Add policy controlled permission block list for extensions

This CL adds permissions block list for extensions. Currently only simple API permissions are supported, and the block list applies to both required and optional permissions of extensions.

BUG=177351

Review URL: https://codereview.chromium.org/595363002

Cr-Commit-Position: refs/heads/master@{#302211}

1 files changed, 36 insertions, 2 deletions

diff --git a/chrome/browser/extensions/api/permissions/permissions_apitest.cc b/chrome/browser/extensions/api/permissions/permissions_apitest.cc
index 798b2b5..7b6a35b 100644
--- a/chrome/browser/extensions/api/permissions/permissions_apitest.cc
+++ b/chrome/browser/extensions/api/permissions/permissions_apitest.cc
@@ -4,8 +4,11 @@
 
 #include "chrome/browser/extensions/api/permissions/permissions_api.h"
 #include "chrome/browser/extensions/extension_apitest.h"
+#include "chrome/browser/extensions/extension_management_test_util.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/ui/browser.h"
+#include "components/policy/core/browser/browser_policy_connector.h"
+#include "components/policy/core/common/mock_configuration_policy_provider.h"
 #include "extensions/browser/extension_prefs.h"
 #include "extensions/common/permissions/permission_set.h"
 #include "extensions/common/switches.h"
@@ -23,13 +26,28 @@ static void AddPattern(URLPatternSet* extent, const std::string& pattern) {
 }  // namespace
 
 class ExperimentalApiTest : public ExtensionApiTest {
-public:
- void SetUpCommandLine(CommandLine* command_line) override {
+ public:
+  void SetUpCommandLine(CommandLine* command_line) override {
     ExtensionApiTest::SetUpCommandLine(command_line);
     command_line->AppendSwitch(switches::kEnableExperimentalExtensionApis);
   }
 };
 
+class ExtensionApiTestWithManagementPolicy : public ExtensionApiTest {
+ public:
+  void SetUpInProcessBrowserTestFixture() override {
+    ExtensionApiTest::SetUpInProcessBrowserTestFixture();
+    EXPECT_CALL(policy_provider_, IsInitializationComplete(testing::_))
+        .WillRepeatedly(testing::Return(true));
+    policy_provider_.SetAutoRefresh();
+    policy::BrowserPolicyConnector::SetPolicyProviderForTesting(
+        &policy_provider_);
+  }
+
+ protected:
+  policy::MockConfigurationPolicyProvider policy_provider_;
+};
+
 IN_PROC_BROWSER_TEST_F(ExtensionApiTest, PermissionsFail) {
   ASSERT_TRUE(RunExtensionTest("permissions/disabled")) << message_;
 
@@ -128,6 +146,22 @@ IN_PROC_BROWSER_TEST_F(ExtensionApiTest, OptionalPermissionsRetainGesture) {
       << message_;
 }
 
+// Test that optional permissions blocked by enterprise policy will be denied
+// automatically.
+IN_PROC_BROWSER_TEST_F(ExtensionApiTestWithManagementPolicy,
+                       OptionalPermissionsPolicyBlocked) {
+  // Set enterprise policy to block some API permissions.
+  {
+    ExtensionManagementPolicyUpdater pref(&policy_provider_);
+    pref.AddBlockedPermission("*", "management");
+  }
+  // Set auto confirm UI flag.
+  PermissionsRequestFunction::SetAutoConfirmForTests(true);
+  PermissionsRequestFunction::SetIgnoreUserGestureForTests(true);
+  EXPECT_TRUE(RunExtensionTest("permissions/optional_policy_blocked"))
+      << message_;
+}
+
 // Tests that an extension can't gain access to file: URLs without the checkbox
 // entry in prefs. There shouldn't be a warning either.
 IN_PROC_BROWSER_TEST_F(ExtensionApiTest, OptionalPermissionsFileAccess) {