device/fido: add filter ability.

At several points in the past we have wanted a Finch-controllable
filter. This change attempts to add a fairly generic one that would have
met all the previous needs.

Change-Id: Iec25677b9bca532c45844933cf7d5d0d95e00764
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2612051
Reviewed-by: Martin Kreichgauer <martinkr@google.com>
Commit-Queue: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#842117}

chrome/browser/extensions/api/cryptotoken_private/cryptotoken_private_api.cc

@@ -23,13 +23,14 @@
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/web_contents.h"
 #include "crypto/sha2.h"
-#include "device/fido/features.h"
+#include "device/fido/filter.h"
 #include "extensions/browser/extension_api_frame_id_map.h"
 #include "extensions/common/error_utils.h"
 #include "net/base/registry_controlled_domains/registry_controlled_domain.h"
 #include "url/origin.h"
 
 #if defined(OS_WIN)
+#include "device/fido/features.h"
 #include "device/fido/win/webauthn_api.h"
 #endif  // defined(OS_WIN)
 
@@ -200,8 +201,10 @@ CryptotokenPrivateCanAppIdGetAttestationFunction::Run() {
   }
 
   // If the origin is blocked, reject attestation.
-  if (device::DoesMatchWebAuthAttestationBlockedDomains(
-          url::Origin::Create(origin_url))) {
+  if (device::fido_filter::Evaluate(
+          device::fido_filter::Operation::MAKE_CREDENTIAL, origin.Serialize(),
+          /*device=*/base::nullopt, /*id=*/base::nullopt) ==
+      device::fido_filter::Action::NO_ATTESTATION) {
     return RespondNow(OneArgument(base::Value(false)));
   }
 

content/browser/webauth/authenticator_common.cc

@@ -47,6 +47,7 @@
 #include "device/fido/fido_constants.h"
 #include "device/fido/fido_parsing_utils.h"
 #include "device/fido/fido_transport_protocol.h"
+#include "device/fido/filter.h"
 #include "device/fido/get_assertion_request_handler.h"
 #include "device/fido/make_credential_request_handler.h"
 #include "device/fido/public_key.h"
@@ -828,6 +829,24 @@ void AuthenticatorCommon::MakeCredential(
   options->relying_party.id = std::move(*rp_id);
   request_delegate_->SetRelyingPartyId(relying_party_id_);
 
+  device::fido_filter::MaybeInitialize();
+  switch (device::fido_filter::Evaluate(
+      device::fido_filter::Operation::MAKE_CREDENTIAL, relying_party_id_,
+      /*device=*/base::nullopt,
+      /*id=*/base::nullopt)) {
+    case device::fido_filter::Action::ALLOW:
+      break;
+    case device::fido_filter::Action::NO_ATTESTATION:
+      // This will be handled by the request handler.
+      break;
+    case device::fido_filter::Action::BLOCK:
+      InvokeCallbackAndCleanup(
+          std::move(callback),
+          blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR, nullptr,
+          Focus::kDontCheck);
+      return;
+  }
+
   base::Optional<std::string> appid_exclude;
   if (options->appid_exclude) {
     appid_exclude =
@@ -1096,6 +1115,17 @@ void AuthenticatorCommon::GetAssertion(
                 client_data::kGetType, caller_origin_.Serialize(),
                 options->challenge, is_cross_origin);
 
+  device::fido_filter::MaybeInitialize();
+  if (device::fido_filter::Evaluate(
+          device::fido_filter::Operation::GET_ASSERTION, relying_party_id_,
+          /*device=*/base::nullopt,
+          /*id=*/base::nullopt) == device::fido_filter::Action::BLOCK) {
+    InvokeCallbackAndCleanup(
+        std::move(callback),
+        blink::mojom::AuthenticatorStatus::NOT_ALLOWED_ERROR);
+    return;
+  }
+
   // Cryptotoken requests should be proxied without UI.
   if (origin_is_crypto_token_extension || disable_ui_)
     request_delegate_->DisableUI();
@@ -1395,7 +1425,7 @@ void AuthenticatorCommon::OnRegisterResponse(
 
       // cryptotoken checks the attestation blocklist itself.
       if (!origin_is_crypto_token_extension &&
-          device::DoesMatchWebAuthAttestationBlockedDomains(caller_origin_) &&
+          response_data->attestation_should_be_filtered &&
           !request_delegate_->ShouldPermitIndividualAttestation(
               relying_party_id_)) {
         attestation_erasure =