Home | History | Annotate | Download | only in safe_browsing 
      1 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef CHROME_BROWSER_SAFE_BROWSING_PROTOCOL_MANAGER_H_
      6 #define CHROME_BROWSER_SAFE_BROWSING_PROTOCOL_MANAGER_H_
      7 #pragma once
      8 
      9 // A class that implements Chrome's interface with the SafeBrowsing protocol.
     10 // The SafeBrowsingProtocolManager handles formatting and making requests of,
     11 // and handling responses from, Google's SafeBrowsing servers. This class uses
     12 // The SafeBrowsingProtocolParser class to do the actual parsing.
     13 
     14 #include <deque>
     15 #include <set>
     16 #include <string>
     17 #include <vector>
     18 
     19 #include "base/gtest_prod_util.h"
     20 #include "base/hash_tables.h"
     21 #include "base/memory/scoped_ptr.h"
     22 #include "base/time.h"
     23 #include "base/timer.h"
     24 #include "chrome/browser/safe_browsing/chunk_range.h"
     25 #include "chrome/browser/safe_browsing/protocol_parser.h"
     26 #include "chrome/browser/safe_browsing/safe_browsing_service.h"
     27 #include "chrome/browser/safe_browsing/safe_browsing_util.h"
     28 #include "chrome/common/net/url_fetcher.h"
     29 
     30 namespace net {
     31 class URLRequestStatus;
     32 }  // namespace net
     33 
     34 #if defined(COMPILER_GCC)
     35 // Allows us to use URLFetchers in a hash_map with gcc (MSVC is okay without
     36 // specifying this).
     37 namespace __gnu_cxx {
     38 template<>
     39 struct hash<const URLFetcher*> {
     40   size_t operator()(const URLFetcher* fetcher) const {
     41     return reinterpret_cast<size_t>(fetcher);
     42   }
     43 };
     44 }
     45 #endif
     46 
     47 class SafeBrowsingProtocolManager;
     48 // Interface of a factory to create ProtocolManager.  Useful for tests.
     49 class SBProtocolManagerFactory {
     50  public:
     51   SBProtocolManagerFactory() {}
     52   virtual ~SBProtocolManagerFactory() {}
     53   virtual SafeBrowsingProtocolManager* CreateProtocolManager(
     54       SafeBrowsingService* sb_service,
     55       const std::string& client_name,
     56       const std::string& client_key,
     57       const std::string& wrapped_key,
     58       net::URLRequestContextGetter* request_context_getter,
     59       const std::string& info_url_prefix,
     60       const std::string& mackey_url_prefix,
     61       bool disable_auto_update) = 0;
     62  private:
     63   DISALLOW_COPY_AND_ASSIGN(SBProtocolManagerFactory);
     64 };
     65 
     66 class SafeBrowsingProtocolManager : public URLFetcher::Delegate {
     67   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest, TestBackOffTimes);
     68   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest, TestChunkStrings);
     69   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest, TestGetHashUrl);
     70   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest,
     71                            TestGetHashBackOffTimes);
     72   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest, TestMacKeyUrl);
     73   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest,
     74                            TestSafeBrowsingHitUrl);
     75   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest,
     76                            TestMalwareDetailsUrl);
     77   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest, TestNextChunkUrl);
     78   FRIEND_TEST_ALL_PREFIXES(SafeBrowsingProtocolManagerTest, TestUpdateUrl);
     79   friend class SafeBrowsingServiceTest;
     80 
     81  public:
     82   virtual ~SafeBrowsingProtocolManager();
     83 
     84   // Makes the passed |factory| the factory used to instantiate
     85   // a SafeBrowsingService. Useful for tests.
     86   static void RegisterFactory(SBProtocolManagerFactory* factory) {
     87     factory_ = factory;
     88   }
     89 
     90   // Create an instance of the safe browsing service.
     91   static SafeBrowsingProtocolManager* Create(
     92       SafeBrowsingService* sb_service,
     93       const std::string& client_name,
     94       const std::string& client_key,
     95       const std::string& wrapped_key,
     96       net::URLRequestContextGetter* request_context_getter,
     97       const std::string& info_url_prefix,
     98       const std::string& mackey_url_prefix,
     99       bool disable_auto_update);
    100 
    101   // Sets up the update schedule and internal state for making periodic requests
    102   // of the SafeBrowsing service.
    103   virtual void Initialize();
    104 
    105   // URLFetcher::Delegate interface.
    106   virtual void OnURLFetchComplete(const URLFetcher* source,
    107                                   const GURL& url,
    108                                   const net::URLRequestStatus& status,
    109                                   int response_code,
    110                                   const ResponseCookies& cookies,
    111                                   const std::string& data);
    112 
    113   // API used by the SafeBrowsingService for issuing queries. When the results
    114   // are available, SafeBrowsingService::HandleGetHashResults is called.
    115   virtual void GetFullHash(SafeBrowsingService::SafeBrowsingCheck* check,
    116                            const std::vector<SBPrefix>& prefixes);
    117 
    118   // Forces the start of next update after |next_update_msec| in msec.
    119   void ForceScheduleNextUpdate(int next_update_msec);
    120 
    121   // Scheduled update callback.
    122   void GetNextUpdate();
    123 
    124   // Called by the SafeBrowsingService when our request for a list of all chunks
    125   // for each list is done.  If database_error is true, that means the protocol
    126   // manager shouldn't fetch updates since they can't be written to disk.  It
    127   // should try again later to open the database.
    128   void OnGetChunksComplete(const std::vector<SBListChunkRanges>& list,
    129                            bool database_error);
    130 
    131   // Called after the chunks that were parsed were inserted in the database.
    132   void OnChunkInserted();
    133 
    134   // For UMA users we report to Google when a SafeBrowsing interstitial is shown
    135   // to the user.  |threat_type| should be one of the types known by
    136   // SafeBrowsingHitUrl.
    137   void ReportSafeBrowsingHit(const GURL& malicious_url,
    138                              const GURL& page_url,
    139                              const GURL& referrer_url,
    140                              bool is_subresource,
    141                              SafeBrowsingService::UrlCheckResult threat_type,
    142                              const std::string& post_data);
    143 
    144   // Users can opt-in on the SafeBrowsing interstitial to send detailed
    145   // malware reports. |report| is the serialized report.
    146   void ReportMalwareDetails(const std::string& report);
    147 
    148   bool is_initial_request() const { return initial_request_; }
    149 
    150   // The last time we received an update.
    151   base::Time last_update() const { return last_update_; }
    152 
    153   // Setter for additional_query_. To make sure the additional_query_ won't
    154   // be changed in the middle of an update, caller (e.g.: SafeBrowsingService)
    155   // should call this after callbacks triggered in UpdateFinished() or before
    156   // IssueUpdateRequest().
    157   void set_additional_query(const std::string& query) {
    158     additional_query_ = query;
    159   }
    160   const std::string& additional_query() const {
    161     return additional_query_;
    162   }
    163 
    164   // Enumerate failures for histogramming purposes.  DO NOT CHANGE THE
    165   // ORDERING OF THESE VALUES.
    166   enum ResultType {
    167     // 200 response code means that the server recognized the hash
    168     // prefix, while 204 is an empty response indicating that the
    169     // server did not recognize it.
    170     GET_HASH_STATUS_200,
    171     GET_HASH_STATUS_204,
    172 
    173     // Subset of successful responses which returned no full hashes.
    174     // This includes the 204 case, and also 200 responses for stale
    175     // prefixes (deleted at the server but yet deleted on the client).
    176     GET_HASH_FULL_HASH_EMPTY,
    177 
    178     // Subset of successful responses for which one or more of the
    179     // full hashes matched (should lead to an interstitial).
    180     GET_HASH_FULL_HASH_HIT,
    181 
    182     // Subset of successful responses which weren't empty and have no
    183     // matches.  It means that there was a prefix collision which was
    184     // cleared up by the full hashes.
    185     GET_HASH_FULL_HASH_MISS,
    186 
    187     // Memory space for histograms is determined by the max.  ALWAYS
    188     // ADD NEW VALUES BEFORE THIS ONE.
    189     GET_HASH_RESULT_MAX
    190   };
    191 
    192   // Record a GetHash result. |is_download| indicates if the get
    193   // hash is triggered by download related lookup.
    194   static void RecordGetHashResult(bool is_download,
    195                                   ResultType result_type);
    196 
    197  protected:
    198   // Constructs a SafeBrowsingProtocolManager for |sb_service| that issues
    199   // network requests using |request_context_getter|. When |disable_auto_update|
    200   // is true, protocol manager won't schedule next update until
    201   // ForceScheduleNextUpdate is called.
    202   SafeBrowsingProtocolManager(
    203       SafeBrowsingService* sb_service,
    204       const std::string& client_name,
    205       const std::string& client_key,
    206       const std::string& wrapped_key,
    207       net::URLRequestContextGetter* request_context_getter,
    208       const std::string& http_url_prefix,
    209       const std::string& https_url_prefix,
    210       bool disable_auto_update);
    211  private:
    212   friend class SBProtocolManagerFactoryImpl;
    213 
    214   // Internal API for fetching information from the SafeBrowsing servers. The
    215   // GetHash requests are higher priority since they can block user requests
    216   // so are handled separately.
    217   enum SafeBrowsingRequestType {
    218     NO_REQUEST = 0,     // No requests in progress
    219     UPDATE_REQUEST,     // Request for redirect URLs
    220     CHUNK_REQUEST,      // Request for a specific chunk
    221     GETKEY_REQUEST      // Update the client's MAC key
    222   };
    223 
    224   // Composes a URL using |prefix|, |method| (e.g.: gethash, download,
    225   // newkey, report), |client_name| and |version|. When not empty,
    226   // |additional_query| is appended to the URL with an additional "&"
    227   // in the front.
    228   static std::string ComposeUrl(const std::string& prefix,
    229                                 const std::string& method,
    230                                 const std::string& client_name,
    231                                 const std::string& version,
    232                                 const std::string& additional_query);
    233 
    234   // Generates Update URL for querying about the latest set of chunk updates.
    235   // Append "wrkey=xxx" to the URL when |use_mac| is true.
    236   GURL UpdateUrl(bool use_mac) const;
    237   // Generates GetHash request URL for retrieving full hashes.
    238   // Append "wrkey=xxx" to the URL when |use_mac| is true.
    239   GURL GetHashUrl(bool use_mac) const;
    240   // Generates new MAC client key request URL.
    241   GURL MacKeyUrl() const;
    242   // Generates URL for reporting safe browsing hits for UMA users.
    243   GURL SafeBrowsingHitUrl(
    244       const GURL& malicious_url, const GURL& page_url, const GURL& referrer_url,
    245       bool is_subresource,
    246       SafeBrowsingService::UrlCheckResult threat_type) const;
    247   // Generates URL for reporting malware details for users who opt-in.
    248   GURL MalwareDetailsUrl() const;
    249 
    250   // Composes a ChunkUrl based on input string.
    251   GURL NextChunkUrl(const std::string& input) const;
    252 
    253   // Returns the time (in milliseconds) for the next update request. If
    254   // 'back_off' is true, the time returned will increment an error count and
    255   // return the appriate next time (see ScheduleNextUpdate below).
    256   int GetNextUpdateTime(bool back_off);
    257 
    258   // Worker function for calculating GetHash and Update backoff times (in
    259   // seconds). 'Multiplier' is doubled for each consecutive error between the
    260   // 2nd and 5th, and 'error_count' is incremented with each call.
    261   int GetNextBackOffTime(int* error_count, int* multiplier);
    262 
    263   // Manages our update with the next allowable update time. If 'back_off_' is
    264   // true, we must decrease the frequency of requests of the SafeBrowsing
    265   // service according to section 5 of the protocol specification.
    266   // When disable_auto_update_ is set, ScheduleNextUpdate will do nothing.
    267   // ForceScheduleNextUpdate has to be called to trigger the update.
    268   void ScheduleNextUpdate(bool back_off);
    269 
    270   // Sends a request for a list of chunks we should download to the SafeBrowsing
    271   // servers. In order to format this request, we need to send all the chunk
    272   // numbers for each list that we have to the server. Getting the chunk numbers
    273   // requires a database query (run on the database thread), and the request
    274   // is sent upon completion of that query in OnGetChunksComplete.
    275   void IssueUpdateRequest();
    276 
    277   // Sends a request for a chunk to the SafeBrowsing servers.
    278   void IssueChunkRequest();
    279 
    280   // Gets a key from the SafeBrowsing servers for use with MAC. This should only
    281   // be called once per client unless the server directly tells us to update.
    282   void IssueKeyRequest();
    283 
    284   // Formats a string returned from the database into:
    285   //   "list_name;a:<add_chunk_ranges>:s:<sub_chunk_ranges>:mac\n"
    286   static std::string FormatList(const SBListChunkRanges& list, bool use_mac);
    287 
    288   // Runs the protocol parser on received data and update the
    289   // SafeBrowsingService with the new content. Returns 'true' on successful
    290   // parse, 'false' on error.
    291   bool HandleServiceResponse(const GURL& url, const char* data, int length);
    292 
    293   // If the SafeBrowsing service wants us to re-key, we clear our key state and
    294   // issue the request.
    295   void HandleReKey();
    296 
    297   // Updates internal state for each GetHash response error, assuming that the
    298   // current time is |now|.
    299   void HandleGetHashError(const base::Time& now);
    300 
    301   // Helper function for update completion.
    302   void UpdateFinished(bool success);
    303 
    304   // A callback that runs if we timeout waiting for a response to an update
    305   // request. We use this to properly set our update state.
    306   void UpdateResponseTimeout();
    307 
    308  private:
    309   // The factory that controls the creation of SafeBrowsingProtocolManager.
    310   // This is used by tests.
    311   static SBProtocolManagerFactory* factory_;
    312 
    313   // Main SafeBrowsing interface object.
    314   SafeBrowsingService* sb_service_;
    315 
    316   // Current active request (in case we need to cancel) for updates or chunks
    317   // from the SafeBrowsing service. We can only have one of these outstanding
    318   // at any given time unlike GetHash requests, which are tracked separately.
    319   scoped_ptr<URLFetcher> request_;
    320 
    321   // The kind of request that is currently in progress.
    322   SafeBrowsingRequestType request_type_;
    323 
    324   // The number of HTTP response errors, used for request backoff timing.
    325   int update_error_count_;
    326   int gethash_error_count_;
    327 
    328   // Multipliers which double (max == 8) for each error after the second.
    329   int update_back_off_mult_;
    330   int gethash_back_off_mult_;
    331 
    332   // Multiplier between 0 and 1 to spread clients over an interval.
    333   float back_off_fuzz_;
    334 
    335   // The list for which we are make a request.
    336   std::string list_name_;
    337 
    338   // For managing the next earliest time to query the SafeBrowsing servers for
    339   // updates.
    340   int next_update_sec_;
    341   base::OneShotTimer<SafeBrowsingProtocolManager> update_timer_;
    342 
    343   // All chunk requests that need to be made, along with their MAC.
    344   std::deque<ChunkUrl> chunk_request_urls_;
    345 
    346   // Map of GetHash requests.
    347   typedef base::hash_map<const URLFetcher*,
    348                          SafeBrowsingService::SafeBrowsingCheck*> HashRequests;
    349   HashRequests hash_requests_;
    350 
    351   // The next scheduled update has special behavior for the first 2 requests.
    352   enum UpdateRequestState {
    353     FIRST_REQUEST = 0,
    354     SECOND_REQUEST,
    355     NORMAL_REQUEST
    356   };
    357   UpdateRequestState update_state_;
    358 
    359   // We'll attempt to get keys once per browser session if we don't already have
    360   // them. They are not essential to operation, but provide a layer of
    361   // verification.
    362   bool initial_request_;
    363 
    364   // True if the service has been given an add/sub chunk but it hasn't been
    365   // added to the database yet.
    366   bool chunk_pending_to_write_;
    367 
    368   // The keys used for MAC. Empty keys mean we aren't using MAC.
    369   std::string client_key_;
    370   std::string wrapped_key_;
    371 
    372   // The last time we successfully received an update.
    373   base::Time last_update_;
    374 
    375   // While in GetHash backoff, we can't make another GetHash until this time.
    376   base::Time next_gethash_time_;
    377 
    378   // Current product version sent in each request.
    379   std::string version_;
    380 
    381   // Used for measuring chunk request latency.
    382   base::Time chunk_request_start_;
    383 
    384   // Tracks the size of each update (in bytes).
    385   int update_size_;
    386 
    387   // Track outstanding SafeBrowsing report fetchers for clean up.
    388   // We add both "hit" and "detail" fetchers in this set.
    389   std::set<const URLFetcher*> safebrowsing_reports_;
    390 
    391   // The safe browsing client name sent in each request.
    392   std::string client_name_;
    393 
    394   // A string that is appended to the end of URLs for download, gethash,
    395   // newkey, safebrowsing hits and chunk update requests.
    396   std::string additional_query_;
    397 
    398   // The context we use to issue network requests.
    399   scoped_refptr<net::URLRequestContextGetter> request_context_getter_;
    400 
    401   // URL prefix where browser fetches safebrowsing chunk updates, hashes, and
    402   // reports hits to the safebrowsing list for UMA users.
    403   std::string http_url_prefix_;
    404 
    405   // URL prefix where browser fetches MAC client key, and reports detailed
    406   // malware reports for users who opt-in.
    407   std::string https_url_prefix_;
    408 
    409   // When true, protocol manager will not start an update unless
    410   // ForceScheduleNextUpdate() is called. This is set for testing purpose.
    411   bool disable_auto_update_;
    412 
    413   DISALLOW_COPY_AND_ASSIGN(SafeBrowsingProtocolManager);
    414 };
    415 
    416 #endif  // CHROME_BROWSER_SAFE_BROWSING_PROTOCOL_MANAGER_H_
    417