Add enterprise policy to exempt hosts from Certificate Transparency

components/certificate_transparency/ct_policy_manager.h

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_POLICY_MANAGER_H_
+#define COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_POLICY_MANAGER_H_
+
+#include <memory>
+
+#include "base/macros.h"
+#include "base/memory/ref_counted.h"
+#include "base/memory/weak_ptr.h"
+#include "components/prefs/pref_change_registrar.h"
+#include "net/http/transport_security_state.h"
+
+namespace base {
+class SequencedTaskRunner;
+}  // base
+
+class PrefRegistrySimple;
+
+namespace certificate_transparency {
+
+// CTPolicyManager serves as the bridge between the Certificate Transparency
+// preferences (see pref_names.h) and the actual implementation, by exposing
+// a TransportSecurityState::RequireCTDelegate that can be used to query for
+// CT-related policies.
+class CTPolicyManager {
+ public:
+  // Registers the preferences related to Certificate Transparency policy
+  // in the given pref registry.
+  static void RegisterPrefs(PrefRegistrySimple* registry);
+
+  // Creates a CTPolicyManager that will monitor the preferences on
+  // |pref_service| and make them available to a RequireCTDelegate that
+  // can be used on |network_task_runner|.
+  //
+  // The CTPolicyManager should be constructed on the same task runner
+  // associated with the |pref_service|, but can be destructed on any
+  // task runner, provided that Shutdown() has been called.
+  CTPolicyManager(PrefService* pref_service,
+                  scoped_refptr<base::SequencedTaskRunner> network_task_runner);
+  ~CTPolicyManager();
+
+  // Unregisters the CTPolicyManager from the preference subsystem. This
+  // should be called on the same task runner that the pref service
+  // it was constructed with lives on.
+  void Shutdown();
+
+  // Returns a RequireCTDelegate() that responds based on the policies set

[eroman, 2016/06/30 02:24:36]

Why parens on RequiredCTDelegate() ?

+  // via preferences.
+  //
+  // The order of priority of the preferences is that:
+  //   - Specific hosts are preferred over those that match subdomains.
+  //   - The most specific host is preferred.
+  //   - Requiring CT is preferred over excluding CT
+  //
+  // This object MUST only be used on the network task runner supplied during
+  // construction, MAY be used after Shutdown() is called (at which point,
+  // it will reflect the last status before Shutdown() was called), and
+  // MUST NOT be used after this object has been deleted.
+  net::TransportSecurityState::RequireCTDelegate* GetDelegate();
+
+ private:
+  class CTDelegate;
+
+  // Schedules an update of the CTPolicyDelegate. As it's possible that
+  // multiple preferences may be updated at the same time, this exists to
+  // schedule only a single update.
+  void ScheduleUpdate();
+
+  // Performs the actual update of the CTPolicyDelegate once preference
+  // changes have quiesced.
+  void Update();
+
+  PrefChangeRegistrar pref_change_registrar_;
+  std::unique_ptr<CTDelegate> delegate_;
+
+  base::WeakPtrFactory<CTPolicyManager> weak_factory_;
+
+  DISALLOW_COPY_AND_ASSIGN(CTPolicyManager);
+};
+
+}  // namespace certificate_transparency
+
+#endif  // COMPONENTS_CERTIFICATE_TRANSPARENCY_CT_POLICY_MANAGER_H_