1 // Copyright 2017 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "services/network/network_service.h"
6
7 #include <map>
8 #include <utility>
9 #include <vector>
10
11 #include "base/bind.h"
12 #include "base/command_line.h"
13 #include "base/debug/crash_logging.h"
14 #include "base/debug/dump_without_crashing.h"
15 #include "base/environment.h"
16 #include "base/feature_list.h"
17 #include "base/logging.h"
18 #include "base/memory/ptr_util.h"
19 #include "base/metrics/histogram_macros.h"
20 #include "base/numerics/ranges.h"
21 #include "base/stl_util.h"
22 #include "base/task/post_task.h"
23 #include "base/task/thread_pool.h"
24 #include "base/timer/timer.h"
25 #include "base/values.h"
26 #include "build/chromecast_buildflags.h"
27 #include "build/chromeos_buildflags.h"
28 #include "components/network_session_configurator/common/network_features.h"
29 #include "components/os_crypt/os_crypt.h"
30 #include "mojo/public/cpp/bindings/scoped_message_error_crash_key.h"
31 #include "mojo/public/cpp/system/functions.h"
32 #include "net/base/features.h"
33 #include "net/base/logging_network_change_observer.h"
34 #include "net/base/network_change_notifier.h"
35 #include "net/base/network_change_notifier_posix.h"
36 #include "net/base/port_util.h"
37 #include "net/cert/cert_database.h"
38 #include "net/cert/ct_log_response_parser.h"
39 #include "net/cert/internal/system_trust_store.h"
40 #include "net/cert/signed_tree_head.h"
41 #include "net/dns/host_resolver.h"
42 #include "net/dns/host_resolver_manager.h"
43 #include "net/dns/public/dns_config_overrides.h"
44 #include "net/http/http_auth_handler_factory.h"
45 #include "net/log/file_net_log_observer.h"
46 #include "net/log/net_log.h"
47 #include "net/log/net_log_capture_mode.h"
48 #include "net/log/net_log_util.h"
49 #include "net/nqe/network_quality_estimator.h"
50 #include "net/socket/client_socket_pool_manager.h"
51 #include "net/ssl/ssl_key_logger_impl.h"
52 #include "net/url_request/url_request_context.h"
53 #include "services/network/crl_set_distributor.h"
54 #include "services/network/cross_origin_read_blocking_exception_for_plugin.h"
55 #include "services/network/dns_config_change_manager.h"
56 #include "services/network/first_party_sets/preloaded_first_party_sets.h"
57 #include "services/network/http_auth_cache_copier.h"
58 #include "services/network/legacy_tls_config_distributor.h"
59 #include "services/network/net_log_exporter.h"
60 #include "services/network/net_log_proxy_sink.h"
61 #include "services/network/network_context.h"
62 #include "services/network/network_usage_accumulator.h"
63 #include "services/network/public/cpp/crash_keys.h"
64 #include "services/network/public/cpp/cross_origin_read_blocking.h"
65 #include "services/network/public/cpp/features.h"
66 #include "services/network/public/cpp/initiator_lock_compatibility.h"
67 #include "services/network/public/cpp/load_info_util.h"
68 #include "services/network/public/cpp/network_switches.h"
69 #include "services/network/url_loader.h"
70
71 #if defined(OS_ANDROID) && defined(ARCH_CPU_ARMEL)
72 #include "crypto/openssl_util.h"
73 #include "third_party/boringssl/src/include/openssl/cpu.h"
74 #endif
75
76 #if ((defined(OS_LINUX) || BUILDFLAG(IS_LACROS)) && !BUILDFLAG(IS_CHROMECAST)) || defined(OS_BSD)
77 #include "components/os_crypt/key_storage_config_linux.h"
78 #endif
79
80 #if defined(OS_ANDROID)
81 #include "base/android/application_status_listener.h"
82 #include "net/android/http_auth_negotiate_android.h"
83 #endif
84
85 #if BUILDFLAG(IS_CT_SUPPORTED)
86 #include "services/network/sct_auditing_cache.h"
87 #endif
88
89 namespace network {
90
91 namespace {
92
93 NetworkService* g_network_service = nullptr;
94
95 // The interval for calls to NetworkService::UpdateLoadStates
96 constexpr auto kUpdateLoadStatesInterval =
97 base::TimeDelta::FromMilliseconds(250);
98
CreateNetworkChangeNotifierIfNeeded(net::NetworkChangeNotifier::ConnectionType initial_connection_type,net::NetworkChangeNotifier::ConnectionSubtype initial_connection_subtype,bool mock_network_change_notifier)99 std::unique_ptr<net::NetworkChangeNotifier> CreateNetworkChangeNotifierIfNeeded(
100 net::NetworkChangeNotifier::ConnectionType initial_connection_type,
101 net::NetworkChangeNotifier::ConnectionSubtype initial_connection_subtype,
102 bool mock_network_change_notifier) {
103 // There is a global singleton net::NetworkChangeNotifier if NetworkService
104 // is running inside of the browser process.
105 if (mock_network_change_notifier)
106 return net::NetworkChangeNotifier::CreateMockIfNeeded();
107 return net::NetworkChangeNotifier::CreateIfNeeded(initial_connection_type,
108 initial_connection_subtype);
109 }
110
OnGetNetworkList(std::unique_ptr<net::NetworkInterfaceList> networks,mojom::NetworkService::GetNetworkListCallback callback,bool success)111 void OnGetNetworkList(std::unique_ptr<net::NetworkInterfaceList> networks,
112 mojom::NetworkService::GetNetworkListCallback callback,
113 bool success) {
114 if (success) {
115 std::move(callback).Run(*networks);
116 } else {
117 std::move(callback).Run(base::nullopt);
118 }
119 }
120
121 #if defined(OS_ANDROID) && BUILDFLAG(USE_KERBEROS)
122 // Used for Negotiate authentication on Android, which needs to generate tokens
123 // in the browser process.
124 class NetworkServiceAuthNegotiateAndroid : public net::HttpAuthMechanism {
125 public:
NetworkServiceAuthNegotiateAndroid(NetworkContext * network_context,const net::HttpAuthPreferences * prefs)126 NetworkServiceAuthNegotiateAndroid(NetworkContext* network_context,
127 const net::HttpAuthPreferences* prefs)
128 : network_context_(network_context), auth_negotiate_(prefs) {}
129 ~NetworkServiceAuthNegotiateAndroid() override = default;
130
131 // HttpAuthMechanism implementation:
Init(const net::NetLogWithSource & net_log)132 bool Init(const net::NetLogWithSource& net_log) override {
133 return auth_negotiate_.Init(net_log);
134 }
135
NeedsIdentity() const136 bool NeedsIdentity() const override {
137 return auth_negotiate_.NeedsIdentity();
138 }
139
AllowsExplicitCredentials() const140 bool AllowsExplicitCredentials() const override {
141 return auth_negotiate_.AllowsExplicitCredentials();
142 }
143
ParseChallenge(net::HttpAuthChallengeTokenizer * tok)144 net::HttpAuth::AuthorizationResult ParseChallenge(
145 net::HttpAuthChallengeTokenizer* tok) override {
146 return auth_negotiate_.ParseChallenge(tok);
147 }
148
GenerateAuthToken(const net::AuthCredentials * credentials,const std::string & spn,const std::string & channel_bindings,std::string * auth_token,const net::NetLogWithSource & net_log,net::CompletionOnceCallback callback)149 int GenerateAuthToken(const net::AuthCredentials* credentials,
150 const std::string& spn,
151 const std::string& channel_bindings,
152 std::string* auth_token,
153 const net::NetLogWithSource& net_log,
154 net::CompletionOnceCallback callback) override {
155 network_context_->client()->OnGenerateHttpNegotiateAuthToken(
156 auth_negotiate_.server_auth_token(), auth_negotiate_.can_delegate(),
157 auth_negotiate_.GetAuthAndroidNegotiateAccountType(), spn,
158 base::BindOnce(&NetworkServiceAuthNegotiateAndroid::Finish,
159 weak_factory_.GetWeakPtr(), auth_token,
160 std::move(callback)));
161 return net::ERR_IO_PENDING;
162 }
163
SetDelegation(net::HttpAuth::DelegationType delegation_type)164 void SetDelegation(net::HttpAuth::DelegationType delegation_type) override {
165 auth_negotiate_.SetDelegation(delegation_type);
166 }
167
168 private:
Finish(std::string * auth_token_out,net::CompletionOnceCallback callback,int result,const std::string & auth_token)169 void Finish(std::string* auth_token_out,
170 net::CompletionOnceCallback callback,
171 int result,
172 const std::string& auth_token) {
173 *auth_token_out = auth_token;
174 std::move(callback).Run(result);
175 }
176
177 NetworkContext* network_context_ = nullptr;
178 net::android::HttpAuthNegotiateAndroid auth_negotiate_;
179 base::WeakPtrFactory<NetworkServiceAuthNegotiateAndroid> weak_factory_{this};
180 };
181
CreateAuthSystem(NetworkContext * network_context,const net::HttpAuthPreferences * prefs)182 std::unique_ptr<net::HttpAuthMechanism> CreateAuthSystem(
183 NetworkContext* network_context,
184 const net::HttpAuthPreferences* prefs) {
185 return std::make_unique<NetworkServiceAuthNegotiateAndroid>(network_context,
186 prefs);
187 }
188 #endif
189
190 // Called when NetworkService received a bad IPC message (but only when
191 // NetworkService is running in a separate process - otherwise the existing bad
192 // message handling inside the Browser process is sufficient).
HandleBadMessage(const std::string & error)193 void HandleBadMessage(const std::string& error) {
194 LOG(WARNING) << "Mojo error in NetworkService:" << error;
195 mojo::debug::ScopedMessageErrorCrashKey crash_key_value(error);
196 base::debug::DumpWithoutCrashing();
197 network::debug::ClearDeserializationCrashKeyString();
198 }
199
200 } // namespace
201
DataPipeUseTracker(NetworkService * network_service,DataPipeUser user)202 DataPipeUseTracker::DataPipeUseTracker(NetworkService* network_service,
203 DataPipeUser user)
204 : network_service_(network_service), user_(user) {}
205
DataPipeUseTracker(DataPipeUseTracker && that)206 DataPipeUseTracker::DataPipeUseTracker(DataPipeUseTracker&& that)
207 : DataPipeUseTracker(that.network_service_, that.user_) {
208 this->state_ = that.state_;
209 that.state_ = State::kReset;
210 }
211
~DataPipeUseTracker()212 DataPipeUseTracker::~DataPipeUseTracker() {
213 Reset();
214 }
215
Activate()216 void DataPipeUseTracker::Activate() {
217 DCHECK_EQ(state_, State::kInit);
218 network_service_->OnDataPipeCreated(user_);
219 state_ = State::kActivated;
220 }
221
Reset()222 void DataPipeUseTracker::Reset() {
223 if (state_ == State::kActivated) {
224 network_service_->OnDataPipeDropped(user_);
225 }
226 state_ = State::kReset;
227 }
228
229 // static
230 const base::TimeDelta NetworkService::kInitialDohProbeTimeout =
231 base::TimeDelta::FromSeconds(5);
232
233 // Handler of delaying calls to NetworkContext::ActivateDohProbes() until after
234 // an initial service startup delay.
235 class NetworkService::DelayedDohProbeActivator {
236 public:
DelayedDohProbeActivator(NetworkService * network_service)237 explicit DelayedDohProbeActivator(NetworkService* network_service)
238 : network_service_(network_service) {
239 DCHECK(network_service_);
240
241 // Delay initial DoH probes to prevent interference with startup tasks.
242 doh_probes_timer_.Start(
243 FROM_HERE, NetworkService::kInitialDohProbeTimeout,
244 base::BindOnce(&DelayedDohProbeActivator::ActivateAllDohProbes,
245 base::Unretained(this)));
246 }
247
248 DelayedDohProbeActivator(const DelayedDohProbeActivator&) = delete;
249 DelayedDohProbeActivator& operator=(const DelayedDohProbeActivator&) = delete;
250
251 // Activates DoH probes for |network_context| iff the initial startup delay
252 // has expired. Intended to be called on registration of contexts to activate
253 // probes for contexts created and registered after the initial delay has
254 // expired.
MaybeActivateDohProbes(NetworkContext * network_context)255 void MaybeActivateDohProbes(NetworkContext* network_context) {
256 // If timer is still running, probes will be started on completion.
257 if (doh_probes_timer_.IsRunning())
258 return;
259
260 network_context->ActivateDohProbes();
261 }
262
263 // Attempts to activate DoH probes for all contexts registered with the
264 // service. Intended to be called on expiration of |doh_probes_timer_| to
265 // activate probes for contexts registered during the initial delay.
ActivateAllDohProbes()266 void ActivateAllDohProbes() {
267 for (auto* network_context : network_service_->network_contexts_) {
268 MaybeActivateDohProbes(network_context);
269 }
270 }
271
272 private:
273 NetworkService* const network_service_;
274
275 // If running, DoH probes will be started on completion. If not running, DoH
276 // probes may be started at any time.
277 base::OneShotTimer doh_probes_timer_;
278 };
279
NetworkService(std::unique_ptr<service_manager::BinderRegistry> registry,mojo::PendingReceiver<mojom::NetworkService> receiver,bool delay_initialization_until_set_client)280 NetworkService::NetworkService(
281 std::unique_ptr<service_manager::BinderRegistry> registry,
282 mojo::PendingReceiver<mojom::NetworkService> receiver,
283 bool delay_initialization_until_set_client)
284 : net_log_(net::NetLog::Get()), registry_(std::move(registry)) {
285 DCHECK(!g_network_service);
286 g_network_service = this;
287
288 // |registry_| is nullptr when an in-process NetworkService is
289 // created directly, like in most unit tests.
290 if (registry_)
291 mojo::SetDefaultProcessErrorHandler(base::BindRepeating(&HandleBadMessage));
292
293 if (receiver.is_valid())
294 Bind(std::move(receiver));
295
296 if (!delay_initialization_until_set_client)
297 Initialize(mojom::NetworkServiceParams::New());
298
299 metrics_trigger_timer_.Start(FROM_HERE, base::TimeDelta::FromMinutes(20),
300 this, &NetworkService::ReportMetrics);
301 }
302
Initialize(mojom::NetworkServiceParamsPtr params,bool mock_network_change_notifier)303 void NetworkService::Initialize(mojom::NetworkServiceParamsPtr params,
304 bool mock_network_change_notifier) {
305 if (initialized_)
306 return;
307
308 initialized_ = true;
309
310 #if defined(OS_ANDROID) && defined(ARCH_CPU_ARMEL)
311 // Make sure OpenSSL is initialized before using it to histogram data.
312 crypto::EnsureOpenSSLInit();
313
314 // Measure CPUs with broken NEON units. See https://crbug.com/341598.
315 UMA_HISTOGRAM_BOOLEAN("Net.HasBrokenNEON", CRYPTO_has_broken_NEON());
316 // Measure Android kernels with missing AT_HWCAP2 auxv fields. See
317 // https://crbug.com/boringssl/46.
318 UMA_HISTOGRAM_BOOLEAN("Net.NeedsHWCAP2Workaround",
319 CRYPTO_needs_hwcap2_workaround());
320 #endif
321
322 if (!params->environment.empty())
323 SetEnvironment(std::move(params->environment));
324
325 base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
326
327 #if defined(OS_MAC)
328 if (!base::FeatureList::IsEnabled(network::features::kCertVerifierService) &&
329 base::FeatureList::IsEnabled(
330 net::features::kCertVerifierBuiltinFeature)) {
331 net::InitializeTrustStoreMacCache();
332 }
333 #endif
334
335 // Set-up the global port overrides.
336 if (command_line->HasSwitch(switches::kExplicitlyAllowedPorts)) {
337 std::string allowed_ports =
338 command_line->GetSwitchValueASCII(switches::kExplicitlyAllowedPorts);
339 net::SetExplicitlyAllowedPorts(allowed_ports);
340 }
341
342 // Record this once per session, though the switch is appled on a
343 // per-NetworkContext basis.
344 UMA_HISTOGRAM_BOOLEAN(
345 "Net.Certificate.IgnoreCertificateErrorsSPKIListPresent",
346 command_line->HasSwitch(switches::kIgnoreCertificateErrorsSPKIList));
347
348 network_change_manager_ = std::make_unique<NetworkChangeManager>(
349 CreateNetworkChangeNotifierIfNeeded(
350 net::NetworkChangeNotifier::ConnectionType(
351 params->initial_connection_type),
352 net::NetworkChangeNotifier::ConnectionSubtype(
353 params->initial_connection_subtype),
354 mock_network_change_notifier));
355
356 trace_net_log_observer_.WatchForTraceStart(net_log_);
357
358 // Add an observer that will emit network change events to |net_log_|.
359 // Assuming NetworkChangeNotifier dispatches in FIFO order, we should be
360 // logging the network change before other IO thread consumers respond to it.
361 network_change_observer_ =
362 std::make_unique<net::LoggingNetworkChangeObserver>(net_log_);
363
364 network_quality_estimator_manager_ =
365 std::make_unique<NetworkQualityEstimatorManager>(net_log_);
366
367 dns_config_change_manager_ = std::make_unique<DnsConfigChangeManager>();
368
369 host_resolver_manager_ = std::make_unique<net::HostResolverManager>(
370 net::HostResolver::ManagerOptions(),
371 net::NetworkChangeNotifier::GetSystemDnsConfigNotifier(), net_log_);
372 host_resolver_factory_ = std::make_unique<net::HostResolver::Factory>();
373
374 network_usage_accumulator_ = std::make_unique<NetworkUsageAccumulator>();
375
376 http_auth_cache_copier_ = std::make_unique<HttpAuthCacheCopier>();
377
378 crl_set_distributor_ = std::make_unique<CRLSetDistributor>();
379
380 legacy_tls_config_distributor_ =
381 std::make_unique<LegacyTLSConfigDistributor>();
382
383 doh_probe_activator_ = std::make_unique<DelayedDohProbeActivator>(this);
384
385 trust_token_key_commitments_ = std::make_unique<TrustTokenKeyCommitments>();
386
387 preloaded_first_party_sets_ = std::make_unique<PreloadedFirstPartySets>();
388 if (command_line->HasSwitch(switches::kUseFirstPartySet)) {
389 preloaded_first_party_sets_->SetManuallySpecifiedSet(
390 command_line->GetSwitchValueASCII(switches::kUseFirstPartySet));
391 }
392
393 #if BUILDFLAG(IS_CT_SUPPORTED)
394 constexpr size_t kMaxSCTAuditingCacheEntries = 1024;
395 sct_auditing_cache_ =
396 std::make_unique<SCTAuditingCache>(kMaxSCTAuditingCacheEntries);
397 #endif
398 }
399
~NetworkService()400 NetworkService::~NetworkService() {
401 DCHECK_EQ(this, g_network_service);
402
403 doh_probe_activator_.reset();
404
405 g_network_service = nullptr;
406 // Destroy owned network contexts.
407 DestroyNetworkContexts();
408
409 // All NetworkContexts (Owned and unowned) must have been deleted by this
410 // point.
411 DCHECK(network_contexts_.empty());
412
413 if (file_net_log_observer_) {
414 file_net_log_observer_->StopObserving(nullptr /*polled_data*/,
415 base::OnceClosure());
416 }
417
418 if (initialized_)
419 trace_net_log_observer_.StopWatchForTraceStart();
420 }
421
set_os_crypt_is_configured()422 void NetworkService::set_os_crypt_is_configured() {
423 os_crypt_config_set_ = true;
424 }
425
Create(mojo::PendingReceiver<mojom::NetworkService> receiver)426 std::unique_ptr<NetworkService> NetworkService::Create(
427 mojo::PendingReceiver<mojom::NetworkService> receiver) {
428 return std::make_unique<NetworkService>(nullptr, std::move(receiver));
429 }
430
CreateForTesting()431 std::unique_ptr<NetworkService> NetworkService::CreateForTesting() {
432 return std::make_unique<NetworkService>(
433 std::make_unique<service_manager::BinderRegistry>());
434 }
435
RegisterNetworkContext(NetworkContext * network_context)436 void NetworkService::RegisterNetworkContext(NetworkContext* network_context) {
437 DCHECK_EQ(0u, network_contexts_.count(network_context));
438 network_contexts_.insert(network_context);
439 if (quic_disabled_)
440 network_context->DisableQuic();
441
442 // The params may already be present, so we propagate it
443 // to this new network_context. When params gets changed
444 // via ConfigureHttpAuthPrefs method, we propagate the change
445 // to all NetworkContexts in |network_contexts_|
446 if (http_auth_dynamic_network_service_params_) {
447 network_context->OnHttpAuthDynamicParamsChanged(
448 http_auth_dynamic_network_service_params_.get());
449 }
450
451 if (doh_probe_activator_)
452 doh_probe_activator_->MaybeActivateDohProbes(network_context);
453 }
454
DeregisterNetworkContext(NetworkContext * network_context)455 void NetworkService::DeregisterNetworkContext(NetworkContext* network_context) {
456 DCHECK_EQ(1u, network_contexts_.count(network_context));
457 network_contexts_.erase(network_context);
458 }
459
460 #if BUILDFLAG(IS_ASH)
ReinitializeLogging(mojom::LoggingSettingsPtr settings)461 void NetworkService::ReinitializeLogging(mojom::LoggingSettingsPtr settings) {
462 logging::LoggingSettings logging_settings;
463 logging_settings.logging_dest = settings->logging_dest;
464 base::ScopedFD log_file_descriptor = settings->log_file_descriptor.TakeFD();
465 logging_settings.log_file = fdopen(log_file_descriptor.release(), "a");
466 if (!logging_settings.log_file) {
467 LOG(ERROR) << "Failed to open new log file handle";
468 return;
469 }
470 if (!logging::InitLogging(logging_settings))
471 LOG(ERROR) << "Unable to reinitialize logging";
472 }
473 #endif
474
CreateNetLogEntriesForActiveObjects(net::NetLog::ThreadSafeObserver * observer)475 void NetworkService::CreateNetLogEntriesForActiveObjects(
476 net::NetLog::ThreadSafeObserver* observer) {
477 std::set<net::URLRequestContext*> contexts;
478 for (NetworkContext* nc : network_contexts_)
479 contexts.insert(nc->url_request_context());
480 return net::CreateNetLogEntriesForActiveObjects(contexts, observer);
481 }
482
SetClient(mojo::PendingRemote<mojom::NetworkServiceClient> client,mojom::NetworkServiceParamsPtr params)483 void NetworkService::SetClient(
484 mojo::PendingRemote<mojom::NetworkServiceClient> client,
485 mojom::NetworkServiceParamsPtr params) {
486 client_.Bind(std::move(client));
487 Initialize(std::move(params));
488 }
489
StartNetLog(base::File file,net::NetLogCaptureMode capture_mode,base::Value client_constants)490 void NetworkService::StartNetLog(base::File file,
491 net::NetLogCaptureMode capture_mode,
492 base::Value client_constants) {
493 DCHECK(client_constants.is_dict());
494 std::unique_ptr<base::DictionaryValue> constants =
495 base::DictionaryValue::From(
496 base::Value::ToUniquePtrValue(net::GetNetConstants()));
497 constants->MergeDictionary(&client_constants);
498
499 file_net_log_observer_ = net::FileNetLogObserver::CreateUnboundedPreExisting(
500 std::move(file), capture_mode, std::move(constants));
501 file_net_log_observer_->StartObserving(net_log_);
502 }
503
AttachNetLogProxy(mojo::PendingRemote<mojom::NetLogProxySource> proxy_source,mojo::PendingReceiver<mojom::NetLogProxySink> proxy_sink)504 void NetworkService::AttachNetLogProxy(
505 mojo::PendingRemote<mojom::NetLogProxySource> proxy_source,
506 mojo::PendingReceiver<mojom::NetLogProxySink> proxy_sink) {
507 if (!net_log_proxy_sink_)
508 net_log_proxy_sink_ = std::make_unique<NetLogProxySink>();
509 net_log_proxy_sink_->AttachSource(std::move(proxy_source),
510 std::move(proxy_sink));
511 }
512
SetSSLKeyLogFile(base::File file)513 void NetworkService::SetSSLKeyLogFile(base::File file) {
514 net::SSLClientSocket::SetSSLKeyLogger(
515 std::make_unique<net::SSLKeyLoggerImpl>(std::move(file)));
516 }
517
CreateNetworkContext(mojo::PendingReceiver<mojom::NetworkContext> receiver,mojom::NetworkContextParamsPtr params)518 void NetworkService::CreateNetworkContext(
519 mojo::PendingReceiver<mojom::NetworkContext> receiver,
520 mojom::NetworkContextParamsPtr params) {
521 owned_network_contexts_.emplace(std::make_unique<NetworkContext>(
522 this, std::move(receiver), std::move(params),
523 base::BindOnce(&NetworkService::OnNetworkContextConnectionClosed,
524 base::Unretained(this))));
525 }
526
ConfigureStubHostResolver(bool insecure_dns_client_enabled,net::SecureDnsMode secure_dns_mode,base::Optional<std::vector<mojom::DnsOverHttpsServerPtr>> dns_over_https_servers)527 void NetworkService::ConfigureStubHostResolver(
528 bool insecure_dns_client_enabled,
529 net::SecureDnsMode secure_dns_mode,
530 base::Optional<std::vector<mojom::DnsOverHttpsServerPtr>>
531 dns_over_https_servers) {
532 DCHECK(!dns_over_https_servers || !dns_over_https_servers->empty());
533
534 // Enable or disable the insecure part of DnsClient. "DnsClient" is the class
535 // that implements the stub resolver.
536 host_resolver_manager_->SetInsecureDnsClientEnabled(
537 insecure_dns_client_enabled);
538
539 // Configure DNS over HTTPS.
540 net::DnsConfigOverrides overrides;
541 if (dns_over_https_servers && !dns_over_https_servers.value().empty()) {
542 overrides.dns_over_https_servers.emplace();
543 for (const auto& doh_server : *dns_over_https_servers) {
544 overrides.dns_over_https_servers.value().emplace_back(
545 doh_server->server_template, doh_server->use_post);
546 }
547 }
548 overrides.secure_dns_mode = secure_dns_mode;
549 overrides.allow_dns_over_https_upgrade =
550 base::FeatureList::IsEnabled(features::kDnsOverHttpsUpgrade);
551 overrides.disabled_upgrade_providers =
552 SplitString(features::kDnsOverHttpsUpgradeDisabledProvidersParam.Get(),
553 ",", base::TRIM_WHITESPACE, base::SPLIT_WANT_NONEMPTY);
554
555 host_resolver_manager_->SetDnsConfigOverrides(overrides);
556 }
557
DisableQuic()558 void NetworkService::DisableQuic() {
559 quic_disabled_ = true;
560
561 for (auto* network_context : network_contexts_) {
562 network_context->DisableQuic();
563 }
564 }
565
SetUpHttpAuth(mojom::HttpAuthStaticParamsPtr http_auth_static_params)566 void NetworkService::SetUpHttpAuth(
567 mojom::HttpAuthStaticParamsPtr http_auth_static_params) {
568 DCHECK(!http_auth_static_network_service_params_);
569 DCHECK(network_contexts_.empty());
570 http_auth_static_network_service_params_ = std::move(http_auth_static_params);
571 }
572
ConfigureHttpAuthPrefs(mojom::HttpAuthDynamicParamsPtr http_auth_dynamic_params)573 void NetworkService::ConfigureHttpAuthPrefs(
574 mojom::HttpAuthDynamicParamsPtr http_auth_dynamic_params) {
575 // We need to store it as a member variable because the method
576 // NetworkService::RegisterNetworkContext(NetworkContext *network_context)
577 // uses it to populate the HttpAuthPreferences of the incoming network_context
578 // with the latest dynamic params of the NetworkService.
579 http_auth_dynamic_network_service_params_ =
580 std::move(http_auth_dynamic_params);
581
582 for (NetworkContext* network_context : network_contexts_) {
583 network_context->OnHttpAuthDynamicParamsChanged(
584 http_auth_dynamic_network_service_params_.get());
585 }
586 }
587
SetRawHeadersAccess(int32_t process_id,const std::vector<url::Origin> & origins)588 void NetworkService::SetRawHeadersAccess(
589 int32_t process_id,
590 const std::vector<url::Origin>& origins) {
591 DCHECK(process_id);
592 if (!origins.size()) {
593 raw_headers_access_origins_by_pid_.erase(process_id);
594 } else {
595 raw_headers_access_origins_by_pid_[process_id] =
596 base::flat_set<url::Origin>(origins.begin(), origins.end());
597 }
598 }
599
SetMaxConnectionsPerProxy(int32_t max_connections)600 void NetworkService::SetMaxConnectionsPerProxy(int32_t max_connections) {
601 int new_limit = max_connections;
602 if (new_limit < 0)
603 new_limit = net::kDefaultMaxSocketsPerProxyServer;
604
605 // Clamp the value between min_limit and max_limit.
606 int max_limit = 99;
607 int min_limit = net::ClientSocketPoolManager::max_sockets_per_group(
608 net::HttpNetworkSession::NORMAL_SOCKET_POOL);
609 new_limit = base::ClampToRange(new_limit, min_limit, max_limit);
610
611 // Assign the global limit.
612 net::ClientSocketPoolManager::set_max_sockets_per_proxy_server(
613 net::HttpNetworkSession::NORMAL_SOCKET_POOL, new_limit);
614 }
615
HasRawHeadersAccess(int32_t process_id,const GURL & resource_url) const616 bool NetworkService::HasRawHeadersAccess(int32_t process_id,
617 const GURL& resource_url) const {
618 // Allow raw headers for browser-initiated requests.
619 if (!process_id)
620 return true;
621 auto it = raw_headers_access_origins_by_pid_.find(process_id);
622 if (it == raw_headers_access_origins_by_pid_.end())
623 return false;
624 return it->second.find(url::Origin::Create(resource_url)) != it->second.end();
625 }
626
net_log() const627 net::NetLog* NetworkService::net_log() const {
628 return net_log_;
629 }
630
GetNetworkChangeManager(mojo::PendingReceiver<mojom::NetworkChangeManager> receiver)631 void NetworkService::GetNetworkChangeManager(
632 mojo::PendingReceiver<mojom::NetworkChangeManager> receiver) {
633 network_change_manager_->AddReceiver(std::move(receiver));
634 }
635
GetNetworkQualityEstimatorManager(mojo::PendingReceiver<mojom::NetworkQualityEstimatorManager> receiver)636 void NetworkService::GetNetworkQualityEstimatorManager(
637 mojo::PendingReceiver<mojom::NetworkQualityEstimatorManager> receiver) {
638 network_quality_estimator_manager_->AddReceiver(std::move(receiver));
639 }
640
GetDnsConfigChangeManager(mojo::PendingReceiver<mojom::DnsConfigChangeManager> receiver)641 void NetworkService::GetDnsConfigChangeManager(
642 mojo::PendingReceiver<mojom::DnsConfigChangeManager> receiver) {
643 dns_config_change_manager_->AddReceiver(std::move(receiver));
644 }
645
GetTotalNetworkUsages(mojom::NetworkService::GetTotalNetworkUsagesCallback callback)646 void NetworkService::GetTotalNetworkUsages(
647 mojom::NetworkService::GetTotalNetworkUsagesCallback callback) {
648 std::move(callback).Run(network_usage_accumulator_->GetTotalNetworkUsages());
649 }
650
GetNetworkList(uint32_t policy,mojom::NetworkService::GetNetworkListCallback callback)651 void NetworkService::GetNetworkList(
652 uint32_t policy,
653 mojom::NetworkService::GetNetworkListCallback callback) {
654 auto networks = std::make_unique<net::NetworkInterfaceList>();
655 auto* raw_networks = networks.get();
656 // net::GetNetworkList may block depending on platform.
657 base::ThreadPool::PostTaskAndReplyWithResult(
658 FROM_HERE, {base::MayBlock()},
659 base::BindOnce(&net::GetNetworkList, raw_networks, policy),
660 base::BindOnce(&OnGetNetworkList, std::move(networks),
661 std::move(callback)));
662 }
663
UpdateCRLSet(base::span<const uint8_t> crl_set,mojom::NetworkService::UpdateCRLSetCallback callback)664 void NetworkService::UpdateCRLSet(
665 base::span<const uint8_t> crl_set,
666 mojom::NetworkService::UpdateCRLSetCallback callback) {
667 crl_set_distributor_->OnNewCRLSet(crl_set, std::move(callback));
668 }
669
UpdateLegacyTLSConfig(base::span<const uint8_t> config,mojom::NetworkService::UpdateLegacyTLSConfigCallback callback)670 void NetworkService::UpdateLegacyTLSConfig(
671 base::span<const uint8_t> config,
672 mojom::NetworkService::UpdateLegacyTLSConfigCallback callback) {
673 legacy_tls_config_distributor_->OnNewLegacyTLSConfig(config,
674 std::move(callback));
675 }
676
OnCertDBChanged()677 void NetworkService::OnCertDBChanged() {
678 net::CertDatabase::GetInstance()->NotifyObserversCertDBChanged();
679 }
680
681 #if defined(OS_LINUX) || BUILDFLAG(IS_LACROS) || defined(OS_BSD)
SetCryptConfig(mojom::CryptConfigPtr crypt_config)682 void NetworkService::SetCryptConfig(mojom::CryptConfigPtr crypt_config) {
683 #if !BUILDFLAG(IS_CHROMECAST)
684 DCHECK(!os_crypt_config_set_);
685 auto config = std::make_unique<os_crypt::Config>();
686 config->store = crypt_config->store;
687 config->product_name = crypt_config->product_name;
688 config->main_thread_runner = base::ThreadTaskRunnerHandle::Get();
689 config->should_use_preference = crypt_config->should_use_preference;
690 config->user_data_path = crypt_config->user_data_path;
691 OSCrypt::SetConfig(std::move(config));
692 os_crypt_config_set_ = true;
693 #endif
694 }
695 #endif
696
697 #if defined(OS_WIN) || defined(OS_MAC)
SetEncryptionKey(const std::string & encryption_key)698 void NetworkService::SetEncryptionKey(const std::string& encryption_key) {
699 OSCrypt::SetRawEncryptionKey(encryption_key);
700 }
701 #endif
702
AddCorbExceptionForPlugin(int32_t process_id)703 void NetworkService::AddCorbExceptionForPlugin(int32_t process_id) {
704 DCHECK_NE(mojom::kBrowserProcessId, process_id);
705 CrossOriginReadBlockingExceptionForPlugin::AddExceptionForPlugin(process_id);
706 }
707
AddAllowedRequestInitiatorForPlugin(int32_t process_id,const url::Origin & allowed_request_initiator)708 void NetworkService::AddAllowedRequestInitiatorForPlugin(
709 int32_t process_id,
710 const url::Origin& allowed_request_initiator) {
711 DCHECK_NE(mojom::kBrowserProcessId, process_id);
712 std::map<int, std::set<url::Origin>>& map = plugin_origins_;
713 map[process_id].insert(allowed_request_initiator);
714 }
715
RemoveSecurityExceptionsForPlugin(int32_t process_id)716 void NetworkService::RemoveSecurityExceptionsForPlugin(int32_t process_id) {
717 DCHECK_NE(mojom::kBrowserProcessId, process_id);
718
719 CrossOriginReadBlockingExceptionForPlugin::RemoveExceptionForPlugin(
720 process_id);
721
722 std::map<int, std::set<url::Origin>>& map = plugin_origins_;
723 map.erase(process_id);
724 }
725
IsInitiatorAllowedForPlugin(int process_id,const url::Origin & request_initiator)726 bool NetworkService::IsInitiatorAllowedForPlugin(
727 int process_id,
728 const url::Origin& request_initiator) {
729 const std::map<int, std::set<url::Origin>>& map = plugin_origins_;
730 const auto it = map.find(process_id);
731 if (it == map.end())
732 return false;
733
734 const std::set<url::Origin>& allowed_origins = it->second;
735 return base::Contains(allowed_origins, request_initiator);
736 }
737
OnMemoryPressure(base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level)738 void NetworkService::OnMemoryPressure(
739 base::MemoryPressureListener::MemoryPressureLevel memory_pressure_level) {
740 base::MemoryPressureListener::NotifyMemoryPressure(memory_pressure_level);
741 }
742
OnPeerToPeerConnectionsCountChange(uint32_t count)743 void NetworkService::OnPeerToPeerConnectionsCountChange(uint32_t count) {
744 network_quality_estimator_manager_->GetNetworkQualityEstimator()
745 ->OnPeerToPeerConnectionsCountChange(count);
746 }
747
748 #if defined(OS_ANDROID)
OnApplicationStateChange(base::android::ApplicationState state)749 void NetworkService::OnApplicationStateChange(
750 base::android::ApplicationState state) {
751 for (auto* network_context : network_contexts_)
752 network_context->app_status_listener()->Notify(state);
753 }
754 #endif
755
SetEnvironment(std::vector<mojom::EnvironmentVariablePtr> environment)756 void NetworkService::SetEnvironment(
757 std::vector<mojom::EnvironmentVariablePtr> environment) {
758 std::unique_ptr<base::Environment> env(base::Environment::Create());
759 for (const auto& variable : environment)
760 env->SetVar(variable->name, variable->value);
761 }
762
SetTrustTokenKeyCommitments(const std::string & raw_commitments,base::OnceClosure done)763 void NetworkService::SetTrustTokenKeyCommitments(
764 const std::string& raw_commitments,
765 base::OnceClosure done) {
766 trust_token_key_commitments_->ParseAndSet(raw_commitments);
767 std::move(done).Run();
768 }
769
770 #if BUILDFLAG(IS_CT_SUPPORTED)
ClearSCTAuditingCache()771 void NetworkService::ClearSCTAuditingCache() {
772 sct_auditing_cache_->ClearCache();
773 }
774
ConfigureSCTAuditing(bool enabled,double sampling_rate,const GURL & reporting_uri,const net::MutableNetworkTrafficAnnotationTag & traffic_annotation,mojo::PendingRemote<mojom::URLLoaderFactory> factory)775 void NetworkService::ConfigureSCTAuditing(
776 bool enabled,
777 double sampling_rate,
778 const GURL& reporting_uri,
779 const net::MutableNetworkTrafficAnnotationTag& traffic_annotation,
780 mojo::PendingRemote<mojom::URLLoaderFactory> factory) {
781 sct_auditing_cache_->set_enabled(enabled);
782 sct_auditing_cache_->set_sampling_rate(sampling_rate);
783 sct_auditing_cache_->set_report_uri(reporting_uri);
784 sct_auditing_cache_->set_traffic_annotation(traffic_annotation);
785 sct_auditing_cache_->set_url_loader_factory(std::move(factory));
786 }
787 #endif
788
789 #if defined(OS_ANDROID)
DumpWithoutCrashing(base::Time dump_request_time)790 void NetworkService::DumpWithoutCrashing(base::Time dump_request_time) {
791 static base::debug::CrashKeyString* time_key =
792 base::debug::AllocateCrashKeyString("time_since_dump_request_ms",
793 base::debug::CrashKeySize::Size32);
794 base::debug::ScopedCrashKeyString scoped_time(
795 time_key, base::NumberToString(
796 (base::Time::Now() - dump_request_time).InMilliseconds()));
797 base::debug::DumpWithoutCrashing();
798 }
799 #endif
800
BindTestInterface(mojo::PendingReceiver<mojom::NetworkServiceTest> receiver)801 void NetworkService::BindTestInterface(
802 mojo::PendingReceiver<mojom::NetworkServiceTest> receiver) {
803 if (registry_) {
804 auto pipe = receiver.PassPipe();
805 registry_->TryBindInterface(mojom::NetworkServiceTest::Name_, &pipe);
806 }
807 }
808
SetPreloadedFirstPartySets(const std::string & raw_sets)809 void NetworkService::SetPreloadedFirstPartySets(const std::string& raw_sets) {
810 preloaded_first_party_sets_->ParseAndSet(raw_sets);
811 }
812
813 std::unique_ptr<net::HttpAuthHandlerFactory>
CreateHttpAuthHandlerFactory(NetworkContext * network_context)814 NetworkService::CreateHttpAuthHandlerFactory(NetworkContext* network_context) {
815 if (!http_auth_static_network_service_params_) {
816 return net::HttpAuthHandlerFactory::CreateDefault(
817 network_context->GetHttpAuthPreferences()
818 #if defined(OS_ANDROID) && BUILDFLAG(USE_KERBEROS)
819 ,
820 base::BindRepeating(&CreateAuthSystem, network_context)
821 #endif
822 );
823 }
824
825 return net::HttpAuthHandlerRegistryFactory::Create(
826 network_context->GetHttpAuthPreferences(),
827 http_auth_static_network_service_params_->supported_schemes
828 #if BUILDFLAG(USE_EXTERNAL_GSSAPI)
829 ,
830 http_auth_static_network_service_params_->gssapi_library_name
831 #endif
832 #if defined(OS_ANDROID) && BUILDFLAG(USE_KERBEROS)
833 ,
834 base::BindRepeating(&CreateAuthSystem, network_context)
835 #endif
836 );
837 }
838
OnBeforeURLRequest()839 void NetworkService::OnBeforeURLRequest() {
840 MaybeStartUpdateLoadInfoTimer();
841 }
842
OnDataPipeCreated(DataPipeUser user)843 void NetworkService::OnDataPipeCreated(DataPipeUser user) {
844 auto& entry = data_pipe_use_[user];
845 ++entry.current;
846 entry.max = std::max(entry.max, entry.current);
847 }
848
OnDataPipeDropped(DataPipeUser user)849 void NetworkService::OnDataPipeDropped(DataPipeUser user) {
850 auto& entry = data_pipe_use_[user];
851 DCHECK_GT(entry.current, 0);
852 --entry.current;
853 entry.min = std::min(entry.min, entry.current);
854 }
855
StopMetricsTimerForTesting()856 void NetworkService::StopMetricsTimerForTesting() {
857 metrics_trigger_timer_.Stop();
858 }
859
DestroyNetworkContexts()860 void NetworkService::DestroyNetworkContexts() {
861 owned_network_contexts_.clear();
862 }
863
OnNetworkContextConnectionClosed(NetworkContext * network_context)864 void NetworkService::OnNetworkContextConnectionClosed(
865 NetworkContext* network_context) {
866 auto it = owned_network_contexts_.find(network_context);
867 DCHECK(it != owned_network_contexts_.end());
868 owned_network_contexts_.erase(it);
869 }
870
MaybeStartUpdateLoadInfoTimer()871 void NetworkService::MaybeStartUpdateLoadInfoTimer() {
872 if (waiting_on_load_state_ack_ || update_load_info_timer_.IsRunning())
873 return;
874
875 bool has_loader = false;
876 for (auto* network_context : network_contexts_) {
877 if (!network_context->url_request_context()->url_requests()->empty()) {
878 has_loader = true;
879 break;
880 }
881 }
882
883 if (!has_loader)
884 return;
885
886 update_load_info_timer_.Start(FROM_HERE, kUpdateLoadStatesInterval, this,
887 &NetworkService::UpdateLoadInfo);
888 }
889
UpdateLoadInfo()890 void NetworkService::UpdateLoadInfo() {
891 // For requests from the same {process_id, routing_id} pair, pick the most
892 // important. For ones from the browser, return all of them.
893 std::vector<mojom::LoadInfoPtr> infos;
894 std::map<std::pair<int32_t, int32_t>, mojom::LoadInfoPtr> frame_infos;
895
896 for (auto* network_context : network_contexts_) {
897 for (auto* loader :
898 *network_context->url_request_context()->url_requests()) {
899 auto* url_loader = URLLoader::ForRequest(*loader);
900 if (!url_loader)
901 continue;
902
903 auto process_id = url_loader->GetProcessId();
904 auto routing_id = url_loader->GetRenderFrameId();
905 if (routing_id == MSG_ROUTING_NONE) {
906 // If there is no routing_id, then the browser can't associate this with
907 // a page so no need to send.
908 continue;
909 }
910
911 auto load_info = mojom::LoadInfo::New();
912 load_info->process_id = process_id;
913 load_info->routing_id = routing_id;
914 load_info->host = loader->url().host();
915 auto load_state = loader->GetLoadState();
916 load_info->load_state = static_cast<uint32_t>(load_state.state);
917 load_info->state_param = std::move(load_state.param);
918 auto upload_progress = loader->GetUploadProgress();
919 load_info->upload_size = upload_progress.size();
920 load_info->upload_position = upload_progress.position();
921
922 if (process_id == 0) {
923 // Requests from the browser can't be compared to ones from child
924 // processes, so send them all without looking for the most interesting.
925 infos.push_back(std::move(load_info));
926 continue;
927 }
928
929 auto key = std::make_pair(process_id, routing_id);
930 auto existing = frame_infos.find(key);
931 if (existing == frame_infos.end() ||
932 LoadInfoIsMoreInteresting(*load_info, *existing->second)) {
933 frame_infos[key] = std::move(load_info);
934 }
935 }
936 }
937
938 for (auto& it : frame_infos)
939 infos.push_back(std::move(it.second));
940
941 if (infos.empty())
942 return;
943
944 DCHECK(!waiting_on_load_state_ack_);
945 waiting_on_load_state_ack_ = true;
946 client_->OnLoadingStateUpdate(
947 std::move(infos), base::BindOnce(&NetworkService::AckUpdateLoadInfo,
948 base::Unretained(this)));
949 }
950
AckUpdateLoadInfo()951 void NetworkService::AckUpdateLoadInfo() {
952 DCHECK(waiting_on_load_state_ack_);
953 waiting_on_load_state_ack_ = false;
954 MaybeStartUpdateLoadInfoTimer();
955 }
956
ReportMetrics()957 void NetworkService::ReportMetrics() {
958 UMA_HISTOGRAM_COUNTS_10000("Net.DataPipeUseForUrlLoader.Min",
959 data_pipe_use_[DataPipeUser::kUrlLoader].min);
960 UMA_HISTOGRAM_COUNTS_10000("Net.DataPipeUseForUrlLoader.Max",
961 data_pipe_use_[DataPipeUser::kUrlLoader].max);
962 UMA_HISTOGRAM_COUNTS_10000("Net.DataPipeUseForWebSocket.Min",
963 data_pipe_use_[DataPipeUser::kWebSocket].min);
964 UMA_HISTOGRAM_COUNTS_10000("Net.DataPipeUseForWebSocket.Max",
965 data_pipe_use_[DataPipeUser::kWebSocket].max);
966
967 for (auto& pair : data_pipe_use_) {
968 DataPipeUsage& entry = pair.second;
969 entry.max = entry.current;
970 entry.min = entry.current;
971 }
972 }
973
Bind(mojo::PendingReceiver<mojom::NetworkService> receiver)974 void NetworkService::Bind(
975 mojo::PendingReceiver<mojom::NetworkService> receiver) {
976 DCHECK(!receiver_.is_bound());
977 receiver_.Bind(std::move(receiver));
978 }
979
980 // static
GetNetworkServiceForTesting()981 NetworkService* NetworkService::GetNetworkServiceForTesting() {
982 return g_network_service;
983 }
984
985 } // namespace network
986