1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32
   33
   34
   35
   36
   37
   38
   39
   40
   41
   42
   43
   44
   45
   46
   47
   48
   49
   50
   51
   52
   53
   54
   55
   56
   57
   58
   59
   60
   61
   62
   63
   64
   65
   66
   67
   68
   69
   70
   71
   72
   73
   74
   75
   76
   77
   78
   79
   80
   81
   82
   83
   84
   85
   86
   87
   88
   89
   90
   91
   92
   93
   94
   95
   96
   97
   98
   99
  100
  101
  102
  103
  104
  105
  106
  107
  108
  109
  110
  111
  112
  113
  114
  115
  116
  117
  118
  119
  120
  121
  122
  123
  124
  125
  126
  127
  128
  129
  130
  131
  132
  133
  134
  135
  136
  137
  138
  139
  140
  141
  142
  143
  144
  145
  146
  147
  148
  149
  150
  151
  152
  153
  154
  155
  156
  157
  158
  159
  160
  161
  162
  163
  164
  165
  166
  167
  168
  169
  170


content / browser / interest_group / interest_group_permissions_checker.h [blame]

// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_BROWSER_INTEREST_GROUP_INTEREST_GROUP_PERMISSIONS_CHECKER_H_
#define CONTENT_BROWSER_INTEREST_GROUP_INTEREST_GROUP_PERMISSIONS_CHECKER_H_

#include "content/common/content_export.h"

#include <list>
#include <map>
#include <memory>
#include <tuple>

#include "base/functional/callback_forward.h"
#include "base/memory/weak_ptr.h"
#include "base/time/time.h"
#include "content/browser/interest_group/interest_group_permissions_cache.h"
#include "net/base/network_isolation_key.h"
#include "services/data_decoder/public/cpp/data_decoder.h"
#include "services/network/public/mojom/url_loader_factory.mojom.h"
#include "url/origin.h"

namespace network {
class SimpleURLLoader;
}

namespace content {

// Responsible for checking whether a frame can join or leave an interest group.
// Performs .well-known fetches if necessary.
//
// Groups permissions checks that can be handled by the same .well-known fetch,
// to avoid redundant fetches.
//
// TODO(crbug.com/40221941):
// * Consider adding a per-NIK / per-page / per-frame LRU cache. Roundtrip to
//   the HTTP cache are slow, and we'll likely want to limit the number of
//   pending operations the renderer sends to the browser process at a time.
// * Add detailed error information to DevTools or as a Promise failure on
//   rejection.
// * Figure out integration with IsInterestGroupAPIAllowed() - e.g., for
//   cross-origin iframes, there are 3 origins (top-level frame, iframe,
//   interest group frame). Currently we're not considering iframe origin at
//   all. Should we be?
class CONTENT_EXPORT InterestGroupPermissionsChecker {
 public:
  // More than enough space, since current spec is a dictionary of at most two
  // entries, and each entry has keys and values from a fixed set, which have
  // limited lengths.
  static constexpr int kMaxBodySize = 8192;

  static const base::TimeDelta kRequestTimeout;

  enum class Operation {
    kJoin,
    kLeave,
  };

  using PermissionsCheckCallback =
      base::OnceCallback<void(bool operation_allowed)>;

  InterestGroupPermissionsChecker();

  InterestGroupPermissionsChecker(InterestGroupPermissionsChecker&) = delete;
  InterestGroupPermissionsChecker& operator=(InterestGroupPermissionsChecker&) =
      delete;
  ~InterestGroupPermissionsChecker();

  // Checks if `frame_origin` can perform `operation` on an interest group owned
  // by `interest_group_owner`. Fetches a .well-known URL using
  // `url_loader_factory` if needed to check permissions. Has no rate limiting,
  // so a fetch will always be started immediately, if one is needed.
  //
  // Invokes `permissions_check_callback` with the result of the check. May
  // invoke callback synchronously, in cases where no .well-known fetch is
  // needed.
  //
  // `permissions_check_callback` may not call CheckPermissions() or delete
  // `this` when invoked.
  //
  // Performs no validity checks on origins. It's up to the caller to make sure
  // they're HTTPS, and provided origins are in general allowed to join/leave
  // interest groups.
  void CheckPermissions(Operation operation,
                        const url::Origin& frame_origin,
                        const url::Origin& interest_group_owner,
                        const net::NetworkIsolationKey& network_isolation_key,
                        network::mojom::URLLoaderFactory& url_loader_factory,
                        PermissionsCheckCallback permissions_check_callback);

  void ClearCache();

  InterestGroupPermissionsCache& cache_for_testing() { return cache_; }

 private:
  using Permissions = InterestGroupPermissionsCache::Permissions;

  // Two permissions checks with the same key can use the same .well-known
  // response, though they may have a different associated Operation.
  struct PermissionsKey {
    bool operator<(const PermissionsKey& other) const {
      return std::tie(frame_origin, interest_group_owner,
                      network_isolation_key) <
             std::tie(other.frame_origin, other.interest_group_owner,
                      other.network_isolation_key);
    }

    url::Origin frame_origin;
    url::Origin interest_group_owner;
    net::NetworkIsolationKey network_isolation_key;
  };

  // A permissions check waiting on a .well-known fetch to complete.
  struct PendingPermissionsCheck {
    PendingPermissionsCheck(
        Operation operation,
        PermissionsCheckCallback permissions_check_callback);
    PendingPermissionsCheck(PendingPermissionsCheck&&);
    ~PendingPermissionsCheck();

    Operation operation;
    PermissionsCheckCallback permissions_check_callback;
  };

  // A request for a .well-known file, along with a list of
  // PendingPermissionChecks that are waiting on it to complete. Deleted once
  // `simple_url_loader` has received a response, and its JSON has been parsed
  // by an async DataDecoder::ParseJsonIsolated() call.
  struct ActiveRequest {
    ActiveRequest();
    ~ActiveRequest();

    std::list<PendingPermissionsCheck> pending_checks;

    // Used to fetch the .well-known URL.
    std::unique_ptr<network::SimpleURLLoader> simple_url_loader;
  };

  // A map of interest group origins to their ActiveRequests.
  using ActiveRequestMap =
      std::map<PermissionsKey, std::unique_ptr<ActiveRequest>>;

  // Invoked with the result of the ".well-known" fetch for `active_request`.
  void OnRequestComplete(ActiveRequestMap::iterator active_request,
                         std::unique_ptr<std::string> response_body);

  // Invoked with the result of parsing the response body associated with
  // `active_request` as JSON.
  void OnJsonParsed(ActiveRequestMap::iterator active_request,
                    data_decoder::DataDecoder::ValueOrError result);

  // Invoked once the Permissions to use for `active_request` have been
  // determined, either as result of an error, by successfully parsing the
  // result of a .well-known request as JSON.
  void OnActiveRequestComplete(ActiveRequestMap::iterator active_request,
                               Permissions permissions);

  // Returns true if `permissions` allows `operation`.
  static bool AllowsOperation(Permissions permissions, Operation operation);

  ActiveRequestMap active_requests_;
  InterestGroupPermissionsCache cache_;

  base::WeakPtrFactory<InterestGroupPermissionsChecker> weak_factory_{this};
};

}  // namespace content

#endif  // CONTENT_BROWSER_INTEREST_GROUP_INTEREST_GROUP_PERMISSIONS_CHECKER_H_