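// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CHROME_BROWSER_SSL_CHROME_SSL_HOST_STATE_DELEGATE_H_
#define CHROME_BROWSER_SSL_CHROME_SSL_HOST_STATE_DELEGATE_H_

// std::set, std::string and std::pair are used directly in this header, so
// include them here rather than relying on transitive includes.
#include <set>
#include <string>
#include <utility>

#include "base/gtest_prod_util.h"
#include "base/memory/scoped_ptr.h"
#include "base/time/time.h"
#include "content/public/browser/ssl_host_state_delegate.h"

class Profile;

namespace base {
class Clock;
class DictionaryValue;
}  // namespace base

// Tracks whether the user has allowed a certificate error exception for a
// specific site, SSL fingerprint, and error. Based on command-line flags and
// experimental group, remembers this decision either until end-of-session or
// for a particular length of time.
//
// An exception applies to one (site, fingerprint, error) combination. Code
// that decides whether a particular certificate may be used should call
// QueryPolicy() for that certificate and error; HasAllowException() only
// reports that some exception exists for the host.
class ChromeSSLHostStateDelegate : public content::SSLHostStateDelegate {
 public:
  // NOTE(review): |profile| is stored as a raw pointer (|profile_|);
  // presumably it is not owned and must outlive this object - confirm.
  explicit ChromeSSLHostStateDelegate(Profile* profile);
  virtual ~ChromeSSLHostStateDelegate();

  // SSLHostStateDelegate:
  // In HostRanInsecureContent() and DidHostRunInsecureContent(), |pid| is the
  // id of the renderer process in which |host| ran insecure content (see
  // BrokenHostEntry below).
  virtual void AllowCert(const std::string& host,
                         const net::X509Certificate& cert,
                         net::CertStatus error) OVERRIDE;
  virtual void Clear() OVERRIDE;
  virtual CertJudgment QueryPolicy(const std::string& host,
                                   const net::X509Certificate& cert,
                                   net::CertStatus error,
                                   bool* expired_previous_decision) OVERRIDE;
  virtual void HostRanInsecureContent(const std::string& host,
                                      int pid) OVERRIDE;
  virtual bool DidHostRunInsecureContent(const std::string& host,
                                         int pid) const OVERRIDE;

  // Revokes all SSL certificate error allow exceptions made by the user for
  // |host| in the given Profile.
  virtual void RevokeUserAllowExceptions(const std::string& host);

  // RevokeUserAllowExceptionsHard is the same as RevokeUserAllowExceptions but
  // additionally may close idle connections in the process. This should be
  // used *only* for rare events, such as a user controlled button, as it may
  // be very disruptive to the networking stack.
  virtual void RevokeUserAllowExceptionsHard(const std::string& host);

  // Returns whether the user has allowed a certificate error exception for
  // |host|. This does not mean that *all* certificate errors are allowed, just
  // that there exists an exception. To see if a particular certificate and
  // error combination exception is allowed, use QueryPolicy().
  virtual bool HasAllowException(const std::string& host) const;

 protected:
  // SetClock takes ownership of the passed in clock.
  void SetClock(scoped_ptr<base::Clock> clock);

 private:
  FRIEND_TEST_ALL_PREFIXES(ForgetInstantlySSLHostStateDelegateTest,
                           MakeAndForgetException);
  FRIEND_TEST_ALL_PREFIXES(RememberSSLHostStateDelegateTest, AfterRestart);
  FRIEND_TEST_ALL_PREFIXES(RememberSSLHostStateDelegateTest,
                           QueryPolicyExpired);

  // Used to specify whether new content setting entries should be created if
  // they don't already exist when querying the user's settings.
  enum CreateDictionaryEntriesDisposition {
    CREATE_DICTIONARY_ENTRIES,
    DO_NOT_CREATE_DICTIONARY_ENTRIES
  };

  // Specifies whether user SSL error decisions should be forgotten at the end
  // of this current session (the old style of remembering decisions), or
  // whether they should be remembered across session restarts for a specified
  // length of time, determined by
  // |default_ssl_cert_decision_expiration_delta_|.
  enum RememberSSLExceptionDecisionsDisposition {
    FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END,
    REMEMBER_SSL_EXCEPTION_DECISIONS_FOR_DELTA
  };

  // Returns a dictionary of certificate fingerprints and errors that have been
  // allowed as exceptions by the user.
  //
  // |dict| specifies the user's full exceptions dictionary for a specific site
  // in their content settings. Must be retrieved directly from a website
  // setting in the profile's HostContentSettingsMap.
  //
  // If |create_entries| is CREATE_DICTIONARY_ENTRIES, then
  // GetValidCertDecisionsDict will create a new set of entries within the
  // dictionary if they do not already exist. Otherwise it will fail and return
  // NULL if they do not exist, so callers must check the result before use.
  //
  // |expired_previous_decision| is set to true if there had been a previous
  // decision made by the user but it has expired. Otherwise it is set to
  // false.
  //
  // NOTE(review): ownership of the returned pointer is not stated here;
  // presumably it points into |dict| - confirm against the implementation.
  base::DictionaryValue* GetValidCertDecisionsDict(
      base::DictionaryValue* dict,
      CreateDictionaryEntriesDisposition create_entries,
      bool* expired_previous_decision);

  // Owned clock; replaced through SetClock().
  scoped_ptr<base::Clock> clock_;
  // Whether decisions are forgotten at session end or remembered for
  // |default_ssl_cert_decision_expiration_delta_|.
  RememberSSLExceptionDecisionsDisposition should_remember_ssl_decisions_;
  base::TimeDelta default_ssl_cert_decision_expiration_delta_;
  Profile* profile_;

  // A BrokenHostEntry is a pair of (host, process_id) that indicates the host
  // contains insecure content in that renderer process.
  typedef std::pair<std::string, int> BrokenHostEntry;

  // Hosts which have been contaminated with insecure content in the
  // specified process. Note that insecure content can travel between
  // same-origin frames in one process but cannot jump between processes.
  std::set<BrokenHostEntry> ran_insecure_content_hosts_;

  // This is a GUID to mark this unique session. Whenever a certificate
  // decision expiration is set, the GUID is saved as well so Chrome can tell
  // if it was last set during the current session. This is used by the
  // FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END experimental group to
  // determine if the expired_previous_decision bit should be set on queries.
  //
  // Why not just iterate over the set of current exceptions and mark them all
  // as expired when the session starts, rather than storing a GUID for the
  // current session? Glad you asked! Unfortunately, content settings does not
  // currently support iterating over all current *compound* content setting
  // values (iteration only works for simple content settings). While this
  // could be added, it would be a fair amount of work for what amounts to a
  // temporary measurement problem, so it's not worth the complexity.
  //
  // TODO(jww): This is only used by the default and disable groups of the
  // certificate memory decisions experiment to tell if a decision has expired
  // since the last session. Since this is only used for UMA purposes, this
  // should be removed after the experiment has finished, and a call to Clear()
  // should be added to the constructor and destructor for members of the
  // FORGET_SSL_EXCEPTION_DECISIONS_AT_SESSION_END groups. See
  // https://crbug.com/418631 for more details.
  const std::string current_expiration_guid_;

  DISALLOW_COPY_AND_ASSIGN(ChromeSSLHostStateDelegate);
};

#endif  // CHROME_BROWSER_SSL_CHROME_SSL_HOST_STATE_DELEGATE_H_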