Make ActiveScriptController use Active Tab-style permissions

extensions/common/permissions/permissions_data_unittest.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <vector>
 
 #include "base/command_line.h"
 #include "base/memory/ref_counted.h"
 #include "base/strings/string16.h"
 #include "base/strings/utf_string_conversions.h"
 #include "chrome/common/chrome_version_info.h"
 #include "chrome/common/extensions/extension_test_util.h"
 #include "chrome/common/extensions/features/feature_channel.h"
 #include "content/public/common/socket_permission_request.h"
 #include "extensions/common/error_utils.h"
 #include "extensions/common/extension.h"
+#include "extensions/common/extension_builder.h"
 #include "extensions/common/id_util.h"
+#include "extensions/common/manifest.h"
 #include "extensions/common/manifest_constants.h"
 #include "extensions/common/permissions/api_permission.h"
 #include "extensions/common/permissions/permission_set.h"
 #include "extensions/common/permissions/permissions_data.h"
 #include "extensions/common/permissions/socket_permission.h"
 #include "extensions/common/switches.h"
 #include "extensions/common/url_pattern_set.h"
+#include "extensions/common/value_builder.h"
 #include "testing/gtest/include/gtest/gtest.h"
+#include "url/gurl.h"
 
 using base::UTF16ToUTF8;
 using content::SocketPermissionRequest;
 using extension_test_util::LoadManifest;
 using extension_test_util::LoadManifestUnchecked;
 using extension_test_util::LoadManifestStrict;
 
 namespace extensions {
 
 namespace {
 
+const char kAllHostsPermission[] = "*://*/*";
+
 bool CheckSocketPermission(
     scoped_refptr<Extension> extension,
     SocketPermissionRequest::OperationType type,
     const char* host,
     int port) {
   SocketPermission::CheckParam param(type, host, port);
   return PermissionsData::CheckAPIPermissionWithParam(
       extension.get(), APIPermission::kSocket, &param);
 }
 
+// Creates and returns an extension with the given |id|, |host_permissions|, and
+// manifest |location|.
+scoped_refptr<const Extension> GetExtensionWithHostPermission(
+    const std::string& id,
+    const std::string& host_permissions,
+    Manifest::Location location) {
+  ListBuilder permissions;
+  if (!host_permissions.empty())
+    permissions.Append(host_permissions);
+
+  return ExtensionBuilder()
+      .SetManifest(
+          DictionaryBuilder()
+              .Set("name", id)
+              .Set("description", "an extension")
+              .Set("manifest_version", 2)
+              .Set("version", "1.0.0")
+              .Set("permissions", permissions.Pass())
+              .Build())
+      .SetLocation(location)
+      .SetID(id)
+      .Build();
+}
+
+bool RequiresActionForScriptExecution(const std::string& extension_id,
+                                      const std::string& host_permissions,
+                                      Manifest::Location location) {
+  scoped_refptr<const Extension> extension =
+      GetExtensionWithHostPermission(extension_id,
+                                     host_permissions,
+                                     location);
+  return PermissionsData::RequiresActionForScriptExecution(
+      extension,
+      -1,  // Ignore tab id for these.
+      GURL::EmptyGURL());
+}
+
 }  // namespace
 
 TEST(ExtensionPermissionsTest, EffectiveHostPermissions) {
   scoped_refptr<Extension> extension;
   URLPatternSet hosts;
 
   extension = LoadManifest("effective_host_permissions", "empty.json");
   EXPECT_EQ(0u,
             PermissionsData::GetEffectiveHostPermissions(extension.get())
                 .patterns().size());
@@ skipping 89 matching lines @@
         extension, SocketPermissionRequest::UDP_BIND, "", 8888));
 
   EXPECT_FALSE(CheckSocketPermission(
         extension, SocketPermissionRequest::UDP_SEND_TO, "example.com", 1900));
   EXPECT_TRUE(CheckSocketPermission(
         extension,
         SocketPermissionRequest::UDP_SEND_TO,
         "239.255.255.250", 1900));
 }
 
+TEST(ExtensionPermissionsTest, RequiresActionForScriptExecution) {
+  // Extensions with all_hosts should require action.
+  EXPECT_TRUE(RequiresActionForScriptExecution(
+      "all_hosts_permissions", kAllHostsPermission, Manifest::INTERNAL));
+  // Extensions with nearly all hosts are treated the same way.
+  EXPECT_TRUE(RequiresActionForScriptExecution(
+      "pseudo_all_hosts_permissions", "*://*.com/*", Manifest::INTERNAL));
+  // Extensions with explicit permissions shouldn't require action.
+  EXPECT_FALSE(RequiresActionForScriptExecution(
+      "explicit_permissions", "https://www.google.com/*", Manifest::INTERNAL));
+  // Policy extensions are exempt...
+  EXPECT_FALSE(RequiresActionForScriptExecution(
+      "policy", kAllHostsPermission, Manifest::EXTERNAL_POLICY));
+  // ... as are component extensions.
+  EXPECT_FALSE(RequiresActionForScriptExecution(
+      "component", kAllHostsPermission, Manifest::COMPONENT));
+  // Throw in an external pref extension to make sure that it's not just working
+  // for everything non-internal.
+  EXPECT_TRUE(RequiresActionForScriptExecution(
+      "external_pref", kAllHostsPermission, Manifest::EXTERNAL_PREF));
+
+  // If we grant an extension tab permissions, then it should no longer require
+  // action.
+  scoped_refptr<const Extension> extension =
+      GetExtensionWithHostPermission("all_hosts_permissions",
+                                     kAllHostsPermission,
+                                     Manifest::INTERNAL);
+  URLPatternSet allowed_hosts;
+  allowed_hosts.AddPattern(
+      URLPattern(URLPattern::SCHEME_HTTPS, "https://www.google.com/*"));
+  scoped_refptr<PermissionSet> tab_permissions(
+      new PermissionSet(APIPermissionSet(),
+                        ManifestPermissionSet(),
+                        allowed_hosts,
+                        URLPatternSet()));
+  PermissionsData::UpdateTabSpecificPermissions(extension, 0, tab_permissions);
+  EXPECT_FALSE(PermissionsData::RequiresActionForScriptExecution(
+      extension, 0, GURL("https://www.google.com/")));
+}
+
 TEST(ExtensionPermissionsTest, GetPermissionMessages_ManyAPIPermissions) {
   scoped_refptr<Extension> extension;
   extension = LoadManifest("permissions", "many-apis.json");
   std::vector<base::string16> warnings =
       PermissionsData::GetPermissionMessageStrings(extension.get());
   // Warning for "tabs" is suppressed by "history" permission.
   ASSERT_EQ(5u, warnings.size());
   EXPECT_EQ("Access your data on api.flickr.com",
             UTF16ToUTF8(warnings[0]));
   EXPECT_EQ("Read and modify your bookmarks", UTF16ToUTF8(warnings[1]));
@@ skipping 466 matching lines @@
   PermissionsData::ClearTabSpecificPermissions(extension.get(), 1);
   EXPECT_FALSE(PermissionsData::GetTabSpecificPermissions(extension.get(), 1)
                    .get());
 
   EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 0));
   EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 1));
   EXPECT_TRUE(ScriptAllowedExclusivelyOnTab(extension.get(), no_urls, 2));
 }
 
 }  // namespace extensions