Supervised user whitelists: Cleanup
[chromium-blink-merge.git] / extensions / common / file_util.cc
blob99d68442b89f90000b808cfbe45670a10411acb1
1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/file_util.h"
7 #include <map>
8 #include <set>
9 #include <string>
10 #include <utility>
11 #include <vector>
13 #include "base/files/file_enumerator.h"
14 #include "base/files/file_path.h"
15 #include "base/files/file_util.h"
16 #include "base/files/scoped_temp_dir.h"
17 #include "base/json/json_file_value_serializer.h"
18 #include "base/logging.h"
19 #include "base/memory/scoped_ptr.h"
20 #include "base/metrics/field_trial.h"
21 #include "base/metrics/histogram.h"
22 #include "base/strings/stringprintf.h"
23 #include "base/strings/utf_string_conversions.h"
24 #include "base/threading/thread_restrictions.h"
25 #include "base/time/time.h"
26 #include "extensions/common/constants.h"
27 #include "extensions/common/extension.h"
28 #include "extensions/common/extension_icon_set.h"
29 #include "extensions/common/extension_l10n_util.h"
30 #include "extensions/common/install_warning.h"
31 #include "extensions/common/manifest.h"
32 #include "extensions/common/manifest_constants.h"
33 #include "extensions/common/manifest_handler.h"
34 #include "extensions/common/manifest_handlers/icons_handler.h"
35 #include "extensions/common/message_bundle.h"
36 #include "grit/extensions_strings.h"
37 #include "net/base/escape.h"
38 #include "ui/base/l10n/l10n_util.h"
39 #include "url/gurl.h"
41 namespace extensions {
42 namespace file_util {
43 namespace {
45 // Returns true if the given file path exists and is not zero-length.
46 bool ValidateFilePath(const base::FilePath& path) {
47 int64 size = 0;
48 if (!base::PathExists(path) ||
49 !base::GetFileSize(path, &size) ||
50 size == 0) {
51 return false;
54 return true;
57 // Returns true if the extension installation should flush all files and the
58 // directory.
59 bool UseSafeInstallation() {
60 const char kFieldTrialName[] = "ExtensionUseSafeInstallation";
61 const char kEnable[] = "Enable";
62 return base::FieldTrialList::FindFullName(kFieldTrialName) == kEnable;
65 enum FlushOneOrAllFiles {
66 ONE_FILE_ONLY,
67 ALL_FILES
70 // Flush all files in a directory or just one. When flushing all files, it
71 // makes sure every file is on disk. When flushing one file only, it ensures
72 // all parent directories are on disk.
73 void FlushFilesInDir(const base::FilePath& path,
74 FlushOneOrAllFiles one_or_all_files) {
75 if (!UseSafeInstallation()) {
76 return;
78 base::FileEnumerator temp_traversal(path,
79 true, // recursive
80 base::FileEnumerator::FILES);
81 for (base::FilePath current = temp_traversal.Next(); !current.empty();
82 current = temp_traversal.Next()) {
83 base::File currentFile(current,
84 base::File::FLAG_OPEN | base::File::FLAG_WRITE);
85 currentFile.Flush();
86 currentFile.Close();
87 if (one_or_all_files == ONE_FILE_ONLY) {
88 break;
93 } // namespace
95 const base::FilePath::CharType kTempDirectoryName[] = FILE_PATH_LITERAL("Temp");
97 base::FilePath InstallExtension(const base::FilePath& unpacked_source_dir,
98 const std::string& id,
99 const std::string& version,
100 const base::FilePath& extensions_dir) {
101 base::FilePath extension_dir = extensions_dir.AppendASCII(id);
102 base::FilePath version_dir;
104 // Create the extension directory if it doesn't exist already.
105 if (!base::PathExists(extension_dir)) {
106 if (!base::CreateDirectory(extension_dir))
107 return base::FilePath();
110 // Get a temp directory on the same file system as the profile.
111 base::FilePath install_temp_dir = GetInstallTempDir(extensions_dir);
112 base::ScopedTempDir extension_temp_dir;
113 if (install_temp_dir.empty() ||
114 !extension_temp_dir.CreateUniqueTempDirUnderPath(install_temp_dir)) {
115 LOG(ERROR) << "Creating of temp dir under in the profile failed.";
116 return base::FilePath();
118 base::FilePath crx_temp_source =
119 extension_temp_dir.path().Append(unpacked_source_dir.BaseName());
120 if (!base::Move(unpacked_source_dir, crx_temp_source)) {
121 LOG(ERROR) << "Moving extension from : " << unpacked_source_dir.value()
122 << " to : " << crx_temp_source.value() << " failed.";
123 return base::FilePath();
126 // Try to find a free directory. There can be legitimate conflicts in the case
127 // of overinstallation of the same version.
128 const int kMaxAttempts = 100;
129 for (int i = 0; i < kMaxAttempts; ++i) {
130 base::FilePath candidate = extension_dir.AppendASCII(
131 base::StringPrintf("%s_%u", version.c_str(), i));
132 if (!base::PathExists(candidate)) {
133 version_dir = candidate;
134 break;
138 if (version_dir.empty()) {
139 LOG(ERROR) << "Could not find a home for extension " << id << " with "
140 << "version " << version << ".";
141 return base::FilePath();
144 base::TimeTicks start_time = base::TimeTicks::Now();
146 // Flush the source dir completely before moving to make sure everything is
147 // on disk. Otherwise a sudden power loss could cause the newly installed
148 // extension to be in a corrupted state. Note that empty sub-directories
149 // may still be lost.
150 FlushFilesInDir(crx_temp_source, ALL_FILES);
152 // The target version_dir does not exists yet, so base::Move() is using
153 // rename() on POSIX systems. It is atomic in the sense that it will
154 // either complete successfully or in the event of data loss be reverted.
155 if (!base::Move(crx_temp_source, version_dir)) {
156 LOG(ERROR) << "Installing extension from : " << crx_temp_source.value()
157 << " into : " << version_dir.value() << " failed.";
158 return base::FilePath();
161 // Flush one file in the new version_dir to make sure the dir move above is
162 // persisted on disk. This is guaranteed on POSIX systems. ExtensionPrefs
163 // is going to be updated with the new version_dir later. In the event of
164 // data loss ExtensionPrefs should be pointing to the previous version which
165 // is still fine.
166 FlushFilesInDir(version_dir, ONE_FILE_ONLY);
168 UMA_HISTOGRAM_TIMES("Extensions.FileInstallation",
169 base::TimeTicks::Now() - start_time);
171 return version_dir;
174 void UninstallExtension(const base::FilePath& extensions_dir,
175 const std::string& id) {
176 // We don't care about the return value. If this fails (and it can, due to
177 // plugins that aren't unloaded yet), it will get cleaned up by
178 // ExtensionGarbageCollector::GarbageCollectExtensions.
179 base::DeleteFile(extensions_dir.AppendASCII(id), true); // recursive.
182 scoped_refptr<Extension> LoadExtension(const base::FilePath& extension_path,
183 Manifest::Location location,
184 int flags,
185 std::string* error) {
186 return LoadExtension(extension_path, std::string(), location, flags, error);
189 scoped_refptr<Extension> LoadExtension(const base::FilePath& extension_path,
190 const std::string& extension_id,
191 Manifest::Location location,
192 int flags,
193 std::string* error) {
194 scoped_ptr<base::DictionaryValue> manifest(
195 LoadManifest(extension_path, error));
196 if (!manifest.get())
197 return NULL;
198 if (!extension_l10n_util::LocalizeExtension(
199 extension_path, manifest.get(), error)) {
200 return NULL;
203 scoped_refptr<Extension> extension(Extension::Create(
204 extension_path, location, *manifest, flags, extension_id, error));
205 if (!extension.get())
206 return NULL;
208 std::vector<InstallWarning> warnings;
209 if (!ValidateExtension(extension.get(), error, &warnings))
210 return NULL;
211 extension->AddInstallWarnings(warnings);
213 return extension;
216 base::DictionaryValue* LoadManifest(const base::FilePath& extension_path,
217 std::string* error) {
218 return LoadManifest(extension_path, kManifestFilename, error);
221 base::DictionaryValue* LoadManifest(
222 const base::FilePath& extension_path,
223 const base::FilePath::CharType* manifest_filename,
224 std::string* error) {
225 base::FilePath manifest_path = extension_path.Append(manifest_filename);
226 if (!base::PathExists(manifest_path)) {
227 *error = l10n_util::GetStringUTF8(IDS_EXTENSION_MANIFEST_UNREADABLE);
228 return NULL;
231 JSONFileValueDeserializer deserializer(manifest_path);
232 scoped_ptr<base::Value> root(deserializer.Deserialize(NULL, error));
233 if (!root.get()) {
234 if (error->empty()) {
235 // If |error| is empty, than the file could not be read.
236 // It would be cleaner to have the JSON reader give a specific error
237 // in this case, but other code tests for a file error with
238 // error->empty(). For now, be consistent.
239 *error = l10n_util::GetStringUTF8(IDS_EXTENSION_MANIFEST_UNREADABLE);
240 } else {
241 *error = base::StringPrintf(
242 "%s %s", manifest_errors::kManifestParseError, error->c_str());
244 return NULL;
247 if (!root->IsType(base::Value::TYPE_DICTIONARY)) {
248 *error = l10n_util::GetStringUTF8(IDS_EXTENSION_MANIFEST_INVALID);
249 return NULL;
252 return static_cast<base::DictionaryValue*>(root.release());
255 bool ValidateExtension(const Extension* extension,
256 std::string* error,
257 std::vector<InstallWarning>* warnings) {
258 // Ask registered manifest handlers to validate their paths.
259 if (!ManifestHandler::ValidateExtension(extension, error, warnings))
260 return false;
262 // Check children of extension root to see if any of them start with _ and is
263 // not on the reserved list. We only warn, and do not block the loading of the
264 // extension.
265 std::string warning;
266 if (!CheckForIllegalFilenames(extension->path(), &warning))
267 warnings->push_back(InstallWarning(warning));
269 // Check that extensions don't include private key files.
270 std::vector<base::FilePath> private_keys =
271 FindPrivateKeyFiles(extension->path());
272 if (extension->creation_flags() & Extension::ERROR_ON_PRIVATE_KEY) {
273 if (!private_keys.empty()) {
274 // Only print one of the private keys because l10n_util doesn't have a way
275 // to translate a list of strings.
276 *error =
277 l10n_util::GetStringFUTF8(IDS_EXTENSION_CONTAINS_PRIVATE_KEY,
278 private_keys.front().LossyDisplayName());
279 return false;
281 } else {
282 for (size_t i = 0; i < private_keys.size(); ++i) {
283 warnings->push_back(InstallWarning(
284 l10n_util::GetStringFUTF8(IDS_EXTENSION_CONTAINS_PRIVATE_KEY,
285 private_keys[i].LossyDisplayName())));
287 // Only warn; don't block loading the extension.
289 return true;
292 std::vector<base::FilePath> FindPrivateKeyFiles(
293 const base::FilePath& extension_dir) {
294 std::vector<base::FilePath> result;
295 // Pattern matching only works at the root level, so filter manually.
296 base::FileEnumerator traversal(
297 extension_dir, /*recursive=*/true, base::FileEnumerator::FILES);
298 for (base::FilePath current = traversal.Next(); !current.empty();
299 current = traversal.Next()) {
300 if (!current.MatchesExtension(kExtensionKeyFileExtension))
301 continue;
303 std::string key_contents;
304 if (!base::ReadFileToString(current, &key_contents)) {
305 // If we can't read the file, assume it's not a private key.
306 continue;
308 std::string key_bytes;
309 if (!Extension::ParsePEMKeyBytes(key_contents, &key_bytes)) {
310 // If we can't parse the key, assume it's ok too.
311 continue;
314 result.push_back(current);
316 return result;
319 bool CheckForIllegalFilenames(const base::FilePath& extension_path,
320 std::string* error) {
321 // Reserved underscore names.
322 static const base::FilePath::CharType* reserved_names[] = {
323 kLocaleFolder, kPlatformSpecificFolder, FILE_PATH_LITERAL("__MACOSX"), };
324 CR_DEFINE_STATIC_LOCAL(
325 std::set<base::FilePath::StringType>,
326 reserved_underscore_names,
327 (reserved_names, reserved_names + arraysize(reserved_names)));
329 // Enumerate all files and directories in the extension root.
330 // There is a problem when using pattern "_*" with FileEnumerator, so we have
331 // to cheat with find_first_of and match all.
332 const int kFilesAndDirectories =
333 base::FileEnumerator::DIRECTORIES | base::FileEnumerator::FILES;
334 base::FileEnumerator all_files(extension_path, false, kFilesAndDirectories);
336 base::FilePath file;
337 while (!(file = all_files.Next()).empty()) {
338 base::FilePath::StringType filename = file.BaseName().value();
339 // Skip all that don't start with "_".
340 if (filename.find_first_of(FILE_PATH_LITERAL("_")) != 0)
341 continue;
342 if (reserved_underscore_names.find(filename) ==
343 reserved_underscore_names.end()) {
344 *error = base::StringPrintf(
345 "Cannot load extension with file or directory name %s. "
346 "Filenames starting with \"_\" are reserved for use by the system.",
347 file.BaseName().AsUTF8Unsafe().c_str());
348 return false;
352 return true;
355 base::FilePath GetInstallTempDir(const base::FilePath& extensions_dir) {
356 // We do file IO in this function, but only when the current profile's
357 // Temp directory has never been used before, or in a rare error case.
358 // Developers are not likely to see these situations often, so do an
359 // explicit thread check.
360 base::ThreadRestrictions::AssertIOAllowed();
362 // Create the temp directory as a sub-directory of the Extensions directory.
363 // This guarantees it is on the same file system as the extension's eventual
364 // install target.
365 base::FilePath temp_path = extensions_dir.Append(kTempDirectoryName);
366 if (base::PathExists(temp_path)) {
367 if (!base::DirectoryExists(temp_path)) {
368 DLOG(WARNING) << "Not a directory: " << temp_path.value();
369 return base::FilePath();
371 if (!base::PathIsWritable(temp_path)) {
372 DLOG(WARNING) << "Can't write to path: " << temp_path.value();
373 return base::FilePath();
375 // This is a directory we can write to.
376 return temp_path;
379 // Directory doesn't exist, so create it.
380 if (!base::CreateDirectory(temp_path)) {
381 DLOG(WARNING) << "Couldn't create directory: " << temp_path.value();
382 return base::FilePath();
384 return temp_path;
387 void DeleteFile(const base::FilePath& path, bool recursive) {
388 base::DeleteFile(path, recursive);
391 base::FilePath ExtensionURLToRelativeFilePath(const GURL& url) {
392 std::string url_path = url.path();
393 if (url_path.empty() || url_path[0] != '/')
394 return base::FilePath();
396 // Drop the leading slashes and convert %-encoded UTF8 to regular UTF8.
397 std::string file_path = net::UnescapeURLComponent(url_path,
398 net::UnescapeRule::SPACES | net::UnescapeRule::URL_SPECIAL_CHARS);
399 size_t skip = file_path.find_first_not_of("/\\");
400 if (skip != file_path.npos)
401 file_path = file_path.substr(skip);
403 base::FilePath path = base::FilePath::FromUTF8Unsafe(file_path);
405 // It's still possible for someone to construct an annoying URL whose path
406 // would still wind up not being considered relative at this point.
407 // For example: chrome-extension://id/c:////foo.html
408 if (path.IsAbsolute())
409 return base::FilePath();
411 return path;
414 base::FilePath ExtensionResourceURLToFilePath(const GURL& url,
415 const base::FilePath& root) {
416 std::string host = net::UnescapeURLComponent(url.host(),
417 net::UnescapeRule::SPACES | net::UnescapeRule::URL_SPECIAL_CHARS);
418 if (host.empty())
419 return base::FilePath();
421 base::FilePath relative_path = ExtensionURLToRelativeFilePath(url);
422 if (relative_path.empty())
423 return base::FilePath();
425 base::FilePath path = root.AppendASCII(host).Append(relative_path);
426 if (!base::PathExists(path))
427 return base::FilePath();
428 path = base::MakeAbsoluteFilePath(path);
429 if (path.empty() || !root.IsParent(path))
430 return base::FilePath();
431 return path;
434 bool ValidateExtensionIconSet(const ExtensionIconSet& icon_set,
435 const Extension* extension,
436 int error_message_id,
437 std::string* error) {
438 for (ExtensionIconSet::IconMap::const_iterator iter = icon_set.map().begin();
439 iter != icon_set.map().end();
440 ++iter) {
441 const base::FilePath path =
442 extension->GetResource(iter->second).GetFilePath();
443 if (!ValidateFilePath(path)) {
444 *error = l10n_util::GetStringFUTF8(error_message_id,
445 base::UTF8ToUTF16(iter->second));
446 return false;
449 return true;
452 MessageBundle* LoadMessageBundle(
453 const base::FilePath& extension_path,
454 const std::string& default_locale,
455 std::string* error) {
456 error->clear();
457 // Load locale information if available.
458 base::FilePath locale_path = extension_path.Append(kLocaleFolder);
459 if (!base::PathExists(locale_path))
460 return NULL;
462 std::set<std::string> locales;
463 if (!extension_l10n_util::GetValidLocales(locale_path, &locales, error))
464 return NULL;
466 if (default_locale.empty() || locales.find(default_locale) == locales.end()) {
467 *error = l10n_util::GetStringUTF8(
468 IDS_EXTENSION_LOCALES_NO_DEFAULT_LOCALE_SPECIFIED);
469 return NULL;
472 MessageBundle* message_bundle =
473 extension_l10n_util::LoadMessageCatalogs(
474 locale_path,
475 default_locale,
476 extension_l10n_util::CurrentLocaleOrDefault(),
477 locales,
478 error);
480 return message_bundle;
483 std::map<std::string, std::string>* LoadMessageBundleSubstitutionMap(
484 const base::FilePath& extension_path,
485 const std::string& extension_id,
486 const std::string& default_locale) {
487 std::map<std::string, std::string>* return_value =
488 new std::map<std::string, std::string>();
489 if (!default_locale.empty()) {
490 // Touch disk only if extension is localized.
491 std::string error;
492 scoped_ptr<MessageBundle> bundle(
493 LoadMessageBundle(extension_path, default_locale, &error));
495 if (bundle.get())
496 *return_value = *bundle->dictionary();
499 // Add @@extension_id reserved message here, so it's available to
500 // non-localized extensions too.
501 return_value->insert(
502 std::make_pair(MessageBundle::kExtensionIdKey, extension_id));
504 return return_value;
507 base::FilePath GetVerifiedContentsPath(const base::FilePath& extension_path) {
508 return extension_path.Append(kMetadataFolder)
509 .Append(kVerifiedContentsFilename);
511 base::FilePath GetComputedHashesPath(const base::FilePath& extension_path) {
512 return extension_path.Append(kMetadataFolder).Append(kComputedHashesFilename);
515 } // namespace file_util
516 } // namespace extensions