
Unified Diff: components/certificate_transparency/single_tree_tracker.h

Issue 2017563002: Add Certificate Transparency logs auditing (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Marking comparator const Created 4 years, 6 months ago
Index: components/certificate_transparency/single_tree_tracker.h
diff --git a/components/certificate_transparency/single_tree_tracker.h b/components/certificate_transparency/single_tree_tracker.h
index f7afe72c3b449ed80396f12f54744cce005f38cf..a6c7c3c01480cf4fea6a60ecffdf9af4613ff099 100644
--- a/components/certificate_transparency/single_tree_tracker.h
+++ b/components/certificate_transparency/single_tree_tracker.h
@@ -9,8 +9,10 @@
#include <string>
#include "base/memory/ref_counted.h"
+#include "base/optional.h"
#include "base/time/time.h"
#include "net/cert/ct_verifier.h"
+#include "net/cert/merkle_tree_leaf.h"
#include "net/cert/signed_tree_head.h"
#include "net/cert/sth_observer.h"
@@ -25,7 +27,6 @@ struct SignedCertificateTimestamp;
} // namespace net
namespace certificate_transparency {
-
// Tracks the state of an individual Certificate Transparency Log's Merkle Tree.
// A CT Log constantly issues Signed Tree Heads, for which every older STH must
// be incorporated into the current/newer STH. As new certificates are logged,
@@ -96,17 +97,66 @@ class SingleTreeTracker : public net::CTVerifier::Observer,
const net::ct::SignedCertificateTimestamp* sct);
private:
+ // Contains metadata about a MerkleTreeLeaf: The time it was first observed
+ // by this client, the index of the MerkleTreeLeaf in the log, if known
+ // and its inclusion check status.
+ class LeafState {
Ryan Sleevi 2016/07/01 22:15:50 Declaring all of this in the .h defeats the very p
Eran Messeri 2016/07/13 14:42:56 Done.
+ public:
+ LeafState(SCTInclusionStatus status, const base::Time& observed_at);
+ LeafState(const LeafState& other);
+ LeafState(LeafState&&);
+ ~LeafState();
+
+ // Sets the index of the leaf in the tree. May be called only once per
+ // instance.
+ void SetLeafIndex(uint64_t index);
+
+ // Returns true if the leaf index was set for this instance.
+ bool HasLeafIndex() const;
+
+ // Returns the leaf index. May only be called on an instance where
+ // SetLeafIndex was called.
+ uint64_t GetLeafIndex() const;
+
+ // The time the leaf was observed.
+ const base::Time& ObservedAt() const;
+
+ // Returns the current inclusion status.
+ SCTInclusionStatus State() const;
+
+ // Sets the current inclusion status.
+ void SetState(SCTInclusionStatus status);
+
+ private:
+ // When the leaf for the particular certificate was first seen.
+ const base::Time observed_at_;
+
+ // The leaf's index in the tree. Only set if the index has been
+ // obtained from the log.
+ base::Optional<uint64_t> leaf_index_;
+
+ // Inclusion checking status of this leaf
+ SCTInclusionStatus state_;
+ };
+ // Orders LeafState instances by the timestamp of the MerkleTreeLeaf they
+ // contain, *not* the observation time.
+ struct OrderByTimestamp {
+ bool operator()(const net::ct::MerkleTreeLeaf& lhs,
+ const net::ct::MerkleTreeLeaf& rhs) const;
+ };
+
+ // Returns true if |leaf| has been observed in the past.
+ bool LeafAlreadyEncountered(const net::ct::MerkleTreeLeaf& leaf);
+
// Holds the latest STH fetched and verified for this log.
net::ct::SignedTreeHead verified_sth_;
// The log being tracked.
scoped_refptr<const net::CTLogVerifier> ct_log_;
- // List of log entries pending inclusion check.
- // TODO(eranm): Rather than rely on the timestamp, extend to to use the
- // whole MerkleTreeLeaf (RFC6962, section 3.4.) as a key. See
- // https://crbug.com/506227#c22 and https://crbug.com/613495
- std::map<base::Time, SCTInclusionStatus> entries_status_;
+ // Map of log entries to their state.
+ std::map<net::ct::MerkleTreeLeaf, LeafState, OrderByTimestamp>
+ observed_entries_;
DISALLOW_COPY_AND_ASSIGN(SingleTreeTracker);
};
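Review bot: The comment on `OrderByTimestamp` says it orders `LeafState` instances, but its `operator()` compares `net::ct::MerkleTreeLeaf` keys, and since `std::map` treats two keys that are not ordered relative to each other as equivalent, any two leaves that share a timestamp would collapse onto a single `LeafState` in `observed_entries_` if the comparator consults only the timestamp as its name and comment suggest (the implementation lives in the .cc, outside this file). That is the same limitation the removed TODO described, so either the comparator should fall back to the remaining leaf fields or the comment should state the limitation plainly: `// Orders the MerkleTreeLeaf keys of |observed_entries_| by their timestamp only (not by observation time); leaves with equal timestamps compare equivalent.` Separately, `LeafState` declares a copy constructor, move constructor and destructor but no assignment operators; because `observed_at_` is `const` they are implicitly deleted, which is worth spelling out with `LeafState& operator=(const LeafState&) = delete;` so readers of the header do not assume map values can be reassigned in place.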