Certificate Transparency: Adding finch and NetLog logging for EV certs

chrome/browser/io_thread.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/io_thread.h"
 
 #include <vector>
 
 #include "base/base64.h"
 #include "base/bind.h"
@@ skipping 306 matching lines @@
 
 // Return true if stale-while-revalidate support should be enabled.
 bool IsStaleWhileRevalidateEnabled(const base::CommandLine& command_line) {
   if (command_line.HasSwitch(switches::kEnableStaleWhileRevalidate))
     return true;
   const std::string group_name =
       base::FieldTrialList::FindFullName(kStaleWhileRevalidateFieldTrialName);
   return group_name == "Enabled";
 }
 
+bool IsCertificateTransparencyRequiredForEV(
+    const base::CommandLine& command_line) {
+  const std::string group_name =
+      base::FieldTrialList::FindFullName("CTRequiredForEVTrial");

[mmenke, 2014/12/16 16:40:12]

nit:  Should put this just before use, per Google style guide.  Admittedly,
doesn't really matter for performance, but still seems weird to always do it
even when we have a switch and end up ignoring the result.

[Eran Messeri, 2014/12/17 16:19:31]

IIUC in go/finch-and-flags this pattern is explicitly stated for UMA to report
the correct group with each histogram logging.

+
+  if (command_line.HasSwitch(switches::kRequireCTForEV))
+    return true;
+
+  return group_name == "RequirementEnforced";
+}
+
 }  // namespace
 
 class IOThread::LoggingNetworkChangeObserver
     : public net::NetworkChangeNotifier::IPAddressObserver,
       public net::NetworkChangeNotifier::ConnectionTypeObserver,
       public net::NetworkChangeNotifier::NetworkChangeObserver {
  public:
   // |net_log| must remain valid throughout our lifetime.
   explicit LoggingNetworkChangeObserver(net::NetLog* net_log)
       : net_log_(net_log) {
@@ skipping 312 matching lines @@
           << "Unable to decode CT public key.";
       scoped_ptr<net::CTLogVerifier> external_log_verifier(
           net::CTLogVerifier::Create(ct_public_key_data, log_description));
       CHECK(external_log_verifier) << "Unable to parse CT public key.";
       VLOG(1) << "Adding log with description " << log_description;
       ct_verifier->AddLog(external_log_verifier.Pass());
     }
   }
 
   net::CertPolicyEnforcer* policy_enforcer = NULL;
-  // TODO(eranm): Control with Finch, crbug.com/437766
-  if (command_line.HasSwitch(switches::kRequireCTForEV)) {
-    policy_enforcer = new net::CertPolicyEnforcer(true);
-  } else {
-    policy_enforcer = new net::CertPolicyEnforcer(false);
-  }
+  policy_enforcer = new net::CertPolicyEnforcer(
+      IsCertificateTransparencyRequiredForEV(command_line));
   globals_->cert_policy_enforcer.reset(policy_enforcer);
 
   globals_->ssl_config_service = GetSSLConfigService();
 
   globals_->http_auth_handler_factory.reset(CreateDefaultAuthHandlerFactory(
       globals_->host_resolver.get()));
   globals_->http_server_properties.reset(new net::HttpServerPropertiesImpl());
   // For the ProxyScriptFetcher, we use a direct ProxyService.
   globals_->proxy_script_fetcher_proxy_service.reset(
       net::ProxyService::CreateDirectWithNetLog(net_log_));
@@ skipping 732 matching lines @@
   net::QuicVersionVector supported_versions = net::QuicSupportedVersions();
   for (size_t i = 0; i < supported_versions.size(); ++i) {
     net::QuicVersion version = supported_versions[i];
     if (net::QuicVersionToString(version) == quic_version) {
       return version;
     }
   }
 
   return net::QUIC_VERSION_UNSUPPORTED;
 }