Trust Tokens: Add a synchronous key commitment getter interface

This CL's child (crrev.com/c/2176796) adds a record expiry delegate
relying on synchronous availability of Trust Tokens key commitments in
order to check if the verification key corresponding to a signed
redemption record is still present in the key's issuer's most recent key
commitment result.

In order to provide synchronous access to keys, this CL adds a
synchronous key commitment getter interface and extends
TrustTokenKeyCommitments (which already stores all issuers' keys in
memory, so is eminently capable of providing access synchronously) to
implement the interface.

In a world where we fetch keys online during requests instead of offline
through the component updater, we could instead provide this synchronous
access by caching fetched keys in the trust token store.

R=csharrison

Test: Extend TrustTokenKeyCommitments unit tests.
Bug: 1077060
Change-Id: I0c6bb756fd8c0675ed890cf9c680412e2155d646
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2183509
Commit-Queue: David Van Cleve <davidvc@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Auto-Submit: David Van Cleve <davidvc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#766435}

services/network/trust_tokens/trust_token_key_commitment_getter.h

@@ -25,6 +25,15 @@ class TrustTokenKeyCommitmentGetter {
       const = 0;
 };
 
+// Class SynchronousTrustTokenKeyCommitmentGetter fetches key commitments
+// synchronously.
+class SynchronousTrustTokenKeyCommitmentGetter {
+ public:
+  virtual ~SynchronousTrustTokenKeyCommitmentGetter() = default;
+  virtual mojom::TrustTokenKeyCommitmentResultPtr GetSync(
+      const url::Origin& origin) const = 0;
+};
+
 }  // namespace network
 
 #endif  // SERVICES_NETWORK_TRUST_TOKENS_TRUST_TOKEN_KEY_COMMITMENT_GETTER_H_

services/network/trust_tokens/trust_token_key_commitments.cc

@@ -48,15 +48,14 @@ ParseCommitmentsFromCommandLine() {
 
 // Filters |result->keys| to contain only a small number of
 // soon-to-expire-but-not-yet-expired keys, then passes |result| to |done|.
-void ReturnCommitmentsAfterFiltering(
-    base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)> done,
+mojom::TrustTokenKeyCommitmentResultPtr FilterCommitments(
     mojom::TrustTokenKeyCommitmentResultPtr result) {
   if (result) {
     RetainSoonestToExpireTrustTokenKeys(
         &result->keys, kMaximumConcurrentlyValidTrustTokenVerificationKeys);
   }
 
-  std::move(done).Run(std::move(result));
+  return result;
 }
 
 }  // namespace
@@ -105,28 +104,30 @@ void TrustTokenKeyCommitments::Get(
     const url::Origin& origin,
     base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)> done)
     const {
+  std::move(done).Run(GetSync(origin));
+}
+
+mojom::TrustTokenKeyCommitmentResultPtr TrustTokenKeyCommitments::GetSync(
+    const url::Origin& origin) const {
   base::Optional<SuitableTrustTokenOrigin> suitable_origin =
       SuitableTrustTokenOrigin::Create(origin);
   if (!suitable_origin) {
-    std::move(done).Run(nullptr);
-    return;
+    return nullptr;
   }
 
   if (!additional_commitments_from_command_line_.empty()) {
     auto it = additional_commitments_from_command_line_.find(*suitable_origin);
     if (it != commitments_.end()) {
-      ReturnCommitmentsAfterFiltering(std::move(done), it->second->Clone());
-      return;
+      return FilterCommitments(it->second->Clone());
     }
   }
 
   auto it = commitments_.find(*suitable_origin);
   if (it == commitments_.end()) {
-    std::move(done).Run(nullptr);
-    return;
+    return nullptr;
   }
 
-  ReturnCommitmentsAfterFiltering(std::move(done), it->second->Clone());
+  return FilterCommitments(it->second->Clone());
 }
 
 }  // namespace network

services/network/trust_tokens/trust_token_key_commitments.h

@@ -19,7 +19,9 @@ namespace network {
 // Class TrustTokenKeyCommitments is a singleton owned by NetworkService; it
 // stores all known information about issuers' Trust Tokens key state. This
 // state is provided through offline updates via |Set|.
-class TrustTokenKeyCommitments : public TrustTokenKeyCommitmentGetter {
+class TrustTokenKeyCommitments
+    : public TrustTokenKeyCommitmentGetter,
+      public SynchronousTrustTokenKeyCommitmentGetter {
  public:
   TrustTokenKeyCommitments();
   ~TrustTokenKeyCommitments() override;
@@ -55,10 +57,18 @@ class TrustTokenKeyCommitments : public TrustTokenKeyCommitmentGetter {
   // If commitments for |origin| were passed both through a prior call to |Set|
   // and through the --additional-trust-token-key-commitments command-line
   // switch, the commitments passed through the switch take precedence.
+  //
+  // Implementation note: this is a thin wrapper around GetSync.
   void Get(const url::Origin& origin,
            base::OnceCallback<void(mojom::TrustTokenKeyCommitmentResultPtr)>
                done) const override;
 
+  // SynchronousTrustTokenKeyCommitmentResultGetter implementation:
+  //
+  // Implementation note: This is where the guts of |Get| live.
+  mojom::TrustTokenKeyCommitmentResultPtr GetSync(
+      const url::Origin& origin) const override;
+
  private:
   base::flat_map<SuitableTrustTokenOrigin,
                  mojom::TrustTokenKeyCommitmentResultPtr>

services/network/trust_tokens/trust_token_key_commitments_unittest.cc

@@ -20,13 +20,6 @@
 
 namespace network {
 
-namespace {
-
-using ::testing::AllOf;
-using ::testing::Truly;
-
-}  // namespace
-
 mojom::TrustTokenKeyCommitmentResultPtr GetCommitmentForOrigin(
     const TrustTokenKeyCommitments& commitments,
     const url::Origin& origin) {
@@ -218,4 +211,22 @@ TEST(TrustTokenKeyCommitments, FiltersKeys) {
                           }));
 }
 
+TEST(TrustTokenKeyCommitments, GetSync) {
+  TrustTokenKeyCommitments commitments;
+
+  auto expectation = mojom::TrustTokenKeyCommitmentResult::New();
+  expectation->batch_size = mojom::TrustTokenKeyCommitmentBatchSize::New(5);
+
+  auto suitable_origin = *SuitableTrustTokenOrigin::Create(
+      GURL("https://suitable-origin.example"));
+
+  base::flat_map<url::Origin, mojom::TrustTokenKeyCommitmentResultPtr> to_set;
+  to_set.insert_or_assign(suitable_origin.origin(), expectation.Clone());
+  commitments.Set(std::move(to_set));
+
+  auto result = commitments.GetSync(suitable_origin.origin());
+  ASSERT_TRUE(result);
+  EXPECT_TRUE(result.Equals(expectation));
+}
+
 }  // namespace network