Add an experimental permissions API for extensions.

chrome/browser/extensions/extension_service.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/extension_service.h"
 
 #include <algorithm>
 #include <set>
 
 #include "base/basictypes.h"
@@ skipping 534 matching lines @@
     : weak_ptr_factory_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       method_factory_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       profile_(profile),
       extension_prefs_(extension_prefs),
       pending_extension_manager_(*ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       install_directory_(install_directory),
       extensions_enabled_(extensions_enabled),
       show_extensions_prompts_(true),
       ready_(false),
       toolbar_model_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
+      permissions_manager_(ALLOW_THIS_IN_INITIALIZER_LIST(this)),
       apps_promo_(profile->GetPrefs()),
       event_routers_initialized_(false) {
   CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   // Figure out if extension installation should be enabled.
   if (command_line->HasSwitch(switches::kDisableExtensions)) {
     extensions_enabled_ = false;
   } else if (profile->GetPrefs()->GetBoolean(prefs::kDisableExtensions)) {
     extensions_enabled_ = false;
   }
@@ skipping 402 matching lines @@
                      extension);
     terminated_extensions_.erase(iter);
   }
 
   NotifyExtensionUnloaded(extension, UnloadedExtensionInfo::DISABLE);
 }
 
 void ExtensionService::GrantPermissions(const Extension* extension) {
   CHECK(extension);
 
-  // We only maintain the granted permissions prefs for INTERNAL extensions.
-  CHECK_EQ(Extension::INTERNAL, extension->location());
+  // We only maintain the granted permissions prefs for extensions that can't
+  // silently increase their permissions.
+  if (extension->CanSilentlyIncreasePermissions())
+    return;
 
   extension_prefs_->AddGrantedPermissions(extension->id(),
-                                          extension->permission_set());
+                                          extension->GetActivePermissions());
 }
 
 void ExtensionService::GrantPermissionsAndEnableExtension(
     const Extension* extension) {
   CHECK(extension);
   RecordPermissionMessagesHistogram(
       extension, "Extensions.Permissions_ReEnable");
   GrantPermissions(extension);
   extension_prefs_->SetDidExtensionEscalatePermissions(extension, false);
   EnableExtension(extension->id());
 }
 
+void ExtensionService::UpdateActivePermissions(
+    const Extension* extension,
+    const ExtensionPermissionSet* permissions) {
+  extension_prefs()->SetActivePermissions(extension->id(), permissions);
+  extension->SetActivePermissions(permissions);
+}
+
 void ExtensionService::LoadExtension(const FilePath& extension_path) {
   BrowserThread::PostTask(BrowserThread::FILE, FROM_HERE,
       NewRunnableMethod(backend_.get(),
                         &ExtensionServiceBackend::LoadSingleExtension,
                         extension_path, true));
 }
 
 void ExtensionService::LoadExtensionFromCommandLine(
     const FilePath& path_in) {
 
@@ skipping 345 matching lines @@
       Source<Profile>(profile_),
       Details<const Extension>(extension));
 
   // Tell renderers about the new extension.
   for (RenderProcessHost::iterator i(RenderProcessHost::AllHostsIterator());
        !i.IsAtEnd(); i.Advance()) {
     RenderProcessHost* host = i.GetCurrentValue();
     if (host->profile()->GetOriginalProfile() ==
         profile_->GetOriginalProfile()) {
       host->Send(
-          new ExtensionMsg_Loaded(ExtensionMsg_Loaded_Params(extension)));
+          new ExtensionMsg_Loaded(ExtensionMsg_Loaded_Params(
+              extension, extension->GetActivePermissions())));
     }
   }
 
   // Tell a random-ass collection of other subsystems about the new extension.
   // TODO(aa): What should we do with all this goop? Can it move into the
   // relevant objects via EXTENSION_LOADED?
 
   profile_->GetExtensionSpecialStoragePolicy()->
       GrantRightsForExtension(extension);
 
@@ skipping 587 matching lines @@
 
   // If a terminated extension is loaded, remove it from the terminated list.
   UntrackTerminatedExtension(extension->id());
 
   // If the extension was disabled for a reload, then enable it.
   if (disabled_extension_paths_.erase(extension->id()) > 0)
     EnableExtension(extension->id());
 
   // Check if the extension's privileges have changed and disable the
   // extension if necessary.
-  DisableIfPrivilegeIncrease(extension);
+  InitializePermissions(extension);
 
   bool disabled = Extension::UserMayDisable(extension->location()) &&
       extension_prefs_->GetExtensionState(extension->id()) ==
           Extension::DISABLED;
   if (disabled) {
     disabled_extensions_.push_back(scoped_extension);
     // TODO(aa): This seems dodgy. It seems that AddExtension() could get called
     // with a disabled extension for other reasons other than that an update was
     // disabled.
     NotificationService::current()->Notify(
         chrome::NOTIFICATION_EXTENSION_UPDATE_DISABLED,
         Source<Profile>(profile_),
         Details<const Extension>(extension));
     return;
   }
 
   extensions_.push_back(scoped_extension);
   NotifyExtensionLoaded(extension);
 }
 
-void ExtensionService::DisableIfPrivilegeIncrease(const Extension* extension) {
+void ExtensionService::InitializePermissions(const Extension* extension) {
+  // If the extension has used the optional permissions API, it will have a
+  // custom set of active permissions defined in the extension prefs. Here,
+  // we update the extension's active permissions based on the prefs.
+  scoped_refptr<ExtensionPermissionSet> active_permissions =
+      extension_prefs()->GetActivePermissions(extension->id());
+
+  if (active_permissions.get()) {
+    // We restrict the active permissions to be within the bounds defined in the
+    // extension's manifest.
+    //  a) active permissions must be a subset of optional + default permissions
+    //  b) active permissions must contains all default permissions
+    scoped_refptr<ExtensionPermissionSet> total_permissions =
+        ExtensionPermissionSet::CreateUnion(
+            extension->required_permission_set(),
+            extension->optional_permission_set());
+
+    // Make sure the active permissions contain no more than optional + default.
+    scoped_refptr<ExtensionPermissionSet> adjusted_active =
+        ExtensionPermissionSet::CreateIntersection(
+            total_permissions.get(), active_permissions.get());
+
+    // Make sure the active permissions contain the default permissions.
+    adjusted_active = ExtensionPermissionSet::CreateUnion(
+            extension->required_permission_set(), adjusted_active.get());
+
+    UpdateActivePermissions(extension, adjusted_active);
+  }
+
   // We keep track of all permissions the user has granted each extension.
   // This allows extensions to gracefully support backwards compatibility
   // by including unknown permissions in their manifests. When the user
   // installs the extension, only the recognized permissions are recorded.
   // When the unknown permissions become recognized (e.g., through browser
   // upgrade), we can prompt the user to accept these new permissions.
   // Extensions can also silently upgrade to less permissions, and then
   // silently upgrade to a version that adds these permissions back.
   //
   // For example, pretend that Chrome 10 includes a permission "omnibox"
   // for an API that adds suggestions to the omnibox. An extension can
   // maintain backwards compatibility while still having "omnibox" in the
   // manifest. If a user installs the extension on Chrome 9, the browser
   // will record the permissions it recognized, not including "omnibox."
   // When upgrading to Chrome 10, "omnibox" will be recognized and Chrome
   // will disable the extension and prompt the user to approve the increase
   // in privileges. The extension could then release a new version that
   // removes the "omnibox" permission. When the user upgrades, Chrome will
   // still remember that "omnibox" had been granted, so that if the
   // extension once again includes "omnibox" in an upgrade, the extension
   // can upgrade without requiring this user's approval.
   const Extension* old = GetExtensionByIdInternal(extension->id(),
                                                   true, true, false);
   bool is_extension_upgrade = old != NULL;
   bool is_privilege_increase = false;
 
-  // We only record the granted permissions for INTERNAL extensions, since
-  // they can't silently increase privileges.
-  if (extension->location() == Extension::INTERNAL) {
+  // We only need to compare the granted permissions to the current permissions
+  // if the extension is not allowed to silently increase its permissions.
+  if (!extension->CanSilentlyIncreasePermissions()) {
     // Add all the recognized permissions if the granted permissions list
     // hasn't been initialized yet.
-    scoped_ptr<ExtensionPermissionSet> granted_permissions(
-        extension_prefs_->GetGrantedPermissions(extension->id()));
+    scoped_refptr<ExtensionPermissionSet> granted_permissions =
+        extension_prefs_->GetGrantedPermissions(extension->id());
     CHECK(granted_permissions.get());
 
     // Here, we check if an extension's privileges have increased in a manner
     // that requires the user's approval. This could occur because the browser
     // upgraded and recognized additional privileges, or an extension upgrades
     // to a version that requires additional privileges.
     is_privilege_increase =
-        granted_permissions->HasLessPrivilegesThan(extension->permission_set());
+        granted_permissions->HasLessPrivilegesThan(
+            extension->GetActivePermissions());
   }
 
   if (is_extension_upgrade) {
     // Other than for unpacked extensions, CrxInstaller should have guaranteed
     // that we aren't downgrading.
     if (extension->location() != Extension::LOAD)
       CHECK(extension->version()->CompareTo(*(old->version())) >= 0);
 
     // Extensions get upgraded if the privileges are allowed to increase or
     // the privileges haven't increased.
@@ skipping 331 matching lines @@
       process->Send(new ExtensionMsg_SetFunctionNames(function_names));
 
       // Scripting whitelist. This is modified by tests and must be communicated
       // to renderers.
       process->Send(new ExtensionMsg_SetScriptingWhitelist(
           *Extension::GetScriptingWhitelist()));
 
       // Loaded extensions.
       for (size_t i = 0; i < extensions_.size(); ++i) {
         process->Send(new ExtensionMsg_Loaded(
-            ExtensionMsg_Loaded_Params(extensions_[i])));
+            ExtensionMsg_Loaded_Params(
+                extensions_[i], extensions_[i]->GetActivePermissions())));
       }
       break;
     }
     case content::NOTIFICATION_RENDERER_PROCESS_TERMINATED: {
       RenderProcessHost* process = Source<RenderProcessHost>(source).ptr();
       installed_app_hosts_.erase(process->id());
       break;
     }
     case chrome::NOTIFICATION_PREF_CHANGED: {
       std::string* pref_name = Details<std::string>(details).ptr();
@@ skipping 127 matching lines @@
 
 ExtensionService::NaClModuleInfoList::iterator
     ExtensionService::FindNaClModule(const GURL& url) {
   for (NaClModuleInfoList::iterator iter = nacl_module_list_.begin();
        iter != nacl_module_list_.end(); ++iter) {
     if (iter->url == url)
       return iter;
   }
   return nacl_module_list_.end();
 }