EME: Make sure sessions are closed before they are destroyed

media/blink/webcontentdecryptionmodulesession_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "webcontentdecryptionmodulesession_impl.h"
 
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/logging.h"
+#include "base/memory/ptr_util.h"
 #include "base/numerics/safe_conversions.h"
 #include "base/strings/string_util.h"
 #include "base/strings/utf_string_conversions.h"
 #include "media/base/cdm_key_information.h"
 #include "media/base/cdm_promise.h"
 #include "media/base/key_system_names.h"
 #include "media/base/key_systems.h"
 #include "media/base/limits.h"
 #include "media/base/media_keys.h"
 #include "media/blink/cdm_result_promise.h"
 #include "media/blink/cdm_session_adapter.h"
 #include "media/blink/webmediaplayer_util.h"
 #include "media/cdm/json_web_key.h"
 #include "third_party/WebKit/public/platform/WebData.h"
 #include "third_party/WebKit/public/platform/WebEncryptedMediaKeyInformation.h"
 #include "third_party/WebKit/public/platform/WebString.h"
 #include "third_party/WebKit/public/platform/WebURL.h"
 #include "third_party/WebKit/public/platform/WebVector.h"
 
 #if defined(USE_PROPRIETARY_CODECS)
 #include "media/cdm/cenc_utils.h"
 #endif
 
 namespace media {
 
+namespace {
+
 const char kCloseSessionUMAName[] = "CloseSession";
 const char kGenerateRequestUMAName[] = "GenerateRequest";
 const char kLoadSessionUMAName[] = "LoadSession";
 const char kRemoveSessionUMAName[] = "RemoveSession";
 const char kUpdateSessionUMAName[] = "UpdateSession";
 
-static blink::WebContentDecryptionModuleSession::Client::MessageType
+blink::WebContentDecryptionModuleSession::Client::MessageType
 convertMessageType(MediaKeys::MessageType message_type) {
   switch (message_type) {
     case media::MediaKeys::LICENSE_REQUEST:
       return blink::WebContentDecryptionModuleSession::Client::MessageType::
           LicenseRequest;
     case media::MediaKeys::LICENSE_RENEWAL:
       return blink::WebContentDecryptionModuleSession::Client::MessageType::
           LicenseRenewal;
     case media::MediaKeys::LICENSE_RELEASE:
       return blink::WebContentDecryptionModuleSession::Client::MessageType::
           LicenseRelease;
   }
 
   NOTREACHED();
   return blink::WebContentDecryptionModuleSession::Client::MessageType::
       LicenseRequest;
 }
 
-static blink::WebEncryptedMediaKeyInformation::KeyStatus convertStatus(
+blink::WebEncryptedMediaKeyInformation::KeyStatus convertStatus(
     media::CdmKeyInformation::KeyStatus status) {
   switch (status) {
     case media::CdmKeyInformation::USABLE:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::Usable;
     case media::CdmKeyInformation::INTERNAL_ERROR:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::InternalError;
     case media::CdmKeyInformation::EXPIRED:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::Expired;
     case media::CdmKeyInformation::OUTPUT_RESTRICTED:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::
           OutputRestricted;
     case media::CdmKeyInformation::OUTPUT_DOWNSCALED:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::
           OutputDownscaled;
     case media::CdmKeyInformation::KEY_STATUS_PENDING:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::StatusPending;
     case media::CdmKeyInformation::RELEASED:
       return blink::WebEncryptedMediaKeyInformation::KeyStatus::Released;
   }
 
   NOTREACHED();
   return blink::WebEncryptedMediaKeyInformation::KeyStatus::InternalError;
 }
 
-static MediaKeys::SessionType convertSessionType(
+MediaKeys::SessionType convertSessionType(
     blink::WebEncryptedMediaSessionType session_type) {
   switch (session_type) {
     case blink::WebEncryptedMediaSessionType::Temporary:
       return MediaKeys::TEMPORARY_SESSION;
     case blink::WebEncryptedMediaSessionType::PersistentLicense:
       return MediaKeys::PERSISTENT_LICENSE_SESSION;
     case blink::WebEncryptedMediaSessionType::PersistentReleaseMessage:
       return MediaKeys::PERSISTENT_RELEASE_MESSAGE_SESSION;
     case blink::WebEncryptedMediaSessionType::Unknown:
       break;
   }
 
   NOTREACHED();
   return MediaKeys::TEMPORARY_SESSION;
 }
 
-static bool SanitizeInitData(EmeInitDataType init_data_type,
-                             const unsigned char* init_data,
-                             size_t init_data_length,
-                             std::vector<uint8_t>* sanitized_init_data,
-                             std::string* error_message) {
+bool SanitizeInitData(EmeInitDataType init_data_type,
+                      const unsigned char* init_data,
+                      size_t init_data_length,
+                      std::vector<uint8_t>* sanitized_init_data,
+                      std::string* error_message) {
   DCHECK_GT(init_data_length, 0u);
   if (init_data_length > limits::kMaxInitDataLength) {
     error_message->assign("Initialization data too long.");
     return false;
   }
 
   switch (init_data_type) {
     case EmeInitDataType::WEBM:
       // |init_data| for WebM is a single key.
       if (init_data_length > limits::kMaxKeyIdLength) {
@@ skipping 39 matching lines @@
 
     case EmeInitDataType::UNKNOWN:
       break;
   }
 
   NOTREACHED();
   error_message->assign("Initialization data type is not supported.");
   return false;
 }
 
-static bool SanitizeSessionId(const blink::WebString& session_id,
-                              std::string* sanitized_session_id) {
+bool SanitizeSessionId(const blink::WebString& session_id,
+                       std::string* sanitized_session_id) {
   // The user agent should thoroughly validate the sessionId value before
   // passing it to the CDM. At a minimum, this should include checking that
   // the length and value (e.g. alphanumeric) are reasonable.
   if (!session_id.containsOnlyASCII())
     return false;
 
   sanitized_session_id->assign(session_id.ascii());
   if (sanitized_session_id->length() > limits::kMaxSessionIdLength)
     return false;
 
   for (const char c : *sanitized_session_id) {
     if (!base::IsAsciiAlpha(c) && !base::IsAsciiDigit(c))
       return false;
   }
 
   return true;
 }
 
-static bool SanitizeResponse(const std::string& key_system,
-                             const uint8_t* response,
-                             size_t response_length,
-                             std::vector<uint8_t>* sanitized_response) {
+bool SanitizeResponse(const std::string& key_system,
+                      const uint8_t* response,
+                      size_t response_length,
+                      std::vector<uint8_t>* sanitized_response) {
   // The user agent should thoroughly validate the response before passing it
   // to the CDM. This may include verifying values are within reasonable limits,
   // stripping irrelevant data or fields, pre-parsing it, sanitizing it,
   // and/or generating a fully sanitized version. The user agent should check
   // that the length and values of fields are reasonable. Unknown fields should
   // be rejected or removed.
   if (response_length > limits::kMaxSessionResponseLength)
     return false;
 
   if (IsClearKey(key_system) || IsExternalClearKey(key_system)) {
@@ skipping 17 matching lines @@
     std::string sanitized_data = GenerateJWKSet(keys, session_type);
     sanitized_response->assign(sanitized_data.begin(), sanitized_data.end());
     return true;
   }
 
   // TODO(jrummell): Verify responses for Widevine.
   sanitized_response->assign(response, response + response_length);
   return true;
 }
 
+// If we need to close the session while destroying this object, we need a
+// dummy promise that won't call back into this object (or try to pass
+// something back to blink).
+class IgnoreResponsePromise : public SimpleCdmPromise {
+ public:
+  IgnoreResponsePromise() {}
+  ~IgnoreResponsePromise() override {}
+
+  // SimpleCdmPromise implementation.
+  void resolve() final { MarkPromiseSettled(); }
+  void reject(CdmPromise::Exception exception_code,
+              uint32_t system_code,
+              const std::string& error_message) final {
+    MarkPromiseSettled();
+  }
+};
+
+}  // namespace
+
 WebContentDecryptionModuleSessionImpl::WebContentDecryptionModuleSessionImpl(
     const scoped_refptr<CdmSessionAdapter>& adapter)
-    : adapter_(adapter), is_closed_(false), weak_ptr_factory_(this) {
-}
+    : adapter_(adapter),
+      has_close_been_called_(false),
+      is_closed_(false),
+      weak_ptr_factory_(this) {}
 
 WebContentDecryptionModuleSessionImpl::
     ~WebContentDecryptionModuleSessionImpl() {
   DCHECK(thread_checker_.CalledOnValidThread());
-  if (!session_id_.empty())
+
+  if (!session_id_.empty()) {
     adapter_->UnregisterSession(session_id_);
+
+    // From http://w3c.github.io/encrypted-media/#mediakeysession-interface
+    // "If a MediaKeySession object is not closed when it becomes inaccessible
+    // to the page, the CDM shall close the key session associated with the
+    // object."
+    //
+    // This object is destroyed when the corresponding blink object is no
+    // longer needed (which may be due to it becoming inaccessible to the
+    // page), so if the session is not closed and CloseSession() has not yet
+    // been called, call CloseSession() now. Since this object is being
+    // destroyed, there is no need for the promise to do anything as this
+    // session will be gone.
+    if (!is_closed_ && !has_close_been_called_) {
+      adapter_->CloseSession(session_id_,
+                             base::MakeUnique<IgnoreResponsePromise>());
+    }
+  }
 }
 
 void WebContentDecryptionModuleSessionImpl::setClientInterface(Client* client) {
   client_ = client;
 }
 
 blink::WebString WebContentDecryptionModuleSessionImpl::sessionId() const {
   return blink::WebString::fromUTF8(session_id_);
 }
 
@@ skipping 138 matching lines @@
   }
 
   adapter_->UpdateSession(
       session_id_, sanitized_response,
       std::unique_ptr<SimpleCdmPromise>(new CdmResultPromise<>(
           result, adapter_->GetKeySystemUMAPrefix() + kUpdateSessionUMAName)));
 }
 
 void WebContentDecryptionModuleSessionImpl::close(
     blink::WebContentDecryptionModuleResult result) {
+  // close() shouldn't be called if the session is already closed. blink
+  // prevents a second call to close(), but since the operation is
+  // asynchronous, there is a window where close() was called just before
+  // the closed event arrives. The CDM should handle the case where
+  // close() is called after it has already closed the session.
   DCHECK(!session_id_.empty());
+  DCHECK(!has_close_been_called_);
   DCHECK(thread_checker_.CalledOnValidThread());
+
+  has_close_been_called_ = true;
   adapter_->CloseSession(
       session_id_,
       std::unique_ptr<SimpleCdmPromise>(new CdmResultPromise<>(
           result, adapter_->GetKeySystemUMAPrefix() + kCloseSessionUMAName)));
 }
 
 void WebContentDecryptionModuleSessionImpl::remove(
     blink::WebContentDecryptionModuleResult result) {
   DCHECK(!session_id_.empty());
   DCHECK(thread_checker_.CalledOnValidThread());
@@ skipping 31 matching lines @@
 }
 
 void WebContentDecryptionModuleSessionImpl::OnSessionExpirationUpdate(
     const base::Time& new_expiry_time) {
   DCHECK(thread_checker_.CalledOnValidThread());
   client_->expirationChanged(new_expiry_time.ToJsTime());
 }
 
 void WebContentDecryptionModuleSessionImpl::OnSessionClosed() {
   DCHECK(thread_checker_.CalledOnValidThread());
+
+  // Only send one closed event to blink.
   if (is_closed_)
     return;
 
   is_closed_ = true;
   client_->close();
 }
 
 void WebContentDecryptionModuleSessionImpl::OnSessionInitialized(
     const std::string& session_id,
     SessionInitStatus* status) {
   DCHECK(thread_checker_.CalledOnValidThread());
   // CDM will return NULL if the session to be loaded can't be found.
   if (session_id.empty()) {
     *status = SessionInitStatus::SESSION_NOT_FOUND;
     return;
   }
 
   DCHECK(session_id_.empty()) << "Session ID may not be changed once set.";
   session_id_ = session_id;
   *status =
       adapter_->RegisterSession(session_id_, weak_ptr_factory_.GetWeakPtr())
           ? SessionInitStatus::NEW_SESSION
           : SessionInitStatus::SESSION_ALREADY_EXISTS;
 }
 
 }  // namespace media