Enable WebContents elevation for managed users.

chrome/browser/ui/webui/extensions/extension_settings_handler.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/extensions/extension_settings_handler.h"
 
 #include "base/auto_reset.h"
 #include "base/base64.h"
 #include "base/bind.h"
 #include "base/bind_helpers.h"
@@ skipping 14 matching lines @@
 #include "chrome/browser/extensions/extension_host.h"
 #include "chrome/browser/extensions/extension_service.h"
 #include "chrome/browser/extensions/extension_system.h"
 #include "chrome/browser/extensions/extension_warning_set.h"
 #include "chrome/browser/extensions/lazy_background_task_queue.h"
 #include "chrome/browser/extensions/management_policy.h"
 #include "chrome/browser/extensions/shell_window_registry.h"
 #include "chrome/browser/extensions/unpacked_installer.h"
 #include "chrome/browser/extensions/updater/extension_updater.h"
 #include "chrome/browser/google/google_util.h"
+#include "chrome/browser/managed_mode/managed_mode_navigation_observer.h"
 #include "chrome/browser/managed_mode/managed_user_service.h"
 #include "chrome/browser/managed_mode/managed_user_service_factory.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/tab_contents/background_contents.h"
 #include "chrome/browser/ui/browser_finder.h"
 #include "chrome/browser/ui/chrome_select_file_policy.h"
 #include "chrome/browser/ui/extensions/application_launch.h"
 #include "chrome/browser/ui/extensions/shell_window.h"
 #include "chrome/browser/ui/webui/extensions/extension_icon_source.h"
 #include "chrome/browser/view_type_utils.h"
@@ skipping 30 matching lines @@
 
 
 using content::RenderViewHost;
 using content::WebContents;
 using extensions::Extension;
 using extensions::ExtensionUpdater;
 using extensions::ExtensionWarning;
 using extensions::ManagementPolicy;
 using extensions::Manifest;
 
+namespace {

[Bernhard Bauer, 2013/03/27 16:23:13]

Nit: newline

+// Used to allow managed users to install extensions if they are currently in
+// elevated state.
+class ScopedExtensionElevation {
+ public:
+  ScopedExtensionElevation(ManagedUserService* service,
+                           std::string extension_id);
+  ~ScopedExtensionElevation();
+
+ private:
+  ManagedUserService* service_;
+  std::string extension_id_;

[Bernhard Bauer, 2013/03/27 16:23:13]

You could have a vector of extension IDs and a method that adds elevation for
one extension. I think that would make the interface slightly nicer.

[Adrian Kuegel, 2013/03/27 16:52:25]

Done.

+};
+
+ScopedExtensionElevation::ScopedExtensionElevation(ManagedUserService* service,
+                                                   std::string extension_id)
+    : service_(service), extension_id_(extension_id) {
+  service_->AddElevationForExtension(extension_id_);
+}
+
+ScopedExtensionElevation::~ScopedExtensionElevation() {
+  service_->RemoveElevationForExtension(extension_id_);
+}
+
+}  // namespace
+
 ///////////////////////////////////////////////////////////////////////////////
 //
 // ExtensionSettingsHandler
 //
 ///////////////////////////////////////////////////////////////////////////////
 
 ExtensionSettingsHandler::ExtensionSettingsHandler()
     : extension_service_(NULL),
       management_policy_(NULL),
       ignore_notifications_(false),
@@ skipping 29 matching lines @@
 
 DictionaryValue* ExtensionSettingsHandler::CreateExtensionDetailValue(
     const Extension* extension,
     const std::vector<ExtensionPage>& pages,
     const extensions::ExtensionWarningService* warning_service) {
   DictionaryValue* extension_data = new DictionaryValue();
   bool enabled = extension_service_->IsExtensionEnabled(extension->id());
   extension->GetBasicInfo(enabled, extension_data);
 
   extension_data->SetBoolean("userModifiable",
-      management_policy_->UserMayModifySettings(extension, NULL));
+      CheckUserMayModifySettings(extension));
 
   GURL icon =
       ExtensionIconSource::GetIconURL(extension,
                                       extension_misc::EXTENSION_ICON_MEDIUM,
                                       ExtensionIconSet::MATCH_BIGGER,
                                       !enabled, NULL);
   if (Manifest::IsUnpackedLocation(extension->location()))
     extension_data->SetString("path", extension->path().value());
   extension_data->SetString("icon", icon.spec());
   extension_data->SetBoolean("isUnpacked",
@@ skipping 402 matching lines @@
 
   for (std::vector<const Extension*>::iterator iter =
        unpacked_extensions.begin(); iter != unpacked_extensions.end(); ++iter) {
     extension_service_->ReloadExtension((*iter)->id());
   }
 }
 
 void ExtensionSettingsHandler::PassphraseDialogCallback(bool success) {
   if (!success)
     return;
-  Profile* profile = Profile::FromWebUI(web_ui());
-  ManagedUserServiceFactory::GetForProfile(profile)->SetElevated(true);
+  ManagedModeNavigationObserver* observer =
+      ManagedModeNavigationObserver::FromWebContents(
+          web_ui()->GetWebContents());
+  observer->set_elevated(true);
   HandleRequestExtensionsData(NULL);
 }
 
 void ExtensionSettingsHandler::ManagedUserSetElevated(const ListValue* args) {
   ManagedUserService* service = ManagedUserServiceFactory::GetForProfile(
       Profile::FromWebUI(web_ui()));
   bool elevated;
   CHECK(args->GetBoolean(0, &elevated));
   if (elevated) {
     service->RequestAuthorization(
         web_ui()->GetWebContents(),
         base::Bind(&ExtensionSettingsHandler::PassphraseDialogCallback,
                    base::Unretained(this)));
   } else {
-    service->SetElevated(false);
+    ManagedModeNavigationObserver* observer =
+        ManagedModeNavigationObserver::FromWebContents(
+            web_ui()->GetWebContents());
+    observer->set_elevated(false);
     HandleRequestExtensionsData(NULL);
   }
 }
 
+bool ExtensionSettingsHandler::CheckUserMayModifySettings(
+    const Extension* extension) {
+  ManagedUserService* service = ManagedUserServiceFactory::GetForProfile(
+      Profile::FromWebUI(web_ui()));
+  scoped_ptr<ScopedExtensionElevation> elevation;
+  if (service->ProfileIsManaged() &&
+      service->IsElevatedForWebContents(web_ui()->GetWebContents())) {
+    elevation.reset(new ScopedExtensionElevation(service, extension->id()));
+  }
+  return management_policy_->UserMayModifySettings(extension, NULL);
+}
+
 void ExtensionSettingsHandler::HandleRequestExtensionsData(
     const ListValue* args) {
   DictionaryValue results;
 
   Profile* profile = Profile::FromWebUI(web_ui());
 
   // Add the extensions to the results structure.
   ListValue *extensions_list = new ListValue();
 
   extensions::ExtensionWarningService* warnings =
@@ skipping 29 matching lines @@
           empty_pages,  // Terminated process has no active pages.
           warnings));
     }
   }
   results.Set("extensions", extensions_list);
 
   ManagedUserService* service =
       ManagedUserServiceFactory::GetForProfile(profile);
 
   bool is_managed = service->ProfileIsManaged();
-  bool is_elevated = service->IsElevated();
+  bool is_elevated =
+      service->IsElevatedForWebContents(web_ui()->GetWebContents());
   bool developer_mode =
       (!is_managed || is_elevated) &&
       profile->GetPrefs()->GetBoolean(prefs::kExtensionsUIDeveloperMode);
   results.SetBoolean("profileIsManaged", is_managed);
   results.SetBoolean("profileIsElevated", is_elevated);
   results.SetBoolean("developerMode", developer_mode);
 
   // Check to see if we have any wiped out extensions.
   ExtensionService* extension_service =
       extensions::ExtensionSystem::Get(profile)->extension_service();
@@ skipping 90 matching lines @@
 }
 
 void ExtensionSettingsHandler::HandleEnableMessage(const ListValue* args) {
   CHECK_EQ(2U, args->GetSize());
   std::string extension_id, enable_str;
   CHECK(args->GetString(0, &extension_id));
   CHECK(args->GetString(1, &enable_str));
 
   const Extension* extension =
       extension_service_->GetInstalledExtension(extension_id);
-  if (!extension ||
-      !management_policy_->UserMayModifySettings(extension, NULL)) {
+  if (!extension || !CheckUserMayModifySettings(extension)) {
     LOG(ERROR) << "Attempt to enable an extension that is non-usermanagable was"
                << "made. Extension id: " << extension->id();
     return;
   }
 
   if (enable_str == "true") {
     extensions::ExtensionPrefs* prefs = extension_service_->extension_prefs();
     if (prefs->DidExtensionEscalatePermissions(extension_id)) {
       extensions::ShowExtensionDisabledDialog(
           extension_service_, web_ui()->GetWebContents(), extension);
     } else if ((prefs->GetDisableReasons(extension_id) &
                    Extension::DISABLE_UNSUPPORTED_REQUIREMENT) &&
                !requirements_checker_.get()) {
       // Recheck the requirements.
       scoped_refptr<const Extension> extension =
           extension_service_->GetExtensionById(extension_id,
                                                true /* include disabled */);
       requirements_checker_.reset(new extensions::RequirementsChecker());
       requirements_checker_->Check(
           extension,
           base::Bind(&ExtensionSettingsHandler::OnRequirementsChecked,
                      AsWeakPtr(), extension_id));
     } else {
       extension_service_->EnableExtension(extension_id);
 
       // Make sure any browser action contained within it is not hidden.
       prefs->SetBrowserActionVisibility(extension, true);
     }
   } else {
+    ManagedUserService* service = ManagedUserServiceFactory::GetForProfile(
+        Profile::FromWebUI(web_ui()));
+    scoped_ptr<ScopedExtensionElevation> elevation;
+    if (service->ProfileIsManaged() &&
+        service->IsElevatedForWebContents(web_ui()->GetWebContents())) {
+      elevation.reset(new ScopedExtensionElevation(service, extension_id));
+    }
     extension_service_->DisableExtension(
         extension_id, Extension::DISABLE_USER_ACTION);
   }
 }
 
 void ExtensionSettingsHandler::HandleEnableIncognitoMessage(
     const ListValue* args) {
   CHECK_EQ(2U, args->GetSize());
   std::string extension_id, enable_str;
   CHECK(args->GetString(0, &extension_id));
@@ skipping 24 matching lines @@
     const ListValue* args) {
   CHECK_EQ(2U, args->GetSize());
   std::string extension_id, allow_str;
   CHECK(args->GetString(0, &extension_id));
   CHECK(args->GetString(1, &allow_str));
   const Extension* extension =
       extension_service_->GetInstalledExtension(extension_id);
   if (!extension)
     return;
 
-  if (!management_policy_->UserMayModifySettings(extension, NULL)) {
+  if (!CheckUserMayModifySettings(extension)) {
     LOG(ERROR) << "Attempt to change allow file access of an extension that is "
                << "non-usermanagable was made. Extension id : "
                << extension->id();
     return;
   }
 
   extension_service_->SetAllowFileAccess(extension, allow_str == "true");
 }
 
 void ExtensionSettingsHandler::HandleUninstallMessage(const ListValue* args) {
   CHECK_EQ(1U, args->GetSize());
   std::string extension_id;
   CHECK(args->GetString(0, &extension_id));
   const Extension* extension =
       extension_service_->GetInstalledExtension(extension_id);
   if (!extension)
     return;
 
-  if (!management_policy_->UserMayModifySettings(extension, NULL)) {
+  if (!CheckUserMayModifySettings(extension)) {
     LOG(ERROR) << "Attempt to uninstall an extension that is non-usermanagable "
                << "was made. Extension id : " << extension->id();
     return;
   }
 
   if (!extension_id_prompting_.empty())
     return;  // Only one prompt at a time.
 
   extension_id_prompting_ = extension_id;
 
@@ skipping 234 matching lines @@
     std::vector<std::string> requirement_errors) {
   if (requirement_errors.empty()) {
     extension_service_->EnableExtension(extension_id);
   } else {
     ExtensionErrorReporter::GetInstance()->ReportError(
         UTF8ToUTF16(JoinString(requirement_errors, ' ')),
         true /* be noisy */);
   }
   requirements_checker_.reset();
 }