network_diagnostics: Add HttpsFirewall Routine

Tests whether a firewall is blocking HTTPS port 443.

TEST=unit_tests --gtest_filter=HttpsFirewallRoutineTest.*
BUG=chromium:956783

Change-Id: I43d91fc87b52ef303beb18ec06bff18f055a5eff
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2391419Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Commit-Queue: Kartik Hegde <khegde@chromium.org>
Cr-Commit-Position: refs/heads/master@{#816658}

chrome/browser/chromeos/BUILD.gn

@@ -1933,6 +1933,8 @@ source_set("chromeos") {
     "net/network_diagnostics/http_firewall_routine.h",
     "net/network_diagnostics/http_request_manager.cc",
     "net/network_diagnostics/http_request_manager.h",
+    "net/network_diagnostics/https_firewall_routine.cc",
+    "net/network_diagnostics/https_firewall_routine.h",
     "net/network_diagnostics/https_latency_routine.cc",
     "net/network_diagnostics/https_latency_routine.h",
     "net/network_diagnostics/lan_connectivity_routine.cc",
@@ -3481,6 +3483,7 @@ source_set("unit_tests") {
     "net/network_diagnostics/has_secure_wifi_connection_routine_unittest.cc",
     "net/network_diagnostics/http_firewall_routine_unittest.cc",
     "net/network_diagnostics/http_request_manager_unittest.cc",
+    "net/network_diagnostics/https_firewall_routine_unittest.cc",
     "net/network_diagnostics/https_latency_routine_unittest.cc",
     "net/network_diagnostics/lan_connectivity_routine_unittest.cc",
     "net/network_diagnostics/network_diagnostics_routine_unittest.cc",

chrome/browser/chromeos/net/network_diagnostics/README.md

@@ -146,6 +146,15 @@ Problems:
 * `kFirewallDetected`: Firewall detected.
 * `kPotentialFirewall`: A firewall may potentially exist.
 
+#### HttpsFirewall
+
+Tests whether a firewall is blocking HTTPS port 443.
+
+Problems:
+* `kHighDnsResolutionFailureRate`: DNS resolution failure rate is high.
+* `kFirewallDetected`: Firewall detected.
+* `kPotentialFirewall`: A firewall may potentially exist.
+
 ### Google Services Routines
 
 Tests successful communication with various Google domains.

chrome/browser/chromeos/net/network_diagnostics/https_firewall_routine.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/net/network_diagnostics/https_firewall_routine.h"
+
+#include <string>
+#include <utility>
+#include <vector>
+
+#include "base/bind.h"
+#include "base/ranges/algorithm.h"
+#include "chrome/browser/chromeos/net/network_diagnostics/network_diagnostics_util.h"
+#include "chrome/browser/profiles/profile_manager.h"
+#include "content/public/browser/storage_partition.h"
+#include "services/network/public/mojom/network_context.mojom.h"
+
+namespace chromeos {
+namespace network_diagnostics {
+namespace {
+
+// Https port number.
+constexpr int kHttpsPort = 443;
+// Https scheme.
+constexpr char kHttpsScheme[] = "https://";
+// Effetively, the number of random hosts to query.
+// total hosts queried by this routine = random hosts + fixed hosts, where
+// information about fixed hosts is found in network_diagnostics_util.cc.
+constexpr int kTotalAdditionalHostsToQuery = 3;
+// The length of a random eight letter prefix obtained by the characters from
+// |kPossibleChars|.
+constexpr int kHostPrefixLength = 8;
+// The threshold describing the number of DNS resolution failures permitted.
+// E.g. If 10 host resolution attempts are made, any more than two DNS failures
+// would result in a problem.
+constexpr double kDnsResolutionFailureRateThreshold = 0.2;
+// The threshold describing number of TLS probe failures permitted. E.g. If 10
+// TLS probes are attempted, any more than two failures would result in a
+// problem. This number does not take into account the number of TLS probes that
+// failed due to unsuccessful DNS resolution.
+constexpr double kTlsProbeFailureRateThreshold = 0.2;
+// For an explanation of error codes, see "net/base/net_error_list.h".
+constexpr int kRetryResponseCodes[] = {net::ERR_TIMED_OUT,
+                                       net::ERR_DNS_TIMED_OUT};
+
+}  // namespace
+
+const int kTotalNumRetries = 3;
+
+HttpsFirewallRoutine::HttpsFirewallRoutine()
+    : num_retries_(kTotalNumRetries),
+      tls_prober_getter_callback_(base::BindRepeating(
+          &HttpsFirewallRoutine::CreateAndExecuteTlsProber)) {
+  std::vector<std::string> url_strings =
+      util::GetRandomAndFixedHostsWithSchemeAndPort(
+          kTotalAdditionalHostsToQuery, kHostPrefixLength, kHttpsScheme,
+          kHttpsPort);
+  for (const auto& url_string : url_strings) {
+    urls_to_query_.push_back(GURL(url_string));
+  }
+  num_urls_to_query_ = urls_to_query_.size();
+}
+
+HttpsFirewallRoutine::~HttpsFirewallRoutine() = default;
+
+void HttpsFirewallRoutine::RunRoutine(HttpsFirewallRoutineCallback callback) {
+  if (!CanRun()) {
+    std::move(callback).Run(verdict(), std::move(problems_));
+    return;
+  }
+  routine_completed_callback_ = std::move(callback);
+  ProbeNextUrl();
+}
+
+void HttpsFirewallRoutine::AnalyzeResultsAndExecuteCallback() {
+  double dns_resolution_failure_rate =
+      static_cast<double>(dns_resolution_failures_) /
+      static_cast<double>(num_urls_to_query_);
+  double tls_probe_failure_rate =
+      static_cast<double>(tls_probe_failures_) /
+      static_cast<double>(num_no_dns_failure_tls_probes_attempted_);
+
+  if (dns_resolution_failure_rate > kDnsResolutionFailureRateThreshold) {
+    set_verdict(mojom::RoutineVerdict::kProblem);
+    problems_.push_back(
+        mojom::HttpsFirewallProblem::kHighDnsResolutionFailureRate);
+  } else if (tls_probe_failure_rate <= kTlsProbeFailureRateThreshold) {
+    set_verdict(mojom::RoutineVerdict::kNoProblem);
+  } else if (tls_probe_failures_ == num_no_dns_failure_tls_probes_attempted_) {
+    set_verdict(mojom::RoutineVerdict::kProblem);
+    problems_.push_back(mojom::HttpsFirewallProblem::kFirewallDetected);
+  } else {
+    // It cannot be conclusively determined whether a firewall exists; however,
+    // since reaching this case means tls_probe_failure_rate >
+    // kTlsProbeFailureRateThreshold, a firewall could potentially
+    // exist.
+    set_verdict(mojom::RoutineVerdict::kProblem);
+    problems_.push_back(mojom::HttpsFirewallProblem::kPotentialFirewall);
+  }
+  std::move(routine_completed_callback_).Run(verdict(), std::move(problems_));
+}
+
+void HttpsFirewallRoutine::ProbeNextUrl() {
+  DCHECK(urls_to_query_.size() > 0);
+
+  auto url = urls_to_query_.back();
+  urls_to_query_.pop_back();
+  AttemptProbe(url);
+}
+
+void HttpsFirewallRoutine::AttemptProbe(const GURL& url) {
+  // Store the instance of TlsProber.
+  tls_prober_ = tls_prober_getter_callback_.Run(
+      base::BindRepeating(&HttpsFirewallRoutine::GetNetworkContext), url,
+      base::BindOnce(&HttpsFirewallRoutine::OnProbeComplete, weak_ptr(), url));
+}
+
+void HttpsFirewallRoutine::OnProbeComplete(
+    const GURL& url,
+    int result,
+    TlsProber::ProbeExitEnum probe_exit_enum) {
+  if (probe_exit_enum == TlsProber::ProbeExitEnum::kDnsFailure) {
+    dns_resolution_failures_++;
+  } else {
+    const auto* iter = base::ranges::find(kRetryResponseCodes, result);
+    if (iter != std::end(kRetryResponseCodes) && num_retries_ > 0) {
+      num_retries_--;
+      AttemptProbe(url);
+      return;
+    }
+    if (result < 0) {
+      tls_probe_failures_++;
+    }
+    num_no_dns_failure_tls_probes_attempted_++;
+  }
+  if (urls_to_query_.size() == 0) {
+    AnalyzeResultsAndExecuteCallback();
+    return;
+  }
+  ProbeNextUrl();
+}
+
+network::mojom::NetworkContext* HttpsFirewallRoutine::GetNetworkContext() {
+  Profile* profile = util::GetUserProfile();
+  DCHECK(profile);
+
+  return content::BrowserContext::GetDefaultStoragePartition(profile)
+      ->GetNetworkContext();
+}
+
+std::unique_ptr<TlsProber> HttpsFirewallRoutine::CreateAndExecuteTlsProber(
+    TlsProber::NetworkContextGetter network_context_getter,
+    const GURL& url,
+    TlsProber::TlsProbeCompleteCallback callback) {
+  return std::make_unique<TlsProber>(std::move(network_context_getter), url,
+                                     std::move(callback));
+}
+
+}  // namespace network_diagnostics
+}  // namespace chromeos

chrome/browser/chromeos/net/network_diagnostics/https_firewall_routine.h

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_CHROMEOS_NET_NETWORK_DIAGNOSTICS_HTTPS_FIREWALL_ROUTINE_H_
+#define CHROME_BROWSER_CHROMEOS_NET_NETWORK_DIAGNOSTICS_HTTPS_FIREWALL_ROUTINE_H_
+
+#include <memory>
+#include <vector>
+
+#include "base/callback.h"
+#include "base/memory/weak_ptr.h"
+#include "chrome/browser/chromeos/net/network_diagnostics/network_diagnostics_routine.h"
+#include "chrome/browser/chromeos/net/network_diagnostics/tls_prober.h"
+#include "url/gurl.h"
+
+namespace network {
+namespace mojom {
+class NetworkContext;
+}
+}  // namespace network
+
+namespace chromeos {
+namespace network_diagnostics {
+
+// Number of retry attempts.
+extern const int kTotalNumRetries;
+
+// Tests whether a firewall is blocking HTTPS port 443.
+class HttpsFirewallRoutine : public NetworkDiagnosticsRoutine {
+ public:
+  using HttpsFirewallRoutineCallback =
+      mojom::NetworkDiagnosticsRoutines::HttpsFirewallCallback;
+  using TlsProberGetterCallback =
+      base::RepeatingCallback<std::unique_ptr<TlsProber>(
+          TlsProber::NetworkContextGetter network_context_getter,
+          const GURL& url,
+          TlsProber::TlsProbeCompleteCallback callback)>;
+
+  HttpsFirewallRoutine();
+  HttpsFirewallRoutine(const HttpsFirewallRoutine&) = delete;
+  HttpsFirewallRoutine& operator=(const HttpsFirewallRoutine&) = delete;
+  ~HttpsFirewallRoutine() override;
+
+  // NetworkDiagnosticsRoutine:
+  void AnalyzeResultsAndExecuteCallback() override;
+
+  // Run the core logic of this routine. Set |callback| to
+  // |routine_completed_callback_|, which is to be executed in
+  // AnalyzeResultsAndExecuteCallback().
+  void RunRoutine(HttpsFirewallRoutineCallback callback);
+
+  void set_tls_prober_getter_callback_for_testing(
+      TlsProberGetterCallback tls_prober_getter_callback) {
+    tls_prober_getter_callback_ = std::move(tls_prober_getter_callback);
+  }
+
+ private:
+  // Gets the next URL to probe.
+  void ProbeNextUrl();
+
+  // Helper function to launch a TLS probe.
+  void AttemptProbe(const GURL& url);
+
+  // Callback invoked once probe is complete. |url| is only relevant in case
+  // of probe retries.
+  void OnProbeComplete(const GURL& url,
+                       int result,
+                       TlsProber::ProbeExitEnum probe_exit_enum);
+
+  // Returns the network context.
+  static network::mojom::NetworkContext* GetNetworkContext();
+
+  // Creates an instance of TlsProber.
+  static std::unique_ptr<TlsProber> CreateAndExecuteTlsProber(
+      TlsProber::NetworkContextGetter network_context_getter,
+      const GURL& url,
+      TlsProber::TlsProbeCompleteCallback callback);
+
+  // Returns the weak pointer to |this|.
+  base::WeakPtr<HttpsFirewallRoutine> weak_ptr() {
+    return weak_factory_.GetWeakPtr();
+  }
+
+  std::vector<GURL> urls_to_query_;
+  int num_urls_to_query_ = 0;
+  int num_retries_ = 0;
+  int dns_resolution_failures_ = 0;
+  int tls_probe_failures_ = 0;
+  int num_no_dns_failure_tls_probes_attempted_ = 0;
+  TlsProberGetterCallback tls_prober_getter_callback_;
+  std::unique_ptr<TlsProber> tls_prober_;
+  std::vector<mojom::HttpsFirewallProblem> problems_;
+  HttpsFirewallRoutineCallback routine_completed_callback_;
+
+  base::WeakPtrFactory<HttpsFirewallRoutine> weak_factory_{this};
+};
+
+}  // namespace network_diagnostics
+}  // namespace chromeos
+
+#endif  // CHROME_BROWSER_CHROMEOS_NET_NETWORK_DIAGNOSTICS_HTTPS_FIREWALL_ROUTINE_H_

chrome/browser/chromeos/net/network_diagnostics/https_firewall_routine_unittest.cc

+// Copyright 2020 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "chrome/browser/chromeos/net/network_diagnostics/https_firewall_routine.h"
+
+#include <deque>
+#include <memory>
+#include <utility>
+
+#include "base/bind_helpers.h"
+#include "chrome/browser/chromeos/net/network_diagnostics/fake_host_resolver.h"
+#include "chrome/browser/chromeos/net/network_diagnostics/fake_network_context.h"
+#include "content/public/browser/browser_task_traits.h"
+#include "content/public/test/browser_task_environment.h"
+#include "net/base/net_errors.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+namespace chromeos {
+namespace network_diagnostics {
+
+namespace {
+
+// The number of hosts the the routine tries to open socket connections to (if
+// DNS resolution is successful). Value equals the number of random hosts
+// + fixed hosts queried by HttpsFirewallRoutine.
+const int kTotalHosts = 9;
+
+// Test implementation of TlsProber.
+class TestTlsProber final : public TlsProber {
+ public:
+  TestTlsProber(TlsProber::TlsProbeCompleteCallback callback,
+                int result,
+                TlsProber::ProbeExitEnum probe_exit_enum) {
+    // Post an asynchronus task simulating a completed probe. This mimics the
+    // behavior of the production TlsProber constructor since the TestTlsProber
+    // instance will be complete before FinishProbe is invoked. In the
+    // production TlsProber, the constructor completes before DNS host
+    // resolution is invoked.
+    content::GetUIThreadTaskRunner({})->PostTask(
+        FROM_HERE,
+        base::BindOnce(&TestTlsProber::FinishProbe, weak_factory_.GetWeakPtr(),
+                       std::move(callback), result, probe_exit_enum));
+  }
+
+  TestTlsProber(const TestTlsProber&) = delete;
+  TestTlsProber& operator=(const TestTlsProber&) = delete;
+  ~TestTlsProber() override = default;
+
+ private:
+  void FinishProbe(TlsProber::TlsProbeCompleteCallback callback,
+                   int result,
+                   TlsProber::ProbeExitEnum probe_exit_enum) {
+    std::move(callback).Run(result, probe_exit_enum);
+  }
+
+  base::WeakPtrFactory<TestTlsProber> weak_factory_{this};
+};
+
+}  // namespace
+
+class HttpsFirewallRoutineTest : public ::testing::Test {
+ public:
+  struct TlsProberReturnValue {
+    net::Error result;
+    TlsProber::ProbeExitEnum probe_exit_enum;
+  };
+
+  HttpsFirewallRoutineTest() = default;
+  HttpsFirewallRoutineTest(const HttpsFirewallRoutineTest&) = delete;
+  HttpsFirewallRoutineTest& operator=(const HttpsFirewallRoutineTest&) = delete;
+
+  void RunRoutine(
+      mojom::RoutineVerdict expected_routine_verdict,
+      const std::vector<mojom::HttpsFirewallProblem>& expected_problems) {
+    https_firewall_routine_->RunRoutine(base::BindOnce(
+        &HttpsFirewallRoutineTest::CompareVerdict, weak_factory_.GetWeakPtr(),
+        expected_routine_verdict, expected_problems));
+    run_loop_.Run();
+  }
+
+  void CompareVerdict(
+      mojom::RoutineVerdict expected_verdict,
+      const std::vector<mojom::HttpsFirewallProblem>& expected_problems,
+      mojom::RoutineVerdict actual_verdict,
+      const std::vector<mojom::HttpsFirewallProblem>& actual_problems) {
+    DCHECK(run_loop_.running());
+    EXPECT_EQ(expected_verdict, actual_verdict);
+    EXPECT_EQ(expected_problems, actual_problems);
+    run_loop_.Quit();
+  }
+
+  void SetUpRoutine(std::deque<TlsProberReturnValue> fake_probe_results) {
+    fake_probe_results_ = std::move(fake_probe_results);
+    https_firewall_routine_ = std::make_unique<HttpsFirewallRoutine>();
+    https_firewall_routine_->set_tls_prober_getter_callback_for_testing(
+        base::BindRepeating(
+            &HttpsFirewallRoutineTest::CreateAndExecuteTlsProber,
+            base::Unretained(this)));
+  }
+
+  // Sets up required properties (via fakes) and runs the test.
+  //
+  // Parameters:
+  // |fake_probe_results|: Represents the results of TLS probes.
+  // |expected_routine_verdict|: Represents the expected verdict
+  // reported by this test.
+  // |expected_problems|: Represents the expected problem
+  // reported by this test.
+  void SetUpAndRunRoutine(
+      std::deque<TlsProberReturnValue> fake_probe_results,
+      mojom::RoutineVerdict expected_routine_verdict,
+      const std::vector<mojom::HttpsFirewallProblem>& expected_problems) {
+    SetUpRoutine(std::move(fake_probe_results));
+    RunRoutine(expected_routine_verdict, expected_problems);
+  }
+
+  std::unique_ptr<TlsProber> CreateAndExecuteTlsProber(
+      TlsProber::NetworkContextGetter network_context_getter,
+      const GURL& url,
+      TlsProber::TlsProbeCompleteCallback callback) {
+    DCHECK(fake_probe_results_.size() > 0);
+
+    auto value = fake_probe_results_.front();
+    fake_probe_results_.pop_front();
+    auto test_tls_prober = std::make_unique<TestTlsProber>(
+        std::move(callback), value.result, value.probe_exit_enum);
+    return std::move(test_tls_prober);
+  }
+
+ private:
+  content::BrowserTaskEnvironment task_environment_;
+  base::RunLoop run_loop_;
+  std::deque<TlsProberReturnValue> fake_probe_results_;
+  std::unique_ptr<HttpsFirewallRoutine> https_firewall_routine_;
+  base::WeakPtrFactory<HttpsFirewallRoutineTest> weak_factory_{this};
+};
+
+TEST_F(HttpsFirewallRoutineTest, TestHighDnsResolutionFailuresRate) {
+  std::deque<TlsProberReturnValue> fake_probe_results;
+  // kTotalHosts = 9
+  for (int i = 0; i < kTotalHosts; i++) {
+    if (i < 2) {
+      fake_probe_results.push_back(TlsProberReturnValue{
+          net::ERR_NAME_NOT_RESOLVED, TlsProber::ProbeExitEnum::kDnsFailure});
+    } else {
+      // Having seven successful resolutions out of nine puts us below the
+      // threshold needed to attempt TLS probes.
+      fake_probe_results.push_back(
+          TlsProberReturnValue{net::OK, TlsProber::ProbeExitEnum::kSuccess});
+    }
+  }
+  SetUpAndRunRoutine(
+      std::move(fake_probe_results), mojom::RoutineVerdict::kProblem,
+      {mojom::HttpsFirewallProblem::kHighDnsResolutionFailureRate});
+}
+
+TEST_F(HttpsFirewallRoutineTest, TestFirewallDetection) {
+  std::deque<TlsProberReturnValue> fake_probe_results;
+  // kTotalHosts = 9
+  for (int i = 0; i < kTotalHosts; i++) {
+    fake_probe_results.push_back(TlsProberReturnValue{
+        net::ERR_FAILED, TlsProber::ProbeExitEnum::kTlsUpgradeFailure});
+  }
+  SetUpAndRunRoutine(std::move(fake_probe_results),
+                     mojom::RoutineVerdict::kProblem,
+                     {mojom::HttpsFirewallProblem::kFirewallDetected});
+}
+
+TEST_F(HttpsFirewallRoutineTest, TestPotentialFirewallDetection) {
+  std::deque<TlsProberReturnValue> fake_probe_results;
+  // kTotalHosts = 9
+  for (int i = 0; i < kTotalHosts; i++) {
+    if (i < 5) {
+      fake_probe_results.push_back(
+          TlsProberReturnValue{net::OK, TlsProber::ProbeExitEnum::kSuccess});
+    } else {
+      // Having five connection failures and four successful connections signals
+      // a potential firewall.
+      fake_probe_results.push_back(TlsProberReturnValue{
+          net::ERR_FAILED, TlsProber::ProbeExitEnum::kTcpConnectionFailure});
+    }
+  }
+  SetUpAndRunRoutine(std::move(fake_probe_results),
+                     mojom::RoutineVerdict::kProblem,
+                     {mojom::HttpsFirewallProblem::kPotentialFirewall});
+}
+
+TEST_F(HttpsFirewallRoutineTest, TestNoFirewallIssues) {
+  std::deque<TlsProberReturnValue> fake_probe_results;
+  // kTotalHosts = 9
+  for (int i = 0; i < kTotalHosts; i++) {
+    if (i < 8) {
+      fake_probe_results.push_back(
+          TlsProberReturnValue{net::OK, TlsProber::ProbeExitEnum::kSuccess});
+    } else {
+      // Having one connection failure and eight successful connections puts us
+      // above the required threshold.
+      fake_probe_results.push_back(TlsProberReturnValue{
+          net::ERR_FAILED, TlsProber::ProbeExitEnum::kMojoDisconnectFailure});
+    }
+  }
+  SetUpAndRunRoutine(std::move(fake_probe_results),
+                     mojom::RoutineVerdict::kNoProblem, {});
+}
+
+TEST_F(HttpsFirewallRoutineTest, TestContinousRetries) {
+  std::deque<TlsProberReturnValue> fake_probe_results;
+  // kTotalHosts = 9
+  for (int i = 0; i < kTotalHosts; i++) {
+    if (i < 8) {
+      fake_probe_results.push_back(
+          TlsProberReturnValue{net::OK, TlsProber::ProbeExitEnum::kSuccess});
+    } else {
+      // Having one socket that continuously retries until failure and eight
+      // sockets that make successful connections puts us above the required
+      // threshold.
+      for (int j = 0; j < kTotalNumRetries + 1; j++) {
+        fake_probe_results.push_back(TlsProberReturnValue{
+            net::ERR_TIMED_OUT,
+            TlsProber::ProbeExitEnum::kMojoDisconnectFailure});
+      }
+    }
+  }
+  SetUpAndRunRoutine(std::move(fake_probe_results),
+                     mojom::RoutineVerdict::kNoProblem, {});
+}
+
+}  // namespace network_diagnostics
+}  // namespace chromeos

chrome/browser/chromeos/net/network_diagnostics/network_diagnostics.cc

@@ -15,6 +15,7 @@
 #include "chrome/browser/chromeos/net/network_diagnostics/gateway_can_be_pinged_routine.h"
 #include "chrome/browser/chromeos/net/network_diagnostics/has_secure_wifi_connection_routine.h"
 #include "chrome/browser/chromeos/net/network_diagnostics/http_firewall_routine.h"
+#include "chrome/browser/chromeos/net/network_diagnostics/https_firewall_routine.h"
 #include "chrome/browser/chromeos/net/network_diagnostics/https_latency_routine.h"
 #include "chrome/browser/chromeos/net/network_diagnostics/lan_connectivity_routine.h"
 #include "chrome/browser/chromeos/net/network_diagnostics/signal_strength_routine.h"
@@ -169,6 +170,20 @@ void NetworkDiagnostics::HttpFirewall(HttpFirewallCallback callback) {
       std::move(routine), std::move(callback)));
 }
 
+void NetworkDiagnostics::HttpsFirewall(HttpsFirewallCallback callback) {
+  auto routine = std::make_unique<HttpsFirewallRoutine>();
+  // RunRoutine() takes a lambda callback that takes ownership of the routine.
+  // This ensures that the routine stays alive when it makes asynchronous mojo
+  // calls. The routine will be destroyed when the lambda exits.
+  routine->RunRoutine(base::BindOnce(
+      [](std::unique_ptr<HttpsFirewallRoutine> routine,
+         HttpsFirewallCallback callback, mojom::RoutineVerdict verdict,
+         const std::vector<mojom::HttpsFirewallProblem>& problems) {
+        std::move(callback).Run(verdict, std::move(problems));
+      },
+      std::move(routine), std::move(callback)));
+}
+
 void NetworkDiagnostics::HttpsLatency(HttpsLatencyCallback callback) {
   auto routine = std::make_unique<HttpsLatencyRoutine>();
   // RunRoutine() takes a lambda callback that takes ownership of the routine.

chrome/browser/chromeos/net/network_diagnostics/network_diagnostics.h

@@ -31,6 +31,7 @@ class NetworkDiagnostics : public mojom::NetworkDiagnosticsRoutines {
   void SignalStrength(SignalStrengthCallback callback) override;
   void GatewayCanBePinged(GatewayCanBePingedCallback callback) override;
   void HttpFirewall(HttpFirewallCallback callback) override;
+  void HttpsFirewall(HttpsFirewallCallback callback) override;
   void HasSecureWiFiConnection(
       HasSecureWiFiConnectionCallback callback) override;
   void DnsResolverPresent(DnsResolverPresentCallback callback) override;

chrome/browser/chromeos/net/network_diagnostics/tls_prober.cc

@@ -156,6 +156,8 @@ TlsProber::TlsProber(NetworkContextGetter network_context_getter,
   host_resolver_->Run(url);
 }
 
+TlsProber::TlsProber() = default;
+
 TlsProber::~TlsProber() = default;
 
 void TlsProber::OnHostResolutionComplete(

chrome/browser/chromeos/net/network_diagnostics/tls_prober.h

@@ -66,6 +66,10 @@ class TlsProber {
       const net::ResolveErrorInfo& resolve_error_info,
       const base::Optional<net::AddressList>& resolved_addresses);
 
+ protected:
+  // Test-only constructor.
+  TlsProber();
+
  private:
   // On success, upgrades a TCPConnectedSocket to a TLSClientSocket. On failure,
   // invokes the callback passed into the TlsProber instance with a failure

chromeos/services/cros_healthd/public/cpp/service_connection_unittest.cc

@@ -209,6 +209,10 @@ class MockNetworkDiagnosticsRoutines : public NetworkDiagnosticsRoutines {
               HttpFirewall,
               (NetworkDiagnosticsRoutines::HttpFirewallCallback),
               (override));
+  MOCK_METHOD(void,
+              HttpsFirewall,
+              (NetworkDiagnosticsRoutines::HttpsFirewallCallback),
+              (override));
   MOCK_METHOD(void,
               HttpsLatency,
               (NetworkDiagnosticsRoutines::HttpsLatencyCallback),

chromeos/services/network_health/public/mojom/network_diagnostics.mojom

@@ -99,6 +99,17 @@ enum HttpFirewallProblem {
   kPotentialFirewall,
 };
 
+// Problems related to the HttpsFirewall routine.
+[Extensible]
+enum HttpsFirewallProblem {
+  // DNS resolution failure rate is high.
+  kHighDnsResolutionFailureRate,
+  // Firewall detected.
+  kFirewallDetected,
+  // A firewall may potentially exist.
+  kPotentialFirewall,
+};
+
 // Problems related to the HttpsLatency routine.
 [Extensible]
 enum HttpsLatencyProblem {
@@ -156,6 +167,10 @@ interface NetworkDiagnosticsRoutines {
   HttpFirewall() => (RoutineVerdict verdict,
       array<HttpFirewallProblem> problems);
 
+  // Tests whether a firewall is blocking HTTPS port 443.
+  HttpsFirewall() => (RoutineVerdict verdict,
+      array<HttpsFirewallProblem> problems);
+
   // Tests whether the HTTPS latency is within established tolerance levels for
   // the system.
   HttpsLatency() => (RoutineVerdict verdict,