Google Git
Sign in
chromium / chromium / src.git / 57.0.2938.0 / . / components / certificate_transparency / ct_policy_manager.cc
blob: 445f3d204a7f4c569b99f7ff3cb8fbbf87b8d477 [file] [log] [blame]
// Copyright 2016 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "components/certificate_transparency/ct_policy_manager.h"
#include <map>
#include <set>
#include <string>
#include "base/bind.h"
#include "base/callback.h"
#include "base/location.h"
#include "base/sequenced_task_runner.h"
#include "base/strings/string_util.h"
#include "base/threading/sequenced_task_runner_handle.h"
#include "base/values.h"
#include "components/certificate_transparency/pref_names.h"
#include "components/prefs/pref_registry_simple.h"
#include "components/prefs/pref_service.h"
#include "components/url_formatter/url_fixer.h"
#include "components/url_matcher/url_matcher.h"
#include "net/base/host_port_pair.h"
namespace certificate_transparency {
class CTPolicyManager::CTDelegate
: public net::TransportSecurityState::RequireCTDelegate {
public:
explicit CTDelegate(
scoped_refptr<base::SequencedTaskRunner> network_task_runner);
~CTDelegate() override = default;
// Called on the prefs task runner. Updates the CTDelegate to require CT
// for |required_hosts|, and exclude |excluded_hosts| from CT policies.
void UpdateFromPrefs(const base::ListValue* required_hosts,
const base::ListValue* excluded_hosts);
// RequireCTDelegate implementation
// Called on the network task runner.
CTRequirementLevel IsCTRequiredForHost(const std::string& hostname) override;
private:
struct Filter {
bool ct_required = false;
bool match_subdomains = false;
size_t host_length = 0;
};
// Called on the |network_task_runner_|, updates the |url_matcher_| to
// require CT for |required_hosts| and exclude |excluded_hosts|, both
// of which are Lists of Strings which are URLBlacklist filters.
void Update(base::ListValue* required_hosts, base::ListValue* excluded_hosts);
// Parses the filters from |host_patterns|, adding them as filters to
// |filters_| (with |ct_required| indicating whether or not CT is required
// for that host), and updating |*conditions| with the corresponding
// URLMatcher::Conditions to match the host.
void AddFilters(bool ct_required,
base::ListValue* host_patterns,
url_matcher::URLMatcherConditionSet::Vector* conditions);
// Returns true if |lhs| has greater precedence than |rhs|.
bool FilterTakesPrecedence(const Filter& lhs, const Filter& rhs) const;
scoped_refptr<base::SequencedTaskRunner> network_task_runner_;
std::unique_ptr<url_matcher::URLMatcher> url_matcher_;
url_matcher::URLMatcherConditionSet::ID next_id_;
std::map<url_matcher::URLMatcherConditionSet::ID, Filter> filters_;
DISALLOW_COPY_AND_ASSIGN(CTDelegate);
};
CTPolicyManager::CTDelegate::CTDelegate(
scoped_refptr<base::SequencedTaskRunner> network_task_runner)
: network_task_runner_(std::move(network_task_runner)),
url_matcher_(new url_matcher::URLMatcher),
next_id_(0) {}
void CTPolicyManager::CTDelegate::UpdateFromPrefs(
const base::ListValue* required_hosts,
const base::ListValue* excluded_hosts) {
network_task_runner_->PostTask(
FROM_HERE,
base::Bind(&CTDelegate::Update, base::Unretained(this),
base::Owned(required_hosts->CreateDeepCopy().release()),
base::Owned(excluded_hosts->CreateDeepCopy().release())));
}
net::TransportSecurityState::RequireCTDelegate::CTRequirementLevel
CTPolicyManager::CTDelegate::IsCTRequiredForHost(const std::string& hostname) {
DCHECK(network_task_runner_->RunsTasksOnCurrentThread());
// Scheme and port are ignored by the policy, so it's OK to construct a
// new GURL here. However, |hostname| is in network form, not URL form,
// so it's necessary to wrap IPv6 addresses in brackets.
std::set<url_matcher::URLMatcherConditionSet::ID> matching_ids =
url_matcher_->MatchURL(
GURL("https://" + net::HostPortPair(hostname, 443).HostForURL()));
if (matching_ids.empty())
return CTRequirementLevel::DEFAULT;
// Determine the overall policy by determining the most specific policy.
std::map<url_matcher::URLMatcherConditionSet::ID, Filter>::const_iterator it =
filters_.begin();
const Filter* active_filter = nullptr;
for (const auto& match : matching_ids) {
// Because both |filters_| and |matching_ids| are sorted on the ID,
// treat both as forward-only iterators.
while (it != filters_.end() && it->first < match)
++it;
if (it == filters_.end()) {
NOTREACHED();
break;
}
if (!active_filter || FilterTakesPrecedence(it->second, *active_filter))
active_filter = &it->second;
}
CHECK(active_filter);
return active_filter->ct_required ? CTRequirementLevel::REQUIRED
: CTRequirementLevel::NOT_REQUIRED;
}
void CTPolicyManager::CTDelegate::Update(base::ListValue* required_hosts,
base::ListValue* excluded_hosts) {
DCHECK(network_task_runner_->RunsTasksOnCurrentThread());
url_matcher_.reset(new url_matcher::URLMatcher);
filters_.clear();
next_id_ = 0;
url_matcher::URLMatcherConditionSet::Vector all_conditions;
AddFilters(true, required_hosts, &all_conditions);
AddFilters(false, excluded_hosts, &all_conditions);
url_matcher_->AddConditionSets(all_conditions);
}
void CTPolicyManager::CTDelegate::AddFilters(
bool ct_required,
base::ListValue* hosts,
url_matcher::URLMatcherConditionSet::Vector* conditions) {
for (size_t i = 0; i < hosts->GetSize(); ++i) {
std::string pattern;
if (!hosts->GetString(i, &pattern))
continue;
Filter filter;
filter.ct_required = ct_required;
// Parse the pattern just to the hostname, ignoring all other portions of
// the URL.
url::Parsed parsed;
std::string ignored_scheme = url_formatter::SegmentURL(pattern, &parsed);
if (!parsed.host.is_nonempty())
continue; // If there is no host to match, can't apply the filter.
std::string lc_host = base::ToLowerASCII(
base::StringPiece(pattern).substr(parsed.host.begin, parsed.host.len));
if (lc_host == "*") {
// Wildcard hosts are not allowed and ignored.
continue;
} else if (lc_host[0] == '.') {
// A leading dot means exact match and to not match subdomains.
lc_host.erase(0, 1);
filter.match_subdomains = false;
} else {
// Canonicalize the host to make sure it's an actual hostname, not an
// IP address or a BROKEN canonical host, as matching subdomains is
// not desirable for those.
url::RawCanonOutputT<char> output;
url::CanonHostInfo host_info;
url::CanonicalizeHostVerbose(pattern.c_str(), parsed.host, &output,
&host_info);
// TODO(rsleevi): Use canonicalized form?
if (host_info.family == url::CanonHostInfo::NEUTRAL) {
// Match subdomains (implicit by the omission of '.'). Add in a
// leading dot to make sure matches only happen at the domain
// component boundary.
lc_host.insert(lc_host.begin(), '.');
filter.match_subdomains = true;
} else {
filter.match_subdomains = false;
}
}
filter.host_length = lc_host.size();
// Create a condition for the URLMatcher that matches the hostname (and/or
// subdomains).
url_matcher::URLMatcherConditionFactory* condition_factory =
url_matcher_->condition_factory();
std::set<url_matcher::URLMatcherCondition> condition_set;
condition_set.insert(
filter.match_subdomains
? condition_factory->CreateHostSuffixCondition(lc_host)
: condition_factory->CreateHostEqualsCondition(lc_host));
conditions->push_back(
new url_matcher::URLMatcherConditionSet(next_id_, condition_set));
filters_[next_id_] = filter;
++next_id_;
}
}
bool CTPolicyManager::CTDelegate::FilterTakesPrecedence(
const Filter& lhs,
const Filter& rhs) const {
if (lhs.match_subdomains != rhs.match_subdomains)
return !lhs.match_subdomains; // Prefer the more explicit policy.
if (lhs.host_length != rhs.host_length)
return lhs.host_length > rhs.host_length; // Prefer the longer host match.
if (lhs.ct_required != rhs.ct_required)
return lhs.ct_required; // Prefer the policy that requires CT.
return false;
}
// static
void CTPolicyManager::RegisterPrefs(PrefRegistrySimple* registry) {
registry->RegisterListPref(prefs::kCTRequiredHosts);
registry->RegisterListPref(prefs::kCTExcludedHosts);
}
CTPolicyManager::CTPolicyManager(
PrefService* pref_service,
scoped_refptr<base::SequencedTaskRunner> network_task_runner)
: delegate_(new CTDelegate(std::move(network_task_runner))),
weak_factory_(this) {
pref_change_registrar_.Init(pref_service);
pref_change_registrar_.Add(
prefs::kCTRequiredHosts,
base::Bind(&CTPolicyManager::ScheduleUpdate, base::Unretained(this)));
pref_change_registrar_.Add(
prefs::kCTExcludedHosts,
base::Bind(&CTPolicyManager::ScheduleUpdate, base::Unretained(this)));
ScheduleUpdate();
}
CTPolicyManager::~CTPolicyManager() {}
void CTPolicyManager::Shutdown() {
// Cancel any pending updates, since the preferences are going away.
weak_factory_.InvalidateWeakPtrs();
pref_change_registrar_.RemoveAll();
}
net::TransportSecurityState::RequireCTDelegate* CTPolicyManager::GetDelegate() {
return delegate_.get();
}
void CTPolicyManager::ScheduleUpdate() {
// Cancel any pending updates, and schedule a new update. If this method
// is called again, this pending update will be cancelled because the weak
// pointer is invalidated, and the new update will take precedence.
weak_factory_.InvalidateWeakPtrs();
base::SequencedTaskRunnerHandle::Get()->PostTask(
FROM_HERE,
base::Bind(&CTPolicyManager::Update, weak_factory_.GetWeakPtr()));
}
void CTPolicyManager::Update() {
delegate_->UpdateFromPrefs(
pref_change_registrar_.prefs()->GetList(prefs::kCTRequiredHosts),
pref_change_registrar_.prefs()->GetList(prefs::kCTExcludedHosts));
}
} // namespace certificate_transparency