Review.

browser/brave_shields/ad_block_service_browsertest.cc

@@ -27,7 +27,7 @@
 #include "brave/browser/brave_browser_process.h"
 #include "brave/browser/component_updater/brave_component_contents_verifier.h"
 #include "brave/browser/net/brave_ad_block_tp_network_delegate_helper.h"
-#include "brave/components/brave_component_updater/browser/component_contents_verifier.h"
+#include "brave/components/brave_component_updater/browser/component_contents_accessor.h"
 #include "brave/components/brave_shields/content/browser/ad_block_custom_filters_provider.h"
 #include "brave/components/brave_shields/content/browser/ad_block_engine.h"
 #include "brave/components/brave_shields/content/browser/ad_block_service.h"
@@ -249,18 +249,14 @@ base::FilePath AdBlockServiceTest::MakeTestDataCopy(
 }
 
 brave_shields::AdBlockResourceProvider*
-AdBlockServiceTest::IntsallDefaultAdBlockResources(
+AdBlockServiceTest::InstallDefaultAdBlockResources(
     const base::FilePath& component_path) {
   brave_shields::AdBlockService* service =
       g_brave_browser_process->ad_block_service();
-  auto* resource_provider =
-      static_cast<brave_shields::AdBlockDefaultResourceProvider*>(
-          service->resource_provider());
-
   base::ScopedAllowBlockingForTesting allow_blocking;
-  resource_provider->OnComponentReady(
+  service->default_resource_provider()->OnComponentReady(
       component_updater::ComponentContentsAccessor::Create(component_path));
-  return resource_provider;
+  return service->default_resource_provider();
 }
 
 void AdBlockServiceTest::UpdateAdBlockResources(const std::string& resources) {
@@ -269,10 +265,8 @@ void AdBlockServiceTest::UpdateAdBlockResources(const std::string& resources) {
   brave_shields::AdBlockService* service =
       g_brave_browser_process->ad_block_service();
 
-  static_cast<brave_shields::AdBlockDefaultResourceProvider*>(
-      service->resource_provider())
-      ->OnComponentReady(
-          component_updater::ComponentContentsAccessor::Create(component_path));
+  service->default_resource_provider()->OnComponentReady(
+      component_updater::ComponentContentsAccessor::Create(component_path));
 }
 
 void AdBlockServiceTest::UpdateAdBlockInstanceWithRules(
@@ -1639,17 +1633,12 @@ class AdBlockServiceSignedComponentsTest : public AdBlockServiceTest {
   base::test::ScopedFeatureList feature_list_;
 };
 
-#if BUILDFLAG(ENABLE_EXTENSIONS)
-#define MAYBE_SafeResourcesComponentAccess SafeResourcesComponentAccess
-#else
-#define MAYBE_SafeResourcesComponentAccess DISABLED_SafeResourcesComponentAccess
-#endif
 IN_PROC_BROWSER_TEST_F(AdBlockServiceSignedComponentsTest,
-                       MAYBE_SafeResourcesComponentAccess) {
+                       SafeResourcesComponentAccess) {
   const auto components_path =
       GetTestDataDir().AppendASCII("adblock-components");
   {
-    auto* resource_provider = IntsallDefaultAdBlockResources(
+    auto* resource_provider = InstallDefaultAdBlockResources(
         components_path.AppendASCII("resources_ok"));
     base::RunLoop run_loop;
     resource_provider->LoadResources(
@@ -1664,12 +1653,20 @@ IN_PROC_BROWSER_TEST_F(AdBlockServiceSignedComponentsTest,
   }
 
   {
-    auto* resource_provider = IntsallDefaultAdBlockResources(
+    auto* resource_provider = InstallDefaultAdBlockResources(
         components_path.AppendASCII("resources_corrupted"));
     base::RunLoop run_loop;
     resource_provider->LoadResources(
         base::BindLambdaForTesting([&run_loop](const std::string& resources) {
+#if BUILDFLAG(ENABLE_EXTENSIONS)
           constexpr const char kExpectedResources[] = "[]";
+#else
+          // In case of extensions are disabled we don't check the signature.
+          constexpr const char kExpectedResources[] =
+              "[{\"name\":\"edited.js\",\"aliases\":[],\"kind\":{\"mime\":"
+              "\"application/javascript\"}]";
+#endif
+
           EXPECT_EQ(kExpectedResources, resources);
           run_loop.Quit();
         }));

browser/brave_shields/ad_block_service_browsertest.h

@@ -48,7 +48,7 @@ class AdBlockServiceTest : public PlatformBrowserTest {
   void AddNewRules(const std::string& rules,
                    uint8_t permission_mask = 0,
                    bool first_party_protections = false);
-  brave_shields::AdBlockResourceProvider* IntsallDefaultAdBlockResources(
+  brave_shields::AdBlockResourceProvider* InstallDefaultAdBlockResources(
       const base::FilePath& component_path);
   void UpdateAdBlockResources(const std::string& resources);
   void UpdateAdBlockInstanceWithRules(const std::string& rules);

browser/component_updater/brave_component_contents_verifier.cc

@@ -76,9 +76,11 @@ std::string GetRootHashForContent(base::span<const uint8_t> contents,
                                          block_size / crypto::kSHA256Length);
 }
 
-class SecureContentsVerifier : public component_updater::ContentsVerifier {
+class ExtensionsTreeHashContentsVerifier
+    : public component_updater::ContentsVerifier {
  public:
-  explicit SecureContentsVerifier(const base::FilePath& component_root) {
+  explicit ExtensionsTreeHashContentsVerifier(
+      const base::FilePath& component_root) {
     if (base::PathExists(
             component_root.AppendASCII(kBraveVerifiedContentsPath))) {
       verified_contents_ = extensions::VerifiedContents::CreateFromFile(
@@ -130,21 +132,20 @@ BASE_FEATURE(kComponentContentsVerifier,
              "ComponentContentsVerifier",
              base::FEATURE_DISABLED_BY_DEFAULT);
 
-std::unique_ptr<ContentsVerifier> CreateContentsVerifier(
+std::unique_ptr<ContentsVerifier> CreateExtensionsTreeHashContentsVerifier(
     const base::FilePath& component_root) {
 #if BUILDFLAG(ENABLE_EXTENSIONS)
-  const bool bypass = ShouldBypassSignature();
-  if (!bypass) {
-    return std::make_unique<SecureContentsVerifier>(component_root);
+  if (!ShouldBypassSignature()) {
+    return std::make_unique<ExtensionsTreeHashContentsVerifier>(component_root);
   }
 #endif
   // if there is no extensions enabled then we expect that on these platforms
   // the component files are protected by the OS.
-  return std::make_unique<ContentsVerifier>();
+  return nullptr;
 }
 
 void SetupComponentContentsVerifier() {
-  auto factory = base::BindRepeating(CreateContentsVerifier);
+  auto factory = base::BindRepeating(CreateExtensionsTreeHashContentsVerifier);
   SetupContentsVerifierFactory(std::move(factory));
 }
 

components/brave_component_updater/browser/BUILD.gn

@@ -15,6 +15,8 @@ static_library("browser") {
     "brave_component_updater_delegate.h",
     "brave_on_demand_updater.cc",
     "brave_on_demand_updater.h",
+    "component_contents_accessor.cc",
+    "component_contents_accessor.h",
     "component_contents_verifier.cc",
     "component_contents_verifier.h",
     "dat_file_util.cc",

components/brave_component_updater/browser/component_contents_accessor.cc

@@ -0,0 +1,62 @@
+// Copyright (c) 2024 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+#include "brave/components/brave_component_updater/browser/component_contents_accessor.h"
+
+#include <utility>
+#include <vector>
+
+#include "base/files/file_util.h"
+#include "brave/components/brave_component_updater/browser/component_contents_verifier.h"
+
+namespace component_updater {
+
+ComponentContentsAccessor::ComponentContentsAccessor(
+    const base::FilePath& component_root)
+    : component_root_(component_root),
+      verifier_(CreateContentsVerifier(component_root)) {}
+
+ComponentContentsAccessor::~ComponentContentsAccessor() = default;
+
+// static
+scoped_refptr<ComponentContentsAccessor> ComponentContentsAccessor::Create(
+    const base::FilePath& component_root) {
+  return base::WrapRefCounted(new ComponentContentsAccessor(component_root));
+}
+
+const base::FilePath& ComponentContentsAccessor::GetComponentRoot() const {
+  return component_root_;
+}
+
+std::optional<std::string> ComponentContentsAccessor::GetFileAsString(
+    const base::FilePath& relative_path) {
+  std::string contents;
+  if (!base::ReadFileToString(GetComponentRoot().Append(relative_path),
+                              &contents)) {
+    return std::nullopt;
+  }
+  if (verifier_ &&
+      !verifier_->VerifyContents(relative_path, base::as_byte_span(contents))) {
+    return std::nullopt;
+  }
+
+  return contents;
+}
+
+std::optional<std::vector<uint8_t>> ComponentContentsAccessor::GetFileAsBytes(
+    const base::FilePath& relative_path) {
+  auto contents =
+      base::ReadFileToBytes(GetComponentRoot().Append(relative_path));
+  if (!contents) {
+    return std::nullopt;
+  }
+  if (!verifier_->VerifyContents(relative_path,
+                                 base::as_byte_span(*contents))) {
+    return std::nullopt;
+  }
+  return std::move(*contents);
+}
+
+}  // namespace component_updater

components/brave_component_updater/browser/component_contents_accessor.h

@@ -0,0 +1,50 @@
+// Copyright (c) 2024 The Brave Authors. All rights reserved.
+// This Source Code Form is subject to the terms of the Mozilla Public
+// License, v. 2.0. If a copy of the MPL was not distributed with this file,
+// You can obtain one at https://mozilla.org/MPL/2.0/.
+
+#ifndef BRAVE_COMPONENTS_BRAVE_COMPONENT_UPDATER_BROWSER_COMPONENT_CONTENTS_ACCESSOR_H_
+#define BRAVE_COMPONENTS_BRAVE_COMPONENT_UPDATER_BROWSER_COMPONENT_CONTENTS_ACCESSOR_H_
+
+#include <memory>
+#include <optional>
+#include <string>
+#include <vector>
+
+#include "base/files/file_path.h"
+#include "base/memory/ref_counted.h"
+
+namespace component_updater {
+
+// Use on MAY_BLOCK sequence.
+class ComponentContentsAccessor
+    : public base::RefCountedThreadSafe<ComponentContentsAccessor> {
+ public:
+  ComponentContentsAccessor(const ComponentContentsAccessor&) = delete;
+  ComponentContentsAccessor(ComponentContentsAccessor&&) = delete;
+  ComponentContentsAccessor& operator=(const ComponentContentsAccessor&) =
+      delete;
+  ComponentContentsAccessor& operator=(ComponentContentsAccessor&&) = delete;
+
+  static scoped_refptr<ComponentContentsAccessor> Create(
+      const base::FilePath& component_root);
+
+  const base::FilePath& GetComponentRoot() const;
+
+  std::optional<std::string> GetFileAsString(
+      const base::FilePath& relative_path);
+  std::optional<std::vector<uint8_t>> GetFileAsBytes(
+      const base::FilePath& relative_path);
+
+ private:
+  friend class base::RefCountedThreadSafe<ComponentContentsAccessor>;
+  explicit ComponentContentsAccessor(const base::FilePath& component_root);
+  ~ComponentContentsAccessor();
+
+  const base::FilePath component_root_;
+  const std::unique_ptr<class ContentsVerifier> verifier_;
+};
+
+}  // namespace component_updater
+
+#endif  // BRAVE_COMPONENTS_BRAVE_COMPONENT_UPDATER_BROWSER_COMPONENT_CONTENTS_ACCESSOR_H_

components/brave_component_updater/browser/component_contents_verifier.cc

@@ -6,76 +6,32 @@
 #include "brave/components/brave_component_updater/browser/component_contents_verifier.h"
 
 #include <utility>
-#include <vector>
 
 #include "base/check_is_test.h"
-#include "base/files/file_util.h"
 #include "base/no_destructor.h"
 
 namespace component_updater {
 
 namespace {
-base::NoDestructor<ContentsVerifierFactory> g_verifier_factory;
-}
 
-// static
-void SetupContentsVerifierFactory(ContentsVerifierFactory factory) {
-  *g_verifier_factory = std::move(factory);
+ContentsVerifierFactory& GetContentsVerifierFactory() {
+  static base::NoDestructor<ContentsVerifierFactory> factory;
+  return *factory;
 }
 
-bool ContentsVerifier::VerifyContents(const base::FilePath& relative_path,
-                                      base::span<const uint8_t> contents) {
-  return true;
-}
+}  // namespace
 
-ComponentContentsAccessor::ComponentContentsAccessor(
-    const base::FilePath& component_root)
-    : component_root_(component_root),
-      verifier_(*g_verifier_factory ? g_verifier_factory->Run(component_root)
-                                    : std::make_unique<ContentsVerifier>()) {
-  if (!*g_verifier_factory) {
-    CHECK_IS_TEST();
-  }
+void SetupContentsVerifierFactory(ContentsVerifierFactory factory) {
+  GetContentsVerifierFactory() = std::move(factory);
 }
 
-ComponentContentsAccessor::~ComponentContentsAccessor() = default;
-
-// static
-scoped_refptr<ComponentContentsAccessor> ComponentContentsAccessor::Create(
+std::unique_ptr<ContentsVerifier> CreateContentsVerifier(
     const base::FilePath& component_root) {
-  return base::WrapRefCounted(new ComponentContentsAccessor(component_root));
-}
-
-const base::FilePath& ComponentContentsAccessor::GetComponentRoot() const {
-  return component_root_;
-}
-
-std::optional<std::string> ComponentContentsAccessor::GetFileAsString(
-    const base::FilePath& relative_path) {
-  std::string contents;
-  if (!base::ReadFileToString(GetComponentRoot().Append(relative_path),
-                              &contents)) {
-    return std::nullopt;
-  }
-  if (!verifier_->VerifyContents(relative_path, base::as_byte_span(contents))) {
-    return std::nullopt;
-  }
-
-  return contents;
-}
-
-std::optional<std::vector<uint8_t>> ComponentContentsAccessor::GetFileAsBytes(
-    const base::FilePath& relative_path) {
-  auto contents =
-      base::ReadFileToBytes(GetComponentRoot().Append(relative_path));
-  if (!contents) {
-    return std::nullopt;
-  }
-  if (!verifier_->VerifyContents(relative_path,
-                                 base::as_byte_span(*contents))) {
-    return std::nullopt;
+  if (!GetContentsVerifierFactory()) {
+    CHECK_IS_TEST();
+    return nullptr;
   }
-  return std::move(*contents);
+  return GetContentsVerifierFactory().Run(component_root);
 }
 
 }  // namespace component_updater