Create withheld permissions

extensions/common/permissions/permissions_data.h

Index: extensions/common/permissions/permissions_data.h
diff --git a/extensions/common/permissions/permissions_data.h b/extensions/common/permissions/permissions_data.h
index 9470d586ba8320bfbe1bdddbaf3febbc27f81755..37873340821e513aa01e18287eba7edef9ac38db 100644
--- a/extensions/common/permissions/permissions_data.h
+++ b/extensions/common/permissions/permissions_data.h
@@ -35,6 +35,14 @@ class UserScript;
 // straight.
 class PermissionsData {
  public:
+  // The possible types of access for a given frame.
+  enum AccessType {
+    ACCESS_DENIED,   // The extension is not allowed to access the given page.
+    ACCESS_ALLOWED,  // The extension is allowed to access the given page.
+    ACCESS_WITHHELD  // The browser must determine if the extension can access
+                     // the given page.
+  };
+
   // Delegate class to allow different contexts (e.g. browser vs renderer) to
   // have control over policy decisions.
   class PolicyDelegate {
@@ -76,8 +84,10 @@ class PermissionsData {
                               const Extension* extension,
                               std::string* error);
 
-  // Sets the runtime permissions of the given |extension| to |permissions|.
-  void SetActivePermissions(const PermissionSet* active) const;
+  // Sets the runtime permissions of the given |extension| to |active| and
+  // |withheld|.
+  void SetPermissions(const PermissionSet* active,
+                      const PermissionSet* withheld) const;

[not at google - send to devlin, 2014/07/01 00:28:36]

hm these should be const scoped_refptr<>&s

[Devlin, 2014/07/01 16:27:05]

The reason I didn't before was because if you const & it, you can't do something
like:

data->SetPermissions(new PermissionSet(...), new PermissionSet(...));

Which is not an uncommon pattern.  Tentatively done with this function, but is
there a reason we want to restrict ourselves from that?

[not at google - send to devlin, 2014/07/01 17:02:11]

yes, leaving objects with refcounts of 0 is asking for trouble. e.g. what if you
have the case:

void foo(PermissionSet* set) {
  isSomething(set);
  set->whatever();
}

void isSomething(scoped_refptr<PermissionSet> set) {  // or const
scoped_refptr<>&
  set->thing();
}

then innocently set->whatever() will break. it's just always safer to pass
refcounted objects around as scoped_refptrs. unless you're really sure it's
owned somewhere else (like Extension, I suppose).

note that we have the make_scoped_refptr(..) macro to make SetPermissions(..)
easier.

[Devlin, 2014/07/01 18:34:08]

Yeah, I wasn't saying these shouldn't be refptrs - that was my bad.  I was just
saying I'm not sure they should be const refptr&s.  :)  Anyway, done.

 
   // Updates the tab-specific permissions of |tab_id| to include those from
   // |permissions|.
@@ -132,6 +142,10 @@ class PermissionsData {
   // display at install time as strings.
   std::vector<base::string16> GetPermissionMessageDetailsStrings() const;
 
+  // Returns true if the extension has requested all-hosts permissions (or
+  // something close to it), but has had it withheld.
+  bool HasWithheldAllHosts() const;
+
   // Returns true if the |extension| has permission to access and interact with
   // the specified page, in order to do things like inject scripts or modify
   // the content.
@@ -143,6 +157,15 @@ class PermissionsData {
                      int tab_id,
                      int process_id,
                      std::string* error) const;
+  // Like CanAccessPage, but also takes withheld permissions into account.
+  // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
+  // know how to wait for permission.
+  AccessType GetPageAccess(const Extension* extension,
+                           const GURL& document_url,
+                           const GURL& top_document_url,
+                           int tab_id,
+                           int process_id,
+                           std::string* error) const;
 
   // Returns true if the |extension| has permission to inject a content script
   // on the page.
@@ -156,6 +179,16 @@ class PermissionsData {
                                  int tab_id,
                                  int process_id,
                                  std::string* error) const;
+  // Like CanRunContentScriptOnPage, but also takes withheld permissions into
+  // account.
+  // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
+  // know how to wait for permission.
+  AccessType GetContentScriptAccess(const Extension* extension,
+                                    const GURL& document_url,
+                                    const GURL& top_document_url,
+                                    int tab_id,
+                                    int process_id,
+                                    std::string* error) const;
 
   // Returns true if extension is allowed to obtain the contents of a page as
   // an image. Since a page may contain sensitive information, this is
@@ -163,19 +196,16 @@ class PermissionsData {
   // page itself.
   bool CanCaptureVisiblePage(int tab_id, std::string* error) const;
 
-  // Returns true if the user should be alerted that the |extension| is running
-  // a script. If |tab_id| and |url| are included, this also considers tab-
-  // specific permissions.
-  bool RequiresActionForScriptExecution(const Extension* extension) const;
-  bool RequiresActionForScriptExecution(const Extension* extension,
-                                        int tab_id,
-                                        const GURL& url) const;
-
   scoped_refptr<const PermissionSet> active_permissions() const {
     base::AutoLock auto_lock(runtime_lock_);
     return active_permissions_unsafe_;
   }
 
+  scoped_refptr<const PermissionSet> withheld_permissions() const {
+    base::AutoLock auto_lock(runtime_lock_);
+    return withheld_permissions_unsafe_;
+  }
+
 #if defined(UNIT_TEST)
   scoped_refptr<const PermissionSet> GetTabSpecificPermissionsForTesting(
       int tab_id) const {
@@ -198,16 +228,17 @@ class PermissionsData {
   bool HasTabSpecificPermissionToExecuteScript(int tab_id,
                                                const GURL& url) const;
 
-  // Returns true if the extension is permitted to run on the given page,
+  // Returns whether or not the extension is permitted to run on the given page,
   // checking against |permitted_url_patterns| in addition to blocking special
   // sites (like the webstore or chrome:// urls).
-  bool CanRunOnPage(const Extension* extension,
-                    const GURL& document_url,
-                    const GURL& top_document_url,
-                    int tab_id,
-                    int process_id,
-                    const URLPatternSet& permitted_url_patterns,
-                    std::string* error) const;
+  AccessType CanRunOnPage(const Extension* extension,
+                          const GURL& document_url,
+                          const GURL& top_document_url,
+                          int tab_id,
+                          int process_id,
+                          const URLPatternSet& permitted_url_patterns,
+                          const URLPatternSet& withheld_url_patterns,
+                          std::string* error) const;
 
   // The associated extension's id.
   std::string extension_id_;
@@ -224,6 +255,13 @@ class PermissionsData {
   // active_permissions() accessor.
   mutable scoped_refptr<const PermissionSet> active_permissions_unsafe_;
 
+  // The permissions the extension requested, but was not granted due because
+  // they are too powerful. This includes things like all_hosts.
+  // Unsafe indicates that we must lock anytime this is directly accessed.
+  // Unless you need to change |withheld_permissions_unsafe_|, use the (safe)
+  // withheld_permissions() accessor.
+  mutable scoped_refptr<const PermissionSet> withheld_permissions_unsafe_;
+
   mutable TabPermissionsMap tab_specific_permissions_;
 
   DISALLOW_COPY_AND_ASSIGN(PermissionsData);