authorkinuko@chromium.org <kinuko@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-08 09:52:07 +0000
committerkinuko@chromium.org <kinuko@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-10-08 09:52:07 +0000
commit70c6c0434d1d02f3994ec65054a0860ee20e7d43 (patch)
treea5bb9840ebeda22497f5e98cff7c6f34087d6e0b /webkit/fileapi
parentda8f24a7eb62b20a29413c8b1bd1ccd156cfb593 (diff)
Allow unlimited quota for apps for FileSystem access
- allow unlimited access for apps/extensions that have "unlimited_storage" permission. - disallow any write access that may increase the filesystem usage (i.e. copy/move/create/write) for others. - allow unlimited access for file:/// URIs only if --allow-file-from-files flag is given. BUG=57211 TEST=FileSystemQuota.* TEST=Load a remote test page and verify that it throws QUOTA_EXCEEDED_ERR (22) for any write access. TEST=Load an app/extension page that has "unlimited_storage" permission and verify that any write access is allowed. TEST=Disable or uninstall the app/extension and do the same. Verify that it throws QUOTA_EXCEEDED_ERR (22) for any write access. TEST=Launch chromium without --allow-file-from-files flag, load a local test page (with file:/// URI) and verify that it throws SECURITY_ERR (18) for requestFileSystem. TEST=Launch chromium with --allow-file-from-files flag and do the same. Verify that requestFileSystem returns a valid filesystem and any write access is allowed. Review URL: http://codereview.chromium.org/3561016 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@61934 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/fileapi')
-rw-r--r--webkit/fileapi/file_system_quota.cc35
-rw-r--r--webkit/fileapi/file_system_quota.h42
-rw-r--r--webkit/fileapi/file_system_quota_unittest.cc146
-rw-r--r--webkit/fileapi/webkit_fileapi.gypi2
4 files changed, 225 insertions, 0 deletions
diff --git a/webkit/fileapi/file_system_quota.cc b/webkit/fileapi/file_system_quota.cc
new file mode 100644
index 0000000..eb69beb
--- /dev/null
+++ b/webkit/fileapi/file_system_quota.cc
@@ -0,0 +1,35 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "webkit/fileapi/file_system_quota.h"
+
+#include "base/file_path.h"
+#include "base/file_util_proxy.h"
+#include "base/ref_counted.h"
+#include "base/scoped_callback_factory.h"
+
+namespace fileapi {
+
+const int64 FileSystemQuota::kUnknownSize = -1;
+
+bool FileSystemQuota::CheckOriginQuota(const GURL& origin, int64) {
+ return CheckIfOriginGrantedUnlimitedQuota(origin);
+}
+
+void FileSystemQuota::SetOriginQuotaUnlimited(const GURL& origin) {
+ DCHECK(origin == origin.GetOrigin());
+ unlimited_quota_origins_.insert(origin);
+}
+
+void FileSystemQuota::ResetOriginQuotaUnlimited(const GURL& origin) {
+ DCHECK(origin == origin.GetOrigin());
+ unlimited_quota_origins_.erase(origin);
+}
+
+bool FileSystemQuota::CheckIfOriginGrantedUnlimitedQuota(const GURL& origin) {
+ std::set<GURL>::const_iterator found = unlimited_quota_origins_.find(origin);
+ return (found != unlimited_quota_origins_.end());
+}
+
+} // namespace fileapi
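Review bot: `SetOriginQuotaUnlimited` and `ResetOriginQuotaUnlimited` enforce the origin-only precondition with `DCHECK` alone, which is compiled out of release builds, and `CheckIfOriginGrantedUnlimitedQuota` does not check it at all. If a caller ever passes a URL that still carries a path to the reset function, `erase` would match nothing and the earlier grant would stay in the set, so a revocation (the description mentions disabling or uninstalling an app) could silently fail open. Normalizing inside the class removes the dependency on every caller: `unlimited_quota_origins_.insert(origin.GetOrigin());`, `unlimited_quota_origins_.erase(origin.GetOrigin());` and `unlimited_quota_origins_.find(origin.GetOrigin())`. Separately, the four `base/...` includes do not appear to be used by anything in this file.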
diff --git a/webkit/fileapi/file_system_quota.h b/webkit/fileapi/file_system_quota.h
new file mode 100644
index 0000000..80888ed1
--- /dev/null
+++ b/webkit/fileapi/file_system_quota.h
@@ -0,0 +1,42 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef WEBKIT_FILEAPI_FILE_SYSTEM_QUOTA_H_
+#define WEBKIT_FILEAPI_FILE_SYSTEM_QUOTA_H_
+
+#include <set>
+
+#include "base/basictypes.h"
+#include "googleurl/src/gurl.h"
+
+namespace fileapi {
+
+// A quota manager for FileSystem. For now it has little implementation
+// and just allows unlimited quota for apps.
+class FileSystemQuota {
+ public:
+ FileSystemQuota() { }
+ static const int64 kUnknownSize;
+
+ // Checks if the origin can grow its usage by |growth| bytes.
+ // This only performs in-memory check and returns immediately.
+ // For now it just returns false for any origins (regardless of the size)
+ // that are not in the in-memory unlimited_quota_origins map.
+ bool CheckOriginQuota(const GURL& origin, int64 growth);
+
+ // Maintains origins in memory that are allowed to have unlimited quota.
+ void SetOriginQuotaUnlimited(const GURL& origin);
+ void ResetOriginQuotaUnlimited(const GURL& origin);
+ bool CheckIfOriginGrantedUnlimitedQuota(const GURL& origin);
+
+ private:
+ // For some extensions/apps we allow unlimited quota.
+ std::set<GURL> unlimited_quota_origins_;
+
+ DISALLOW_COPY_AND_ASSIGN(FileSystemQuota);
+};
+
+} // namespace fileapi
+
+#endif // WEBKIT_FILEAPI_FILE_SYSTEM_QUOTA_H_
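Review bot: The header does not state the preconditions the implementation relies on: that every `origin` argument is already reduced to `GetOrigin()` form, and which thread may touch `unlimited_quota_origins_`, a plain `std::set` with no locking visible here. I would add a class-level line such as `// Not thread-safe; all methods must be called on the same thread.` (if that is the intent) and `// |origin| must be an origin URL, i.e. origin == origin.GetOrigin().` above the three origin methods. `kUnknownSize` has no comment; from the name it looks like a sentinel for |growth| when the caller cannot tell how many bytes will be added, which should be confirmed and written down together with the fact that |growth| is currently ignored. The `CheckOriginQuota` comment says "map" where the member is a set, and both check methods could be declared `const`.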
diff --git a/webkit/fileapi/file_system_quota_unittest.cc b/webkit/fileapi/file_system_quota_unittest.cc
new file mode 100644
index 0000000..0c505cd
--- /dev/null
+++ b/webkit/fileapi/file_system_quota_unittest.cc
@@ -0,0 +1,146 @@
+// Copyright (c) 2010 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "webkit/fileapi/file_system_quota.h"
+
+#include "base/basictypes.h"
+#include "base/logging.h"
+#include "base/scoped_ptr.h"
+#include "base/string_number_conversions.h"
+#include "testing/gtest/include/gtest/gtest.h"
+
+using namespace fileapi;
+
+class FileSystemQuotaTest : public testing::Test {
+ public:
+ FileSystemQuotaTest() { }
+
+ void SetUp() {
+ quota_.reset(new FileSystemQuota);
+ }
+
+ FileSystemQuota* quota() const { return quota_.get(); }
+
+ protected:
+ scoped_ptr<FileSystemQuota> quota_;
+ DISALLOW_COPY_AND_ASSIGN(FileSystemQuotaTest);
+};
+
+namespace {
+
+static const char* const kTestOrigins[] = {
+ "https://a.com/",
+ "http://b.com/",
+ "http://c.com:1/",
+ "file:///",
+};
+
+} // anonymous namespace
+
+TEST_F(FileSystemQuotaTest, CheckOriginQuotaNotAllowed) {
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ SCOPED_TRACE(testing::Message() << "CheckOriginQuotaNotAllowed #"
+ << i << " " << kTestOrigins[i]);
+ // Should fail no matter how much size is requested.
+ EXPECT_FALSE(quota()->CheckOriginQuota(GURL(kTestOrigins[i]), -1));
+ EXPECT_FALSE(quota()->CheckOriginQuota(GURL(kTestOrigins[i]), 0));
+ EXPECT_FALSE(quota()->CheckOriginQuota(GURL(kTestOrigins[i]), 100));
+ }
+}
+
+TEST_F(FileSystemQuotaTest, CheckOriginQuotaUnlimited) {
+ // Tests if SetOriginQuotaUnlimited and ResetOriginQuotaUnlimited
+ // are working as expected.
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ SCOPED_TRACE(testing::Message() << "CheckOriginQuotaUnlimited #"
+ << i << " " << kTestOrigins[i]);
+ GURL url(kTestOrigins[i]);
+ EXPECT_FALSE(quota()->CheckIfOriginGrantedUnlimitedQuota(url));
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, 0));
+
+ quota()->SetOriginQuotaUnlimited(url);
+ EXPECT_TRUE(quota()->CheckIfOriginGrantedUnlimitedQuota(url));
+ EXPECT_TRUE(quota()->CheckOriginQuota(url, -1));
+ EXPECT_TRUE(quota()->CheckOriginQuota(url, 0));
+ EXPECT_TRUE(quota()->CheckOriginQuota(url, 100));
+
+ quota()->ResetOriginQuotaUnlimited(url);
+ EXPECT_FALSE(quota()->CheckIfOriginGrantedUnlimitedQuota(url));
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, -1));
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, 0));
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, 100));
+ }
+}
+
+TEST_F(FileSystemQuotaTest, CheckOriginQuotaWithMixedSet) {
+ // Tests setting unlimited quota for some urls doesn't affect
+ // other urls.
+ GURL test_url1("http://foo.bar.com/");
+ GURL test_url2("http://example.com/");
+ quota()->SetOriginQuotaUnlimited(test_url1);
+ quota()->SetOriginQuotaUnlimited(test_url2);
+
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ SCOPED_TRACE(testing::Message() << "CheckOriginQuotaMixedSet #"
+ << i << " " << kTestOrigins[i]);
+ GURL url(kTestOrigins[i]);
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, 0));
+ EXPECT_FALSE(quota()->CheckIfOriginGrantedUnlimitedQuota(url));
+ }
+}
+
+TEST_F(FileSystemQuotaTest, CheckOriginQuotaMixedWithDifferentScheme) {
+ // Tests setting unlimited quota for urls doesn't affect
+ // pages in the same hosts but with different scheme.
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ GURL url(kTestOrigins[i]);
+ if (url.SchemeIsFile())
+ continue;
+ DCHECK(url == url.GetOrigin());
+ std::string new_scheme = "https";
+ if (url.SchemeIsSecure())
+ new_scheme = "http";
+ else
+ DCHECK(url.SchemeIs("http"));
+ std::string new_url_string = new_scheme + "://" + url.host();
+ if (url.has_port())
+ new_url_string += ":" + url.port();
+ quota()->SetOriginQuotaUnlimited(GURL(new_url_string));
+ }
+
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ SCOPED_TRACE(testing::Message()
+ << "CheckOriginQuotaMixedWithDifferentScheme #"
+ << i << " " << kTestOrigins[i]);
+ GURL url(kTestOrigins[i]);
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, 0));
+ EXPECT_FALSE(quota()->CheckIfOriginGrantedUnlimitedQuota(url));
+ }
+}
+
+TEST_F(FileSystemQuotaTest, CheckOriginQuotaMixedWithDifferentPort) {
+ // Tests setting unlimited quota for urls doesn't affect
+ // pages in the same scheme/hosts but with different port number.
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ GURL url(kTestOrigins[i]);
+ if (url.SchemeIsFile())
+ continue;
+ DCHECK(url == url.GetOrigin());
+ int port = 81;
+ if (url.has_port())
+ port = url.IntPort() + 1;
+ GURL new_url(url.scheme() + "://" + url.host() + ":" +
+ base::IntToString(port));
+ quota()->SetOriginQuotaUnlimited(new_url);
+ }
+
+ for (size_t i = 0; i < ARRAYSIZE_UNSAFE(kTestOrigins); ++i) {
+ SCOPED_TRACE(testing::Message()
+ << "CheckOriginQuotaMixedWithDifferentPort #"
+ << i << " " << kTestOrigins[i]);
+ GURL url(kTestOrigins[i]);
+ EXPECT_FALSE(quota()->CheckOriginQuota(url, 0));
+ EXPECT_FALSE(quota()->CheckIfOriginGrantedUnlimitedQuota(url));
+ }
+}
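Review bot: The tests never revoke one origin while another stays granted, and never look up a non-origin URL (one that still has a path), so the two behaviours that matter most for the grant list are not pinned. In `CheckOriginQuotaWithMixedSet` I would add after the loop `quota()->ResetOriginQuotaUnlimited(test_url1);` followed by `EXPECT_TRUE(quota()->CheckIfOriginGrantedUnlimitedQuota(test_url2));`. The `DCHECK(url == url.GetOrigin())` lines in the scheme and port tests do nothing in release test builds; `ASSERT_TRUE(url == url.GetOrigin());` checks in every configuration. `static` on `kTestOrigins` is redundant inside the anonymous namespace.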
diff --git a/webkit/fileapi/webkit_fileapi.gypi b/webkit/fileapi/webkit_fileapi.gypi
index a795da4..f01e9db 100644
--- a/webkit/fileapi/webkit_fileapi.gypi
+++ b/webkit/fileapi/webkit_fileapi.gypi
@@ -17,6 +17,8 @@
'file_system_callback_dispatcher.h',
'file_system_operation.cc',
'file_system_operation.h',
+ 'file_system_quota.cc',
+ 'file_system_quota.h',
'file_system_types.h',
'file_writer_delegate.cc',
'file_writer_delegate.h',