Bug 1908481 - add a pref to select the user's CRLite filter channel. a=dmeehan

Original Revision: https://phabricator.services.mozilla.com/D216847

Differential Revision: https://phabricator.services.mozilla.com/D217737

modules/libpref/init/StaticPrefList.yaml

@@ -15033,6 +15033,15 @@
   value: 3
   mirror: always
 
+# The CRLite filter channel to which the user is subscribed.
+# - "all" => filters that contain all revocations,
+# - "specified" => filters that contain revocations with specified reason codes,
+# - "priority" => filters that contain high priority revocations.
+- name: security.pki.crlite_channel
+  type: String
+  value: "specified"
+  mirror: never
+
 - name: security.tls.version.min
   type: RelaxedAtomicUint32
   value: 3

security/manager/ssl/RemoteSecuritySettings.sys.mjs

@@ -538,6 +538,12 @@ class CRLiteFilters {
     }
   }
 
+  async getRecords() {
+    let records = await this.client.db.list();
+    records = await this.client._filterEntries(records);
+    return records;
+  }
+
   async onObservePollEnd() {
     if (!Services.prefs.getBoolPref(CRLITE_FILTERS_ENABLED_PREF, true)) {
       lazy.log.debug("CRLite filter downloading is disabled");
@@ -553,7 +559,7 @@ class CRLiteFilters {
       Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_FULL
     );
     if (!hasPriorFilter) {
-      let current = await this.client.db.list();
+      let current = await this.getRecords();
       let toReset = current.filter(
         record => !record.incremental && record.loaded_into_cert_storage
       );
@@ -567,7 +573,7 @@ class CRLiteFilters {
       Ci.nsICertStorage.DATA_TYPE_CRLITE_FILTER_INCREMENTAL
     );
     if (!hasPriorStash) {
-      let current = await this.client.db.list();
+      let current = await this.getRecords();
       let toReset = current.filter(
         record => record.incremental && record.loaded_into_cert_storage
       );
@@ -578,7 +584,7 @@ class CRLiteFilters {
       );
     }
 
-    let current = await this.client.db.list();
+    let current = await this.getRecords();
     let fullFilters = current.filter(filter => !filter.incremental);
     if (fullFilters.length < 1) {
       lazy.log.debug("no full CRLite filters to download?");

security/manager/ssl/tests/unit/test_crlite_filters.js

@@ -101,7 +101,7 @@ function getFilenameForFilter(filter) {
  * @param {boolean} clear Whether or not to clear the local DB first. Defaults
  *                        to true.
  */
-async function syncAndDownload(filters, clear = true) {
+async function syncAndDownload(filters, clear = true, channel = "specified") {
   const localDB = await CRLiteFiltersClient.client.db;
   if (clear) {
     await localDB.clear();
@@ -130,6 +130,8 @@ async function syncAndDownload(filters, clear = true) {
       coverage: filter.type == "full" ? filter.coverage : undefined,
       enrolledIssuers:
         filter.type == "full" ? filter.enrolledIssuers : undefined,
+      channel: `${channel}`,
+      filter_expression: `'${channel}' == 'security.pki.crlite_channel'|preferenceValue('none')`,
     };
 
     await localDB.create(record);
@@ -175,6 +177,21 @@ add_task(async function test_crlite_no_filters() {
   );
 });
 
+add_task(async function test_crlite_no_filters_in_channel() {
+  Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);
+
+  let result = await syncAndDownload(
+    [{ timestamp: "2019-01-01T00:00:00Z", type: "full", id: "0000" }],
+    true,
+    "other"
+  );
+  equal(
+    result,
+    "unavailable",
+    "CRLite filter download should have run, but nothing was available"
+  );
+});
+
 add_task(async function test_crlite_only_incremental_filters() {
   Services.prefs.setBoolPref(CRLITE_FILTERS_ENABLED_PREF, true);