chrome.webRequest support for ExtensionSettings

chrome/browser/extensions/api/web_request/web_request_apitest.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 #include "base/macros.h"
 #include "base/memory/ptr_util.h"
 #include "base/strings/stringprintf.h"
 #include "build/build_config.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/extensions/active_tab_permission_granter.h"
 #include "chrome/browser/extensions/extension_action_runner.h"
 #include "chrome/browser/extensions/extension_apitest.h"
 #include "chrome/browser/extensions/extension_service.h"
+#include "chrome/browser/extensions/extension_with_management_policy_apitest.h"
 #include "chrome/browser/extensions/tab_helper.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/search_engines/template_url_service_factory.h"
 #include "chrome/browser/ui/browser.h"
 #include "chrome/browser/ui/browser_navigator_params.h"
 #include "chrome/browser/ui/login/login_handler.h"
 #include "chrome/browser/ui/tabs/tab_strip_model.h"
 #include "chrome/common/extensions/extension_process_policy.h"
 #include "chrome/test/base/search_test_utils.h"
 #include "chrome/test/base/ui_test_utils.h"
+#include "chromeos/login/scoped_test_public_session_login_state.h"
 #include "content/public/browser/notification_registrar.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/render_frame_host.h"
 #include "content/public/browser/render_view_host.h"
 #include "content/public/browser/render_widget_host.h"
 #include "content/public/browser/web_contents.h"
 #include "content/public/test/browser_test_utils.h"
 #include "extensions/browser/api/web_request/web_request_api.h"
 #include "extensions/browser/blocked_action_type.h"
 #include "extensions/browser/extension_system.h"
 #include "extensions/common/extension_builder.h"
 #include "extensions/common/features/feature.h"
 #include "extensions/test/extension_test_message_listener.h"
 #include "extensions/test/result_catcher.h"
 #include "net/dns/mock_host_resolver.h"
 #include "net/test/embedded_test_server/embedded_test_server.h"
+#include "net/test/embedded_test_server/http_request.h"
 #include "net/test/test_data_directory.h"
 #include "third_party/WebKit/public/platform/WebInputEvent.h"
 
 #if defined(OS_CHROMEOS)
 #include "chromeos/login/login_state.h"
 #endif  // defined(OS_CHROMEOS)
 
 using content::WebContents;
 
 namespace extensions {
@@ skipping 66 matching lines @@
   if (!ExecuteScriptAndExtractInt(
           host->host_contents(),
           "window.domAutomationController.send(window.webRequestCount)",
           &count))
     return -1;
   return count;
 }
 
 }  // namespace
 
-class ExtensionWebRequestApiTest : public ExtensionApiTest {
+class ExtensionWebRequestApiTest : public ExtensionApiTestWithManagementPolicy {
  public:
   void SetUpInProcessBrowserTestFixture() override {
-    ExtensionApiTest::SetUpInProcessBrowserTestFixture();
+    ExtensionApiTestWithManagementPolicy::SetUpInProcessBrowserTestFixture();
     host_resolver()->AddRule("*", "127.0.0.1");
   }
 
   void RunPermissionTest(
       const char* extension_directory,
       bool load_extension_with_incognito_permission,
       bool wait_for_extension_loaded_in_incognito,
       const char* expected_content_regular_window,
       const char* exptected_content_incognito_window);
 };
@@ skipping 22 matching lines @@
 }
 
 IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, WebRequestTypes) {
   ASSERT_TRUE(StartEmbeddedTestServer());
   ASSERT_TRUE(RunExtensionSubtest("webrequest", "test_types.html")) << message_;
 }
 
 #if defined(OS_CHROMEOS)
 IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, WebRequestPublicSession) {
   ASSERT_TRUE(StartEmbeddedTestServer());
-  // Set Public Session state.
-  chromeos::LoginState::Get()->SetLoggedInState(
-      chromeos::LoginState::LOGGED_IN_ACTIVE,
-      chromeos::LoginState::LOGGED_IN_USER_PUBLIC_ACCOUNT);
+  chromeos::ScopedTestPublicSessionLoginState login_state;
   // Disable a CHECK while doing api tests.
   WebRequestPermissions::AllowAllExtensionLocationsInPublicSessionForTesting(
       true);
   ASSERT_TRUE(RunExtensionSubtest("webrequest_public_session", "test.html")) <<
       message_;
   WebRequestPermissions::AllowAllExtensionLocationsInPublicSessionForTesting(
       false);
 }
 #endif  // defined(OS_CHROMEOS)
 
@@ skipping 473 matching lines @@
 // Test that the webRequest events are dispatched for the WebSocket handshake
 // requests when authenrication is requested by server.
 IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest,
                        WebSocketRequestAuthRequired) {
   ASSERT_TRUE(StartEmbeddedTestServer());
   ASSERT_TRUE(StartWebSocketServer(net::GetWebSocketTestDataDirectory(), true));
   ASSERT_TRUE(RunExtensionSubtest("webrequest", "test_websocket_auth.html"))
       << message_;
 }
 
+IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, policyBlockByOrigin) {
+  // Browse to protected example.com page, which loads JS of unprotected
+  // domain. We try to block this external JS in the extension. Since
+  // the JS is loaded from a protected Origin, we succeed if the request
+  // isn't blocked.
+
+  // Set enterprise policy to block modification of requests to or
+  // from (origin) example.com/no*. This should NOT match the URL so the request
+  // CAN NOT be viewed or modified
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddRuntimeBlockedHost("*", "*://example.com/no*");
+  }
+  // Set auto confirm UI flag.
+  PermissionsRequestFunction::SetAutoConfirmForTests(true);
+  PermissionsRequestFunction::SetIgnoreUserGestureForTests(true);
+
+  ASSERT_TRUE(StartEmbeddedTestServer());
+
+  LoadExtension(test_data_dir_.AppendASCII("webrequest/policy_blocked"));
+
+  // Listen to verify extension sees the web request.
+  ExtensionTestMessageListener before_request_listener("protected_origin",
+                                                       false);
+
+  // Wait until all remote Javascript files have been blocked / pulled down.
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(),
+      embedded_test_server()->GetURL(
+          "example.com",
+          "/extensions/api_test/webrequest/policy_blocked/ref_remote_js.html"),
+      WindowOpenDisposition::CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
+
+  // The webRequest was seen by the extension
+  EXPECT_TRUE(before_request_listener.was_satisfied());
+
+  // Clear the list of domains the server has seen
+  ClearRequestLog();
+
+  // Set enterprise policy to block modification of requests to or
+  // from (origin) example.com/e*. This SHOULD match the URL so the request
+  // SHOULD be modifyable, in this case
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddRuntimeBlockedHost("*", "*://example.com/e*");
+  }
+
+  // Listen in case extension sees the web requst
+  ExtensionTestMessageListener before_request_listener2("protected_origin",
+                                                        false);
+
+  // Wait until all remote Javascript files have been pulled down
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(),
+      embedded_test_server()->GetURL(
+          "example.com",
+          "/extensions/api_test/webrequest/policy_blocked/ref_remote_js.html"),
+      WindowOpenDisposition::CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
+
+  // The server saw a request for the remote Javascript file
+  EXPECT_TRUE(BrowsedTo("example2.com"));
+
+  // The webRequest was hidden from the extension
+  EXPECT_FALSE(before_request_listener2.was_satisfied());
+
+  // We need to test again to make sure non-protected URLs are still visible
+  ClearRequestLog();
+
+  // Wait until all remote Javascript files have been pulled down
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(),
+      embedded_test_server()->GetURL(
+          "not_blocked_example.com",
+          "/extensions/api_test/webrequest/policy_blocked/ref_remote_js.html"),
+      WindowOpenDisposition::CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
+
+  // The server saw a request for the remote Javascript file
+  EXPECT_TRUE(BrowsedTo("example2.com"));
+
+  // The webRequest was visible from the extension
+  EXPECT_TRUE(before_request_listener.was_satisfied());
+}
+
+IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest, policyBlockByUrl) {
+  // Set enterprise policy to block modification of requests to or
+  // from (origin) example.com.
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddRuntimeBlockedHost("*", "*://example.com/*");
+  }
+  // Set auto confirm UI flag.
+  PermissionsRequestFunction::SetAutoConfirmForTests(true);
+  PermissionsRequestFunction::SetIgnoreUserGestureForTests(true);
+
+  ASSERT_TRUE(StartEmbeddedTestServer());
+
+  LoadExtension(test_data_dir_.AppendASCII("webrequest/policy_blocked"));
+
+  // Listen in case extension sees the web requst
+  ExtensionTestMessageListener before_request_listener("protected_url", false);
+
+  // Wait until page fully loads
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(),
+      embedded_test_server()->GetURL(
+          "example.com",
+          "/extensions/api_test/webrequest/policy_blocked/protected_url.html"),
+      WindowOpenDisposition::CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
+
+  // The server saw a request for the protected site
+  EXPECT_TRUE(BrowsedTo("example.com"));
+
+  // The webRequest was hidden from the extension
+  EXPECT_FALSE(before_request_listener.was_satisfied());
+
+  // Wait until page fully loads
+  ui_test_utils::NavigateToURLWithDisposition(
+      browser(),
+      embedded_test_server()->GetURL(
+          "not_blocked_example.com",
+          "/extensions/api_test/webrequest/policy_blocked/protected_url.html"),
+      WindowOpenDisposition::CURRENT_TAB,
+      ui_test_utils::BROWSER_TEST_WAIT_FOR_NAVIGATION);
+
+  // The server saw a request for the protected site
+  EXPECT_TRUE(BrowsedTo("not_blocked_example.com"));
+
+  // The webRequest was visible from the extension
+  EXPECT_TRUE(before_request_listener.was_satisfied());
+}
+
+// Tests that webRequest respects hosts protected by ExtensionSettings policy.
+IN_PROC_BROWSER_TEST_F(ExtensionWebRequestApiTest,
+                       WebRequestProtectedByPolicy) {
+  FeatureSwitch::ScopedOverride enable_scripts_require_action(
+      FeatureSwitch::scripts_require_action(), true);
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddRuntimeBlockedHost("*", "*://example.com/*");
+  }
+  extensions::PermissionsRequestFunction::SetIgnoreUserGestureForTests(true);
+  extensions::PermissionsRequestFunction::SetAutoConfirmForTests(true);
+  ASSERT_TRUE(StartEmbeddedTestServer());
+
+  ExtensionTestMessageListener listener("ready", false);
+  const Extension* extension =
+      LoadExtension(test_data_dir_.AppendASCII("webrequest_activetab"));
+  ASSERT_TRUE(extension) << message_;
+  EXPECT_TRUE(listener.WaitUntilSatisfied());
+
+  // Navigate the browser to a page in a new tab.
+  const std::string kHost = "example.com";
+  GURL url = embedded_test_server()->GetURL(kHost, "/empty.html");
+  chrome::NavigateParams params(browser(), url, ui::PAGE_TRANSITION_LINK);
+  params.disposition = WindowOpenDisposition::NEW_FOREGROUND_TAB;
+  ui_test_utils::NavigateToURL(&params);
+
+  content::WebContents* web_contents =
+      browser()->tab_strip_model()->GetActiveWebContents();
+  ASSERT_TRUE(web_contents);
+  ExtensionActionRunner* runner =
+      ExtensionActionRunner::GetForWebContents(web_contents);
+  ASSERT_TRUE(runner);
+
+  int port = embedded_test_server()->port();
+  const std::string kXhrPath = "simple.html";
+
+  // The extension shouldn't have currently received any webRequest events,
+  // since it doesn't have permission (and shouldn't receive any from an XHR).
+  EXPECT_EQ(0, GetWebRequestCountFromBackgroundPage(extension, profile()));
+  PerformXhrInFrame(web_contents->GetMainFrame(), kHost, port, kXhrPath);
+  EXPECT_EQ(0, GetWebRequestCountFromBackgroundPage(extension, profile()));
+
+  // Grant activeTab permission, and perform another XHR. The extension should
+  // still be blocked due to ExtensionSettings policy on example.com.
+  EXPECT_EQ(BLOCKED_ACTION_WEB_REQUEST, runner->GetBlockedActions(extension));
+  runner->set_default_bubble_close_action_for_testing(
+      base::WrapUnique(new ToolbarActionsBarBubbleDelegate::CloseAction(
+          ToolbarActionsBarBubbleDelegate::CLOSE_EXECUTE)));
+  runner->RunAction(extension, true);
+  base::RunLoop().RunUntilIdle();
+  EXPECT_TRUE(content::WaitForLoadStop(web_contents));
+  // The runner will have refreshed the page...
+  EXPECT_EQ(BLOCKED_ACTION_NONE, runner->GetBlockedActions(extension));
+  int xhr_count = GetWebRequestCountFromBackgroundPage(extension, profile());
+  // ... which means that we should have a non-zero xhr count.
+  EXPECT_EQ(xhr_count, 0);
+  // And the extension should also block future events.
+  PerformXhrInFrame(web_contents->GetMainFrame(), kHost, port, kXhrPath);
+  EXPECT_EQ(xhr_count,
+            GetWebRequestCountFromBackgroundPage(extension, profile()));
+}
+
 }  // namespace extensions