Support host-based deletion for SSLHostStateDelegate

chrome/browser/ssl/chrome_ssl_host_state_delegate.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
 
 #include <stdint.h>
 
 #include <set>
 
 #include "base/base64.h"
 #include "base/bind.h"
+#include "base/callback.h"
 #include "base/command_line.h"
 #include "base/guid.h"
 #include "base/logging.h"
 #include "base/metrics/field_trial.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/time/clock.h"
 #include "base/time/default_clock.h"
 #include "base/time/time.h"
 #include "base/values.h"
 #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
@@ skipping 109 matching lines @@
       // Set the new pattern.
       if (value) {
         map->SetWebsiteSettingDefaultScope(
             url, GURL(), CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
             std::string(), std::move(value));
       }
     }
   }
 }
 
+bool HostFilterToPatternFilter(
+    const base::Callback<bool(const std::string&)>& host_filter,
+    const ContentSettingsPattern& primary_pattern,
+    const ContentSettingsPattern& secondary_pattern) {
+  // We only store data for "https://<host>" primary patterns, so we can convert
+  // them directly to a URL. The secondary pattern is unused.
+  GURL url(primary_pattern.ToString());
+  DCHECK(url.is_valid());

[estark, 2016/08/30 01:52:16]

Just checking that this DCHECK really is a DCHECK -- I can't figure out where
exactly this |primary_pattern| comes from. It's not e.g. a string typed by the
user, is it?

[msramek, 2016/08/30 14:39:41]

Oh, the shame! The DCHECK is wrong, thanks for catching this :)

The user can't type it, but an administrator can, because it's managed by
policy:
https://www.chromium.org/administrators/policy-list-3#AutoSelectCertificateFo...

If we want to delete data for <host>, we must delete all patterns for
"*://<host>:*" or stricter (i.e. with specified scheme or port). I.e. there are
patterns with invalid URLs that we still care about.

We need to compare two blackboxes - ContentSettingsPattern and |host_filter|,
and I don't think there's a way around that without making one of them
transparent. So I added a GetHost() method to ContentSettingsPattern.

I also added a TODO for myself to investigate whether broadly scoped exceptions
are in practice recognized by ChromeSSLHostStateDelegate. We can talk about that
with Joel when he returns.

[raymes, 2016/08/30 23:32:00]

Hmm, this file is dealing with CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS though,
not CONTENT_SETTINGS_TYPE_AUTO_SELECT_CERTIFICATE. I don't think
SSL_CERT_DECISIONS are managed by policy -- I think they are only set via the
chrome UI. Given that, can we avoid adding the GetHost for now?

The other content_settings changes look good to me though.

[msramek, 2016/08/31 13:43:11]

...correct. I panicked and searched for the wrong one :)

So! The only SetWebsiteSetting call for SSL_CERT_DECISIONS is in this file, and
it uses the default pattern scoping for the URL generated by
GetSecureGURLForHost(), which is GURL("https://<host>"). The default scoping
will create a "https://<host>:443" pattern, which is also a valid URL.

Even before the introduction of default scopes, SSL_CERT_DECISIONS used
FromURLNoWildcard, so there cannot be any legacy exceptions with wildcards
either.

This is not manageable by policy or extensions.

Which means that yes, the DCHECK is valid after all :-)

+  return host_filter.Run(url.host());
+}
+
 }  // namespace
 
 // This helper function gets the dictionary of certificate fingerprints to
 // errors of certificates that have been accepted by the user from the content
 // dictionary that has been passed in. The returned pointer is owned by the the
 // argument dict that is passed in.
 //
 // If create_entries is set to |DO_NOT_CREATE_DICTIONARY_ENTRIES|,
 // GetValidCertDecisionsDict will return NULL if there is anything invalid about
 // the setting, such as an invalid version or invalid value types (in addition
@@ skipping 154 matching lines @@
                                        kDefaultSSLCertDecisionVersion);
   cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error), ALLOWED);
 
   // The map takes ownership of the value, so it is released in the call to
   // SetWebsiteSettingDefaultScope.
   map->SetWebsiteSettingDefaultScope(url, GURL(),
                                      CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
                                      std::string(), std::move(value));
 }
 
-void ChromeSSLHostStateDelegate::Clear() {
+void ChromeSSLHostStateDelegate::Clear(
+    const base::Callback<bool(const std::string&)>& host_filter) {
+  // Convert host matching to content settings pattern matching. Content
+  // settings deletion is done synchronously on the UI thread, so we can use
+  // |host_filter| by reference.
+  base::Callback<bool(const ContentSettingsPattern& primary_pattern,
+                      const ContentSettingsPattern& secondary_pattern)>
+      pattern_filter;
+  if (!host_filter.is_null()) {
+    pattern_filter =
+        base::Bind(&HostFilterToPatternFilter, base::ConstRef(host_filter));
+  }
+
   HostContentSettingsMapFactory::GetForProfile(profile_)
-      ->ClearSettingsForOneType(CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS);
+      ->ClearSettingsForOneTypeWithPredicate(
+          CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, pattern_filter);
 }
 
 content::SSLHostStateDelegate::CertJudgment
 ChromeSSLHostStateDelegate::QueryPolicy(const std::string& host,
                                         const net::X509Certificate& cert,
                                         net::CertStatus error,
                                         bool* expired_previous_decision) {
   HostContentSettingsMap* map =
       HostContentSettingsMapFactory::GetForProfile(profile_);
   GURL url = GetSecureGURLForHost(host);
@@ skipping 130 matching lines @@
     case CERT_ERRORS_CONTENT:
       return !!ran_content_with_cert_errors_hosts_.count(
           BrokenHostEntry(host, child_id));
   }
   NOTREACHED();
   return false;
 }
 void ChromeSSLHostStateDelegate::SetClock(std::unique_ptr<base::Clock> clock) {
   clock_.reset(clock.release());
 }