Communicate ExtensionSettings policy to renderers

extensions/common/permissions/permissions_data.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "extensions/common/permissions/permissions_data.h"
 
 #include <algorithm>
 #include <utility>
 
 #include "base/command_line.h"
+#include "base/lazy_instance.h"
 #include "base/macros.h"
 #include "content/public/common/url_constants.h"
 #include "extensions/common/constants.h"
 #include "extensions/common/error_utils.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/extensions_client.h"
 #include "extensions/common/manifest.h"
 #include "extensions/common/manifest_constants.h"
 #include "extensions/common/manifest_handlers/permissions_parser.h"
 #include "extensions/common/permissions/api_permission.h"
 #include "extensions/common/permissions/permission_message_provider.h"
 #include "extensions/common/switches.h"
 #include "extensions/common/url_pattern_set.h"
 #include "url/gurl.h"
 #include "url/url_constants.h"
 
 namespace extensions {
 
 namespace {
 
 PermissionsData::PolicyDelegate* g_policy_delegate = nullptr;
 
+struct DefaultRuntimePolicy {
+  URLPatternSet blocked_hosts;
+  URLPatternSet allowed_hosts;
+};
+// URLs an extension can't interact with. An extension can override these
+// settings by declaring its own list of blocked and allowed hosts using
+// policy_blocked_hosts and policy_allowed_hosts.
+base::LazyInstance<DefaultRuntimePolicy>::Leaky default_runtime_policy =
+    LAZY_INSTANCE_INITIALIZER;
+
 class AutoLockOnValidThread {
  public:
   AutoLockOnValidThread(base::Lock& lock, base::ThreadChecker* thread_checker)
       : auto_lock_(lock) {
     DCHECK(!thread_checker || thread_checker->CalledOnValidThread());
   }
 
  private:
   base::AutoLock auto_lock_;
 
@@ skipping 37 matching lines @@
 bool PermissionsData::ShouldSkipPermissionWarnings(
     const std::string& extension_id) {
   // See http://b/4946060 for more details.
   return extension_id == extension_misc::kProdHangoutsExtensionId;
 }
 
 // static
 bool PermissionsData::IsRestrictedUrl(const GURL& document_url,
                                       const Extension* extension,
                                       std::string* error) {
+  if (extension &&
+      extension->permissions_data()->IsRuntimeBlockedHost(document_url)) {
+    *error = manifest_errors::kCannotAccessPage;
+    return true;
+  }
   if (extension && CanExecuteScriptEverywhere(extension))
     return false;
 
   // Check if the scheme is valid for extensions. If not, return.
   if (!URLPattern::IsValidSchemeForExtensions(document_url.scheme()) &&
       document_url.spec() != url::kAboutBlankURL) {
     if (error) {
       if (extension->permissions_data()->active_permissions().HasAPIPermission(
               APIPermission::kTab)) {
         *error = ErrorUtils::FormatErrorMessage(
@@ skipping 20 matching lines @@
   if (extension && document_url.SchemeIs(kExtensionScheme) &&
       document_url.host() != extension->id() && !allow_on_chrome_urls) {
     if (error)
       *error = manifest_errors::kCannotAccessExtensionUrl;
     return true;
   }
 
   return false;
 }
 
+bool PermissionsData::UsesDefaultPolicyHostRestrictions() const {
+  DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+  return uses_default_policy_host_restrictions;
+}
+
+const URLPatternSet& PermissionsData::default_policy_blocked_hosts() {
+  return default_runtime_policy.Get().blocked_hosts;
+}
+
+const URLPatternSet& PermissionsData::default_policy_allowed_hosts() {
+  return default_runtime_policy.Get().allowed_hosts;
+}
+
+const URLPatternSet& PermissionsData::policy_blocked_hosts() const {
+  DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+  if (uses_default_policy_host_restrictions)
+    return default_policy_blocked_hosts();
+  return policy_blocked_hosts_unsafe_;
+}
+
+const URLPatternSet& PermissionsData::policy_allowed_hosts() const {
+  DCHECK(!thread_checker_ || thread_checker_->CalledOnValidThread());
+  if (uses_default_policy_host_restrictions)
+    return default_policy_allowed_hosts();
+  return policy_allowed_hosts_unsafe_;
+}
+
 void PermissionsData::BindToCurrentThread() const {
   DCHECK(!thread_checker_);
   thread_checker_.reset(new base::ThreadChecker());
 }
 
 void PermissionsData::SetPermissions(
     std::unique_ptr<const PermissionSet> active,
     std::unique_ptr<const PermissionSet> withheld) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
   active_permissions_unsafe_ = std::move(active);
   withheld_permissions_unsafe_ = std::move(withheld);
 }
 
+void PermissionsData::SetPolicyHostRestrictions(
+    const URLPatternSet& runtime_blocked_hosts,
+    const URLPatternSet& runtime_allowed_hosts) const {
+  AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
+  policy_blocked_hosts_unsafe_ = runtime_blocked_hosts;

[dcheng, 2017/03/31 23:48:06]

I'm having trouble understanding why it's sometimes OK to not grab the lock, but
sometimes it's important to grab it.

[nrpeter, 2017/04/01 00:19:02]

Good point, added the check to SetUsesDefaultHostRestrictions.

runtime_lock_ is part of the class and not available to static methods like
SetDefaultPolicyHostRestrictions. Should I create a second static lock for
setting / reading the default host restrictions?

[dcheng, 2017/04/01 00:24:07]

I don't really know, but my question is more about
PermissionsData::policy_allowed_hosts(), etc: we return a reference to a
URLPatternSet, but access doesn't appear to be protected. I'm wondering why this
is OK.

[nrpeter, 2017/04/03 22:35:48]

I was copying active_permissions() from permissions_data.h which also returns a
reference and is used to populate permissions data from the browser process to
renderers.

[Devlin, 2017/04/04 16:29:10]

It's only safe to grab them directly (using the *unsafe_ members) when we've
already grabbed the lock.  e.g., CanRunOnPage() is only ever called from other
functions which acquire the lock; therefore it's safe to use the members without
first acquiring it.

We should make sure that we're abiding by this (so we need to acquire the lock
in SetUsesDefaultHostRestrictions, etc.)

[nrpeter, 2017/04/05 23:13:26]

FYI: We are acquiring the lock in SetUsesDefaultHostRestrictions in a later 
patchset
https://codereview.chromium.org/2499493004/diff/240001/extensions/common/perm...

[dcheng, 2017/04/07 06:57:19]

Can we use runtime_lock_.AssertAquired() to make this clear?

[nrpeter, 2017/04/12 23:35:44]

Added the lock assertion check as requested.

+  policy_allowed_hosts_unsafe_ = runtime_allowed_hosts;
+}
+
+void PermissionsData::SetUsesDefaultHostRestrictions(
+    bool uses_default_restrictions) const {
+  uses_default_policy_host_restrictions = uses_default_restrictions;
+}
+
+// static
+void PermissionsData::SetDefaultPolicyHostRestrictions(
+    const URLPatternSet& default_runtime_blocked_hosts,
+    const URLPatternSet& default_runtime_allowed_hosts) {
+  default_runtime_policy.Get().blocked_hosts = default_runtime_blocked_hosts;
+  default_runtime_policy.Get().allowed_hosts = default_runtime_allowed_hosts;
+}
+
 void PermissionsData::SetActivePermissions(
     std::unique_ptr<const PermissionSet> active) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
   active_permissions_unsafe_ = std::move(active);
 }
 
 void PermissionsData::UpdateTabSpecificPermissions(
     int tab_id,
     const PermissionSet& permissions) const {
   AutoLockOnValidThread lock(runtime_lock_, thread_checker_.get());
@@ skipping 48 matching lines @@
 URLPatternSet PermissionsData::GetEffectiveHostPermissions() const {
   base::AutoLock auto_lock(runtime_lock_);
   URLPatternSet effective_hosts = active_permissions_unsafe_->effective_hosts();
   for (const auto& val : tab_specific_permissions_)
     effective_hosts.AddPatterns(val.second->effective_hosts());
   return effective_hosts;
 }
 
 bool PermissionsData::HasHostPermission(const GURL& url) const {
   base::AutoLock auto_lock(runtime_lock_);
-  return active_permissions_unsafe_->HasExplicitAccessToOrigin(url);
+  return active_permissions_unsafe_->HasExplicitAccessToOrigin(url) &&
+         !IsRuntimeBlockedHost(url);
 }
 
 bool PermissionsData::HasEffectiveAccessToAllHosts() const {
   base::AutoLock auto_lock(runtime_lock_);
   return active_permissions_unsafe_->HasEffectiveAccessToAllHosts();
 }
 
 PermissionMessages PermissionsData::GetPermissionMessages() const {
   base::AutoLock auto_lock(runtime_lock_);
   return PermissionMessageProvider::Get()->GetPermissionMessages(
@@ skipping 98 matching lines @@
   if (tab_id >= 0) {
     const PermissionSet* tab_permissions = GetTabSpecificPermissions(tab_id);
     if (tab_permissions &&
         tab_permissions->explicit_hosts().MatchesSecurityOrigin(url)) {
       return true;
     }
   }
   return false;
 }
 
+bool PermissionsData::IsRuntimeBlockedHost(const GURL& url) const {
+  return policy_blocked_hosts().MatchesURL(url) &&
+         !policy_allowed_hosts().MatchesURL(url);
+}
+
 PermissionsData::AccessType PermissionsData::CanRunOnPage(
     const Extension* extension,
     const GURL& document_url,
     int tab_id,
     const URLPatternSet& permitted_url_patterns,
     const URLPatternSet& withheld_url_patterns,
     std::string* error) const {
   runtime_lock_.AssertAcquired();
   if (g_policy_delegate &&
       !g_policy_delegate->CanExecuteScriptOnPage(extension, document_url,
-                                                 tab_id, error)) {
+                                                 tab_id, error))
+    return ACCESS_DENIED;
+
+  if (IsRuntimeBlockedHost(document_url)) {
+    if (error)
+      *error =
+          "This page cannot be scripted due to an ExtensionsSettings policy.";
     return ACCESS_DENIED;
   }
 
   if (IsRestrictedUrl(document_url, extension, error))
     return ACCESS_DENIED;
 
   if (HasTabSpecificPermissionToExecuteScript(tab_id, document_url))
     return ACCESS_ALLOWED;
 
   if (permitted_url_patterns.MatchesURL(document_url))
     return ACCESS_ALLOWED;
 
   if (withheld_url_patterns.MatchesURL(document_url))
     return ACCESS_WITHHELD;
 
   if (error) {
     if (extension->permissions_data()->active_permissions().HasAPIPermission(
             APIPermission::kTab)) {
       *error = ErrorUtils::FormatErrorMessage(
           manifest_errors::kCannotAccessPageWithUrl, document_url.spec());
     } else {
       *error = manifest_errors::kCannotAccessPage;
     }
   }
 
   return ACCESS_DENIED;
 }
 
 }  // namespace extensions