| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/chromeos/attestation/platform_verification_flow.h" | 5 #include "chrome/browser/chromeos/attestation/platform_verification_flow.h" |
| 6 | 6 |
| 7 #include "base/command_line.h" | 7 #include "base/command_line.h" |
| 8 #include "base/logging.h" | 8 #include "base/logging.h" |
| 9 #include "base/message_loop/message_loop.h" | 9 #include "base/message_loop/message_loop.h" |
| 10 #include "base/metrics/histogram.h" | 10 #include "base/metrics/histogram.h" |
| (...skipping 198 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 209 return; | 209 return; |
| 210 } | 210 } |
| 211 BoolDBusMethodCallback dbus_callback = base::Bind( | 211 BoolDBusMethodCallback dbus_callback = base::Bind( |
| 212 &DBusCallback, | 212 &DBusCallback, |
| 213 base::Bind(&PlatformVerificationFlow::CheckConsent, this, context), | 213 base::Bind(&PlatformVerificationFlow::CheckConsent, this, context), |
| 214 base::Bind(&ReportError, context.callback, INTERNAL_ERROR)); | 214 base::Bind(&ReportError, context.callback, INTERNAL_ERROR)); |
| 215 cryptohome_client_->TpmAttestationIsEnrolled(dbus_callback); | 215 cryptohome_client_->TpmAttestationIsEnrolled(dbus_callback); |
| 216 } | 216 } |
| 217 | 217 |
| 218 void PlatformVerificationFlow::CheckConsent(const ChallengeContext& context, | 218 void PlatformVerificationFlow::CheckConsent(const ChallengeContext& context, |
| 219 bool attestation_enrolled) { | 219 bool /* attestation_enrolled */) { |
| 220 PrefService* pref_service = delegate_->GetPrefs(context.web_contents); | 220 content::WebContents* web_contents = context.web_contents; |
| 221 |
| 222 bool enabled_for_origin = false; |
| 223 bool found = |
| 224 GetOriginPref(delegate_->GetContentSettings(web_contents), |
| 225 delegate_->GetURL(web_contents), &enabled_for_origin); |
| 226 if (found && !enabled_for_origin) { |
| 227 VLOG(1) << "Platform verification denied because the origin has been " |
| 228 << "blocked by the user."; |
| 229 ReportError(context.callback, USER_REJECTED); |
| 230 return; |
| 231 } |
| 232 |
| 233 PrefService* pref_service = delegate_->GetPrefs(web_contents); |
| 221 if (!pref_service) { | 234 if (!pref_service) { |
| 222 LOG(ERROR) << "Failed to get user prefs."; | 235 LOG(ERROR) << "Failed to get user prefs."; |
| 223 ReportError(context.callback, INTERNAL_ERROR); | 236 ReportError(context.callback, INTERNAL_ERROR); |
| 224 return; | 237 return; |
| 225 } | 238 } |
| 226 bool consent_required = ( | 239 |
| 227 // Consent required if attestation has never been enrolled on this device. | 240 // Consent required if user has never given consent for this origin, or if |
| 228 !attestation_enrolled || | 241 // user has never given consent to attestation for content protection on this |
| 229 // Consent required if this is the first use of attestation for content | 242 // device. |
| 230 // protection on this device. | 243 bool consent_required = |
| 231 !pref_service->GetBoolean(prefs::kRAConsentFirstTime) || | 244 !found || !pref_service->GetBoolean(prefs::kRAConsentGranted); |
| 232 // Consent required if consent has never been given for this domain. | 245 |
| 233 !GetDomainPref(delegate_->GetContentSettings(context.web_contents), | |
| 234 delegate_->GetURL(context.web_contents), | |
| 235 NULL)); | |
| 236 Delegate::ConsentCallback consent_callback = base::Bind( | 246 Delegate::ConsentCallback consent_callback = base::Bind( |
| 237 &PlatformVerificationFlow::OnConsentResponse, | 247 &PlatformVerificationFlow::OnConsentResponse, |
| 238 this, | 248 this, |
| 239 context, | 249 context, |
| 240 consent_required); | 250 consent_required); |
| 241 if (consent_required) { | 251 if (consent_required) { |
| 242 // TODO(xhwang): Using delegate_->GetURL() here is not right. The consent | 252 // TODO(xhwang): Using delegate_->GetURL() here is not right. The consent |
| 243 // may be requested by a frame from a different origin. This will be solved | 253 // may be requested by a frame from a different origin. This will be solved |
| 244 // when http://crbug.com/454847 is fixed. | 254 // when http://crbug.com/454847 is fixed. |
| 245 delegate_->ShowConsentPrompt( | 255 delegate_->ShowConsentPrompt( |
| 246 context.web_contents, | 256 context.web_contents, |
| 247 delegate_->GetURL(context.web_contents).GetOrigin(), consent_callback); | 257 delegate_->GetURL(context.web_contents).GetOrigin(), consent_callback); |
| 248 } else { | 258 } else { |
| 249 consent_callback.Run(CONSENT_RESPONSE_NONE); | 259 consent_callback.Run(CONSENT_RESPONSE_NONE); |
| 250 } | 260 } |
| 251 } | 261 } |
| 252 | 262 |
| 253 void PlatformVerificationFlow::RegisterProfilePrefs( | 263 void PlatformVerificationFlow::RegisterProfilePrefs( |
| 254 user_prefs::PrefRegistrySyncable* prefs) { | 264 user_prefs::PrefRegistrySyncable* prefs) { |
| 255 prefs->RegisterBooleanPref(prefs::kRAConsentFirstTime, | 265 prefs->RegisterBooleanPref(prefs::kRAConsentGranted, |
| 256 false, | 266 false, // Default value. |
| 257 user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF); | 267 user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF); |
| 258 } | 268 } |
| 259 | 269 |
| 260 void PlatformVerificationFlow::OnConsentResponse( | 270 void PlatformVerificationFlow::OnConsentResponse( |
| 261 const ChallengeContext& context, | 271 const ChallengeContext& context, |
| 262 bool consent_required, | 272 bool consent_required, |
| 263 ConsentResponse consent_response) { | 273 ConsentResponse consent_response) { |
| 264 if (consent_required) { | 274 if (consent_required) { |
| 265 if (consent_response == CONSENT_RESPONSE_NONE) { | 275 if (consent_response == CONSENT_RESPONSE_NONE) { |
| 266 // No user response - do not proceed and do not modify any settings. | 276 // No user response - do not proceed and do not modify any settings. |
| (...skipping 145 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 412 if (!pref_service) { | 422 if (!pref_service) { |
| 413 LOG(ERROR) << "Failed to get user prefs."; | 423 LOG(ERROR) << "Failed to get user prefs."; |
| 414 return false; | 424 return false; |
| 415 } | 425 } |
| 416 if (!pref_service->GetBoolean(prefs::kEnableDRM)) { | 426 if (!pref_service->GetBoolean(prefs::kEnableDRM)) { |
| 417 VLOG(1) << "Platform verification denied because content protection " | 427 VLOG(1) << "Platform verification denied because content protection " |
| 418 << "identifiers have been disabled by the user."; | 428 << "identifiers have been disabled by the user."; |
| 419 return false; | 429 return false; |
| 420 } | 430 } |
| 421 | 431 |
| 422 // Check the user preference for this domain. | 432 // Check the user preference for this origin. |
| 423 bool enabled_for_domain = false; | 433 bool enabled_for_origin = false; |
| 424 bool found = GetDomainPref(delegate_->GetContentSettings(web_contents), | 434 bool found = |
| 425 delegate_->GetURL(web_contents), | 435 GetOriginPref(delegate_->GetContentSettings(web_contents), |
| 426 &enabled_for_domain); | 436 delegate_->GetURL(web_contents), &enabled_for_origin); |
| 427 if (found && !enabled_for_domain) { | 437 if (found && !enabled_for_origin) { |
| 428 VLOG(1) << "Platform verification denied because the domain has been " | 438 VLOG(1) << "Platform verification denied because the origin has been " |
| 429 << "blocked by the user."; | 439 << "blocked by the user."; |
| 430 return false; | 440 return false; |
| 431 } | 441 } |
| 432 return true; | 442 return true; |
| 433 } | 443 } |
| 434 | 444 |
| 435 bool PlatformVerificationFlow::UpdateSettings( | 445 bool PlatformVerificationFlow::UpdateSettings( |
| 436 content::WebContents* web_contents, | 446 content::WebContents* web_contents, |
| 437 ConsentResponse consent_response) { | 447 ConsentResponse consent_response) { |
| 438 PrefService* pref_service = delegate_->GetPrefs(web_contents); | 448 PrefService* pref_service = delegate_->GetPrefs(web_contents); |
| 439 if (!pref_service) { | 449 if (!pref_service) { |
| 440 LOG(ERROR) << "Failed to get user prefs."; | 450 LOG(ERROR) << "Failed to get user prefs."; |
| 441 return false; | 451 return false; |
| 442 } | 452 } |
| 443 pref_service->SetBoolean(prefs::kRAConsentFirstTime, true); | 453 |
| 444 RecordDomainConsent(delegate_->GetContentSettings(web_contents), | 454 if (consent_response == CONSENT_RESPONSE_ALLOW) { |
| 455 pref_service->SetBoolean(prefs::kRAConsentGranted, true); |
| 456 } |
| 457 |
| 458 RecordOriginConsent(delegate_->GetContentSettings(web_contents), |
| 445 delegate_->GetURL(web_contents), | 459 delegate_->GetURL(web_contents), |
| 446 (consent_response == CONSENT_RESPONSE_ALLOW)); | 460 (consent_response == CONSENT_RESPONSE_ALLOW)); |
| 447 return true; | 461 return true; |
| 448 } | 462 } |
| 449 | 463 |
| 450 bool PlatformVerificationFlow::GetDomainPref( | 464 bool PlatformVerificationFlow::GetOriginPref( |
| 451 HostContentSettingsMap* content_settings, | 465 HostContentSettingsMap* content_settings, |
| 452 const GURL& url, | 466 const GURL& url, |
| 453 bool* pref_value) { | 467 bool* pref_value) { |
| 454 CHECK(content_settings); | 468 CHECK(content_settings); |
| 455 CHECK(url.is_valid()); | 469 CHECK(url.is_valid()); |
| 456 ContentSetting setting = content_settings->GetContentSetting( | 470 ContentSetting setting = content_settings->GetContentSetting( |
| 457 url, | 471 url, |
| 458 url, | 472 url, |
| 459 CONTENT_SETTINGS_TYPE_PROTECTED_MEDIA_IDENTIFIER, | 473 CONTENT_SETTINGS_TYPE_PROTECTED_MEDIA_IDENTIFIER, |
| 460 std::string()); | 474 std::string()); |
| 461 if (setting != CONTENT_SETTING_ALLOW && setting != CONTENT_SETTING_BLOCK) | 475 if (setting != CONTENT_SETTING_ALLOW && setting != CONTENT_SETTING_BLOCK) |
| 462 return false; | 476 return false; |
| 463 if (pref_value) | 477 if (pref_value) |
| 464 *pref_value = (setting == CONTENT_SETTING_ALLOW); | 478 *pref_value = (setting == CONTENT_SETTING_ALLOW); |
| 465 return true; | 479 return true; |
| 466 } | 480 } |
| 467 | 481 |
| 468 void PlatformVerificationFlow::RecordDomainConsent( | 482 void PlatformVerificationFlow::RecordOriginConsent( |
| 469 HostContentSettingsMap* content_settings, | 483 HostContentSettingsMap* content_settings, |
| 470 const GURL& url, | 484 const GURL& url, |
| 471 bool allow_domain) { | 485 bool allow_origin) { |
| 472 CHECK(content_settings); | 486 CHECK(content_settings); |
| 473 CHECK(url.is_valid()); | 487 CHECK(url.is_valid()); |
| 474 // Build a pattern to represent scheme and host. | 488 // Build a pattern to represent scheme and host. |
| 475 scoped_ptr<ContentSettingsPattern::BuilderInterface> builder( | 489 scoped_ptr<ContentSettingsPattern::BuilderInterface> builder( |
| 476 ContentSettingsPattern::CreateBuilder(false)); | 490 ContentSettingsPattern::CreateBuilder(false)); |
| 477 builder->WithScheme(url.scheme()) | 491 builder->WithScheme(url.scheme()) |
| 478 ->WithDomainWildcard() | 492 ->WithDomainWildcard() |
| 479 ->WithHost(url.host()) | 493 ->WithHost(url.host()) |
| 480 ->WithPathWildcard(); | 494 ->WithPathWildcard(); |
| 481 if (!url.port().empty()) | 495 if (!url.port().empty()) |
| 482 builder->WithPort(url.port()); | 496 builder->WithPort(url.port()); |
| 483 else if (url.SchemeIs(url::kHttpsScheme)) | 497 else if (url.SchemeIs(url::kHttpsScheme)) |
| 484 builder->WithPort(kDefaultHttpsPort); | 498 builder->WithPort(kDefaultHttpsPort); |
| 485 else if (url.SchemeIs(url::kHttpScheme)) | 499 else if (url.SchemeIs(url::kHttpScheme)) |
| 486 builder->WithPortWildcard(); | 500 builder->WithPortWildcard(); |
| 487 ContentSettingsPattern pattern = builder->Build(); | 501 ContentSettingsPattern pattern = builder->Build(); |
| 488 if (pattern.IsValid()) { | 502 if (pattern.IsValid()) { |
| 489 ContentSetting setting = allow_domain ? CONTENT_SETTING_ALLOW | 503 ContentSetting setting = |
| 490 : CONTENT_SETTING_BLOCK; | 504 allow_origin ? CONTENT_SETTING_ALLOW : CONTENT_SETTING_BLOCK; |
| 491 content_settings->SetContentSetting( | 505 content_settings->SetContentSetting( |
| 492 pattern, | 506 pattern, |
| 493 pattern, | 507 pattern, |
| 494 CONTENT_SETTINGS_TYPE_PROTECTED_MEDIA_IDENTIFIER, | 508 CONTENT_SETTINGS_TYPE_PROTECTED_MEDIA_IDENTIFIER, |
| 495 std::string(), | 509 std::string(), |
| 496 setting); | 510 setting); |
| 497 } else { | 511 } else { |
| 498 LOG(WARNING) << "Not recording action: invalid URL pattern"; | 512 LOG(WARNING) << "Not recording action: invalid URL pattern"; |
| 499 } | 513 } |
| 500 } | 514 } |
| 501 | 515 |
| 502 bool PlatformVerificationFlow::IsExpired(const std::string& certificate) { | 516 bool PlatformVerificationFlow::IsExpired(const std::string& certificate) { |
| 503 scoped_refptr<net::X509Certificate> x509( | 517 scoped_refptr<net::X509Certificate> x509( |
| 504 net::X509Certificate::CreateFromBytes(certificate.data(), | 518 net::X509Certificate::CreateFromBytes(certificate.data(), |
| 505 certificate.length())); | 519 certificate.length())); |
| 506 if (!x509.get() || x509->valid_expiry().is_null()) { | 520 if (!x509.get() || x509->valid_expiry().is_null()) { |
| 507 LOG(WARNING) << "Failed to parse certificate, cannot check expiry."; | 521 LOG(WARNING) << "Failed to parse certificate, cannot check expiry."; |
| 508 return false; | 522 return false; |
| 509 } | 523 } |
| 510 return (base::Time::Now() > x509->valid_expiry()); | 524 return (base::Time::Now() > x509->valid_expiry()); |
| 511 } | 525 } |
| 512 | 526 |
| 513 } // namespace attestation | 527 } // namespace attestation |
| 514 } // namespace chromeos | 528 } // namespace chromeos |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 979273003:
Simplify PlatformVerificationFlow::CheckConsent() logic. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master