Set SSL info when an HTTP auth dialog is triggered by direct navigation.

content/browser/loader/resource_loader.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/loader/resource_loader.h"
 
 #include "base/command_line.h"
 #include "base/location.h"
+#include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
 #include "base/profiler/scoped_tracker.h"
 #include "base/single_thread_task_runner.h"
 #include "base/thread_task_runner_handle.h"
 #include "base/time/time.h"
 #include "content/browser/appcache/appcache_interceptor.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/loader/cross_site_resource_handler.h"
 #include "content/browser/loader/detachable_resource_handler.h"
 #include "content/browser/loader/resource_loader_delegate.h"
 #include "content/browser/loader/resource_request_info_impl.h"
 #include "content/browser/service_worker/service_worker_request_handler.h"
 #include "content/browser/ssl/ssl_client_auth_handler.h"
 #include "content/browser/ssl/ssl_manager.h"
 #include "content/browser/ssl/ssl_policy.h"
 #include "content/common/ssl_status_serialization.h"
 #include "content/public/browser/cert_store.h"
 #include "content/public/browser/resource_context.h"
 #include "content/public/browser/resource_dispatcher_host_login_delegate.h"
 #include "content/public/browser/signed_certificate_timestamp_store.h"
 #include "content/public/common/content_client.h"
 #include "content/public/common/content_switches.h"
 #include "content/public/common/process_type.h"
 #include "content/public/common/resource_response.h"
 #include "content/public/common/security_style.h"
+#include "content/public/common/ssl_status.h"
 #include "net/base/io_buffer.h"
 #include "net/base/load_flags.h"
 #include "net/http/http_response_headers.h"
 #include "net/ssl/client_cert_store.h"
 #include "net/url_request/redirect_info.h"
 #include "net/url_request/url_request_status.h"
 
 using base::TimeDelta;
 using base::TimeTicks;
 
 namespace content {
 namespace {
 
+// Stores the SignedCertificateTimestamps held in |sct_list| in the
+// SignedCertificateTimestampStore singleton, associated with |process_id|.
+// On return, |sct_ids| contains the assigned ID and verification status of
+// each SignedCertificateTimestamp.
 void StoreSignedCertificateTimestamps(
     const net::SignedCertificateTimestampAndStatusList& sct_list,
     int process_id,
     SignedCertificateTimestampIDStatusList* sct_ids) {
   SignedCertificateTimestampStore* sct_store(
       SignedCertificateTimestampStore::GetInstance());
 
-  for (auto iter = sct_list.begin(); iter != sct_list.end(); ++iter) {
-    const int sct_id(sct_store->Store(iter->sct.get(), process_id));
+  for (const auto& sct : sct_list) {
+    const int sct_id(sct_store->Store(sct.sct.get(), process_id));
     sct_ids->push_back(
-        SignedCertificateTimestampIDAndStatus(sct_id, iter->status));
+        SignedCertificateTimestampIDAndStatus(sct_id, sct.status));
   }
 }
 
 void GetSSLStatusForRequest(const GURL& url,
                             const net::SSLInfo& ssl_info,
                             int child_id,
                             SSLStatus* ssl_status) {
   DCHECK(ssl_info.cert);
 
   int cert_id =
@@ skipping 43 matching lines @@
     response->head.security_info = SerializeSecurityInfo(ssl_status);
   } else {
     // We should not have any SSL state.
     DCHECK(!request->ssl_info().cert_status);
     DCHECK_EQ(request->ssl_info().security_bits, -1);
     DCHECK_EQ(request->ssl_info().key_exchange_info, 0);
     DCHECK(!request->ssl_info().connection_status);
   }
 }
 
+std::string StoreAndSerializeSecurityInfo(const GURL& url,
+                                          const net::SSLInfo& ssl_info,
+                                          int process_id) {
+  DCHECK(ssl_info.cert.get());
+
+  SignedCertificateTimestampIDStatusList signed_certificate_timestamp_ids;
+  StoreSignedCertificateTimestamps(ssl_info.signed_certificate_timestamps,
+                                   process_id,
+                                   &signed_certificate_timestamp_ids);

[meacer, 2015/09/29 00:17:02]

Lines 132-135 aren't needed anymore now that this is using
GetSSLStatusForRequest, right? It seems like you could remove this method
altogether and use GetSSLStatusForRequest + SerializeSecurityInfo instead.

[palmer, 2015/09/29 00:46:36]

Done.

+
+  SSLStatus status;
+  GetSSLStatusForRequest(url, ssl_info, process_id, &status);
+  return SerializeSecurityInfo(status);
+}
+
 }  // namespace
 
 ResourceLoader::ResourceLoader(scoped_ptr<net::URLRequest> request,
                                scoped_ptr<ResourceHandler> handler,
                                ResourceLoaderDelegate* delegate)
     : deferred_stage_(DEFERRED_NONE),
       request_(request.Pass()),
       handler_(handler.Pass()),
       delegate_(delegate),
       is_transferring_(false),
@@ skipping 135 matching lines @@
 void ResourceLoader::OnAuthRequired(net::URLRequest* unused,
                                     net::AuthChallengeInfo* auth_info) {
   DCHECK_EQ(request_.get(), unused);
 
   ResourceRequestInfoImpl* info = GetRequestInfo();
   if (info->do_not_prompt_for_login()) {
     request_->CancelAuth();
     return;
   }
 
+  // Update the SSL state before showing the auth prompt.
+  const net::SSLInfo& ssl_info = request_->response_info().ssl_info;
+  if (ssl_info.cert.get()) {
+    bool is_main_frame = (request_->load_flags() & net::LOAD_MAIN_FRAME) != 0;
+    ResourceRequestInfoImpl* info = GetRequestInfo();
+    int render_process_id;
+    int render_frame_id;
+    if (!info->GetAssociatedRenderFrame(&render_process_id, &render_frame_id))
+      CHECK(false);
+
+    SSLStatus status;
+    GetSSLStatusForRequest(request_->url(), ssl_info, render_process_id,
+                           &status);
+
+    SSLManager::OnAuthDialog(render_process_id, render_frame_id, status,
+                             is_main_frame);
+  } else {
+    // We should not have any SSL state.
+    DCHECK(!ssl_info.cert_status && ssl_info.security_bits == -1 &&
+           !ssl_info.connection_status);
+  }
+
   // Create a login dialog on the UI thread to get authentication data, or pull
   // from cache and continue on the IO thread.
-
   DCHECK(!login_delegate_.get())
       << "OnAuthRequired called with login_delegate pending";
   login_delegate_ = delegate_->CreateLoginDelegate(this, auth_info);
   if (!login_delegate_.get())
     request_->CancelAuth();
 }
 
 void ResourceLoader::OnCertificateRequested(
     net::URLRequest* unused,
     net::SSLCertRequestInfo* cert_info) {
@@ skipping 13 matching lines @@
 }
 
 void ResourceLoader::OnSSLCertificateError(net::URLRequest* request,
                                            const net::SSLInfo& ssl_info,
                                            bool fatal) {
   ResourceRequestInfoImpl* info = GetRequestInfo();
 
   int render_process_id;
   int render_frame_id;
   if (!info->GetAssociatedRenderFrame(&render_process_id, &render_frame_id))
-    NOTREACHED();
+    CHECK(false);
 
   SSLManager::OnSSLCertificateError(
       weak_ptr_factory_.GetWeakPtr(),
       info->GetResourceType(),
       request_->url(),
       render_process_id,
       render_frame_id,
       ssl_info,
       fatal);
 }
@@ skipping 192 matching lines @@
   } else {
     times_cancelled_after_request_start_++;
   }
 
   request_->CancelWithError(error);
 
   if (!was_pending) {
     // If the request isn't in flight, then we won't get an asynchronous
     // notification from the request, so we have to signal ourselves to finish
     // this request.
-    base::ThreadTaskRunnerHandle::Get()->PostTask(
+    base::MessageLoop::current()->PostTask(
         FROM_HERE, base::Bind(&ResourceLoader::ResponseCompleted,
                               weak_ptr_factory_.GetWeakPtr()));
   }
 }
 
 void ResourceLoader::CompleteResponseStarted() {
   ResourceRequestInfoImpl* info = GetRequestInfo();
   scoped_refptr<ResourceResponse> response(new ResourceResponse());
   PopulateResourceResponse(info, request_.get(), response.get());
 
+  if (request_->ssl_info().cert.get()) {
+    // TODO(vadimt): Remove ScopedTracker below once crbug.com/423948 is fixed.
+    tracked_objects::ScopedTracker tracking_profile3(
+        FROM_HERE_WITH_EXPLICIT_FUNCTION(
+            "423948 ResourceLoader::CompleteResponseStarted3"));
+
+    response->head.security_info = StoreAndSerializeSecurityInfo(
+        request_->url(), request_->ssl_info(), info->GetChildID());
+
+  } else {
+    // We should not have any SSL state.
+    DCHECK(!request_->ssl_info().cert_status &&
+           request_->ssl_info().security_bits == -1 &&
+           !request_->ssl_info().connection_status);
+  }
+
+  // TODO(vadimt): Remove ScopedTracker below once crbug.com/423948 is fixed.
+  tracked_objects::ScopedTracker tracking_profile5(
+      FROM_HERE_WITH_EXPLICIT_FUNCTION(
+          "423948 ResourceLoader::CompleteResponseStarted5"));
+
   delegate_->DidReceiveResponse(this);
 
   // TODO(darin): Remove ScopedTracker below once crbug.com/475761 is fixed.
   tracked_objects::ScopedTracker tracking_profile(
       FROM_HERE_WITH_EXPLICIT_FUNCTION("475761 OnResponseStarted()"));
 
   bool defer = false;
   if (!handler_->OnResponseStarted(response.get(), &defer)) {
     Cancel();
   } else if (defer) {
@@ skipping 87 matching lines @@
   // instance.)
 }
 
 void ResourceLoader::ResponseCompleted() {
   DVLOG(1) << "ResponseCompleted: " << request_->url().spec();
   RecordHistograms();
   ResourceRequestInfoImpl* info = GetRequestInfo();
 
   std::string security_info;
   const net::SSLInfo& ssl_info = request_->ssl_info();
-  if (ssl_info.cert.get() != NULL) {
-    SSLStatus ssl_status;
-    GetSSLStatusForRequest(request_->url(), ssl_info, info->GetChildID(),
-                           &ssl_status);
-
-    security_info = SerializeSecurityInfo(ssl_status);
-  }
+  if (ssl_info.cert.get() != NULL)
+    security_info = StoreAndSerializeSecurityInfo(request_->url(), ssl_info,

[meacer, 2015/09/29 00:17:02]

nit: Braces since this code spans two lines?

[palmer, 2015/09/29 00:46:35]

Done.

+                                                  info->GetChildID());
 
   bool defer = false;
   {
     // TODO(darin): Remove ScopedTracker below once crbug.com/475761 is fixed.
     tracked_objects::ScopedTracker tracking_profile(
         FROM_HERE_WITH_EXPLICIT_FUNCTION("475761 OnResponseCompleted()"));
 
     handler_->OnResponseCompleted(request_->status(), security_info, &defer);
   }
   if (defer) {
@@ skipping 37 matching lines @@
       case net::URLRequestStatus::FAILED:
         status = STATUS_UNDEFINED;
         break;
     }
 
     UMA_HISTOGRAM_ENUMERATION("Net.Prefetch.Pattern", status, STATUS_MAX);
   }
 }
 
 }  // namespace content