Add policy controlled permission block list for extensions

chrome/browser/extensions/api/permissions/permissions_api.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/api/permissions/permissions_api.h"
 
 #include "base/memory/scoped_ptr.h"
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/extensions/api/permissions/permissions_api_helpers.h"
+#include "chrome/browser/extensions/extension_management.h"
 #include "chrome/browser/extensions/permissions_updater.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/common/extensions/api/permissions.h"
 #include "extensions/browser/extension_prefs.h"
 #include "extensions/common/error_utils.h"
 #include "extensions/common/extension.h"
 #include "extensions/common/manifest_handlers/permissions_parser.h"
 #include "extensions/common/permissions/permission_message_provider.h"
 #include "extensions/common/permissions/permissions_data.h"
 #include "extensions/common/permissions/permissions_info.h"
 
 namespace extensions {
 
 using api::permissions::Permissions;
 
 namespace Contains = api::permissions::Contains;
 namespace GetAll = api::permissions::GetAll;
 namespace Remove = api::permissions::Remove;
 namespace Request  = api::permissions::Request;
 namespace helpers = permissions_api_helpers;
 
 namespace {
 
+const char kBlockedByEnterprisePolicy[] =
+    "Permissions are blocked by enterprise policy.";
 const char kCantRemoveRequiredPermissionsError[] =
     "You cannot remove required permissions.";
 const char kNotInOptionalPermissionsError[] =
     "Optional permissions must be listed in extension manifest.";
 const char kNotWhitelistedError[] =
     "The optional permissions API does not support '*'.";
 const char kUserGestureRequiredError[] =
     "This function must be called during a user gesture";
 
 enum AutoConfirmForTest {
@@ skipping 130 matching lines @@
     }
   }
 
   // The requested permissions must be defined as optional in the manifest.
   if (!PermissionsParser::GetOptionalPermissions(extension())
            ->Contains(*requested_permissions_.get())) {
     error_ = kNotInOptionalPermissionsError;
     return false;
   }
 
+  // Automatically declines api permissions requests, which are blocked by
+  // enterprise policy.
+  if (!ExtensionManagementFactory::GetForBrowserContext(GetProfile())
+           ->IsPermissionSetAllowed(extension()->id(),
+                                    requested_permissions_)) {
+    error_ = kBlockedByEnterprisePolicy;
+    return false;
+  }
+
   // We don't need to prompt the user if the requested permissions are a subset
   // of the granted permissions set.
   scoped_refptr<const PermissionSet> granted =
       ExtensionPrefs::Get(GetProfile())
           ->GetGrantedPermissions(extension()->id());
   if (granted.get() && granted->Contains(*requested_permissions_.get())) {
     PermissionsUpdater perms_updater(GetProfile());
     perms_updater.AddPermissions(extension(), requested_permissions_.get());
     results_ = Request::Results::Create(true);
     SendResponse(true);
@@ skipping 23 matching lines @@
     CHECK_EQ(DO_NOT_SKIP, auto_confirm_for_tests);
     install_ui_.reset(new ExtensionInstallPrompt(GetAssociatedWebContents()));
     install_ui_->ConfirmPermissions(
         this, extension(), requested_permissions_.get());
   }
 
   return true;
 }
 
 }  // namespace extensions