Remove DenyCertForHost from SSLHostStateDelegate API.

chrome/browser/ssl/chrome_ssl_host_state_delegate.cc

Index: chrome/browser/ssl/chrome_ssl_host_state_delegate.cc
diff --git a/chrome/browser/ssl/chrome_ssl_host_state_delegate.cc b/chrome/browser/ssl/chrome_ssl_host_state_delegate.cc
index c306b22f0a9295b7f8e582a8e977fa859be4bc42..86370de7fbc65e00c831345be32e8110333907e6 100644
--- a/chrome/browser/ssl/chrome_ssl_host_state_delegate.cc
+++ b/chrome/browser/ssl/chrome_ssl_host_state_delegate.cc
@@ -262,16 +262,44 @@ ChromeSSLHostStateDelegate::~ChromeSSLHostStateDelegate() {
     Clear();
 }
 
-void ChromeSSLHostStateDelegate::DenyCert(const std::string& host,
-                                          net::X509Certificate* cert,
-                                          net::CertStatus error) {
-  ChangeCertPolicy(host, cert, error, net::CertPolicy::DENIED);
-}
-
 void ChromeSSLHostStateDelegate::AllowCert(const std::string& host,
                                            net::X509Certificate* cert,
                                            net::CertStatus error) {
-  ChangeCertPolicy(host, cert, error, net::CertPolicy::ALLOWED);
+  GURL url = GetSecureGURLForHost(host);
+  const ContentSettingsPattern pattern =
+      ContentSettingsPattern::FromURLNoWildcard(url);
+  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
+  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
+      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
+
+  if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
+    value.reset(new base::DictionaryValue());
+
+  base::DictionaryValue* dict;
+  bool success = value->GetAsDictionary(&dict);
+  DCHECK(success);
+
+  bool expired_previous_decision;  // unused value in this function
+  base::DictionaryValue* cert_dict = GetValidCertDecisionsDict(
+      dict, CreateDictionaryEntries, &expired_previous_decision);
+  // If a a valid certificate dictionary cannot be extracted from the content
+  // setting, that means it's in an unknown format. Unfortunately, there's
+  // nothing to be done in that case, so a silent fail is the only option.
+  if (!cert_dict)
+    return;
+
+  dict->SetIntegerWithoutPathExpansion(kSSLCertDecisionVersionKey,
+                                       kDefaultSSLCertDecisionVersion);
+  cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error),
+                                            net::CertPolicy::ALLOWED);
+
+  // The map takes ownership of the value, so it is released in the call to
+  // SetWebsiteSetting.
+  map->SetWebsiteSetting(pattern,
+                         pattern,
+                         CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
+                         std::string(),
+                         value.release());
 }
 
 void ChromeSSLHostStateDelegate::Clear() {
@@ -314,11 +342,12 @@ net::CertPolicy::Judgment ChromeSSLHostStateDelegate::QueryPolicy(
                                                             &policy_decision);
 
   // If a policy decision was successfully retrieved and it's a valid value of
-  // ALLOWED or DENIED, return the valid value. Otherwise, return UNKNOWN.
+  // ALLOWED, return the valid value. Otherwise, return UNKNOWN. Since the UI
+  // does not provide a way to deny certs and any DENIED value must have come
+  // from an external source, such as manually modifying the prefs file, Chrome
+  // we treats DENIED values as UNKNOWN.

[felt, 2014/08/25 17:13:44]

nit: "Chrome we treats"

Also: can we get rid of UNKNOWN? Just have ALLOWED or DENIED, with DENIED as the
default unless overridden by the user?

[jww, 2014/09/03 21:15:56]

Done
Yeah. pkasting suggested something similar, and now that I've thought about it
more, it makes sense to me, so the latest CL does this.

   if (success && policy_decision == net::CertPolicy::Judgment::ALLOWED)
     return net::CertPolicy::Judgment::ALLOWED;
-  else if (success && policy_decision == net::CertPolicy::Judgment::DENIED)
-    return net::CertPolicy::Judgment::DENIED;
 
   return net::CertPolicy::Judgment::UNKNOWN;
 }
@@ -360,7 +389,7 @@ void ChromeSSLHostStateDelegate::RevokeUserDecisionsHard(
       FROM_HERE, base::Bind(&CloseIdleConnections, getter));
 }
 
-bool ChromeSSLHostStateDelegate::HasUserDecision(const std::string& host) {
+bool ChromeSSLHostStateDelegate::HasAllowed(const std::string& host) {
   GURL url = GetSecureGURLForHost(host);
   const ContentSettingsPattern pattern =
       ContentSettingsPattern::FromURLNoWildcard(url);
@@ -379,8 +408,8 @@ bool ChromeSSLHostStateDelegate::HasUserDecision(const std::string& host) {
   for (base::DictionaryValue::Iterator it(*dict); !it.IsAtEnd(); it.Advance()) {
     int policy_decision;  // Owned by dict
     success = it.value().GetAsInteger(&policy_decision);
-    if (success && (static_cast<net::CertPolicy::Judgment>(policy_decision) !=
-                    net::CertPolicy::UNKNOWN))
+    if (success && (static_cast<net::CertPolicy::Judgment>(policy_decision) ==
+                    net::CertPolicy::ALLOWED))
       return true;
   }
 
@@ -400,44 +429,3 @@ bool ChromeSSLHostStateDelegate::DidHostRunInsecureContent(
 void ChromeSSLHostStateDelegate::SetClock(scoped_ptr<base::Clock> clock) {
   clock_.reset(clock.release());
 }
-
-void ChromeSSLHostStateDelegate::ChangeCertPolicy(
-    const std::string& host,
-    net::X509Certificate* cert,
-    net::CertStatus error,
-    net::CertPolicy::Judgment judgment) {
-  GURL url = GetSecureGURLForHost(host);
-  const ContentSettingsPattern pattern =
-      ContentSettingsPattern::FromURLNoWildcard(url);
-  HostContentSettingsMap* map = profile_->GetHostContentSettingsMap();
-  scoped_ptr<base::Value> value(map->GetWebsiteSetting(
-      url, url, CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS, std::string(), NULL));
-
-  if (!value.get() || !value->IsType(base::Value::TYPE_DICTIONARY))
-    value.reset(new base::DictionaryValue());
-
-  base::DictionaryValue* dict;
-  bool success = value->GetAsDictionary(&dict);
-  DCHECK(success);
-
-  bool expired_previous_decision;  // unused value in this function
-  base::DictionaryValue* cert_dict = GetValidCertDecisionsDict(
-      dict, CreateDictionaryEntries, &expired_previous_decision);
-  // If a a valid certificate dictionary cannot be extracted from the content
-  // setting, that means it's in an unknown format. Unfortunately, there's
-  // nothing to be done in that case, so a silent fail is the only option.
-  if (!cert_dict)
-    return;
-
-  dict->SetIntegerWithoutPathExpansion(kSSLCertDecisionVersionKey,
-                                       kDefaultSSLCertDecisionVersion);
-  cert_dict->SetIntegerWithoutPathExpansion(GetKey(cert, error), judgment);
-
-  // The map takes ownership of the value, so it is released in the call to
-  // SetWebsiteSetting.
-  map->SetWebsiteSetting(pattern,
-                         pattern,
-                         CONTENT_SETTINGS_TYPE_SSL_CERT_DECISIONS,
-                         std::string(),
-                         value.release());
-}