Certificate Transparency: Adding finch and NetLog logging for EV certs

chrome/browser/io_thread.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/io_thread.h"
 
 #include <vector>
 
 #include "base/base64.h"
 #include "base/bind.h"
@@ skipping 305 matching lines @@
 
 // Return true if stale-while-revalidate support should be enabled.
 bool IsStaleWhileRevalidateEnabled(const base::CommandLine& command_line) {
   if (command_line.HasSwitch(switches::kEnableStaleWhileRevalidate))
     return true;
   const std::string group_name =
       base::FieldTrialList::FindFullName(kStaleWhileRevalidateFieldTrialName);
   return group_name == "Enabled";
 }
 
+bool IsCertificateTransparencyRequiredForEV(
+    const base::CommandLine& command_line) {
+  const std::string group_name =
+      base::FieldTrialList::FindFullName("CTRequiredForEVTrial");
+
+  if (command_line.HasSwitch(switches::kRequireCTForEV))
+    return true;

[davidben, 2014/12/08 22:42:35]

Suuuper nitpicky nit that completely doesn't matter: I suppose you may as well
reorder these too. Matches the function above and there's no need to query the
field trial if you're going to bail out on the switch early anyway.

[Eran Messeri, 2014/12/09 19:58:15]

My understanding, from go/finch-and-flags, is that you should call FindFullName
regardless of the flag value for UMA to report the correct group.

+
+  return group_name == "RequirementEnforced";
+}
+
 }  // namespace
 
 class IOThread::LoggingNetworkChangeObserver
     : public net::NetworkChangeNotifier::IPAddressObserver,
       public net::NetworkChangeNotifier::ConnectionTypeObserver,
       public net::NetworkChangeNotifier::NetworkChangeObserver {
  public:
   // |net_log| must remain valid throughout our lifetime.
   explicit LoggingNetworkChangeObserver(net::NetLog* net_log)
       : net_log_(net_log) {
@@ skipping 300 matching lines @@
           << "Unable to decode CT public key.";
       scoped_ptr<net::CTLogVerifier> external_log_verifier(
           net::CTLogVerifier::Create(ct_public_key_data, log_description));
       CHECK(external_log_verifier) << "Unable to parse CT public key.";
       VLOG(1) << "Adding log with description " << log_description;
       ct_verifier->AddLog(external_log_verifier.Pass());
     }
   }
 
   net::CertPolicyEnforcer* policy_enforcer = NULL;
-  // TODO(eranm): Control with Finch, crbug.com/437766
-  if (command_line.HasSwitch(switches::kRequireCTForEV)) {
-    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, true);
-  } else {
-    policy_enforcer = new net::CertPolicyEnforcer(kNumKnownCTLogs, false);
-  }
+  policy_enforcer = new net::CertPolicyEnforcer(
+      kNumKnownCTLogs, IsCertificateTransparencyRequiredForEV(command_line));
   globals_->cert_policy_enforcer.reset(policy_enforcer);
 
   globals_->ssl_config_service = GetSSLConfigService();
 
   SetupDataReductionProxy(network_delegate);
 
   globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory(
       globals_->host_resolver.get()));
   globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl());
   // For the ProxyScriptFetcher, we use a direct ProxyService.
@@ skipping 743 matching lines @@
   net::QuicVersionVector supported_versions = net::QuicSupportedVersions();
   for (size_t i = 0; i < supported_versions.size(); ++i) {
     net::QuicVersion version = supported_versions[i];
     if (net::QuicVersionToString(version) == quic_version) {
       return version;
     }
   }
 
   return net::QUIC_VERSION_UNSUPPORTED;
 }