Create withheld permissions

extensions/common/permissions/permissions_data.h

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
 #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
 
 #include <map>
 #include <string>
 #include <vector>
@@ skipping 17 matching lines @@
 class URLPatternSet;
 class UserScript;
 
 // A container for the active permissions of an extension.
 // TODO(rdevlin.cronin): For the love of everything good, rename this class to
 // ActivePermissions. We do *not* need PermissionsParser, PermissionSet,
 // PermissionInfo, and PermissionsData. No one will be able to keep them
 // straight.
 class PermissionsData {
  public:
+  // The possible types of access for a given frame.
+  enum AccessType {
+    ACCESS_DENIED,   // The extension is not allowed to access the given page.
+    ACCESS_ALLOWED,  // The extension is allowed to access the given page.
+    ACCESS_WITHHELD  // The browser must determine if the extension can access
+                     // the given page.
+  };
+
   // Delegate class to allow different contexts (e.g. browser vs renderer) to
   // have control over policy decisions.
   class PolicyDelegate {
    public:
     virtual ~PolicyDelegate() {}
 
     // Returns false if script access should be blocked on this page.
     // Otherwise, default policy should decide.
     virtual bool CanExecuteScriptOnPage(const Extension* extension,
                                         const GURL& document_url,
@@ skipping 21 matching lines @@
   static bool CanExecuteScriptEverywhere(const Extension* extension);
 
   // Returns true if the given |url| is restricted for the given |extension|,
   // as is commonly the case for chrome:// urls.
   // NOTE: You probably want to use CanAccessPage().
   static bool IsRestrictedUrl(const GURL& document_url,
                               const GURL& top_frame_url,
                               const Extension* extension,
                               std::string* error);
 
-  // Sets the runtime permissions of the given |extension| to |permissions|.
-  void SetActivePermissions(const PermissionSet* active) const;
+  // Sets the runtime permissions of the given |extension| to |active| and
+  // |withheld|.
+  void SetPermissions(const PermissionSet* active,
+                      const PermissionSet* withheld) const;

[not at google - send to devlin, 2014/07/01 00:28:36]

hm these should be const scoped_refptr<>&s

[Devlin, 2014/07/01 16:27:05]

The reason I didn't before was because if you const & it, you can't do something
like:

data->SetPermissions(new PermissionSet(...), new PermissionSet(...));

Which is not an uncommon pattern.  Tentatively done with this function, but is
there a reason we want to restrict ourselves from that?

[not at google - send to devlin, 2014/07/01 17:02:11]

yes, leaving objects with refcounts of 0 is asking for trouble. e.g. what if you
have the case:

void foo(PermissionSet* set) {
  isSomething(set);
  set->whatever();
}

void isSomething(scoped_refptr<PermissionSet> set) {  // or const
scoped_refptr<>&
  set->thing();
}

then innocently set->whatever() will break. it's just always safer to pass
refcounted objects around as scoped_refptrs. unless you're really sure it's
owned somewhere else (like Extension, I suppose).

note that we have the make_scoped_refptr(..) macro to make SetPermissions(..)
easier.

[Devlin, 2014/07/01 18:34:08]

Yeah, I wasn't saying these shouldn't be refptrs - that was my bad.  I was just
saying I'm not sure they should be const refptr&s.  :)  Anyway, done.

 
   // Updates the tab-specific permissions of |tab_id| to include those from
   // |permissions|.
   void UpdateTabSpecificPermissions(
       int tab_id,
       scoped_refptr<const PermissionSet> permissions) const;

[not at google - send to devlin, 2014/07/01 00:28:36]

and this should be const& as well.

[Devlin, 2014/07/01 16:27:05]

Breaks stuff (see above).

 
   // Clears the tab-specific permissions of |tab_id|.
   void ClearTabSpecificPermissions(int tab_id) const;
 
   // Returns true if the |extension| has the given |permission|. Prefer
   // IsExtensionWithPermissionOrSuggestInConsole when developers may be using an
   // api that requires a permission they didn't know about, e.g. open web apis.
   // Note this does not include APIs with no corresponding permission, like
   // "runtime" or "browserAction".
   // TODO(mpcomplete): drop the "API" from these names, it's confusing.
@@ skipping 28 matching lines @@
   PermissionMessages GetPermissionMessages() const;
 
   // Returns the full list of permission messages that should display at install
   // time as strings.
   std::vector<base::string16> GetPermissionMessageStrings() const;
 
   // Returns the full list of permission details for messages that should
   // display at install time as strings.
   std::vector<base::string16> GetPermissionMessageDetailsStrings() const;
 
+  // Returns true if the extension has requested all-hosts permissions (or
+  // something close to it), but has had it withheld.
+  bool HasWithheldAllHosts() const;
+
   // Returns true if the |extension| has permission to access and interact with
   // the specified page, in order to do things like inject scripts or modify
   // the content.
   // If this returns false and |error| is non-NULL, |error| will be popualted
   // with the reason the extension cannot access the page.
   bool CanAccessPage(const Extension* extension,
                      const GURL& document_url,
                      const GURL& top_document_url,
                      int tab_id,
                      int process_id,
                      std::string* error) const;
+  // Like CanAccessPage, but also takes withheld permissions into account.
+  // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
+  // know how to wait for permission.
+  AccessType GetPageAccess(const Extension* extension,
+                           const GURL& document_url,
+                           const GURL& top_document_url,
+                           int tab_id,
+                           int process_id,
+                           std::string* error) const;
 
   // Returns true if the |extension| has permission to inject a content script
   // on the page.
   // If this returns false and |error| is non-NULL, |error| will be popualted
   // with the reason the extension cannot script the page.
   // NOTE: You almost certainly want to use CanAccessPage() instead of this
   // method.
   bool CanRunContentScriptOnPage(const Extension* extension,
                                  const GURL& document_url,
                                  const GURL& top_document_url,
                                  int tab_id,
                                  int process_id,
                                  std::string* error) const;
+  // Like CanRunContentScriptOnPage, but also takes withheld permissions into
+  // account.
+  // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
+  // know how to wait for permission.
+  AccessType GetContentScriptAccess(const Extension* extension,
+                                    const GURL& document_url,
+                                    const GURL& top_document_url,
+                                    int tab_id,
+                                    int process_id,
+                                    std::string* error) const;
 
   // Returns true if extension is allowed to obtain the contents of a page as
   // an image. Since a page may contain sensitive information, this is
   // restricted to the extension's host permissions as well as the extension
   // page itself.
   bool CanCaptureVisiblePage(int tab_id, std::string* error) const;
 
-  // Returns true if the user should be alerted that the |extension| is running
-  // a script. If |tab_id| and |url| are included, this also considers tab-
-  // specific permissions.
-  bool RequiresActionForScriptExecution(const Extension* extension) const;
-  bool RequiresActionForScriptExecution(const Extension* extension,
-                                        int tab_id,
-                                        const GURL& url) const;
-
   scoped_refptr<const PermissionSet> active_permissions() const {
     base::AutoLock auto_lock(runtime_lock_);
     return active_permissions_unsafe_;
   }
 
+  scoped_refptr<const PermissionSet> withheld_permissions() const {
+    base::AutoLock auto_lock(runtime_lock_);
+    return withheld_permissions_unsafe_;
+  }
+
 #if defined(UNIT_TEST)
   scoped_refptr<const PermissionSet> GetTabSpecificPermissionsForTesting(
       int tab_id) const {
     return GetTabSpecificPermissions(tab_id);
   }
 #endif
 
  private:
   typedef std::map<int, scoped_refptr<const PermissionSet> > TabPermissionsMap;
 
   // Gets the tab-specific host permissions of |tab_id|, or NULL if there
   // aren't any.
   scoped_refptr<const PermissionSet> GetTabSpecificPermissions(
       int tab_id) const;
 
   // Returns true if the |extension| has tab-specific permission to operate on
   // the tab specified by |tab_id| with the given |url|.
   // Note that if this returns false, it doesn't mean the extension can't run on
   // the given tab, only that it does not have tab-specific permission to do so.
   bool HasTabSpecificPermissionToExecuteScript(int tab_id,
                                                const GURL& url) const;
 
-  // Returns true if the extension is permitted to run on the given page,
+  // Returns whether or not the extension is permitted to run on the given page,
   // checking against |permitted_url_patterns| in addition to blocking special
   // sites (like the webstore or chrome:// urls).
-  bool CanRunOnPage(const Extension* extension,
-                    const GURL& document_url,
-                    const GURL& top_document_url,
-                    int tab_id,
-                    int process_id,
-                    const URLPatternSet& permitted_url_patterns,
-                    std::string* error) const;
+  AccessType CanRunOnPage(const Extension* extension,
+                          const GURL& document_url,
+                          const GURL& top_document_url,
+                          int tab_id,
+                          int process_id,
+                          const URLPatternSet& permitted_url_patterns,
+                          const URLPatternSet& withheld_url_patterns,
+                          std::string* error) const;
 
   // The associated extension's id.
   std::string extension_id_;
 
   // The associated extension's manifest type.
   Manifest::Type manifest_type_;
 
   mutable base::Lock runtime_lock_;
 
   // The permission's which are currently active on the extension during
   // runtime.
   // Unsafe indicates that we must lock anytime this is directly accessed.
   // Unless you need to change |active_permissions_unsafe_|, use the (safe)
   // active_permissions() accessor.
   mutable scoped_refptr<const PermissionSet> active_permissions_unsafe_;
 
+  // The permissions the extension requested, but was not granted due because
+  // they are too powerful. This includes things like all_hosts.
+  // Unsafe indicates that we must lock anytime this is directly accessed.
+  // Unless you need to change |withheld_permissions_unsafe_|, use the (safe)
+  // withheld_permissions() accessor.
+  mutable scoped_refptr<const PermissionSet> withheld_permissions_unsafe_;
+
   mutable TabPermissionsMap tab_specific_permissions_;
 
   DISALLOW_COPY_AND_ASSIGN(PermissionsData);
 };
 
 }  // namespace extensions
 
 #endif  // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_