1 /****************************************************************************
2 **
3 ** Copyright (C) 2017 The Qt Company Ltd.
4 ** Contact: https://www.qt.io/licensing/
5 **
6 ** This file is part of the QtNetwork module of the Qt Toolkit.
7 **
8 ** $QT_BEGIN_LICENSE:LGPL$
9 ** Commercial License Usage
10 ** Licensees holding valid commercial Qt licenses may use this file in
11 ** accordance with the commercial license agreement provided with the
12 ** Software or, alternatively, in accordance with the terms contained in
13 ** a written agreement between you and The Qt Company. For licensing terms
14 ** and conditions see https://www.qt.io/terms-conditions. For further
15 ** information use the contact form at https://www.qt.io/contact-us.
16 **
17 ** GNU Lesser General Public License Usage
18 ** Alternatively, this file may be used under the terms of the GNU Lesser
19 ** General Public License version 3 as published by the Free Software
20 ** Foundation and appearing in the file LICENSE.LGPL3 included in the
21 ** packaging of this file. Please review the following information to
22 ** ensure the GNU Lesser General Public License version 3 requirements
23 ** will be met: https://www.gnu.org/licenses/lgpl-3.0.html.
24 **
25 ** GNU General Public License Usage
26 ** Alternatively, this file may be used under the terms of the GNU
27 ** General Public License version 2.0 or (at your option) the GNU General
28 ** Public license version 3 or any later version approved by the KDE Free
29 ** Qt Foundation. The licenses are as published by the Free Software
30 ** Foundation and appearing in the file LICENSE.GPL2 and LICENSE.GPL3
31 ** included in the packaging of this file. Please review the following
32 ** information to ensure the GNU General Public License requirements will
33 ** be met: https://www.gnu.org/licenses/gpl-2.0.html and
34 ** https://www.gnu.org/licenses/gpl-3.0.html.
35 **
36 ** $QT_END_LICENSE$
37 **
38 ****************************************************************************/
39 
40 #include "qhstsstore_p.h"
41 #include "qhstspolicy.h"
42 
43 #include "qstandardpaths.h"
44 #include "qdatastream.h"
45 #include "qbytearray.h"
46 #include "qdatetime.h"
47 #include "qvariant.h"
48 #include "qstring.h"
49 #include "qdir.h"
50 
51 #include <utility>
52 
53 QT_BEGIN_NAMESPACE
54 
host_name_to_settings_key(const QString & hostName)55 static QString host_name_to_settings_key(const QString &hostName)
56 {
57     const QByteArray hostNameAsHex(hostName.toUtf8().toHex());
58     return QString::fromLatin1(hostNameAsHex);
59 }
60 
settings_key_to_host_name(const QString & key)61 static QString settings_key_to_host_name(const QString &key)
62 {
63     const QByteArray hostNameAsUtf8(QByteArray::fromHex(key.toLatin1()));
64     return QString::fromUtf8(hostNameAsUtf8);
65 }
66 
QHstsStore(const QString & dirName)67 QHstsStore::QHstsStore(const QString &dirName)
68     : store(absoluteFilePath(dirName), QSettings::IniFormat)
69 {
70     // Disable fallbacks, we do not want to use anything but our own ini file.
71     store.setFallbacksEnabled(false);
72 }
73 
~QHstsStore()74 QHstsStore::~QHstsStore()
75 {
76     synchronize();
77 }
78 
readPolicies()79 QVector<QHstsPolicy> QHstsStore::readPolicies()
80 {
81     // This function only attempts to read policies, making no decision about
82     // expired policies. It's up to a user (QHstsCache) to mark these policies
83     // for deletion and sync the store later. But we immediately remove keys/values
84     // (if the store isWritable) for the policies that we fail to read.
85     QVector<QHstsPolicy> policies;
86 
87     beginHstsGroups();
88 
89     const QStringList keys = store.childKeys();
90     for (const auto &key : keys) {
91         QHstsPolicy restoredPolicy;
92         if (deserializePolicy(key, restoredPolicy)) {
93             restoredPolicy.setHost(settings_key_to_host_name(key));
94             policies.push_back(std::move(restoredPolicy));
95         } else if (isWritable()) {
96             evictPolicy(key);
97         }
98     }
99 
100     endHstsGroups();
101 
102     return policies;
103 }
104 
addToObserved(const QHstsPolicy & policy)105 void QHstsStore::addToObserved(const QHstsPolicy &policy)
106 {
107     observedPolicies.push_back(policy);
108 }
109 
synchronize()110 void QHstsStore::synchronize()
111 {
112     if (!isWritable())
113         return;
114 
115     if (observedPolicies.size()) {
116         beginHstsGroups();
117         for (const QHstsPolicy &policy : qAsConst(observedPolicies)) {
118             const QString key(host_name_to_settings_key(policy.host()));
119             // If we fail to write a new, updated policy, we also remove the old one.
120             if (policy.isExpired() || !serializePolicy(key, policy))
121                 evictPolicy(key);
122         }
123         observedPolicies.clear();
124         endHstsGroups();
125     }
126 
127     store.sync();
128 }
129 
isWritable() const130 bool QHstsStore::isWritable() const
131 {
132     return store.isWritable();
133 }
134 
absoluteFilePath(const QString & dirName)135 QString QHstsStore::absoluteFilePath(const QString &dirName)
136 {
137     const QDir dir(dirName.isEmpty() ? QStandardPaths::writableLocation(QStandardPaths::CacheLocation)
138                                      : dirName);
139     return dir.absoluteFilePath(QLatin1String("hstsstore"));
140 }
141 
beginHstsGroups()142 void QHstsStore::beginHstsGroups()
143 {
144     store.beginGroup(QLatin1String("StrictTransportSecurity"));
145     store.beginGroup(QLatin1String("Policies"));
146 }
147 
endHstsGroups()148 void QHstsStore::endHstsGroups()
149 {
150     store.endGroup();
151     store.endGroup();
152 }
153 
deserializePolicy(const QString & key,QHstsPolicy & policy)154 bool QHstsStore::deserializePolicy(const QString &key, QHstsPolicy &policy)
155 {
156     Q_ASSERT(store.contains(key));
157 
158     const QVariant data(store.value(key));
159     if (data.isNull() || !data.canConvert<QByteArray>())
160         return false;
161 
162     const QByteArray serializedData(data.toByteArray());
163     QDataStream streamer(serializedData);
164     qint64 expiryInMS = 0;
165     streamer >> expiryInMS;
166     if (streamer.status() != QDataStream::Ok)
167         return false;
168     bool includesSubDomains = false;
169     streamer >> includesSubDomains;
170     if (streamer.status() != QDataStream::Ok)
171         return false;
172 
173     policy.setExpiry(QDateTime::fromMSecsSinceEpoch(expiryInMS));
174     policy.setIncludesSubDomains(includesSubDomains);
175 
176     return true;
177 }
178 
serializePolicy(const QString & key,const QHstsPolicy & policy)179 bool QHstsStore::serializePolicy(const QString &key, const QHstsPolicy &policy)
180 {
181     Q_ASSERT(store.isWritable());
182 
183     QByteArray serializedData;
184     QDataStream streamer(&serializedData, QIODevice::WriteOnly);
185     streamer << policy.expiry().toMSecsSinceEpoch();
186     streamer << policy.includesSubDomains();
187 
188     if (streamer.status() != QDataStream::Ok)
189         return false;
190 
191     store.setValue(key, serializedData);
192     return true;
193 }
194 
evictPolicy(const QString & key)195 void QHstsStore::evictPolicy(const QString &key)
196 {
197     Q_ASSERT(store.isWritable());
198     if (store.contains(key))
199         store.remove(key);
200 }
201 
202 QT_END_NAMESPACE
203