Allow trusted brokers to restrict connections for spawned applications to whitelisted applications …

mojo/shell/application_manager.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "mojo/shell/application_manager.h"
 
 #include "base/bind.h"
 #include "base/command_line.h"
 #include "base/logging.h"
 #include "base/macros.h"
@@ skipping 51 matching lines @@
   TerminateShellConnections();
   STLDeleteValues(&url_to_loader_);
   STLDeleteValues(&scheme_to_loader_);
 }
 
 void ApplicationManager::TerminateShellConnections() {
   STLDeleteValues(&identity_to_instance_);
 }
 
 void ApplicationManager::ConnectToApplication(
+    ApplicationInstance* originator,
     mojo::URLRequestPtr requested_url,
     const std::string& qualifier,
     const GURL& requestor_url,
     InterfaceRequest<ServiceProvider> services,
     ServiceProviderPtr exposed_services,
+    CapabilityFilterPtr filter,
     const base::Closure& on_application_end) {
   GURL requested_gurl(requested_url->url.To<std::string>());
   TRACE_EVENT_INSTANT1(
       "mojo_shell", "ApplicationManager::ConnectToApplication",
       TRACE_EVENT_SCOPE_THREAD, "requested_url", requested_gurl.spec());
   DCHECK(requested_gurl.is_valid());
 
   // We check both the mapped and resolved urls for existing instances because
   // external applications can be registered for the unresolved mojo:foo urls.
 
   GURL mapped_url = delegate_->ResolveMappings(requested_gurl);
-  if (ConnectToRunningApplication(mapped_url, qualifier, requestor_url,
-                                  &services, &exposed_services)) {
+  if (ConnectToRunningApplication(originator, mapped_url, qualifier,
+                                  requestor_url, &services,
+                                  &exposed_services, &filter)) {
     return;
   }
 
   GURL resolved_url = delegate_->ResolveMojoURL(mapped_url);
-  if (ConnectToRunningApplication(resolved_url, qualifier, requestor_url,
-                                  &services, &exposed_services)) {
+  if (ConnectToRunningApplication(originator, resolved_url, qualifier,
+                                  requestor_url, &services,
+                                  &exposed_services, &filter)) {
     return;
   }
 
   // The application is not running, let's compute the parameters.
   if (ConnectToApplicationWithLoader(
-          requested_gurl, qualifier, mapped_url, requestor_url, &services,
-          &exposed_services, on_application_end, GetLoaderForURL(mapped_url))) {
+          originator, requested_gurl, qualifier, mapped_url, requestor_url,
+          &services, &exposed_services, &filter, on_application_end,
+          GetLoaderForURL(mapped_url))) {
     return;
   }
 
   if (ConnectToApplicationWithLoader(
-          requested_gurl, qualifier, resolved_url, requestor_url, &services,
-          &exposed_services, on_application_end,
+          originator, requested_gurl, qualifier, resolved_url, requestor_url,
+          &services, &exposed_services, &filter, on_application_end,
           GetLoaderForURL(resolved_url))) {
     return;
   }
 
   if (ConnectToApplicationWithLoader(
-          requested_gurl, qualifier, resolved_url, requestor_url, &services,
-          &exposed_services, on_application_end, default_loader_.get())) {
+          originator, requested_gurl, qualifier, resolved_url, requestor_url,
+          &services, &exposed_services, &filter, on_application_end,
+          default_loader_.get())) {
     return;
   }
 
   auto callback = base::Bind(
       &ApplicationManager::HandleFetchCallback, weak_ptr_factory_.GetWeakPtr(),
-      requested_gurl, qualifier, requestor_url, base::Passed(services.Pass()),
-      base::Passed(exposed_services.Pass()), on_application_end);
+      originator, requested_gurl, qualifier, requestor_url,
+      base::Passed(services.Pass()), base::Passed(exposed_services.Pass()),
+      base::Passed(filter.Pass()),
+      on_application_end);
 
   if (delegate_->CreateFetcher(
           resolved_url,
           base::Bind(callback, NativeApplicationCleanup::DONT_DELETE))) {
     return;
   }
 
   if (resolved_url.SchemeIsFile()) {
     new LocalFetcher(
         resolved_url, GetBaseURLAndQuery(resolved_url, nullptr),
@@ skipping 28 matching lines @@
                        url_loader_factory_.get(),
                        base::Bind(callback, cleanup));
     return;
   }
 
   new NetworkFetcher(disable_cache_, requested_url.Pass(),
                      url_loader_factory_.get(), base::Bind(callback, cleanup));
 }
 
 bool ApplicationManager::ConnectToRunningApplication(
+    ApplicationInstance* originator,
     const GURL& resolved_url,
     const std::string& qualifier,
     const GURL& requestor_url,
     InterfaceRequest<ServiceProvider>* services,
-    ServiceProviderPtr* exposed_services) {
+    ServiceProviderPtr* exposed_services,
+    CapabilityFilterPtr* filter) {
   GURL application_url = GetBaseURLAndQuery(resolved_url, nullptr);
   ApplicationInstance* instance =
       GetApplicationInstance(application_url, qualifier);
   if (!instance)
     return false;
 
-  ConnectToClient(instance, resolved_url, requestor_url, services->Pass(),
-                  exposed_services->Pass());
+  instance->ConnectToClient(originator, resolved_url, requestor_url,
+                            services->Pass(), exposed_services->Pass(),
+                            filter->Pass());
   return true;
 }
 
 bool ApplicationManager::ConnectToApplicationWithLoader(
+    ApplicationInstance* originator,
     const GURL& requested_url,
     const std::string& qualifier,
     const GURL& resolved_url,
     const GURL& requestor_url,
     InterfaceRequest<ServiceProvider>* services,
     ServiceProviderPtr* exposed_services,
+    CapabilityFilterPtr* filter,
     const base::Closure& on_application_end,
     ApplicationLoader* loader) {
   if (!loader)
     return false;
 
   const GURL app_url =
       requested_url.SchemeIs("mojo") ? requested_url : resolved_url;
 
   loader->Load(
       resolved_url,
-      RegisterInstance(app_url, qualifier, requestor_url, services->Pass(),
-                       exposed_services->Pass(), on_application_end));
+      RegisterInstance(originator, app_url, qualifier, requestor_url,
+                       services->Pass(), exposed_services->Pass(),
+                       filter->Pass(), on_application_end));
   return true;
 }
 
 InterfaceRequest<Application> ApplicationManager::RegisterInstance(
+    ApplicationInstance* originator,
     const GURL& app_url,
     const std::string& qualifier,
     const GURL& requestor_url,
     InterfaceRequest<ServiceProvider> services,
     ServiceProviderPtr exposed_services,
+    CapabilityFilterPtr filter,
     const base::Closure& on_application_end) {
   Identity app_identity(app_url, qualifier);
 
   ApplicationPtr application;
   InterfaceRequest<Application> application_request = GetProxy(&application);
-  ApplicationInstance* instance = new ApplicationInstance(application.Pass(),
-                                                          this,
-                                                          app_identity,
-                                                          on_application_end);
+  ApplicationInstance::CapabilityFilter capability_filter;
+  if (!filter.is_null()) {
+    capability_filter =
+        filter->filter.To<ApplicationInstance::CapabilityFilter>();
+  }
+  ApplicationInstance* instance = new ApplicationInstance(
+      application.Pass(), this, app_identity, capability_filter,
+      on_application_end);
   identity_to_instance_[app_identity] = instance;
   instance->InitializeApplication();
-  ConnectToClient(instance, app_url, requestor_url, services.Pass(),
-                  exposed_services.Pass());
+  instance->ConnectToClient(originator, app_url, requestor_url, services.Pass(),
+                            exposed_services.Pass(), filter.Pass());
   return application_request.Pass();
 }
 
 ApplicationInstance* ApplicationManager::GetApplicationInstance(
     const GURL& url,
     const std::string& qualifier) {
   const auto& instance_it =
       identity_to_instance_.find(Identity(url, qualifier));
   if (instance_it != identity_to_instance_.end())
     return instance_it->second;
   return nullptr;
 }
 
-void ApplicationManager::ConnectToClient(
-    ApplicationInstance* instance,
-    const GURL& resolved_url,
-    const GURL& requestor_url,
-    InterfaceRequest<ServiceProvider> services,
-    ServiceProviderPtr exposed_services) {
-  instance->ConnectToClient(resolved_url, requestor_url, services.Pass(),
-                            exposed_services.Pass());
-}
-
 void ApplicationManager::HandleFetchCallback(
+    ApplicationInstance* originator,
     const GURL& requested_url,
     const std::string& qualifier,
     const GURL& requestor_url,
     InterfaceRequest<ServiceProvider> services,
     ServiceProviderPtr exposed_services,
+    CapabilityFilterPtr filter,
     const base::Closure& on_application_end,
     NativeApplicationCleanup cleanup,
     scoped_ptr<Fetcher> fetcher) {
   if (!fetcher) {
     // Network error. Drop |application_request| to tell requestor.
     return;
   }
 
   GURL redirect_url = fetcher->GetRedirectURL();
   if (!redirect_url.is_empty()) {
     // And around we go again... Whee!
     // TODO(sky): this loses |requested_url|.
     mojo::URLRequestPtr request(mojo::URLRequest::New());
     request->url = mojo::String::From(redirect_url.spec());
     HttpHeaderPtr header = HttpHeader::New();
     header->name = "Referer";
     header->value = fetcher->GetRedirectReferer().spec();
     request->headers.push_back(header.Pass());
-    ConnectToApplication(request.Pass(), qualifier, requestor_url,
-                         services.Pass(), exposed_services.Pass(),
+    ConnectToApplication(originator, request.Pass(), qualifier, requestor_url,
+                         services.Pass(), exposed_services.Pass(), nullptr,
                          on_application_end);
     return;
   }
 
   // We already checked if the application was running before we fetched it, but
   // it might have started while the fetch was outstanding. We don't want to
   // have two copies of the app running, so check again.
   //
   // Also, it's possible the original URL was redirected to an app that is
   // already running.
-  if (ConnectToRunningApplication(requested_url, qualifier, requestor_url,
-                                  &services, &exposed_services)) {
+  if (ConnectToRunningApplication(originator, requested_url, qualifier,
+                                  requestor_url, &services,
+                                  &exposed_services, &filter)) {
     return;
   }
 
   const GURL app_url =
       requested_url.scheme() == "mojo" ? requested_url : fetcher->GetURL();
 
   InterfaceRequest<Application> request(
-      RegisterInstance(app_url, qualifier, requestor_url, services.Pass(),
-                       exposed_services.Pass(), on_application_end));
+      RegisterInstance(originator, app_url, qualifier, requestor_url,
+                       services.Pass(), exposed_services.Pass(), filter.Pass(),
+                       on_application_end));
 
   // For resources that are loaded with content handlers, we group app instances
   // by site.
 
   // If the response begins with a #!mojo <content-handler-url>, use it.
   GURL content_handler_url;
   std::string shebang;
   bool enable_multi_process = base::CommandLine::ForCurrentProcess()->HasSwitch(
       switches::kEnableMultiprocess);
 
@@ skipping 188 matching lines @@
 void ApplicationManager::OnContentHandlerConnectionClosed(
     ContentHandlerConnection* content_handler) {
   // Remove the mapping to the content handler.
   auto it = url_to_content_handler_.find(
       std::make_pair(content_handler->content_handler_url(),
                      content_handler->content_handler_qualifier()));
   DCHECK(it != url_to_content_handler_.end());
   url_to_content_handler_.erase(it);
 }
 
+void ApplicationManager::CleanupRunner(NativeRunner* runner) {
+  native_runners_.erase(
+      std::find(native_runners_.begin(), native_runners_.end(), runner));
+}
+
 ScopedMessagePipeHandle ApplicationManager::ConnectToServiceByName(
     const GURL& application_url,
     const std::string& interface_name) {
   ServiceProviderPtr services;
   mojo::URLRequestPtr request(mojo::URLRequest::New());
   request->url = mojo::String::From(application_url.spec());
-  ConnectToApplication(request.Pass(), std::string(), GURL(),
-                       GetProxy(&services), nullptr, base::Closure());
+  ConnectToApplication(NULL, request.Pass(), std::string(), GURL(),

[jam, 2015/07/22 19:47:40]

nit: nullptr

[yzshen1, 2015/07/22 22:26:47]

nit: please consider nullptr.

+                       GetProxy(&services), nullptr, nullptr, base::Closure());
   MessagePipe pipe;
   services->ConnectToService(interface_name, pipe.handle1.Pass());
   return pipe.handle0.Pass();
 }
 
-void ApplicationManager::CleanupRunner(NativeRunner* runner) {
-  native_runners_.erase(
-      std::find(native_runners_.begin(), native_runners_.end(), runner));
-}
-
 }  // namespace shell
 }  // namespace mojo