Add policy controlled permission block list for extensions

chrome/browser/extensions/extension_management_unittest.cc

Index: chrome/browser/extensions/extension_management_unittest.cc
diff --git a/chrome/browser/extensions/extension_management_unittest.cc b/chrome/browser/extensions/extension_management_unittest.cc
index fc100f5a15517e0c04557a359253f5a07a7aac2d..0576648dde8d4d6a66d9a6440c4296ca12207603 100644
--- a/chrome/browser/extensions/extension_management_unittest.cc
+++ b/chrome/browser/extensions/extension_management_unittest.cc
@@ -14,9 +14,12 @@
 #include "chrome/browser/extensions/extension_management_internal.h"
 #include "chrome/browser/extensions/extension_management_test_util.h"
 #include "chrome/browser/extensions/external_policy_loader.h"
+#include "chrome/browser/extensions/standard_management_policy_provider.h"
 #include "extensions/browser/pref_names.h"
 #include "extensions/common/manifest.h"
 #include "extensions/common/manifest_constants.h"
+#include "extensions/common/permissions/api_permission.h"
+#include "extensions/common/permissions/permissions_info.h"
 #include "extensions/common/url_pattern.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "url/gurl.h"
@@ -35,19 +38,24 @@ const char kExampleDictPreference[] =
     "{"
     "  \"abcdefghijklmnopabcdefghijklmnop\": {"  // kTargetExtension
     "    \"installation_mode\": \"allowed\","
+    "    \"blocked_permissions\": [\"fileSystem\", \"bookmarks\"],"
     "  },"
     "  \"bcdefghijklmnopabcdefghijklmnopa\": {"  // kTargetExtension2
     "    \"installation_mode\": \"force_installed\","
     "    \"update_url\": \"http://example.com/update_url\","
+    "    \"allowed_permissions\": [\"fileSystem\", \"bookmarks\"],"
     "  },"
     "  \"cdefghijklmnopabcdefghijklmnopab\": {"  // kTargetExtension3
     "    \"installation_mode\": \"normal_installed\","
     "    \"update_url\": \"http://example.com/update_url\","
+    "    \"allowed_permissions\": [\"fileSystem\", \"downloads\"],"
+    "    \"blocked_permissions\": [\"fileSystem\", \"history\"],"
     "  },"
     "  \"*\": {"
     "    \"installation_mode\": \"blocked\","
     "    \"install_sources\": [\"*://foo.com/*\"],"
     "    \"allowed_types\": [\"theme\", \"user_script\"],"
+    "    \"blocked_permissions\": [\"fileSystem\", \"downloads\"],"
     "  },"
     "}";
 
@@ -124,6 +132,11 @@ class ExtensionAdminPolicyTest : public ExtensionManagementServiceTest {
   ExtensionAdminPolicyTest() {}
   virtual ~ExtensionAdminPolicyTest() {}
 
+  void SetUpPolicyProvider() {
+    provider_.reset(
+        new StandardManagementPolicyProvider(extension_management_.get()));
+  }
+
   void CreateExtension(Manifest::Location location) {
     base::DictionaryValue values;
     CreateExtensionFromValues(location, &values);
@@ -159,12 +172,13 @@ class ExtensionAdminPolicyTest : public ExtensionManagementServiceTest {
   bool MustRemainEnabled(const Extension* extension, base::string16* error);
 
  protected:
+  scoped_ptr<StandardManagementPolicyProvider> provider_;
   scoped_refptr<Extension> extension_;
 };
 
 bool ExtensionAdminPolicyTest::BlacklistedByDefault(
     const base::ListValue* blacklist) {
-  InitPrefService();
+  SetUpPolicyProvider();
   if (blacklist)
     SetPref(true, pref_names::kInstallDenyList, blacklist->DeepCopy());
   return extension_management_->BlacklistedByDefault();
@@ -177,7 +191,7 @@ bool ExtensionAdminPolicyTest::UserMayLoad(
     const base::ListValue* allowed_types,
     const Extension* extension,
     base::string16* error) {
-  InitPrefService();
+  SetUpPolicyProvider();
   if (blacklist)
     SetPref(true, pref_names::kInstallDenyList, blacklist->DeepCopy());
   if (whitelist)
@@ -186,21 +200,19 @@ bool ExtensionAdminPolicyTest::UserMayLoad(
     SetPref(true, pref_names::kInstallForceList, forcelist->DeepCopy());
   if (allowed_types)
     SetPref(true, pref_names::kAllowedTypes, allowed_types->DeepCopy());
-  return extension_management_->GetProvider()->UserMayLoad(extension, error);
+  return provider_->UserMayLoad(extension, error);
 }
 
 bool ExtensionAdminPolicyTest::UserMayModifySettings(const Extension* extension,
                                                      base::string16* error) {
-  InitPrefService();
-  return extension_management_->GetProvider()->UserMayModifySettings(extension,
-                                                                     error);
+  SetUpPolicyProvider();
+  return provider_->UserMayModifySettings(extension, error);
 }
 
 bool ExtensionAdminPolicyTest::MustRemainEnabled(const Extension* extension,
                                                  base::string16* error) {
-  InitPrefService();
-  return extension_management_->GetProvider()->MustRemainEnabled(extension,
-                                                                 error);
+  SetUpPolicyProvider();
+  return provider_->MustRemainEnabled(extension, error);
 }
 
 // Verify that preference controlled by legacy ExtensionInstallSources policy is
@@ -335,6 +347,32 @@ TEST_F(ExtensionManagementServiceTest, PreferenceParsing) {
   EXPECT_TRUE(std::find(allowed_types.begin(),
                         allowed_types.end(),
                         Manifest::TYPE_USER_SCRIPT) != allowed_types.end());
+
+  // Verifies blocked permission list settings.
+  APIPermissionSet api_permission_set;
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kFileSystem);
+  api_permission_set.insert(APIPermission::kDownloads);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kOtherExtension));
+
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kFileSystem);
+  api_permission_set.insert(APIPermission::kDownloads);
+  api_permission_set.insert(APIPermission::kBookmark);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kTargetExtension));
+
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kDownloads);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kTargetExtension2));
+
+  api_permission_set.clear();
+  api_permission_set.insert(APIPermission::kFileSystem);
+  api_permission_set.insert(APIPermission::kHistory);
+  EXPECT_EQ(api_permission_set,
+            extension_management_->GetBlockedAPIPermissions(kTargetExtension3));

[Joao da Silva, 2014/10/15 14:39:26]

Add tests with parsing errors in the permissions policy.

[binjin, 2014/10/16 18:13:58]

I think this tests along with unit tests for
PermissionBasedManagementPolicyProvider covers the code well. The actual parsing
re-used code that is well tested as well.

[Joao da Silva, 2014/10/17 12:52:39]

So what happens if the policy has an invalid permission that fails parsing? Do
we just ignore that permission? Or do we block all extensions by accident? I
really think having coverage for this is a good idea. This is easier to add in
extension_service_unittest.cc.

[binjin, 2014/10/17 13:03:19]

To clarify, the permission parser actually allows unknown permission for
backward compatibility purpose. Since these invalid permissions(might be
introduced in a newer version of chrome) are currently unknown to the chrome
version that user are using, it's safe to just ignore them. I will add few
comments regarding this and include a few invalid permissions in example
preference.

[binjin, 2014/10/17 14:04:22]

Done.

 }
 
 // Tests functionality of new preference as to deprecate legacy