Add policy controlled permission block list for extensions

chrome/browser/extensions/extension_management.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/extension_management.h"
 
 #include <algorithm>
 #include <string>
-#include <vector>
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/prefs/pref_service.h"
+#include "base/strings/string16.h"
 #include "base/strings/string_util.h"
 #include "chrome/browser/extensions/extension_management_constants.h"
 #include "chrome/browser/extensions/extension_management_internal.h"
 #include "chrome/browser/extensions/external_policy_loader.h"
 #include "chrome/browser/extensions/external_provider_impl.h"
+#include "chrome/browser/extensions/permissions_based_management_policy_provider.h"
 #include "chrome/browser/extensions/standard_management_policy_provider.h"
 #include "chrome/browser/profiles/incognito_helpers.h"
 #include "chrome/browser/profiles/profile.h"
 #include "components/crx_file/id_util.h"
 #include "components/keyed_service/content/browser_context_dependency_manager.h"
 #include "components/pref_registry/pref_registry_syncable.h"
 #include "extensions/browser/pref_names.h"
+#include "extensions/common/permissions/api_permission_set.h"
+#include "extensions/common/permissions/permission_set.h"
 #include "extensions/common/url_pattern.h"
 #include "url/gurl.h"
 
 namespace extensions {
 
 ExtensionManagement::ExtensionManagement(PrefService* pref_service)
     : pref_service_(pref_service) {
   pref_change_registrar_.Init(pref_service_);
   base::Closure pref_change_callback = base::Bind(
       &ExtensionManagement::OnExtensionPrefChanged, base::Unretained(this));
   pref_change_registrar_.Add(pref_names::kInstallAllowList,
                              pref_change_callback);
   pref_change_registrar_.Add(pref_names::kInstallDenyList,
                              pref_change_callback);
   pref_change_registrar_.Add(pref_names::kInstallForceList,
                              pref_change_callback);
   pref_change_registrar_.Add(pref_names::kAllowedInstallSites,
                              pref_change_callback);
   pref_change_registrar_.Add(pref_names::kAllowedTypes, pref_change_callback);
   pref_change_registrar_.Add(pref_names::kExtensionManagement,
                              pref_change_callback);
   // Note that both |global_settings_| and |default_settings_| will be null
   // before first call to Refresh(), so in order to resolve this, Refresh() must
   // be called in the initialization of ExtensionManagement.
   Refresh();
-  provider_.reset(new StandardManagementPolicyProvider(this));
+  providers_.push_back(new StandardManagementPolicyProvider(this));
+  providers_.push_back(new PermissionsBasedManagementPolicyProvider(this));
 }
 
 ExtensionManagement::~ExtensionManagement() {
 }
 
+void ExtensionManagement::Shutdown() {
+  pref_change_registrar_.RemoveAll();
+  pref_service_ = nullptr;
+}
+
 void ExtensionManagement::AddObserver(Observer* observer) {
   observer_list_.AddObserver(observer);
 }
 
 void ExtensionManagement::RemoveObserver(Observer* observer) {
   observer_list_.RemoveObserver(observer);
 }
 
-ManagementPolicy::Provider* ExtensionManagement::GetProvider() const {
-  return provider_.get();
+std::vector<ManagementPolicy::Provider*> ExtensionManagement::GetProviders()
+    const {
+  return providers_.get();
 }
 
 bool ExtensionManagement::BlacklistedByDefault() const {
   return default_settings_->installation_mode == INSTALLATION_BLOCKED;
 }
 
 ExtensionManagement::InstallationMode ExtensionManagement::GetInstallationMode(
     const ExtensionId& id) const {
   return ReadById(id)->installation_mode;
 }
@@ skipping 59 matching lines @@
 bool ExtensionManagement::IsAllowedManifestType(
     Manifest::Type manifest_type) const {
   if (!global_settings_->has_restricted_allowed_types)
     return true;
   const std::vector<Manifest::Type>& allowed_types =
       global_settings_->allowed_types;
   return std::find(allowed_types.begin(), allowed_types.end(), manifest_type) !=
          allowed_types.end();
 }
 
+const APIPermissionSet& ExtensionManagement::GetBlockedAPIPermissions(
+    const ExtensionId& id) const {
+  return ReadById(id)->blocked_permissions;
+}
+
+scoped_refptr<const PermissionSet> ExtensionManagement::GetBlockedPermissions(
+    const ExtensionId& id) const {
+  // Only api permissions are supported currently.
+  return scoped_refptr<const PermissionSet>(
+      new PermissionSet(GetBlockedAPIPermissions(id),
+                        ManifestPermissionSet(),
+                        URLPatternSet(),
+                        URLPatternSet()));
+}
+
+bool ExtensionManagement::IsPermissionSetAllowed(
+    const ExtensionId& id,
+    scoped_refptr<const PermissionSet> perms) const {
+  for (const auto& blocked_api : GetBlockedAPIPermissions(id)) {
+    if (perms->HasAPIPermission(blocked_api->id()))
+      return false;
+  }
+  return true;
+}
+
 void ExtensionManagement::Refresh() {
   // Load all extension management settings preferences.
   const base::ListValue* allowed_list_pref =
       static_cast<const base::ListValue*>(LoadPreference(
           pref_names::kInstallAllowList, true, base::Value::TYPE_LIST));
   // Allow user to use preference to block certain extensions. Note that policy
   // managed forcelist or whitelist will always override this.
   const base::ListValue* denied_list_pref =
       static_cast<const base::ListValue*>(LoadPreference(
           pref_names::kInstallDenyList, false, base::Value::TYPE_LIST));
@@ skipping 137 matching lines @@
                      << extension_id << ".";
       }
     }
   }
 }
 
 const base::Value* ExtensionManagement::LoadPreference(
     const char* pref_name,
     bool force_managed,
     base::Value::Type expected_type) {
+  if (!pref_service_)
+    return nullptr;
   const PrefService::Preference* pref =
       pref_service_->FindPreference(pref_name);
   if (pref && !pref->IsDefaultValue() &&
       (!force_managed || pref->IsManaged())) {
     const base::Value* value = pref->GetValue();
     if (value && value->IsType(expected_type))
       return value;
   }
-  return NULL;
+  return nullptr;
 }
 
 void ExtensionManagement::OnExtensionPrefChanged() {
   Refresh();
   NotifyExtensionManagementPrefChanged();
 }
 
 void ExtensionManagement::NotifyExtensionManagementPrefChanged() {
   FOR_EACH_OBSERVER(
       Observer, observer_list_, OnExtensionManagementSettingsChanged());
@@ skipping 56 matching lines @@
 }
 
 void ExtensionManagementFactory::RegisterProfilePrefs(
     user_prefs::PrefRegistrySyncable* user_prefs) {
   user_prefs->RegisterDictionaryPref(
       pref_names::kExtensionManagement,
       user_prefs::PrefRegistrySyncable::UNSYNCABLE_PREF);
 }
 
 }  // namespace extensions