Implement robustness strings in requestMediaKeySystemAccess().

media/base/key_systems.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "media/base/key_systems.h"
 
 #include <string>
 
 #include "base/containers/hash_tables.h"
 #include "base/lazy_instance.h"
@@ skipping 57 matching lines @@
     {"vp8.0", EME_CODEC_WEBM_VP8},
     {"vp9", EME_CODEC_WEBM_VP9},
     {"vp9.0", EME_CODEC_WEBM_VP9},
 #if defined(USE_PROPRIETARY_CODECS)
     {"mp4a", EME_CODEC_MP4_AAC},
     {"avc1", EME_CODEC_MP4_AVC1},
     {"avc3", EME_CODEC_MP4_AVC1}
 #endif  // defined(USE_PROPRIETARY_CODECS)
 };
 
+static EmeConfigRule ConvertSessionTypeSupport(
+    EmeSessionTypeSupport support) {
+  switch (support) {
+    case EME_SESSION_TYPE_INVALID:
+      NOTREACHED();
+      return EmeConfigRule::NOT_SUPPORTED;
+    case EME_SESSION_TYPE_NOT_SUPPORTED:
+      return EmeConfigRule::NOT_SUPPORTED;
+    case EME_SESSION_TYPE_SUPPORTED_WITH_PERMISSION:
+      return EmeConfigRule::PERMISSION_REQUIRED;
+    case EME_SESSION_TYPE_SUPPORTED:
+      return EmeConfigRule::SUPPORTED;
+  }
+  NOTREACHED();
+  return EmeConfigRule::NOT_SUPPORTED;
+}
+
 static void AddClearKey(std::vector<KeySystemInfo>* concrete_key_systems) {
   KeySystemInfo info;
   info.key_system = kClearKeyKeySystem;
 
   // On Android, Vorbis, VP8, AAC and AVC1 are supported in MediaCodec:
   // http://developer.android.com/guide/appendix/media-formats.html
   // VP9 support is device dependent.
 
   info.supported_init_data_types = EME_INIT_DATA_TYPE_WEBM;
   info.supported_codecs = EME_CODEC_WEBM_ALL;
@@ skipping 94 matching lines @@
       bool is_prefixed);
 
   std::string GetKeySystemNameForUMA(const std::string& key_system) const;
 
   bool UseAesDecryptor(const std::string& concrete_key_system);
 
 #if defined(ENABLE_PEPPER_CDMS)
   std::string GetPepperType(const std::string& concrete_key_system);
 #endif
 
-  bool IsPersistentLicenseSessionSupported(
+  EmeConfigRule GetRobustnessConfigRule(
       const std::string& key_system,
-      bool is_permission_granted);
+      EmeMediaType media_type,
+      EmeRobustness robustness);
 
-  bool IsPersistentReleaseMessageSessionSupported(
+  EmeConfigRule GetPersistentLicenseSessionConfigRule(
+      const std::string& key_system);
+
+  EmeConfigRule GetPersistentReleaseMessageSessionConfigRule(
+      const std::string& key_system);
+
+  EmeConfigRule GetPersistentStateConfigRule(
       const std::string& key_system,
-      bool is_permission_granted);
+      EmeFeatureRequirement requirement);
 
-  bool IsPersistentStateRequirementSupported(
+  EmeConfigRule GetDistinctiveIdentifierConfigRule(
       const std::string& key_system,
-      EmeFeatureRequirement requirement,
-      bool is_permission_granted);
-
-  bool IsDistinctiveIdentifierRequirementSupported(
-      const std::string& key_system,
-      EmeFeatureRequirement requirement,
-      bool is_permission_granted);
+      EmeFeatureRequirement requirement);
 
   void AddContainerMask(const std::string& container, uint32 mask);
   void AddCodecMask(const std::string& codec, uint32 mask);
 
  private:
   void InitializeUMAInfo();
 
   void UpdateSupportedKeySystems();
 
   void AddConcreteSupportedKeySystems(
@@ skipping 166 matching lines @@
 }
 
 void KeySystems::AddConcreteSupportedKeySystems(
     const std::vector<KeySystemInfo>& concrete_key_systems) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(concrete_key_system_map_.empty());
   DCHECK(parent_key_system_map_.empty());
 
   for (const KeySystemInfo& info : concrete_key_systems) {
     DCHECK(!info.key_system.empty());
-    DCHECK_NE(info.persistent_license_support, EME_SESSION_TYPE_INVALID);
-    DCHECK_NE(info.persistent_release_message_support,
-              EME_SESSION_TYPE_INVALID);
-    // TODO(sandersd): Add REQUESTABLE and REQUESTABLE_WITH_PERMISSION for
-    // persistent_state_support once we can block access per-CDM-instance
-    // (http://crbug.com/457482).
-    DCHECK(info.persistent_state_support == EME_FEATURE_NOT_SUPPORTED ||
-           info.persistent_state_support == EME_FEATURE_ALWAYS_ENABLED);
-// TODO(sandersd): Allow REQUESTABLE_WITH_PERMISSION for all key systems on
-// all platforms once we have proper enforcement (http://crbug.com/457482).
-// On Chrome OS, an ID will not be used without permission, but we cannot
-// currently prevent the CDM from requesting the permission again when no
-// there was no initial prompt. Thus, we block "not-allowed" below.
-#if defined(OS_CHROMEOS)
-    DCHECK(info.distinctive_identifier_support == EME_FEATURE_NOT_SUPPORTED ||
-           (info.distinctive_identifier_support ==
-                EME_FEATURE_REQUESTABLE_WITH_PERMISSION &&
-            info.key_system == kWidevineKeySystem) ||
-           info.distinctive_identifier_support == EME_FEATURE_ALWAYS_ENABLED);
-#else
-    DCHECK(info.distinctive_identifier_support == EME_FEATURE_NOT_SUPPORTED ||
-           info.distinctive_identifier_support == EME_FEATURE_ALWAYS_ENABLED);
+    DCHECK(info.max_audio_robustness != EmeRobustness::INVALID);
+    DCHECK(info.max_video_robustness != EmeRobustness::INVALID);
+    DCHECK(info.persistent_license_support != EME_SESSION_TYPE_INVALID);
+    DCHECK(info.persistent_release_message_support != EME_SESSION_TYPE_INVALID);
+    DCHECK(info.persistent_state_support != EME_FEATURE_INVALID);
+    DCHECK(info.distinctive_identifier_support != EME_FEATURE_INVALID);
+
+    // If persistent state is not supported, then persistent sessions are not
+    // either. This is enforced in requestMediaKeySystemAccess(), but we want
+    // to catch the miconfiguration early.
+    if (info.persistent_state_support == EME_FEATURE_NOT_SUPPORTED) {
+      DCHECK(info.persistent_license_support == EME_SESSION_TYPE_NOT_SUPPORTED);
+      DCHECK(info.persistent_release_message_support ==
+             EME_SESSION_TYPE_NOT_SUPPORTED);
+    }
+

[ddorwin, 2015/03/16 23:25:08]

// Do not allow registration because it is not currently supported:
http://crbug.com/448888.
DCHECK(info.persistent_release_message_support == EME_FEATURE_NOT_SUPPORTED);

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

Done.

+    // Distinctive identifiers always require permission.
+    DCHECK(info.distinctive_identifier_support != EME_FEATURE_REQUESTABLE);
+
+    // Distinctive identifiers and persistent state can only be reliably blocked
+    // for PPAPI key systems.

[ddorwin, 2015/03/16 23:25:08]

nit: s/PPAPI/Pepper-hosted/

new sentence - something like: Do not allow registration with non-absolute
values on other platforms.

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

Done.

+    bool can_block = false;
+#if defined(ENABLE_PEPPER_CDMS)
+    DCHECK_EQ(info.use_aes_decryptor, info.pepper_type.empty());
+    can_block = !info.pepper_type.empty();
 #endif
-    if (info.persistent_state_support == EME_FEATURE_NOT_SUPPORTED) {
-      DCHECK_EQ(info.persistent_license_support,
-                EME_SESSION_TYPE_NOT_SUPPORTED);
-      DCHECK_EQ(info.persistent_release_message_support,
-                EME_SESSION_TYPE_NOT_SUPPORTED);
+    if (!can_block) {
+      DCHECK(info.distinctive_identifier_support == EME_FEATURE_NOT_SUPPORTED ||

[ddorwin, 2015/03/16 23:25:08]

Should we be checking persistent state too?

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

Done.

+             info.distinctive_identifier_support == EME_FEATURE_ALWAYS_ENABLED);
     }
+
     DCHECK(!IsSupportedKeySystem(info.key_system))
         << "Key system '" << info.key_system << "' already registered";
     DCHECK(!parent_key_system_map_.count(info.key_system))
         <<  "'" << info.key_system << "' is already registered as a parent";
-#if defined(ENABLE_PEPPER_CDMS)
-    DCHECK_EQ(info.use_aes_decryptor, info.pepper_type.empty());
-#endif
-
     concrete_key_system_map_[info.key_system] = info;
-
     if (!info.parent_key_system.empty()) {
       DCHECK(!IsConcreteSupportedKeySystem(info.parent_key_system))
           << "Parent '" << info.parent_key_system << "' "
           << "already registered concrete";
       DCHECK(!parent_key_system_map_.count(info.parent_key_system))
           << "Parent '" << info.parent_key_system << "' already registered";
       parent_key_system_map_[info.parent_key_system] = info.key_system;
     }
   }
 }
@@ skipping 167 matching lines @@
       DLOG(FATAL) << concrete_key_system << " is not a known concrete system";
       return std::string();
   }
 
   const std::string& type = key_system_iter->second.pepper_type;
   DLOG_IF(FATAL, type.empty()) << concrete_key_system << " is not Pepper-based";
   return type;
 }
 #endif
 
-bool KeySystems::IsPersistentLicenseSessionSupported(
+EmeConfigRule KeySystems::GetRobustnessConfigRule(
     const std::string& key_system,
-    bool is_permission_granted) {
+    EmeMediaType media_type,
+    EmeRobustness robustness) {
+  DCHECK(thread_checker_.CalledOnValidThread());
+
+  if (robustness == EmeRobustness::INVALID)
+    return EmeConfigRule::NOT_SUPPORTED;
+  if (robustness == EmeRobustness::EMPTY)
+    return EmeConfigRule::SUPPORTED;
+
+  KeySystemInfoMap::const_iterator key_system_iter =
+      concrete_key_system_map_.find(key_system);
+  if (key_system_iter == concrete_key_system_map_.end()) {
+    NOTREACHED();
+    return EmeConfigRule::NOT_SUPPORTED;
+  }
+
+  EmeRobustness max_robustness = EmeRobustness::INVALID;
+  switch (media_type) {
+    case EmeMediaType::AUDIO:
+      max_robustness = key_system_iter->second.max_audio_robustness;
+      break;
+    case EmeMediaType::VIDEO:
+      max_robustness = key_system_iter->second.max_video_robustness;
+      break;
+  }
+
+#if defined(OS_CHROMEOS)
+  if (key_system == kWidevineKeySystem) {
+    // CrOS Widevine supports L1 when remote attestation succeeds, but the
+    // encrypted media permission is required to do so. Even when not strictly
+    // requred, we prefer to support L1 for video because it allows hardware
+    // acceleration to be used.
+    // TODO(sandersd): Only recommend permission when hardware acceleration is
+    // available for the specific codecs requested.
+    EmeConfigRule recommendation =
+        (media_type == EmeMediaType::VIDEO)
+            ? EmeConfigRule::PERMISSION_RECOMMENDED
+            : EmeConfigRule::SUPPORTED;
+    return (robustness <= max_robustness)

[ddorwin, 2015/03/16 23:25:08]

You could get rid of this by having
#else
  recommendation = EmeConfigRule::SUPPORTED;

and replacing line 683.

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

See next comment.

+        ? recommendation
+        : EmeConfigRule::PERMISSION_REQUIRED;

[ddorwin, 2015/03/16 23:25:08]

Otherwise: NOT_SUPPORTED, right?

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

This is confusing because I am imagining that max_robustness will be L3. (Thus
everything above max_robustness is in fact supported, as long as RA succeeds.)
It may make more sense to hardcode both limits, WDYT?

+  }
+#endif  // defined(OS_CHROMEOS)
+
+  return (robustness <= max_robustness)
+      ? EmeConfigRule::SUPPORTED
+      : EmeConfigRule::NOT_SUPPORTED;
+}
+
+EmeConfigRule KeySystems::GetPersistentLicenseSessionConfigRule(
+    const std::string& key_system) {
   DCHECK(thread_checker_.CalledOnValidThread());
 
   KeySystemInfoMap::const_iterator key_system_iter =
       concrete_key_system_map_.find(key_system);
   if (key_system_iter == concrete_key_system_map_.end()) {
     NOTREACHED();
-    return false;
+    return EmeConfigRule::NOT_SUPPORTED;
   }
-
-  switch (key_system_iter->second.persistent_license_support) {
-    case EME_SESSION_TYPE_INVALID:
-      NOTREACHED();
-      return false;
-    case EME_SESSION_TYPE_NOT_SUPPORTED:
-      return false;
-    case EME_SESSION_TYPE_SUPPORTED_WITH_PERMISSION:
-      return is_permission_granted;
-    case EME_SESSION_TYPE_SUPPORTED:
-      return true;
-  }
-
-  NOTREACHED();
-  return false;
+  return ConvertSessionTypeSupport(
+      key_system_iter->second.persistent_license_support);
 }
 
-bool KeySystems::IsPersistentReleaseMessageSessionSupported(
-    const std::string& key_system,
-    bool is_permission_granted) {
+EmeConfigRule KeySystems::GetPersistentReleaseMessageSessionConfigRule(
+    const std::string& key_system) {
   DCHECK(thread_checker_.CalledOnValidThread());
 
   KeySystemInfoMap::const_iterator key_system_iter =
       concrete_key_system_map_.find(key_system);
   if (key_system_iter == concrete_key_system_map_.end()) {
     NOTREACHED();
-    return false;
+    return EmeConfigRule::NOT_SUPPORTED;
   }
-
-  switch (key_system_iter->second.persistent_release_message_support) {
-    case EME_SESSION_TYPE_INVALID:
-      NOTREACHED();
-      return false;
-    case EME_SESSION_TYPE_NOT_SUPPORTED:
-      return false;
-    case EME_SESSION_TYPE_SUPPORTED_WITH_PERMISSION:
-      return is_permission_granted;
-    case EME_SESSION_TYPE_SUPPORTED:
-      return true;
-  }
-
-  NOTREACHED();
-  return false;
+  return ConvertSessionTypeSupport(
+      key_system_iter->second.persistent_release_message_support);
 }
 
-bool KeySystems::IsPersistentStateRequirementSupported(
+EmeConfigRule KeySystems::GetPersistentStateConfigRule(
     const std::string& key_system,
-    EmeFeatureRequirement requirement,
-    bool is_permission_granted) {
+    EmeFeatureRequirement requirement) {
   DCHECK(thread_checker_.CalledOnValidThread());
 
   KeySystemInfoMap::const_iterator key_system_iter =
       concrete_key_system_map_.find(key_system);
   if (key_system_iter == concrete_key_system_map_.end()) {
     NOTREACHED();
-    return false;
+    return EmeConfigRule::NOT_SUPPORTED;
   }
 
-  switch (key_system_iter->second.persistent_state_support) {
-    case EME_FEATURE_INVALID:
-      NOTREACHED();
-      return false;
-    case EME_FEATURE_NOT_SUPPORTED:
-      return requirement != EME_FEATURE_REQUIRED;
-    case EME_FEATURE_REQUESTABLE_WITH_PERMISSION:
-      return (requirement != EME_FEATURE_REQUIRED) || is_permission_granted;
-    case EME_FEATURE_REQUESTABLE:
-      return true;
-    case EME_FEATURE_ALWAYS_ENABLED:
-      // Persistent state does not require user permission, but the session
-      // types that use it might.
-      return requirement != EME_FEATURE_NOT_ALLOWED;
+  EmeFeatureSupport support = key_system_iter->second.persistent_state_support;
+  if (support == EME_FEATURE_NOT_SUPPORTED &&
+      requirement == EME_FEATURE_REQUIRED) {
+    return EmeConfigRule::NOT_SUPPORTED;
+  }
+  if (support == EME_FEATURE_ALWAYS_ENABLED &&
+      requirement == EME_FEATURE_NOT_ALLOWED) {

[ddorwin, 2015/03/16 23:25:08]

It is line 440 that ensures that EME_FEATURE_REQUESTABLE* is either not allowed
or is properly blockable for not-allowed, right?

It's probably worth commenting that here. Another option would be to put the
code at line 440 into a function and call it here and there.

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

It turns out that the state table is really simple, there are only two cases
that are NOT_SUPPORTED; the rest are always supported in some capacity (how
exactly is different for PS and DI). If we didn't block those options at
registration, they would still be handled correctly here.

+    return EmeConfigRule::NOT_SUPPORTED;
   }
 
-  NOTREACHED();
-  return false;
+  // Permission is required only if the feature requires it; permission may
+  // still be required for individual persistent session types. Permission
+  // for optional requirements will be handled when they are resolved to

[ddorwin, 2015/03/16 23:25:08]

Just so I understand, EME_FEATURE_OPTIONAL could get here and fall through to
line 745 (on the first pass), right?

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

Indeed.

+  // a specific value.
+  if (support == EME_FEATURE_REQUESTABLE_WITH_PERMISSION &&
+      requirement == EME_FEATURE_REQUIRED) {
+    return EmeConfigRule::PERMISSION_REQUIRED;
+  }
+  return EmeConfigRule::SUPPORTED;
 }
 
-bool KeySystems::IsDistinctiveIdentifierRequirementSupported(
+EmeConfigRule KeySystems::GetDistinctiveIdentifierConfigRule(
     const std::string& key_system,
-    EmeFeatureRequirement requirement,
-    bool is_permission_granted) {
+    EmeFeatureRequirement requirement) {
   DCHECK(thread_checker_.CalledOnValidThread());
 
   KeySystemInfoMap::const_iterator key_system_iter =
       concrete_key_system_map_.find(key_system);
   if (key_system_iter == concrete_key_system_map_.end()) {
     NOTREACHED();
-    return false;
+    return EmeConfigRule::NOT_SUPPORTED;
   }
 
-  switch (key_system_iter->second.distinctive_identifier_support) {
-    case EME_FEATURE_INVALID:
-      NOTREACHED();
-      return false;
-    case EME_FEATURE_NOT_SUPPORTED:
-      return requirement != EME_FEATURE_REQUIRED;
-    case EME_FEATURE_REQUESTABLE_WITH_PERMISSION:
-      // TODO(sandersd): Remove this hack once crbug.com/457482 and
-      // crbug.com/460616 are addressed.
-      // We cannot currently enforce "not-allowed", so don't allow it.
-      // Note: Removing this check will expose crbug.com/460616.
-      if (requirement == EME_FEATURE_NOT_ALLOWED)
-        return false;
-      return (requirement != EME_FEATURE_REQUIRED) || is_permission_granted;
-    case EME_FEATURE_REQUESTABLE:
-      NOTREACHED();
-      return true;
-    case EME_FEATURE_ALWAYS_ENABLED:
-      // Distinctive identifiers always require user permission.
-      return (requirement != EME_FEATURE_NOT_ALLOWED) && is_permission_granted;
+  EmeFeatureSupport support =
+      key_system_iter->second.distinctive_identifier_support;
+  if (support == EME_FEATURE_NOT_SUPPORTED &&
+      requirement == EME_FEATURE_REQUIRED) {
+    return EmeConfigRule::NOT_SUPPORTED;
+  }
+  if (support == EME_FEATURE_ALWAYS_ENABLED &&
+      requirement == EME_FEATURE_NOT_ALLOWED) {

[ddorwin, 2015/03/16 23:25:08]

ditto

[sandersd (OOO until July 31), 2015/03/17 22:10:39]

Acknowledged.

+    return EmeConfigRule::NOT_SUPPORTED;
   }
 
-  NOTREACHED();
-  return false;
+  // Permission is always required, but permission for optional requirements
+  // will be handled when they are resolved to a specific value.
+  if (requirement == EME_FEATURE_REQUIRED)
+    return EmeConfigRule::PERMISSION_REQUIRED;
+  return EmeConfigRule::SUPPORTED;
 }
 
 void KeySystems::AddContainerMask(const std::string& container, uint32 mask) {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(!container_to_codec_mask_map_.count(container));
   container_to_codec_mask_map_[container] = static_cast<EmeCodec>(mask);
 }
 
 void KeySystems::AddCodecMask(const std::string& codec, uint32 mask) {
   DCHECK(thread_checker_.CalledOnValidThread());
@@ skipping 84 matching lines @@
 bool CanUseAesDecryptor(const std::string& concrete_key_system) {
   return KeySystems::GetInstance().UseAesDecryptor(concrete_key_system);
 }
 
 #if defined(ENABLE_PEPPER_CDMS)
 std::string GetPepperType(const std::string& concrete_key_system) {
   return KeySystems::GetInstance().GetPepperType(concrete_key_system);
 }
 #endif
 
-bool IsPersistentLicenseSessionSupported(
+EmeConfigRule GetRobustnessConfigRule(
     const std::string& key_system,
-    bool is_permission_granted) {
-  return KeySystems::GetInstance().IsPersistentLicenseSessionSupported(
-      key_system, is_permission_granted);
+    EmeMediaType media_type,
+    EmeRobustness robustness) {
+  return KeySystems::GetInstance().GetRobustnessConfigRule(
+      key_system, media_type, robustness);
 }
 
-bool IsPersistentReleaseMessageSessionSupported(
-    const std::string& key_system,
-    bool is_permission_granted) {
-  return KeySystems::GetInstance().IsPersistentReleaseMessageSessionSupported(
-      key_system, is_permission_granted);
+EmeConfigRule GetPersistentLicenseSessionConfigRule(
+    const std::string& key_system) {
+  return KeySystems::GetInstance().GetPersistentLicenseSessionConfigRule(
+      key_system);
 }
 
-bool IsPersistentStateRequirementSupported(
-    const std::string& key_system,
-    EmeFeatureRequirement requirement,
-    bool is_permission_granted) {
-  return KeySystems::GetInstance().IsPersistentStateRequirementSupported(
-      key_system, requirement, is_permission_granted);
+EmeConfigRule GetPersistentReleaseMessageSessionConfigRule(
+    const std::string& key_system) {
+  return KeySystems::GetInstance().GetPersistentReleaseMessageSessionConfigRule(
+      key_system);
 }
 
-bool IsDistinctiveIdentifierRequirementSupported(
+EmeConfigRule GetPersistentStateConfigRule(
     const std::string& key_system,
-    EmeFeatureRequirement requirement,
-    bool is_permission_granted) {
-  return KeySystems::GetInstance().IsDistinctiveIdentifierRequirementSupported(
-      key_system, requirement, is_permission_granted);
+    EmeFeatureRequirement requirement) {
+  return KeySystems::GetInstance().GetPersistentStateConfigRule(
+      key_system, requirement);
+}
+
+EmeConfigRule GetDistinctiveIdentifierConfigRule(
+    const std::string& key_system,
+    EmeFeatureRequirement requirement) {
+  return KeySystems::GetInstance().GetDistinctiveIdentifierConfigRule(
+      key_system, requirement);
 }
 
 // These two functions are for testing purpose only. The declaration in the
 // header file is guarded by "#if defined(UNIT_TEST)" so that they can be used
 // by tests but not non-test code. However, this .cc file is compiled as part of
 // "media" where "UNIT_TEST" is not defined. So we need to specify
 // "MEDIA_EXPORT" here again so that they are visible to tests.
 
 MEDIA_EXPORT void AddContainerMask(const std::string& container, uint32 mask) {
   KeySystems::GetInstance().AddContainerMask(container, mask);
 }
 
 MEDIA_EXPORT void AddCodecMask(const std::string& codec, uint32 mask) {
   KeySystems::GetInstance().AddCodecMask(codec, mask);
 }
 
 }  // namespace media