| blob | 4d57ea31ac1084b9f5eab1f60e85c025526d701b |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_
6 #define CHROME_BROWSER_SAFE_BROWSING_SAFE_BROWSING_DATABASE_H_
8 #include <map>
9 #include <set>
10 #include <string>
11 #include <vector>
25 }
30 // Factory for creating SafeBrowsingDatabase. Tests implement this factory
31 // to create fake Databases for testing.
47 };
49 // Encapsulates on-disk databases that for safebrowsing. There are
50 // four databases: browse, download, download whitelist and
51 // client-side detection (csd) whitelist databases. The browse database contains
52 // information about phishing and malware urls. The download database contains
53 // URLs for bad binaries (e.g: those containing virus) and hash of
54 // these downloaded contents. The download whitelist contains whitelisted
55 // download hosting sites as well as whitelisted binary signing certificates
56 // etc. The csd whitelist database contains URLs that will never be considered
57 // as phishing by the client-side phishing detection. These on-disk databases
58 // are shared among all profiles, as it doesn't contain user-specific data. This
59 // object is not thread-safe, i.e. all its methods should be used on the same
60 // thread that it was created on, unless specified otherwise.
63 // Factory method for obtaining a SafeBrowsingDatabase implementation.
64 // It is not thread safe.
65 // The browse list and off-domain inclusion whitelist are always on;
66 // availability of other lists is controlled by the flags on this method.
76 // Makes the passed |factory| the factory used to instantiate
77 // a SafeBrowsingDatabase. This is used for tests.
80 }
84 // Initializes the database with the given filename.
87 // Deletes the current database and creates a new one.
90 // Returns false if |url| is not in the browse database or already was cached
91 // as a miss. If it returns true, |prefix_hits| contains sorted unique
92 // matching hash prefixes which had no cached results and |cache_hits|
93 // contains any matching cached gethash results. This function is safe to
94 // call from any thread.
100 // Returns true iff the given url is on the unwanted software blacklist.
101 // Returns false if |url| is not in the browse database or already was cached
102 // as a miss. If it returns true, |prefix_hits| contains sorted unique
103 // matching hash prefixes which had no cached results and |cache_hits|
104 // contains any matching cached gethash results. This function is safe to
105 // call from any thread.
111 // Returns false if none of |prefixes| are in Download database. If it returns
112 // true, |prefix_hits| should contain the prefixes for the URLs that were in
113 // the database. This function can ONLY be accessed from creation thread.
118 // Returns false if |url| is not on the client-side phishing detection
119 // whitelist. Otherwise, this function returns true. Note: the whitelist
120 // only contains full-length hashes so we don't return any prefix hit. This
121 // function is safe to call from any thread.
124 // The download whitelist is used for two purposes: a white-domain list of
125 // sites that are considered to host only harmless binaries as well as a
126 // whitelist of arbitrary strings such as hashed certificate authorities that
127 // are considered to be trusted. The two methods below let you lookup the
128 // whitelist either for a URL or an arbitrary string. These methods will
129 // return false if no match is found and true otherwise. This function is safe
130 // to call from any thread.
134 // Returns true if |url| is on the off-domain inclusion whitelist.
137 // Populates |prefix_hits| with any prefixes in |prefixes| that have matches
138 // in the database, returning true if there were any matches.
139 //
140 // This function can ONLY be accessed from the creation thread.
145 // Returns true iff the given IP is currently on the csd malware IP blacklist.
146 // This function is safe to call from any thread.
149 // A database transaction should look like:
150 //
151 // std::vector<SBListChunkRanges> lists;
152 // if (db.UpdateStarted(&lists)) {
153 // // Do something with |lists|.
154 //
155 // // Process add/sub commands.
156 // db.InsertChunks(list_name, chunks);
157 //
158 // // Process adddel/subdel commands.
159 // db.DeleteChunks(chunks_deletes);
160 //
161 // // If passed true, processes the collected chunk info and
162 // // rebuilds the filter. If passed false, rolls everything
163 // // back.
164 // db.UpdateFinished(success);
165 // }
166 //
167 // If UpdateStarted() returns true, the caller MUST eventually call
168 // UpdateFinished(). If it returns false, the caller MUST NOT call
169 // the other functions.
177 // Store the results of a GetHash response. In the case of empty results, we
178 // cache the prefixes until the next update so that we don't have to issue
179 // further GetHash requests we know will be empty. This function is safe to
180 // call from any thread.
186 // Returns true if the malware IP blacklisting killswitch URL is present
187 // in the csd whitelist. This function is safe to call from any thread.
190 // Returns true if the whitelist killswitch URL is present in the csd
191 // whitelist. This function is safe to call from any thread.
194 // The name of the bloom-filter file for the given database file.
195 // NOTE(shess): OBSOLETE. Present for deleting stale files.
199 // The name of the prefix set file for the given database file.
202 // Filename for malware and phishing URL database.
206 // Filename for download URL and download binary hash database.
210 // Filename for client-side phishing detection whitelist databsae.
214 // Filename for download whitelist databsae.
218 // Filename for the off-domain inclusion whitelist databsae.
222 // Filename for extension blacklist database.
226 // Filename for side-effect free whitelist database. This database no longer
227 // exists, but the filename is retained so the database may be deleted.
231 // Filename for the csd malware IP blacklist database.
235 // Filename for the unwanted software blacklist database.
239 // Get the prefixes matching the download |urls|.
243 // SafeBrowsing Database failure types for histogramming purposes. Explicitly
244 // label new values and do not re-use old values. Also make sure to reflect
245 // modifications made below in the SB2DatabaseFailure histogram enum.
267 // Obsolete: FAILURE_SIDE_EFFECT_FREE_WHITELIST_UPDATE_BEGIN = 20,
268 // Obsolete: FAILURE_SIDE_EFFECT_FREE_WHITELIST_UPDATE_FINISH = 21,
269 // Obsolete: FAILURE_SIDE_EFFECT_FREE_WHITELIST_DELETE = 22,
270 // Obsolete: FAILURE_SIDE_EFFECT_FREE_WHITELIST_PREFIX_SET_READ = 23,
271 // Obsolete: FAILURE_SIDE_EFFECT_FREE_WHITELIST_PREFIX_SET_WRITE = 24,
272 // Obsolete: FAILURE_SIDE_EFFECT_FREE_WHITELIST_PREFIX_SET_DELETE = 25,
283 // Memory space for histograms is determined by the max. ALWAYS
284 // ADD NEW VALUES BEFORE THIS ONE.
285 FAILURE_DATABASE_MAX
286 };
291 // The factory used to instantiate a SafeBrowsingDatabase object.
292 // Useful for tests, so they can provide their own implementation of
293 // SafeBrowsingDatabase.
295 };
299 // Create a database with the stores below. Takes ownership of all store
300 // objects handed to this constructor. Ignores all future operations on lists
301 // for which the store is initialized to NULL.
315 // Implement SafeBrowsingDatabase interface.
343 // Returns the value of malware_kill_switch_;
346 // Returns true if the CSD whitelist has everything whitelisted.
356 BrowseFullHashAndPrefixMatching);
358 // A SafeBrowsing whitelist contains a list of whitelisted full-hashes (stored
359 // in a sorted vector) as well as a boolean flag indicating whether all
360 // lookups in the whitelist should be considered matches for safety.
363 // This map holds a csd malware IP blacklist which maps a prefix mask
364 // to a set of hashed blacklisted IP prefixes. Each IP prefix is a hashed
365 // IPv6 IP prefix using SHA-1.
370 // The ThreadSafeStateManager holds the SafeBrowsingDatabase's state which
371 // must be accessed in a thread-safe fashion. It must be constructed on the
372 // SafeBrowsingDatabaseManager's main thread. The main thread will then be the
373 // only thread on which this state can be modified; allowing for unlocked
374 // reads on the main thread and thus avoiding contention while performing
375 // intensive operations such as writing that state to disk. The state can only
376 // be accessed via (Read|Write)Transactions obtained through this class which
377 // will automatically handle thread-safety.
380 // Identifiers for stores held by the ThreadSafeStateManager. Allows helper
381 // methods to start a transaction themselves and keep it as short as
382 // possible rather than force callers to start the transaction early to pass
383 // a store pointer to the said helper methods.
385 CSD,
386 DOWNLOAD,
387 INCLUSION,
388 };
390 BROWSE,
391 UNWANTED_SOFTWARE,
392 };
394 // Obtained through BeginReadTransaction(NoLockOnMainTaskRunner)?(): a
395 // ReadTransaction allows read-only observations of the
396 // ThreadSafeStateManager's state. The |prefix_gethash_cache_| has a special
397 // allowance to be writable from a ReadTransaction but can't benefit from
398 // unlocked ReadTransactions. ReadTransaction should be held for the
399 // shortest amount of time possible (e.g., release it before computing final
400 // results if possible).
403 // Obtained through BeginWriteTransaction(): a WriteTransaction allows
404 // modification of the ThreadSafeStateManager's state. It should be used for
405 // the shortest amount of time possible (e.g., pre-compute the new state
406 // before grabbing a WriteTransaction to swap it in atomically).
418 // The sequenced task runner for this object, used to verify that its state
419 // is only ever accessed from the runner.
422 // Lock for protecting access to this class' state.
425 SBWhitelist csd_whitelist_;
426 SBWhitelist download_whitelist_;
427 SBWhitelist inclusion_whitelist_;
429 // The IP blacklist should be small. At most a couple hundred IPs.
430 IPBlacklist ip_blacklist_;
432 // PrefixSets to speed up lookups for particularly large lists. The
433 // PrefixSet themselves are never modified, instead a new one is swapped in
434 // on update.
438 // Cache of gethash results for prefix stores. Entries should not be used if
439 // they are older than their expire_after field. Cached misses will have
440 // empty full_hashes field. Cleared on each update. The cache is "mutable"
441 // as it can be written to from any transaction holding the lock, including
442 // ReadTransactions.
446 };
448 // Forward the above inner-definitions to alleviate some verbosity in the
449 // impl.
455 // Manages the non-thread safe (i.e. only to be accessed to the database's
456 // main thread) state of this class.
467 }
472 }
477 }
482 }
487 }
492 }
497 }
502 }
505 // The sequenced task runner for this object, used to verify that its state
506 // is only ever accessed from the runner.
509 // The base filename passed to Init(), used to generate the store and prefix
510 // set filenames used to store data on disk.
513 // Set if corruption is detected during the course of an update.
514 // Causes the update functions to fail with no side effects, until
515 // the next call to |UpdateStarted()|.
518 // Set to true if any chunks are added or deleted during an update.
519 // Used to optimize away database update.
523 };
526 PrefixSetId prefix_set_id,
530 // Exposed for testing of PrefixSetContainsUrlHashes() on the
531 // PrefixSet backing kMalwareList.
538 PrefixSetId prefix_set_id,
542 // Returns true if the whitelist is disabled or if any of the given hashes
543 // matches the whitelist.
547 // Return the store matching |list_id|.
550 // Deletes the files on disk.
553 // Load the prefix set in "|db_filename| Prefix Set" off disk, if available,
554 // and stores it in the PrefixSet identified by |prefix_set_id|.
555 // |read_failure_type| provides a caller-specific error code to be used on
556 // failure. This method should only ever be called during initialization as
557 // it performs some disk IO while holding a transaction (for the sake of
558 // avoiding uncessary back-and-forth interactions with the lock during
559 // Init()).
562 PrefixSetId prefix_set_id,
563 FailureType read_failure_type);
565 // Writes the current prefix set "|db_filename| Prefix Set" on disk.
566 // |write_failure_type| provides a caller-specific error code to be used on
567 // failure.
569 PrefixSetId prefix_set_id,
570 FailureType write_failure_type);
572 // Loads the given full-length hashes to the given whitelist. If the number
573 // of hashes is too large or if the kill switch URL is on the whitelist
574 // we will whitelist everything.
576 SBWhitelistId whitelist_id);
578 // Parses the IP blacklist from the given full-length hashes.
581 // Helpers for handling database corruption.
582 // |OnHandleCorruptDatabase()| runs |ResetDatabase()| and sets
583 // |corruption_detected_|, |HandleCorruptDatabase()| posts
584 // |OnHandleCorruptDatabase()| to the current thread, to be run
585 // after the current task completes.
586 // TODO(shess): Wire things up to entirely abort the update
587 // transaction when this happens.
591 // Helpers for InsertChunks().
599 // Updates the |store| and stores the result on disk under |store_filename|.
602 FailureType failure_type);
604 // Updates a PrefixStore store for URLs (|url_store|) which is backed on disk
605 // by a "|db_filename| Prefix Set" file. Specific failure types are provided
606 // to highlight the specific store who made the initial request on failure.
607 // |store_full_hashes_in_prefix_set| dictates whether full_hashes from the
608 // |url_store| should be cached in the |prefix_set| as well.
611 PrefixSetId prefix_set_id,
612 FailureType finish_failure_type,
613 FailureType write_failure_type,
617 PrefixSetId prefix_set_id,
618 FailureType failure_type);
622 SBWhitelistId whitelist_id);
625 // Returns a raw pointer to ThreadSafeStateManager's PrefixGetHashCache for
626 // testing. This should only be used in unit tests (where multi-threading and
627 // synchronization are not problematic).
630 // Records a file size histogram for the database or PrefixSet backed by
631 // |filename|.
634 // The sequenced task runner for this object, used to verify that its state
635 // is only ever accessed from the runner and post some tasks to it.
638 ThreadSafeStateManager state_manager_;
640 DatabaseStateManager db_state_manager_;
642 // Underlying persistent stores for chunk data:
643 // - |browse_store_|: For browsing related (phishing and malware URLs)
644 // chunks and prefixes.
645 // - |download_store_|: For download related (download URL and binary hash)
646 // chunks and prefixes.
647 // - |csd_whitelist_store_|: For the client-side phishing detection
648 // whitelist chunks and full-length hashes. This list only contains 256
649 // bit hashes.
650 // - |download_whitelist_store_|: For the download whitelist chunks and
651 // full-length hashes. This list only contains 256 bit hashes.
652 // - |inclusion_whitelist_store_|: For the inclusion whitelist. Same format
653 // as |download_whitelist_store_|.
654 // - |extension_blacklist_store_|: For extension IDs.
655 // - |ip_blacklist_store_|: For IP blacklist.
656 // - |unwanted_software_store_|: For unwanted software list (format
657 // identical to browsing lists).
658 //
659 // The stores themselves will be modified throughout the existence of this
660 // database, but shouldn't ever be swapped out (hence the const scoped_ptr --
661 // which could be swapped for C++11's std::optional when that's available).
662 // They are NonThreadSafe and should thus only be accessed on the database's
663 // main thread as enforced by SafeBrowsingStoreFile's implementation.
673 // Used to schedule resetting the database because of corruption. This factory
674 // and the WeakPtrs it issues should only be used on the database's main
675 // thread.
677 };