Bug 1893434 - Import user activation signals from permission manager into BTP user activation store. r=bvandersloot,manuel,anti-tracking-reviewers

Differential Revision: https://phabricator.services.mozilla.com/D208763

modules/libpref/init/StaticPrefList.yaml

@@ -14308,6 +14308,13 @@
   value: false
   mirror: always
 
+# Whether the migration ran to import user activation flags into the BTP user
+# activation store. Set to false to trigger a new migration.
+- name: privacy.bounceTrackingProtection.hasMigratedUserActivationData
+  type: bool
+  value: false
+  mirror: always
+
 #---------------------------------------------------------------------------
 # Prefs starting with "prompts."
 #---------------------------------------------------------------------------

toolkit/components/antitracking/bouncetrackingprotection/BounceTrackingProtection.cpp

@@ -21,6 +21,7 @@
 #include "nsHashPropertyBag.h"
 #include "nsIClearDataService.h"
 #include "nsIObserverService.h"
+#include "nsIPermissionManager.h"
 #include "nsIPrincipal.h"
 #include "nsISupports.h"
 #include "nsServiceManagerUtils.h"
@@ -78,6 +79,12 @@ BounceTrackingProtection::BounceTrackingProtection() {
     return;
   }
 
+  rv = MaybeMigrateUserInteractionPermissions();
+  if (NS_WARN_IF(NS_FAILED(rv))) {
+    MOZ_LOG(gBounceTrackingProtectionLog, LogLevel::Error,
+            ("user activation permission migration failed"));
+  }
+
   // Schedule timer for tracker purging. The timer interval is determined by
   // pref.
   uint32_t purgeTimerPeriod = StaticPrefs::
@@ -225,7 +232,7 @@ nsresult BounceTrackingProtection::RecordStatefulBounces(
 }
 
 nsresult BounceTrackingProtection::RecordUserActivation(
-    nsIPrincipal* aPrincipal) {
+    nsIPrincipal* aPrincipal, Maybe<PRTime> aActivationTime) {
   MOZ_ASSERT(XRE_IsParentProcess());
   NS_ENSURE_ARG_POINTER(aPrincipal);
 
@@ -244,7 +251,12 @@ nsresult BounceTrackingProtection::RecordUserActivation(
       mStorage->GetOrCreateStateGlobal(aPrincipal);
   MOZ_ASSERT(globalState);
 
-  return globalState->RecordUserActivation(siteHost, PR_Now());
+  // Default to current time if not timestamp is provided.
+  if (aActivationTime.isNothing()) {
+    aActivationTime = Some(PR_Now());
+  }
+
+  return globalState->RecordUserActivation(siteHost, aActivationTime.extract());
 }
 
 NS_IMETHODIMP
@@ -655,6 +667,83 @@ nsresult BounceTrackingProtection::ClearExpiredUserInteractions(
   return NS_OK;
 }
 
+nsresult BounceTrackingProtection::MaybeMigrateUserInteractionPermissions() {
+  // Only run the migration once.
+  if (StaticPrefs::
+          privacy_bounceTrackingProtection_hasMigratedUserActivationData()) {
+    return NS_OK;
+  }
+
+  MOZ_LOG(
+      gBounceTrackingProtectionLog, LogLevel::Info,
+      ("%s: Importing user activation data from permissions", __FUNCTION__));
+
+  // Get all user activation permissions that are within our user activation
+  // lifetime. We don't care about the rest since they are considered expired
+  // for BTP.
+
+  nsresult rv = NS_OK;
+  nsCOMPtr<nsIPermissionManager> permManager =
+      do_GetService(NS_PERMISSIONMANAGER_CONTRACTID, &rv);
+  NS_ENSURE_SUCCESS(rv, rv);
+  NS_ENSURE_TRUE(permManager, NS_ERROR_FAILURE);
+
+  // Construct the since time param. The permission manager expects epoch in
+  // miliseconds.
+  int64_t nowMS = PR_Now() / PR_USEC_PER_MSEC;
+  int64_t activationLifetimeMS =
+      static_cast<int64_t>(
+          StaticPrefs::
+              privacy_bounceTrackingProtection_bounceTrackingActivationLifetimeSec()) *
+      PR_MSEC_PER_SEC;
+  int64_t since = nowMS - activationLifetimeMS;
+  MOZ_ASSERT(since > 0);
+
+  // Get all user activation permissions last modified between "since" and now.
+  nsTArray<RefPtr<nsIPermission>> userActivationPermissions;
+  rv = permManager->GetAllByTypeSince("storageAccessAPI"_ns, since,
+                                      userActivationPermissions);
+  NS_ENSURE_SUCCESS(rv, rv);
+
+  MOZ_LOG(gBounceTrackingProtectionLog, LogLevel::Debug,
+          ("%s: Found %zu (non-expired) user activation permissions",
+           __FUNCTION__, userActivationPermissions.Length()));
+
+  for (const auto& perm : userActivationPermissions) {
+    nsCOMPtr<nsIPrincipal> permPrincipal;
+
+    rv = perm->GetPrincipal(getter_AddRefs(permPrincipal));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      continue;
+    }
+    MOZ_ASSERT(permPrincipal);
+
+    // The time the permission was last modified is the time of last user
+    // activation.
+    int64_t modificationTimeMS;
+    rv = perm->GetModificationTime(&modificationTimeMS);
+    NS_ENSURE_SUCCESS(rv, rv);
+    MOZ_ASSERT(modificationTimeMS >= since,
+               "Unexpected permission modification time");
+
+    // We may end up with duplicates here since user activation permissions are
+    // tracked by origin, while BTP tracks user activation by site host.
+    // RecordUserActivation is responsible for only keeping the most recent user
+    // activation flag for a given site host and needs to make sure existing
+    // activation flags are not overwritten by older timestamps.
+    // RecordUserActivation expects epoch in microseconds.
+    rv = RecordUserActivation(permPrincipal,
+                              Some(modificationTimeMS * PR_USEC_PER_MSEC));
+    if (NS_WARN_IF(NS_FAILED(rv))) {
+      continue;
+    }
+  }
+
+  // Migration successful, set the pref to indicate that we have migrated.
+  return mozilla::Preferences::SetBool(
+      "privacy.bounceTrackingProtection.hasMigratedUserActivationData", true);
+}
+
 // ClearDataCallback
 
 NS_IMPL_ISUPPORTS(BounceTrackingProtection::ClearDataCallback,

toolkit/components/antitracking/bouncetrackingprotection/BounceTrackingProtection.h

@@ -38,8 +38,11 @@ class BounceTrackingProtection final : public nsIBounceTrackingProtection {
   [[nodiscard]] nsresult RecordStatefulBounces(
       BounceTrackingState* aBounceTrackingState);
 
-  // Stores a user activation flag with a timestamp for the given principal.
+  // Stores a user activation flag with a timestamp for the given principal. The
-  [[nodiscard]] nsresult RecordUserActivation(nsIPrincipal* aPrincipal);
+  // timestamp defaults to the current time, but can be overridden via
+  // aActivationTime.
+  [[nodiscard]] nsresult RecordUserActivation(
+      nsIPrincipal* aPrincipal, Maybe<PRTime> aActivationTime = Nothing());
 
   // Clears expired user interaction flags for the given state global. If
   // aStateGlobal == nullptr, clears expired user interaction flags for all
@@ -95,6 +98,11 @@ class BounceTrackingProtection final : public nsIBounceTrackingProtection {
     glean::TimerId mClearDurationTimer;
     RefPtr<ClearDataMozPromise::Private> mPromise;
   };
+
+  // Imports user activation permissions from permission manager if needed. This
+  // is important so we don't purge data for sites the user has interacted with
+  // before the feature was enabled.
+  [[nodiscard]] nsresult MaybeMigrateUserInteractionPermissions();
 };
 
 }  // namespace mozilla

toolkit/components/antitracking/bouncetrackingprotection/BounceTrackingStateGlobal.cpp

@@ -42,6 +42,19 @@ nsresult BounceTrackingStateGlobal::RecordUserActivation(
              __FUNCTION__, PromiseFlatCString(aSiteHost).get()));
   }
 
+  // Make sure we don't overwrite an existing, more recent user activation. This
+  // is only relevant for callers that pass in a timestamp that isn't PR_Now(),
+  // e.g. when importing user activation data.
+  Maybe<PRTime> existingUserActivation = mUserActivation.MaybeGet(aSiteHost);
+  if (existingUserActivation.isSome() &&
+      existingUserActivation.value() >= aTime) {
+    MOZ_LOG(gBounceTrackingProtectionLog, LogLevel::Debug,
+            ("%s: Skip: A more recent user activation "
+             "already exists for %s",
+             __FUNCTION__, PromiseFlatCString(aSiteHost).get()));
+    return NS_OK;
+  }
+
   mUserActivation.InsertOrUpdate(aSiteHost, aTime);
 
   if (aSkipStorage || !ShouldPersistToDisk()) {