Added EnabledPlugins policy.

The EnabledPlugins policy is linked to the plugins.plugins_whitelist preference.
Renamed some methods to clarify that policies can both disable and enable plugins.

Updated plugins.html (about:plugins) to display policy-enabled plugins.

Lots of tweaks in PluginGroup and PluginList (webkit/plugins/npapi) to preserve the
user's preference across policy changes. Removing a policy on a plugin restores the
state that the user had configured before.

TODO:
The interaction of "EnabledPlugins" and "DisabledPlugins" when overlapping isn't very well addressed yet. Currently, any plugin matching the "disabled" list will be disabled, regardless of matching or not the "enabled" list.

Small fixes:
Added missing "noPlugins" string to the jstemplate strings for plugins.html.

BUG=55022
TEST=Create a policy enabling a specific plugin and check about:plugins. Also test_shell_test PluginGroupTest.ManagedByPolicy, and unit_tests.

Review URL: http://codereview.chromium.org/6469068
Patch from Joao da Silva <joaodasilva@chromium.org>.

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@76373 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 270 insertions, 73 deletions

diff --git a/webkit/plugins/npapi/plugin_group.cc b/webkit/plugins/npapi/plugin_group.cc
index fc5a4c1..4b61baa 100644
--- a/webkit/plugins/npapi/plugin_group.cc
+++ b/webkit/plugins/npapi/plugin_group.cc
@@ -26,25 +26,42 @@ const char* PluginGroup::kShockwaveGroupName = "Shockwave";
 
 /*static*/
 std::set<string16>* PluginGroup::policy_disabled_plugin_patterns_;
+/*static*/
+std::set<string16>* PluginGroup::policy_disabled_plugin_exception_patterns_;
+/*static*/
+std::set<string16>* PluginGroup::policy_enabled_plugin_patterns_;
 
 /*static*/
-void PluginGroup::SetPolicyDisabledPluginPatterns(
-    const std::set<string16>& set) {
+void PluginGroup::SetPolicyEnforcedPluginPatterns(
+    const std::set<string16>& plugins_disabled,
+    const std::set<string16>& plugins_disabled_exceptions,
+    const std::set<string16>& plugins_enabled) {
   if (!policy_disabled_plugin_patterns_)
-    policy_disabled_plugin_patterns_ = new std::set<string16>(set);
+    policy_disabled_plugin_patterns_ = new std::set<string16>(plugins_disabled);
+  else
+    *policy_disabled_plugin_patterns_ = plugins_disabled;
+
+  if (!policy_disabled_plugin_exception_patterns_)
+    policy_disabled_plugin_exception_patterns_ =
+        new std::set<string16>(plugins_disabled_exceptions);
+  else
+    *policy_disabled_plugin_exception_patterns_ = plugins_disabled_exceptions;
+
+  if (!policy_enabled_plugin_patterns_)
+    policy_enabled_plugin_patterns_ = new std::set<string16>(plugins_enabled);
   else
-    *policy_disabled_plugin_patterns_ = set;
+    *policy_enabled_plugin_patterns_ = plugins_enabled;
 }
 
 /*static*/
-bool PluginGroup::IsPluginNameDisabledByPolicy(const string16& plugin_name) {
-  if (!policy_disabled_plugin_patterns_)
+bool PluginGroup::IsStringMatchedInSet(const string16& name,
+                                       const std::set<string16>* pattern_set) {
+  if (!pattern_set)
     return false;
 
-  std::set<string16>::const_iterator pattern(
-      policy_disabled_plugin_patterns_->begin());
-  while (pattern != policy_disabled_plugin_patterns_->end()) {
-    if (MatchPattern(plugin_name, *pattern))
+  std::set<string16>::const_iterator pattern(pattern_set->begin());
+  while (pattern != pattern_set->end()) {
+    if (MatchPattern(name, *pattern))
       return true;
     ++pattern;
   }
@@ -52,6 +69,38 @@ bool PluginGroup::IsPluginNameDisabledByPolicy(const string16& plugin_name) {
   return false;
 }
 
+/*static*/
+bool PluginGroup::IsPluginNameDisabledByPolicy(const string16& plugin_name) {
+  // A plugin that matches some "disabled" pattern but also matches an "enabled"
+  // pattern will be enabled. Example: disable "*", enable "Flash, Java".
+  // Same for matching an "exception" pattern.
+  return IsStringMatchedInSet(plugin_name, policy_disabled_plugin_patterns_) &&
+        !IsStringMatchedInSet(plugin_name, policy_enabled_plugin_patterns_) &&
+        !IsStringMatchedInSet(plugin_name,
+                              policy_disabled_plugin_exception_patterns_);
+}
+
+/*static*/
+bool PluginGroup::IsPluginFileNameDisabledByPolicy(const string16& plugin_name,
+                                                   const string16& group_name) {
+  // This handles a specific plugin within a group that is allowed,
+  // but whose name matches a disabled pattern.
+  // Example: disable "*", exception "Java".
+  bool group_has_exception = IsStringMatchedInSet(
+      group_name,
+      policy_disabled_plugin_exception_patterns_);
+
+  return !IsPluginNameEnabledByPolicy(plugin_name) &&
+         !group_has_exception &&
+          IsPluginNameDisabledByPolicy(plugin_name);
+}
+
+/*static*/
+bool PluginGroup::IsPluginNameEnabledByPolicy(const string16& plugin_name) {
+  // There are no exceptions to enabled plugins.
+  return IsStringMatchedInSet(plugin_name, policy_enabled_plugin_patterns_);
+}
+
 VersionRange::VersionRange(VersionRangeDefinition definition)
     : low_str(definition.version_matcher_low),
       high_str(definition.version_matcher_high),
@@ -262,8 +311,13 @@ bool PluginGroup::EnablePlugin(const FilePath& filename) {
   bool did_enable = false;
   ResetGroupState();
   for (size_t i = 0; i < web_plugin_infos_.size(); ++i) {
-    if (web_plugin_infos_[i].path == filename)
-      did_enable = Enable(&web_plugin_infos_[i], WebPluginInfo::USER_ENABLED);
+    if (web_plugin_infos_[i].path == filename) {
+      did_enable = Enable(
+          &web_plugin_infos_[i],
+          IsPluginNameEnabledByPolicy(web_plugin_infos_[i].name) ?
+              WebPluginInfo::USER_ENABLED_POLICY_ENABLED :
+              WebPluginInfo::USER_ENABLED);
+    }
     UpdateActivePlugin(web_plugin_infos_[i]);
   }
   return did_enable;
@@ -326,23 +380,35 @@ DictionaryValue* PluginGroup::GetDataForUI() const {
   result->SetBoolean("critical", IsVulnerable());
 
   bool group_disabled_by_policy = IsPluginNameDisabledByPolicy(name);
+  bool group_enabled_by_policy = IsPluginNameEnabledByPolicy(name);
   ListValue* plugin_files = new ListValue();
   bool all_plugins_disabled_by_policy = true;
+  bool all_plugins_enabled_by_policy = true;
   for (size_t i = 0; i < web_plugin_infos_.size(); ++i) {
     DictionaryValue* plugin_file = new DictionaryValue();
     plugin_file->SetString("name", web_plugin_infos_[i].name);
     plugin_file->SetString("description", web_plugin_infos_[i].desc);
     plugin_file->SetString("path", web_plugin_infos_[i].path.value());
     plugin_file->SetString("version", web_plugin_infos_[i].version);
+
     bool plugin_disabled_by_policy = group_disabled_by_policy ||
         ((web_plugin_infos_[i].enabled & WebPluginInfo::POLICY_DISABLED) != 0);
+    bool plugin_enabled_by_policy = group_enabled_by_policy ||
+        ((web_plugin_infos_[i].enabled & WebPluginInfo::POLICY_ENABLED) != 0);
+
+    if (!plugin_disabled_by_policy)
+      all_plugins_disabled_by_policy = false;
+    if (!plugin_enabled_by_policy)
+      all_plugins_enabled_by_policy = false;
+
     if (plugin_disabled_by_policy) {
       plugin_file->SetString("enabledMode", "disabledByPolicy");
+    } else if (plugin_enabled_by_policy) {
+        plugin_file->SetString("enabledMode", "enabledByPolicy");
     } else {
-      all_plugins_disabled_by_policy = false;
       plugin_file->SetString(
           "enabledMode", IsPluginEnabled(web_plugin_infos_[i]) ?
-              "enabled" : "disabledByUser");
+              "enabledByUser" : "disabledByUser");
     }
 
     ListValue* mime_types = new ListValue();
@@ -369,8 +435,12 @@ DictionaryValue* PluginGroup::GetDataForUI() const {
 
   if (group_disabled_by_policy || all_plugins_disabled_by_policy) {
     result->SetString("enabledMode", "disabledByPolicy");
+  } else if (group_enabled_by_policy || all_plugins_enabled_by_policy) {
+    result->SetString("enabledMode", "enabledByPolicy");
   } else {
-    result->SetString("enabledMode", enabled_ ? "enabled" : "disabledByUser");
+    result->SetString("enabledMode", enabled_ ?
+                              "enabledByUser" :
+                              "disabledByUser");
   }
   result->Set("plugin_files", plugin_files);
 
@@ -440,21 +510,28 @@ void PluginGroup::DisableOutdatedPlugins() {
 
 bool PluginGroup::EnableGroup(bool enable) {
   bool group_disabled_by_policy = IsPluginNameDisabledByPolicy(group_name_);
-  // We can't enable groups disabled by policy
-  if (group_disabled_by_policy && enable)
+  bool group_enabled_by_policy = IsPluginNameEnabledByPolicy(group_name_);
+
+  // We can't enable nor disable groups controlled by policy.
+  if ((group_disabled_by_policy && enable) ||
+      (group_enabled_by_policy && !enable))
     return false;
 
   ResetGroupState();
   for (size_t i = 0; i < web_plugin_infos_.size(); ++i) {
+    bool policy_enabled =
+        IsPluginNameEnabledByPolicy(web_plugin_infos_[i].name);
     bool policy_disabled =
-        IsPluginNameDisabledByPolicy(web_plugin_infos_[i].name);
-    if (enable && !policy_disabled) {
+        IsPluginFileNameDisabledByPolicy(web_plugin_infos_[i].name,
+                                         group_name_);
+    if (policy_disabled) {
+      Disable(&web_plugin_infos_[i], WebPluginInfo::POLICY_DISABLED);
+    } else if (policy_enabled) {
+      Enable(&web_plugin_infos_[i], WebPluginInfo::POLICY_ENABLED);
+    } else if (enable) {
       Enable(&web_plugin_infos_[i], WebPluginInfo::USER_ENABLED);
     } else {
-      Disable(&web_plugin_infos_[i],
-              policy_disabled || group_disabled_by_policy ?
-                  WebPluginInfo::POLICY_DISABLED :
-                  WebPluginInfo::USER_DISABLED);
+      Disable(&web_plugin_infos_[i], WebPluginInfo::USER_DISABLED);
     }
     UpdateActivePlugin(web_plugin_infos_[i]);
   }
@@ -463,19 +540,30 @@ bool PluginGroup::EnableGroup(bool enable) {
 
 void PluginGroup::EnforceGroupPolicy() {
   bool group_disabled_by_policy = IsPluginNameDisabledByPolicy(group_name_);
+  bool group_enabled_by_policy = IsPluginNameEnabledByPolicy(group_name_);
 
   ResetGroupState();
   for (size_t i = 0; i < web_plugin_infos_.size(); ++i) {
+    bool policy_enabled =
+        group_enabled_by_policy ||
+        IsPluginNameEnabledByPolicy(web_plugin_infos_[i].name);
     bool policy_disabled =
-        IsPluginNameDisabledByPolicy(web_plugin_infos_[i].name) |
-        group_disabled_by_policy;
-
-    // TODO(pastarmovj): Add the code for enforcing enabled by policy...
+        !policy_enabled &&
+        (group_disabled_by_policy ||
+         IsPluginFileNameDisabledByPolicy(web_plugin_infos_[i].name,
+                                          group_name_));
     if (policy_disabled) {
       Disable(&web_plugin_infos_[i], WebPluginInfo::POLICY_DISABLED);
-    // ...here would a else if (policy_enabled) { ... } be then.
+    } else if (policy_enabled) {
+      Enable(&web_plugin_infos_[i], WebPluginInfo::POLICY_ENABLED);
     } else {
-      Enable(&web_plugin_infos_[i], WebPluginInfo::POLICY_UNMANAGED);
+      // If not managed, use the user's preference.
+      if ((web_plugin_infos_[i].enabled & WebPluginInfo::USER_MASK) ==
+          WebPluginInfo::USER_ENABLED) {
+        Enable(&web_plugin_infos_[i], WebPluginInfo::POLICY_UNMANAGED);
+      } else {
+        Disable(&web_plugin_infos_[i], WebPluginInfo::POLICY_UNMANAGED);
+      }
     }
     UpdateActivePlugin(web_plugin_infos_[i]);
   }
@@ -487,45 +575,46 @@ void PluginGroup::ResetGroupState() {
   version_.reset(Version::GetVersionFromString("0"));
 }
 
-bool PluginGroup::Enable(WebPluginInfo* plugin,
-                         int new_reason) {
-  DCHECK(new_reason == WebPluginInfo::USER_ENABLED ||
-         new_reason == WebPluginInfo::POLICY_UNMANAGED ||
-         new_reason == WebPluginInfo::POLICY_ENABLED);
+/*static*/
+bool PluginGroup::SetPluginState(WebPluginInfo* plugin,
+                                 int new_reason,
+                                 bool state_changes) {
   // If we are only stripping the policy then mask the policy bits.
   if (new_reason == WebPluginInfo::POLICY_UNMANAGED) {
     plugin->enabled &= WebPluginInfo::USER_MASK;
     return true;
   }
-  // If already enabled just upgrade the reason.
-  if (IsPluginEnabled(*plugin)) {
-    plugin->enabled |= new_reason;
-    return true;
+  if (new_reason & WebPluginInfo::MANAGED_MASK) {
+    // Policy-enforced change: preserve the user's preference, and override
+    // a possible previous policy flag.
+    plugin->enabled = (plugin->enabled & WebPluginInfo::USER_MASK) | new_reason;
+  } else if (state_changes && (plugin->enabled & WebPluginInfo::MANAGED_MASK)) {
+    // Refuse change when managed.
+    return false;
   } else {
-    // Only changeable if not managed.
-    if (plugin->enabled & WebPluginInfo::MANAGED_MASK)
-      return false;
-    plugin->enabled = new_reason;
+    // Accept the user update, but keep the policy flag if present.
+    plugin->enabled = (plugin->enabled & WebPluginInfo::MANAGED_MASK) |
+        new_reason;
   }
   return true;
 }
 
-bool PluginGroup::Disable(WebPluginInfo* plugin,
-                          int new_reason) {
+/*static*/
+bool PluginGroup::Enable(WebPluginInfo* plugin, int new_reason) {
+  DCHECK(new_reason == WebPluginInfo::USER_ENABLED ||
+         new_reason == WebPluginInfo::POLICY_ENABLED ||
+         new_reason == WebPluginInfo::USER_ENABLED_POLICY_ENABLED ||
+         new_reason == WebPluginInfo::POLICY_UNMANAGED);
+  return SetPluginState(plugin, new_reason, !IsPluginEnabled(*plugin));
+}
+
+/*static*/
+bool PluginGroup::Disable(WebPluginInfo* plugin, int new_reason) {
   DCHECK(new_reason == WebPluginInfo::USER_DISABLED ||
          new_reason == WebPluginInfo::POLICY_DISABLED ||
-         new_reason == WebPluginInfo::USER_DISABLED_POLICY_DISABLED);
-  // If already disabled just upgrade the reason.
-  if (!IsPluginEnabled(*plugin)) {
-    plugin->enabled |= new_reason;
-    return true;
-  } else {
-    // Only changeable if not managed.
-    if (plugin->enabled & WebPluginInfo::MANAGED_MASK)
-      return false;
-    plugin->enabled = new_reason;
-  }
-  return true;
+         new_reason == WebPluginInfo::USER_DISABLED_POLICY_DISABLED ||
+         new_reason == WebPluginInfo::POLICY_UNMANAGED);
+  return SetPluginState(plugin, new_reason, IsPluginEnabled(*plugin));
 }
 
 }  // namespace npapi
diff --git a/webkit/plugins/npapi/plugin_group.h b/webkit/plugins/npapi/plugin_group.h
index 9e0250c..39d9cd1 100644
--- a/webkit/plugins/npapi/plugin_group.h
+++ b/webkit/plugins/npapi/plugin_group.h
@@ -94,14 +94,24 @@ class PluginGroup {
 
   PluginGroup& operator=(const PluginGroup& other);
 
-  // Configures the set of plugin name patterns for disabling plugins via
-  // enterprise configuration management.
-  static void SetPolicyDisabledPluginPatterns(const std::set<string16>& set);
-
-  // Tests to see if a plugin is on the blacklist using its name as
-  // the lookup key.
+  // Configures the set of plugin name patterns for enabling and disabling
+  // plugins via enterprise configuration management.
+  static void SetPolicyEnforcedPluginPatterns(
+      const std::set<string16>& plugins_disabled,
+      const std::set<string16>& plugins_disabled_exceptions,
+      const std::set<string16>& plugins_enabled);
+
+  // Tests whether |plugin_name| is disabled by policy.
   static bool IsPluginNameDisabledByPolicy(const string16& plugin_name);
 
+  // Tests whether |plugin_name| within the plugin group |group_name| is
+  // disabled by policy.
+  static bool IsPluginFileNameDisabledByPolicy(const string16& plugin_name,
+                                               const string16& group_name);
+
+  // Tests whether |plugin_name| is enabled by policy.
+  static bool IsPluginNameEnabledByPolicy(const string16& plugin_name);
+
   // Returns true if the given plugin matches this group.
   bool Match(const WebPluginInfo& plugin) const;
 
@@ -245,13 +255,24 @@ class PluginGroup {
   // Returns true on success. Does not update the group state.
   static bool Disable(WebPluginInfo* plugin, int reason);
 
+  // Helper function to implement the functions above.
+  static bool SetPluginState(WebPluginInfo* plugin,
+                             int new_reason,
+                             bool state_changes);
+
   // Returns a non-const vector of all plugins in the group. This is only used
   // by PluginList.
   std::vector<WebPluginInfo>& GetPluginsContainer() {
     return web_plugin_infos_;
   }
 
+  // Checks if |name| matches any of the patterns in |pattern_set|.
+  static bool IsStringMatchedInSet(const string16& name,
+                                   const std::set<string16>* pattern_set);
+
   static std::set<string16>* policy_disabled_plugin_patterns_;
+  static std::set<string16>* policy_disabled_plugin_exception_patterns_;
+  static std::set<string16>* policy_enabled_plugin_patterns_;
 
   std::string identifier_;
   string16 group_name_;
diff --git a/webkit/plugins/npapi/plugin_group_unittest.cc b/webkit/plugins/npapi/plugin_group_unittest.cc
index 476655f..960d470 100644
--- a/webkit/plugins/npapi/plugin_group_unittest.cc
+++ b/webkit/plugins/npapi/plugin_group_unittest.cc
@@ -89,11 +89,13 @@ class PluginGroupTest : public testing::Test {
   }
  protected:
   virtual void TearDown() {
-    PluginGroup::SetPolicyDisabledPluginPatterns(std::set<string16>());
+    PluginGroup::SetPolicyEnforcedPluginPatterns(std::set<string16>(),
+                                                 std::set<string16>(),
+                                                 std::set<string16>());
   }
 };
 
-TEST(PluginGroupTest, PluginGroupMatch) {
+TEST_F(PluginGroupTest, PluginGroupMatch) {
   scoped_ptr<PluginGroup> group(PluginGroupTest::CreatePluginGroup(
       kPluginDef3));
   EXPECT_TRUE(group->Match(kPlugin3045));
@@ -106,7 +108,7 @@ TEST(PluginGroupTest, PluginGroupMatch) {
   EXPECT_FALSE(group->Match(kPluginNoVersion));
 }
 
-TEST(PluginGroupTest, PluginGroupMatchCorrectVersion) {
+TEST_F(PluginGroupTest, PluginGroupMatchCorrectVersion) {
   scoped_ptr<PluginGroup> group(PluginGroupTest::CreatePluginGroup(
       kPluginDef3));
   EXPECT_TRUE(group->Match(kPlugin2043));
@@ -124,7 +126,7 @@ TEST(PluginGroupTest, PluginGroupMatchCorrectVersion) {
   EXPECT_TRUE(group->Match(kPlugin4043));
 }
 
-TEST(PluginGroupTest, PluginGroupDescription) {
+TEST_F(PluginGroupTest, PluginGroupDescription) {
   string16 desc3043(ASCIIToUTF16("MyPlugin version 3.0.43"));
   string16 desc3045(ASCIIToUTF16("MyPlugin version 3.0.45"));
 
@@ -163,7 +165,7 @@ TEST(PluginGroupTest, PluginGroupDescription) {
   }
 }
 
-TEST(PluginGroupTest, PluginGroupDefinition) {
+TEST_F(PluginGroupTest, PluginGroupDefinition) {
   for (size_t i = 0; i < arraysize(kPluginDefinitions); ++i) {
     scoped_ptr<PluginGroup> def_group(
         PluginGroupTest::CreatePluginGroup(kPluginDefinitions[i]));
@@ -171,7 +173,7 @@ TEST(PluginGroupTest, PluginGroupDefinition) {
   }
 }
 
-TEST(PluginGroupTest, DisableOutdated) {
+TEST_F(PluginGroupTest, DisableOutdated) {
   PluginGroupDefinition plugindefs[] = { kPluginDef3, kPluginDef34 };
   for (size_t i = 0; i < 2; ++i) {
     scoped_ptr<PluginGroup> group(PluginGroupTest::CreatePluginGroup(
@@ -188,7 +190,7 @@ TEST(PluginGroupTest, DisableOutdated) {
   }
 }
 
-TEST(PluginGroupTest, VersionExtraction) {
+TEST_F(PluginGroupTest, VersionExtraction) {
   // Some real-world plugin versions (spaces, commata, parentheses, 'r', oh my)
   const char* versions[][2] = {
     { "7.6.6 (1671)", "7.6.6.1671" },  // Quicktime
@@ -216,11 +218,13 @@ TEST(PluginGroupTest, VersionExtraction) {
   }
 }
 
-TEST(PluginGroupTest, DisabledByPolicy) {
+TEST_F(PluginGroupTest, DisabledByPolicy) {
   std::set<string16> disabled_plugins;
   disabled_plugins.insert(ASCIIToUTF16("Disable this!"));
   disabled_plugins.insert(ASCIIToUTF16("*Google*"));
-  PluginGroup::SetPolicyDisabledPluginPatterns(disabled_plugins);
+  PluginGroup::SetPolicyEnforcedPluginPatterns(disabled_plugins,
+                                               std::set<string16>(),
+                                               std::set<string16>());
 
   EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(ASCIIToUTF16("42")));
   EXPECT_TRUE(PluginGroup::IsPluginNameDisabledByPolicy(
@@ -229,7 +233,90 @@ TEST(PluginGroupTest, DisabledByPolicy) {
       ASCIIToUTF16("Google Earth")));
 }
 
-TEST(PluginGroupTest, IsVulnerable) {
+TEST_F(PluginGroupTest, EnabledByPolicy) {
+  std::set<string16> enabled_plugins;
+  enabled_plugins.insert(ASCIIToUTF16("Enable that!"));
+  enabled_plugins.insert(ASCIIToUTF16("PDF*"));
+  PluginGroup::SetPolicyEnforcedPluginPatterns(std::set<string16>(),
+                                               std::set<string16>(),
+                                               enabled_plugins);
+
+  EXPECT_FALSE(PluginGroup::IsPluginNameEnabledByPolicy(ASCIIToUTF16("42")));
+  EXPECT_TRUE(PluginGroup::IsPluginNameEnabledByPolicy(
+      ASCIIToUTF16("Enable that!")));
+  EXPECT_TRUE(PluginGroup::IsPluginNameEnabledByPolicy(
+      ASCIIToUTF16("PDF Reader")));
+}
+
+TEST_F(PluginGroupTest, EnabledAndDisabledByPolicy) {
+  const string16 k42(ASCIIToUTF16("42"));
+  const string16 kEnabled(ASCIIToUTF16("Enabled"));
+  const string16 kEnabled2(ASCIIToUTF16("Enabled 2"));
+  const string16 kEnabled3(ASCIIToUTF16("Enabled 3"));
+  const string16 kException(ASCIIToUTF16("Exception"));
+  const string16 kException2(ASCIIToUTF16("Exception 2"));
+  const string16 kGoogleMars(ASCIIToUTF16("Google Mars"));
+  const string16 kGoogleEarth(ASCIIToUTF16("Google Earth"));
+
+  std::set<string16> disabled_plugins;
+  std::set<string16> disabled_plugins_exceptions;
+  std::set<string16> enabled_plugins;
+
+  disabled_plugins.insert(kEnabled);
+  disabled_plugins_exceptions.insert(kEnabled);
+  enabled_plugins.insert(kEnabled);
+
+  disabled_plugins_exceptions.insert(kException);
+
+  disabled_plugins.insert(kEnabled2);
+  enabled_plugins.insert(kEnabled2);
+
+  disabled_plugins.insert(kException2);
+  disabled_plugins_exceptions.insert(kException2);
+
+  disabled_plugins_exceptions.insert(kEnabled3);
+  enabled_plugins.insert(kEnabled3);
+
+  PluginGroup::SetPolicyEnforcedPluginPatterns(disabled_plugins,
+                                               disabled_plugins_exceptions,
+                                               enabled_plugins);
+
+  EXPECT_FALSE(PluginGroup::IsPluginNameEnabledByPolicy(k42));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(k42));
+
+  EXPECT_TRUE(PluginGroup::IsPluginNameEnabledByPolicy(kEnabled));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kEnabled));
+  EXPECT_TRUE(PluginGroup::IsPluginNameEnabledByPolicy(kEnabled2));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kEnabled2));
+  EXPECT_TRUE(PluginGroup::IsPluginNameEnabledByPolicy(kEnabled3));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kEnabled3));
+
+  EXPECT_FALSE(PluginGroup::IsPluginNameEnabledByPolicy(kException));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kException));
+  EXPECT_FALSE(PluginGroup::IsPluginNameEnabledByPolicy(kException2));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kException2));
+
+  disabled_plugins.clear();
+  disabled_plugins_exceptions.clear();
+  enabled_plugins.clear();
+
+  disabled_plugins.insert(ASCIIToUTF16("*"));
+  disabled_plugins_exceptions.insert(ASCIIToUTF16("*Google*"));
+  enabled_plugins.insert(kGoogleEarth);
+
+  PluginGroup::SetPolicyEnforcedPluginPatterns(disabled_plugins,
+                                               disabled_plugins_exceptions,
+                                               enabled_plugins);
+
+  EXPECT_TRUE(PluginGroup::IsPluginNameEnabledByPolicy(kGoogleEarth));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kGoogleEarth));
+  EXPECT_FALSE(PluginGroup::IsPluginNameEnabledByPolicy(kGoogleMars));
+  EXPECT_FALSE(PluginGroup::IsPluginNameDisabledByPolicy(kGoogleMars));
+  EXPECT_FALSE(PluginGroup::IsPluginNameEnabledByPolicy(k42));
+  EXPECT_TRUE(PluginGroup::IsPluginNameDisabledByPolicy(k42));
+}
+
+TEST_F(PluginGroupTest, IsVulnerable) {
   // Adobe Reader 10
   VersionRangeDefinition adobe_reader_version_range[] = {
       { "10", "11", "", false },
@@ -270,7 +357,7 @@ TEST(PluginGroupTest, IsVulnerable) {
   EXPECT_TRUE(PluginGroup(*group).RequiresAuthorization());
 }
 
-TEST(PluginGroupTest, MultipleVersions) {
+TEST_F(PluginGroupTest, MultipleVersions) {
   scoped_ptr<PluginGroup> group(
       PluginGroupTest::CreatePluginGroup(kPluginDef3));
   group->AddPlugin(kPlugin3044);