network_time_tracker: add temporary time protocol.

components/network_time/network_time_tracker.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/network_time/network_time_tracker.h"
 
 #include <stdint.h>
 #include <utility>
 
 #include "base/i18n/time_formatting.h"
+#include "base/json/json_reader.h"
 #include "base/logging.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/tick_clock.h"
 #include "build/build_config.h"
+#include "components/client_update_protocol/ecdsa.h"
 #include "components/network_time/network_time_pref_names.h"
 #include "components/prefs/pref_registry_simple.h"
 #include "components/prefs/pref_service.h"
+#include "net/base/load_flags.h"
+#include "net/base/net_errors.h"
+#include "net/http/http_response_headers.h"
+#include "net/url_request/url_fetcher.h"
+#include "net/url_request/url_fetcher_response_writer.h"
+#include "net/url_request/url_request_context_getter.h"
 
 namespace network_time {
 
 namespace {
 
+// Minimum number of minutes between time queries.
+const uint32_t kMinimumQueryDelayMinutes = 60;
+
 // Number of time measurements performed in a given network time calculation.
 const uint32_t kNumTimeMeasurements = 7;
 
 // Amount of divergence allowed between wall clock and tick clock.
 const uint32_t kClockDivergenceSeconds = 60;
 
 // Maximum time lapse before deserialized data are considered stale.
 const uint32_t kSerializedDataMaxAgeDays = 7;
 
 // Name of a pref that stores the wall clock time, via |ToJsTime|.
 const char kPrefTime[] = "local";
 
 // Name of a pref that stores the tick clock time, via |ToInternalValue|.
 const char kPrefTicks[] = "ticks";
 
 // Name of a pref that stores the time uncertainty, via |ToInternalValue|.
 const char kPrefUncertainty[] = "uncertainty";
 
 // Name of a pref that stores the network time via |ToJsTime|.
 const char kPrefNetworkTime[] = "network";
 
+// Time server's maximum allowable clock skew, in seconds.  (This is a property
+// of the time server that we happen to know.  It's unlikely that it would ever
+// be that badly wrong, but all the same it's included here to document the very
+// rough nature of the time service provided by this class.)
+const uint32_t kTimeServerMaxSkewSeconds = 10;
+
+const char kTimeServiceURL[] = "http://clients2.google.com/time/1/current";
+
+// This is an ECDSA prime256v1 named-curve key.
+const int kKeyVersion = 1;
+const uint8_t kKeyPubBytes[] = {
+    0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02,
+    0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03,
+    0x42, 0x00, 0x04, 0xeb, 0xd8, 0xad, 0x0b, 0x8f, 0x75, 0xe8, 0x84, 0x36,
+    0x23, 0x48, 0x14, 0x24, 0xd3, 0x93, 0x42, 0x25, 0x43, 0xc1, 0xde, 0x36,
+    0x29, 0xc6, 0x95, 0xca, 0xeb, 0x28, 0x85, 0xff, 0x09, 0xdc, 0x08, 0xec,
+    0x45, 0x74, 0x6e, 0x4b, 0xc3, 0xa5, 0xfd, 0x8a, 0x2f, 0x02, 0xa0, 0x4b,
+    0xc3, 0xc6, 0xa4, 0x7b, 0xa4, 0x41, 0xfc, 0xa7, 0x02, 0x54, 0xab, 0xe3,
+    0xe4, 0xb1, 0x00, 0xf5, 0xd5, 0x09, 0x11};
+
+std::string GetServerProof(const net::URLFetcher* source) {
+  const net::HttpResponseHeaders* response_headers =
+      source->GetResponseHeaders();
+  if (!response_headers) {
+    return std::string();
+  }
+  std::string proof;
+  return response_headers->EnumerateHeader(nullptr, "x-cup-server-proof",
+                                           &proof)
+             ? proof
+             : std::string();
+}
+
+// Limits the amount of data that will be buffered from the server's response.
+class SizeLimitingStringWriter : public net::URLFetcherStringWriter {
+ public:
+  SizeLimitingStringWriter(size_t limit) : limit_(limit) {}
+
+  int Write(net::IOBuffer* buffer,
+            int num_bytes,
+            const net::CompletionCallback& callback) override {
+    if (data().length() + num_bytes > limit_) {
+      return net::ERR_FILE_TOO_BIG;
+    }
+    return net::URLFetcherStringWriter::Write(buffer, num_bytes, callback);
+  }
+
+ private:
+  size_t limit_;
+};
+
 }  // namespace
 
 // static
 void NetworkTimeTracker::RegisterPrefs(PrefRegistrySimple* registry) {
   registry->RegisterDictionaryPref(prefs::kNetworkTimeMapping,
                                    new base::DictionaryValue());
 }
 
 NetworkTimeTracker::NetworkTimeTracker(
     std::unique_ptr<base::Clock> clock,
     std::unique_ptr<base::TickClock> tick_clock,
-    PrefService* pref_service)
-    : clock_(std::move(clock)),
+    PrefService* pref_service,
+    scoped_refptr<net::URLRequestContextGetter> getter)
+    : server_url_(kTimeServiceURL),
+      max_response_size_(1024),
+      getter_(std::move(getter)),
+      clock_(std::move(clock)),
       tick_clock_(std::move(tick_clock)),
       pref_service_(pref_service) {
   const base::DictionaryValue* time_mapping =
       pref_service_->GetDictionary(prefs::kNetworkTimeMapping);
   double time_js = 0;
   double ticks_js = 0;
   double network_time_js = 0;
   double uncertainty_js = 0;
   if (time_mapping->GetDouble(kPrefTime, &time_js) &&
       time_mapping->GetDouble(kPrefTicks, &ticks_js) &&
       time_mapping->GetDouble(kPrefUncertainty, &uncertainty_js) &&
       time_mapping->GetDouble(kPrefNetworkTime, &network_time_js)) {
     time_at_last_measurement_ = base::Time::FromJsTime(time_js);
     ticks_at_last_measurement_ = base::TimeTicks::FromInternalValue(
         static_cast<int64_t>(ticks_js));
     network_time_uncertainty_ = base::TimeDelta::FromInternalValue(
         static_cast<int64_t>(uncertainty_js));
     network_time_at_last_measurement_ = base::Time::FromJsTime(network_time_js);
   }
   base::Time now = clock_->Now();
   if (ticks_at_last_measurement_ > tick_clock_->NowTicks() ||
       time_at_last_measurement_ > now ||
       now - time_at_last_measurement_ >
           base::TimeDelta::FromDays(kSerializedDataMaxAgeDays)) {
     // Drop saved mapping if either clock has run backward, or the data are too
     // old.
     pref_service_->ClearPref(prefs::kNetworkTimeMapping);
     network_time_at_last_measurement_ = base::Time();  // Reset.
   }
+
+  base::StringPiece public_key = {reinterpret_cast<const char*>(kKeyPubBytes),
+                                  sizeof(kKeyPubBytes)};
+  query_signer_ =
+      client_update_protocol::Ecdsa::Create(kKeyVersion, public_key);
+
+  QueueTimeQuery(base::TimeDelta::FromMinutes(kMinimumQueryDelayMinutes));
 }
 
 NetworkTimeTracker::~NetworkTimeTracker() {
   DCHECK(thread_checker_.CalledOnValidThread());
 }
 
 void NetworkTimeTracker::UpdateNetworkTime(base::Time network_time,
                                            base::TimeDelta resolution,
                                            base::TimeDelta latency,
                                            base::TimeTicks post_time) {
@@ skipping 29 matching lines @@
 
   base::DictionaryValue time_mapping;
   time_mapping.SetDouble(kPrefTime, time_at_last_measurement_.ToJsTime());
   time_mapping.SetDouble(kPrefTicks, static_cast<double>(
       ticks_at_last_measurement_.ToInternalValue()));
   time_mapping.SetDouble(kPrefUncertainty, static_cast<double>(
       network_time_uncertainty_.ToInternalValue()));
   time_mapping.SetDouble(kPrefNetworkTime,
       network_time_at_last_measurement_.ToJsTime());
   pref_service_->Set(prefs::kNetworkTimeMapping, time_mapping);
+
+  query_timer_.Reset();

[mmenke, 2016/05/02 17:47:28]

This seems really unexpected.  Suggest moving it to the end of
OnURLFetchComplete, at least.

[mab, 2016/05/05 19:57:42]

Added a comment explaining why this is here.

+}
+
+void NetworkTimeTracker::SetTimeServerURLForTesting(const GURL& url) {
+  server_url_ = url;
+}
+
+void NetworkTimeTracker::SetMaxResponseSizeForTesting(size_t limit) {
+  max_response_size_ = limit;
 }
 
 bool NetworkTimeTracker::GetNetworkTime(base::Time* network_time,
                                         base::TimeDelta* uncertainty) const {
   DCHECK(thread_checker_.CalledOnValidThread());
   DCHECK(network_time);
   if (network_time_at_last_measurement_.is_null()) {
     return false;
   }
   DCHECK(!ticks_at_last_measurement_.is_null());
@@ skipping 15 matching lines @@
     network_time_at_last_measurement_ = base::Time();
     return false;
   }
   *network_time = network_time_at_last_measurement_ + tick_delta;
   if (uncertainty) {
     *uncertainty = network_time_uncertainty_ + divergence;
   }
   return true;
 }
 
+void NetworkTimeTracker::QueryTimeService() {
+  DCHECK(thread_checker_.CalledOnValidThread());
+
+  // If GetNetworkTime() returns true, the NetworkTimeTracker thinks it is in
+  // sync, so there is no need to query.
+  base::Time network_time;
+  if (GetNetworkTime(&network_time, nullptr)) {
+    return;
+  }
+
+  std::string query_string;
+  query_signer_->SignRequest(nullptr, &query_string);
+  GURL url = server_url_;
+  GURL::Replacements replacements;
+  replacements.SetQueryStr(query_string);
+  url = url.ReplaceComponents(replacements);
+
+  // This cancels any outstanding fetch.
+  time_fetcher_ = net::URLFetcher::Create(url, net::URLFetcher::GET, this);
+  if (!time_fetcher_) {
+    DVLOG(1) << "tried to make fetch happen; failed";
+    return;
+  }
+  time_fetcher_->SaveResponseWithWriter(
+      std::unique_ptr<net::URLFetcherResponseWriter>(
+          new SizeLimitingStringWriter(max_response_size_)));
+  DCHECK(getter_);
+  time_fetcher_->SetRequestContext(getter_.get());
+  // Not expecting any cookies, but just in case.
+  time_fetcher_->SetLoadFlags(net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE |
+                              net::LOAD_DO_NOT_SAVE_COOKIES |
+                              net::LOAD_DO_NOT_SEND_COOKIES |
+                              net::LOAD_DO_NOT_SEND_AUTH_DATA);
+  time_fetcher_->Start();
+  fetch_started_ = tick_clock_->NowTicks();
+}
+
+void NetworkTimeTracker::OnURLFetchComplete(const net::URLFetcher* source) {
+  DCHECK(thread_checker_.CalledOnValidThread());
+  DCHECK(time_fetcher_);
+  DCHECK_EQ(source, time_fetcher_.get());
+
+  // Since the timer is a repeating timer, it's unnecessary to reset it
+  // explicitly, but doing so is a convenient way to back off in the event of an
+  // error.  Do that by default, and (if the query was successful) reset it to
+  // the standard interval.

[mmenke, 2016/05/02 17:47:28]

Since you always set the timer delay, any reason not to make this a
OneshotTimer?  Are you concerned about the URLFetcher hanging?  If so, that
seems a valid concern, but then you probably want to test that case, and
document that behavior where you declare the timer.

[mab, 2016/05/05 19:57:42]

I guess the main reason is that it obviates the need to audit whether the timer
is running, because it's always running.  I.e. there is no failure mode in which
time queries stop because I have failed to requeue the timer in some edge case.

+  DCHECK(query_timer_.IsRunning());
+  base::TimeDelta delay = query_timer_.GetCurrentDelay();
+  if (delay < base::TimeDelta::FromDays(2)) {
+    delay *= 2;
+  }
+  QueueTimeQuery(delay);
+
+  if (time_fetcher_->GetStatus().status() != net::URLRequestStatus::SUCCESS &&
+      time_fetcher_->GetResponseCode() != 200) {
+    DVLOG(1) << "fetch failed, status=" << time_fetcher_->GetStatus().status()
+             << ",code=" << time_fetcher_->GetResponseCode();
+    time_fetcher_.reset();

[mmenke, 2016/05/02 17:47:28]

optional:  May want to extract most of this function to a subroutine.  Then you
could do:


if (UpdateTimeFromResponse()) {
  // Stop timer.
} else {
  // Figure out retry delay here, and set timer.
}
time_fetcher_.reset();

[mab, 2016/05/05 19:57:42]

That's a great idea.  Done.

+    return;
+  }
+
+  std::string response_body;
+  if (!time_fetcher_->GetResponseAsString(&response_body)) {
+    DVLOG(1) << "failed to get response";
+    time_fetcher_.reset();
+    return;
+  }
+  DCHECK(query_signer_);
+  if (!query_signer_->ValidateResponse(response_body,
+                                       GetServerProof(time_fetcher_.get()))) {
+    DVLOG(1) << "invalid signature";
+    time_fetcher_.reset();
+    return;
+  }
+  time_fetcher_.reset();
+  response_body = response_body.substr(5);  // Skips leading )]}'\n
+  std::unique_ptr<base::Value> value = base::JSONReader::Read(response_body);
+  if (!value) {
+    DVLOG(1) << "bad JSON";
+    return;
+  }
+  const base::DictionaryValue* dict;
+  if (!value->GetAsDictionary(&dict)) {
+    DVLOG(1) << "not a dictionary";
+    return;
+  }
+  double current_time_millis;
+  if (!dict->GetDouble("current_time_millis", &current_time_millis)) {
+    DVLOG(1) << "no current_time_millis";
+    return;
+  }
+  // There is a "server_nonce" key here too, but it serves no purpose other than
+  // to make the server's response unpredictable.
+  base::Time current_time = base::Time::FromJsTime(current_time_millis);
+  base::TimeDelta resolution =
+      base::TimeDelta::FromMilliseconds(1) +
+      base::TimeDelta::FromSeconds(kTimeServerMaxSkewSeconds);
+  base::TimeDelta latency = tick_clock_->NowTicks() - fetch_started_;
+  UpdateNetworkTime(current_time, resolution, latency, tick_clock_->NowTicks());
+
+  // Normal completion, so, no backoff.
+  QueueTimeQuery(base::TimeDelta::FromMinutes(kMinimumQueryDelayMinutes));
+}
+
+void NetworkTimeTracker::QueueTimeQuery(base::TimeDelta delay) {
+  query_timer_.Start(FROM_HERE, delay, this,
+                     &NetworkTimeTracker::QueryTimeService);
+}
+
 }  // namespace network_time