[go: nahoru, domu]

blob: dd9098d3d587d6cef0f1e8fb94e925192a44532d [file] [log] [blame]
// Copyright 2014 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "chrome/browser/extensions/permissions_based_management_policy_provider.h"
#include <memory>
#include <string>
#include <vector>
#include "base/check.h"
#include "base/memory/raw_ptr.h"
#include "base/memory/ref_counted.h"
#include "base/strings/utf_string_conversions.h"
#include "base/values.h"
#include "chrome/browser/extensions/extension_management.h"
#include "chrome/browser/extensions/extension_management_test_util.h"
#include "chrome/common/extensions/permissions/chrome_api_permissions.h"
#include "chrome/test/base/testing_profile.h"
#include "components/sync_preferences/testing_pref_service_syncable.h"
#include "content/public/test/browser_task_environment.h"
#include "extensions/common/extension.h"
#include "extensions/common/manifest.h"
#include "extensions/common/manifest_constants.h"
#include "extensions/common/mojom/api_permission_id.mojom-shared.h"
#include "extensions/common/permissions/api_permission.h"
#include "testing/gtest/include/gtest/gtest.h"
using extensions::mojom::APIPermissionID;
namespace extensions {
class PermissionsBasedManagementPolicyProviderTest : public testing::Test {
public:
typedef ExtensionManagementPrefUpdater<
sync_preferences::TestingPrefServiceSyncable>
PrefUpdater;
PermissionsBasedManagementPolicyProviderTest()
: profile_(std::make_unique<TestingProfile>()),
pref_service_(profile_->GetTestingPrefService()),
settings_(std::make_unique<ExtensionManagement>(profile_.get())),
provider_(settings_.get()) {}
void SetUp() override {}
void TearDown() override {}
// Get API permissions name for |id|, we cannot use arbitrary strings since
// they will be ignored by ExtensionManagementService.
std::string GetAPIPermissionName(APIPermissionID id) {
for (const auto& perm : chrome_api_permissions::GetPermissionInfos()) {
if (perm.id == id)
return perm.name;
}
ADD_FAILURE() << "Permission not found: " << id;
return std::string();
}
// Create an extension with specified |location|, |required_permissions| and
// |optional_permissions|.
scoped_refptr<const Extension> CreateExtensionWithPermission(
mojom::ManifestLocation location,
const base::Value::List* required_permissions,
const base::Value::List* optional_permissions) {
base::Value::Dict manifest_dict;
manifest_dict.Set(manifest_keys::kName, "test");
manifest_dict.Set(manifest_keys::kVersion, "0.1");
manifest_dict.Set(manifest_keys::kManifestVersion, 2);
if (required_permissions) {
manifest_dict.Set(manifest_keys::kPermissions,
required_permissions->Clone());
}
if (optional_permissions) {
manifest_dict.Set(manifest_keys::kOptionalPermissions,
optional_permissions->Clone());
}
std::string error;
scoped_refptr<const Extension> extension = Extension::Create(
base::FilePath(), location, manifest_dict, Extension::NO_FLAGS, &error);
CHECK(extension.get()) << error;
return extension;
}
protected:
content::BrowserTaskEnvironment task_environment_;
std::unique_ptr<TestingProfile> profile_;
raw_ptr<sync_preferences::TestingPrefServiceSyncable> pref_service_;
std::unique_ptr<ExtensionManagement> settings_;
PermissionsBasedManagementPolicyProvider provider_;
};
// Verifies that extensions with conflicting permissions cannot be loaded.
TEST_F(PermissionsBasedManagementPolicyProviderTest, APIPermissions) {
// Prepares the extension manifest.
base::Value::List required_permissions;
required_permissions.Append(
GetAPIPermissionName(APIPermissionID::kDownloads));
required_permissions.Append(GetAPIPermissionName(APIPermissionID::kCookie));
base::Value::List optional_permissions;
optional_permissions.Append(GetAPIPermissionName(APIPermissionID::kProxy));
scoped_refptr<const Extension> extension = CreateExtensionWithPermission(
mojom::ManifestLocation::kExternalPolicyDownload, &required_permissions,
&optional_permissions);
std::u16string error16;
// The extension should be allowed to be loaded by default.
error16.clear();
EXPECT_TRUE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_TRUE(error16.empty());
// Blocks kProxy by default. The test extension should still be allowed.
{
PrefUpdater pref(pref_service_.get());
pref.AddBlockedPermission("*",
GetAPIPermissionName(APIPermissionID::kProxy));
}
error16.clear();
EXPECT_TRUE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_TRUE(error16.empty());
// Blocks kCookie this time. The test extension should not be allowed now.
{
PrefUpdater pref(pref_service_.get());
pref.AddBlockedPermission("*",
GetAPIPermissionName(APIPermissionID::kCookie));
}
error16.clear();
EXPECT_FALSE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_FALSE(error16.empty());
// Explictly allows kCookie for test extension. It should be allowed again.
{
PrefUpdater pref(pref_service_.get());
pref.AddAllowedPermission(extension->id(),
GetAPIPermissionName(APIPermissionID::kCookie));
}
error16.clear();
EXPECT_TRUE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_TRUE(error16.empty());
// Explictly blocks kCookie for test extension. It should still be allowed.
{
PrefUpdater pref(pref_service_.get());
pref.AddBlockedPermission(extension->id(),
GetAPIPermissionName(APIPermissionID::kCookie));
}
error16.clear();
EXPECT_TRUE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_TRUE(error16.empty());
// Any extension specific definition overrides all defaults, even if blank.
{
PrefUpdater pref(pref_service_.get());
pref.UnsetBlockedPermissions(extension->id());
pref.UnsetAllowedPermissions(extension->id());
pref.ClearBlockedPermissions("*");
pref.AddBlockedPermission(
"*", GetAPIPermissionName(APIPermissionID::kDownloads));
}
error16.clear();
EXPECT_TRUE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_TRUE(error16.empty());
// Blocks kDownloads by default. It should be blocked.
{
PrefUpdater pref(pref_service_.get());
pref.UnsetPerExtensionSettings(extension->id());
pref.UnsetPerExtensionSettings(extension->id());
pref.ClearBlockedPermissions("*");
pref.AddBlockedPermission(
"*", GetAPIPermissionName(APIPermissionID::kDownloads));
}
error16.clear();
EXPECT_FALSE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_FALSE(error16.empty());
EXPECT_EQ("test (extension ID \"" + extension->id() +
"\") is blocked by the administrator. ",
base::UTF16ToASCII(error16));
// Set custom error message to display to user when install blocked.
const std::string blocked_install_message =
"Visit https://example.com/exception";
{
PrefUpdater pref(pref_service_.get());
pref.UnsetPerExtensionSettings(extension->id());
pref.UnsetPerExtensionSettings(extension->id());
pref.SetBlockedInstallMessage(extension->id(), blocked_install_message);
pref.ClearBlockedPermissions("*");
pref.AddBlockedPermission(
extension->id(), GetAPIPermissionName(APIPermissionID::kDownloads));
}
error16.clear();
EXPECT_FALSE(provider_.UserMayLoad(extension.get(), &error16));
EXPECT_FALSE(error16.empty());
EXPECT_EQ("test (extension ID \"" + extension->id() +
"\") is blocked by the administrator. " +
blocked_install_message,
base::UTF16ToASCII(error16));
}
} // namespace extensions