Revert "Add button to page info to revoke user certificate decisions."

Speculatively reverting because the CL may be causing the find_bugs
step on the Android builder to fail
http://build.chromium.org/p/chromium.linux/builders/Android%20Builder%20%28dbg%29/builds/63828/steps/findbugs/logs/stdio

TBR=jww
NOTRY=TRUE

Review URL: https://codereview.chromium.org/469003004

Cr-Commit-Position: refs/heads/master@{#289353}
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@289353 0039d316-1c4b-4281-b951-d872f2087c98

4 files changed, 222 insertions, 20 deletions

diff --git a/content/browser/ssl/ssl_host_state.cc b/content/browser/ssl/ssl_host_state.cc
new file mode 100644
index 0000000..15edabb
--- /dev/null
+++ b/content/browser/ssl/ssl_host_state.cc
@@ -0,0 +1,118 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/browser/ssl/ssl_host_state.h"
+
+#include "base/logging.h"
+#include "base/lazy_instance.h"
+#include "content/public/browser/browser_context.h"
+#include "content/public/browser/ssl_host_state_delegate.h"
+#include "net/http/http_transaction_factory.h"
+#include "net/url_request/url_request_context.h"
+#include "net/url_request/url_request_context_getter.h"
+
+const char kKeyName[] = "content_ssl_host_state";
+
+namespace content {
+
+SSLHostState* SSLHostState::GetFor(BrowserContext* context) {
+  SSLHostState* rv = static_cast<SSLHostState*>(context->GetUserData(kKeyName));
+  if (!rv) {
+    rv = new SSLHostState();
+    rv->delegate_ = context->GetSSLHostStateDelegate();
+    // |context| may be NULL, implementing the default storage strategy.
+    if (context)
+      context->SetUserData(kKeyName, rv);
+  }
+  return rv;
+}
+
+SSLHostState::SSLHostState() {
+}
+
+SSLHostState::~SSLHostState() {
+}
+
+void SSLHostState::HostRanInsecureContent(const std::string& host, int pid) {
+  DCHECK(CalledOnValidThread());
+  ran_insecure_content_hosts_.insert(BrokenHostEntry(host, pid));
+}
+
+bool SSLHostState::DidHostRunInsecureContent(const std::string& host,
+                                             int pid) const {
+  DCHECK(CalledOnValidThread());
+  return !!ran_insecure_content_hosts_.count(BrokenHostEntry(host, pid));
+}
+
+void SSLHostState::DenyCertForHost(net::X509Certificate* cert,
+                                   const std::string& host,
+                                   net::CertStatus error) {
+  DCHECK(CalledOnValidThread());
+
+  if (!delegate_)
+    return;
+
+  delegate_->DenyCert(host, cert, error);
+}
+
+void SSLHostState::AllowCertForHost(net::X509Certificate* cert,
+                                    const std::string& host,
+                                    net::CertStatus error) {
+  DCHECK(CalledOnValidThread());
+
+  if (!delegate_)
+    return;
+
+  delegate_->AllowCert(host, cert, error);
+}
+
+void SSLHostState::RevokeAllowAndDenyPreferences(const std::string& host) {
+  DCHECK(CalledOnValidThread());
+
+  if (!delegate_)
+    return;
+
+  // TODO(jww): This will revoke all of the decisions in the browser context.
+  // However, the networking stack actually keeps track of its own list of
+  // exceptions per-HttpNetworkTransaction in the SSLConfig structure (see the
+  // allowed_bad_certs Vector in net/ssl/ssl_config.h). This dual-tracking of
+  // exceptions introduces a problem where the browser context can revoke a
+  // certificate, but if a transaction reuses a cached version of the SSLConfig
+  // (probably from a pooled socket), it may bypass the intestitial layer.
+  //
+  // Over time, the cached versions should expire and it should converge on
+  // showing the interstitial. We probably need to
+  // introduce into the networking stack a way revoke SSLConfig's
+  // allowed_bad_certs lists per socket.
+  delegate_->RevokeAllowAndDenyPreferences(host);
+}
+
+bool SSLHostState::HasAllowedOrDeniedCert(const std::string& host) {
+  DCHECK(CalledOnValidThread());
+
+  if (!delegate_)
+    return false;
+
+  return delegate_->HasAllowedOrDeniedCert(host);
+}
+
+void SSLHostState::Clear() {
+  if (!delegate_)
+    return;
+
+  delegate_->Clear();
+}
+
+net::CertPolicy::Judgment SSLHostState::QueryPolicy(net::X509Certificate* cert,
+                                                    const std::string& host,
+                                                    net::CertStatus error) {
+  DCHECK(CalledOnValidThread());
+
+  if (!delegate_)
+    return net::CertPolicy::Judgment::UNKNOWN;
+
+  return delegate_->QueryPolicy(host, cert, error);
+}
+
+}  // namespace content
diff --git a/content/browser/ssl/ssl_host_state.h b/content/browser/ssl/ssl_host_state.h
new file mode 100644
index 0000000..49ca8d2
--- /dev/null
+++ b/content/browser/ssl/ssl_host_state.h
@@ -0,0 +1,94 @@
+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CONTENT_BROWSER_SSL_SSL_HOST_STATE_H_
+#define CONTENT_BROWSER_SSL_SSL_HOST_STATE_H_
+
+#include <map>
+#include <set>
+#include <string>
+
+#include "base/basictypes.h"
+#include "base/compiler_specific.h"
+#include "base/supports_user_data.h"
+#include "base/threading/non_thread_safe.h"
+#include "content/common/content_export.h"
+#include "net/cert/cert_status_flags.h"
+#include "net/cert/x509_certificate.h"
+
+namespace content {
+class BrowserContext;
+class SSLHostStateDelegate;
+
+// SSLHostState
+//
+// The SSLHostState encapulates the host-specific state for SSL errors.  For
+// example, SSLHostState remembers whether the user has whitelisted a
+// particular broken cert for use with particular host.  We separate this state
+// from the SSLManager because this state is shared across many navigation
+// controllers.
+class CONTENT_EXPORT SSLHostState
+    : NON_EXPORTED_BASE(base::SupportsUserData::Data),
+      NON_EXPORTED_BASE(public base::NonThreadSafe) {
+ public:
+  // Contexts may specify a NULL certificate decision storage strategy. In that
+  // case, the returned SSLHostState from GetFor() will implement a default
+  // strategy of ignoring all exception requests and returning
+  // net::QueryPolicy::Judgment::UNKOWN from QueryPolicy().
+  static SSLHostState* GetFor(BrowserContext* browser_context);
+
+  SSLHostState();
+  virtual ~SSLHostState();
+
+  // Records that a host has run insecure content.
+  void HostRanInsecureContent(const std::string& host, int pid);
+
+  // Returns whether the specified host ran insecure content.
+  bool DidHostRunInsecureContent(const std::string& host, int pid) const;
+
+  // Records that |cert| is not permitted to be used for |url| in the future,
+  // for a specified |error| type.
+  void DenyCertForHost(net::X509Certificate* cert,
+                       const std::string& host,
+                       net::CertStatus error);
+
+  // Records that |cert| is permitted to be used for |url| in the future, for
+  // a specified |error| type.
+  void AllowCertForHost(net::X509Certificate* cert,
+                        const std::string& host,
+                        net::CertStatus error);
+
+  // Revoke all allow/deny preferences for |url|.
+  void RevokeAllowAndDenyPreferences(const std::string& host);
+
+  bool HasAllowedOrDeniedCert(const std::string& host);
+
+  // Clear all allow/deny preferences.
+  void Clear();
+
+  // Queries whether |cert| is allowed or denied for |url| and |error|.
+  net::CertPolicy::Judgment QueryPolicy(net::X509Certificate* cert,
+                                        const std::string& host,
+                                        net::CertStatus error);
+
+ private:
+  // A BrokenHostEntry is a pair of (host, process_id) that indicates the host
+  // contains insecure content in that renderer process.
+  typedef std::pair<std::string, int> BrokenHostEntry;
+
+  // Hosts which have been contaminated with insecure content in the
+  // specified process.  Note that insecure content can travel between
+  // same-origin frames in one processs but cannot jump between processes.
+  std::set<BrokenHostEntry> ran_insecure_content_hosts_;
+
+  // The certificate decision store. It may be NULL, depending on the browsing
+  // context. This is owned by the browsing context.
+  SSLHostStateDelegate* delegate_;
+
+  DISALLOW_COPY_AND_ASSIGN(SSLHostState);
+};
+
+}  // namespace content
+
+#endif  // CONTENT_BROWSER_SSL_SSL_HOST_STATE_H_
diff --git a/content/browser/ssl/ssl_policy_backend.cc b/content/browser/ssl/ssl_policy_backend.cc
index 3d0ea01..3eb4f46 100644
--- a/content/browser/ssl/ssl_policy_backend.cc
+++ b/content/browser/ssl/ssl_policy_backend.cc
@@ -5,54 +5,44 @@
 #include "content/browser/ssl/ssl_policy_backend.h"
 
 #include "content/browser/frame_host/navigation_controller_impl.h"
+#include "content/browser/ssl/ssl_host_state.h"
 #include "content/public/browser/browser_context.h"
-#include "content/public/browser/ssl_host_state_delegate.h"
 
 namespace content {
 
 SSLPolicyBackend::SSLPolicyBackend(NavigationControllerImpl* controller)
-    : ssl_host_state_delegate_(
-          controller->GetBrowserContext()->GetSSLHostStateDelegate()),
+    : ssl_host_state_(SSLHostState::GetFor(controller->GetBrowserContext())),
       controller_(controller) {
   DCHECK(controller_);
 }
 
 void SSLPolicyBackend::HostRanInsecureContent(const std::string& host, int id) {
-  if (ssl_host_state_delegate_)
-    ssl_host_state_delegate_->HostRanInsecureContent(host, id);
+  ssl_host_state_->HostRanInsecureContent(host, id);
   SSLManager::NotifySSLInternalStateChanged(controller_->GetBrowserContext());
 }
 
 bool SSLPolicyBackend::DidHostRunInsecureContent(const std::string& host,
                                                  int pid) const {
-  if (!ssl_host_state_delegate_)
-    return false;
-
-  return ssl_host_state_delegate_->DidHostRunInsecureContent(host, pid);
+  return ssl_host_state_->DidHostRunInsecureContent(host, pid);
 }
 
 void SSLPolicyBackend::DenyCertForHost(net::X509Certificate* cert,
                                        const std::string& host,
                                        net::CertStatus error) {
-  if (ssl_host_state_delegate_)
-    ssl_host_state_delegate_->DenyCert(host, cert, error);
+  ssl_host_state_->DenyCertForHost(cert, host, error);
 }
 
 void SSLPolicyBackend::AllowCertForHost(net::X509Certificate* cert,
                                         const std::string& host,
                                         net::CertStatus error) {
-  if (ssl_host_state_delegate_)
-    ssl_host_state_delegate_->AllowCert(host, cert, error);
+  ssl_host_state_->AllowCertForHost(cert, host, error);
 }
 
 net::CertPolicy::Judgment SSLPolicyBackend::QueryPolicy(
     net::X509Certificate* cert,
     const std::string& host,
     net::CertStatus error) {
-  if (!ssl_host_state_delegate_)
-    return net::CertPolicy::UNKNOWN;
-
-  return ssl_host_state_delegate_->QueryPolicy(host, cert, error);
+  return ssl_host_state_->QueryPolicy(cert, host, error);
 }
 
 }  // namespace content
diff --git a/content/browser/ssl/ssl_policy_backend.h b/content/browser/ssl/ssl_policy_backend.h
index a5222e9..06ea23e 100644
--- a/content/browser/ssl/ssl_policy_backend.h
+++ b/content/browser/ssl/ssl_policy_backend.h
@@ -15,7 +15,7 @@
 
 namespace content {
 class NavigationControllerImpl;
-class SSLHostStateDelegate;
+class SSLHostState;
 
 class SSLPolicyBackend {
  public:
@@ -45,8 +45,8 @@ class SSLPolicyBackend {
                                         net::CertStatus error);
 
  private:
-  // SSL state delegate specific for each host.
-  SSLHostStateDelegate* ssl_host_state_delegate_;
+  // SSL state specific for each host.
+  SSLHostState* ssl_host_state_;
 
   NavigationControllerImpl* controller_;