content/browser/mojo_binder_policy_applier.h

// Copyright 2020 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_BROWSER_MOJO_BINDER_POLICY_APPLIER_H_
#define CONTENT_BROWSER_MOJO_BINDER_POLICY_APPLIER_H_

#include <string>

#include "base/functional/bind.h"
#include "base/functional/callback.h"
#include "base/functional/callback_forward.h"
#include "base/memory/raw_ref.h"
#include "content/browser/mojo_binder_policy_map_impl.h"
#include "content/common/content_export.h"

namespace content {

// MojoBinderPolicyApplier is a helper class for `BrowserInterfaceBrokerImpl`
// which allows control over when to run the binder registered for a
// requested interface. This is useful in cases like prerendering pages, where
// it can be desirable to defer binding until the page is activated, or take
// other actions.
//
// The action to take for each interface is specified in the given
// `MojoBinderPolicyMap`, and kDefer is used when no policy is specified.
//
// See content/browser/preloading/prerender/README.md for more about capability
// control.
class CONTENT_EXPORT MojoBinderPolicyApplier {
 public:
  enum class Mode {
    // In the kEnforce mode, MojoBinderPolicyApplier processes binding requests
    // strictly according to the pre-set policies.
    kEnforce,
    // If the page is about to activate, MojoBinderPolicyApplier will switch to
    // the kPrepareToGrantAll mode, and all non-kGrant binders will be
    // deferred.
    kPrepareToGrantAll,
    // In the kGrantAll mode, MojoBinderPolicyApplier grants all binding
    // requests regardless of their policies.
    kGrantAll,
  };

  // `policy_map` must outlive `this` and must not be null.
  // `cancel_callback` will be executed when ApplyPolicyToBinder() processes a
  // kCancel interface.
  MojoBinderPolicyApplier(
      const MojoBinderPolicyMapImpl* policy_map,
      base::OnceCallback<void(const std::string& interface_name)>
          cancel_callback);
  ~MojoBinderPolicyApplier();

  // Returns the instance used by BrowserInterfaceBrokerImpl for same-origin
  // prerendering pages. This is used when the prerendered page and the page
  // that triggered the prerendering are same origin.
  static std::unique_ptr<MojoBinderPolicyApplier>
  CreateForSameOriginPrerendering(
      base::OnceCallback<void(const std::string& interface_name)>
          cancel_closure);

  // Returns the instance used by BrowserInterfaceBrokerImpl for preview mode.
  // This is used when a page is shown in preview mode.
  static std::unique_ptr<MojoBinderPolicyApplier> CreateForPreview(
      base::OnceCallback<void(const std::string& interface_name)>
          cancel_closure);

  // Disallows copy and move operations.
  MojoBinderPolicyApplier(const MojoBinderPolicyApplier& other) = delete;
  MojoBinderPolicyApplier& operator=(const MojoBinderPolicyApplier& other) =
      delete;
  MojoBinderPolicyApplier(MojoBinderPolicyApplier&&) = delete;
  MojoBinderPolicyApplier& operator=(MojoBinderPolicyApplier&&) = delete;

  // Applies `MojoBinderNonAssociatedPolicy` before binding a non-associated
  // interface.
  // - In kEnforce mode:
  //   - kGrant: Runs `binder_callback` immediately.
  //   - kDefer: Saves `binder_callback` and runs it when GrantAll() is called.
  //   - kCancel: Drops `binder_callback` and runs `cancel_callback_`.
  //   - kUnexpected: Unimplemented now.
  // - In the kPrepareToGrantAll mode:
  //   - kGrant: Runs `binder_callback` immediately.
  //   - kDefer, kCancel and kUnexpected: Saves `binder_callback` and runs it
  //   when GrantAll() is called.
  // - In the kGrantAll mode: this always runs the callback immediately.
  void ApplyPolicyToNonAssociatedBinder(const std::string& interface_name,
                                        base::OnceClosure binder_callback);

  // Applies `MojoBinderAssociatedPolicy` before binding an associated
  // interface. Note that this method only applies kCancel and kGrant to
  // associated intefaces, because messages sent over associated interfaces
  // cannot be deferred. See
  // https://chromium.googlesource.com/chromium/src/+/HEAD/mojo/public/cpp/bindings/README.md#Associated-Interfaces
  // for more information.
  // Runs the cancellation callback and returns false if kCancel is applied.
  // Otherwise returns true.
  bool ApplyPolicyToAssociatedBinder(const std::string& interface_name);

  // Switches this to the kPrepareToGrantAll mode.
  void PrepareToGrantAll();

  // Runs all deferred binders and runs binder callbacks for all subsequent
  // requests, i.e., it stops applying the policies.

  void GrantAll();
  // Deletes all deferred binders without running them.
  void DropDeferredBinders();

 private:
  friend class MojoBinderPolicyApplierTest;

  // Gets the corresponding policy of the given mojo interface name.
  MojoBinderNonAssociatedPolicy GetNonAssociatedMojoBinderPolicy(
      const std::string& interface_name) const;

  const MojoBinderNonAssociatedPolicy default_policy_ =
      MojoBinderNonAssociatedPolicy::kDefer;
  // Maps Mojo interface name to its policy.
  const raw_ref<const MojoBinderPolicyMapImpl> policy_map_;

  // Will be executed upon a request for a kCancel interface.
  base::OnceCallback<void(const std::string& interface_name)> cancel_callback_;
  Mode mode_ = Mode::kEnforce;

  // Stores binders which are delayed running.
  std::vector<base::OnceClosure> deferred_binders_;

  // Stores binders that can be used to send synchronous messages but
  // are delayed running.
  std::vector<base::OnceClosure> deferred_sync_binders_;
};

}  // namespace content

#endif  // CONTENT_BROWSER_MOJO_BINDER_POLICY_APPLIER_H_