Lazily load extension API schemas

chrome/common/extensions/api/extension_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/extensions/api/extension_api.h"
 
 #include <algorithm>
 #include <string>
 #include <vector>
 
@@ skipping 18 matching lines @@
 using base::DictionaryValue;
 using base::ListValue;
 using base::Value;
 
 namespace extensions {
 
 using api::GeneratedSchemas;
 
 namespace {
 
+const char kUnavailableMessage[] = "You do not have permission to access this "
+                                   "API. Ensure that the required permission "
+                                   "or manifest property is included in your "
+                                   "manifest.json.";
 const char* kChildKinds[] = {
   "functions",
   "events"
 };
 
 // Returns true if |dict| has an unprivileged "true" property.
 bool IsUnprivileged(const DictionaryValue* dict) {
   bool unprivileged = false;
   return dict->GetBoolean("unprivileged", &unprivileged) && unprivileged;
 }
@@ skipping 174 matching lines @@
     // TODO(aa): Remove this code when all API descriptions have been updated.
     *feature_type = "api";
     *feature_name = full_name;
     return;
   }
 
   *feature_type = full_name.substr(0, colon_index);
   *feature_name = full_name.substr(colon_index + 1);
 }
 
+bool ExtensionAPI::UsesFeatureSystem(const std::string& full_name) {
+  std::string api_name = GetAPINameFromFullName(full_name, NULL);
+  return features_.find(api_name) != features_.end();
+}
+
 void ExtensionAPI::LoadSchema(const std::string& name,
                               const base::StringPiece& schema) {
   scoped_ptr<ListValue> schema_list(LoadSchemaList(name, schema));
   std::string schema_namespace;
 
   while (!schema_list->empty()) {
     DictionaryValue* schema = NULL;
     {
       Value* value = NULL;
       schema_list->Remove(schema_list->GetSize() - 1, &value);
       CHECK(value->IsType(Value::TYPE_DICTIONARY));
       schema = static_cast<DictionaryValue*>(value);
     }
 
     CHECK(schema->GetString("namespace", &schema_namespace));
     PrefixWithNamespace(schema_namespace, schema);
     schemas_[schema_namespace] = make_linked_ptr(schema);
     CHECK_EQ(1u, unloaded_schemas_.erase(schema_namespace));
 
     // Populate |{completely,partially}_unprivileged_apis_|.
-    //
+
     // For "partially", only need to look at functions/events; even though
     // there are unprivileged properties (e.g. in extensions), access to those
     // never reaches C++ land.
     bool unprivileged = false;
     if (schema->GetBoolean("unprivileged", &unprivileged) && unprivileged) {
       completely_unprivileged_apis_.insert(schema_namespace);
     } else if (HasUnprivilegedChild(schema, "functions") ||
                HasUnprivilegedChild(schema, "events") ||
                HasUnprivilegedChild(schema, "properties")) {
       partially_unprivileged_apis_.insert(schema_namespace);
     }
 
-    // Populate |url_matching_apis_|.
-    ListValue* matches = NULL;
-    if (schema->GetList("matches", &matches)) {
-      URLPatternSet pattern_set;
-      for (size_t i = 0; i < matches->GetSize(); ++i) {
-        std::string pattern;
-        CHECK(matches->GetString(i, &pattern));
-        pattern_set.AddPattern(
-            URLPattern(UserScript::ValidUserScriptSchemes(), pattern));
+    bool uses_feature_system = false;
+    schema->GetBoolean("uses_feature_system", &uses_feature_system);
+
+    if (!uses_feature_system) {
+      // Populate |url_matching_apis_|.
+      ListValue* matches = NULL;
+      if (schema->GetList("matches", &matches)) {
+        URLPatternSet pattern_set;
+        for (size_t i = 0; i < matches->GetSize(); ++i) {
+          std::string pattern;
+          CHECK(matches->GetString(i, &pattern));
+          pattern_set.AddPattern(
+              URLPattern(UserScript::ValidUserScriptSchemes(), pattern));
+        }
+        url_matching_apis_[schema_namespace] = pattern_set;
       }
-      url_matching_apis_[schema_namespace] = pattern_set;
+      continue;
     }
 
     // Populate feature maps.
     // TODO(aa): Consider not storing features that can never run on the current
     // machine (e.g., because of platform restrictions).
-    bool uses_feature_system = false;
-    schema->GetBoolean("uses_feature_system", &uses_feature_system);
-    if (!uses_feature_system)
-      continue;
-
     SimpleFeature* feature = new SimpleFeature();
     feature->set_name(schema_namespace);
     feature->Parse(schema);
 
     FeatureMap* schema_features = new FeatureMap();
     CHECK(features_.insert(
         std::make_pair(schema_namespace,
                        make_linked_ptr(schema_features))).second);
     CHECK(schema_features->insert(
         std::make_pair("", make_linked_ptr(feature))).second);
@@ skipping 104 matching lines @@
 void ExtensionAPI::RegisterSchema(const std::string& name,
                                   const base::StringPiece& source) {
   unloaded_schemas_[name] = source;
 }
 
 void ExtensionAPI::RegisterDependencyProvider(const std::string& name,
                                               FeatureProvider* provider) {
   dependency_providers_[name] = provider;
 }
 
-bool ExtensionAPI::IsAvailable(const std::string& full_name,
-                               const Extension* extension,
-                               Feature::Context context) {
+Feature::Availability ExtensionAPI::IsAvailable(const std::string& full_name,
+                                                const Extension* extension,
+                                                Feature::Context context,
+                                                const GURL& url) {
   std::set<std::string> dependency_names;
   dependency_names.insert(full_name);
   ResolveDependencies(&dependency_names);

[not at google - send to devlin, 2013/03/22 18:13:48]

as I mentioned in IRC - I think we can entirely get rid of the dependencies now
that we load types properly - dependency_names, ResolveDependencies, that
spurious looking for loop below (I guess you'd need to just collapse it). That
would be a *really* nice cleanup.

[cduvall, 2013/03/22 20:26:45]

Discussed in IRC, the loop is still needed because feature dependencies still
need to be checked.

-
   for (std::set<std::string>::iterator iter = dependency_names.begin();
        iter != dependency_names.end(); ++iter) {
+    ////////////////////////////////////////////////////////////////////////////
+    // TODO(cduvall): Take this out once all APIs have been converted to
+    // features.
+    std::string feature_type;
+    std::string feature_name;
+    SplitDependencyName(*iter, &feature_type, &feature_name);
+    if (feature_type == "api" && !UsesFeatureSystem(feature_name)) {
+      // Check the parent feature's availability if there are dependencies.
+      if (!IsNonFeatureAPIAvailable(full_name, context, extension, url))
+        return Feature::CreateAvailability(Feature::INVALID_CONTEXT,
+                                           kUnavailableMessage);
+      continue;
+    }
+    ////////////////////////////////////////////////////////////////////////////
+
+    // This seems wrong. The dependencies aren't checked, it just checks the
+    // parent feature again. Changing to check dependencies makes these fail:
+    // ExtensionApiTest.OptionalPermissionsGranted
+    // ExtensionApiTest.OptionalPermissionsAutoConfirm
+    // ExtensionApiTest.OptionalPermissionsDeny
+    //
+    // Checking dependencies would mean that some APIs, like chrome.bookmarks
+    // would now be required to be in the manifest permissions when they
+    // previously did not need to be (the bookmarks API has the
+    // permission:bookmarks dependency). This seems like it would break a lot
+    // of things.
     Feature* feature = GetFeatureDependency(full_name);
     CHECK(feature) << *iter;
 
     Feature::Availability availability =
-        feature->IsAvailableToContext(extension, context);
+        feature->IsAvailableToContext(extension, context, url);
     if (!availability.is_available())
-      return false;
+      return availability;
   }
 
-  return true;
+  return Feature::CreateAvailability(Feature::IS_AVAILABLE, "");
 }
 
 bool ExtensionAPI::IsPrivileged(const std::string& full_name) {
   std::string child_name;
   std::string api_name = GetAPINameFromFullName(full_name, &child_name);
 
   // First try to use the feature system.
   Feature* feature(GetFeature(full_name));
   if (feature) {
     // An API is 'privileged' if it or any of its dependencies can only be run
@@ skipping 77 matching lines @@
   if (extension.is_platform_app()) {
     for (size_t i = 0; i < arraysize(kDisallowedPlatformAppFeatures); ++i) {
       if (feature == kDisallowedPlatformAppFeatures[i])
         return false;
     }
   }
 
   return true;
 }
 
-// Removes APIs from |apis| that should not be allowed for |extension|.
-// TODO(kalman/asargent) - Make it possible to specify these rules
-// declaratively.
-void RemoveDisallowedAPIs(const Extension& extension,
-                          std::set<std::string>* apis) {
-  CHECK(apis);
-  std::set<std::string>::iterator i = apis->begin();
-  while (i != apis->end()) {
-    if (!IsFeatureAllowedForExtension(*i, extension)) {
-      apis->erase(i++);
-    } else {
-      ++i;
-    }
-  }
-}
-
 }  // namespace
 
-std::set<std::string> ExtensionAPI::GetAPIsForContext(
-    Feature::Context context, const Extension* extension, const GURL& url) {
-  // We're forced to load all schemas now because we need to know the metadata
-  // about every API -- and the metadata is stored in the schemas themselves.
-  // This is a shame.
-  // TODO(aa/kalman): store metadata in a separate file and don't load all
-  // schemas.
-  LoadAllSchemas();
-
-  std::set<std::string> temp_result;
-
-  // First handle all the APIs that have been converted to the feature system.
-  if (extension) {
-    for (APIFeatureMap::iterator iter = features_.begin();
-         iter != features_.end(); ++iter) {
-      if (IsAvailable(iter->first, extension, context))
-        temp_result.insert(iter->first);
-    }
-  }
-
-  // Second, fall back to the old way.
-  // TODO(aa): Remove this when all APIs have been converted.
+bool ExtensionAPI::IsNonFeatureAPIAvailable(const std::string& name,
+                                            Feature::Context context,
+                                            const Extension* extension,
+                                            const GURL& url) {
   switch (context) {
     case Feature::UNSPECIFIED_CONTEXT:
       break;
 
     case Feature::BLESSED_EXTENSION_CONTEXT:
       if (extension) {
         // Availability is determined by the permissions of the extension.
-        GetAllowedAPIs(extension, &temp_result);
-        ResolveDependencies(&temp_result);
-        RemoveDisallowedAPIs(*extension, &temp_result);
+        if (!IsAPIAllowed(name, extension))
+          return false;
+        if (!IsFeatureAllowedForExtension(name, *extension))
+          return false;
       }
       break;
 
     case Feature::UNBLESSED_EXTENSION_CONTEXT:
     case Feature::CONTENT_SCRIPT_CONTEXT:
       if (extension) {
         // Same as BLESSED_EXTENSION_CONTEXT, but only those APIs that are
         // unprivileged.
-        GetAllowedAPIs(extension, &temp_result);
-        // Resolving dependencies before removing unprivileged APIs means that
-        // some unprivileged APIs may have unrealised dependencies. Too bad!
-        ResolveDependencies(&temp_result);
-        RemovePrivilegedAPIs(&temp_result);
+        if (!IsAPIAllowed(name, extension))
+          return false;
+        if (!IsPrivilegedAPI(name))
+          return false;
       }
       break;
 
     case Feature::WEB_PAGE_CONTEXT:
+      if (!url_matching_apis_.count(name))
+        return false;
       if (url.is_valid()) {

[not at google - send to devlin, 2013/03/22 18:13:48]

This is subtly incorrect... if the url is invalid then this falls through and
ends up returning true.

However, I think that the reason the URL was invalid was something to do with it
not being set until after load? In which case I *think* that it's safe to CHECK
this now, since we're lazy. Perhaps that's one of the things that was blocking
us from converting to features properly?

Let's try a CHECK. if it starts crashing we can just cherry-pick a fix :)

[cduvall, 2013/03/22 20:26:45]

Done.

         // Availablility is determined by the url.
-        GetAPIsMatchingURL(url, &temp_result);
+        return url_matching_apis_[name].MatchesURL(url);
       }
       break;
   }
 
-  // Filter out all non-API features and remove the feature type part of the
-  // name.
-  std::set<std::string> result;
-  for (std::set<std::string>::iterator iter = temp_result.begin();
-       iter != temp_result.end(); ++iter) {
-    std::string feature_type;
-    std::string feature_name;
-    SplitDependencyName(*iter, &feature_type, &feature_name);
-    if (feature_type == "api")
-      result.insert(feature_name);
-  }
-
-  return result;
+  return true;
 }
 
 std::set<std::string> ExtensionAPI::GetAllAPINames() {
   std::set<std::string> result;
   for (SchemaMap::iterator i = schemas_.begin(); i != schemas_.end(); ++i)
     result.insert(i->first);
   for (UnloadedSchemaMap::iterator i = unloaded_schemas_.begin();
        i != unloaded_schemas_.end(); ++i) {
     result.insert(i->first);
   }
@@ skipping 68 matching lines @@
     if (last_dot_index == std::string::npos)
       break;
 
     api_name_candidate = api_name_candidate.substr(0, last_dot_index);
   }
 
   *child_name = "";
   return "";
 }
 
-void ExtensionAPI::GetAllowedAPIs(
-    const Extension* extension, std::set<std::string>* out) {
-  for (SchemaMap::const_iterator i = schemas_.begin(); i != schemas_.end();
-      ++i) {
-    if (features_.find(i->first) != features_.end()) {
-      // This API is controlled by the feature system. Nothing to do here.
-      continue;
-    }
-
-    if (extension->required_permission_set()->HasAnyAccessToAPI(i->first) ||
-        extension->optional_permission_set()->HasAnyAccessToAPI(i->first)) {
-      out->insert(i->first);
-    }
-  }
+bool ExtensionAPI::IsAPIAllowed(const std::string& name,
+                                const Extension* extension) {
+  return extension->required_permission_set()->HasAnyAccessToAPI(name) ||
+      extension->optional_permission_set()->HasAnyAccessToAPI(name);

[not at google - send to devlin, 2013/03/22 18:13:48]

Hum, this is interesting actually. Again, since we're injecting lazily, in
theory we can actually do this on demand. However, makes sense for a follow-up
patch.

 }
 
 void ExtensionAPI::ResolveDependencies(std::set<std::string>* out) {
   std::set<std::string> missing_dependencies;
   for (std::set<std::string>::iterator i = out->begin(); i != out->end(); ++i)
     GetMissingDependencies(*i, *out, &missing_dependencies);
 
   while (missing_dependencies.size()) {
     std::string next = *missing_dependencies.begin();
     missing_dependencies.erase(next);
@@ skipping 23 matching lines @@
 
   for (size_t i = 0; i < dependencies->GetSize(); ++i) {
     std::string dependency_name;
     if (dependencies->GetString(i, &dependency_name) &&
         !excluding.count(dependency_name)) {
       out->insert(dependency_name);
     }
   }
 }
 
-void ExtensionAPI::RemovePrivilegedAPIs(std::set<std::string>* apis) {
-  std::set<std::string> privileged_apis;
-  for (std::set<std::string>::iterator i = apis->begin(); i != apis->end();
-      ++i) {
-    if (!completely_unprivileged_apis_.count(*i) &&
-        !partially_unprivileged_apis_.count(*i)) {
-      privileged_apis.insert(*i);
-    }
-  }
-  for (std::set<std::string>::iterator i = privileged_apis.begin();
-      i != privileged_apis.end(); ++i) {
-    apis->erase(*i);
-  }
-}
-
-void ExtensionAPI::GetAPIsMatchingURL(const GURL& url,
-                                      std::set<std::string>* out) {
-  for (std::map<std::string, URLPatternSet>::const_iterator i =
-      url_matching_apis_.begin(); i != url_matching_apis_.end(); ++i) {
-    if (features_.find(i->first) != features_.end()) {
-      // This API is controlled by the feature system. Nothing to do.
-      continue;
-    }
-
-    if (i->second.MatchesURL(url))
-      out->insert(i->first);
-  }
-}
-
-void ExtensionAPI::LoadAllSchemas() {
-  while (unloaded_schemas_.size()) {
-    std::map<std::string, base::StringPiece>::iterator it =
-        unloaded_schemas_.begin();
-    LoadSchema(it->first, it->second);
-  }
+bool ExtensionAPI::IsPrivilegedAPI(const std::string& name) {
+  return completely_unprivileged_apis_.count(name) ||
+      partially_unprivileged_apis_.count(name);

[not at google - send to devlin, 2013/03/22 18:13:48]

another cleanup I'm looking forward to: not doing this.

 }
 
 }  // namespace extensions