Add an experimental permissions API for extensions.

chrome/browser/extensions/extension_service.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/extension_service.h"
 
 #include <algorithm>
 #include <set>
 
 #include "base/basictypes.h"
@@ skipping 534 matching lines @@
     : weak_ptr_factory_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       method_factory_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       profile_(profile),
       extension_prefs_(extension_prefs),
       pending_extension_manager_(*ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       install_directory_(install_directory),
       extensions_enabled_(extensions_enabled),
       show_extensions_prompts_(true),
       ready_(false),
       toolbar_model_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
+      permissions_manager_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       apps_promo_(profile->GetPrefs()),
       event_routers_initialized_(false) {
   CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   // Figure out if extension installation should be enabled.
   if (command_line->HasSwitch(switches::kDisableExtensions)) {
     extensions_enabled_ = false;
   } else if (profile->GetPrefs()->GetBoolean(prefs::kDisableExtensions)) {
     extensions_enabled_ = false;
   }
@@ skipping 402 matching lines @@
                      extension);
     terminated_extensions_.erase(iter);
   }
 
   NotifyExtensionUnloaded(extension, UnloadedExtensionInfo::DISABLE);
 }
 
 void ExtensionService::GrantPermissions(const Extension* extension) {
   CHECK(extension);
 
-  // We only maintain the granted permissions prefs for INTERNAL extensions.
-  CHECK_EQ(Extension::INTERNAL, extension->location());
+  // We only maintain the granted permissions prefs for INTERNAL extensions
+  // because the other types don't prompt the user at install & upgrade time.
+  if (extension->location() != Extension::INTERNAL)

[Mihai Parparita -not on Chrome, 2011/07/23 22:54:53]

Not seeing the Extension::CanSilentlyIncreasePermissions method that you said
you had added.

[jstritar, 2011/07/25 19:15:24]

Woops. Done.

+    return;
 
   extension_prefs_->AddGrantedPermissions(extension->id(),
-                                          extension->permission_set());
+                                          extension->GetActivePermissions());
 }
 
 void ExtensionService::GrantPermissionsAndEnableExtension(
     const Extension* extension) {
   CHECK(extension);
   RecordPermissionMessagesHistogram(
       extension, "Extensions.Permissions_ReEnable");
   GrantPermissions(extension);
   extension_prefs_->SetDidExtensionEscalatePermissions(extension, false);
   EnableExtension(extension->id());
 }
 
+void ExtensionService::UpdateActivePermissions(
+    const Extension* extension,
+    const ExtensionPermissionSet* permissions) {
+  extension_prefs()->SetActivePermissions(extension->id(), permissions);
+  extension->SetActivePermissions(permissions);
+}
+
 void ExtensionService::LoadExtension(const FilePath& extension_path) {
   BrowserThread::PostTask(BrowserThread::FILE, FROM_HERE,
       NewRunnableMethod(backend_.get(),
                         &ExtensionServiceBackend::LoadSingleExtension,
                         extension_path, true));
 }
 
 void ExtensionService::LoadExtensionFromCommandLine(
     const FilePath& path_in) {
 
@@ skipping 323 matching lines @@
       Source<Profile>(profile_),
       Details<const Extension>(extension));
 
   // Tell renderers about the new extension.
   for (RenderProcessHost::iterator i(RenderProcessHost::AllHostsIterator());
        !i.IsAtEnd(); i.Advance()) {
     RenderProcessHost* host = i.GetCurrentValue();
     if (host->profile()->GetOriginalProfile() ==
         profile_->GetOriginalProfile()) {
       host->Send(
-          new ExtensionMsg_Loaded(ExtensionMsg_Loaded_Params(extension)));
+          new ExtensionMsg_Loaded(ExtensionMsg_Loaded_Params(
+              extension, extension->GetActivePermissions())));
     }
   }
 
   // Tell a random-ass collection of other subsystems about the new extension.
   // TODO(aa): What should we do with all this goop? Can it move into the
   // relevant objects via EXTENSION_LOADED?
 
   profile_->GetExtensionSpecialStoragePolicy()->
       GrantRightsForExtension(extension);
 
@@ skipping 587 matching lines @@
 
   // If a terminated extension is loaded, remove it from the terminated list.
   UntrackTerminatedExtension(extension->id());
 
   // If the extension was disabled for a reload, then enable it.
   if (disabled_extension_paths_.erase(extension->id()) > 0)
     EnableExtension(extension->id());
 
   // Check if the extension's privileges have changed and disable the
   // extension if necessary.
-  DisableIfPrivilegeIncrease(extension);
+  InitializePermissions(extension);
 
   bool disabled = Extension::UserMayDisable(extension->location()) &&
       extension_prefs_->GetExtensionState(extension->id()) ==
           Extension::DISABLED;
   if (disabled) {
     disabled_extensions_.push_back(scoped_extension);
     // TODO(aa): This seems dodgy. It seems that AddExtension() could get called
     // with a disabled extension for other reasons other than that an update was
     // disabled.
     NotificationService::current()->Notify(
         chrome::NOTIFICATION_EXTENSION_UPDATE_DISABLED,
         Source<Profile>(profile_),
         Details<const Extension>(extension));
     return;
   }
 
   extensions_.push_back(scoped_extension);
   NotifyExtensionLoaded(extension);
 }
 
-void ExtensionService::DisableIfPrivilegeIncrease(const Extension* extension) {
+void ExtensionService::InitializePermissions(const Extension* extension) {
+  // If the extension has used the optional permissions API, it will have a
+  // custom set of active permissions defined in the extension prefs. Here,
+  // we update the extension's active permissions based on the prefs.
+  scoped_ptr<ExtensionPermissionSet> active_permissions(
+      extension_prefs()->GetActivePermissions(extension->id()));
+
+  if (active_permissions.get()) {
+    // We restrict the active permissions to be within the bounds defined in the
+    // extension's manifest.
+    //  a) active permissions must be a subset of optional + default permissions
+    //  b) active permissions must contains all default permissions
+    scoped_ptr<ExtensionPermissionSet> total_permissions(
+        ExtensionPermissionSet::CreateUnion(
+            extension->required_permission_set(),
+            extension->optional_permission_set()));
+
+    // Make sure the active permissions contain no more than optional + default.
+    scoped_ptr<ExtensionPermissionSet> adjusted_active(
+        ExtensionPermissionSet::CreateIntersection(
+            total_permissions.get(), active_permissions.get()));
+
+    // Make sure the active permissions contain the default permissions.
+    adjusted_active.reset(
+        ExtensionPermissionSet::CreateUnion(
+            extension->required_permission_set(), adjusted_active.get()));
+
+    UpdateActivePermissions(extension, adjusted_active.release());
+  }
+
   // We keep track of all permissions the user has granted each extension.
   // This allows extensions to gracefully support backwards compatibility
   // by including unknown permissions in their manifests. When the user
   // installs the extension, only the recognized permissions are recorded.
   // When the unknown permissions become recognized (e.g., through browser
   // upgrade), we can prompt the user to accept these new permissions.
   // Extensions can also silently upgrade to less permissions, and then
   // silently upgrade to a version that adds these permissions back.
   //
   // For example, pretend that Chrome 10 includes a permission "omnibox"
@@ skipping 20 matching lines @@
     // hasn't been initialized yet.
     scoped_ptr<ExtensionPermissionSet> granted_permissions(
         extension_prefs_->GetGrantedPermissions(extension->id()));
     CHECK(granted_permissions.get());
 
     // Here, we check if an extension's privileges have increased in a manner
     // that requires the user's approval. This could occur because the browser
     // upgraded and recognized additional privileges, or an extension upgrades
     // to a version that requires additional privileges.
     is_privilege_increase =
-        granted_permissions->HasLessPrivilegesThan(extension->permission_set());
+        granted_permissions->HasLessPrivilegesThan(
+            extension->GetActivePermissions());
   }
 
   if (is_extension_upgrade) {
     // Other than for unpacked extensions, CrxInstaller should have guaranteed
     // that we aren't downgrading.
     if (extension->location() != Extension::LOAD)
       CHECK(extension->version()->CompareTo(*(old->version())) >= 0);
 
     // Extensions get upgraded if the privileges are allowed to increase or
     // the privileges haven't increased.
@@ skipping 331 matching lines @@
       process->Send(new ExtensionMsg_SetFunctionNames(function_names));
 
       // Scripting whitelist. This is modified by tests and must be communicated
       // to renderers.
       process->Send(new ExtensionMsg_SetScriptingWhitelist(
           *Extension::GetScriptingWhitelist()));
 
       // Loaded extensions.
       for (size_t i = 0; i < extensions_.size(); ++i) {
         process->Send(new ExtensionMsg_Loaded(
-            ExtensionMsg_Loaded_Params(extensions_[i])));
+            ExtensionMsg_Loaded_Params(
+                extensions_[i], extensions_[i]->GetActivePermissions())));
       }
       break;
     }
     case content::NOTIFICATION_RENDERER_PROCESS_TERMINATED: {
       RenderProcessHost* process = Source<RenderProcessHost>(source).ptr();
       installed_app_hosts_.erase(process->id());
       break;
     }
     case chrome::NOTIFICATION_PREF_CHANGED: {
       std::string* pref_name = Details<std::string>(details).ptr();
@@ skipping 127 matching lines @@
 
 ExtensionService::NaClModuleInfoList::iterator
     ExtensionService::FindNaClModule(const GURL& url) {
   for (NaClModuleInfoList::iterator iter = nacl_module_list_.begin();
        iter != nacl_module_list_.end(); ++iter) {
     if (iter->url == url)
       return iter;
   }
   return nacl_module_list_.end();
 }