Whitelist access to HostResolver headers.

Convert the //net/dns:public source_set into :host_resolver and move all public headers to source. Access to these previously-public headers will now only be allowed for BUILD.gn rules listed in the friend list. Added friend entries with explanation comments for all remaining usage. Some with TODOs to remove, eg because they'll be migrated to network service. Confirmed that there are no other remaining usage in code where private headers are or are not enforced (checking unenforced by searching for "net/dns" in the error output). Removed a couple includes that were no longer needed. TBR=jochen@chromium.org Bug: 846454 Change-Id: I7bb633088689dc896f9fc27e1dec87ae699410db Reviewed-on: https://chromium-review.googlesource.com/1183981 Commit-Queue: Eric Orth <ericorth@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#586362}

Whitelist access to HostResolver headers.
Convert the //net/dns:public source_set into :host_resolver and move all public headers to source. Access to these previously-public headers will now only be allowed for BUILD.gn rules listed in the friend list. Added friend entries with explanation comments for all remaining usage. Some with TODOs to remove, eg because they'll be migrated to network service. Confirmed that there are no other remaining usage in code where private headers are or are not enforced (checking unenforced by searching for "net/dns" in the error output). Removed a couple includes that were no longer needed. TBR=jochen@chromium.org Bug: 846454 Change-Id: I7bb633088689dc896f9fc27e1dec87ae699410db Reviewed-on: https://chromium-review.googlesource.com/1183981 Commit-Queue: Eric Orth <ericorth@chromium.org> Reviewed-by: Maks Orlovich <morlovich@chromium.org> Cr-Commit-Position: refs/heads/master@{#586362}
168a7e5b · Eric Orth · Commit Bot · 31237fb5 · 168a7e5b · 168a7e5b
Commit 168a7e5b authored Aug 27, 2018 by Eric Orth Committed by Commit Bot Aug 27, 2018
6 changed files
--- a/chrome/service/net/service_url_request_context_getter.h
+++ b/chrome/service/net/service_url_request_context_getter.h
@@ -10,7 +10,6 @@
 #include "net/cookies/cookie_monster.h"
 #include "net/disk_cache/disk_cache.h"
-#include "net/dns/host_resolver.h"
 #include "net/ftp/ftp_network_layer.h"
 #include "net/http/http_auth_handler_factory.h"
 #include "net/http/http_cache.h"

--- a/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.h
+++ b/content/browser/renderer_host/pepper/pepper_tcp_socket_message_filter.h
@@ -22,7 +22,6 @@
 #include "mojo/public/cpp/bindings/binding.h"
 #include "net/base/address_list.h"
 #include "net/base/ip_endpoint.h"
-#include "net/dns/host_resolver.h"
 #include "net/socket/tcp_socket.h"
 #include "ppapi/c/pp_instance.h"
 #include "ppapi/c/ppb_tcp_socket.h"

--- a/extensions/browser/api/dns/dns_api.h
+++ b/extensions/browser/api/dns/dns_api.h
@@ -11,7 +11,6 @@
 #include "mojo/public/cpp/bindings/binding.h"
 #include "net/base/address_list.h"
 #include "net/base/completion_callback.h"
-#include "net/dns/host_resolver.h"
 #include "services/network/public/mojom/network_context.mojom.h"
 namespace extensions {

--- a/extensions/browser/api/socket/socket_api.h
+++ b/extensions/browser/api/socket/socket_api.h
@@ -23,7 +23,6 @@
 #include "mojo/public/cpp/bindings/binding.h"
 #include "net/base/address_list.h"
 #include "net/base/network_change_notifier.h"
-#include "net/dns/host_resolver.h"
 #include "net/socket/tcp_client_socket.h"
 #include "services/network/public/mojom/host_resolver.mojom.h"
 #include "services/network/public/mojom/network_service.mojom.h"

--- a/net/BUILD.gn
+++ b/net/BUILD.gn
@@ -386,17 +386,17 @@ component("net") {
    ":net_public_deps",
    "//net/dns",
    "//net/dns:dns_client",
+    "//net/dns:host_resolver",
    "//net/dns:host_resolver_impl",
    "//net/dns:mdns_client",
-    "//net/dns:public",
  ]
  allow_circular_includes_from = [
    "//net/dns",
    "//net/dns:dns_client",
+    "//net/dns:host_resolver",
    "//net/dns:host_resolver_impl",
    "//net/dns:mdns_client",
-    "//net/dns:public",
  ]
  if (!is_nacl) {
@@ -2126,9 +2126,9 @@ source_set("net_deps") {
    ":net",
    "//net/dns",
    "//net/dns:dns_client",
+    "//net/dns:host_resolver",
    "//net/dns:host_resolver_impl",
    "//net/dns:mdns_client",
-    "//net/dns:public",
  ]
  public_deps = [
@@ -2190,9 +2190,9 @@ source_set("net_public_deps") {
    ":net",
    "//net/dns",
    "//net/dns:dns_client",
+    "//net/dns:host_resolver",
    "//net/dns:host_resolver_impl",
    "//net/dns:mdns_client",
-    "//net/dns:public",
  ]
  public_deps = [

--- a/net/dns/BUILD.gn
+++ b/net/dns/BUILD.gn
@@ -95,43 +95,109 @@ source_set("dns") {
  public_deps = [
    ":dns_client",
+    ":host_resolver",
    ":host_resolver_impl",
    ":mdns_client",
-    ":public",
    "//net:net_public_deps",
  ]
  allow_circular_includes_from = [
    ":dns_client",
+    ":host_resolver",
    ":host_resolver_impl",
    ":mdns_client",
-    ":public",
  ]
 }
-# The standard public API of net/dns. Available for use both inside and outside
+# The standard API of net/dns.
-# the network stack by any code that needs it.
+#
-# TODO(crbug.com/821021): Servicify and convert all non-constant external usage
+# Should typically only be used within the network service. Usage external to
-# to IPCs.
+# the network service should instead use network service Mojo IPCs for host
-source_set("public") {
+# resolution. See ResolveHost() in
+# /services/network/public/mojom/network_context.mojom and
+# /services/network/public/mojom/host_resolver.mojom.
+source_set("host_resolver") {
  # Due to circular dependencies, should only be depended on through //net.
  # Limit visibility to //net and other source_sets with the same access
  # restriction.
  visibility = [
    ":dns",
-    ":dns_client",
    ":host_resolver_impl",
    ":mdns_client",
    "//net",
  ]
+  # Whitelist-only access so we can keep track of all usage external to the
+  # network stack and network service.
+  friend = [
+    # chrome/browser/devtools/device/tcp_device_provider.cc
+    # TODO(crbug.com/874653): Remove once migrated to network service IPC.
+    #
+    # chrome/browser/devtools/device/port_forwarding_controller.cc
+    # TODO(crbug.com/874651): Remove once migrated to network service IPC.
+    "//chrome/browser/devtools",
+    # chrome/browser/io_thread.cc
+    # Used to build in-process HostResolver when network service disabled.
+    #
+    # chrome/browser/net/dns_probe_service.cc
+    # TODO(crbug.com/874660): Remove once migrated to network service IPC.
+    #
+    # chrome/browser/net/url_info.h
+    # chrome/browser/net_benchmarking.cc
+    # HostResolver only used for deprecated net::Predictor.
+    # TODO(crbug.com/875238): Remove once deprecated code is removed.
+    "//chrome/browser",
+    # chrome/browser/ui/webui/net_internals/net_internals_ui.cc
+    # TODO(crbug.com/876110): Remove once migrated to network service IPC.
+    "//chrome/browser/ui",
+    # chromecast/browser/url_request_context_factory.cc
+    # URLRequestContext creation for chromecast.
+    "//chromecast/browser",
+    # components/network_hints/browser/network_hints_message_filter.cc
+    # TODO(crbug.com/874654): Remove once migrated to network service IPC.
+    "//components/network_hints/browser",
+    # content/public/browser/resource_hints.h
+    # Deprecated and soon to be removed.
+    # TODO(crbug.com/875238): Remove once code is removed.
+    "//content/public/browser:browser_sources",
+    # headless/lib/browser/headless_url_request_context_getter.cc
+    # URLRequestContext creation for headless.
+    "//headless",
+    # URLRequestContext and HttpNetworkSession::Context creation for iOS.
+    "//ios/components/io_thread",
+    "//ios/web/shell",
+    "//ios/web_view:*",
+    # Tests and test support.
+    "//chrome/browser:test_support",
+    "//chrome/test:browser_tests",
+    "//components/grpc_support/test:unit_tests",
+    "//content/shell:content_shell_lib",
+    # Stand-alone tools.
+    "//components/sync/tools:*",
+    "//google_apis/gcm:mcs_probe",
+    # Network stack/service.
+    "//components/certificate_transparency/*",
+    "//components/cronet/*",
+    "//net/*",
+    "//services/network/*",
+  ]
  sources = []
  public = []
  if (!is_nacl) {
-    public += [
+    sources += [
      "dns_config_service.h",
-      "dns_protocol.h",
      "host_cache.h",
      "host_resolver.h",
      "mapped_host_resolver.h",
@@ -154,7 +220,6 @@ source_set("host_resolver_impl") {
  # restriction.
  visibility = [
    ":dns",
-    ":public",
    "//net",
  ]
@@ -178,7 +243,7 @@ source_set("host_resolver_impl") {
  }
  deps = [
-    ":public",
+    ":host_resolver",
    "//net:net_deps",
  ]
  public_deps = [
@@ -210,6 +275,7 @@ source_set("dns_client") {
    "//chrome/test/*",
    "//components/certificate_transparency/*",
    "//net/*",
+    "//services/network/*",
  ]
  sources = []
@@ -218,6 +284,7 @@ source_set("dns_client") {
  if (!is_nacl) {
    sources += [
      "dns_client.h",
+      "dns_protocol.h",
      "dns_response.h",
      "dns_transaction.h",
      "record_parsed.h",
@@ -226,7 +293,6 @@ source_set("dns_client") {
  }
  deps = [
-    ":public",
    "//net:net_deps",
  ]
  public_deps = [
@@ -265,7 +331,7 @@ source_set("mdns_client") {
  deps = [
    ":dns_client",
-    ":public",
+    ":host_resolver",
    "//net:net_deps",
  ]
  public_deps = [