time they make a change to that module, almost as an instinctive action. Each second spent extra here is a second of programmer's time lost. Some modules require, as you say, minutes of CPU time. Those are large tests, not unit tests. We won't ask programmers to run those on every change to their module while they're developing. https://wiki.corp.google.com/twiki/bin/view/Main/GoogleTestDefinitions#Defini... is old, but good. This is an unit test, and should be a small test.
	95 EXPECT_TRUE(certificate->HasExpired());

	96 }

	97

	98 } // namespace rtc

OLD	NEW

« webrtc/base/rtccertificate.cc ('K') | « webrtc/base/rtccertificate.cc ('k') | webrtc/base/sslidentity.h » ('j') | no next file with comments »