Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / net / http / transport_security_persister.h
blob27ecc23c19a86d264ff65ed5ee9f9497c458afb6
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // TransportSecurityState maintains an in memory database containing the
6 // list of hosts that currently have transport security enabled. This
7 // singleton object deals with writing that data out to disk as needed and
8 // loading it at startup.
10 // At startup we need to load the transport security state from the
11 // disk. For the moment, we don't want to delay startup for this load, so we
12 // let the TransportSecurityState run for a while without being loaded.
13 // This means that it's possible for pages opened very quickly not to get the
14 // correct transport security information.
16 // To load the state, we schedule a Task on background_runner, which
17 // deserializes and configures the TransportSecurityState.
19 // The TransportSecurityState object supports running a callback function
20 // when it changes. This object registers the callback, pointing at itself.
22 // TransportSecurityState calls...
23 // TransportSecurityPersister::StateIsDirty
24 // since the callback isn't allowed to block or reenter, we schedule a Task
25 // on the file task runner after some small amount of time
27 // ...
29 // TransportSecurityPersister::SerializeState
30 // copies the current state of the TransportSecurityState, serializes
31 // and writes to disk.
33 #ifndef NET_HTTP_TRANSPORT_SECURITY_PERSISTER_H_
34 #define NET_HTTP_TRANSPORT_SECURITY_PERSISTER_H_
36 #include <string>
38 #include "base/files/file_path.h"
39 #include "base/files/important_file_writer.h"
40 #include "base/memory/ref_counted.h"
41 #include "base/memory/weak_ptr.h"
42 #include "net/base/net_export.h"
43 #include "net/http/transport_security_state.h"
45 namespace base {
46 class DictionaryValue;
47 class SequencedTaskRunner;
50 namespace net {
52 // Reads and updates on-disk TransportSecurity state. Clients of this class
53 // should create, destroy, and call into it from one thread.
55 // background_runner is the task runner this class should use internally to
56 // perform file IO, and can optionally be associated with a different thread.
57 class NET_EXPORT TransportSecurityPersister
58 : public TransportSecurityState::Delegate,
59 public base::ImportantFileWriter::DataSerializer {
60 public:
61 TransportSecurityPersister(
62 TransportSecurityState* state,
63 const base::FilePath& profile_path,
64 const scoped_refptr<base::SequencedTaskRunner>& background_runner,
65 bool readonly);
66 ~TransportSecurityPersister() override;
68 // Called by the TransportSecurityState when it changes its state.
69 void StateIsDirty(TransportSecurityState*) override;
71 // ImportantFileWriter::DataSerializer:
73 // Serializes |transport_security_state_| into |*output|. Returns true if
74 // all STS and PKP states were serialized correctly.
76 // The serialization format is JSON; the JSON represents a dictionary of
77 // host:DomainState pairs (host is a string). The DomainState contains
78 // the STS and PKP states and is represented as a dictionary containing
79 // the following keys and value types (not all keys will always be
80 // present):
82 // "sts_include_subdomains": true|false
83 // "pkp_include_subdomains": true|false
84 // "created": double
85 // "expiry": double
86 // "dynamic_spki_hashes_expiry": double
87 // "mode": "default"|"force-https"
88 // legacy value synonyms "strict" = "force-https"
89 // "pinning-only" = "default"
90 // legacy value "spdy-only" is unused and ignored
91 // "static_spki_hashes": list of strings
92 // legacy key synonym "preloaded_spki_hashes"
93 // "bad_static_spki_hashes": list of strings
94 // legacy key synonym "bad_preloaded_spki_hashes"
95 // "dynamic_spki_hashes": list of strings
97 // The JSON dictionary keys are strings containing
98 // Base64(SHA256(TransportSecurityState::CanonicalizeHost(domain))).
99 // The reason for hashing them is so that the stored state does not
100 // trivially reveal a user's browsing history to an attacker reading the
101 // serialized state on disk.
102 bool SerializeData(std::string* data) override;
104 // Clears any existing non-static entries, and then re-populates
105 // |transport_security_state_|.
107 // Sets |*dirty| to true if the new state differs from the persisted
108 // state; false otherwise.
109 bool LoadEntries(const std::string& serialized, bool* dirty);
111 private:
112 // Populates |state| from the JSON string |serialized|. Returns true if
113 // all entries were parsed and deserialized correctly.
115 // Sets |*dirty| to true if the new state differs from the persisted
116 // state; false otherwise.
117 static bool Deserialize(const std::string& serialized,
118 bool* dirty,
119 TransportSecurityState* state);
121 // Populates |host| with default values for the STS and PKP states.
122 // These default values represent "null" states and are only useful to keep
123 // the entries in the resulting JSON consistent. The deserializer will ignore
124 // "null" states.
125 // TODO(davidben): This can be removed when the STS and PKP states are stored
126 // independently on disk. https://crbug.com/470295
127 void PopulateEntryWithDefaults(base::DictionaryValue* host);
129 void CompleteLoad(const std::string& state);
131 TransportSecurityState* transport_security_state_;
133 // Helper for safely writing the data.
134 base::ImportantFileWriter writer_;
136 scoped_refptr<base::SequencedTaskRunner> foreground_runner_;
137 scoped_refptr<base::SequencedTaskRunner> background_runner_;
139 // Whether or not we're in read-only mode.
140 const bool readonly_;
142 base::WeakPtrFactory<TransportSecurityPersister> weak_ptr_factory_;
144 DISALLOW_COPY_AND_ASSIGN(TransportSecurityPersister);
147 } // namespace net
149 #endif // NET_HTTP_TRANSPORT_SECURITY_PERSISTER_H_