extensions/common/permissions/api_permission.h

   1 // Copyright 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef EXTENSIONS_COMMON_PERMISSIONS_API_PERMISSION_H_
   6 #define EXTENSIONS_COMMON_PERMISSIONS_API_PERMISSION_H_
   7
   8 #include <map>
   9 #include <set>
  10 #include <string>
  11 #include <vector>
  12
  13 #include "base/callback.h"
  14 #include "base/memory/scoped_ptr.h"
  15 #include "base/pickle.h"
  16 #include "base/values.h"
  17 #include "extensions/common/permissions/permission_message.h"
  18
  19 namespace IPC {
  20 class Message;
  21 }
  22
  23 namespace extensions {
  24
  25 class PermissionIDSet;
  26 class APIPermissionInfo;
  27 class ChromeAPIPermissions;
  28
  29 // APIPermission is for handling some complex permissions. Please refer to
  30 // extensions::SocketPermission as an example.
  31 // There is one instance per permission per loaded extension.
  32 class APIPermission {
  33  public:
  34   // The IDs of all permissions available to apps. Add as many permissions here
  35   // as needed to generate meaningful permission messages. Add the rules for the
  36   // messages to ChromePermissionMessageProvider.
  37   // Do not reorder this enumeration or remove any entries. If you need to add a
  38   // new entry, add it just prior to kEnumBoundary, and ensure to update the
  39   // "ExtensionPermission3" enum in tools/metrics/histograms/histograms.xml
  40   // (by running update_extension_permission.py).
  41   // TODO(sashab): Move this to a more central location, and rename it to
  42   // PermissionID.
  43   enum ID {
  44     // Error codes.
  45     kInvalid,
  46     kUnknown,
  47
  48     // Actual permission IDs. Not all of these are valid permissions on their
  49     // own; some are just needed by various manifest permissions to represent
  50     // their permission message rule combinations.
  51     kAccessibilityFeaturesModify,
  52     kAccessibilityFeaturesRead,
  53     kAccessibilityPrivate,
  54     kActiveTab,
  55     kActivityLogPrivate,
  56     kAlarms,
  57     kAlphaEnabled,
  58     kAlwaysOnTopWindows,
  59     kAppView,
  60     kAudio,
  61     kAudioCapture,
  62     kAudioModem,
  63     kAutofillPrivate,
  64     kAutomation,
  65     kAutoTestPrivate,
  66     kBackground,
  67     kBluetoothPrivate,
  68     kBookmark,
  69     kBookmarkManagerPrivate,
  70     kBrailleDisplayPrivate,
  71     kBrowser,
  72     kBrowsingData,
  73     kCast,
  74     kCastStreaming,
  75     kChromeosInfoPrivate,
  76     kClipboardRead,
  77     kClipboardWrite,
  78     kCloudPrintPrivate,
  79     kCommandLinePrivate,
  80     kCommandsAccessibility,
  81     kContentSettings,
  82     kContextMenus,
  83     kCookie,
  84     kCopresence,
  85     kCopresencePrivate,
  86     kCryptotokenPrivate,
  87     kDataReductionProxy,
  88     kDiagnostics,
  89     kDial,
  90     kDebugger,
  91     kDeclarative,
  92     kDeclarativeContent,
  93     kDeclarativeWebRequest,
  94     kDesktopCapture,
  95     kDesktopCapturePrivate,
  96     kDeveloperPrivate,
  97     kDevtools,
  98     kDns,
  99     kDocumentScan,
 100     kDownloads,
 101     kDownloadsInternal,
 102     kDownloadsOpen,
 103     kDownloadsShelf,
 104     kEasyUnlockPrivate,
 105     kEchoPrivate,
 106     kEmbeddedExtensionOptions,
 107     kEnterprisePlatformKeys,
 108     kEnterprisePlatformKeysPrivate,
 109     kExperienceSamplingPrivate,
 110     kExperimental,
 111     kExtensionView,
 112     kExternallyConnectableAllUrls,
 113     kFeedbackPrivate,
 114     kFileBrowserHandler,
 115     kFileBrowserHandlerInternal,
 116     kFileManagerPrivate,
 117     kFileSystem,
 118     kFileSystemDirectory,
 119     kFileSystemProvider,
 120     kFileSystemRequestFileSystem,
 121     kFileSystemRetainEntries,
 122     kFileSystemWrite,
 123     kFileSystemWriteDirectory,
 124     kFirstRunPrivate,
 125     kFontSettings,
 126     kFullscreen,
 127     kGcdPrivate,
 128     kGcm,
 129     kGeolocation,
 130     kHid,
 131     kHistory,
 132     kHomepage,
 133     kHotwordPrivate,
 134     kIdentity,
 135     kIdentityEmail,
 136     kIdentityPrivate,
 137     kIdltest,
 138     kIdle,
 139     kImeWindowEnabled,
 140     kInlineInstallPrivate,
 141     kInput,
 142     kInputMethodPrivate,
 143     kInterceptAllKeys,
 144     kLauncherSearchProvider,
 145     kLocation,
 146     kLogPrivate,
 147     kManagement,
 148     kMediaGalleries,
 149     kMediaPlayerPrivate,
 150     kMediaRouterPrivate,
 151     kMetricsPrivate,
 152     kMDns,
 153     kMusicManagerPrivate,
 154     kNativeMessaging,
 155     kNetworkingConfig,
 156     kNetworkingPrivate,
 157     kNotificationProvider,
 158     kNotifications,
 159     kOverrideEscFullscreen,
 160     kPageCapture,
 161     kPointerLock,
 162     kPlatformKeys,
 163     kPlugin,
 164     kPower,
 165     kPreferencesPrivate,
 166     kPrincipalsPrivate,
 167     kPrinterProvider,
 168     kPrivacy,
 169     kProcesses,
 170     kProxy,
 171     kImageWriterPrivate,
 172     kReadingListPrivate,
 173     kRtcPrivate,
 174     kSearchProvider,
 175     kSearchEnginesPrivate,
 176     kSerial,
 177     kSessions,
 178     kSettingsPrivate,
 179     kSignedInDevices,
 180     kSocket,
 181     kStartupPages,
 182     kStorage,
 183     kStreamsPrivate,
 184     kSyncFileSystem,
 185     kSystemPrivate,
 186     kSystemDisplay,
 187     kSystemStorage,
 188     kTab,
 189     kTabCapture,
 190     kTabCaptureForTab,
 191     kTerminalPrivate,
 192     kTopSites,
 193     kTts,
 194     kTtsEngine,
 195     kUnlimitedStorage,
 196     kU2fDevices,
 197     kUsb,
 198     kUsbDevice,
 199     kVideoCapture,
 200     kVirtualKeyboardPrivate,
 201     kVpnProvider,
 202     kWallpaper,
 203     kWallpaperPrivate,
 204     kWebcamPrivate,
 205     kWebConnectable,  // for externally_connectable manifest key
 206     kWebNavigation,
 207     kWebRequest,
 208     kWebRequestBlocking,
 209     kWebrtcAudioPrivate,
 210     kWebrtcDesktopCapturePrivate,
 211     kWebrtcLoggingPrivate,
 212     kWebstorePrivate,
 213     kWebstoreWidgetPrivate,
 214     kWebView,
 215     kWindowShape,
 216     kScreenlockPrivate,
 217     kSystemCpu,
 218     kSystemMemory,
 219     kSystemNetwork,
 220     kSystemInfoCpu,
 221     kSystemInfoMemory,
 222     kBluetooth,
 223     kBluetoothDevices,
 224     kFavicon,
 225     kFullAccess,
 226     kHostReadOnly,
 227     kHostReadWrite,
 228     kHostsAll,
 229     kHostsAllReadOnly,
 230     kMediaGalleriesAllGalleriesCopyTo,
 231     kMediaGalleriesAllGalleriesDelete,
 232     kMediaGalleriesAllGalleriesRead,
 233     kNetworkState,
 234     kOverrideBookmarksUI,
 235     kShouldWarnAllHosts,
 236     kSocketAnyHost,
 237     kSocketDomainHosts,
 238     kSocketSpecificHosts,
 239     kUsbDeviceList,
 240     kUsbDeviceUnknownProduct,
 241     kUsbDeviceUnknownVendor,
 242     kUsersPrivate,
 243     kPasswordsPrivate,
 244     kLanguageSettingsPrivate,
 245     kEnterpriseDeviceAttributes,
 246     // Last entry: Add new entries above and ensure to update the
 247     // "ExtensionPermission3" enum in tools/metrics/histograms/histograms.xml
 248     // (by running update_extension_permission.py).
 249     kEnumBoundary
 250   };
 251
 252   struct CheckParam {
 253   };
 254
 255   explicit APIPermission(const APIPermissionInfo* info);
 256
 257   virtual ~APIPermission();
 258
 259   // Returns the id of this permission.
 260   ID id() const;
 261
 262   // Returns the name of this permission.
 263   const char* name() const;
 264
 265   // Returns the APIPermission of this permission.
 266   const APIPermissionInfo* info() const {
 267     return info_;
 268   }
 269
 270   // The set of permissions an app/extension with this API permission has. These
 271   // permissions are used by PermissionMessageProvider to generate meaningful
 272   // permission messages for the app/extension.
 273   //
 274   // For simple API permissions, this will return a set containing only the ID
 275   // of the permission. More complex permissions might have multiple IDs, one
 276   // for each of the capabilities the API permission has (e.g. read, write and
 277   // copy, in the case of the media gallery permission). Permissions that
 278   // require parameters may also contain a parameter string (along with the
 279   // permission's ID) which can be substituted into the permission message if a
 280   // rule is defined to do so.
 281   //
 282   // Permissions with multiple values, such as host permissions, are represented
 283   // by multiple entries in this set. Each permission in the subset has the same
 284   // ID (e.g. kHostReadOnly) but a different parameter (e.g. google.com). These
 285   // are grouped to form different kinds of permission messages (e.g. 'Access to
 286   // 2 hosts') depending on the number that are in the set. The rules that
 287   // define the grouping of related permissions with the same ID is defined in
 288   // ChromePermissionMessageProvider.
 289   virtual PermissionIDSet GetPermissions() const = 0;
 290
 291   // Returns true if this permission has any PermissionMessages.
 292   // TODO(sashab): Deprecate this in favor of GetPermissions() above.
 293   virtual bool HasMessages() const = 0;
 294
 295   // Returns the localized permission messages of this permission.
 296   // TODO(sashab): Deprecate this in favor of GetPermissions() above.
 297   virtual PermissionMessages GetMessages() const = 0;
 298
 299   // Returns true if the given permission is allowed.
 300   virtual bool Check(const CheckParam* param) const = 0;
 301
 302   // Returns true if |rhs| is a subset of this.
 303   virtual bool Contains(const APIPermission* rhs) const = 0;
 304
 305   // Returns true if |rhs| is equal to this.
 306   virtual bool Equal(const APIPermission* rhs) const = 0;
 307
 308   // Parses the APIPermission from |value|. Returns false if an error happens
 309   // and optionally set |error| if |error| is not NULL. If |value| represents
 310   // multiple permissions, some are invalid, and |unhandled_permissions| is
 311   // not NULL, the invalid ones are put into |unhandled_permissions| and the
 312   // function returns true.
 313   virtual bool FromValue(const base::Value* value,
 314                          std::string* error,
 315                          std::vector<std::string>* unhandled_permissions) = 0;
 316
 317   // Stores this into a new created |value|.
 318   virtual scoped_ptr<base::Value> ToValue() const = 0;
 319
 320   // Clones this.
 321   virtual APIPermission* Clone() const = 0;
 322
 323   // Returns a new API permission which equals this - |rhs|.
 324   virtual APIPermission* Diff(const APIPermission* rhs) const = 0;
 325
 326   // Returns a new API permission which equals the union of this and |rhs|.
 327   virtual APIPermission* Union(const APIPermission* rhs) const = 0;
 328
 329   // Returns a new API permission which equals the intersect of this and |rhs|.
 330   virtual APIPermission* Intersect(const APIPermission* rhs) const = 0;
 331
 332   // IPC functions
 333   // Writes this into the given IPC message |m|.
 334   virtual void Write(IPC::Message* m) const = 0;
 335
 336   // Reads from the given IPC message |m|.
 337   virtual bool Read(const IPC::Message* m, base::PickleIterator* iter) = 0;
 338
 339   // Logs this permission.
 340   virtual void Log(std::string* log) const = 0;
 341
 342  protected:
 343   // Returns the localized permission message associated with this api.
 344   // Use GetMessage_ to avoid name conflict with macro GetMessage on Windows.
 345   PermissionMessage GetMessage_() const;
 346
 347  private:
 348   const APIPermissionInfo* const info_;
 349 };
 350
 351
 352 // The APIPermissionInfo is an immutable class that describes a single
 353 // named permission (API permission).
 354 // There is one instance per permission.
 355 class APIPermissionInfo {
 356  public:
 357   enum Flag {
 358     kFlagNone = 0,
 359
 360     // Indicates if the permission implies full access (native code).
 361     kFlagImpliesFullAccess = 1 << 0,
 362
 363     // Indicates if the permission implies full URL access.
 364     kFlagImpliesFullURLAccess = 1 << 1,
 365
 366     // Indicates that extensions cannot specify the permission as optional.
 367     kFlagCannotBeOptional = 1 << 3,
 368
 369     // Indicates that the permission is internal to the extensions
 370     // system and cannot be specified in the "permissions" list.
 371     kFlagInternal = 1 << 4,
 372
 373     // Indicates that the permission may be granted to web contents by
 374     // extensions using the content_capabilities manifest feature.
 375     kFlagSupportsContentCapabilities = 1 << 5,
 376   };
 377
 378   typedef APIPermission* (*APIPermissionConstructor)(const APIPermissionInfo*);
 379
 380   typedef std::set<APIPermission::ID> IDSet;
 381
 382   ~APIPermissionInfo();
 383
 384   // Creates a APIPermission instance.
 385   APIPermission* CreateAPIPermission() const;
 386
 387   int flags() const { return flags_; }
 388
 389   APIPermission::ID id() const { return id_; }
 390
 391   // Returns the message id associated with this permission.
 392   PermissionMessage::ID message_id() const {
 393     return message_id_;
 394   }
 395
 396   // Returns the name of this permission.
 397   const char* name() const { return name_; }
 398
 399   // Returns true if this permission implies full access (e.g., native code).
 400   bool implies_full_access() const {
 401     return (flags_ & kFlagImpliesFullAccess) != 0;
 402   }
 403
 404   // Returns true if this permission implies full URL access.
 405   bool implies_full_url_access() const {
 406     return (flags_ & kFlagImpliesFullURLAccess) != 0;
 407   }
 408
 409   // Returns true if this permission can be added and removed via the
 410   // optional permissions extension API.
 411   bool supports_optional() const {
 412     return (flags_ & kFlagCannotBeOptional) == 0;
 413   }
 414
 415   // Returns true if this permission is internal rather than a
 416   // "permissions" list entry.
 417   bool is_internal() const {
 418     return (flags_ & kFlagInternal) != 0;
 419   }
 420
 421   // Returns true if this permission can be granted to web contents by an
 422   // extension through the content_capabilities manifest feature.
 423   bool supports_content_capabilities() const {
 424     return (flags_ & kFlagSupportsContentCapabilities) != 0;
 425   }
 426
 427  private:
 428   // Instances should only be constructed from within a PermissionsProvider.
 429   friend class ChromeAPIPermissions;
 430   friend class ExtensionsAPIPermissions;
 431   // Implementations of APIPermission will want to get the permission message,
 432   // but this class's implementation should be hidden from everyone else.
 433   friend class APIPermission;
 434
 435   // This exists to allow aggregate initialization, so that default values
 436   // for flags, etc. can be omitted.
 437   // TODO(yoz): Simplify the way initialization is done. APIPermissionInfo
 438   // should be the simple data struct.
 439   struct InitInfo {
 440     APIPermission::ID id;
 441     const char* name;
 442     int flags;
 443     int l10n_message_id;
 444     PermissionMessage::ID message_id;
 445     APIPermissionInfo::APIPermissionConstructor constructor;
 446   };
 447
 448   explicit APIPermissionInfo(const InitInfo& info);
 449
 450   // Returns the localized permission message associated with this api.
 451   // Use GetMessage_ to avoid name conflict with macro GetMessage on Windows.
 452   PermissionMessage GetMessage_() const;
 453
 454   const APIPermission::ID id_;
 455   const char* const name_;
 456   const int flags_;
 457   const int l10n_message_id_;
 458   const PermissionMessage::ID message_id_;
 459   const APIPermissionConstructor api_permission_constructor_;
 460 };
 461
 462 }  // namespace extensions
 463
 464 #endif  // EXTENSIONS_COMMON_PERMISSIONS_API_PERMISSION_H_