getInstalledRelatedApps: Introduce random delay to stop timing attacks.

content/public/android/junit/src/org/chromium/content/browser/installedapp/InstalledAppProviderTest.java

 // Copyright 2017 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 package org.chromium.content.browser.installedapp;
 
+import android.content.Context;
 import android.content.pm.ApplicationInfo;
 import android.content.pm.PackageManager;
 import android.content.pm.PackageManager.NameNotFoundException;
 import android.content.res.AssetManager;
 import android.content.res.Resources;
 import android.os.Bundle;
 
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
@@ skipping 40 matching lines @@
     private static final String ORIGIN_SYNTAX_ERROR = "https:{";
     private static final String ORIGIN_MISSING_SCHEME = "path/only";
     private static final String ORIGIN_MISSING_HOST = "file:///path/piece";
     private static final String ORIGIN_MISSING_PORT = "http://example.com";
     private static final String ORIGIN_DIFFERENT_SCHEME = "http://example.com:8000";
     private static final String ORIGIN_DIFFERENT_HOST = "https://example.org:8000";
     private static final String ORIGIN_DIFFERENT_PORT = "https://example.com:8001";
 
     private FakePackageManager mPackageManager;
     private FakeFrameUrlDelegate mFrameUrlDelegate;
-    private InstalledAppProviderImpl mInstalledAppProvider;
+    private InstalledAppProviderTestImpl mInstalledAppProvider;
+
+    private static class InstalledAppProviderTestImpl extends InstalledAppProviderImpl {
+        private long mLastDelayMillis;
+
+        public InstalledAppProviderTestImpl(FrameUrlDelegate frameUrlDelegate, Context context) {
+            super(frameUrlDelegate, context);
+        }
+
+        public long getLastDelayMillis() {
+            return mLastDelayMillis;
+        }
+
+        @Override
+        protected void delayThenRun(Runnable r, long delayMillis) {
+            mLastDelayMillis = delayMillis;
+            r.run();
+        }
+    }
 
     /**
      * FakePackageManager allows for the "installation" of Android package names and setting up
      * Resources for installed packages.
      */
     private static class FakePackageManager extends DefaultPackageManager {
         private final HashMap<String, Bundle> mMetaDataMap;
         private final HashMap<String, Resources> mResourceMap;
 
         public FakePackageManager() {
@@ skipping 194 matching lines @@
                     }
                 });
     }
 
     @Before
     public void setUp() {
         mPackageManager = new FakePackageManager();
         RuntimeEnvironment.setRobolectricPackageManager(mPackageManager);
         mFrameUrlDelegate = new FakeFrameUrlDelegate(URL_ON_ORIGIN);
         mInstalledAppProvider =
-                new InstalledAppProviderImpl(mFrameUrlDelegate, RuntimeEnvironment.application);
+                new InstalledAppProviderTestImpl(mFrameUrlDelegate, RuntimeEnvironment.application);
     }
 
     /**
      * Origin of the page using the API is missing certain parts of the URI.
      */
     @Test
     @Feature({"InstalledApp"})
     public void testOriginMissingParts() {
         RelatedApplication manifestRelatedApps[] = new RelatedApplication[] {
                 createRelatedApplication(PLATFORM_ANDROID, PACKAGE_NAME_1, null)};
@@ skipping 490 matching lines @@
                 createRelatedApplication(PLATFORM_OTHER, PACKAGE_NAME_2, null),
                 createRelatedApplication(PLATFORM_ANDROID, PACKAGE_NAME_3, null)};
 
         setAssetStatement(PACKAGE_NAME_2, NAMESPACE_WEB, RELATION_HANDLE_ALL_URLS, ORIGIN);
         setAssetStatement(PACKAGE_NAME_3, NAMESPACE_WEB, RELATION_HANDLE_ALL_URLS, ORIGIN);
 
         RelatedApplication[] expectedInstalledRelatedApps =
                 new RelatedApplication[] {manifestRelatedApps[1], manifestRelatedApps[3]};
         verifyInstalledApps(manifestRelatedApps, expectedInstalledRelatedApps);
     }
+
+    /**
+     * Tests the pseudo-random artificial delay to counter a timing attack.
+     */
+    @Test
+    @Feature({"InstalledApp"})
+    public void testArtificialDelay() {
+        byte[] salt = {0x64, 0x09, -0x68, -0x25, 0x70, 0x11, 0x25, 0x24, 0x68, -0x1a, 0x08, 0x79,
+                -0x12, -0x50, 0x3b, -0x57, -0x17, -0x4d, 0x46, 0x02};
+        PackageHash.setGlobalSaltForTesting(salt);
+        setAssetStatement(PACKAGE_NAME_1, NAMESPACE_WEB, RELATION_HANDLE_ALL_URLS, ORIGIN);
+
+        // Installed app.
+        RelatedApplication manifestRelatedApps[] = new RelatedApplication[] {
+                createRelatedApplication(PLATFORM_ANDROID, PACKAGE_NAME_1, null)};
+        RelatedApplication[] expectedInstalledRelatedApps = manifestRelatedApps;
+        verifyInstalledApps(manifestRelatedApps, expectedInstalledRelatedApps);
+        // This expectation is based on HMAC_SHA256(salt, packageName encoded in UTF-8), taking the
+        // low 10 bits of the first two bytes of the result / 100.
+        Assert.assertEquals(2, mInstalledAppProvider.getLastDelayMillis());
+
+        // Non-installed app.
+        manifestRelatedApps = new RelatedApplication[] {
+                createRelatedApplication(PLATFORM_ANDROID, PACKAGE_NAME_2, null)};
+        expectedInstalledRelatedApps = new RelatedApplication[] {};
+        verifyInstalledApps(manifestRelatedApps, expectedInstalledRelatedApps);
+        // This expectation is based on HMAC_SHA256(salt, packageName encoded in UTF-8), taking the
+        // low 10 bits of the first two bytes of the result / 100.
+        Assert.assertEquals(5, mInstalledAppProvider.getLastDelayMillis());
+    }
 }