New security-related pyauto tests for Chrome on ChromeOS that verify extension permissions.

chrome/test/functional/chromeos_security.py

Index: chrome/test/functional/chromeos_security.py
diff --git a/chrome/test/functional/chromeos_security.py b/chrome/test/functional/chromeos_security.py
index d9cc3729fc4bda94f1b55420bf5dfdc3cc7b2a73..754257339872dbc5f68375cb32bd5018d4b3c6ac 100644
--- a/chrome/test/functional/chromeos_security.py
+++ b/chrome/test/functional/chromeos_security.py
@@ -14,9 +14,95 @@ class ChromeosSecurity(pyauto.PyUITest):
 
   Requires ChromeOS to be logged in.
   """
+  COMPONENT_EXTENSION_BASELINE = [

[Nirnimesh, 2011/06/03 18:30:28]

Are these the same on marios, alex and zgb?

[dennis_jeffrey, 2011/06/03 22:04:19]

I think so.  I'm getting this information from
ProfileImpl::RegisterComponentExtensions, which contains the logic for whether
different component extensions are registered or not (it checks whether we're on
ChromeOS, whether it's an official build, etc).  I didn't see anything that
would suggest differences based on ChromeOS board type.

+      { 'name': 'Bookmark Manager',
+        'effective_host_permissions': ['chrome://favicon/*',
+                                       'chrome://resources/*',],
+        'api_permissions': ['bookmarks',
+                            'tabs',
+                            'experimental',],
+      },
+      { 'name': 'File Manager',
+        'effective_host_permissions': ['chrome://extension-icon/*',
+                                       'chrome://resources/*',],
+        'api_permissions': ['fileBrowserHandler',
+                            'fileBrowserPrivate',
+                            'mediaPlayerPrivate',
+                            'unlimitedStorage',],
+      },
+      { 'name': 'Mobile Activation',
+        'effective_host_permissions': [],
+        'api_permissions': [],
+      },
+      { 'name': 'Chrome Web Store',
+        'effective_host_permissions': [],
+        'api_permissions': ['management',
+                            'webstorePrivate',],
+      },
+  ]
+
+  BUNDLED_CRX_BASELINE = [
+      { 'crx_file': 'aciahcmjmecflokailenpkdchphgkefd.crx',
+        'name': 'Entanglement',
+        'effective_host_permissions': [],
+        'api_permissions': ['unlimitedStorage',],
+      },
+      { 'crx_file': 'apdfllckaahabafndbhieahigkjlhalf.crx',
+        'name': 'Google Docs',
+        'effective_host_permissions': [],
+        'api_permissions': ['unlimitedStorage',],
+      },
+      { 'crx_file': 'blpcfgokakmgnkcojhhkbfbldkacnbeo.crx',
+        'name': 'YouTube',
+        'effective_host_permissions': [],
+        'api_permissions': [],
+      },
+      { 'crx_file': 'ejjicmeblgpmajnghnpcppodonldlgfn.crx',
+        'name': 'Google Calendar',
+        'effective_host_permissions': [],
+        'api_permissions': ['notifications',
+                            'unlimitedStorage',],
+      },
+      { 'crx_file': 'hpfomeedmekonipambfkmjfacahlngjd.crx',
+        'name': 'Picasa Uploader',
+        'effective_host_permissions': ['*://www.google.com/*',
+                                       'https://picasaweb.google.com/*',],
+        'api_permissions': ['contextMenus',
+                            'fileBrowserHandler',
+                            'notifications',
+                            'tabs',],
+      },
+      { 'crx_file': 'kjebfhglflhjjjiceimfkgicifkhjlnm.crx',
+        'name': 'Scratchpad',
+        'effective_host_permissions': ['https://docs.google.com/*',
+                                       'https://www.google.com/*',],
+        'api_permissions': ['tabs',],
+      },
+      { 'crx_file': 'nckgahadagoaajjgafhacjanaoiihapd.crx',
+        'name': 'Google Talk',
+        'effective_host_permissions': ['*://mail.google.com/*',
+                                       '*://talkgadget.google.com/*',],
+        'api_permissions': ['tabs',],
+      },
+      { 'crx_file': 'pjkljhegncpnkpknbcohdijeoejaedia.crx',
+        'name': 'Gmail',
+        'effective_host_permissions': [],
+        'api_permissions': ['notifications',],
+      },
+  ]
+
+  def setUp(self):
+    pyauto.PyUITest.setUp(self)
+    if self.GetBrowserInfo()['properties']['is_official']:
+      self.COMPONENT_EXTENSION_BASELINE.append(
+          { 'name': 'Help',
+            'effective_host_permissions': ['*://www.google.com/*',],
+            'api_permissions': ['chromeosInfoPrivate',
+                                'tabs',],
+          })
 
   def ExtraChromeFlagsOnChromeOS(self):
-    """Override default list of extra flags typicall used with automation.
+    """Override default list of extra flags typically used with automation.
 
     See the default flags used with automation in pyauto.py.
     Chrome flags for this test should be as close to reality as possible.
@@ -37,6 +123,72 @@ class ChromeosSecurity(pyauto.PyUITest):
       self.assertNotEqual(title, self.GetActiveTabTitle(),
           msg='Could access local file %s.' % url)
 
+  def _VerifyExtensionPermissions(self, baseline):
+    full_ext_actual_info = self.GetExtensionsInfo()
+    for ext_expected_info in baseline:
+      located_ext_info = [info for info in full_ext_actual_info if
+                          info['name'] == ext_expected_info['name']]
+      self.assertTrue(
+          located_ext_info,
+          msg='Cannot locate extension info: ' + ext_expected_info['name'])
+      ext_actual_info = located_ext_info[0]
+      self.assertEqual(set(ext_expected_info['effective_host_permissions']),
+                       set(ext_actual_info['effective_host_permissions']),
+                       msg='Effective host permission info does not match for '
+                           'extension: ' + ext_expected_info['name'])
+      self.assertEqual(set(ext_expected_info['api_permissions']),
+                       set(ext_actual_info['api_permissions']),
+                       msg='API permission info does not match for '
+                           'extension: ' + ext_expected_info['name'])
+
+  def testComponentExtensionPermissions(self):
+    """Ensures component extension permissions are as expected."""
+    self._VerifyExtensionPermissions(self.COMPONENT_EXTENSION_BASELINE)

[Nirnimesh, 2011/06/03 18:30:28]

Should there be a count match somewhere?

[dennis_jeffrey, 2011/06/03 22:04:19]

Done.  This requires that I know which installed extensions are component
extensions.  I had to slightly modify the GetExtensionsInfo automation hook to
do it.

+
+  def testBundledCrxPermissions(self):
+    """Ensures bundled CRX permissions are as expected."""
+    # Verify that each bundled CRX on the device is expected, then install it.
+    bundled_crx_dir = os.path.abspath(
+        os.path.join('/', 'opt', 'google', 'chrome', 'extensions'))

[Nirnimesh, 2011/06/03 18:30:28]

This is one of the places where you don't want to use join()
Use the string instead: '/opt/goog/e/chrome/extensions'

[dennis_jeffrey, 2011/06/03 22:04:19]

Done.  What is the reason for this?

+    for file_name in os.listdir(bundled_crx_dir):
+      if file_name.endswith('.crx'):
+        self.assertTrue(
+            file_name in [x['crx_file'] for x in self.BUNDLED_CRX_BASELINE],
+            msg='Unexpected CRX file: ' + file_name)
+        crx_file = pyauto.FilePath(
+            os.path.abspath(os.path.join('/', 'opt', 'google', 'chrome',
+                                         'extensions', file_name)))
+        self.assertTrue(self.InstallExtension(crx_file, False),
+                        msg='Extension install failed.')

[Nirnimesh, 2011/06/03 18:30:28]

add: |crx_file| in the mesg

[dennis_jeffrey, 2011/06/03 22:04:19]

Done.

+
+    # Verify that the permissions information in the baseline matches the
+    # permissions associated with the installed bundled CRX extensions.
+    self._VerifyExtensionPermissions(self.BUNDLED_CRX_BASELINE)
+
+  def testNoUnexpectedExtensions(self):
+    """Ensures there are no unexpected bundled or component extensions."""
+    # Install all bundled extensions on the device.
+    bundled_crx_dir = os.path.abspath(
+        os.path.join('/', 'opt', 'google', 'chrome', 'extensions'))
+    for file_name in os.listdir(bundled_crx_dir):
+      if file_name.endswith('.crx'):
+        crx_file = pyauto.FilePath(
+            os.path.abspath(os.path.join('/', 'opt', 'google', 'chrome',
+                                         'extensions', file_name)))
+        self.assertTrue(self.InstallExtension(crx_file, False),
+                        msg='Extension install failed.')
+
+    # Ensure that the set of installed extension names precisely matches the
+    # baseline.
+    expected_names = [ext['name'] for ext in self.COMPONENT_EXTENSION_BASELINE]
+    expected_names.extend([ext['name'] for ext in self.BUNDLED_CRX_BASELINE])
+    ext_actual_info = self.GetExtensionsInfo()
+    installed_names = [ext['name'] for ext in ext_actual_info]
+    self.assertEqual(set(expected_names), set(installed_names),
+                     msg='Installed extension names do not match baseline:\n'
+                         'Installed extensions: %s\n'
+                         'Expected extensions: %s' % (installed_names,
+                                                      expected_names))
 
 if __name__ == '__main__':
   pyauto_functional.Main()