ChildProcessSecurityPolicy: Deprecate bitmask-based permissions checks for files.

content/browser/child_process_security_policy_unittest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "base/basictypes.h"
 #include "base/files/file_path.h"
 #include "base/platform_file.h"
 #include "content/browser/child_process_security_policy_impl.h"
 #include "content/public/common/url_constants.h"
 #include "content/test/test_content_browser_client.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
+#include "webkit/browser/fileapi/file_permission_policy.h"
+#include "webkit/browser/fileapi/file_system_url.h"
+#include "webkit/common/fileapi/file_system_types.h"
 
 namespace content {
 namespace {
 
 const int kRendererID = 42;
 const int kWorkerRendererID = kRendererID + 1;
 
 #if defined(FILE_PATH_USES_DRIVE_LETTERS)
 #define TEST_PATH(x) FILE_PATH_LITERAL("c:") FILE_PATH_LITERAL(x)
 #else
@@ skipping 57 matching lines @@
                                const base::FilePath& file,
                                int permissions) {
     p->GrantPermissionsForFile(child_id, file, permissions);
   }
 
  private:
   ChildProcessSecurityPolicyTestBrowserClient test_browser_client_;
   ContentBrowserClient* old_browser_client_;
 };
 
+class PermissionsSet {
+ public:
+  PermissionsSet()
+      : can_read(false),

[vandebo (ex-Chrome), 2013/07/22 21:33:41]

I find this class strange because the grants are combinations of permissions and
this checks for the exact combination.  I think expanding it away is probably
less confusing in the long run.

[tommycli, 2013/07/23 15:30:22]

Done. I tried expanding the lines to do it the inline way. It's actually
shorter. I can't argue with that.

+        can_write(false),
+        can_create(false),
+        can_create_write(false) {
+  }
+
+  PermissionsSet& EnableRead() {
+    can_read = true;
+    return *this;
+  }
+
+  PermissionsSet& EnableWrite() {
+    can_write = true;
+    return *this;
+  }
+
+  PermissionsSet& EnableCreate() {
+    can_create = true;
+    return *this;
+  }
+
+  PermissionsSet& EnableCreateWrite() {
+    can_create_write = true;
+    return *this;
+  }
+
+  bool operator==(const PermissionsSet& o) const {
+    return can_read == o.can_read &&
+        can_write == o.can_write &&
+        can_create == o.can_create &&
+        can_create_write == o.can_create_write;
+  }
+
+private:
+  bool can_read;
+  bool can_write;
+  bool can_create;
+  bool can_create_write;
+};
+
+PermissionsSet GetAllPermissions(ChildProcessSecurityPolicyImpl* p,
+                                 int child_id, const base::FilePath& file) {
+  PermissionsSet permissions;
+
+  if (p->CanReadFile(child_id, file))
+    permissions.EnableRead();
+  if (p->CanWriteFile(child_id, file))
+    permissions.EnableWrite();
+  if (p->CanCreateFile(child_id, file))
+    permissions.EnableCreate();
+  if (p->CanCreateWriteFile(child_id, file))
+    permissions.EnableCreateWrite();
+
+  return permissions;
+}
+
+PermissionsSet GetAllPermissionsForURL(
+    ChildProcessSecurityPolicyImpl* p,
+    int child_id,
+    const fileapi::FileSystemURL& url) {
+  PermissionsSet permissions;
+
+  if (p->CanReadFileSystemFile(child_id, url))
+    permissions.EnableRead();
+  if (p->CanWriteFileSystemFile(child_id, url))
+    permissions.EnableWrite();
+  if (p->CanCreateFileSystemFile(child_id, url))
+    permissions.EnableCreate();
+  if (p->CanCreateWriteFileSystemFile(child_id, url))
+    permissions.EnableCreateWrite();
+
+  return permissions;
+}
+
 TEST_F(ChildProcessSecurityPolicyTest, IsWebSafeSchemeTest) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpScheme));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kHttpsScheme));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kFtpScheme));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kDataScheme));
   EXPECT_TRUE(p->IsWebSafeScheme("feed"));
   EXPECT_TRUE(p->IsWebSafeScheme(chrome::kBlobScheme));
@@ skipping 168 matching lines @@
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_FALSE(p->CanRequestURL(kRendererID, sensitive_url));
 
   p->GrantRequestURL(kRendererID, icon_url);
   EXPECT_TRUE(p->CanRequestURL(kRendererID, icon_url));
   EXPECT_TRUE(p->CanRequestURL(kRendererID, sensitive_url));
 
   p->Remove(kRendererID);
 }
 
-TEST_F(ChildProcessSecurityPolicyTest, CanReadFiles) {
+TEST_F(ChildProcessSecurityPolicyTest, PermissionGrantingAndRevoking) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
+  p->RegisterFileSystemPermissionPolicy(
+      fileapi::kFileSystemTypeTest,
+      fileapi::FILE_PERMISSION_USE_FILE_PERMISSION);
+
   p->Add(kRendererID);
+  base::FilePath file(TEST_PATH("/dir/testfile"));
+  fileapi::FileSystemURL url = fileapi::FileSystemURL::CreateForTest(
+      GURL("http://foo/"), fileapi::kFileSystemTypeTest, file);
 
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/passwd"))));
-  p->GrantReadFile(kRendererID, base::FilePath(TEST_PATH("/etc/passwd")));
-  EXPECT_TRUE(p->CanReadFile(kRendererID,
-                             base::FilePath(TEST_PATH("/etc/passwd"))));
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/shadow"))));
+  PermissionsSet all_denied;
 
+  // Test initially having no permissions.
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  // Testing every combination of permissions granting and revoking.
+  PermissionsSet read_only;
+  read_only.EnableRead();
+  p->GrantReadFile(kRendererID, file);
+  EXPECT_EQ(read_only, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(read_only, GetAllPermissionsForURL(p, kRendererID, url));
+  p->RevokeAllPermissionsForFile(kRendererID, file);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  PermissionsSet create_read_write;
+  create_read_write.EnableRead().EnableWrite().EnableCreate()
+      .EnableCreateWrite();
+  p->GrantCreateReadWriteFile(kRendererID, file);
+  EXPECT_EQ(create_read_write, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(create_read_write, GetAllPermissionsForURL(p, kRendererID, url));
+  p->RevokeAllPermissionsForFile(kRendererID, file);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  PermissionsSet create_write;
+  create_write.EnableCreate().EnableWrite().EnableCreateWrite();
+  p->GrantCreateWriteFile(kRendererID, file);
+  EXPECT_EQ(create_write, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(create_write, GetAllPermissionsForURL(p, kRendererID, url));
+  p->RevokeAllPermissionsForFile(kRendererID, file);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  // Test revoke permissions on renderer ID removal.
+  p->GrantCreateReadWriteFile(kRendererID, file);
+  EXPECT_EQ(create_read_write, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(create_read_write, GetAllPermissionsForURL(p, kRendererID, url));
   p->Remove(kRendererID);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
+
+  // Test having no permissions upon re-adding same renderer ID.
   p->Add(kRendererID);
+  EXPECT_EQ(all_denied, GetAllPermissions(p, kRendererID, file));
+  EXPECT_EQ(all_denied, GetAllPermissionsForURL(p, kRendererID, url));
 
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/passwd"))));
-  EXPECT_FALSE(p->CanReadFile(kRendererID,
-                              base::FilePath(TEST_PATH("/etc/shadow"))));
-
+  // Cleanup.
   p->Remove(kRendererID);
 }
 
 TEST_F(ChildProcessSecurityPolicyTest, CanReadDirectories) {
   ChildProcessSecurityPolicyImpl* p =
       ChildProcessSecurityPolicyImpl::GetInstance();
 
   p->Add(kRendererID);
 
   EXPECT_FALSE(p->CanReadDirectory(kRendererID,
@@ skipping 215 matching lines @@
   // queried on the IO thread.  The ChildProcessSecurityPolicy needs to be
   // prepared to answer policy questions about renderers who no longer exist.
 
   // In this case, we default to secure behavior.
   EXPECT_FALSE(p->CanRequestURL(kRendererID, url));
   EXPECT_FALSE(p->CanReadFile(kRendererID, file));
   EXPECT_FALSE(p->HasWebUIBindings(kRendererID));
 }
 
 }  // namespace content