Headless: support cookie encryption

- enable cookie encryption by default (use --disable-cookie-encryption to turn it off); - configure OSCrypt iff cookie encryption is enabled and profile path is set (there was a bug there, but it was masked by cookie encryption being disabled); - properly configure SSL channel id storage; - use mock keychain on MacOSX Bug: 864744 Change-Id: Ice97864bb80d8988e3e090310b35c509031a8e7d Reviewed-on: https://chromium-review.googlesource.com/c/1274199Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#599696}

Headless: support cookie encryption
- enable cookie encryption by default (use --disable-cookie-encryption to turn it off); - configure OSCrypt iff cookie encryption is enabled and profile path is set (there was a bug there, but it was masked by cookie encryption being disabled); - properly configure SSL channel id storage; - use mock keychain on MacOSX Bug: 864744 Change-Id: Ice97864bb80d8988e3e090310b35c509031a8e7d Reviewed-on: https://chromium-review.googlesource.com/c/1274199Reviewed-by: Dmitry Gozman <dgozman@chromium.org> Commit-Queue: Andrey Kosyakov <caseq@chromium.org> Cr-Commit-Position: refs/heads/master@{#599696}
14f0d10a · Andrey Kosyakov · Commit Bot · 3211c2f5 · 14f0d10a · 14f0d10a
Commit 14f0d10a authored Oct 15, 2018 by Andrey Kosyakov Committed by Commit Bot Oct 15, 2018
6 changed files
--- a/headless/BUILD.gn
+++ b/headless/BUILD.gn
@@ -866,6 +866,7 @@ jumbo_static_library("headless_shell_lib") {

  deps = [
    ":headless_renderer",
+    "//components/os_crypt",
    "//components/security_state/content",
    "//content/public/app:both",
    "//content/public/browser",

--- a/headless/app/headless_shell.cc
+++ b/headless/app/headless_shell.cc
@@ -26,6 +26,7 @@
 #include "base/task_runner_util.h"
 #include "build/build_config.h"
 #include "cc/base/switches.h"
+#include "components/os_crypt/os_crypt_switches.h"
 #include "components/viz/common/switches.h"
 #include "content/public/app/content_main.h"
 #include "content/public/browser/browser_thread.h"
@@ -652,6 +653,10 @@ int HeadlessShellMain(int argc, const char** argv) {
  builder.SetCrashDumpsDir(dumps_path);
 #endif

+#if defined(OS_MACOSX)
+  command_line.AppendSwitch(os_crypt::switches::kUseMockKeychain);
+#endif
+
  if (command_line.HasSwitch(switches::kDeterministicMode)) {
    command_line.AppendSwitch(switches::kEnableBeginFrameControl);


--- a/headless/app/headless_shell_switches.cc
+++ b/headless/app/headless_shell_switches.cc
@@ -12,6 +12,9 @@ namespace switches {
 // transparent.
 const char kDefaultBackgroundColor[] = "default-background-color";

+// Whether cookies stored as part of user profile are encrypted.
+const char kDisableCookieEncryption[] = "disable-cookie-encryption";
+
 // Whether or not begin frames should be issued over DevToolsProtocol
 // (experimental).
 const char kEnableBeginFrameControl[] = "enable-begin-frame-control";

--- a/headless/app/headless_shell_switches.h
+++ b/headless/app/headless_shell_switches.h
@@ -14,6 +14,7 @@ namespace switches {
 HEADLESS_EXPORT extern const char kCrashDumpsDir[];
 HEADLESS_EXPORT extern const char kDefaultBackgroundColor[];
 HEADLESS_EXPORT extern const char kDeterministicMode[];
+HEADLESS_EXPORT extern const char kDisableCookieEncryption[];
 HEADLESS_EXPORT extern const char kDisableCrashReporter[];
 HEADLESS_EXPORT extern const char kDumpDom[];
 HEADLESS_EXPORT extern const char kEnableBeginFrameControl[];

--- a/headless/lib/browser/headless_request_context_manager.cc
+++ b/headless/lib/browser/headless_request_context_manager.cc
@@ -244,26 +244,14 @@ HeadlessRequestContextManager::CreateSystemContext(
  auto manager = std::make_unique<HeadlessRequestContextManager>(
      options, base::FilePath());
  manager->is_system_context_ = true;
-  auto* network_service = content::GetNetworkService();

  base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
  auto auth_params = ::network::mojom::HttpAuthDynamicParams::New();
  auth_params->server_whitelist =
      command_line->GetSwitchValueASCII(switches::kAuthServerWhitelist);
+  auto* network_service = content::GetNetworkService();
  network_service->ConfigureHttpAuthPrefs(std::move(auth_params));

-#if defined(OS_LINUX) && !defined(OS_CHROMEOS)
-  if (manager->user_data_path_.empty()) {
-    ::network::mojom::CryptConfigPtr config =
-        ::network::mojom::CryptConfig::New();
-    config->store = command_line->GetSwitchValueASCII(switches::kPasswordStore);
-    config->product_name = kProductName;
-    config->should_use_preference = false;
-    config->user_data_path = manager->user_data_path_;
-    network_service->SetCryptConfig(std::move(config));
-  }
-#endif
-
  if (!manager->network_service_enabled_) {
    manager->Initialize();
    return manager;
@@ -279,6 +267,9 @@ HeadlessRequestContextManager::HeadlessRequestContextManager(
    base::FilePath user_data_path)
    : network_service_enabled_(
          base::FeatureList::IsEnabled(::network::features::kNetworkService)),
+      cookie_encryption_enabled_(
+          !base::CommandLine::ForCurrentProcess()->HasSwitch(
+              switches::kDisableCookieEncryption)),
      io_task_runner_(base::CreateSingleThreadTaskRunnerWithTraits(
          {content::BrowserThread::IO})),
      user_data_path_(std::move(user_data_path)),
@@ -297,6 +288,7 @@ HeadlessRequestContextManager::HeadlessRequestContextManager(
    proxy_config_monitor_ =
        std::make_unique<HeadlessProxyConfigMonitor>(proxy_monitor_task_runner);
  }
+  MaybeSetUpOSCrypt();
 }

 HeadlessRequestContextManager::~HeadlessRequestContextManager() {
@@ -382,21 +374,42 @@ void HeadlessRequestContextManager::InitializeOnIO() {
  url_request_context_getter_->SetURLRequestContext(builder.Build());
 }

+void HeadlessRequestContextManager::MaybeSetUpOSCrypt() {
+  static bool initialized = false;
+  if (initialized || !cookie_encryption_enabled_)
+    return;
+  if (user_data_path_.empty())
+    return;
+#if defined(OS_LINUX) && !defined(OS_CHROMEOS)
+  ::network::mojom::CryptConfigPtr config =
+      ::network::mojom::CryptConfig::New();
+  config->store = base::CommandLine::ForCurrentProcess()->GetSwitchValueASCII(
+      switches::kPasswordStore);
+  config->product_name = kProductName;
+  config->should_use_preference = false;
+  config->user_data_path = user_data_path_;
+  content::GetNetworkService()->SetCryptConfig(std::move(config));
+#endif
+  initialized = true;
+}
+
 ::network::mojom::NetworkContextParamsPtr
 HeadlessRequestContextManager::CreateNetworkContextParams() {
  auto context_params = ::network::mojom::NetworkContextParams::New();

  context_params->user_agent = user_agent_;
  context_params->accept_language = accept_language_;
-  context_params->enable_encrypted_cookies = false;
  // TODO(skyostil): Make these configurable.
  context_params->enable_data_url_support = true;
  context_params->enable_file_url_support = true;
  context_params->primary_network_context = is_system_context_;

  if (!user_data_path_.empty()) {
+    context_params->enable_encrypted_cookies = cookie_encryption_enabled_;
    context_params->cookie_path =
        user_data_path_.Append(FILE_PATH_LITERAL("Cookies"));
+    context_params->channel_id_path =
+        user_data_path_.Append(FILE_PATH_LITERAL("Origin Bound Certs"));
  }
  if (proxy_config_) {
    context_params->initial_proxy_config = net::ProxyConfigWithAnnotation(

--- a/headless/lib/browser/headless_request_context_manager.h
+++ b/headless/lib/browser/headless_request_context_manager.h
@@ -52,10 +52,12 @@ class HeadlessRequestContextManager {
 private:
  void Initialize();
  void InitializeOnIO();
+  void MaybeSetUpOSCrypt();

  ::network::mojom::NetworkContextParamsPtr CreateNetworkContextParams();

  const bool network_service_enabled_;
+  const bool cookie_encryption_enabled_;

  scoped_refptr<base::SingleThreadTaskRunner> io_task_runner_;