Public Sessions - prompt the user for audioCapture/videoCapture requests

chrome/browser/media/public_session_media_access_handler.h

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef CHROME_BROWSER_MEDIA_PUBLIC_SESSION_MEDIA_ACCESS_HANDLER_H_
+#define CHROME_BROWSER_MEDIA_PUBLIC_SESSION_MEDIA_ACCESS_HANDLER_H_
+
+#include "chrome/browser/extensions/extension_install_prompt.h"
+#include "chrome/browser/media/extension_media_access_handler.h"
+#include "content/public/common/media_stream_request.h"
+#include "extensions/common/extension_id.h"
+
+// MediaAccessHandler for extension capturing requests in Public Sessions. This
+// class is implemented as a wrapper around ExtensionMediaAccessHandler. It
+// allows for finer access control to audioCapture/videoCapture manifest
+// permission features inside of Public Sessions.
+//
+// In Public Sessions extensions are installed by admin policy hence they can
+// freely use the camera and microphone without the user knowing. This is not
+// acceptable from a security/privacy standpoint so we show the user a dialog
+// where they can choose whether to allow the extension access to camera and/or
+// microphone. Note: camera and microphone are used through audioCapture and
+// videoCapture manifest permissions which are limited to platform apps only.
+class PublicSessionMediaAccessHandler : public ExtensionMediaAccessHandler {

[Sergey Ulanov, 2016/12/02 20:29:47]

When I suggested to make PublicSessionMediaAccessHandler a wrapper for
ExtensionMediaAccessHandler I meant that it should encapsulate it, not inherit
from it. Style guide says: "Composition is often more appropriate than
inheritance." and I think it's applicable here. It would make this code less
error prone, e.g. when MediaAccessHandler interface is updated.

[Ivan Šandrk, 2016/12/05 13:10:51]

Done. I hope that's what you had in mind.

+ public:
+  explicit PublicSessionMediaAccessHandler();

[Devlin, 2016/12/02 20:40:28]

no need for explicit except in single-parameter ctors.

[Ivan Šandrk, 2016/12/05 13:10:51]

Done.

+  ~PublicSessionMediaAccessHandler() override;
+
+  // MediaAccessHandler implementation.
+  bool SupportsStreamType(const content::MediaStreamType type,
+                          const extensions::Extension* extension) override;
+  bool CheckMediaAccessPermission(
+      content::WebContents* web_contents,
+      const GURL& security_origin,
+      content::MediaStreamType type,
+      const extensions::Extension* extension) override;
+  void HandleRequest(content::WebContents* web_contents,
+                     const content::MediaStreamRequest& request,
+                     const content::MediaResponseCallback& callback,
+                     const extensions::Extension* extension) override;
+
+ private:
+  // Helper function used to chain the HandleRequest call into the original
+  // inside of ExtensionMediaAccessHandler.
+  void ChainHandleRequest(content::WebContents* web_contents,
+                          const content::MediaStreamRequest& request,
+                          const content::MediaResponseCallback& callback,
+                          const extensions::Extension* extension);
+
+  // Function used to resolve user decision regarding allowing audio/video.
+  void ResolvePermissionPrompt(
+      content::WebContents* web_contents,
+      const content::MediaStreamRequest& request,
+      const content::MediaResponseCallback& callback,
+      const extensions::Extension* extension,
+      const std::unique_ptr<ExtensionInstallPrompt>& prompt,
+      ExtensionInstallPrompt::Result prompt_result);
+
+  // Class used to cache user choice regarding allowing audio/video capture.
+  class UserChoice {
+   public:
+    // Helper function for checking if audio/video is allowed by user choice.
+    bool IsAllowed(content::MediaStreamType type) const;
+    // Helper function which returns true if audio/video wasn't prompted yet.
+    bool NeedsPrompting(content::MediaStreamType type) const;
+    void Set(content::MediaStreamType type, bool allowed);
+
+   private:
+    bool audio_prompted_ = false;
+    bool audio_allowed_ = false;
+    bool video_prompted_ = false;
+    bool video_allowed_ = false;
+  };
+
+  std::map<extensions::ExtensionId, UserChoice> user_choice_cache_;

[Sergey Ulanov, 2016/12/02 20:29:47]

I'm not very familiar with public sessions. Is it possible for one user to log
off and another one to log in there? Do we need to reset user_choice_cache_ in
that case?

[Devlin, 2016/12/02 20:40:28]

DISALLOW_COPY_AND_ASSIGN()

[Andrew T Wilson (Slow), 2016/12/04 19:57:01]

The profile is destroyed across sessions (the browser process itself also, I
believe?) so I think we're good.

[Ivan Šandrk, 2016/12/05 13:10:51]

Done.

[Ivan Šandrk, 2016/12/05 13:10:51]

Yes it's possible, and yes it needs resetting. I was told by one person that
this place *should* be reset automatically after user logs out, that no data is
kept between sessions in memory, but that may not be correct. I was testing this
so far only using a local chrome_os=1 build which dies after a logout for some
reason, I need to do a test on an actual device.

+};
+
+#endif  // CHROME_BROWSER_MEDIA_PUBLIC_SESSION_MEDIA_ACCESS_HANDLER_H_