New security-related pyauto tests for Chrome on ChromeOS that verify extension permissions.

chrome/test/functional/chromeos_security.py

 #!/usr/bin/python
 # Copyright (c) 2011 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
 import os
 
 import pyauto_functional
 import pyauto
 
 
 class ChromeosSecurity(pyauto.PyUITest):
   """Security tests for chrome on ChromeOS.
 
   Requires ChromeOS to be logged in.
   """
+  COMPONENT_EXTENSION_BASELINE = [

[Nirnimesh, 2011/06/03 18:30:28]

Are these the same on marios, alex and zgb?

[dennis_jeffrey, 2011/06/03 22:04:19]

I think so.  I'm getting this information from
ProfileImpl::RegisterComponentExtensions, which contains the logic for whether
different component extensions are registered or not (it checks whether we're on
ChromeOS, whether it's an official build, etc).  I didn't see anything that
would suggest differences based on ChromeOS board type.

+      { 'name': 'Bookmark Manager',
+        'effective_host_permissions': ['chrome://favicon/*',
+                                       'chrome://resources/*',],
+        'api_permissions': ['bookmarks',
+                            'tabs',
+                            'experimental',],
+      },
+      { 'name': 'File Manager',
+        'effective_host_permissions': ['chrome://extension-icon/*',
+                                       'chrome://resources/*',],
+        'api_permissions': ['fileBrowserHandler',
+                            'fileBrowserPrivate',
+                            'mediaPlayerPrivate',
+                            'unlimitedStorage',],
+      },
+      { 'name': 'Mobile Activation',
+        'effective_host_permissions': [],
+        'api_permissions': [],
+      },
+      { 'name': 'Chrome Web Store',
+        'effective_host_permissions': [],
+        'api_permissions': ['management',
+                            'webstorePrivate',],
+      },
+  ]
+
+  BUNDLED_CRX_BASELINE = [
+      { 'crx_file': 'aciahcmjmecflokailenpkdchphgkefd.crx',
+        'name': 'Entanglement',
+        'effective_host_permissions': [],
+        'api_permissions': ['unlimitedStorage',],
+      },
+      { 'crx_file': 'apdfllckaahabafndbhieahigkjlhalf.crx',
+        'name': 'Google Docs',
+        'effective_host_permissions': [],
+        'api_permissions': ['unlimitedStorage',],
+      },
+      { 'crx_file': 'blpcfgokakmgnkcojhhkbfbldkacnbeo.crx',
+        'name': 'YouTube',
+        'effective_host_permissions': [],
+        'api_permissions': [],
+      },
+      { 'crx_file': 'ejjicmeblgpmajnghnpcppodonldlgfn.crx',
+        'name': 'Google Calendar',
+        'effective_host_permissions': [],
+        'api_permissions': ['notifications',
+                            'unlimitedStorage',],
+      },
+      { 'crx_file': 'hpfomeedmekonipambfkmjfacahlngjd.crx',
+        'name': 'Picasa Uploader',
+        'effective_host_permissions': ['*://www.google.com/*',
+                                       'https://picasaweb.google.com/*',],
+        'api_permissions': ['contextMenus',
+                            'fileBrowserHandler',
+                            'notifications',
+                            'tabs',],
+      },
+      { 'crx_file': 'kjebfhglflhjjjiceimfkgicifkhjlnm.crx',
+        'name': 'Scratchpad',
+        'effective_host_permissions': ['https://docs.google.com/*',
+                                       'https://www.google.com/*',],
+        'api_permissions': ['tabs',],
+      },
+      { 'crx_file': 'nckgahadagoaajjgafhacjanaoiihapd.crx',
+        'name': 'Google Talk',
+        'effective_host_permissions': ['*://mail.google.com/*',
+                                       '*://talkgadget.google.com/*',],
+        'api_permissions': ['tabs',],
+      },
+      { 'crx_file': 'pjkljhegncpnkpknbcohdijeoejaedia.crx',
+        'name': 'Gmail',
+        'effective_host_permissions': [],
+        'api_permissions': ['notifications',],
+      },
+  ]
+
+  def setUp(self):
+    pyauto.PyUITest.setUp(self)
+    if self.GetBrowserInfo()['properties']['is_official']:
+      self.COMPONENT_EXTENSION_BASELINE.append(
+          { 'name': 'Help',
+            'effective_host_permissions': ['*://www.google.com/*',],
+            'api_permissions': ['chromeosInfoPrivate',
+                                'tabs',],
+          })
 
   def ExtraChromeFlagsOnChromeOS(self):
-    """Override default list of extra flags typicall used with automation.
+    """Override default list of extra flags typically used with automation.
 
     See the default flags used with automation in pyauto.py.
     Chrome flags for this test should be as close to reality as possible.
     """
     return [
        '--homepage=about:blank',
     ]
 
   def testCannotViewLocalFiles(self):
     """Verify that local files cannot be accessed from the browser."""
     urls_and_titles = {
        'file:///': 'Index of /',
        'file:///etc/': 'Index of /etc/',
        self.GetFileURLForDataPath('title2.html'): 'Title Of Awesomeness',
     }
     for url, title in urls_and_titles.iteritems():
       self.NavigateToURL(url)
       self.assertNotEqual(title, self.GetActiveTabTitle(),
           msg='Could access local file %s.' % url)
 
+  def _VerifyExtensionPermissions(self, baseline):
+    full_ext_actual_info = self.GetExtensionsInfo()
+    for ext_expected_info in baseline:
+      located_ext_info = [info for info in full_ext_actual_info if
+                          info['name'] == ext_expected_info['name']]
+      self.assertTrue(
+          located_ext_info,
+          msg='Cannot locate extension info: ' + ext_expected_info['name'])
+      ext_actual_info = located_ext_info[0]
+      self.assertEqual(set(ext_expected_info['effective_host_permissions']),
+                       set(ext_actual_info['effective_host_permissions']),
+                       msg='Effective host permission info does not match for '
+                           'extension: ' + ext_expected_info['name'])
+      self.assertEqual(set(ext_expected_info['api_permissions']),
+                       set(ext_actual_info['api_permissions']),
+                       msg='API permission info does not match for '
+                           'extension: ' + ext_expected_info['name'])
+
+  def testComponentExtensionPermissions(self):
+    """Ensures component extension permissions are as expected."""
+    self._VerifyExtensionPermissions(self.COMPONENT_EXTENSION_BASELINE)

[Nirnimesh, 2011/06/03 18:30:28]

Should there be a count match somewhere?

[dennis_jeffrey, 2011/06/03 22:04:19]

Done.  This requires that I know which installed extensions are component
extensions.  I had to slightly modify the GetExtensionsInfo automation hook to
do it.

+
+  def testBundledCrxPermissions(self):
+    """Ensures bundled CRX permissions are as expected."""
+    # Verify that each bundled CRX on the device is expected, then install it.
+    bundled_crx_dir = os.path.abspath(
+        os.path.join('/', 'opt', 'google', 'chrome', 'extensions'))

[Nirnimesh, 2011/06/03 18:30:28]

This is one of the places where you don't want to use join()
Use the string instead: '/opt/goog/e/chrome/extensions'

[dennis_jeffrey, 2011/06/03 22:04:19]

Done.  What is the reason for this?

+    for file_name in os.listdir(bundled_crx_dir):
+      if file_name.endswith('.crx'):
+        self.assertTrue(
+            file_name in [x['crx_file'] for x in self.BUNDLED_CRX_BASELINE],
+            msg='Unexpected CRX file: ' + file_name)
+        crx_file = pyauto.FilePath(
+            os.path.abspath(os.path.join('/', 'opt', 'google', 'chrome',
+                                         'extensions', file_name)))
+        self.assertTrue(self.InstallExtension(crx_file, False),
+                        msg='Extension install failed.')

[Nirnimesh, 2011/06/03 18:30:28]

add: |crx_file| in the mesg

[dennis_jeffrey, 2011/06/03 22:04:19]

Done.

+
+    # Verify that the permissions information in the baseline matches the
+    # permissions associated with the installed bundled CRX extensions.
+    self._VerifyExtensionPermissions(self.BUNDLED_CRX_BASELINE)
+
+  def testNoUnexpectedExtensions(self):
+    """Ensures there are no unexpected bundled or component extensions."""
+    # Install all bundled extensions on the device.
+    bundled_crx_dir = os.path.abspath(
+        os.path.join('/', 'opt', 'google', 'chrome', 'extensions'))
+    for file_name in os.listdir(bundled_crx_dir):
+      if file_name.endswith('.crx'):
+        crx_file = pyauto.FilePath(
+            os.path.abspath(os.path.join('/', 'opt', 'google', 'chrome',
+                                         'extensions', file_name)))
+        self.assertTrue(self.InstallExtension(crx_file, False),
+                        msg='Extension install failed.')
+
+    # Ensure that the set of installed extension names precisely matches the
+    # baseline.
+    expected_names = [ext['name'] for ext in self.COMPONENT_EXTENSION_BASELINE]
+    expected_names.extend([ext['name'] for ext in self.BUNDLED_CRX_BASELINE])
+    ext_actual_info = self.GetExtensionsInfo()
+    installed_names = [ext['name'] for ext in ext_actual_info]
+    self.assertEqual(set(expected_names), set(installed_names),
+                     msg='Installed extension names do not match baseline:\n'
+                         'Installed extensions: %s\n'
+                         'Expected extensions: %s' % (installed_names,
+                                                      expected_names))
 
 if __name__ == '__main__':
   pyauto_functional.Main()