authorbinjin <binjin@chromium.org>2014-10-30 18:55:57 -0700
committerCommit bot <commit-bot@chromium.org>2014-10-31 01:56:20 +0000
commite6b58b5a41f010118c5caea9ba78bc077a5f551b (patch)
tree126ea761cfa5b0be561ea347dd1e9831ca868f3a /chrome/browser/extensions/extension_management.cc
parent7393cee9845330bbe5e4712f5e16751256e6cb7c (diff)
Add policy controlled permission block list for extensions
This CL adds a permission block list for extensions. Currently only simple API permissions are supported, and the block list applies to both the required and the optional permissions of an extension. BUG=177351 Review URL: https://codereview.chromium.org/595363002 Cr-Commit-Position: refs/heads/master@{#302211}
Diffstat (limited to 'chrome/browser/extensions/extension_management.cc')
-rw-r--r--chrome/browser/extensions/extension_management.cc47
1 files changed, 42 insertions, 5 deletions
diff --git a/chrome/browser/extensions/extension_management.cc b/chrome/browser/extensions/extension_management.cc
index dff3946..6904f5e 100644
--- a/chrome/browser/extensions/extension_management.cc
+++ b/chrome/browser/extensions/extension_management.cc
@@ -6,17 +6,18 @@
#include <algorithm>
#include <string>
-#include <vector>
#include "base/bind.h"
#include "base/bind_helpers.h"
#include "base/logging.h"
#include "base/prefs/pref_service.h"
+#include "base/strings/string16.h"
#include "base/strings/string_util.h"
#include "chrome/browser/extensions/extension_management_constants.h"
#include "chrome/browser/extensions/extension_management_internal.h"
#include "chrome/browser/extensions/external_policy_loader.h"
#include "chrome/browser/extensions/external_provider_impl.h"
+#include "chrome/browser/extensions/permissions_based_management_policy_provider.h"
#include "chrome/browser/extensions/standard_management_policy_provider.h"
#include "chrome/browser/profiles/incognito_helpers.h"
#include "chrome/browser/profiles/profile.h"
@@ -24,6 +25,8 @@
#include "components/keyed_service/content/browser_context_dependency_manager.h"
#include "components/pref_registry/pref_registry_syncable.h"
#include "extensions/browser/pref_names.h"
+#include "extensions/common/permissions/api_permission_set.h"
+#include "extensions/common/permissions/permission_set.h"
#include "extensions/common/url_pattern.h"
#include "url/gurl.h"
@@ -49,12 +52,18 @@ ExtensionManagement::ExtensionManagement(PrefService* pref_service)
// before first call to Refresh(), so in order to resolve this, Refresh() must
// be called in the initialization of ExtensionManagement.
Refresh();
- provider_.reset(new StandardManagementPolicyProvider(this));
+ providers_.push_back(new StandardManagementPolicyProvider(this));
+ providers_.push_back(new PermissionsBasedManagementPolicyProvider(this));
}
ExtensionManagement::~ExtensionManagement() {
}
+void ExtensionManagement::Shutdown() {
+ pref_change_registrar_.RemoveAll();
+ pref_service_ = nullptr;
+}
+
void ExtensionManagement::AddObserver(Observer* observer) {
observer_list_.AddObserver(observer);
}
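Review bot: After `Shutdown()` sets `pref_service_ = nullptr`, the guard added in the `LoadPreference()` hunk makes every preference read return `nullptr`, which is the same value a caller gets when a policy is simply not set. If `Refresh()` were ever invoked after shutdown (its body is outside these hunks, so this is inferred), the blocklist and blocked-permission settings would presumably be rebuilt as if no admin policy existed, so enforcement would fail open. `pref_change_registrar_.RemoveAll()` removes the obvious trigger, but the contract deserves a comment on `Shutdown()`, for example `// Refresh() must not run after this; the settings cached by the last Refresh() stay in force until destruction.`, or an early return from `Refresh()` when `pref_service_` is null.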
@@ -63,8 +72,9 @@ void ExtensionManagement::RemoveObserver(Observer* observer) {
observer_list_.RemoveObserver(observer);
}
-ManagementPolicy::Provider* ExtensionManagement::GetProvider() const {
- return provider_.get();
+std::vector<ManagementPolicy::Provider*> ExtensionManagement::GetProviders()
+ const {
+ return providers_.get();
}
bool ExtensionManagement::BlacklistedByDefault() const {
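Review bot: `GetProviders()` returns a copy of raw `ManagementPolicy::Provider*` pointers, and nothing at the definition says who owns the pointees. From `providers_.push_back(new ...)` in the constructor and `providers_.get()` here, they appear to stay owned by `providers_`, whose declaration is not visible in this diff. A comment such as `// The returned pointers are owned by this object and are valid only while it is alive.` would keep callers from deleting them or holding them past the lifetime of this ExtensionManagement.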
@@ -144,6 +154,31 @@ bool ExtensionManagement::IsAllowedManifestType(
allowed_types.end();
}
+const APIPermissionSet& ExtensionManagement::GetBlockedAPIPermissions(
+ const ExtensionId& id) const {
+ return ReadById(id)->blocked_permissions;
+}
+
+scoped_refptr<const PermissionSet> ExtensionManagement::GetBlockedPermissions(
+ const ExtensionId& id) const {
+ // Only api permissions are supported currently.
+ return scoped_refptr<const PermissionSet>(
+ new PermissionSet(GetBlockedAPIPermissions(id),
+ ManifestPermissionSet(),
+ URLPatternSet(),
+ URLPatternSet()));
+}
+
+bool ExtensionManagement::IsPermissionSetAllowed(
+ const ExtensionId& id,
+ scoped_refptr<const PermissionSet> perms) const {
+ for (const auto& blocked_api : GetBlockedAPIPermissions(id)) {
+ if (perms->HasAPIPermission(blocked_api->id()))
+ return false;
+ }
+ return true;
+}
+
void ExtensionManagement::Refresh() {
// Load all extension management settings preferences.
const base::ListValue* allowed_list_pref =
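Review bot: `GetBlockedAPIPermissions()` hands out a `const APIPermissionSet&` into the object that `ReadById(id)` returns, and nothing in this hunk says how long that object lives. If `Refresh()` rebuilds the per-extension settings (its body continues outside the hunk, so this is inferred), a caller that keeps the reference across a policy update would read freed memory. A comment such as `// The returned reference is valid only until the next Refresh(); copy it if it must outlive the call.` would make the contract explicit, or the function could return by value. Separately, `IsPermissionSetAllowed()` dereferences `perms` unconditionally and takes the `scoped_refptr` by value. Taking `const scoped_refptr<const PermissionSet>& perms` and adding `DCHECK(perms.get());` would document the non-null precondition and avoid a ref-count round trip on every policy check.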
@@ -301,6 +336,8 @@ const base::Value* ExtensionManagement::LoadPreference(
const char* pref_name,
bool force_managed,
base::Value::Type expected_type) {
+ if (!pref_service_)
+ return nullptr;
const PrefService::Preference* pref =
pref_service_->FindPreference(pref_name);
if (pref && !pref->IsDefaultValue() &&
@@ -309,7 +346,7 @@ const base::Value* ExtensionManagement::LoadPreference(
if (value && value->IsType(expected_type))
return value;
}
- return NULL;
+ return nullptr;
}
void ExtensionManagement::OnExtensionPrefChanged() {