Submit a sample of notification images to Safe Browsing

chrome/browser/safe_browsing/notification_image_reporter.cc

+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/safe_browsing/notification_image_reporter.h"
+
+#include <cmath>
+#include <vector>
+
+#include "base/bind.h"
+#include "base/logging.h"
+#include "base/memory/ptr_util.h"
+#include "base/memory/ref_counted_memory.h"
+#include "base/metrics/field_trial.h"
+#include "base/metrics/histogram_macros.h"
+#include "base/rand_util.h"
+#include "base/threading/sequenced_worker_pool.h"
+#include "chrome/browser/browser_process.h"
+#include "chrome/browser/profiles/profile.h"
+#include "chrome/browser/safe_browsing/safe_browsing_service.h"
+#include "chrome/common/safe_browsing/csd.pb.h"
+#include "components/safe_browsing_db/database_manager.h"
+#include "components/safe_browsing_db/safe_browsing_prefs.h"
+#include "content/public/browser/browser_thread.h"
+#include "net/base/net_errors.h"
+#include "net/url_request/report_sender.h"
+#include "skia/ext/image_operations.h"
+#include "third_party/skia/include/core/SkBitmap.h"
+#include "ui/gfx/codec/png_codec.h"
+#include "ui/gfx/geometry/size.h"
+#include "url/gurl.h"
+
+using content::BrowserThread;
+
+namespace safe_browsing {
+
+namespace {
+
+const size_t kMaxReportsPerDay = 5;
+const char kImageReporting[] = "NotificationImageReporting";

[Nathan Parker, 2017/01/20 00:25:43]

nit: Add "FieldTrial" (or "Feature" if you go with my suggestion below) to this
variable name

[harkness, 2017/01/20 16:58:06]

Done.

+const char kDefaultMimeType[] = "image/png";
+
+void LogReportResult(const GURL& url, int net_error) {

[Ilya Sherman, 2017/01/19 22:53:40]

nit: Looks like the |url| is not used, so it could probably be safely omitted.

[Nathan Parker, 2017/01/20 00:25:43]

Looks like that's part of the ReportSender interface, and is likely used
elsewhere.  You could add a comment so it doesn't look like a mistake.

[harkness, 2017/01/20 16:58:06]

Done.

+  UMA_HISTOGRAM_SPARSE_SLOWLY("SafeBrowsing.NotificationImageReporter.NetError",
+                              net_error);
+}
+
+}  // namespace
+
+const char NotificationImageReporter::kReportingUploadUrl[] =
+    "https://safebrowsing.googleusercontent.com/safebrowsing/clientreport/"
+    "notification-image";
+
+NotificationImageReporter::NotificationImageReporter(
+    net::URLRequestContext* request_context)
+    : NotificationImageReporter(base::MakeUnique<net::ReportSender>(
+          request_context,
+          net::ReportSender::CookiesPreference::DO_NOT_SEND_COOKIES)) {}
+
+NotificationImageReporter::NotificationImageReporter(
+    std::unique_ptr<net::ReportSender> report_sender)
+    : report_sender_(std::move(report_sender)), weak_factory_on_io_(this) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  // Create an experiment to control whether this instance sends image reports.
+  // The group will have 0% enabled and will only be turned on using Finch.
+  scoped_refptr<base::FieldTrial> trial(
+      base::FieldTrialList::FactoryGetFieldTrial(
+          kImageReporting, 100, "disabled", 2018, 1, 1,
+          base::FieldTrial::SESSION_RANDOMIZED, nullptr));
+  trial->AppendGroup("enabled", 0);
+}
+
+NotificationImageReporter::~NotificationImageReporter() {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+}
+
+void NotificationImageReporter::ReportNotificationImageOnIO(
+    Profile* profile,
+    const scoped_refptr<SafeBrowsingDatabaseManager>& database_manager,
+    const GURL& origin,
+    const SkBitmap& image) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  DCHECK(profile);
+  DCHECK_EQ(origin, origin.GetOrigin());
+  DCHECK(origin.is_valid());
+
+  // Skip whitelisted origins to cut down on report volume.
+  if (!database_manager || database_manager->MatchCsdWhitelistUrl(origin)) {
+    SkippedReporting();
+    return;
+  }
+
+  // Sample a Finch-controlled fraction only.
+  if (!IsReportingEnabled()) {
+    SkippedReporting();
+    return;
+  }
+
+  // Avoid exceeding kMaxReportsPerDay.
+  base::Time a_day_ago = base::Time::Now() - base::TimeDelta::FromDays(1);
+  while (!report_times_.empty() &&
+         report_times_.front() < /* older than */ a_day_ago) {
+    report_times_.pop();
+  }
+  if (report_times_.size() >= kMaxReportsPerDay) {
+    SkippedReporting();
+    return;
+  }
+  // n.b. we write to report_times_ here even if we'll later end up skipping
+  // reporting because GetExtendedReportingLevel was not SBER_LEVEL_SCOUT. That
+  // saves us two thread hops, with the downside that we may underreport
+  // notifications on the first day that a user opts in to SBER_LEVEL_SCOUT.
+  report_times_.push(base::Time::Now());
+
+  BrowserThread::PostTask(
+      BrowserThread::UI, FROM_HERE,
+      base::Bind(&NotificationImageReporter::ReportNotificationImageOnUI,
+                 weak_factory_on_io_.GetWeakPtr(), profile, origin, image));
+}
+
+bool NotificationImageReporter::IsReportingEnabled() const {
+  return (base::FieldTrialList::FindFullName(kImageReporting) == "enabled");

[Nathan Parker, 2017/01/20 00:25:43]

This is a bit inflexible since you can never change the group name, nor have
multiple enabled groups doing different things.

A more flexible way (and easier to test since it can be used with a simple flag)
is with a "Features."  e.g.:

https://cs.chromium.org/chromium/src/components/safe_browsing_db/v4_feature_l...

Then you add something like this to the finch config:
   "enabled_features": ["NotificationImageReporting"]

And then you can test with --enable_features=NotificationImageReporting.

[Nathan Parker, 2017/01/20 01:37:28]

Actually, this isn't sufficient to select a random sample of images from one
particular user -- it'll let you pick particular users to enable.

So I'd suggest using "params" on the field trial.  You can put in a string value
of, say, a ascii float (e.g. "0.2").  Then you'd convert that here from
string->float and call random to see if this image should be selected.

If the param isn't present, you can default the fraction to 0.0, so it'll be off
be default.  And you won't need the call to
base::FieldTrialList::FactoryGetFieldTrial() -- all that config will go in the
Google3 finch config.

[harkness, 2017/01/20 16:58:06]

Done.

+}
+
+void NotificationImageReporter::SkippedReporting() {}
+
+// static
+void NotificationImageReporter::ReportNotificationImageOnUI(
+    const base::WeakPtr<NotificationImageReporter>& weak_this_on_io,
+    Profile* profile,
+    const GURL& origin,
+    const SkBitmap& image) {
+  DCHECK_CURRENTLY_ON(BrowserThread::UI);
+
+  // Skip reporting unless SBER2 Scout is enabled.
+  if (GetExtendedReportingLevel(*profile->GetPrefs()) != SBER_LEVEL_SCOUT) {
+    BrowserThread::PostTask(
+        BrowserThread::IO, FROM_HERE,
+        base::Bind(&NotificationImageReporter::SkippedReporting,
+                   weak_this_on_io));
+    return;
+  }
+
+  BrowserThread::GetBlockingPool()->PostWorkerTask(
+      FROM_HERE,
+      base::Bind(
+          &NotificationImageReporter::DownscaleNotificationImageOnBlockingPool,
+          weak_this_on_io, origin, image));
+}
+
+// static
+void NotificationImageReporter::DownscaleNotificationImageOnBlockingPool(
+    const base::WeakPtr<NotificationImageReporter>& weak_this_on_io,
+    const GURL& origin,
+    const SkBitmap& image) {
+  DCHECK(BrowserThread::GetBlockingPool()->RunsTasksOnCurrentThread());
+
+  // Downscale to fit within 512x512. TODO(johnme): Get this from Finch.
+  const double MAX_SIZE = 512;
+  SkBitmap downscaled_image = image;
+  if ((image.width() > MAX_SIZE || image.height() > MAX_SIZE) &&
+      image.width() > 0 && image.height() > 0) {
+    double scale =
+        std::min(MAX_SIZE / image.width(), MAX_SIZE / image.height());
+    downscaled_image =
+        skia::ImageOperations::Resize(image, skia::ImageOperations::RESIZE_GOOD,
+                                      std::lround(scale * image.width()),
+                                      std::lround(scale * image.height()));
+  }
+
+  // Encode as PNG.
+  std::vector<unsigned char> png_bytes;
+  if (!gfx::PNGCodec::EncodeBGRASkBitmap(downscaled_image, false, &png_bytes)) {
+    NOTREACHED();
+    return;
+  }
+
+  BrowserThread::PostTask(
+      BrowserThread::IO, FROM_HERE,
+      base::Bind(&NotificationImageReporter::SendReportOnIO, weak_this_on_io,
+                 origin, base::RefCountedBytes::TakeVector(&png_bytes),
+                 gfx::Size(downscaled_image.width(), downscaled_image.height()),
+                 gfx::Size(image.width(), image.height())));
+}
+
+void NotificationImageReporter::SendReportOnIO(
+    const GURL& origin,
+    scoped_refptr<base::RefCountedMemory> data,
+    const gfx::Size& dimensions,
+    const gfx::Size& original_dimensions) {
+  DCHECK_CURRENTLY_ON(BrowserThread::IO);
+
+  NotificationImageReportRequest report;
+  report.set_notification_origin(origin.spec());
+  report.mutable_image()->set_data(data->front(), data->size());
+  report.mutable_image()->set_mime_type(kDefaultMimeType);
+  report.mutable_image()->mutable_dimensions()->set_width(dimensions.width());
+  report.mutable_image()->mutable_dimensions()->set_height(dimensions.height());
+  if (dimensions != original_dimensions) {
+    report.mutable_image()->mutable_original_dimensions()->set_width(
+        original_dimensions.width());
+    report.mutable_image()->mutable_original_dimensions()->set_height(
+        original_dimensions.height());
+  }
+
+  std::string serialized_report;
+  report.SerializeToString(&serialized_report);
+  report_sender_->Send(
+      GURL(kReportingUploadUrl), "application/octet-stream", serialized_report,
+      base::Bind(&LogReportResult, GURL(kReportingUploadUrl), net::OK),
+      base::Bind(&LogReportResult));
+  // TODO(johnme): Consider logging bandwidth and/or duration to UMA.
+}
+
+}  // namespace safe_browsing