#include "extensions/browser/content_verifier/test_utils.h"
#include "base/base64url.h"
#include "base/containers/contains.h"
#include "base/files/file_util.h"
#include "base/functional/bind.h"
#include "base/json/json_writer.h"
#include "base/strings/stringprintf.h"
#include "base/task/sequenced_task_runner.h"
#include "base/values.h"
#include "content/public/browser/browser_thread.h"
#include "crypto/keypair.h"
#include "crypto/sign.h"
#include "crypto/test_support.h"
#include "extensions/browser/extension_file_task_runner.h"
#include "extensions/common/constants.h"
#include "extensions/common/extension.h"
#include "extensions/common/file_util.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "third_party/zlib/google/zip.h"
namespace extensions {
TestContentVerifySingleJobObserver::TestContentVerifySingleJobObserver(
const ExtensionId& extension_id,
const base::FilePath& relative_path)
: client_(
base::MakeRefCounted<ObserverClient>(extension_id, relative_path)) {
ContentVerifyJob::SetObserverForTests(client_);
}
TestContentVerifySingleJobObserver::~TestContentVerifySingleJobObserver() {
ContentVerifyJob::SetObserverForTests(nullptr);
}
ContentVerifyJob::FailureReason
TestContentVerifySingleJobObserver::WaitForJobFinished() {
return client_->WaitForJobFinished();
}
ContentHashReader::InitStatus
TestContentVerifySingleJobObserver::WaitForOnHashesReady() {
return client_->WaitForOnHashesReady();
}
TestContentVerifySingleJobObserver::ObserverClient::ObserverClient(
const ExtensionId& extension_id,
const base::FilePath& relative_path)
: extension_id_(extension_id), relative_path_(relative_path) {
EXPECT_TRUE(
content::BrowserThread::GetCurrentThreadIdentifier(&creation_thread_));
}
TestContentVerifySingleJobObserver::ObserverClient::~ObserverClient() = default;
void TestContentVerifySingleJobObserver::ObserverClient::JobFinished(
const ExtensionId& extension_id,
const base::FilePath& relative_path,
ContentVerifyJob::FailureReason reason) {
if (!content::BrowserThread::CurrentlyOn(creation_thread_)) {
content::BrowserThread::GetTaskRunnerForThread(creation_thread_)
->PostTask(FROM_HERE,
base::BindOnce(&TestContentVerifySingleJobObserver::
ObserverClient::JobFinished,
this, extension_id, relative_path, reason));
return;
}
if (extension_id != extension_id_ || relative_path != relative_path_)
return;
EXPECT_FALSE(failure_reason_.has_value());
failure_reason_ = reason;
job_finished_run_loop_.Quit();
}
void TestContentVerifySingleJobObserver::ObserverClient::OnHashesReady(
const ExtensionId& extension_id,
const base::FilePath& relative_path,
const ContentHashReader& hash_reader) {
if (content::BrowserThread::CurrentlyOn(creation_thread_))
OnHashesReadyOnCreationThread(extension_id, relative_path,
hash_reader.status());
else {
content::BrowserThread::GetTaskRunnerForThread(creation_thread_)
->PostTask(
FROM_HERE,
base::BindOnce(&TestContentVerifySingleJobObserver::ObserverClient::
OnHashesReadyOnCreationThread,
this, extension_id, relative_path,
hash_reader.status()));
}
}
void TestContentVerifySingleJobObserver::ObserverClient::
OnHashesReadyOnCreationThread(const ExtensionId& extension_id,
const base::FilePath& relative_path,
ContentHashReader::InitStatus hashes_status) {
if (extension_id != extension_id_ || relative_path != relative_path_)
return;
EXPECT_FALSE(seen_on_hashes_ready_);
seen_on_hashes_ready_ = true;
hashes_status_ = hashes_status;
on_hashes_ready_run_loop_.Quit();
}
ContentVerifyJob::FailureReason
TestContentVerifySingleJobObserver::ObserverClient::WaitForJobFinished() {
job_finished_run_loop_.Run();
EXPECT_TRUE(failure_reason_.has_value());
return failure_reason_.value_or(ContentVerifyJob::FAILURE_REASON_MAX);
}
ContentHashReader::InitStatus
TestContentVerifySingleJobObserver::ObserverClient::WaitForOnHashesReady() {
on_hashes_ready_run_loop_.Run();
return hashes_status_;
}
TestContentVerifyJobObserver::TestContentVerifyJobObserver()
: client_(base::MakeRefCounted<ObserverClient>()) {
ContentVerifyJob::SetObserverForTests(client_);
}
TestContentVerifyJobObserver::~TestContentVerifyJobObserver() {
ContentVerifyJob::SetObserverForTests(nullptr);
}
void TestContentVerifyJobObserver::ExpectJobResult(
const ExtensionId& extension_id,
const base::FilePath& relative_path,
Result expected_result) {
client_->ExpectJobResult(extension_id, relative_path, expected_result);
}
bool TestContentVerifyJobObserver::WaitForExpectedJobs() {
return client_->WaitForExpectedJobs();
}
TestContentVerifyJobObserver::ObserverClient::ObserverClient() {
EXPECT_TRUE(
content::BrowserThread::GetCurrentThreadIdentifier(&creation_thread_));
}
TestContentVerifyJobObserver::ObserverClient::~ObserverClient() = default;
void TestContentVerifyJobObserver::ObserverClient::JobFinished(
const ExtensionId& extension_id,
const base::FilePath& relative_path,
ContentVerifyJob::FailureReason failure_reason) {
if (!content::BrowserThread::CurrentlyOn(creation_thread_)) {
content::BrowserThread::GetTaskRunnerForThread(creation_thread_)
->PostTask(
FROM_HERE,
base::BindOnce(
&TestContentVerifyJobObserver::ObserverClient::JobFinished,
this, extension_id, relative_path, failure_reason));
return;
}
Result result = failure_reason == ContentVerifyJob::NONE ? Result::SUCCESS
: Result::FAILURE;
bool found = false;
for (auto i = expectations_.begin(); i != expectations_.end(); ++i) {
if (i->extension_id == extension_id && i->path == relative_path &&
i->result == result) {
found = true;
expectations_.erase(i);
break;
}
}
if (found) {
if (expectations_.empty() && job_quit_closure_)
std::move(job_quit_closure_).Run();
} else {
LOG(WARNING) << "Ignoring unexpected JobFinished " << extension_id << "/"
<< relative_path.value()
<< " failure_reason:" << failure_reason;
}
}
void TestContentVerifyJobObserver::ObserverClient::ExpectJobResult(
const ExtensionId& extension_id,
const base::FilePath& relative_path,
Result expected_result) {
expectations_.push_back(
ExpectedResult(extension_id, relative_path, expected_result));
}
bool TestContentVerifyJobObserver::ObserverClient::WaitForExpectedJobs() {
EXPECT_TRUE(content::BrowserThread::CurrentlyOn(creation_thread_));
if (!expectations_.empty()) {
base::RunLoop run_loop;
job_quit_closure_ = run_loop.QuitClosure();
run_loop.Run();
}
return expectations_.empty();
}
MockContentVerifierDelegate::MockContentVerifierDelegate()
: verifier_key_(kWebstoreSignaturesPublicKey.begin(),
kWebstoreSignaturesPublicKey.end()) {}
MockContentVerifierDelegate::~MockContentVerifierDelegate() = default;
ContentVerifierDelegate::VerifierSourceType
MockContentVerifierDelegate::GetVerifierSourceType(const Extension& extension) {
return verifier_source_type_;
}
ContentVerifierKey MockContentVerifierDelegate::GetPublicKey() {
DCHECK_EQ(VerifierSourceType::SIGNED_HASHES, verifier_source_type_);
return verifier_key_;
}
GURL MockContentVerifierDelegate::GetSignatureFetchUrl(
const ExtensionId& extension_id,
const base::Version& version) {
DCHECK_EQ(VerifierSourceType::SIGNED_HASHES, verifier_source_type_);
std::string url =
base::StringPrintf("http://localhost/getsignature?id=%s&version=%s",
extension_id.c_str(), version.GetString().c_str());
return GURL(url);
}
std::set<base::FilePath> MockContentVerifierDelegate::GetBrowserImagePaths(
const extensions::Extension* extension) {
return std::set<base::FilePath>();
}
void MockContentVerifierDelegate::VerifyFailed(
const ExtensionId& extension_id,
ContentVerifyJob::FailureReason reason) {
ADD_FAILURE() << "Unexpected call for this test";
}
void MockContentVerifierDelegate::Shutdown() {}
void MockContentVerifierDelegate::SetVerifierSourceType(
VerifierSourceType type) {
verifier_source_type_ = type;
}
void MockContentVerifierDelegate::SetVerifierKey(std::vector<uint8_t> key) {
verifier_key_ = std::move(key);
}
VerifierObserver::VerifierObserver() {
EXPECT_TRUE(
content::BrowserThread::GetCurrentThreadIdentifier(&creation_thread_));
ContentVerifier::SetObserverForTests(this);
}
VerifierObserver::~VerifierObserver() {
ContentVerifier::SetObserverForTests(nullptr);
}
void VerifierObserver::EnsureFetchCompleted(const ExtensionId& extension_id) {
EXPECT_TRUE(content::BrowserThread::CurrentlyOn(creation_thread_));
if (base::Contains(completed_fetches_, extension_id))
return;
EXPECT_TRUE(id_to_wait_for_.empty());
EXPECT_EQ(loop_runner_.get(), nullptr);
id_to_wait_for_ = extension_id;
loop_runner_ = base::MakeRefCounted<content::MessageLoopRunner>();
loop_runner_->Run();
id_to_wait_for_.clear();
loop_runner_ = nullptr;
}
void VerifierObserver::OnFetchComplete(
const scoped_refptr<const ContentHash>& content_hash,
bool did_hash_mismatch) {
if (!content::BrowserThread::CurrentlyOn(creation_thread_)) {
content::BrowserThread::GetTaskRunnerForThread(creation_thread_)
->PostTask(FROM_HERE, base::BindOnce(&VerifierObserver::OnFetchComplete,
weak_ptr_factory_.GetWeakPtr(),
content_hash, did_hash_mismatch));
return;
}
const ExtensionId extension_id = content_hash->extension_id();
completed_fetches_.insert(extension_id);
content_hash_ = content_hash;
did_hash_mismatch_ = did_hash_mismatch;
if (extension_id == id_to_wait_for_) {
DCHECK(loop_runner_);
loop_runner_->Quit();
}
}
ContentHashResult::ContentHashResult(
const ExtensionId& extension_id,
bool success,
bool was_cancelled,
const std::set<base::FilePath> mismatch_paths)
: extension_id(extension_id),
success(success),
was_cancelled(was_cancelled),
mismatch_paths(mismatch_paths) {}
ContentHashResult::~ContentHashResult() = default;
ContentHashWaiter::ContentHashWaiter()
: reply_task_runner_(base::SequencedTaskRunner::GetCurrentDefault()) {}
ContentHashWaiter::~ContentHashWaiter() = default;
std::unique_ptr<ContentHashResult> ContentHashWaiter::CreateAndWaitForCallback(
ContentHash::FetchKey key,
ContentVerifierDelegate::VerifierSourceType source_type) {
GetExtensionFileTaskRunner()->PostTask(
FROM_HERE,
base::BindOnce(&ContentHashWaiter::CreateContentHash,
base::Unretained(this), std::move(key), source_type));
run_loop_.Run();
DCHECK(result_);
return std::move(result_);
}
void ContentHashWaiter::CreatedCallback(scoped_refptr<ContentHash> content_hash,
bool was_cancelled) {
if (!reply_task_runner_->RunsTasksInCurrentSequence()) {
reply_task_runner_->PostTask(
FROM_HERE,
base::BindOnce(&ContentHashWaiter::CreatedCallback,
base::Unretained(this), content_hash, was_cancelled));
return;
}
DCHECK(content_hash);
result_ = std::make_unique<ContentHashResult>(
content_hash->extension_id(), content_hash->succeeded(), was_cancelled,
content_hash->hash_mismatch_unix_paths());
run_loop_.QuitWhenIdle();
}
void ContentHashWaiter::CreateContentHash(
ContentHash::FetchKey key,
ContentVerifierDelegate::VerifierSourceType source_type) {
ContentHash::Create(std::move(key), source_type, IsCancelledCallback(),
base::BindOnce(&ContentHashWaiter::CreatedCallback,
base::Unretained(this)));
}
namespace content_verifier_test_utils {
TestExtensionBuilder::TestExtensionBuilder()
: TestExtensionBuilder(ExtensionId(32, 'a')) {}
TestExtensionBuilder::TestExtensionBuilder(const ExtensionId& extension_id)
: extension_id_(extension_id) {
base::CreateDirectory(extension_dir_.UnpackedPath().Append(kMetadataFolder));
}
TestExtensionBuilder::~TestExtensionBuilder() = default;
void TestExtensionBuilder::WriteManifest() {
extension_dir_.WriteManifest(base::Value::Dict()
.Set("manifest_version", 2)
.Set("name", "Test extension")
.Set("version", "1.0"));
}
void TestExtensionBuilder::WriteResource(
base::FilePath::StringType relative_path,
std::string contents) {
extension_dir_.WriteFile(relative_path, contents);
AddResource(std::move(relative_path), std::move(contents));
}
void TestExtensionBuilder::AddResource(base::FilePath::StringType relative_path,
std::string contents) {
extension_resources_.emplace_back(base::FilePath(std::move(relative_path)),
std::move(contents));
}
void TestExtensionBuilder::WriteComputedHashes() {
int block_size = extension_misc::kContentVerificationDefaultBlockSize;
ComputedHashes::Data computed_hashes_data;
for (const auto& resource : extension_resources_) {
std::vector<std::string> hashes =
ComputedHashes::GetHashesForContent(resource.contents, block_size);
computed_hashes_data.Add(resource.relative_path, block_size, hashes);
}
ASSERT_TRUE(ComputedHashes(std::move(computed_hashes_data))
.WriteToFile(file_util::GetComputedHashesPath(
extension_dir_.UnpackedPath())));
}
std::string TestExtensionBuilder::CreateVerifiedContents() const {
std::unique_ptr<base::Value> payload = CreateVerifiedContentsPayload();
std::string payload_value;
if (!base::JSONWriter::Write(*payload, &payload_value))
return "";
std::string payload_b64;
base::Base64UrlEncode(
payload_value, base::Base64UrlEncodePolicy::OMIT_PADDING, &payload_b64);
auto signature =
crypto::sign::Sign(crypto::sign::SignatureKind::RSA_PKCS1_SHA256,
crypto::test::FixedRsa2048PrivateKeyForTesting(),
base::as_byte_span("." + payload_b64));
std::string signature_b64;
base::Base64UrlEncode(base::as_byte_span(signature),
base::Base64UrlEncodePolicy::OMIT_PADDING,
&signature_b64);
base::Value::List signatures = base::Value::List().Append(
base::Value::Dict()
.Set("header", base::Value::Dict().Set("kid", "webstore"))
.Set("protected", "")
.Set("signature", signature_b64));
base::Value::List verified_contents = base::Value::List().Append(
base::Value::Dict()
.Set("description", "treehash per file")
.Set("signed_content",
base::Value::Dict()
.Set("payload", payload_b64)
.Set("signatures", std::move(signatures))));
std::string json;
if (!base::JSONWriter::Write(verified_contents, &json)) {
return "";
}
return json;
}
void TestExtensionBuilder::WriteVerifiedContents() {
std::string verified_contents = CreateVerifiedContents();
ASSERT_NE(verified_contents.size(), 0u);
base::FilePath verified_contents_path =
file_util::GetVerifiedContentsPath(extension_dir_.UnpackedPath());
ASSERT_TRUE(base::WriteFile(verified_contents_path, verified_contents));
}
std::vector<uint8_t> TestExtensionBuilder::GetTestContentVerifierPublicKey()
const {
auto key = crypto::test::FixedRsa2048PrivateKeyForTesting();
return key.ToSubjectPublicKeyInfo();
}
std::unique_ptr<base::Value>
TestExtensionBuilder::CreateVerifiedContentsPayload() const {
int block_size = extension_misc::kContentVerificationDefaultBlockSize;
base::Value::List files;
for (const auto& resource : extension_resources_) {
std::string path = base::FilePath(resource.relative_path).AsUTF8Unsafe();
std::string tree_hash =
ContentHash::ComputeTreeHashForContent(resource.contents, block_size);
std::string tree_hash_b64;
base::Base64UrlEncode(tree_hash, base::Base64UrlEncodePolicy::OMIT_PADDING,
&tree_hash_b64);
files.Append(
base::Value::Dict().Set("path", path).Set("root_hash", tree_hash_b64));
}
base::Value::Dict result =
base::Value::Dict()
.Set("item_id", extension_id_)
.Set("item_version", "1.0")
.Set("content_hashes", base::Value::List().Append(
base::Value::Dict()
.Set("format", "treehash")
.Set("block_size", block_size)
.Set("hash_block_size", block_size)
.Set("files", std::move(files))));
return std::make_unique<base::Value>(std::move(result));
}
scoped_refptr<Extension> UnzipToDirAndLoadExtension(
const base::FilePath& extension_zip,
const base::FilePath& unzip_dir) {
if (!zip::Unzip(extension_zip, unzip_dir)) {
ADD_FAILURE() << "Failed to unzip path.";
return nullptr;
}
std::u16string error;
scoped_refptr<Extension> extension = file_util::LoadExtension(
unzip_dir, mojom::ManifestLocation::kInternal, 0 , &error);
EXPECT_NE(nullptr, extension.get()) << " error:'" << error << "'";
return extension;
}
}
}
