Move app_installer into chromium.

app_installer/win/app_installer_main.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <windows.h>
+#include <initguid.h>
+#include <urlmon.h>
+#pragma comment(lib, "urlmon.lib")
+
+#include "base/at_exit.h"
+#include "base/base_paths.h"
+#include "base/basictypes.h"
+#include "base/command_line.h"
+#include "base/file_util.h"
+#include "base/logging.h"
+#include "base/logging_win.h"
+#include "base/memory/scoped_ptr.h"
+#include "base/path_service.h"
+#include "base/process/launch.h"
+#include "base/strings/string16.h"
+#include "base/strings/string_split.h"
+#include "base/strings/string_util.h"
+#include "chrome/common/chrome_switches.h"
+#include "chrome/installer/launcher_support/chrome_launcher_support.h"
+#include "chrome/installer/util/google_update_util.h"
+#include "chrome/installer/util/html_dialog.h"
+#include "chrome/installer/util/util_constants.h"
+#include "third_party/omaha/src/omaha/base/extractor.h"
+
+namespace app_installer {
+
+enum ExitCode {
+  SUCCESS = 0,
+  COULD_NOT_GET_FILE_PATH,
+  COULD_NOT_READ_TAG,
+  INVALID_APP_ID,
+  EULA_CANCELLED,
+  COULD_NOT_FIND_CHROME,
+  COULD_NOT_GET_TMP_FILE_PATH,
+  FAILED_TO_DOWNLOAD_CHROME_SETUP,
+  FAILED_TO_LAUNCH_CHROME_SETUP,
+};
+
+namespace {
+
+// Log provider UUID. Required for logging to Sawbuck.
+// {d82c3b59-bacd-4625-8282-4d570c4dad12}
+DEFINE_GUID(kAppInstallerLogProvider,
+    0xd82c3b59,
+    0xbacd,
+    0x4625,
+    0x82, 0x82, 0x4d, 0x57, 0x0c, 0x4d, 0xad, 0x12);
+
+const char kEnvVariableUntrustedData[] = "GoogleUpdateUntrustedData";
+const int kUntrustedDataMaxLength = 4096;
+
+const char kInstallChromeApp[] = "install-chrome-app";
+
+const wchar_t kDownloadAndEulaPage[] =
+    L"https://tools.google.com/dlpage/chromeappinstaller";
+
+const wchar_t kSxSDownloadAndEulaPage[] =
+    L"https://tools.google.com/dlpage/chromeappinstaller?sxs=true";
+
+const wchar_t kDialogDimensions[] = L"dialogWidth:750px;dialogHeight:500px";
+
+// This uses HTMLDialog to show a Chrome download page as a modal dialog.
+// The page includes the EULA and returns a download URL.
+class DownloadAndEulaHTMLDialog {
+ public:
+  explicit DownloadAndEulaHTMLDialog(bool is_canary) {
+    dialog_.reset(installer::CreateNativeHTMLDialog(
+        is_canary ? kSxSDownloadAndEulaPage : kDownloadAndEulaPage,
+        base::string16()));
+  }
+  ~DownloadAndEulaHTMLDialog() {}
+
+  // Shows the dialog and blocks for user input. Returns the string passed back
+  // by the web page via |window.returnValue|.
+  base::string16 ShowModal() {
+    Customizer customizer;
+    dialog_->ShowModal(NULL, &customizer);
+    return dialog_->GetExtraResult();
+  }
+
+ private:
+  class Customizer : public installer::HTMLDialog::CustomizationCallback {
+   public:
+    virtual void OnBeforeCreation(wchar_t** extra) OVERRIDE {
+      *extra = const_cast<wchar_t*>(kDialogDimensions);
+    }
+
+    virtual void OnBeforeDisplay(void* window) OVERRIDE {
+      // Customize the window by removing the close button and replacing the
+      // existing 'e' icon with the standard informational icon.
+      if (!window)
+        return;
+      HWND top_window = static_cast<HWND>(window);
+      LONG_PTR style = GetWindowLongPtrW(top_window, GWL_STYLE);
+      SetWindowLongPtrW(top_window, GWL_STYLE, style & ~WS_SYSMENU);
+      HICON ico = LoadIcon(NULL, IDI_INFORMATION);
+      SendMessageW(top_window, WM_SETICON, ICON_SMALL,
+                   reinterpret_cast<LPARAM>(ico));
+    }
+  };
+
+  scoped_ptr<installer::HTMLDialog> dialog_;
+  DISALLOW_COPY_AND_ASSIGN(DownloadAndEulaHTMLDialog);
+};
+
+// Gets the tag appended to a file. This uses the same format as Omaha.
+// Returns the empty string on failure.
+std::string GetTag(const base::FilePath& file_name_path) {
+  base::string16 file_name = file_name_path.value();
+  omaha::TagExtractor extractor;
+  if (!extractor.OpenFile(file_name.c_str()))
+    return std::string();
+
+  int tag_buffer_size = 0;
+  if (!extractor.ExtractTag(NULL, &tag_buffer_size) || tag_buffer_size <= 1)
+    return std::string();
+
+  scoped_ptr<char[]> tag_buffer(new char[tag_buffer_size]);
+  extractor.ExtractTag(tag_buffer.get(), &tag_buffer_size);
+  return std::string(tag_buffer.get(), tag_buffer_size - 1);
+}
+
+bool IsNotPrintable(unsigned char c) {
+  return c < 32 || c >= 127;

[palmer, 2014/10/13 23:47:53]

Nit: It feels better to stick to the standard ctype.h functions here and in
|IsIllegalUntrustedDataKeyChar|, and to reverse the names and logic of
|IsNotPrintable| and |IsIllegalUntrustedDataKeyChar|. That way the code reads as
"asserting goodness" rather than "checking for badness".

So, just:

  bool IsStringPrintable(const std::string& s) {
    return std::find_if_not(s.begin(), s.end(), isprint) == s.end();
  }

and

  bool IsLegalDataKeyChar(int c) {
    return isalnum(c) || c == '-' || c == '_' || c == '$';
  }

  bool IsDataKeyValid(const std::string& key) {
    return std::find_if_not(key.begin(), key.end(), IsLegalDataeyChar) ==
key.end();
  }

[jackhou1, 2014/10/14 01:13:55]

Oo, nice. Done.

+}
+
+// Returns whether or not |s| consists of printable characters.
+bool IsStringPrintable(const std::string& s) {
+  return std::find_if(s.begin(), s.end(), IsNotPrintable) == s.end();
+}
+
+bool IsIllegalUntrustedDataKeyChar(unsigned char c) {
+  return !(c >= 'A' && c <= 'Z' || c >= 'a' && c <= 'z' ||
+           c >= '0' && c <= '9' || c == '-' || c == '_' || c == '$');
+}
+
+// Returns true if |key| from untrusted data is valid.
+bool IsUntrustedDataKeyValid(const std::string& key) {
+  return std::find_if(key.begin(), key.end(), IsIllegalUntrustedDataKeyChar)
+      == key.end();
+}
+
+// Parses |data_string| as key-value pairs and overwrites |untrusted_data| with

[palmer, 2014/10/13 23:47:53]

Document the format this function expects the key-value pairs to be in.

[jackhou1, 2014/10/14 01:13:55]

Done.

+// the result. Returns true if the data could be parsed.
+bool ParseUntrustedData(
+    const std::string& data_string,
+    std::map<std::string, std::string>* untrusted_data) {

[palmer, 2014/10/13 23:47:53]

I'm confused about the terminology here. To security engineers, "trusted" means
"can violate our security guarantee/expectations"; "trustworthy" means "we have
some reason to believe it will not violate our security expectations", and
"untrusted" means "it can't hurt us; a check for trustworthiness might be nice
to have but is not strictly necessary".

The out-param |untrusted_data| should be called something like |parsed_pairs|,
and this function should (if necessary) assert a trustworthiness guarantee: If
the function returns true, the pairs are trustworthy (in whatever way matters to
the caller).

[jackhou1, 2014/10/14 01:13:55]

This code, along with IsUntrustedDataKeyValid above, was copied from some code
that used to be in Chrome. It refers to a string passed in by Omaha called
"untrusted_data". Hence the naming throughout the code.

It's untrusted because it's passed in as a url parameter to dl.google.com, which
adds the tag to the binary. We use this to pass the app-id, which is checked by
IsValidAppId. Should I change it to not say "untrusted"?

This function just checks that the values are printable strings. Is there
anything else that could be checked?

+  DCHECK(untrusted_data);
+  if (data_string.length() > kUntrustedDataMaxLength ||

[palmer, 2014/10/13 23:47:54]

Similarly, just |kMaxDataLength| or |kMaxValidDataLength|.

[jackhou1, 2014/10/14 01:13:55]

Done.

+      !IsStringPrintable(data_string)) {
+    LOG(ERROR) << "Invalid value in untrusted data string.";

[palmer, 2014/10/13 23:47:54]

Might be nice to log each failure separately, and to be more specific.

  if (data_string.length() > kMaxValidDataLength) {
    LOG(ERROR) << "Data string length exceeds maximum (" << kMaxDataLength <<
")";
    return false;
  }
  if (!IsStringPrintable(data_string)) {
    LOG(ERROR) << "Data string contains non-printable characters";
    return false;
  }

That having been said, below you call validation functions after on the keys and
values, so maybe you can save time by just checking there, and skipping the
!IsStringPrintable(data_string) call?

[jackhou1, 2014/10/14 01:13:55]

Done.

+    return false;
+  }
+
+  DVLOG(1) << "Untrusted data string: " << data_string;
+
+  std::vector<std::pair<std::string, std::string> > kv_pairs;
+  if (!base::SplitStringIntoKeyValuePairs(data_string, '=', '&', &kv_pairs)) {
+    LOG(ERROR) << "Failed to parse untrusted data: " << data_string;
+    return false;
+  }
+
+  untrusted_data->clear();
+  std::vector<std::pair<std::string, std::string> >::const_iterator it;
+  for (it = kv_pairs.begin(); it != kv_pairs.end(); ++it) {
+    const std::string& key(it->first);
+    const std::string& value(it->second);
+    if (IsUntrustedDataKeyValid(key) && IsStringPrintable(value))
+      (*untrusted_data)[key] = value;
+    else
+      LOG(ERROR) << "Illegal character found in untrusted data.";

[palmer, 2014/10/13 23:47:53]

Should return false here?

[jackhou1, 2014/10/14 01:13:55]

Done.

+  }
+  return true;
+}
+
+// Returns the value corresponding to |key| in untrusted data passed from
+// |tag|.  |tag| should be a printable list of key-value pairs, e.g.
+// "key1=value1&key2=value2".  Returns an empty string if |key| is absent or if
+// its value contains non-printable characters.
+std::string GetUntrustedDataValueFromTag(const std::string& tag,
+                                         const std::string& key) {
+  std::map<std::string, std::string> untrusted_data;
+  if (ParseUntrustedData(tag, &untrusted_data))
+    return untrusted_data[key];
+
+  return std::string();
+}
+
+bool IsValidAppId(const std::string& app_id) {
+  if (app_id.size() != 32)
+    return false;
+
+  for (size_t i = 0; i < app_id.size(); ++i) {
+    char c = base::ToLowerASCII(app_id[i]);
+    if (c < 'a' || c > 'p')
+      return false;
+  }
+
+  return true;
+}
+
+base::FilePath GetChromeExePath(bool is_canary) {
+  return is_canary ?
+      chrome_launcher_support::GetAnyChromeSxSPath() :
+      chrome_launcher_support::GetAnyChromePath();
+}
+
+ExitCode GetChrome(bool is_canary) {
+  // Show UI to install Chrome. The UI returns a download URL.
+  base::string16 download_url =
+      DownloadAndEulaHTMLDialog(is_canary).ShowModal();
+  if (download_url.empty())
+    return EULA_CANCELLED;
+
+  DVLOG(1) << "Chrome download url: " << download_url;
+
+  // Get a temporary file path.
+  base::FilePath setup_file;
+  if (!base::CreateTemporaryFile(&setup_file))
+    return COULD_NOT_GET_TMP_FILE_PATH;
+
+  // Download the Chrome installer.
+  HRESULT hr = URLDownloadToFile(
+      NULL, download_url.c_str(), setup_file.value().c_str(), 0, NULL);
+  if (FAILED(hr)) {
+    LOG(ERROR) << "Download failed: Error " << std::hex << hr << ". "
+               << setup_file.value();
+    return FAILED_TO_DOWNLOAD_CHROME_SETUP;
+  }
+
+  // Install Chrome. Wait for the installer to finish before returning.
+  base::LaunchOptions options;
+  options.wait = true;
+  if (!base::LaunchProcess(CommandLine(setup_file), options, NULL)) {
+    base::DeleteFile(setup_file, false);
+    return FAILED_TO_LAUNCH_CHROME_SETUP;
+  }
+
+  base::DeleteFile(setup_file, false);
+  return SUCCESS;
+}
+
+}  // namespace
+
+extern "C"
+int WINAPI wWinMain(HINSTANCE instance, HINSTANCE prev_instance,
+                    wchar_t* command_line, int show_command) {
+  base::AtExitManager exit_manager;
+  CommandLine::Init(0, NULL);
+  logging::LogEventProvider::Initialize(kAppInstallerLogProvider);
+  logging::LoggingSettings settings;
+  settings.logging_dest = logging::LOG_TO_SYSTEM_DEBUG_LOG;
+  logging::InitLogging(settings);
+
+  std::string app_id = CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+      switches::kAppId);
+  const char* sxs = installer::switches::kChromeSxS;
+  // --chrome-sxs on the command line takes precedence over chrome-sxs in the
+  // tag.
+  bool is_canary = CommandLine::ForCurrentProcess()->HasSwitch(sxs);
+
+  // --app-id on the command line inhibits tag parsing altogether.
+  if (app_id.empty()) {
+    base::FilePath current_exe;
+    if (!PathService::Get(base::FILE_EXE, &current_exe))
+      return COULD_NOT_GET_FILE_PATH;
+
+    std::string tag = GetTag(current_exe);
+    if (tag.empty())
+      return COULD_NOT_READ_TAG;
+
+    app_id = GetUntrustedDataValueFromTag(tag, switches::kAppId);

[palmer, 2014/10/13 23:47:54]

Since you call |GetUntrustedDataValueFromTag| twice, you are parsing |tag|
twice. Would be better to just parse it once, and cache the resulting map.

[jackhou1, 2014/10/14 01:13:55]

Done.

+
+    if (!is_canary)
+      is_canary = GetUntrustedDataValueFromTag(tag, sxs) == "1";
+  }
+
+  if (!IsValidAppId(app_id))
+    return INVALID_APP_ID;
+
+  base::FilePath chrome_path = GetChromeExePath(is_canary);
+  // If none found, show EULA, download, and install Chrome.
+  if (chrome_path.empty()) {
+    ExitCode get_chrome_result = GetChrome(is_canary);
+    if (get_chrome_result != SUCCESS)
+      return get_chrome_result;
+
+    chrome_path = GetChromeExePath(is_canary);
+    if (chrome_path.empty())
+      return COULD_NOT_FIND_CHROME;
+  }
+
+  CommandLine cmd(chrome_path);
+  cmd.AppendSwitchASCII(kInstallChromeApp, app_id);
+  DVLOG(1) << "Install command: " << cmd.GetCommandLineString();
+  bool launched = base::LaunchProcess(cmd, base::LaunchOptions(), NULL);
+  DVLOG(1) << "Launch " << (launched ? "success." : "failed.");
+
+  return SUCCESS;
+}
+
+}  // namespace app_installer