Revert of Refactor connection_security into SecurityStateModel

chrome/browser/ssl/connection_security.cc

Index: chrome/browser/ssl/connection_security.cc
diff --git a/chrome/browser/ssl/connection_security.cc b/chrome/browser/ssl/connection_security.cc
new file mode 100644
index 0000000000000000000000000000000000000000..04569a1d5c9b2b81346b4fbcf02cacc770f54207
--- /dev/null
+++ b/chrome/browser/ssl/connection_security.cc
@@ -0,0 +1,238 @@
+// Copyright 2015 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/ssl/connection_security.h"
+
+#include "base/command_line.h"
+#include "base/metrics/field_trial.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/prefs/pref_service.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/ssl/ssl_error_info.h"
+#include "chrome/common/chrome_constants.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/common/pref_names.h"
+#include "content/public/browser/cert_store.h"
+#include "content/public/browser/navigation_controller.h"
+#include "content/public/browser/navigation_entry.h"
+#include "content/public/browser/web_contents.h"
+#include "content/public/common/origin_util.h"
+#include "content/public/common/ssl_status.h"
+#include "net/base/net_util.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/x509_certificate.h"
+#include "net/ssl/ssl_connection_status_flags.h"
+
+#if defined(OS_CHROMEOS)
+#include "chrome/browser/chromeos/policy/policy_cert_service.h"
+#include "chrome/browser/chromeos/policy/policy_cert_service_factory.h"
+#endif
+
+namespace {
+
+connection_security::SecurityLevel GetSecurityLevelForNonSecureFieldTrial() {
+  std::string choice =
+      base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+          switches::kMarkNonSecureAs);
+  std::string group = base::FieldTrialList::FindFullName("MarkNonSecureAs");
+
+  // Do not change this enum. It is used in the histogram.
+  enum MarkNonSecureStatus { NEUTRAL, DUBIOUS, NON_SECURE, LAST_STATUS };
+  const char kEnumeration[] = "MarkNonSecureAs";
+
+  connection_security::SecurityLevel level;
+  MarkNonSecureStatus status;
+
+  if (choice == switches::kMarkNonSecureAsNeutral) {
+    status = NEUTRAL;
+    level = connection_security::NONE;
+  } else if (choice == switches::kMarkNonSecureAsNonSecure) {
+    status = NON_SECURE;
+    level = connection_security::SECURITY_ERROR;
+  } else if (group == switches::kMarkNonSecureAsNeutral) {
+    status = NEUTRAL;
+    level = connection_security::NONE;
+  } else if (group == switches::kMarkNonSecureAsNonSecure) {
+    status = NON_SECURE;
+    level = connection_security::SECURITY_ERROR;
+  } else {
+    status = NEUTRAL;
+    level = connection_security::NONE;
+  }
+
+  UMA_HISTOGRAM_ENUMERATION(kEnumeration, status, LAST_STATUS);
+  return level;
+}
+
+scoped_refptr<net::X509Certificate> GetCertForSSLStatus(
+    const content::SSLStatus& ssl) {
+  scoped_refptr<net::X509Certificate> cert;
+  return content::CertStore::GetInstance()->RetrieveCert(ssl.cert_id, &cert)
+             ? cert
+             : nullptr;
+}
+
+connection_security::SHA1DeprecationStatus GetSHA1DeprecationStatus(
+    scoped_refptr<net::X509Certificate> cert,
+    const content::SSLStatus& ssl) {
+  if (!cert || !(ssl.cert_status & net::CERT_STATUS_SHA1_SIGNATURE_PRESENT))
+    return connection_security::NO_DEPRECATED_SHA1;
+
+  // The internal representation of the dates for UI treatment of SHA-1.
+  // See http://crbug.com/401365 for details.
+  static const int64_t kJanuary2017 = INT64_C(13127702400000000);
+  if (cert->valid_expiry() >= base::Time::FromInternalValue(kJanuary2017))
+    return connection_security::DEPRECATED_SHA1_BROKEN;
+  // kJanuary2016 needs to be kept in sync with
+  // ToolbarModelAndroid::IsDeprecatedSHA1Present().
+  static const int64_t kJanuary2016 = INT64_C(13096080000000000);
+  if (cert->valid_expiry() >= base::Time::FromInternalValue(kJanuary2016))
+    return connection_security::DEPRECATED_SHA1_WARNING;
+
+  return connection_security::NO_DEPRECATED_SHA1;
+}
+
+connection_security::MixedContentStatus GetMixedContentStatus(
+    const content::SSLStatus& ssl) {
+  bool ran_insecure_content = false;
+  bool displayed_insecure_content = false;
+  if (ssl.content_status & content::SSLStatus::RAN_INSECURE_CONTENT)
+    ran_insecure_content = true;
+  if (ssl.content_status & content::SSLStatus::DISPLAYED_INSECURE_CONTENT)
+    displayed_insecure_content = true;
+
+  if (ran_insecure_content && displayed_insecure_content)
+    return connection_security::RAN_AND_DISPLAYED_MIXED_CONTENT;
+  if (ran_insecure_content)
+    return connection_security::RAN_MIXED_CONTENT;
+  if (displayed_insecure_content)
+    return connection_security::DISPLAYED_MIXED_CONTENT;
+
+  return connection_security::NO_MIXED_CONTENT;
+}
+
+}  // namespace
+
+namespace connection_security {
+
+SecurityLevel GetSecurityLevelForWebContents(
+    const content::WebContents* web_contents) {
+  if (!web_contents)
+    return NONE;
+
+  content::NavigationEntry* entry =
+      web_contents->GetController().GetVisibleEntry();
+  if (!entry)
+    return NONE;
+
+  const content::SSLStatus& ssl = entry->GetSSL();
+  switch (ssl.security_style) {
+    case content::SECURITY_STYLE_UNKNOWN:
+      return NONE;
+
+    case content::SECURITY_STYLE_UNAUTHENTICATED: {
+      const GURL& url = entry->GetURL();
+      if (!content::IsOriginSecure(url) && url.IsStandard())
+        return GetSecurityLevelForNonSecureFieldTrial();
+      return NONE;
+    }
+
+    case content::SECURITY_STYLE_AUTHENTICATION_BROKEN:
+      return SECURITY_ERROR;
+
+    case content::SECURITY_STYLE_AUTHENTICATED: {
+#if defined(OS_CHROMEOS)
+      // Report if there is a policy cert first, before reporting any other
+      // authenticated-but-with-errors cases. A policy cert is a strong
+      // indicator of a MITM being present (the enterprise), while the
+      // other authenticated-but-with-errors indicate something may
+      // be wrong, or may be wrong in the future, but is unclear now.
+      policy::PolicyCertService* service =
+          policy::PolicyCertServiceFactory::GetForProfile(
+              Profile::FromBrowserContext(web_contents->GetBrowserContext()));
+      if (service && service->UsedPolicyCertificates())
+        return SECURITY_POLICY_WARNING;
+#endif
+
+      scoped_refptr<net::X509Certificate> cert = GetCertForSSLStatus(ssl);
+      SHA1DeprecationStatus sha1_status = GetSHA1DeprecationStatus(cert, ssl);
+      if (sha1_status == DEPRECATED_SHA1_BROKEN)
+        return SECURITY_ERROR;
+      if (sha1_status == DEPRECATED_SHA1_WARNING)
+        return NONE;
+
+      MixedContentStatus mixed_content_status = GetMixedContentStatus(ssl);
+      // Active mixed content is downgraded to the BROKEN style and
+      // handled above.
+      DCHECK_NE(RAN_MIXED_CONTENT, mixed_content_status);
+      DCHECK_NE(RAN_AND_DISPLAYED_MIXED_CONTENT, mixed_content_status);
+      // This should be kept in sync with
+      // |kDisplayedInsecureContentStyle|. That is: the treatment
+      // given to passive mixed content here should be expressed by
+      // |kDisplayedInsecureContentStyle|, which is used to coordinate
+      // the treatment of passive mixed content with other security UI
+      // elements.
+      if (mixed_content_status == DISPLAYED_MIXED_CONTENT)
+        return NONE;
+
+      if (net::IsCertStatusError(ssl.cert_status)) {
+        DCHECK(net::IsCertStatusMinorError(ssl.cert_status));
+        return NONE;
+      }
+      if (net::SSLConnectionStatusToVersion(ssl.connection_status) ==
+          net::SSL_CONNECTION_VERSION_SSL3) {
+        // SSLv3 will be removed in the future.
+        return SECURITY_WARNING;
+      }
+      if ((ssl.cert_status & net::CERT_STATUS_IS_EV) && cert)
+        return EV_SECURE;
+      return SECURE;
+    }
+
+    default:
+      NOTREACHED();
+      return NONE;
+  }
+}
+
+void GetSecurityInfoForWebContents(const content::WebContents* web_contents,
+                                   SecurityInfo* security_info) {
+  content::NavigationEntry* entry =
+      web_contents ? web_contents->GetController().GetVisibleEntry() : nullptr;
+  if (!entry) {
+    security_info->security_style = content::SECURITY_STYLE_UNKNOWN;
+    return;
+  }
+
+  security_info->scheme_is_cryptographic =
+      entry->GetURL().SchemeIsCryptographic();
+
+  SecurityLevel security_level = GetSecurityLevelForWebContents(web_contents);
+  switch (security_level) {
+    case SECURITY_WARNING:
+    case NONE:
+      security_info->security_style = content::SECURITY_STYLE_UNAUTHENTICATED;
+      break;
+    case EV_SECURE:
+    case SECURE:
+      security_info->security_style = content::SECURITY_STYLE_AUTHENTICATED;
+      break;
+    case SECURITY_POLICY_WARNING:
+      security_info->security_style = content::SECURITY_STYLE_WARNING;
+      break;
+    case SECURITY_ERROR:
+      security_info->security_style =
+          content::SECURITY_STYLE_AUTHENTICATION_BROKEN;
+      break;
+  }
+
+  const content::SSLStatus& ssl = entry->GetSSL();
+  scoped_refptr<net::X509Certificate> cert = GetCertForSSLStatus(ssl);
+  security_info->sha1_deprecation_status = GetSHA1DeprecationStatus(cert, ssl);
+  security_info->mixed_content_status = GetMixedContentStatus(ssl);
+  security_info->cert_status = ssl.cert_status;
+  security_info->cert_id = ssl.cert_id;
+}
+
+}  // namespace connection_security