WKWebView: Implemented recoverable SSL interstitials.

ios/web/web_state/ui/crw_wk_web_view_web_controller.mm

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/web_state/ui/crw_wk_web_view_web_controller.h"
 
 #import <WebKit/WebKit.h>
 
+#include "base/containers/mru_cache.h"
 #include "base/ios/ios_util.h"
 #include "base/ios/weak_nsobject.h"
 #include "base/json/json_reader.h"
 #import "base/mac/scoped_nsobject.h"
 #include "base/macros.h"
 #include "base/metrics/histogram_macros.h"
 #include "base/strings/sys_string_conversions.h"
 #include "base/values.h"
 #import "ios/net/http_response_headers_util.h"
 #import "ios/web/crw_network_activity_indicator_manager.h"
 #import "ios/web/navigation/crw_session_controller.h"
 #import "ios/web/navigation/crw_session_entry.h"
 #include "ios/web/navigation/navigation_item_impl.h"
 #include "ios/web/navigation/web_load_params.h"
+#include "ios/web/net/cert_host_pair.h"
 #import "ios/web/net/crw_cert_verification_controller.h"
 #include "ios/web/public/cert_store.h"
 #include "ios/web/public/navigation_item.h"
 #include "ios/web/public/ssl_status.h"
 #include "ios/web/public/web_client.h"
 #import "ios/web/public/web_state/js/crw_js_injection_manager.h"
 #import "ios/web/public/web_state/ui/crw_native_content_provider.h"
 #import "ios/web/public/web_state/ui/crw_web_view_content_view.h"
 #import "ios/web/ui_web_view_util.h"
 #include "ios/web/web_state/blocked_popup_info.h"
 #import "ios/web/web_state/error_translation_util.h"
 #include "ios/web/web_state/frame_info.h"
 #import "ios/web/web_state/js/crw_js_window_id_manager.h"
 #import "ios/web/web_state/ui/crw_web_controller+protected.h"
 #import "ios/web/web_state/ui/crw_wk_script_message_router.h"
 #import "ios/web/web_state/ui/crw_wk_web_view_crash_detector.h"
 #import "ios/web/web_state/ui/web_view_js_utils.h"
 #import "ios/web/web_state/ui/wk_back_forward_list_item_holder.h"
 #import "ios/web/web_state/ui/wk_web_view_configuration_provider.h"
 #import "ios/web/web_state/web_state_impl.h"
 #import "ios/web/web_state/web_view_internal_creation_util.h"
 #import "ios/web/web_state/wk_web_view_security_util.h"
 #import "ios/web/webui/crw_web_ui_manager.h"
+#import "net/base/mac/url_conversions.h"
 #include "net/cert/x509_certificate.h"
-#import "net/base/mac/url_conversions.h"
 #include "net/ssl/ssl_info.h"
 #include "url/url_constants.h"
 
 namespace {
+
+// Represents cert verification error, which happened inside
+// |webView:didReceiveAuthenticationChallenge:completionHandler:| and should
+// be checked inside |webView:didFailProvisionalNavigation:withError:|.
+struct CertVerificationError {
+  BOOL is_recoverable;
+  net::CertStatus status;
+};
+
+// Type of Cache object for storing cert verification errors.
+typedef base::MRUCache<web::CertHostPair, CertVerificationError>
+    CertVerificationErrorsCacheType;
+
+// Maximum number of errors to store in cert verification errors cache.
+// Cache holds errors only for pending navigation, so the actual number of
+// stored errors is not expected to be high.
+const CertVerificationErrorsCacheType::size_type kMaxCertErrorsCount = 100;
+
 // Extracts Referer value from WKNavigationAction request header.
 NSString* GetRefererFromNavigationAction(WKNavigationAction* action) {
   return [action.request valueForHTTPHeaderField:@"Referer"];
 }
 
 NSString* const kScriptMessageName = @"crwebinvoke";
 NSString* const kScriptImmediateName = @"crwebinvokeimmediate";
 
 // Utility functions for storing the source of NSErrors received by WKWebViews:
 // - Errors received by |-webView:didFailProvisionalNavigation:withError:| are
@@ skipping 75 matching lines @@
   // bad SSL cert, presenting SSL interstitials and determining SSL status for
   // Navigation Items.
   base::scoped_nsobject<CRWCertVerificationController>
       _certVerificationController;
 
   // Whether the pending navigation has been directly cancelled in
   // |decidePolicyForNavigationAction| or |decidePolicyForNavigationResponse|.
   // Cancelled navigations should be simply discarded without handling any
   // specific error.
   BOOL _pendingNavigationCancelled;
+
+  // CertVerification errors which happened inside
+  // |webView:didReceiveAuthenticationChallenge:completionHandler:|.
+  // Key is leaf-cert/host pair. This storage is used to carry calculated
+  // cert status from |didReceiveAuthenticationChallenge:| to
+  // |didFailProvisionalNavigation:| delegate method.
+  scoped_ptr<CertVerificationErrorsCacheType> _certVerificationErrors;
 }
 
 // Response's MIME type of the last known navigation.
 @property(nonatomic, copy) NSString* documentMIMEType;
 
 // Dictionary where keys are the names of WKWebView properties and values are
 // selector names which should be called when a corresponding property has
 // changed. e.g. @{ @"URL" : @"webViewURLDidChange" } means that
 // -[self webViewURLDidChange] must be called every time when WKWebView.URL is
 // changed.
@@ skipping 106 matching lines @@
 // cert_status and security_style to default.
 - (void)scheduleSSLStatusUpdateUsingCertChain:(NSArray*)chain
                                          host:(NSString*)host;
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 // Updates SSL status for the current navigation item based on the information
 // provided by web view.
 - (void)updateSSLStatusForCurrentNavigationItem;
 #endif
 
+// Used in webView:didReceiveAuthenticationChallenge:completionHandler: to reply
+// with NSURLSessionAuthChallengeDisposition and credentials.
+- (void)processAuthChallenge:(NSURLAuthenticationChallenge*)challenge
+         forCertAcceptPolicy:(web::CertAcceptPolicy)policy
+                  certStatus:(net::CertStatus)certStatus
+           completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
+                                       NSURLCredential*))completionHandler;
+
 // Registers load request with empty referrer and link or client redirect
 // transition based on user interaction state.
 - (void)registerLoadRequest:(const GURL&)url;
 
 // Called when a non-document-changing URL change occurs. Updates the
 // _documentURL, and informs the superclass of the change.
 - (void)URLDidChangeWithoutDocumentChange:(const GURL&)URL;
 
 // Called when web controller receives a new message from the web page.
 - (void)didReceiveScriptMessage:(WKScriptMessage*)message;
@@ skipping 29 matching lines @@
 
 #pragma mark CRWWebController public methods
 
 - (instancetype)initWithWebState:(scoped_ptr<web::WebStateImpl>)webState {
   DCHECK(webState);
   web::BrowserState* browserState = webState->GetBrowserState();
   self = [super initWithWebState:webState.Pass()];
   if (self) {
     _certVerificationController.reset([[CRWCertVerificationController alloc]
         initWithBrowserState:browserState]);
+    _certVerificationErrors.reset(
+        new CertVerificationErrorsCacheType(kMaxCertErrorsCount));
   }
   return self;
 }
 
 - (BOOL)keyboardDisplayRequiresUserAction {
   // TODO(stuartmorgan): Find out whether YES or NO is correct; see comment
   // in protected header.
   NOTIMPLEMENTED();
   return NO;
 }
@@ skipping 226 matching lines @@
   }
   return [super URLForHistoryNavigationFromItem:fromItem toItem:toItem];
 }
 
 - (void)setPageChangeProbability:(web::PageChangeProbability)probability {
   // Nothing to do; no polling timer.
 }
 
 - (void)abortWebLoad {
   [_wkWebView stopLoading];
+  _certVerificationErrors->Clear();
 }
 
 - (void)resetLoadState {
   // Nothing to do.
 }
 
 - (void)setSuppressDialogsWithHelperScript:(NSString*)script {
   [self evaluateJavaScript:script stringResultHandler:nil];
 }
 
@@ skipping 272 matching lines @@
                                sourceURL:sourceURL
                           referrerPolicy:base::SysNSStringToUTF8(policy)];
       }];
   });
 }
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 - (void)handleSSLCertError:(NSError*)error {
   DCHECK(web::IsWKWebViewSSLCertError(error));
 
-  net::SSLInfo sslInfo;
-  web::GetSSLInfoFromWKWebViewSSLCertError(error, &sslInfo);
+  net::SSLInfo SSLInfo;
+  web::GetSSLInfoFromWKWebViewSSLCertError(error, &SSLInfo);
 
-  web::SSLStatus sslStatus;
-  sslStatus.security_style = web::SECURITY_STYLE_AUTHENTICATION_BROKEN;
-  sslStatus.cert_status = sslInfo.cert_status;
-  sslStatus.cert_id = web::CertStore::GetInstance()->StoreCert(
-      sslInfo.cert.get(), self.certGroupID);
+  web::SSLStatus SSLStatus;
+  SSLStatus.security_style = web::SECURITY_STYLE_AUTHENTICATION_BROKEN;
+  SSLStatus.cert_status = SSLInfo.cert_status;
+  SSLStatus.cert_id = web::CertStore::GetInstance()->StoreCert(
+      SSLInfo.cert.get(), self.certGroupID);
 
-  [self.delegate presentSSLError:sslInfo
-                    forSSLStatus:sslStatus
-                     recoverable:NO
-                        callback:nullptr];
+  // Retrieve verification results from _certVerificationErrors cache to avoid
+  // unnecessary recalculations. Verification results are cached for leaf cert,

[Ryan Sleevi, 2015/10/19 23:56:22]

s/for leaf cert/for the leaf cert/

[Eugene But (OOO till 7-30), 2015/10/21 04:01:02]

Done.

+  // because cert chain in |didReceiveAuthenticationChallenge:| is OS

[Ryan Sleevi, 2015/10/19 23:56:22]

s/is OS/is the OS/

[Ryan Sleevi, 2015/10/19 23:56:22]

s/because cert chain/because the cert chain/

[Eugene But (OOO till 7-30), 2015/10/21 04:01:02]

Done.

[Eugene But (OOO till 7-30), 2015/10/21 04:01:03]

Done.

+  // constructed chain, while |chain| is a chain from the server.

[Ryan Sleevi, 2015/10/19 23:56:22]

s/a chain/the chain/

[Eugene But (OOO till 7-30), 2015/10/21 04:01:02]

Done.

+  NSArray* chain = error.userInfo[web::kNSErrorPeerCertificateChainKey];
+  NSString* host = [error.userInfo[web::kNSErrorFailingURLKey] host];
+  scoped_refptr<net::X509Certificate> leafCert;
+  BOOL recoverable = NO;
+  if (chain.count && host.length) {
+    // Complete cert chain may not be available inside this method, so leaf
+    // cert is used as a key to retrieve _certVerificationErrors as well as for
+    // storing cert decision.

[Ryan Sleevi, 2015/10/19 23:56:22]

// The complete cert chain may not be available, so the leaf
// cert is used as a key to retrieve _certVerificationErrors, as well as
// for storing the cert decision.

[Eugene But (OOO till 7-30), 2015/10/21 04:01:02]

Done.

+    leafCert = web::CreateCertFromChain(@[ chain.firstObject ]);
+    if (leafCert) {
+      // This cache will be purged anyway so there is no need to use |Get|.

[Ryan Sleevi, 2015/10/19 23:56:22]

This is surprising/non-obvious, and doesn't seem to fit why why you're using
MRUCache.

It sounds like you're describing behaviour external to this file, and if so,
that's a layering concern; if it's in this file, where? Document.

[Eugene But (OOO till 7-30), 2015/10/21 04:01:02]

MRUCache allows cache to be bounded and evicts least recent errors, so It's
actually ideal.
Added more comments.

[Ryan Sleevi, 2015/10/28 21:28:50]

I suppose this wasn't clear, as I'm still uncertain why you're using Peek
instead of Get.

Are you trying to optimize? Why?

As clearly documented in Get(), if you Get() an error, it actually brings it to
the front of the MRU. That's how the "R" in MRU is calculated. So it's
surprising and non-obvious that you're invoking a behaviour that doesn't change
ordering at all, as it just makes it seem like you're using a bounded cache
size, rather than an MRU.

[Eugene But (OOO till 7-30), 2015/10/29 00:39:14]

_certVerificationErrors will be purged right after reading from it (see the list
line in webView:didFailProvisionalNavigation:withError:), so Peek was an
optimization.

However I clearly see how that optimization (more-likely negligible) made the
code confusing. Changing to Get.

+      auto error = _certVerificationErrors->Peek(
+          {leafCert, base::SysNSStringToUTF8(host)});
+      if (error != _certVerificationErrors->end()) {
+        SSLStatus.cert_status = error->second.status;
+        recoverable = error->second.is_recoverable;
+      } else {
+        // TODO(eugenebut): Report UMA with cache size (crbug.com/541736).
+      }
+    }
+  }
+
+  // Present SSL interstitial.
+  [self.delegate presentSSLError:SSLInfo
+                    forSSLStatus:SSLStatus
+                     recoverable:recoverable
+                        callback:^(BOOL proceed) {
+                          if (proceed) {
+                            // The interstitial will be removed during reload.
+                            [_certVerificationController
+                                allowCert:leafCert
+                                  forHost:host
+                                   status:SSLStatus.cert_status];
+                            [self loadCurrentURL];
+                          }
+                        }];
 }
 #endif  // #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
 - (void)addActivityIndicatorTask {
   [[CRWNetworkActivityIndicatorManager sharedInstance]
       startNetworkTaskForGroup:[self activityIndicatorGroupID]];
 }
 
 - (void)clearActivityIndicatorTasks {
   [[CRWNetworkActivityIndicatorManager sharedInstance]
@@ skipping 122 matching lines @@
     }
   }
 
   if (!previousSSLStatus.Equals(item->GetSSL())) {
     [self didUpdateSSLStatusForCurrentNavigationItem];
   }
 }
 
 #endif  // !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
+- (void)processAuthChallenge:(NSURLAuthenticationChallenge*)challenge
+         forCertAcceptPolicy:(web::CertAcceptPolicy)policy
+                  certStatus:(net::CertStatus)certStatus
+           completionHandler:(void (^)(NSURLSessionAuthChallengeDisposition,
+                                       NSURLCredential*))completionHandler {
+  SecTrustRef trust = challenge.protectionSpace.serverTrust;
+  if (policy == web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_ACCEPTED_BY_USER) {
+    // Cert is invalid, but user agreed to proceed, override default behavior.
+    completionHandler(NSURLSessionAuthChallengeUseCredential,
+                      [NSURLCredential credentialForTrust:trust]);
+    return;
+  }
+
+  if (policy != web::CERT_ACCEPT_POLICY_ALLOW &&
+      SecTrustGetCertificateCount(trust)) {
+    // Cert is invalid and user has not agreed to proceed. Cache cert

[Ryan Sleevi, 2015/10/19 23:56:22]

// The cert is invalid and the user has not agreed to proceed. Cache
// the cert verification result in |_certVerificationErrors|, so that it
// can later be reused inside |didFailProvisionalNavigation:|.

[Eugene But (OOO till 7-30), 2015/10/21 04:01:03]

Done.

+    // verification result with _certVerificationErrors storage, so it can be
+    // later reused inside |didFailProvisionalNavigation:|.
+    // Leaf cert (w/o any intermidiates) is used as a key, because chain inside
+    // |didFailProvisionalNavigation:| differs (it will be server chain) and
+    // using intermidiates may result in keys mismatch.

[Ryan Sleevi, 2015/10/19 23:56:22]

// The leaf cert is used as the key, because the chain provided by
// |didFailProvisionalNavigation:| will differ (it is the server-supplied
// chain), thus if intermediates were considered, the keys would mismatch.

[Eugene But (OOO till 7-30), 2015/10/21 04:01:02]

Done.

+    scoped_refptr<net::X509Certificate> leafCert =
+        net::X509Certificate::CreateFromHandle(
+            SecTrustGetCertificateAtIndex(trust, 0),
+            net::X509Certificate::OSCertHandles());
+    if (leafCert) {
+      BOOL is_recoverable =
+          policy ==
+          web::CERT_ACCEPT_POLICY_RECOVERABLE_ERROR_UNDECIDED_BY_USER;
+      std::string host =
+          base::SysNSStringToUTF8(challenge.protectionSpace.host);
+      _certVerificationErrors->Put({leafCert, host},
+                                   {is_recoverable, certStatus});
+    }
+  }
+  completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace, nil);
+}
+
 - (void)registerLoadRequest:(const GURL&)url {
   // If load request is registered via WKWebViewWebController, assume transition
   // is link or client redirect as other transitions will already be registered
   // by web controller or delegates.
   // TODO(stuartmorgan): Remove guesswork and replace with information from
   // decidePolicyForNavigationAction:.
   ui::PageTransition transition = self.userInteractionRegistered
                                       ? ui::PAGE_TRANSITION_LINK
                                       : ui::PAGE_TRANSITION_CLIENT_REDIRECT;
   // The referrer is not known yet, and will be updated later.
@@ skipping 395 matching lines @@
 #endif  // defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
 
 #if !defined(ENABLE_CHROME_NET_STACK_FOR_WKWEBVIEW)
   if (web::IsWKWebViewSSLCertError(error))
     [self handleSSLCertError:error];
   else
 #endif
     [self handleLoadError:error inMainFrame:YES];
 
   [self discardPendingNavigationTypeForMainFrame];
+  _certVerificationErrors->Clear();
 }
 
 - (void)webView:(WKWebView *)webView
     didCommitNavigation:(WKNavigation *)navigation {
   DCHECK_EQ(_wkWebView, webView);
+  _certVerificationErrors->Clear();
   // This point should closely approximate the document object change, so reset
   // the list of injected scripts to those that are automatically injected.
   _injectedScriptManagers.reset([[NSMutableSet alloc] init]);
   [self injectWindowID];
 
   // The page has changed; commit the pending referrer.
   [self commitPendingReferrerString];
 
   // This is the point where the document's URL has actually changed.
   _documentURL = net::GURLWithNSURL([_wkWebView URL]);
@@ skipping 24 matching lines @@
   web::EvaluateJavaScript(webView,
                           @"__gCrWeb.didFinishNavigation()", nil);
   [self didFinishNavigation];
 }
 
 - (void)webView:(WKWebView *)webView
     didFailNavigation:(WKNavigation *)navigation
             withError:(NSError *)error {
   [self handleLoadError:WKWebViewErrorWithSource(error, NAVIGATION)
             inMainFrame:YES];
+  _certVerificationErrors->Clear();
 }
 
-- (void)webView:(WKWebView *)webView
-    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
+- (void)webView:(WKWebView*)webView
+    didReceiveAuthenticationChallenge:(NSURLAuthenticationChallenge*)challenge
                     completionHandler:
-        (void (^)(NSURLSessionAuthChallengeDisposition disposition,
-                  NSURLCredential *credential))completionHandler {
+                        (void (^)(NSURLSessionAuthChallengeDisposition,
+                                  NSURLCredential*))completionHandler {
   if (![challenge.protectionSpace.authenticationMethod
           isEqual:NSURLAuthenticationMethodServerTrust]) {
     completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil);
     return;
   }
 
   SecTrustRef trust = challenge.protectionSpace.serverTrust;
-  scoped_refptr<net::X509Certificate> cert = web::CreateCertFromTrust(trust);
-  // TODO(eugenebut): pass SecTrustRef instead of cert.
+  base::ScopedCFTypeRef<SecTrustRef> scopedTrust(trust,
+                                                 base::scoped_policy::RETAIN);
+  base::WeakNSObject<CRWWKWebViewWebController> weakSelf(self);
   [_certVerificationController
-      decidePolicyForCert:cert
-                     host:challenge.protectionSpace.host
-        completionHandler:^(web::CertAcceptPolicy policy,
-                            net::CertStatus status) {
-          completionHandler(NSURLSessionAuthChallengeRejectProtectionSpace,
-                            nil);
-        }];
+      decideLoadPolicyForTrust:scopedTrust
+                          host:challenge.protectionSpace.host
+             completionHandler:^(web::CertAcceptPolicy policy,
+                                 net::CertStatus status) {
+               base::scoped_nsobject<CRWWKWebViewWebController> strongSelf(
+                   [weakSelf retain]);
+               [strongSelf processAuthChallenge:challenge
+                            forCertAcceptPolicy:policy
+                                     certStatus:status
+                              completionHandler:completionHandler];
+             }];
 }
 
 - (void)webViewWebContentProcessDidTerminate:(WKWebView*)webView {
+  _certVerificationErrors->Clear();
   [self webViewWebProcessDidCrash];
 }
 
 #pragma mark WKUIDelegate Methods
 
 - (WKWebView*)webView:(WKWebView*)webView
     createWebViewWithConfiguration:(WKWebViewConfiguration*)configuration
                forNavigationAction:(WKNavigationAction*)navigationAction
                     windowFeatures:(WKWindowFeatures*)windowFeatures {
   GURL requestURL = net::GURLWithNSURL(navigationAction.request.URL);
@@ skipping 75 matching lines @@
                               placeholderText:defaultText
                                    requestURL:
             net::GURLWithNSURL(frame.request.URL)
                             completionHandler:completionHandler];
   } else if (completionHandler) {
     completionHandler(nil);
   }
 }
 
 @end