| OLD | NEW |
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "chrome/browser/extensions/permissions_updater.h" | 5 #include "chrome/browser/extensions/permissions_updater.h" |
| 6 | 6 |
| 7 #include <utility> | 7 #include <utility> |
| 8 | 8 |
| 9 #include "base/files/file_path.h" | 9 #include "base/files/file_path.h" |
| 10 #include "base/json/json_file_value_serializer.h" | 10 #include "base/json/json_file_value_serializer.h" |
| (...skipping 233 matching lines...) |
| 244 }; | 244 }; |
| 245 | 245 |
| 246 auto url_permission_set = [](const GURL& url) { | 246 auto url_permission_set = [](const GURL& url) { |
| 247 URLPatternSet set; | 247 URLPatternSet set; |
| 248 URLPattern pattern(URLPattern::SCHEME_ALL, url.spec()); | 248 URLPattern pattern(URLPattern::SCHEME_ALL, url.spec()); |
| 249 set.AddPattern(pattern); | 249 set.AddPattern(pattern); |
| 250 return base::MakeUnique<PermissionSet>( | 250 return base::MakeUnique<PermissionSet>( |
| 251 APIPermissionSet(), ManifestPermissionSet(), set, URLPatternSet()); | 251 APIPermissionSet(), ManifestPermissionSet(), set, URLPatternSet()); |
| 252 }; | 252 }; |
| 253 | 253 |
| 254 auto can_access_page = []( |
| 255 scoped_refptr<const extensions::Extension> extension, |
| 256 const GURL& document_url) -> bool { |
| 257 PermissionsData::AccessType access = |
| 258 extension.get()->permissions_data()->GetPageAccess( |
| 259 extension.get(), document_url, -1, nullptr); |
| 260 return access == PermissionsData::ACCESS_ALLOWED; |
| 261 }; |
| 262 |
| 254 { | 263 { |
| 255 // Test revoking optional permissions. | 264 // Test revoking optional permissions. |
| 256 ListBuilder optional_permissions; | 265 ListBuilder optional_permissions; |
| 257 optional_permissions.Append("tabs").Append("cookies").Append("management"); | 266 optional_permissions.Append("tabs").Append("cookies").Append("management"); |
| 258 ListBuilder required_permissions; | 267 ListBuilder required_permissions; |
| 259 required_permissions.Append("topSites"); | 268 required_permissions.Append("topSites"); |
| 260 scoped_refptr<const Extension> extension = | 269 scoped_refptr<const Extension> extension = |
| 261 CreateExtensionWithOptionalPermissions(optional_permissions.Build(), | 270 CreateExtensionWithOptionalPermissions(optional_permissions.Build(), |
| 262 required_permissions.Build(), | 271 required_permissions.Build(), |
| 263 "My Extension"); | 272 "My Extension"); |
| (...skipping 55 matching lines...) |
| 319 scoped_refptr<const Extension> extension = | 328 scoped_refptr<const Extension> extension = |
| 320 CreateExtensionWithOptionalPermissions(optional_permissions.Build(), | 329 CreateExtensionWithOptionalPermissions(optional_permissions.Build(), |
| 321 required_permissions.Build(), | 330 required_permissions.Build(), |
| 322 "My Extension"); | 331 "My Extension"); |
| 323 PermissionsUpdater updater(profile()); | 332 PermissionsUpdater updater(profile()); |
| 324 updater.InitializePermissions(extension.get()); | 333 updater.InitializePermissions(extension.get()); |
| 325 | 334 |
| 326 // By default, all-hosts was withheld, so the extension shouldn't have | 335 // By default, all-hosts was withheld, so the extension shouldn't have |
| 327 // access to any site (like foo.com). | 336 // access to any site (like foo.com). |
| 328 const GURL kOrigin("http://foo.com"); | 337 const GURL kOrigin("http://foo.com"); |
| 338 |
| 329 EXPECT_FALSE(extension->permissions_data() | 339 EXPECT_FALSE(extension->permissions_data() |
| 330 ->active_permissions() | 340 ->active_permissions() |
| 331 .HasExplicitAccessToOrigin(kOrigin)); | 341 .HasExplicitAccessToOrigin(kOrigin)); |
| 332 EXPECT_TRUE(extension->permissions_data() | 342 EXPECT_TRUE(extension->permissions_data() |
| 333 ->withheld_permissions() | 343 ->withheld_permissions() |
| 334 .HasExplicitAccessToOrigin(kOrigin)); | 344 .HasExplicitAccessToOrigin(kOrigin)); |
| 335 | 345 |
| 336 const GURL kRequiredOrigin("http://www.google.com/"); | 346 const GURL kRequiredOrigin("http://www.google.com/"); |
| 337 EXPECT_TRUE(extension->permissions_data() | 347 EXPECT_TRUE(extension->permissions_data() |
| 338 ->active_permissions() | 348 ->active_permissions() |
| (...skipping 15 matching lines...) |
| 354 updater.RemovePermissions(extension.get(), *url_permission_set(kOrigin), | 364 updater.RemovePermissions(extension.get(), *url_permission_set(kOrigin), |
| 355 PermissionsUpdater::REMOVE_HARD); | 365 PermissionsUpdater::REMOVE_HARD); |
| 356 EXPECT_FALSE(extension->permissions_data() | 366 EXPECT_FALSE(extension->permissions_data() |
| 357 ->active_permissions() | 367 ->active_permissions() |
| 358 .HasExplicitAccessToOrigin(kOrigin)); | 368 .HasExplicitAccessToOrigin(kOrigin)); |
| 359 EXPECT_TRUE(extension->permissions_data() | 369 EXPECT_TRUE(extension->permissions_data() |
| 360 ->withheld_permissions() | 370 ->withheld_permissions() |
| 361 .HasExplicitAccessToOrigin(kOrigin)); | 371 .HasExplicitAccessToOrigin(kOrigin)); |
| 362 EXPECT_TRUE(updater.GetRevokablePermissions(extension.get())->IsEmpty()); | 372 EXPECT_TRUE(updater.GetRevokablePermissions(extension.get())->IsEmpty()); |
| 363 } | 373 } |
| 374 |
| 375 { |
| 376 // Make sure policy restriction updates update permission data. |
| 377 URLPatternSet default_policy_blocked_hosts; |
| 378 URLPatternSet default_policy_allowed_hosts; |
| 379 URLPatternSet policy_blocked_hosts; |
| 380 URLPatternSet policy_allowed_hosts; |
| 381 ListBuilder optional_permissions; |
| 382 ListBuilder required_permissions; |
| 383 required_permissions.Append("tabs").Append("http://*/*"); |
| 384 scoped_refptr<const Extension> extension = |
| 385 CreateExtensionWithOptionalPermissions(optional_permissions.Build(), |
| 386 required_permissions.Build(), |
| 387 "ExtensionSettings"); |
| 388 AddPattern(&default_policy_blocked_hosts, "http://*.google.com/*"); |
| 389 PermissionsUpdater updater(profile()); |
| 390 updater.InitializePermissions(extension.get()); |
| 391 extension->permissions_data()->SetDefaultPolicyHostRestrictions( |
| 392 default_policy_blocked_hosts, default_policy_allowed_hosts); |
| 393 |
| 394 // By default, all subdomains of google.com should be blocked. |
| 395 const GURL kOrigin("http://foo.com"); |
| 396 const GURL kGoogle("http://www.google.com"); |
| 397 const GURL kExampleGoogle("http://example.google.com"); |
| 398 EXPECT_TRUE( |
| 399 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 400 EXPECT_TRUE(can_access_page(extension, kOrigin)); |
| 401 EXPECT_FALSE(can_access_page(extension, kGoogle)); |
| 402 EXPECT_FALSE(can_access_page(extension, kExampleGoogle)); |
| 403 |
| 404 AddPattern(&default_policy_allowed_hosts, "http://example.google.com/*"); |
| 405 // Give the extension access to example.google.com. Now the |
| 406 // example.google.com should not be a runtime blocked host. |
| 407 updater.SetDefaultPolicyHostRestrictions(default_policy_blocked_hosts, |
| 408 default_policy_allowed_hosts); |
| 409 |
| 410 EXPECT_TRUE( |
| 411 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 412 EXPECT_TRUE(can_access_page(extension, kOrigin)); |
| 413 EXPECT_FALSE(can_access_page(extension, kGoogle)); |
| 414 EXPECT_TRUE(can_access_page(extension, kExampleGoogle)); |
| 415 |
| 416 // Revoke extension access to foo.com. Now, foo.com should be a runtime |
| 417 // blocked host. |
| 418 AddPattern(&default_policy_blocked_hosts, "*://*.foo.com/"); |
| 419 updater.SetDefaultPolicyHostRestrictions(default_policy_blocked_hosts, |
| 420 default_policy_allowed_hosts); |
| 421 EXPECT_TRUE( |
| 422 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 423 EXPECT_FALSE(can_access_page(extension, kOrigin)); |
| 424 EXPECT_FALSE(can_access_page(extension, kGoogle)); |
| 425 EXPECT_TRUE(can_access_page(extension, kExampleGoogle)); |
| 426 |
| 427 // Remove foo.com from blocked hosts. The extension should no longer have |
| 428 // be a runtime blocked host. |
| 429 default_policy_blocked_hosts.ClearPatterns(); |
| 430 AddPattern(&default_policy_blocked_hosts, "*://*.foo.com/"); |
| 431 updater.SetDefaultPolicyHostRestrictions(default_policy_blocked_hosts, |
| 432 default_policy_allowed_hosts); |
| 433 EXPECT_TRUE( |
| 434 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 435 EXPECT_FALSE(can_access_page(extension, kOrigin)); |
| 436 EXPECT_TRUE(can_access_page(extension, kGoogle)); |
| 437 EXPECT_TRUE(can_access_page(extension, kExampleGoogle)); |
| 438 |
| 439 // Set an empty individual policy, should not affect default policy. |
| 440 updater.SetPolicyHostRestrictions(extension.get(), policy_blocked_hosts, |
| 441 policy_allowed_hosts); |
| 442 EXPECT_FALSE( |
| 443 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 444 EXPECT_TRUE(can_access_page(extension, kOrigin)); |
| 445 EXPECT_TRUE(can_access_page(extension, kGoogle)); |
| 446 EXPECT_TRUE(can_access_page(extension, kExampleGoogle)); |
| 447 |
| 448 // Block google.com for the Individual scope. |
| 449 // Whitelist example.google.com for the Indiviaul scope. |
| 450 // Leave google.com and example.google.com off both the whitelist and |
| 451 // blacklist for Default scope. |
| 452 AddPattern(&policy_blocked_hosts, "*://*.google.com/*"); |
| 453 AddPattern(&policy_allowed_hosts, "*://example.google.com/*"); |
| 454 updater.SetPolicyHostRestrictions(extension.get(), policy_blocked_hosts, |
| 455 policy_allowed_hosts); |
| 456 EXPECT_FALSE( |
| 457 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 458 EXPECT_TRUE(can_access_page(extension, kOrigin)); |
| 459 EXPECT_FALSE(can_access_page(extension, kGoogle)); |
| 460 EXPECT_TRUE(can_access_page(extension, kExampleGoogle)); |
| 461 |
| 462 // Switch back to default scope for extension. |
| 463 updater.SetUsesDefaultHostRestrictions(extension.get()); |
| 464 EXPECT_TRUE( |
| 465 extension->permissions_data()->UsesDefaultPolicyHostRestrictions()); |
| 466 default_policy_blocked_hosts.ClearPatterns(); |
| 467 default_policy_allowed_hosts.ClearPatterns(); |
| 468 updater.SetDefaultPolicyHostRestrictions(default_policy_blocked_hosts, |
| 469 default_policy_allowed_hosts); |
| 470 } |
| 471 |
| 364 } | 472 } |
| 365 | |
| 366 } // namespace extensions | 473 } // namespace extensions |
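Review bot: The comment at new lines 427-428 says foo.com is removed from the blocked hosts, but the code under it clears the set and re-adds `*://*.foo.com/`, and the assertions that follow expect foo.com to stay blocked and www.google.com to become reachable. The comment should describe what is exercised, for example `// Drop google.com from the blocked hosts but keep foo.com; google.com should no longer be a runtime blocked host.` The comment at new line 449 also misspells "Individual" as "Indiviaul". Separately, every blocked-host assertion in this block uses an http URL at the root path, and `*://*.foo.com/` carries the path `/` where the other patterns use `/*`. If scheme or path take part in the match (not visible from this page), an https case and a non-root URL case would show that the policy block is not limited to the exact URLs tested.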
| OLD | NEW |