Add policy controlled permission block list for extensions

chrome/browser/extensions/extension_management_internal.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/extension_management_internal.h"
 
 #include "base/logging.h"
 #include "base/values.h"
 #include "chrome/browser/extensions/extension_management_constants.h"
 #include "extensions/common/url_pattern_set.h"
@@ skipping 49 matching lines @@
           GURL(update_url_str).is_valid()) {
         update_url = update_url_str;
       } else {
         // No valid update URL for extension.
         LOG(WARNING) << kMalformedPreferenceWarning;
         return false;
       }
     }
   }
 
+  // Parses the blocked permission settings.
+  const base::ListValue* list_value = nullptr;
+  base::string16 error;
+
+  // If applicable, inherit from global block list and remove all explicitly
+  // allowed permissions.
+  if (scope != SCOPE_DEFAULT &&
+      dict->GetListWithoutPathExpansion(schema_constants::kAllowedPermissions,
+                                        &list_value)) {
+    // It is assumed that Parse() is already called for SCOPE_DEFAULT and
+    // settings specified for |this| is initialized by copying from default
+    // settings, including the |blocked_permissions| setting here.
+    // That is, |blocked_permissions| should be the default block permissions
+    // list settings here.
+    APIPermissionSet globally_blocked_permissions = blocked_permissions;
+    APIPermissionSet explicitly_allowed_permissions;
+    // Reuses code for parsing API permissions from manifest. But note that we
+    // only support list of strings type.
+    if (!APIPermissionSet::ParseFromJSON(
+            list_value,
+            APIPermissionSet::kDisallowInternalPermissions,
+            &explicitly_allowed_permissions,
+            &error,
+            nullptr)) {
+      // There might be unknown permissions, warn and just ignore them;
+      LOG(WARNING) << error;
+    }
+    APIPermissionSet::Difference(globally_blocked_permissions,
+                                 explicitly_allowed_permissions,
+                                 &blocked_permissions);
+  }
+
+  // Then add all newly blocked permissions to the list.
+  if (dict->GetListWithoutPathExpansion(schema_constants::kBlockedPermissions,
+                                        &list_value)) {
+    // The |blocked_permissions| might be the result of the routines above,
+    // or remains the same as default block permissions settings.
+    APIPermissionSet permissions_to_merge_from = blocked_permissions;
+    APIPermissionSet permissions_parsed;
+    if (!APIPermissionSet::ParseFromJSON(
+            list_value,
+            APIPermissionSet::kDisallowInternalPermissions,
+            &permissions_parsed,
+            &error,
+            nullptr)) {
+      LOG(WARNING) << error;
+    }
+    APIPermissionSet::Union(
+        permissions_to_merge_from, permissions_parsed, &blocked_permissions);
+  }
+
   return true;
 }
 
 void IndividualSettings::Reset() {
   installation_mode = ExtensionManagement::INSTALLATION_ALLOWED;
   update_url.clear();
+  blocked_permissions.clear();
 }
 
 GlobalSettings::GlobalSettings() {
   Reset();
 }
 
 GlobalSettings::~GlobalSettings() {
 }
 
 void GlobalSettings::Reset() {
   has_restricted_install_sources = false;
   install_sources.ClearPatterns();
   has_restricted_allowed_types = false;
   allowed_types.clear();
 }
 
 }  // namespace internal
 
 }  // namespace extensions