Fix on-disk structure for persistent storage in webview tags.

content/browser/storage_partition_impl_map.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/storage_partition_impl_map.h"
 
 #include "base/bind.h"
 #include "base/callback.h"
 #include "base/file_path.h"
 #include "base/stl_util.h"
 #include "base/string_util.h"
+#include "base/string_number_conversions.h"
 #include "content/browser/appcache/chrome_appcache_service.h"
 #include "content/browser/fileapi/browser_file_system_helper.h"
 #include "content/browser/fileapi/chrome_blob_storage_context.h"
 #include "content/browser/histogram_internals_request_job.h"
 #include "content/browser/net/view_blob_internals_job_factory.h"
 #include "content/browser/net/view_http_cache_job_factory.h"
 #include "content/browser/renderer_host/resource_request_info_impl.h"
 #include "content/browser/resource_context_impl.h"
 #include "content/browser/storage_partition_impl.h"
 #include "content/browser/tcmalloc_internals_request_job.h"
 #include "content/public/browser/browser_context.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/storage_partition.h"
 #include "content/public/common/content_constants.h"
 #include "content/public/common/url_constants.h"
+#include "crypto/sha2.h"
 #include "net/url_request/url_request_context_getter.h"
 #include "net/url_request/url_request_context.h"
 #include "webkit/appcache/view_appcache_internals_job.h"
 #include "webkit/blob/blob_data.h"
 #include "webkit/blob/blob_url_request_job_factory.h"
 #include "webkit/fileapi/file_system_url_request_job_factory.h"
 
 using appcache::AppCacheService;
 using fileapi::FileSystemContext;
 using webkit_blob::BlobStorageController;
@@ skipping 139 matching lines @@
       CreateFileSystemProtocolHandler(file_system_context));
   DCHECK(set_protocol);
 
   job_factory->AddInterceptor(
       new DeveloperProtocolHandler(appcache_service,
                                    blob_storage_context->controller()));
 
   // TODO(jam): Add the ProtocolHandlerRegistryIntercepter here!
 }
 
+// These constants are used to create the directory structure under the profile
+// where renderers with a non-default storage partition keep their persistent
+// state. This will contain a set of directories that partially mirror the
+// directory structure of BrowserContext::GetPath().
+//
+// The kStoragePartitionDirname contains an extensions directory which is
+// further partitioned by extension id, followed by another level of directories
+// for the "default" extension storage partition and one directory for each

[ericu, 2012/11/14 01:55:19]

Perhaps: ...directories, one for the "default" extension...

...if I'm reading that right?

+// persistent partition used by a webview tag. Example:
+//
+//   Storage/ext/ABCDEF/def
+//   Storage/ext/ABCDEF/hash(partition name)
+//
+// The code in GetStoragePartitionPath() constructs these path names.
+//
+// TODO(nasko): Move extension related path code out of content.
+const FilePath::CharType kStoragePartitionDirname[] =
+    FILE_PATH_LITERAL("Storage");
+const FilePath::CharType kExtensionsDirname[] =
+    FILE_PATH_LITERAL("ext");
+const FilePath::CharType kDefaultPartitionDirname[] =
+    FILE_PATH_LITERAL("def");
+
+// Because partition names are user specified, they can be arbitrarily long
+// which makes them unsuitable for paths names. We use a truncation of a
+// SHA256 hash to perform a deterministic shortening of the string. The
+// kPartitionNameHashBytes constant controls the length of the truncation.
+// We use 6 bytes, which gives us 99.999% reliability against collisions over
+// 1 million partition domains.
+//
+// Analysis:
+// We assume that all partition names within one partition domain are

[akalin, 2012/11/14 07:05:16]

you probably should add that you're assuming that sha256 gives a
close-to-uniform distribution over its output range, as well that any hash
function which takes a prefix of a sha256 hash also gives a close-to-uniform
distribution.

+// controlled by the the same entity. Thus there is no chance for adverserial
+// attack and all we care about is accidental collision. To get 5 9s over
+// 1 million domains, we need the probability of a collision in any one domain
+// to be
+//
+//    p < nroot(1000000, .99999) ~= 10^-11

[akalin, 2012/11/14 07:05:16]

i think you mean p < 1 - nroot(...)

I had to look up nroot and think a bit to figure out the notation.  I think it's
clearer as:

p < 1 - 0.99999^(1/1000000)

+//
+// We the following birthday attack approximation to caculate the max number

[Charlie Reis, 2012/11/12 22:58:20]

typo: We the
typo: caculate

[awong, 2012/11/12 23:49:16]

Done.

+// of unique names for this probability:
+//
+//    n(p,H) = sqrt(2*H * ln(1/(1-p)))

[akalin, 2012/11/14 07:05:16]

from reading the wikipedia article, i think this is a lower bound, i.e.:

n(p, H) > sqrt(...)

which is nice.

+//
+// For a 6-byte hash, H = 2^(6*8).  n(10^-11, H) ~= 75
+//
+// An average partition domain is likely to have less than 10 unique
+// partition names which is far lower than 75.
+//
+// Note, that for 4 9s of reliability, the limit is 237 partition names per
+// partition domain.
+const int kPartitionNameHashBytes = 6;
+
 }  // namespace
 
+// static
+FilePath StoragePartitionImplMap::GetStoragePartitionPath(
+    const std::string& partition_domain,
+    const std::string& partition_name) {
+  if (partition_domain.empty())
+    return FilePath();
+
+  CHECK(IsStringUTF8(partition_domain));
+
+  FilePath path = FilePath(kStoragePartitionDirname).Append(kExtensionsDirname)
+      .Append(FilePath::FromUTF8Unsafe(partition_domain));
+
+  if (!partition_name.empty()) {
+    // For analysis of why we can ignore collisions, see the comment above
+    // kPartitionNameHashBytes.
+    char buffer[kPartitionNameHashBytes];
+    crypto::SHA256HashString(partition_name, &buffer[0],

[ericu, 2012/11/14 01:55:19]

Fits on one line?

+                             sizeof(buffer));
+    return path.AppendASCII(base::HexEncode(buffer, sizeof(buffer)));
+  }
+
+  return path.Append(kDefaultPartitionDirname);
+}
+
+
 StoragePartitionImplMap::StoragePartitionImplMap(
     BrowserContext* browser_context)
     : browser_context_(browser_context),
       resource_context_initialized_(false) {
 }
 
 StoragePartitionImplMap::~StoragePartitionImplMap() {
   STLDeleteContainerPairSecondPointers(partitions_.begin(),
                                        partitions_.end());
 }
 
 StoragePartitionImpl* StoragePartitionImplMap::Get(
     const std::string& partition_domain,
     const std::string& partition_name,
     bool in_memory) {
   // TODO(ajwong): ResourceContexts no longer have any storage related state.
   // We should move this into a place where it is called once per
   // BrowserContext creation rather than piggybacking off the default context
   // creation.
   if (!resource_context_initialized_) {
     resource_context_initialized_ = true;
     InitializeResourceContext(browser_context_);
   }
 
   // Find the previously created partition if it's available.
-  StoragePartitionImpl::StoragePartitionConfig partition_config(
+  StoragePartitionConfig partition_config(
       partition_domain, partition_name, in_memory);
 
   PartitionMap::const_iterator it = partitions_.find(partition_config);
   if (it != partitions_.end())
     return it->second;
 
-  // There was no previous partition, so let's make a new one.
+  FilePath partition_path =
+      browser_context_->GetPath().Append(
+          GetStoragePartitionPath(partition_domain, partition_name));
   StoragePartitionImpl* partition =
-      StoragePartitionImpl::Create(browser_context_, partition_config,
-                                   browser_context_->GetPath());
+      StoragePartitionImpl::Create(browser_context_, in_memory,
+                                   partition_path);
   partitions_[partition_config] = partition;
 
   // These calls must happen after StoragePartitionImpl::Create().
   partition->SetURLRequestContext(
       partition_domain.empty() ?
       browser_context_->GetRequestContext() :
       browser_context_->GetRequestContextForStoragePartition(
           partition->GetPath(), in_memory));
   partition->SetMediaURLRequestContext(
       partition_domain.empty() ?
@@ skipping 43 matching lines @@
 
     // We do not call InitializeURLRequestContext() for media contexts because,
     // other than the HTTP cache, the media contexts share the same backing
     // objects as their associated "normal" request context.  Thus, the previous
     // call serves to initialize the media request context for this storage
     // partition as well.
   }
 }
 
 }  // namespace content