Split out PST metrics for per-site limits.

Change-Id: I0583ab4f2f50bad454d3662473a84bc9898de243
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6133673
Reviewed-by: Bo Liu <boliu@chromium.org>
Reviewed-by: Dmitry Gozman <dgozman@chromium.org>
Commit-Queue: Steven Valdez <svaldez@chromium.org>
Reviewed-by: Giovanni Ortuno Urquidi <ortuno@chromium.org>
Reviewed-by: Aykut Bulut <aykutb@google.com>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1402392}

content/browser/browsing_data/browsing_data_remover_impl_browsertest.cc

@@ -769,7 +769,7 @@ class TrustTokensTester {
     // provided to HasTrustTokens(origin, _) calls in AddOrigin:
     // - If data has not been cleared,
     //     HasTrustToken(origin, https://probe.example)
-    //   is expected to fail with kResourceLimited because |origin| is at
+    //   is expected to fail with kSiteIssuerLimit because |origin| is at
     //   its number-of-associated-issuers limit, so the answerer will refuse
     //   to answer a query for an origin it has not yet seen.
     // - If data has been cleared, the answerer should be able to fulfill the
@@ -778,11 +778,11 @@ class TrustTokensTester {
         url::Origin::Create(GURL("https://probe.example")),
         base::BindLambdaForTesting(
             [&](network::mojom::HasTrustTokensResultPtr result) {
-              // HasTrustTokens will error out with kResourceLimited exactly
+              // HasTrustTokens will error out with kSiteIssuerLimit exactly
               // when the top-frame origin |origin| was previously added by
               // AddOrigin.
               if (result->status ==
-                  network::mojom::TrustTokenOperationStatus::kResourceLimited) {
+                  network::mojom::TrustTokenOperationStatus::kSiteIssuerLimit) {
                 has_origin = true;
               }
 

content/browser/devtools/protocol/network_handler.cc

@@ -3683,6 +3683,9 @@ String GetTrustTokenOperationStatus(
         kOperationSuccessfullyFulfilledLocally:
       return protocol::Network::TrustTokenOperationDone::StatusEnum::
           FulfilledLocally;
+    case network::mojom::TrustTokenOperationStatus::kSiteIssuerLimit:
+      return protocol::Network::TrustTokenOperationDone::StatusEnum::
+          SiteIssuerLimit;
   }
 }
 

services/network/public/mojom/trust_tokens.mojom

@@ -74,6 +74,9 @@ enum TrustTokenOperationStatus {
   // The operation was executed by a means other than sending the resource
   // request at hand, so there's no response to provide for the request.
   kOperationSuccessfullyFulfilledLocally = 11,
+
+  // The limit on issuers per-site was hit.
+  kSiteIssuerLimit = 12,
 };
 // LINT.ThenChange(//tools/metrics/histograms/metadata/net/enums.xml:TrustTokenOperationStatus)
 

services/network/trust_tokens/trust_token_query_answerer.cc

@@ -72,7 +72,7 @@ void TrustTokenQueryAnswerer::AnswerTokenQueryWithStore(
 
   if (!trust_token_store->SetAssociation(issuer, top_frame_origin_)) {
     std::move(callback).Run(mojom::HasTrustTokensResult::New(
-        mojom::TrustTokenOperationStatus::kResourceLimited,
+        mojom::TrustTokenOperationStatus::kSiteIssuerLimit,
         /*has_trust_tokens=*/false));
     return;
   }

services/network/trust_tokens/trust_token_query_answerer_unittest.cc

@@ -122,7 +122,7 @@ TEST(TrustTokenQueryAnswerer, TokenQueryHandlesFailureToAssociateIssuer) {
           }));
 
   ASSERT_TRUE(result);
-  EXPECT_EQ(result->status, mojom::TrustTokenOperationStatus::kResourceLimited);
+  EXPECT_EQ(result->status, mojom::TrustTokenOperationStatus::kSiteIssuerLimit);
 }
 
 TEST(TrustTokenQueryAnswerer, TokenQuerySuccessWithNoTokens) {

services/network/trust_tokens/trust_token_request_issuance_helper.cc

@@ -153,7 +153,7 @@ void TrustTokenRequestIssuanceHelper::Begin(
   if (!token_store_->SetAssociation(*issuer_, top_level_origin_)) {
     LogOutcome(net_log_, kBegin, "Couldn't set issuer-toplevel association");
     std::move(done).Run(std::nullopt,
-                        mojom::TrustTokenOperationStatus::kResourceLimited);
+                        mojom::TrustTokenOperationStatus::kSiteIssuerLimit);
     return;
   }
 

services/network/trust_tokens/trust_token_request_issuance_helper_unittest.cc

@@ -201,7 +201,7 @@ TEST_F(TrustTokenRequestIssuanceHelperTest, RejectsIfTooManyIssuers) {
   auto request = MakeURLRequest("https://issuer.com/");
   request->set_initiator(issuer);
   EXPECT_EQ(ExecuteBeginOperationAndWaitForResult(&helper, request.get()),
-            mojom::TrustTokenOperationStatus::kResourceLimited);
+            mojom::TrustTokenOperationStatus::kSiteIssuerLimit);
 }
 
 // Check that issuance fails if the number of tokens stored for the issuer is

services/network/trust_tokens/trust_token_request_redemption_helper.cc

@@ -106,7 +106,7 @@ void TrustTokenRequestRedemptionHelper::Begin(
   if (!token_store_->SetAssociation(*issuer_, top_level_origin_)) {
     LogOutcome(net_log_, kBegin, "Couldn't set issuer-toplevel association");
     std::move(done).Run(std::nullopt,
-                        mojom::TrustTokenOperationStatus::kResourceLimited);
+                        mojom::TrustTokenOperationStatus::kSiteIssuerLimit);
     return;
   }
 

services/network/trust_tokens/trust_token_request_redemption_helper_unittest.cc

@@ -125,7 +125,7 @@ TEST_F(TrustTokenRequestRedemptionHelperTest, RejectsIfTooManyIssuers) {
   mojom::TrustTokenOperationStatus result =
       ExecuteBeginOperationAndWaitForResult(&helper, request.get());
 
-  EXPECT_EQ(result, mojom::TrustTokenOperationStatus::kResourceLimited);
+  EXPECT_EQ(result, mojom::TrustTokenOperationStatus::kSiteIssuerLimit);
 }
 
 // Check that redemption fails if its key commitment request fails.

third_party/blink/public/devtools_protocol/browser_protocol.pdl

@@ -7436,6 +7436,7 @@ domain Network
         InternalError
         UnknownError
         FulfilledLocally
+        SiteIssuerLimit
       TrustTokenOperationType type
       RequestId requestId
       # Top level origin. The context in which the operation was attempted.

third_party/blink/renderer/core/fetch/trust_token_to_mojom.cc

@@ -161,6 +161,9 @@ DOMException* TrustTokenErrorToDOMException(TrustTokenOperationStatus error) {
     case TrustTokenOperationStatus::kResourceLimited:
       return create("Quota hit for Private State Tokens operation",
                     DOMExceptionCode::kOperationError);
+    case TrustTokenOperationStatus::kSiteIssuerLimit:
+      return create("Limit hit for Private State Tokens issuers per site",
+                    DOMExceptionCode::kOperationError);
     case TrustTokenOperationStatus::kUnauthorized:
       return create(
           "Private State Tokens API unavailable due to user settings.",

tools/metrics/histograms/metadata/net/enums.xml

@@ -2738,6 +2738,7 @@ Called by update_net_trust_anchors.py.-->
   <int value="9" label="Internal error"/>
   <int value="10" label="Unknown error"/>
   <int value="11" label="Operation fulfilled locally"/>
+  <int value="12" label="Per-site issuer limit reached"/>
 </enum>
 
 <!-- LINT.ThenChange(//services/network/public/mojom/trust_tokens.mojom:TrustTokenOperationStatus) -->