Chromium Code Reviews

Side by Side Diff: chrome/browser/transport_security_persister.h

Issue 9415040: Refactor TransportSecurityState. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 8 years, 8 months ago
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 // TransportSecurityState maintains an in memory database containing the 5 // TransportSecurityState maintains an in memory database containing the
6 // list of hosts that currently have transport security enabled. This 6 // list of hosts that currently have transport security enabled. This
7 // singleton object deals with writing that data out to disk as needed and 7 // singleton object deals with writing that data out to disk as needed and
8 // loading it at startup. 8 // loading it at startup.
Ryan Sleevi 2012/04/26 19:21:12 I can't remember if it's been mentioned before, bu
palmer 2012/04/27 23:52:34 It's a singleton per-profile. See chrome/browser/p
9 9
10 // At startup we need to load the transport security state from the 10 // At startup we need to load the transport security state from the
11 // disk. For the moment, we don't want to delay startup for this load, so we 11 // disk. For the moment, we don't want to delay startup for this load, so we
12 // let the TransportSecurityState run for a while without being loaded. 12 // let the TransportSecurityState run for a while without being loaded.
13 // This means that it's possible for pages opened very quickly not to get the 13 // This means that it's possible for pages opened very quickly not to get the
14 // correct transport security information. 14 // correct transport security information.
15 // 15 //
16 // To load the state, we schedule a Task on the file thread which loads, 16 // To load the state, we schedule a Task on the file thread which loads,
17 // deserialises and configures the TransportSecurityState. 17 // deserializes and configures the TransportSecurityState.
18 // 18 //
19 // The TransportSecurityState object supports running a callback function 19 // The TransportSecurityState object supports running a callback function
20 // when it changes. This object registers the callback, pointing at itself. 20 // when it changes. This object registers the callback, pointing at itself.
21 // 21 //
22 // TransportSecurityState calls... 22 // TransportSecurityState calls...
23 // TransportSecurityPersister::StateIsDirty 23 // TransportSecurityPersister::StateIsDirty
24 // since the callback isn't allowed to block or reenter, we schedule a Task 24 // since the callback isn't allowed to block or reenter, we schedule a Task
25 // on the file thread after some small amount of time 25 // on the file thread after some small amount of time
26 // 26 //
27 // ... 27 // ...
28 // 28 //
29 // TransportSecurityPersister::SerialiseState 29 // TransportSecurityPersister::SerializeState
30 // copies the current state of the TransportSecurityState, serialises 30 // copies the current state of the TransportSecurityState, serializes
31 // and writes to disk. 31 // and writes to disk.
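Review bot: the flow description at line 29 of the new side names TransportSecurityPersister::SerializeState, but the method declared at line 87 is SerializeData; the comment should use the real name so a reader following the callback chain (StateIsDirty at line 23 does match line 56) lands on the right method. Separately, line 7 still calls this a "singleton object" while the reply in the thread says it is per-profile and the constructor at line 51 takes a |profile_path|; suggest "this per-profile object deals with writing that data out to disk" so the comment does not contradict the interface. The deserialises/serialises spelling normalisation itself looks fine.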
32 32
33 #ifndef CHROME_BROWSER_TRANSPORT_SECURITY_PERSISTER_H_ 33 #ifndef CHROME_BROWSER_TRANSPORT_SECURITY_PERSISTER_H_
34 #define CHROME_BROWSER_TRANSPORT_SECURITY_PERSISTER_H_ 34 #define CHROME_BROWSER_TRANSPORT_SECURITY_PERSISTER_H_
35 #pragma once 35 #pragma once
36 36
37 #include <string> 37 #include <string>
38 38
39 #include "base/file_path.h" 39 #include "base/file_path.h"
40 #include "base/memory/weak_ptr.h" 40 #include "base/memory/weak_ptr.h"
41 #include "chrome/common/important_file_writer.h" 41 #include "chrome/common/important_file_writer.h"
42 #include "net/base/transport_security_state.h" 42 #include "net/base/transport_security_state.h"
43 43
44 // Reads and updates on-disk TransportSecurity state. 44 // Reads and updates on-disk TransportSecurity state.
45 // Must be created, used and destroyed only on the IO thread. 45 // Must be created, used and destroyed only on the IO thread.
46 class TransportSecurityPersister 46 class TransportSecurityPersister
47 : public net::TransportSecurityState::Delegate, 47 : public net::TransportSecurityState::Delegate,
48 public ImportantFileWriter::DataSerializer { 48 public ImportantFileWriter::DataSerializer {
49 public: 49 public:
50 TransportSecurityPersister(net::TransportSecurityState* state, 50 TransportSecurityPersister(net::TransportSecurityState* state,
51 const FilePath& profile_path, 51 const FilePath& profile_path,
52 bool readonly); 52 bool readonly);
53 virtual ~TransportSecurityPersister(); 53 virtual ~TransportSecurityPersister();
54 54
55 // Called by the TransportSecurityState when it changes its state. 55 // Called by the TransportSecurityState when it changes its state.
56 virtual void StateIsDirty(net::TransportSecurityState*) OVERRIDE; 56 virtual void StateIsDirty(net::TransportSecurityState*) OVERRIDE;
57 57
58 // ImportantFileWriter::DataSerializer: 58 // Implements the interface of ImportantFileWriter::DataSerializer.
Ryan Sleevi 2012/04/26 19:21:12 The original form was consistent with http://dev.c
palmer 2012/04/27 23:52:34 Done.
59 //
60 // Serializes |transport_security_state_| into |*output|. Returns true if
61 // all DomainStates were serialized correctly.
62 //
63 // The serialization format is JSON; the JSON represents a dictionary of
64 // host:DomainState pairs (host is a string). The DomainState is
65 // represented as a dictionary containing the following keys and value
66 // types (not all keys will always be present):
67 //
Ryan Sleevi 2012/04/26 19:21:12 Should you include a version with the serializatio
palmer 2012/04/27 23:52:34 The appearance of draftiness is largely due to bac
68 // "include_subdomains": true|false
69 // "created": double
70 // "expiry": double
71 // "dynamic_spki_hashes_expiry": double
72 // "mode": "default"|"force-https"
73 // legacy value synonyms "strict" = "force-https"
74 // "pinning-only" = "default"
75 // legacy value "spdy-only" is unused and ignored
76 // "static_spki_hashes": list of strings
77 // legacy key synonym "preloaded_spki_hashes"
78 // "bad_static_spki_hashes": list of strings
79 // legacy key synonym "bad_preloaded_spki_hashes"
80 // "dynamic_spki_hashes": list of strings
81 //
82 // The keys are
83 // SHA256(net::TransportSecurityState::CanonicalizeHost(domain)). The
Ryan Sleevi 2012/04/26 19:21:12 There are two dictionaries (the first is host -> d
palmer 2012/04/27 23:52:34 Done.
84 // reason for hashing them is so that the stored state does not trivially
85 // reveal a user's browsing history to an attacker reading the serialized
86 // state on disk.
59 virtual bool SerializeData(std::string* data) OVERRIDE; 87 virtual bool SerializeData(std::string* data) OVERRIDE;
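Review bot: lines 63-64 say the top-level dictionary maps host:DomainState with host as a string, while lines 82-83 say the keys are SHA256(net::TransportSecurityState::CanonicalizeHost(domain)); beyond reconciling these two statements, the comment should say how the 32-byte digest is encoded as a JSON dictionary key (hex, base64, or something else), because nobody can write a compatible reader or a test fixture from the comment as it stands. It would also be worth adding that the hashing only prevents casual reading: hostnames form a small, guessable space, so anyone holding the file can confirm whether a particular host has an entry. The existing "does not trivially reveal" wording at line 84 hints at this, but stating the limit plainly avoids the field being mistaken for a privacy guarantee. The missing format version raised in the thread fits naturally in the same paragraph once the legacy key and value synonyms at lines 73-79 are documented as the reason it is needed.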
60 88
89 // Parses an array of JSON-encoded TransportSecurityState::DomainState
90 // entries. For use in loading entries defined on the command line
91 // (switches::kHstsHosts).
92 bool DeserializeFromCommandLine(const std::string& serialized);
93
94 // Clears any existing non-static entries, and then re-populates
95 // |transport_security_state_|.
96 //
97 // Sets |*dirty| to true if the new state differs from the persisted
98 // state; false otherwise.
99 bool LoadEntries(const std::string& serialized, bool* dirty);
100
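Review bot: DeserializeFromCommandLine at line 92 is documented as parsing an "array" of JSON-encoded DomainState entries, whereas SerializeData (lines 63-64) and LoadEntries describe a dictionary keyed by hashed host; state which shape switches::kHstsHosts accepts, and whether entries from the command line are passed to Deserialize with |forced| set, since the private comment at lines 105-107 says that flag should normally be false. The comment should also say whether entries loaded this way honour |readonly_| (line 124), i.e. whether a command-line entry can ever be written back to the profile's on-disk state via StateIsDirty, because persisting flag-injected HSTS entries would outlive the flag.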
61 private: 101 private:
62 class Loader; 102 class Loader;
63 103
104 // Populates |state| from the JSON string |serialized|. Returns true if
105 // all entries were parsed and deserialized correctly. If |forced| is
106 // true, updates |state|'s map of "forced" DomainState entries; normally,
107 // leave this false.
108 //
109 // Sets |*dirty| to true if the new state differs from the persisted
110 // state; false otherwise.
111 static bool Deserialize(const std::string& serialized,
112 bool* dirty,
113 bool forced,
Ryan Sleevi 2012/04/26 19:21:12 nit: Function parameter ordering http://google-st
palmer 2012/04/27 23:52:34 Done.
114 net::TransportSecurityState* state);
115
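Review bot: lines 104-105 say Deserialize returns true only if all entries were parsed and deserialized correctly, but do not say what |state| holds when it returns false; if entries are added to |state| one by one before a malformed entry is hit, LoadEntries' callers need to know that a false return can leave the state partially populated and |*dirty| possibly unset. Suggest either documenting the partial-update behaviour, or parsing into a local map and committing to |state| only on full success so a corrupted file cannot leave a half-applied policy.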
64 void CompleteLoad(const std::string& state); 116 void CompleteLoad(const std::string& state);
65 117
66 net::TransportSecurityState* transport_security_state_; 118 net::TransportSecurityState* transport_security_state_;
67 119
68 // Helper for safely writing the data. 120 // Helper for safely writing the data.
69 ImportantFileWriter writer_; 121 ImportantFileWriter writer_;
70 122
71 // Whether or not we're in read-only mode. 123 // Whether or not we're in read-only mode.
72 const bool readonly_; 124 const bool readonly_;
73 125
74 base::WeakPtrFactory<TransportSecurityPersister> weak_ptr_factory_; 126 base::WeakPtrFactory<TransportSecurityPersister> weak_ptr_factory_;
75 127
76 DISALLOW_COPY_AND_ASSIGN(TransportSecurityPersister); 128 DISALLOW_COPY_AND_ASSIGN(TransportSecurityPersister);
77 }; 129 };
78 130
79 #endif // CHROME_BROWSER_TRANSPORT_SECURITY_PERSISTER_H_ 131 #endif // CHROME_BROWSER_TRANSPORT_SECURITY_PERSISTER_H_
