Communicate ExtensionSettings policy to renderers

extensions/common/permissions/permissions_data.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
 #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
 
 #include <map>
 #include <memory>
 #include <string>
@@ skipping 64 matching lines @@
   // with the given |extension_id|.
   static bool ShouldSkipPermissionWarnings(const std::string& extension_id);
 
   // Returns true if the given |url| is restricted for the given |extension|,
   // as is commonly the case for chrome:// urls.
   // NOTE: You probably want to use CanAccessPage().
   static bool IsRestrictedUrl(const GURL& document_url,
                               const Extension* extension,
                               std::string* error);
 
+  // Is this extension using the default scope for policy_blocked_hosts and
+  // policy_allowed_hosts of the ExtensionSettings policy.
+  bool UsesDefaultPolicyHostRestrictions() const;
+
   // Locks the permissions data to the current thread. We don't do this on
   // construction, since extensions are initialized across multiple threads.
   void BindToCurrentThread() const;
 
   // Sets the runtime permissions of the given |extension| to |active| and
   // |withheld|.
   void SetPermissions(std::unique_ptr<const PermissionSet> active,
                       std::unique_ptr<const PermissionSet> withheld) const;
 
+  // Applies restrictions from enterprise policy limiting which URLs this
+  // extension can interact with. The same policy can also define a default set
+  // of URL restrictions using SetDefaultPolicyHostRestrictions. This function
+  // overrides any default host restriction policy.
+  void SetPolicyHostRestrictions(
+      const URLPatternSet& runtime_blocked_hosts,
+      const URLPatternSet& runtime_allowed_hosts,
+      const bool is_default_runtime_blocked_allowed_hosts) const;

[Devlin, 2017/03/29 21:36:50]

To me, it seems like this shouldn't take three parameters, and instead should be
two functions:
SetPolicyHostRestrictions(
    const URLPatternSet& runtime_blocked_hosts,
    const URLPatternSet& runtime_allowed_hosts);
SetUsesDefaultHostRestrictions(bool uses_default_restrictions);

Otherwise, what do we pass in the blocked/allowed hosts when uses default is
true?  If we pass in the defaults, then it results in massive memory waste -
each extension storing a copy of the defaults - and makes it easier to lead to
bugs (if we update the defaults, we'd need to also update extensions).  If we
pass in empty sets, then we didn't need to pass in anything.  We should prefer
one of the two routes - pass in the hosts if they are specified, or else just
use the defaults.

[nrpeter, 2017/03/30 00:06:06]

Done.

+
+  // Applies restrictions from enterprise policy limiting which URLs all
+  // extensions can interact with. This restriction can be overridden on a
+  // per-extnsion basis with SetPolicyHostRestrictions.

[Devlin, 2017/03/29 21:36:50]

per-extension

[nrpeter, 2017/03/30 00:06:06]

Done.

+  static void SetDefaultPolicyHostRestrictions(
+      const URLPatternSet& default_runtime_blocked_hosts,
+      const URLPatternSet& default_runtime_allowed_hosts);
+
   // Sets the active permissions, leaving withheld the same.
   void SetActivePermissions(std::unique_ptr<const PermissionSet> active) const;
 
   // Updates the tab-specific permissions of |tab_id| to include those from
   // |permissions|.
   void UpdateTabSpecificPermissions(int tab_id,
                                     const PermissionSet& permissions) const;
 
   // Clears the tab-specific permissions of |tab_id|.
   void ClearTabSpecificPermissions(int tab_id) const;
@@ skipping 90 matching lines @@
   const PermissionSet& active_permissions() const {
     DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
     return *active_permissions_unsafe_;
   }
 
   const PermissionSet& withheld_permissions() const {
     DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
     return *withheld_permissions_unsafe_;
   }
 
+  // Returns list of hosts this extension may not interact with by policy.
+  // This should only be used for 1. Serialization when initializing renderers
+  // or 2. Called from utility methods above. For all other uses, call utility
+  // methods instead (e.g. CanAccessPage()).
+  static const URLPatternSet& default_policy_blocked_hosts();
+
+  // Returns list of hosts this extension may interact with regardless of
+  // what is defined by policy_blocked_hosts().
+  // This should only be used for 1. Serialization when initializing renderers
+  // or 2. Called from utility methods above. For all other uses, call utility
+  // methods instead (e.g. CanAccessPage()).
+  static const URLPatternSet& default_policy_allowed_hosts();
+
+  // Returns list of hosts this extension may not interact with by policy.
+  // This should only be used for 1. Serialization when initializing renderers
+  // or 2. Called from utility methods above. For all other uses, call utility
+  // methods instead (e.g. CanAccessPage()).
+  const URLPatternSet& policy_blocked_hosts() const;
+
+  // Returns list of hosts this extension may interact with regardless of
+  // what is defined by policy_blocked_hosts().
+  // This should only be used for 1. Serialization when initializing renderers
+  // or 2. Called from utility methods above. For all other uses, call utility
+  // methods instead (e.g. CanAccessPage()).
+  const URLPatternSet& policy_allowed_hosts() const;
+
 #if defined(UNIT_TEST)
   const PermissionSet* GetTabSpecificPermissionsForTesting(int tab_id) const {
     base::AutoLock auto_lock(runtime_lock_);
     return GetTabSpecificPermissions(tab_id);
   }
 #endif
 
  private:
   // Gets the tab-specific host permissions of |tab_id|, or NULL if there
   // aren't any.
@@ skipping 12 matching lines @@
   // checking against |permitted_url_patterns| in addition to blocking special
   // sites (like the webstore or chrome:// urls).
   // Must be called with |runtime_lock_| acquired.
   AccessType CanRunOnPage(const Extension* extension,
                           const GURL& document_url,
                           int tab_id,
                           const URLPatternSet& permitted_url_patterns,
                           const URLPatternSet& withheld_url_patterns,
                           std::string* error) const;
 
+  // Check if a specific URL is blocked by policy from extension use at runtime.
+  bool IsRuntimeBlockedHost(const GURL& url) const;
+
   // The associated extension's id.
   std::string extension_id_;
 
   // The associated extension's manifest type.
   Manifest::Type manifest_type_;
 
   mutable base::Lock runtime_lock_;
 
   // The permission's which are currently active on the extension during
   // runtime.
   // Unsafe indicates that we must lock anytime this is directly accessed.
   // Unless you need to change |active_permissions_unsafe_|, use the (safe)
   // active_permissions() accessor.
   mutable std::unique_ptr<const PermissionSet> active_permissions_unsafe_;
 
   // The permissions the extension requested, but was not granted due because
   // they are too powerful. This includes things like all_hosts.
   // Unsafe indicates that we must lock anytime this is directly accessed.
   // Unless you need to change |withheld_permissions_unsafe_|, use the (safe)
   // withheld_permissions() accessor.
   mutable std::unique_ptr<const PermissionSet> withheld_permissions_unsafe_;
 
+  // The list of hosts an extension may not interact with by policy.
+  // Unless you need to change |policy_blocked_hosts_unsafe_|, use the (safe)
+  // policy_blocked_hosts() accessor.
+  mutable URLPatternSet policy_blocked_hosts_unsafe;
+
+  // The exclusive list of hosts an extension may interact with by policy.
+  // Unless you need to change |policy_allowed_hosts_unsafe_|, use the (safe)
+  // policy_allowed_hosts() accessor.
+  mutable URLPatternSet policy_allowed_hosts_unsafe;
+
+  // If the ExtensionSettings policy is not being used, or no per-extension
+  // exception to the default policy was declared for this extension.
+  mutable bool uses_default_policy_host_restrictions = true;
+
   mutable TabPermissionsMap tab_specific_permissions_;
 
   mutable std::unique_ptr<base::ThreadChecker> thread_checker_;
 
   DISALLOW_COPY_AND_ASSIGN(PermissionsData);
 };
 
 }  // namespace extensions
 
 #endif  // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_