ChildProcessSecurityPolicy: Deprecate bitmask-based permissions checks for files.

content/browser/child_process_security_policy_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/files/file_path.h"
 #include "base/platform_file.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/public/common/url_constants.h"
 #include "content/test/test_content_browser_client.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
+#include "webkit/browser/fileapi/file_permission_policy.h"
+#include "webkit/browser/fileapi/file_system_url.h"
+#include "webkit/common/fileapi/file_system_types.h"
 
 namespace content {
 namespace {
 
 const int kRendererID = 42;
 const int kWorkerRendererID = kRendererID + 1;
 
 #if defined(FILE_PATH_USES_DRIVE_LETTERS)
 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x)
 #else
@@ skipping 57 matching lines @@
                                const base::FilePath& file,
                                int permissions) {
     p->GrantPermissionsForFile(child_id, file, permissions);
   }
 
  private:
   ChildProcessSecurityPolicyTestBrowserClient test_browser_client_;
   ContentBrowserClient* old_browser_client_;
 };
 
+struct PermissionsSet {
+  PermissionsSet(bool can_read, bool can_write, bool can_create,

[vandebo (ex-Chrome), 2013/07/18 15:16:59]

A list of bools is almost always a bad plan.  How about a set of methods that
are chainable?

const PermissionSet& EnableRead();
const PermissionSet& EnableWrite();
etc ?

[tommycli, 2013/07/18 15:56:47]

Done.

+                 bool can_create_read_write)
+      : can_read(can_read),
+        can_write(can_write),
+        can_create(can_create),
+        can_create_read_write(can_create_read_write) {
+  }
+
+  bool operator==(const PermissionsSet& o) const {
+    return can_read == o.can_read &&
+        can_write == o.can_write &&
+        can_create == o.can_create &&
+        can_create_read_write == o.can_create_read_write;
+  }
+
+  bool can_read;
+  bool can_write;
+  bool can_create;
+  bool can_create_read_write;
+};
+
+PermissionsSet GetAllPermissions(ChildProcessSecurityPolicyImpl* p,
+                                 int child_id, const base::FilePath& file) {
+  return PermissionsSet(
+      p->CanReadFile(child_id, file),
+      p->CanWriteFile(child_id, file),
+      p->CanCreateFile(child_id, file),
+      p->CanCreateReadWriteFile(child_id, file));
+}
+
+PermissionsSet GetAllPermissionsForURL(
+    ChildProcessSecurityPolicyImpl* p,
+    int child_id,
+    const fileapi::FileSystemURL& url) {
+  return PermissionsSet(
+      p->CanReadFileSystemFile(child_id, url),
+      p->CanWriteFileSystemFile(child_id, url),
+      p->CanCreateFileSystemFile(child_id, url),
+      p->CanCreateReadWriteFileSystemFile(child_id, url));
+}
+
 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpScheme));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpsScheme));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kFtpScheme));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kDataScheme));
   EXPECT_TRUE(p->IsWebSafeScheme("feed"));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kBlobScheme));
@@ skipping 168 matching lines @@
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
 
   p->GrantRequestURL(kRendererID, icon_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
 
   p->Remove(kRendererID);
 }
 
-TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) {
+TEST_F(ChildProcessSecurityPolicyTest, PermissionGrantingAndRevoking) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
+  p->RegisterFileSystemPermissionPolicy(
+      fileapi::kFileSystemTypeTest,
+      fileapi::FILE_PERMISSION_USE_FILE_PERMISSION);
+
   p->Add(kRendererID);
+  base::FilePath file(TEST_PATH("/dir/testfile"));
+  fileapi::FileSystemURL url = fileapi::FileSystemURL::CreateForTest(
+      GURL("http://foo/"), fileapi::kFileSystemTypeTest, file);
 
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/passwd"))));
-  p->GrantReadFile(kRendererID, base::FilePath(TEST_PATH("/etc/passwd")));
-  EXPECT_TRUE(p->CanReadFile(kRendererID,
-                             base::FilePath(TEST_PATH("/etc/passwd"))));
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/shadow"))));
+  PermissionsSet all_denied(false, false, false, false);
 
+  // Test initially having no permissions.
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  // Testing every combination of permissions granting and revoking.
+  PermissionsSet read_only(true, false, false, false);
+  p->GrantReadFile(kRendererID, file);
+  EXPECT_EQ(read_only, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(read_only, GetAllPermissionsForURL(p, kRendererID, url));
+  p->RevokeAllPermissionsForFile(kRendererID, file);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  PermissionsSet create_read_write(true, true, true, true);
+  p->GrantCreateReadWriteFile(kRendererID, file);
+  EXPECT_EQ(create_read_write, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(create_read_write, GetAllPermissionsForURL(p, kRendererID, url));
+  p->RevokeAllPermissionsForFile(kRendererID, file);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  PermissionsSet create_write(false, true, true, false);
+  p->GrantCreateWriteFile(kRendererID, file);
+  EXPECT_EQ(create_write, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(create_write, GetAllPermissionsForURL(p, kRendererID, url));
+  p->RevokeAllPermissionsForFile(kRendererID, file);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  // Test revoke permissions on renderer ID removal.
+  p->GrantCreateReadWriteFile(kRendererID, file);
+  EXPECT_EQ(create_read_write, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(create_read_write, GetAllPermissionsForURL(p, kRendererID, url));
   p->Remove(kRendererID);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  // Test having no permissions upon re-adding same renderer ID.
   p->Add(kRendererID);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
 
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/passwd"))));
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/shadow"))));
-
+  // Cleanup.
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, CanReadDirectories) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->CanReadDirectory(kRendererID,
@@ skipping 215 matching lines @@
   // queried on the IO thread.  The ChildProcessSecurityPolicy needs to be
   // prepared to answer policy questions about renderers who no longer exist.
 
   // In this case, we default to secure behavior.
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
   EXPECT_FALSE(p->CanReadFile(kRendererID, file));
   EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
 }
 
 }  // namespace content