OLD | NEW |
---|---|
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" | 5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" |
6 | 6 |
7 #include <set> | |
7 #include <string> | 8 #include <string> |
8 | 9 |
9 #include "base/base64.h" | 10 #include "base/base64.h" |
10 #include "base/command_line.h" | 11 #include "base/command_line.h" |
11 #include "base/feature_list.h" | 12 #include "base/feature_list.h" |
12 #include "base/json/json_writer.h" | 13 #include "base/json/json_writer.h" |
13 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
14 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
15 #include "base/metrics/sparse_histogram.h" | 16 #include "base/metrics/sparse_histogram.h" |
16 #include "base/strings/string_number_conversions.h" | 17 #include "base/strings/string_number_conversions.h" |
18 #include "base/strings/string_split.h" | |
19 #include "base/strings/string_util.h" | |
17 #include "base/strings/stringprintf.h" | 20 #include "base/strings/stringprintf.h" |
18 #include "base/values.h" | 21 #include "base/values.h" |
19 #include "chrome/common/chrome_features.h" | 22 #include "chrome/common/chrome_features.h" |
23 #include "net/base/load_flags.h" | |
20 #include "net/cert/ct_serialization.h" | 24 #include "net/cert/ct_serialization.h" |
21 #include "net/traffic_annotation/network_traffic_annotation.h" | 25 #include "net/traffic_annotation/network_traffic_annotation.h" |
22 #include "net/url_request/report_sender.h" | 26 #include "net/url_request/report_sender.h" |
27 #include "net/url_request/url_request_context.h" | |
23 | 28 |
24 namespace { | 29 namespace { |
25 | 30 |
31 // Returns true if |request| contains any of the |expected_values| in a response | |
32 // header field named |header|. |expected_values| are expected to be lower-case | |
33 // and the check is case-insensitive. | |
34 bool FindHeaderValues(net::URLRequest* request, | |
meacer
2017/07/05 23:48:59
nit: Rename to RequestHasHeaderWithValue or simply
estark
2017/07/06 06:39:43
Done.
| |
35 const std::string& header, | |
36 const std::set<std::string>& expected_values) { | |
meacer
2017/07/05 23:48:59
nit: allowed_values instead of expected_values? ex
estark
2017/07/06 06:39:43
Done.
| |
37 std::string response_headers; | |
38 request->GetResponseHeaderByName(header, &response_headers); | |
39 std::vector<std::string> response_values = base::SplitString( | |
meacer
2017/07/05 23:48:59
nit: const
estark
2017/07/06 06:39:43
Done.
| |
40 response_headers, ",", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY); | |
41 for (const auto& value : response_values) { | |
42 for (const auto& expected : expected_values) { | |
43 if (base::ToLowerASCII(expected) == base::ToLowerASCII(value)) { | |
44 return true; | |
45 } | |
46 } | |
47 } | |
48 return false; | |
49 } | |
50 | |
26 std::string TimeToISO8601(const base::Time& t) { | 51 std::string TimeToISO8601(const base::Time& t) { |
27 base::Time::Exploded exploded; | 52 base::Time::Exploded exploded; |
28 t.UTCExplode(&exploded); | 53 t.UTCExplode(&exploded); |
29 return base::StringPrintf( | 54 return base::StringPrintf( |
30 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, | 55 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, |
31 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, | 56 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, |
32 exploded.millisecond); | 57 exploded.millisecond); |
33 } | 58 } |
34 | 59 |
35 std::unique_ptr<base::ListValue> GetPEMEncodedChainAsList( | 60 std::unique_ptr<base::ListValue> GetPEMEncodedChainAsList( |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
122 policy_exception_justification: | 147 policy_exception_justification: |
123 "Not implemented, this is a feature that websites can opt into and " | 148 "Not implemented, this is a feature that websites can opt into and " |
124 "thus there is no Chrome-wide policy to disable it." | 149 "thus there is no Chrome-wide policy to disable it." |
125 })"); | 150 })"); |
126 | 151 |
127 } // namespace | 152 } // namespace |
128 | 153 |
129 ChromeExpectCTReporter::ChromeExpectCTReporter( | 154 ChromeExpectCTReporter::ChromeExpectCTReporter( |
130 net::URLRequestContext* request_context) | 155 net::URLRequestContext* request_context) |
131 : report_sender_( | 156 : report_sender_( |
132 new net::ReportSender(request_context, kTrafficAnnotation)) {} | 157 new net::ReportSender(request_context, kTrafficAnnotation)), |
158 request_context_(request_context) {} | |
133 | 159 |
134 ChromeExpectCTReporter::~ChromeExpectCTReporter() {} | 160 ChromeExpectCTReporter::~ChromeExpectCTReporter() {} |
135 | 161 |
136 void ChromeExpectCTReporter::OnExpectCTFailed( | 162 void ChromeExpectCTReporter::OnExpectCTFailed( |
137 const net::HostPortPair& host_port_pair, | 163 const net::HostPortPair& host_port_pair, |
138 const GURL& report_uri, | 164 const GURL& report_uri, |
139 base::Time expiration, | 165 base::Time expiration, |
140 const net::X509Certificate* validated_certificate_chain, | 166 const net::X509Certificate* validated_certificate_chain, |
141 const net::X509Certificate* served_certificate_chain, | 167 const net::X509Certificate* served_certificate_chain, |
142 const net::SignedCertificateTimestampAndStatusList& | 168 const net::SignedCertificateTimestampAndStatusList& |
(...skipping 23 matching lines...) Expand all Loading... | |
166 report->Set("scts", std::move(scts)); | 192 report->Set("scts", std::move(scts)); |
167 | 193 |
168 std::string serialized_report; | 194 std::string serialized_report; |
169 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { | 195 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { |
170 LOG(ERROR) << "Failed to serialize Expect CT report"; | 196 LOG(ERROR) << "Failed to serialize Expect CT report"; |
171 return; | 197 return; |
172 } | 198 } |
173 | 199 |
174 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); | 200 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); |
175 | 201 |
176 report_sender_->Send(report_uri, "application/json; charset=utf-8", | 202 SendPreflight(report_uri, serialized_report); |
177 serialized_report, base::Callback<void()>(), | 203 } |
204 | |
205 void ChromeExpectCTReporter::OnResponseStarted(net::URLRequest* request, | |
206 int net_error) { | |
207 auto preflight_it = inflight_preflights_.find(request); | |
208 DCHECK(inflight_preflights_.end() != inflight_preflights_.find(request)); | |
209 const InFlightPreflight& preflight = preflight_it->second; | |
210 | |
211 int response_code = request->GetResponseCode(); | |
meacer
2017/07/05 23:48:59
nit: const
estark
2017/07/06 06:39:43
Done.
| |
212 | |
213 // Check that the preflight succeeded: it must have an HTTP OK status code, | |
214 // with the following headers: | |
215 // - Access-Control-Allow-Origin: * or null | |
216 // - Access-Control-Allow-Methods: POST | |
217 // - Access-Control-Allow-Headers: Content-Type | |
218 | |
219 if (!request->status().is_success() || | |
220 (response_code < 200 || response_code > 299)) { | |
221 inflight_preflights_.erase(request); | |
222 RecordUMAOnFailure(preflight.report_uri, request->status().error(), | |
meacer
2017/07/05 23:48:58
There is a use after free here: preflight is a ref
estark
2017/07/06 06:39:43
Done. Moved the erase below and added comments.
| |
223 request->status().is_success() ? response_code : -1); | |
224 return; | |
225 } | |
226 | |
227 if (!FindHeaderValues(request, "Access-Control-Allow-Origin", | |
228 {"*", "null"}) || | |
229 !FindHeaderValues(request, "Access-Control-Allow-Methods", {"post"}) || | |
230 !FindHeaderValues(request, "Access-Control-Allow-Headers", | |
231 {"content-type"})) { | |
232 inflight_preflights_.erase(request); | |
233 RecordUMAOnFailure(preflight.report_uri, request->status().error(), | |
234 response_code); | |
235 return; | |
236 } | |
237 | |
238 report_sender_->Send(preflight.report_uri, | |
239 "application/expect-ct-report+json; charset=utf-8", | |
240 preflight.serialized_report, base::Callback<void()>(), | |
178 base::Bind(RecordUMAOnFailure)); | 241 base::Bind(RecordUMAOnFailure)); |
242 inflight_preflights_.erase(request); | |
179 } | 243 } |
244 | |
245 void ChromeExpectCTReporter::OnReadCompleted(net::URLRequest* request, | |
246 int bytes_read) { | |
247 NOTREACHED(); | |
248 } | |
249 | |
250 ChromeExpectCTReporter::InFlightPreflight::InFlightPreflight() {} | |
251 ChromeExpectCTReporter::InFlightPreflight::~InFlightPreflight() {} | |
252 | |
253 void ChromeExpectCTReporter::SendPreflight( | |
254 const GURL& report_uri, | |
255 const std::string& serialized_report) { | |
256 std::unique_ptr<net::URLRequest> url_request = | |
257 request_context_->CreateRequest(report_uri, net::DEFAULT_PRIORITY, this, | |
258 kTrafficAnnotation); | |
259 url_request->SetLoadFlags(net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE | | |
260 net::LOAD_DO_NOT_SEND_AUTH_DATA | | |
261 net::LOAD_DO_NOT_SEND_COOKIES | | |
262 net::LOAD_DO_NOT_SAVE_COOKIES); | |
263 url_request->set_method("OPTIONS"); | |
264 | |
265 net::HttpRequestHeaders extra_headers; | |
266 extra_headers.SetHeader("Origin", "null"); | |
267 extra_headers.SetHeader("Access-Control-Request-Method", "POST"); | |
268 extra_headers.SetHeader("Access-Control-Request-Headers", "content-type"); | |
269 url_request->SetExtraRequestHeaders(extra_headers); | |
270 | |
271 net::URLRequest* raw_request = url_request.get(); | |
272 inflight_preflights_[raw_request].request = std::move(url_request); | |
273 inflight_preflights_[raw_request].serialized_report = serialized_report; | |
274 inflight_preflights_[raw_request].report_uri = report_uri; | |
meacer
2017/07/05 23:48:59
optional nit: To save two extra map lookups you ca
estark
2017/07/06 06:39:43
Done. Changed to a unique_ptr in the map to avoid
| |
275 raw_request->Start(); | |
276 } | |
OLD | NEW |