Remove DenyCertForHost from SSLHostStateDelegate API.

chrome/browser/ssl/chrome_ssl_host_state_delegate.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ssl/chrome_ssl_host_state_delegate.h"
 
 #include "base/base64.h"
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/logging.h"
@@ skipping 244 matching lines @@
   }
   default_ssl_cert_decision_expiration_delta_ =
       base::TimeDelta::FromSeconds(expiration_delta);
 }
 
 ChromeSSLHostStateDelegate::~ChromeSSLHostStateDelegate() {
   if (should_remember_ssl_decisions_ == ForgetSSLExceptionDecisionsAtSessionEnd)
     Clear();
 }
 
-void ChromeSSLHostStateDelegate::DenyCert(const std::string& host,
-                                          net::X509Certificate* cert,
-                                          net::CertStatus error) {
-  ChangeCertPolicy(host, cert, error, net::CertPolicy::DENIED);
-}
-
 void ChromeSSLHostStateDelegate::AllowCert(const std::string& host,
                                            net::X509Certificate* cert,
                                            net::CertStatus error) {
-  ChangeCertPolicy(host, cert, error, net::CertPolicy::ALLOWED);
+  GURL url = GetSecureGURLForHost(host);
+  const ContentSettingsPattern pattern =
+      ContentSettingsPattern::FromURLNoWildcard(url);
+  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
+  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
+      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
+
+  if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
+    value.reset(new base::DictionaryValue());
+
+  base::DictionaryValue* dict;
+  bool success = value->GetAsDictionary(&dict);
+  DCHECK(success);
+
+  bool expired_previous_decision;  // unused value in this function
+  base::DictionaryValue* cert_dict = GetValidCertDecisionsDict(
+      dict, CreateDictionaryEntries, &expired_previous_decision);
+  // If a a valid certificate dictionary cannot be extracted from the content
+  // setting, that means it's in an unknown format. Unfortunately, there's
+  // nothing to be done in that case, so a silent fail is the only option.
+  if (!cert_dict)
+    return;
+
+  dict->SetIntegerWithoutPathExpansion(kSSLCertDecisionVersionKey,
+                                       kDefaultSSLCertDecisionVersion);
+  cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error),
+                                            net::CertPolicy::ALLOWED);
+
+  // The map takes ownership of the value, so it is released in the call to
+  // SetWebsiteSetting.
+  map->SetWebsiteSetting(pattern,
+                         pattern,
+                         CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
+                         std::string(),
+                         value.release());
 }
 
 void ChromeSSLHostStateDelegate::Clear() {
   profile_->GetHostContentSettingsMap()->ClearSettingsForOneType(
       CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS);
 }
 
 net::CertPolicy::Judgment ChromeSSLHostStateDelegate::QueryPolicy(
     const std::string& host,
     net::X509Certificate* cert,
@@ skipping 22 matching lines @@
     // This revoke is necessary to clear any old expired setting that may
     // lingering in the case that an old decision expried.
     RevokeUserDecisions(host);
     return net::CertPolicy::UNKNOWN;
   }
 
   success = cert_error_dict->GetIntegerWithoutPathExpansion(GetKey(cert, error),
                                                             &policy_decision);
 
   // If a policy decision was successfully retrieved and it's a valid value of
-  // ALLOWED or DENIED, return the valid value. Otherwise, return UNKNOWN.
+  // ALLOWED or DENIED, return the valid value. Otherwise, return UNKNOWN. Since
+  // the UI does not provide a way to deny certs and any DENIED value must have
+  // come from an external source, such as manually modifying the prefs file,
+  // Chrome we treats DENIED values as UNKNOWN.

[Peter Kasting, 2014/08/22 00:57:52]

Can we get rid of the concept of a DENIED value?

[jww, 2014/08/22 03:49:35]

I don't think so; they're used by net/. We could make a new enum just for
SSLHostStateDelegate purposes, but that adds an extra layer of translations to
net::CertPolicy::Judgements that we'd have to add.

I did modify this comment slightly to make it clearer that it will only be
ALLOWED or UNKNOWN.

   if (success && policy_decision == net::CertPolicy::Judgment::ALLOWED)
     return net::CertPolicy::Judgment::ALLOWED;
-  else if (success && policy_decision == net::CertPolicy::Judgment::DENIED)
-    return net::CertPolicy::Judgment::DENIED;
 
   return net::CertPolicy::Judgment::UNKNOWN;
 }
 
 void ChromeSSLHostStateDelegate::RevokeUserDecisions(const std::string& host) {
   GURL url = GetSecureGURLForHost(host);
   const ContentSettingsPattern pattern =
       ContentSettingsPattern::FromURLNoWildcard(url);
   HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
 
@@ skipping 21 matching lines @@
 // idle sockets.
 void ChromeSSLHostStateDelegate::RevokeUserDecisionsHard(
     const std::string& host) {
   RevokeUserDecisions(host);
   scoped_refptr<net::URLRequestContextGetter> getter(
       profile_->GetRequestContext());
   profile_->GetRequestContext()->GetNetworkTaskRunner()->PostTask(
       FROM_HERE, base::Bind(&CloseIdleConnections, getter));
 }
 
-bool ChromeSSLHostStateDelegate::HasUserDecision(const std::string& host) {
+bool ChromeSSLHostStateDelegate::HasAllowed(const std::string& host) {
   GURL url = GetSecureGURLForHost(host);
   const ContentSettingsPattern pattern =
       ContentSettingsPattern::FromURLNoWildcard(url);
   HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
 
   scoped_ptr<base::Value> value(map->GetWebsiteSetting(
       url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
 
   if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
     return false;
 
   base::DictionaryValue* dict;  // Owned by value
   bool success = value->GetAsDictionary(&dict);
   DCHECK(success);
 
   for (base::DictionaryValue::Iterator it(*dict); !it.IsAtEnd(); it.Advance()) {
     int policy_decision;  // Owned by dict
     success = it.value().GetAsInteger(&policy_decision);
-    if (success && (static_cast<net::CertPolicy::Judgment>(policy_decision) !=
-                    net::CertPolicy::UNKNOWN))
+    if (success && (static_cast<net::CertPolicy::Judgment>(policy_decision) ==
+                    net::CertPolicy::ALLOWED))
       return true;
   }
 
   return false;
 }
 
 void ChromeSSLHostStateDelegate::HostRanInsecureContent(const std::string& host,
                                                         int pid) {
   ran_insecure_content_hosts_.insert(BrokenHostEntry(host, pid));
 }
 
 bool ChromeSSLHostStateDelegate::DidHostRunInsecureContent(
     const std::string& host,
     int pid) const {
   return !!ran_insecure_content_hosts_.count(BrokenHostEntry(host, pid));
 }
 void ChromeSSLHostStateDelegate::SetClock(scoped_ptr<base::Clock> clock) {
   clock_.reset(clock.release());
 }
-
-void ChromeSSLHostStateDelegate::ChangeCertPolicy(
-    const std::string& host,
-    net::X509Certificate* cert,
-    net::CertStatus error,
-    net::CertPolicy::Judgment judgment) {
-  GURL url = GetSecureGURLForHost(host);
-  const ContentSettingsPattern pattern =
-      ContentSettingsPattern::FromURLNoWildcard(url);
-  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
-  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
-      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
-
-  if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
-    value.reset(new base::DictionaryValue());
-
-  base::DictionaryValue* dict;
-  bool success = value->GetAsDictionary(&dict);
-  DCHECK(success);
-
-  bool expired_previous_decision;  // unused value in this function
-  base::DictionaryValue* cert_dict = GetValidCertDecisionsDict(
-      dict, CreateDictionaryEntries, &expired_previous_decision);
-  // If a a valid certificate dictionary cannot be extracted from the content
-  // setting, that means it's in an unknown format. Unfortunately, there's
-  // nothing to be done in that case, so a silent fail is the only option.
-  if (!cert_dict)
-    return;
-
-  dict->SetIntegerWithoutPathExpansion(kSSLCertDecisionVersionKey,
-                                       kDefaultSSLCertDecisionVersion);
-  cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error), judgment);
-
-  // The map takes ownership of the value, so it is released in the call to
-  // SetWebsiteSetting.
-  map->SetWebsiteSetting(pattern,
-                         pattern,
-                         CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
-                         std::string(),
-                         value.release());
-}