Add policy controlled permission block list for extensions

chrome/browser/extensions/extension_management_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <algorithm>
 #include <vector>
 
 #include "base/json/json_parser.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/prefs/pref_registry_simple.h"
 #include "base/prefs/testing_pref_service.h"
 #include "base/values.h"
 #include "chrome/browser/extensions/extension_management.h"
 #include "chrome/browser/extensions/extension_management_internal.h"
 #include "chrome/browser/extensions/extension_management_test_util.h"
 #include "chrome/browser/extensions/external_policy_loader.h"
+#include "chrome/browser/extensions/standard_management_policy_provider.h"
 #include "extensions/browser/pref_names.h"
 #include "extensions/common/manifest.h"
 #include "extensions/common/manifest_constants.h"
+#include "extensions/common/permissions/api_permission.h"
+#include "extensions/common/permissions/permissions_info.h"
 #include "extensions/common/url_pattern.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
 
 namespace extensions {
 
 namespace {
 
 const char kTargetExtension[] = "abcdefghijklmnopabcdefghijklmnop";
 const char kTargetExtension2[] = "bcdefghijklmnopabcdefghijklmnopa";
 const char kTargetExtension3[] = "cdefghijklmnopabcdefghijklmnopab";
 const char kTargetExtension4[] = "defghijklmnopabcdefghijklmnopabc";
 const char kOtherExtension[] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
 const char kExampleUpdateUrl[] = "http://example.com/update_url";
 
 const char kExampleDictPreference[] =
     "{"
     "  \"abcdefghijklmnopabcdefghijklmnop\": {"  // kTargetExtension
     "    \"installation_mode\": \"allowed\","
+    "    \"blocked_permissions\": [\"fileSystem\", \"bookmarks\"],"
     "  },"
     "  \"bcdefghijklmnopabcdefghijklmnopa\": {"  // kTargetExtension2
     "    \"installation_mode\": \"force_installed\","
     "    \"update_url\": \"http://example.com/update_url\","
+    "    \"allowed_permissions\": [\"fileSystem\", \"bookmarks\"],"
     "  },"
     "  \"cdefghijklmnopabcdefghijklmnopab\": {"  // kTargetExtension3
     "    \"installation_mode\": \"normal_installed\","
     "    \"update_url\": \"http://example.com/update_url\","
+    "    \"allowed_permissions\": [\"fileSystem\", \"downloads\"],"
+    "    \"blocked_permissions\": [\"fileSystem\", \"history\"],"
     "  },"
     "  \"defghijklmnopabcdefghijklmnopabc\": {"  // kTargetExtension4
     "    \"installation_mode\": \"blocked\","
     "  },"
     "  \"*\": {"
     "    \"installation_mode\": \"blocked\","
     "    \"install_sources\": [\"*://foo.com/*\"],"
     "    \"allowed_types\": [\"theme\", \"user_script\"],"
+    "    \"blocked_permissions\": [\"fileSystem\", \"downloads\"],"
     "  },"
     "}";
 
 }  // namespace
 
 class ExtensionManagementServiceTest : public testing::Test {
  public:
   typedef ExtensionManagementPrefUpdater<TestingPrefServiceSimple> PrefUpdater;
 
   ExtensionManagementServiceTest() {}
@@ skipping 56 matching lines @@
  protected:
   scoped_ptr<TestingPrefServiceSimple> pref_service_;
   scoped_ptr<ExtensionManagement> extension_management_;
 };
 
 class ExtensionAdminPolicyTest : public ExtensionManagementServiceTest {
  public:
   ExtensionAdminPolicyTest() {}
   virtual ~ExtensionAdminPolicyTest() {}
 
+  void SetUpPolicyProvider() {
+    provider_.reset(
+        new StandardManagementPolicyProvider(extension_management_.get()));
+  }
+
   void CreateExtension(Manifest::Location location) {
     base::DictionaryValue values;
     CreateExtensionFromValues(location, &values);
   }
 
   void CreateHostedApp(Manifest::Location location) {
     base::DictionaryValue values;
     values.Set(extensions::manifest_keys::kWebURLs, new base::ListValue());
     values.SetString(extensions::manifest_keys::kLaunchWebURL,
                      "http://www.example.com");
@@ skipping 15 matching lines @@
   bool UserMayLoad(const base::ListValue* blacklist,
                    const base::ListValue* whitelist,
                    const base::DictionaryValue* forcelist,
                    const base::ListValue* allowed_types,
                    const Extension* extension,
                    base::string16* error);
   bool UserMayModifySettings(const Extension* extension, base::string16* error);
   bool MustRemainEnabled(const Extension* extension, base::string16* error);
 
  protected:
+  scoped_ptr<StandardManagementPolicyProvider> provider_;
   scoped_refptr<Extension> extension_;
 };
 
 bool ExtensionAdminPolicyTest::BlacklistedByDefault(
     const base::ListValue* blacklist) {
-  InitPrefService();
+  SetUpPolicyProvider();
   if (blacklist)
     SetPref(true, pref_names::kInstallDenyList, blacklist->DeepCopy());
   return extension_management_->BlacklistedByDefault();
 }
 
 bool ExtensionAdminPolicyTest::UserMayLoad(
     const base::ListValue* blacklist,
     const base::ListValue* whitelist,
     const base::DictionaryValue* forcelist,
     const base::ListValue* allowed_types,
     const Extension* extension,
     base::string16* error) {
-  InitPrefService();
+  SetUpPolicyProvider();
   if (blacklist)
     SetPref(true, pref_names::kInstallDenyList, blacklist->DeepCopy());
   if (whitelist)
     SetPref(true, pref_names::kInstallAllowList, whitelist->DeepCopy());
   if (forcelist)
     SetPref(true, pref_names::kInstallForceList, forcelist->DeepCopy());
   if (allowed_types)
     SetPref(true, pref_names::kAllowedTypes, allowed_types->DeepCopy());
-  return extension_management_->GetProvider()->UserMayLoad(extension, error);
+  return provider_->UserMayLoad(extension, error);
 }
 
 bool ExtensionAdminPolicyTest::UserMayModifySettings(const Extension* extension,
                                                      base::string16* error) {
-  InitPrefService();
-  return extension_management_->GetProvider()->UserMayModifySettings(extension,
-                                                                     error);
+  SetUpPolicyProvider();
+  return provider_->UserMayModifySettings(extension, error);
 }
 
 bool ExtensionAdminPolicyTest::MustRemainEnabled(const Extension* extension,
                                                  base::string16* error) {
-  InitPrefService();
-  return extension_management_->GetProvider()->MustRemainEnabled(extension,
-                                                                 error);
+  SetUpPolicyProvider();
+  return provider_->MustRemainEnabled(extension, error);
 }
 
 // Verify that preference controlled by legacy ExtensionInstallSources policy is
 // handled well.
 TEST_F(ExtensionManagementServiceTest, LegacyInstallSources) {
   base::ListValue allowed_sites_pref;
   allowed_sites_pref.AppendString("https://www.example.com/foo");
   allowed_sites_pref.AppendString("https://corp.mycompany.com/*");
   SetPref(
       true, pref_names::kAllowedInstallSites, allowed_sites_pref.DeepCopy());
@@ skipping 114 matching lines @@
   EXPECT_TRUE(ReadGlobalSettings()->has_restricted_allowed_types);
   const std::vector<Manifest::Type>& allowed_types =
       ReadGlobalSettings()->allowed_types;
   EXPECT_EQ(allowed_types.size(), 2u);
   EXPECT_TRUE(std::find(allowed_types.begin(),
                         allowed_types.end(),
                         Manifest::TYPE_THEME) != allowed_types.end());
   EXPECT_TRUE(std::find(allowed_types.begin(),
                         allowed_types.end(),
                         Manifest::TYPE_USER_SCRIPT) != allowed_types.end());
+
+  // Verifies blocked permission list settings.
+  APIPermissionSet api_permission_set;
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kFileSystem);
+  api_permission_set.insert(APIPermission::kDownloads);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kOtherExtension));
+
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kFileSystem);
+  api_permission_set.insert(APIPermission::kDownloads);
+  api_permission_set.insert(APIPermission::kBookmark);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kTargetExtension));
+
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kDownloads);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kTargetExtension2));
+
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kFileSystem);
+  api_permission_set.insert(APIPermission::kHistory);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kTargetExtension3));
 }
 
 // Tests functionality of new preference as to deprecate legacy
 // ExtensionInstallSources policy.
 TEST_F(ExtensionManagementServiceTest, NewInstallSources) {
   // Set the legacy preference, and verifies that it works.
   base::ListValue allowed_sites_pref;
   allowed_sites_pref.AppendString("https://www.example.com/foo");
   SetPref(
       true, pref_names::kAllowedInstallSites, allowed_sites_pref.DeepCopy());
@@ skipping 326 matching lines @@
   EXPECT_FALSE(error.empty());
 
   CreateExtension(Manifest::INTERNAL);
   error.clear();
   EXPECT_FALSE(MustRemainEnabled(extension_.get(), NULL));
   EXPECT_FALSE(MustRemainEnabled(extension_.get(), &error));
   EXPECT_TRUE(error.empty());
 }
 
 }  // namespace extensions