OLD | NEW |
1 // Copyright 2016 The Chromium Authors. All rights reserved. | 1 // Copyright 2016 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" | 5 #include "chrome/browser/ssl/chrome_expect_ct_reporter.h" |
6 | 6 |
| 7 #include <set> |
7 #include <string> | 8 #include <string> |
8 | 9 |
9 #include "base/base64.h" | 10 #include "base/base64.h" |
10 #include "base/command_line.h" | 11 #include "base/command_line.h" |
11 #include "base/feature_list.h" | 12 #include "base/feature_list.h" |
12 #include "base/json/json_writer.h" | 13 #include "base/json/json_writer.h" |
13 #include "base/memory/ptr_util.h" | 14 #include "base/memory/ptr_util.h" |
14 #include "base/metrics/histogram_macros.h" | 15 #include "base/metrics/histogram_macros.h" |
15 #include "base/metrics/sparse_histogram.h" | 16 #include "base/metrics/sparse_histogram.h" |
16 #include "base/strings/string_number_conversions.h" | 17 #include "base/strings/string_number_conversions.h" |
| 18 #include "base/strings/string_split.h" |
| 19 #include "base/strings/string_util.h" |
17 #include "base/strings/stringprintf.h" | 20 #include "base/strings/stringprintf.h" |
18 #include "base/values.h" | 21 #include "base/values.h" |
19 #include "chrome/common/chrome_features.h" | 22 #include "chrome/common/chrome_features.h" |
| 23 #include "net/base/load_flags.h" |
20 #include "net/cert/ct_serialization.h" | 24 #include "net/cert/ct_serialization.h" |
21 #include "net/traffic_annotation/network_traffic_annotation.h" | 25 #include "net/traffic_annotation/network_traffic_annotation.h" |
22 #include "net/url_request/report_sender.h" | 26 #include "net/url_request/report_sender.h" |
| 27 #include "net/url_request/url_request_context.h" |
23 | 28 |
24 namespace { | 29 namespace { |
25 | 30 |
| 31 // Returns true if |request| contains any of the |allowed_values| in a response |
| 32 // header field named |header|. |allowed_values| are expected to be lower-case |
| 33 // and the check is case-insensitive. |
| 34 bool HasHeaderValues(net::URLRequest* request, |
| 35 const std::string& header, |
| 36 const std::set<std::string>& allowed_values) { |
| 37 std::string response_headers; |
| 38 request->GetResponseHeaderByName(header, &response_headers); |
| 39 const std::vector<std::string> response_values = base::SplitString( |
| 40 response_headers, ",", base::KEEP_WHITESPACE, base::SPLIT_WANT_NONEMPTY); |
| 41 for (const auto& value : response_values) { |
| 42 for (const auto& allowed : allowed_values) { |
| 43 if (base::ToLowerASCII(allowed) == base::ToLowerASCII(value)) { |
| 44 return true; |
| 45 } |
| 46 } |
| 47 } |
| 48 return false; |
| 49 } |
| 50 |
26 std::string TimeToISO8601(const base::Time& t) { | 51 std::string TimeToISO8601(const base::Time& t) { |
27 base::Time::Exploded exploded; | 52 base::Time::Exploded exploded; |
28 t.UTCExplode(&exploded); | 53 t.UTCExplode(&exploded); |
29 return base::StringPrintf( | 54 return base::StringPrintf( |
30 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, | 55 "%04d-%02d-%02dT%02d:%02d:%02d.%03dZ", exploded.year, exploded.month, |
31 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, | 56 exploded.day_of_month, exploded.hour, exploded.minute, exploded.second, |
32 exploded.millisecond); | 57 exploded.millisecond); |
33 } | 58 } |
34 | 59 |
35 std::unique_ptr<base::ListValue> GetPEMEncodedChainAsList( | 60 std::unique_ptr<base::ListValue> GetPEMEncodedChainAsList( |
(...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
122 policy_exception_justification: | 147 policy_exception_justification: |
123 "Not implemented, this is a feature that websites can opt into and " | 148 "Not implemented, this is a feature that websites can opt into and " |
124 "thus there is no Chrome-wide policy to disable it." | 149 "thus there is no Chrome-wide policy to disable it." |
125 })"); | 150 })"); |
126 | 151 |
127 } // namespace | 152 } // namespace |
128 | 153 |
129 ChromeExpectCTReporter::ChromeExpectCTReporter( | 154 ChromeExpectCTReporter::ChromeExpectCTReporter( |
130 net::URLRequestContext* request_context) | 155 net::URLRequestContext* request_context) |
131 : report_sender_( | 156 : report_sender_( |
132 new net::ReportSender(request_context, kTrafficAnnotation)) {} | 157 new net::ReportSender(request_context, kTrafficAnnotation)), |
| 158 request_context_(request_context) {} |
133 | 159 |
134 ChromeExpectCTReporter::~ChromeExpectCTReporter() {} | 160 ChromeExpectCTReporter::~ChromeExpectCTReporter() {} |
135 | 161 |
136 void ChromeExpectCTReporter::OnExpectCTFailed( | 162 void ChromeExpectCTReporter::OnExpectCTFailed( |
137 const net::HostPortPair& host_port_pair, | 163 const net::HostPortPair& host_port_pair, |
138 const GURL& report_uri, | 164 const GURL& report_uri, |
139 base::Time expiration, | 165 base::Time expiration, |
140 const net::X509Certificate* validated_certificate_chain, | 166 const net::X509Certificate* validated_certificate_chain, |
141 const net::X509Certificate* served_certificate_chain, | 167 const net::X509Certificate* served_certificate_chain, |
142 const net::SignedCertificateTimestampAndStatusList& | 168 const net::SignedCertificateTimestampAndStatusList& |
(...skipping 23 matching lines...) Expand all Loading... |
166 report->Set("scts", std::move(scts)); | 192 report->Set("scts", std::move(scts)); |
167 | 193 |
168 std::string serialized_report; | 194 std::string serialized_report; |
169 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { | 195 if (!base::JSONWriter::Write(outer_report, &serialized_report)) { |
170 LOG(ERROR) << "Failed to serialize Expect CT report"; | 196 LOG(ERROR) << "Failed to serialize Expect CT report"; |
171 return; | 197 return; |
172 } | 198 } |
173 | 199 |
174 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); | 200 UMA_HISTOGRAM_BOOLEAN("SSL.ExpectCTReportSendingAttempt", true); |
175 | 201 |
176 report_sender_->Send(report_uri, "application/json; charset=utf-8", | 202 SendPreflight(report_uri, serialized_report); |
177 serialized_report, base::Callback<void()>(), | 203 } |
| 204 |
| 205 void ChromeExpectCTReporter::OnResponseStarted(net::URLRequest* request, |
| 206 int net_error) { |
| 207 auto preflight_it = inflight_preflights_.find(request); |
| 208 DCHECK(inflight_preflights_.end() != inflight_preflights_.find(request)); |
| 209 PreflightInProgress* preflight = preflight_it->second.get(); |
| 210 |
| 211 const int response_code = request->GetResponseCode(); |
| 212 |
| 213 // Check that the preflight succeeded: it must have an HTTP OK status code, |
| 214 // with the following headers: |
| 215 // - Access-Control-Allow-Origin: * or null |
| 216 // - Access-Control-Allow-Methods: POST |
| 217 // - Access-Control-Allow-Headers: Content-Type |
| 218 |
| 219 if (!request->status().is_success() || response_code < 200 || |
| 220 response_code > 299) { |
| 221 RecordUMAOnFailure(preflight->report_uri, request->status().error(), |
| 222 request->status().is_success() ? response_code : -1); |
| 223 inflight_preflights_.erase(request); |
| 224 // Do not use |preflight| after this point, since it has been erased above. |
| 225 return; |
| 226 } |
| 227 |
| 228 if (!HasHeaderValues(request, "Access-Control-Allow-Origin", {"*", "null"}) || |
| 229 !HasHeaderValues(request, "Access-Control-Allow-Methods", {"post"}) || |
| 230 !HasHeaderValues(request, "Access-Control-Allow-Headers", |
| 231 {"content-type"})) { |
| 232 RecordUMAOnFailure(preflight->report_uri, request->status().error(), |
| 233 response_code); |
| 234 inflight_preflights_.erase(request); |
| 235 // Do not use |preflight| after this point, since it has been erased above. |
| 236 return; |
| 237 } |
| 238 |
| 239 report_sender_->Send(preflight->report_uri, |
| 240 "application/expect-ct-report+json; charset=utf-8", |
| 241 preflight->serialized_report, base::Callback<void()>(), |
178 base::Bind(RecordUMAOnFailure)); | 242 base::Bind(RecordUMAOnFailure)); |
| 243 inflight_preflights_.erase(request); |
179 } | 244 } |
| 245 |
| 246 void ChromeExpectCTReporter::OnReadCompleted(net::URLRequest* request, |
| 247 int bytes_read) { |
| 248 NOTREACHED(); |
| 249 } |
| 250 |
| 251 ChromeExpectCTReporter::PreflightInProgress::PreflightInProgress( |
| 252 std::unique_ptr<net::URLRequest> request, |
| 253 const std::string& serialized_report, |
| 254 const GURL& report_uri) |
| 255 : request(std::move(request)), |
| 256 serialized_report(serialized_report), |
| 257 report_uri(report_uri) {} |
| 258 |
| 259 ChromeExpectCTReporter::PreflightInProgress::~PreflightInProgress() {} |
| 260 |
| 261 void ChromeExpectCTReporter::SendPreflight( |
| 262 const GURL& report_uri, |
| 263 const std::string& serialized_report) { |
| 264 std::unique_ptr<net::URLRequest> url_request = |
| 265 request_context_->CreateRequest(report_uri, net::DEFAULT_PRIORITY, this, |
| 266 kTrafficAnnotation); |
| 267 url_request->SetLoadFlags(net::LOAD_BYPASS_CACHE | net::LOAD_DISABLE_CACHE | |
| 268 net::LOAD_DO_NOT_SEND_AUTH_DATA | |
| 269 net::LOAD_DO_NOT_SEND_COOKIES | |
| 270 net::LOAD_DO_NOT_SAVE_COOKIES); |
| 271 url_request->set_method("OPTIONS"); |
| 272 |
| 273 net::HttpRequestHeaders extra_headers; |
| 274 extra_headers.SetHeader("Origin", "null"); |
| 275 extra_headers.SetHeader("Access-Control-Request-Method", "POST"); |
| 276 extra_headers.SetHeader("Access-Control-Request-Headers", "content-type"); |
| 277 url_request->SetExtraRequestHeaders(extra_headers); |
| 278 |
| 279 net::URLRequest* raw_request = url_request.get(); |
| 280 inflight_preflights_[raw_request] = base::MakeUnique<PreflightInProgress>( |
| 281 std::move(url_request), serialized_report, report_uri); |
| 282 raw_request->Start(); |
| 283 } |
OLD | NEW |