Add more management policy checking after extension installed

chrome/browser/extensions/extension_service.cc

 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/extension_service.h"
 
 #include <algorithm>
 #include <iterator>
 #include <set>
 
@@ skipping 1549 matching lines @@
   crash_keys::SetActiveExtensions(extension_ids);
 }
 
 void ExtensionService::OnExtensionInstalled(
     const Extension* extension,
     const syncer::StringOrdinal& page_ordinal,
     int install_flags) {
   CHECK(BrowserThread::CurrentlyOn(BrowserThread::UI));
 
   const std::string& id = extension->id();
-  bool initial_enable = ShouldEnableOnInstall(extension);
+  Extension::DisableReason disable_reason =
+      GetDisableReasonOnInstalled(extension);
   std::string install_parameter;
   const extensions::PendingExtensionInfo* pending_extension_info =
       pending_extension_manager()->GetById(id);
   if (pending_extension_info) {
     if (!pending_extension_info->ShouldAllowInstall(extension)) {
       pending_extension_manager()->Remove(id);
 
       LOG(WARNING) << "ShouldAllowInstall() returned false for "
                    << id << " of type " << extension->GetType()
                    << " and update URL "
@@ skipping 12 matching lines @@
       return;
     }
 
     install_parameter = pending_extension_info->install_parameter();
     pending_extension_manager()->Remove(id);
   } else {
     // We explicitly want to re-enable an uninstalled external
     // extension; if we're here, that means the user is manually
     // installing the extension.
     if (extension_prefs_->IsExternalExtensionUninstalled(id)) {
-      initial_enable = true;
+      disable_reason = Extension::DISABLE_NONE;
     }
   }
 
   // Unsupported requirements overrides the management policy.
   if (install_flags & extensions::kInstallFlagHasRequirementErrors) {
-    initial_enable = false;
-    extension_prefs_->AddDisableReason(
-        id, Extension::DISABLE_UNSUPPORTED_REQUIREMENT);
+    disable_reason = Extension::DISABLE_UNSUPPORTED_REQUIREMENT;
   // If the extension was disabled because of unsupported requirements but
   // now supports all requirements after an update and there are not other
   // disable reasons, enable it.
   } else if (extension_prefs_->GetDisableReasons(id) ==
       Extension::DISABLE_UNSUPPORTED_REQUIREMENT) {
-    initial_enable = true;
+    disable_reason = Extension::DISABLE_NONE;
     extension_prefs_->ClearDisableReasons(id);
   }
 
   if (install_flags & extensions::kInstallFlagIsBlacklistedForMalware) {
     // Installation of a blacklisted extension can happen from sync, policy,
     // etc, where to maintain consistency we need to install it, just never
     // load it (see AddExtension). Usually it should be the job of callers to
     // incercept blacklisted extension earlier (e.g. CrxInstaller, before even
     // showing the install dialogue).
     extension_prefs_->AcknowledgeBlacklistedExtension(id);
@@ skipping 15 matching lines @@
     UMA_HISTOGRAM_ENUMERATION("Extensions.UpdateSource",
                               extension->location(), Manifest::NUM_LOCATIONS);
 
     // A fully installed app cannot be demoted to an ephemeral app.
     if ((install_flags & extensions::kInstallFlagIsEphemeral) &&
         !extension_prefs_->IsEphemeralApp(id)) {
       install_flags &= ~static_cast<int>(extensions::kInstallFlagIsEphemeral);
     }
   }
 
+  if (disable_reason != Extension::DISABLE_NONE)
+    extension_prefs_->AddDisableReason(id, disable_reason);
+
   const Extension::State initial_state =
-      initial_enable ? Extension::ENABLED : Extension::DISABLED;
+      disable_reason == Extension::DISABLE_NONE ? Extension::ENABLED
+                                                : Extension::DISABLED;
   if (ShouldDelayExtensionUpdate(
           id,
           !!(install_flags & extensions::kInstallFlagInstallImmediately))) {
     extension_prefs_->SetDelayedInstallInfo(
         extension,
         initial_state,
         install_flags,
         extensions::ExtensionPrefs::DELAY_REASON_WAIT_FOR_IDLE,
         page_ordinal,
         install_parameter);
@@ skipping 476 matching lines @@
     case chrome::NOTIFICATION_PROFILE_DESTRUCTION_STARTED: {
       OnProfileDestructionStarted();
       break;
     }
 
     default:
       NOTREACHED() << "Unexpected notification type.";
   }
 }
 
-bool ExtensionService::ShouldEnableOnInstall(const Extension* extension) {
+Extension::DisableReason ExtensionService::GetDisableReasonOnInstalled(
+    const Extension* extension) {
+  Extension::DisableReason disable_reason;
+  // Extensions disabled by management policy should always be disabled, even
+  // if it's force-installed.
+  if (system_->management_policy()->MustRemainDisabled(
+          extension, &disable_reason, nullptr)) {
+    // A specified reason is required to disable the extension.
+    DCHECK(disable_reason != Extension::DISABLE_NONE);
+    return disable_reason;
+  }
+
   // Extensions installed by policy can't be disabled. So even if a previous
   // installation disabled the extension, make sure it is now enabled.
-  if (system_->management_policy()->MustRemainEnabled(extension, NULL))
-    return true;
+  if (system_->management_policy()->MustRemainEnabled(extension, nullptr))
+    return Extension::DISABLE_NONE;
 
-  if (extension_prefs_->IsExtensionDisabled(extension->id()))
-    return false;
+  // An already disabled extension should inherit the disable reasons and
+  // remain disabled.
+  if (extension_prefs_->IsExtensionDisabled(extension->id())) {
+    disable_reason = static_cast<Extension::DisableReason>(

[not at google - send to devlin, 2014/11/14 17:20:43]

Damn, ok, this static_cast<> isn't actually right. Sorry for not noticing that.
It's possible that you will get undefined results if there are multiple disable
reasons, trying to cast it to a single one. It looks like this function actually
needs to return a bitmask.

Annoyingly, it looks like that will also require adding an AddDisableReasons
method to ExtensionPrefs which takes a bitmask (the interface on ExtensionPrefs
is pretty odd really).

[binjin, 2014/11/14 18:21:58]

Done.

+        extension_prefs_->GetDisableReasons(extension->id()));
+    // If an extension was disabled without specified reason, presume it's
+    // disabled by user.
+    return disable_reason == Extension::DISABLE_NONE
+               ? Extension::DISABLE_USER_ACTION
+               : disable_reason;
+  }
 
   if (FeatureSwitch::prompt_for_external_extensions()->IsEnabled()) {
     // External extensions are initially disabled. We prompt the user before
     // enabling them. Hosted apps are excepted because they are not dangerous
     // (they need to be launched by the user anyway).
     if (extension->GetType() != Manifest::TYPE_HOSTED_APP &&
         Manifest::IsExternalLocation(extension->location()) &&
         !extension_prefs_->IsExternalExtensionAcknowledged(extension->id())) {
-      return false;
+      return Extension::DISABLE_EXTERNAL_EXTENSION;
     }
   }
 
-  return true;
+  return Extension::DISABLE_NONE;
 }
 
 bool ExtensionService::ShouldDelayExtensionUpdate(
     const std::string& extension_id,
     bool install_immediately) const {
   const char kOnUpdateAvailableEvent[] = "runtime.onUpdateAvailable";
 
   // If delayed updates are globally disabled, or just for this extension,
   // don't delay.
   if (!install_updates_when_idle_ || install_immediately)
@@ skipping 202 matching lines @@
 }
 
 void ExtensionService::OnProfileDestructionStarted() {
   ExtensionIdSet ids_to_unload = registry_->enabled_extensions().GetIDs();
   for (ExtensionIdSet::iterator it = ids_to_unload.begin();
        it != ids_to_unload.end();
        ++it) {
     UnloadExtension(*it, UnloadedExtensionInfo::REASON_PROFILE_SHUTDOWN);
   }
 }