Add policy to disable specific plugin versions

BUG=68777
TEST=follow steps in here: http://dev.chromium.org/developers/how-tos/enterprise/adding-new-policies for manually testing your policy. Specify in your test a specific plugin version and then check about:plugins

Review URL: https://chromiumcodereview.appspot.com/10933072

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@159009 0039d316-1c4b-4281-b951-d872f2087c98

5 files changed, 313 insertions, 0 deletions

diff --git a/chrome/browser/policy/configuration_policy_handler.cc b/chrome/browser/policy/configuration_policy_handler.cc
index a1d65a9..cf8dfd3 100644
--- a/chrome/browser/policy/configuration_policy_handler.cc
+++ b/chrome/browser/policy/configuration_policy_handler.cc
@@ -12,7 +12,9 @@
 #include "base/stl_util.h"
 #include "base/string16.h"
 #include "base/string_number_conversions.h"
+#include "base/string_split.h"
 #include "base/string_util.h"
+#include "base/version.h"
 #include "chrome/browser/download/download_util.h"
 #include "chrome/browser/policy/configuration_policy_pref_store.h"
 #include "chrome/browser/policy/policy_error_map.h"
@@ -1274,4 +1276,82 @@ bool RestoreOnStartupPolicyHandler::CheckPolicySettings(
   return true;
 }
 
+// DisabledPluginsByVersionPolicyHandler implementation -----------------------
+
+DisabledPluginsByVersionPolicyHandler::DisabledPluginsByVersionPolicyHandler()
+    : TypeCheckingPolicyHandler(key::kDisabledPluginsByVersion,
+                                Value::TYPE_LIST) {
+}
+
+DisabledPluginsByVersionPolicyHandler::
+~DisabledPluginsByVersionPolicyHandler() {
+}
+
+bool DisabledPluginsByVersionPolicyHandler::CheckPolicySettings(
+    const PolicyMap& policies,
+    PolicyErrorMap* errors) {
+  const base::Value* value = NULL;
+  if (!CheckAndGetValue(policies, errors, &value))
+    return false;
+
+  if (!value)
+    return true;
+
+  const base::ListValue* list_value = NULL;
+  if (!value->GetAsList(&list_value))
+    return false;
+
+  for (base::ListValue::const_iterator entry(list_value->begin());
+       entry != list_value->end(); ++entry) {
+    string16 plugin_version;
+    if (!(*entry)->GetAsString(&plugin_version)) {
+      errors->AddError(policy_name(),
+                       entry - list_value->begin(),
+                       IDS_POLICY_TYPE_ERROR,
+                       ValueTypeToString(base::Value::TYPE_STRING));
+      return false;
+    }
+
+    std::vector<string16> splitted_plugin_version;
+    base::SplitString(plugin_version, L':', &splitted_plugin_version);
+    if (splitted_plugin_version.size() != 2 ||
+        splitted_plugin_version[0].empty() ||
+        splitted_plugin_version[1].empty()) {
+      errors->AddError(policy_name(),
+                       entry - list_value->begin(),
+                       IDS_POLICY_VALUE_FORMAT_ERROR);
+      return false;
+    }
+
+    std::vector<string16> splitted_versions;
+    base::SplitString(splitted_plugin_version[1], L',', &splitted_versions);
+    if (splitted_versions.size() == 0) {
+      errors->AddError(policy_name(),
+                       entry - list_value->begin(),
+                       IDS_POLICY_VALUE_FORMAT_ERROR);
+      return false;
+    }
+
+    for (size_t i = 0; i < splitted_versions.size(); ++i) {
+      if (!IsStringASCII(splitted_versions[i]) ||
+          !Version::IsValidWildcardString(UTF16ToASCII(splitted_versions[i]))) {
+        errors->AddError(policy_name(),
+                         entry - list_value->begin(),
+                         IDS_POLICY_VALUE_FORMAT_ERROR);
+        return false;
+      }
+    }
+  }
+
+  return true;
+}
+
+void DisabledPluginsByVersionPolicyHandler::ApplyPolicySettings(
+    const PolicyMap& policies,
+    PrefValueMap* prefs) {
+  const Value* value = policies.GetValue(policy_name());
+  if (value)
+    prefs->SetValue(prefs::kPluginsDisabledPluginsByVersion, value->DeepCopy());
+}
+
 }  // namespace policy
diff --git a/chrome/browser/policy/configuration_policy_handler.h b/chrome/browser/policy/configuration_policy_handler.h
index 5c6115f..0403808 100644
--- a/chrome/browser/policy/configuration_policy_handler.h
+++ b/chrome/browser/policy/configuration_policy_handler.h
@@ -399,6 +399,22 @@ class RestoreOnStartupPolicyHandler : public TypeCheckingPolicyHandler {
   DISALLOW_COPY_AND_ASSIGN(RestoreOnStartupPolicyHandler);
 };
 
+// Handles DisabledPluginsByVersion policy.
+class DisabledPluginsByVersionPolicyHandler : public TypeCheckingPolicyHandler {
+ public:
+  DisabledPluginsByVersionPolicyHandler();
+  virtual ~DisabledPluginsByVersionPolicyHandler();
+
+  // ConfigurationPolicyHandler methods:
+  virtual bool CheckPolicySettings(const PolicyMap& policies,
+                                   PolicyErrorMap* errors) OVERRIDE;
+  virtual void ApplyPolicySettings(const PolicyMap& policies,
+                                   PrefValueMap* prefs) OVERRIDE;
+
+ private:
+  DISALLOW_COPY_AND_ASSIGN(DisabledPluginsByVersionPolicyHandler);
+};
+
 }  // namespace policy
 
 #endif  // CHROME_BROWSER_POLICY_CONFIGURATION_POLICY_HANDLER_H_
diff --git a/chrome/browser/policy/configuration_policy_handler_list.cc b/chrome/browser/policy/configuration_policy_handler_list.cc
index 7e0157a..d2a2be2 100644
--- a/chrome/browser/policy/configuration_policy_handler_list.cc
+++ b/chrome/browser/policy/configuration_policy_handler_list.cc
@@ -348,6 +348,7 @@ ConfigurationPolicyHandlerList::ConfigurationPolicyHandlerList() {
   handlers_.push_back(new AutofillPolicyHandler());
   handlers_.push_back(new ClearSiteDataOnExitPolicyHandler());
   handlers_.push_back(new DefaultSearchPolicyHandler());
+  handlers_.push_back(new DisabledPluginsByVersionPolicyHandler());
   handlers_.push_back(new DiskCacheDirPolicyHandler());
   handlers_.push_back(new FileSelectionDialogsHandler());
   handlers_.push_back(new IncognitoModePolicyHandler());
diff --git a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
index 340d21d..62c983d 100644
--- a/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
+++ b/chrome/browser/policy/configuration_policy_pref_store_unittest.cc
@@ -3,9 +3,11 @@
 // found in the LICENSE file.
 
 #include <string>
+#include <vector>
 
 #include "base/file_path.h"
 #include "base/memory/ref_counted.h"
+#include "base/string_util.h"
 #include "chrome/browser/policy/configuration_policy_handler.h"
 #include "chrome/browser/policy/configuration_policy_pref_store.h"
 #include "chrome/browser/policy/mock_configuration_policy_provider.h"
@@ -1077,4 +1079,122 @@ TEST_F(ConfigurationPolicyPrefStoreOthersTest, JavascriptEnabledOverridden) {
   EXPECT_TRUE(base::FundamentalValue(CONTENT_SETTING_ALLOW).Equals(value));
 }
 
+// Test case for disabled plugins by version policy settings.
+class ConfigurationPolicyPrefStoreDisabledPluginsByVersionTest
+    : public ConfigurationPolicyPrefStoreTest {
+ protected:
+  ConfigurationPolicyPrefStoreDisabledPluginsByVersionTest()
+      : policy_name_(key::kDisabledPluginsByVersion),
+        pref_name_(prefs::kPluginsDisabledPluginsByVersion) {
+  }
+
+  void AssertOk(const std::vector<std::string>& policy_values) {
+    base::ListValue plugin_list;
+    plugin_list.AppendStrings(policy_values);
+    PolicyMap policy;
+    policy.Set(policy_name_, POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER, plugin_list.DeepCopy());
+    provider_.UpdateChromePolicy(policy);
+
+    const base::Value* value = NULL;
+    EXPECT_EQ(PrefStore::READ_OK, store_->GetValue(pref_name_, &value))
+        << "Policy values: '" << JoinString(policy_values, ", ")
+        << "' are expected to be correct.";
+    ASSERT_TRUE(value);
+    EXPECT_TRUE(plugin_list.Equals(value));
+  }
+
+  void AssertNoValue(const std::vector<std::string>& policy_values) {
+    base::ListValue plugin_list;
+    plugin_list.AppendStrings(policy_values);
+
+    PolicyMap policy;
+    policy.Set(policy_name_, POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER, plugin_list.DeepCopy());
+    provider_.UpdateChromePolicy(policy);
+
+    EXPECT_EQ(PrefStore::READ_NO_VALUE, store_->GetValue(pref_name_, NULL))
+        << "At least one policy value of: '" << JoinString(policy_values, ", ")
+        << "' is expected to be invalid.";
+  }
+
+ private:
+  std::string policy_name_;
+  std::string pref_name_;
+};
+
+TEST_F(ConfigurationPolicyPrefStoreDisabledPluginsByVersionTest, PrefSetRight) {
+  // Different wildcards in plugin name.
+  std::vector<std::string> policy_values;
+  policy_values.push_back(".F?lash*:11");
+  AssertOk(policy_values);
+
+  // Multiple version components.
+  policy_values.clear();
+  policy_values.push_back("*Google*:11.2.1.*");
+  AssertOk(policy_values);
+
+  // No wildcards.
+  policy_values.clear();
+  policy_values.push_back("Other:11.3.3");
+  AssertOk(policy_values);
+
+  // Multiple versions in the version list.
+  policy_values.clear();
+  policy_values.push_back("OnceMore:11.*,9.1.*,1.1.1,1.1.2.*");
+  AssertOk(policy_values);
+
+  // Plug-in name component can have comma.
+  policy_values.clear();
+  policy_values.push_back("PluginName,RestOfName:11.1");
+  AssertOk(policy_values);
+
+  // Multiple list elements.
+  policy_values.clear();
+  policy_values.push_back(".F?lash*:11.*");
+  policy_values.push_back("*Google*:11.2.1.*");
+  policy_values.push_back("Other:11.3.3");
+  policy_values.push_back("OnceMore:11.*,9.1.*,1.1.1,1.1.2.*");
+  policy_values.push_back("PluginName,RestOfName:11.1");
+  AssertOk(policy_values);
+}
+
+TEST_F(ConfigurationPolicyPrefStoreDisabledPluginsByVersionTest, PrefNotSet) {
+  std::vector<std::string> policy_values;
+  policy_values.push_back("Incorrect");
+  AssertNoValue(policy_values);
+
+  policy_values.clear();
+  policy_values.push_back("InvalidVersionList:11.1#,12.2");
+  AssertNoValue(policy_values);
+
+  policy_values.clear();
+  policy_values.push_back("IncorrectVersionWildcard:11.*.1");
+  AssertNoValue(policy_values);
+
+  policy_values.clear();
+  policy_values.push_back("NoVersionList:");
+  AssertNoValue(policy_values);
+
+  // No plugin name.
+  policy_values.clear();
+  policy_values.push_back(":11.1");
+  AssertNoValue(policy_values);
+
+  policy_values.clear();
+  policy_values.push_back("Plugin:11.1:Invalid");
+  AssertNoValue(policy_values);
+
+  policy_values.clear();
+  policy_values.push_back("EmptyVersionList:,,,,");
+  AssertNoValue(policy_values);
+
+  // Any invalid element of the list stops setting the preference.
+  policy_values.clear();
+  policy_values.push_back("valid1:11.*");
+  policy_values.push_back("valid2:11.2.1.*");
+  policy_values.push_back("Invalid:");
+  AssertNoValue(policy_values);
+}
+
 }  // namespace policy
diff --git a/chrome/browser/policy/policy_browsertest.cc b/chrome/browser/policy/policy_browsertest.cc
index f4773f9..13bb08d 100644
--- a/chrome/browser/policy/policy_browsertest.cc
+++ b/chrome/browser/policy/policy_browsertest.cc
@@ -19,6 +19,7 @@
 #include "base/test/test_file_util.h"
 #include "base/utf_string_conversions.h"
 #include "base/values.h"
+#include "base/version.h"
 #include "chrome/app/chrome_command_ids.h"
 #include "chrome/browser/autocomplete/autocomplete_controller.h"
 #include "chrome/browser/browser_process.h"
@@ -92,6 +93,7 @@
 #include "testing/gtest/include/gtest/gtest.h"
 #include "ui/base/l10n/l10n_util.h"
 #include "ui/base/resource/resource_bundle.h"
+#include "webkit/plugins/npapi/plugin_utils.h"
 #include "webkit/plugins/webplugininfo.h"
 
 #if defined(OS_CHROMEOS)
@@ -703,6 +705,16 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, DisabledPlugins) {
   // The user shouldn't be able to enable it.
   EXPECT_FALSE(SetPluginEnabled(plugin_prefs, flash, true));
   EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+
+  // Now remove the policy.
+  policies.Erase(key::kDisabledPlugins);
+  provider_.UpdateChromePolicy(policies);
+  EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
+  // The user should be able to disable/enable it again.
+  EXPECT_TRUE(SetPluginEnabled(plugin_prefs, flash, false));
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  EXPECT_TRUE(SetPluginEnabled(plugin_prefs, flash, true));
+  EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
 }
 
 IN_PROC_BROWSER_TEST_F(PolicyTest, DisabledPluginsExceptions) {
@@ -744,6 +756,14 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, DisabledPluginsExceptions) {
   EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
   EXPECT_TRUE(SetPluginEnabled(plugin_prefs, flash, true));
   EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
+
+  // Now remove the exception for flash.
+  policies.Erase(key::kDisabledPluginsExceptions);
+  provider_.UpdateChromePolicy(policies);
+  // It should be disabled and the user shouldn't be able to enable it again.
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  EXPECT_FALSE(SetPluginEnabled(plugin_prefs, flash, true));
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
 }
 
 IN_PROC_BROWSER_TEST_F(PolicyTest, EnabledPlugins) {
@@ -775,6 +795,82 @@ IN_PROC_BROWSER_TEST_F(PolicyTest, EnabledPlugins) {
                POLICY_SCOPE_USER, plugin_list.DeepCopy());
   provider_.UpdateChromePolicy(policies);
   EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
+
+  // Now remove the plugin from the whitelist.
+  policies.Erase(key::kEnabledPlugins);
+  provider_.UpdateChromePolicy(policies);
+  // The blacklisting should take effect.
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  // The user can't enable the plugin.
+  EXPECT_FALSE(SetPluginEnabled(plugin_prefs, flash, true));
+
+  // Remove it from the blacklist.
+  policies.Erase(key::kDisabledPlugins);
+  provider_.UpdateChromePolicy(policies);
+
+  // It should revert to the user's preferences automatically.
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  // The user can enable it.
+  EXPECT_TRUE(SetPluginEnabled(plugin_prefs, flash, true));
+  EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
+}
+
+IN_PROC_BROWSER_TEST_F(PolicyTest, DisabledPluginsByVersion) {
+  std::vector<webkit::WebPluginInfo> plugins;
+  GetPluginList(&plugins);
+  const webkit::WebPluginInfo* flash = GetFlashPlugin(plugins);
+  if (!flash)
+    return;
+  PluginPrefs* plugin_prefs = PluginPrefs::GetForProfile(browser()->profile());
+  EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
+
+  Version flash_version;
+  webkit::npapi::CreateVersionFromString(flash->version, &flash_version);
+  base::ListValue plugin_version_list;
+  plugin_version_list.Append(
+      base::Value::CreateStringValue("*Flash*:" + flash_version.GetString()));
+  PolicyMap policies;
+  policies.Set(key::kDisabledPluginsByVersion, POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER, plugin_version_list.DeepCopy());
+  provider_.UpdateChromePolicy(policies);
+  // The version blacklisting should take effect.
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  // The user can't enable the plugin.
+  EXPECT_FALSE(SetPluginEnabled(plugin_prefs, flash, true));
+
+  // Set an EnablePlugin policy for flash.
+  base::ListValue enabled_plugins;
+  enabled_plugins.Append(base::Value::CreateStringValue("*Flash*"));
+  policies.Set(key::kEnabledPlugins, POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER, enabled_plugins.DeepCopy());
+  provider_.UpdateChromePolicy(policies);
+  // Disabling by version is still holding, the plugin is disabled and
+  // the user can't enable it.
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  EXPECT_FALSE(SetPluginEnabled(plugin_prefs, flash, true));
+
+  // Set a DisabledPluginsException policy.
+  base::ListValue disabled_exception_plugins;
+  disabled_exception_plugins.Append(base::Value::CreateStringValue("*Flash*"));
+  policies.Set(key::kDisabledPluginsExceptions, POLICY_LEVEL_MANDATORY,
+               POLICY_SCOPE_USER, disabled_exception_plugins.DeepCopy());
+  provider_.UpdateChromePolicy(policies);
+  // Disabling by version is still holding, the plugin is disabled and
+  // the user can't enable it.
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
+  EXPECT_FALSE(SetPluginEnabled(plugin_prefs, flash, true));
+
+  // Now, remove all policies.
+  policies.Erase(key::kDisabledPluginsByVersion);
+  policies.Erase(key::kEnabledPlugins);
+  policies.Erase(key::kDisabledPluginsExceptions);
+  provider_.UpdateChromePolicy(policies);
+
+  // It should revert to the user's preferences automatically.
+  EXPECT_TRUE(plugin_prefs->IsPluginEnabled(*flash));
+  // The user can disable it.
+  EXPECT_TRUE(SetPluginEnabled(plugin_prefs, flash, false));
+  EXPECT_FALSE(plugin_prefs->IsPluginEnabled(*flash));
 }
 
 IN_PROC_BROWSER_TEST_F(PolicyTest, AlwaysAuthorizePlugins) {