extensions/common/permissions/permissions_data.h

   1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
   6 #define EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_
   7
   8 #include <map>
   9 #include <string>
  10 #include <vector>
  11
  12 #include "base/memory/ref_counted.h"
  13 #include "base/strings/string16.h"
  14 #include "base/synchronization/lock.h"
  15 #include "extensions/common/manifest.h"
  16 #include "extensions/common/permissions/api_permission.h"
  17 #include "extensions/common/permissions/coalesced_permission_message.h"
  18 #include "extensions/common/permissions/permission_message.h"
  19 #include "extensions/common/permissions/permission_message_provider.h"
  20 #include "extensions/common/permissions/permission_set.h"
  21
  22 class GURL;
  23
  24 namespace extensions {
  25 class Extension;
  26 class URLPatternSet;
  27
  28 // A container for the permissions state of an extension, including active,
  29 // withheld, and tab-specific permissions.
  30 class PermissionsData {
  31  public:
  32   // The possible types of access for a given frame.
  33   enum AccessType {
  34     ACCESS_DENIED,   // The extension is not allowed to access the given page.
  35     ACCESS_ALLOWED,  // The extension is allowed to access the given page.
  36     ACCESS_WITHHELD  // The browser must determine if the extension can access
  37                      // the given page.
  38   };
  39
  40   using TabPermissionsMap = std::map<int, scoped_refptr<const PermissionSet>>;
  41
  42   // Delegate class to allow different contexts (e.g. browser vs renderer) to
  43   // have control over policy decisions.
  44   class PolicyDelegate {
  45    public:
  46     virtual ~PolicyDelegate() {}
  47
  48     // Returns false if script access should be blocked on this page.
  49     // Otherwise, default policy should decide.
  50     virtual bool CanExecuteScriptOnPage(const Extension* extension,
  51                                         const GURL& document_url,
  52                                         const GURL& top_document_url,
  53                                         int tab_id,
  54                                         int process_id,
  55                                         std::string* error) = 0;
  56   };
  57
  58   static void SetPolicyDelegate(PolicyDelegate* delegate);
  59
  60   PermissionsData(const Extension* extension);
  61   virtual ~PermissionsData();
  62
  63   // Returns true if the extension is a COMPONENT extension or is on the
  64   // whitelist of extensions that can script all pages.
  65   static bool CanExecuteScriptEverywhere(const Extension* extension);
  66
  67   // Returns true if the --scripts-require-action flag would possibly affect
  68   // the given |extension| and |permissions|. We pass in the |permissions|
  69   // explicitly, as we may need to check with permissions other than the ones
  70   // that are currently on the extension's PermissionsData.
  71   static bool ScriptsMayRequireActionForExtension(
  72       const Extension* extension,
  73       const PermissionSet* permissions);
  74
  75   // Returns true if we should skip the permissions warning for the extension
  76   // with the given |extension_id|.
  77   static bool ShouldSkipPermissionWarnings(const std::string& extension_id);
  78
  79   // Returns true if the given |url| is restricted for the given |extension|,
  80   // as is commonly the case for chrome:// urls.
  81   // NOTE: You probably want to use CanAccessPage().
  82   static bool IsRestrictedUrl(const GURL& document_url,
  83                               const GURL& top_frame_url,
  84                               const Extension* extension,
  85                               std::string* error);
  86
  87   // Sets the runtime permissions of the given |extension| to |active| and
  88   // |withheld|.
  89   void SetPermissions(const scoped_refptr<const PermissionSet>& active,
  90                       const scoped_refptr<const PermissionSet>& withheld) const;
  91
  92   // Updates the tab-specific permissions of |tab_id| to include those from
  93   // |permissions|.
  94   void UpdateTabSpecificPermissions(
  95       int tab_id,
  96       scoped_refptr<const PermissionSet> permissions) const;
  97
  98   // Clears the tab-specific permissions of |tab_id|.
  99   void ClearTabSpecificPermissions(int tab_id) const;
 100
 101   // Returns true if the |extension| has the given |permission|. Prefer
 102   // IsExtensionWithPermissionOrSuggestInConsole when developers may be using an
 103   // api that requires a permission they didn't know about, e.g. open web apis.
 104   // Note this does not include APIs with no corresponding permission, like
 105   // "runtime" or "browserAction".
 106   // TODO(mpcomplete): drop the "API" from these names, it's confusing.
 107   bool HasAPIPermission(APIPermission::ID permission) const;
 108   bool HasAPIPermission(const std::string& permission_name) const;
 109   bool HasAPIPermissionForTab(int tab_id, APIPermission::ID permission) const;
 110   bool CheckAPIPermissionWithParam(
 111       APIPermission::ID permission,
 112       const APIPermission::CheckParam* param) const;
 113
 114   // Returns the hosts this extension effectively has access to, including
 115   // explicit and scriptable hosts, and any hosts on tabs the extension has
 116   // active tab permissions for.
 117   URLPatternSet GetEffectiveHostPermissions() const;
 118
 119   // TODO(rdevlin.cronin): HasHostPermission() and
 120   // HasEffectiveAccessToAllHosts() are just forwards for the active
 121   // permissions. We should either get rid of these, and have callers use
 122   // active_permissions(), or should get rid of active_permissions(), and make
 123   // callers use PermissionsData for everything. We should not do both.
 124
 125   // Whether the extension has access to the given |url|.
 126   bool HasHostPermission(const GURL& url) const;
 127
 128   // Whether the extension has effective access to all hosts. This is true if
 129   // there is a content script that matches all hosts, if there is a host
 130   // permission grants access to all hosts (like <all_urls>) or an api
 131   // permission that effectively grants access to all hosts (e.g. proxy,
 132   // network, etc.)
 133   bool HasEffectiveAccessToAllHosts() const;
 134
 135   // Returns the full list of legacy permission message IDs.
 136   // Deprecated. You DO NOT want to call this!
 137   // TODO(treib): Remove once we've switched to the new system.
 138   PermissionMessageIDs GetLegacyPermissionMessageIDs() const;
 139
 140   // Returns the full list of permission messages that should display at install
 141   // time, including their submessages, as strings.
 142   // TODO(treib): Remove this and move callers over to
 143   // GetCoalescedPermissionMessages once we've fully switched to the new system.
 144   PermissionMessageStrings GetPermissionMessageStrings() const;
 145
 146   // Returns the full list of permission details for messages that should
 147   // display at install time, in a nested format ready for display.
 148   CoalescedPermissionMessages GetCoalescedPermissionMessages() const;
 149
 150   // Returns true if the extension has requested all-hosts permissions (or
 151   // something close to it), but has had it withheld.
 152   bool HasWithheldImpliedAllHosts() const;
 153
 154   // Returns true if the |extension| has permission to access and interact with
 155   // the specified page, in order to do things like inject scripts or modify
 156   // the content.
 157   // If this returns false and |error| is non-NULL, |error| will be popualted
 158   // with the reason the extension cannot access the page.
 159   bool CanAccessPage(const Extension* extension,
 160                      const GURL& document_url,
 161                      const GURL& top_document_url,
 162                      int tab_id,
 163                      int process_id,
 164                      std::string* error) const;
 165   // Like CanAccessPage, but also takes withheld permissions into account.
 166   // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
 167   // know how to wait for permission.
 168   AccessType GetPageAccess(const Extension* extension,
 169                            const GURL& document_url,
 170                            const GURL& top_document_url,
 171                            int tab_id,
 172                            int process_id,
 173                            std::string* error) const;
 174
 175   // Returns true if the |extension| has permission to inject a content script
 176   // on the page.
 177   // If this returns false and |error| is non-NULL, |error| will be popualted
 178   // with the reason the extension cannot script the page.
 179   // NOTE: You almost certainly want to use CanAccessPage() instead of this
 180   // method.
 181   bool CanRunContentScriptOnPage(const Extension* extension,
 182                                  const GURL& document_url,
 183                                  const GURL& top_document_url,
 184                                  int tab_id,
 185                                  int process_id,
 186                                  std::string* error) const;
 187   // Like CanRunContentScriptOnPage, but also takes withheld permissions into
 188   // account.
 189   // TODO(rdevlin.cronin) We shouldn't have two functions, but not all callers
 190   // know how to wait for permission.
 191   AccessType GetContentScriptAccess(const Extension* extension,
 192                                     const GURL& document_url,
 193                                     const GURL& top_document_url,
 194                                     int tab_id,
 195                                     int process_id,
 196                                     std::string* error) const;
 197
 198   // Returns true if extension is allowed to obtain the contents of a page as
 199   // an image. Since a page may contain sensitive information, this is
 200   // restricted to the extension's host permissions as well as the extension
 201   // page itself.
 202   bool CanCaptureVisiblePage(int tab_id, std::string* error) const;
 203
 204   // Returns the tab permissions map.
 205   TabPermissionsMap CopyTabSpecificPermissionsMap() const;
 206
 207   scoped_refptr<const PermissionSet> active_permissions() const {
 208     // We lock so that we can't also be setting the permissions while returning.
 209     base::AutoLock auto_lock(runtime_lock_);
 210     return active_permissions_unsafe_;
 211   }
 212
 213   scoped_refptr<const PermissionSet> withheld_permissions() const {
 214     // We lock so that we can't also be setting the permissions while returning.
 215     base::AutoLock auto_lock(runtime_lock_);
 216     return withheld_permissions_unsafe_;
 217   }
 218
 219 #if defined(UNIT_TEST)
 220   scoped_refptr<const PermissionSet> GetTabSpecificPermissionsForTesting(
 221       int tab_id) const {
 222     return GetTabSpecificPermissions(tab_id);
 223   }
 224 #endif
 225
 226  private:
 227   // Gets the tab-specific host permissions of |tab_id|, or NULL if there
 228   // aren't any.
 229   scoped_refptr<const PermissionSet> GetTabSpecificPermissions(
 230       int tab_id) const;
 231
 232   // Returns true if the |extension| has tab-specific permission to operate on
 233   // the tab specified by |tab_id| with the given |url|.
 234   // Note that if this returns false, it doesn't mean the extension can't run on
 235   // the given tab, only that it does not have tab-specific permission to do so.
 236   bool HasTabSpecificPermissionToExecuteScript(int tab_id,
 237                                                const GURL& url) const;
 238
 239   // Returns whether or not the extension is permitted to run on the given page,
 240   // checking against |permitted_url_patterns| in addition to blocking special
 241   // sites (like the webstore or chrome:// urls).
 242   AccessType CanRunOnPage(const Extension* extension,
 243                           const GURL& document_url,
 244                           const GURL& top_document_url,
 245                           int tab_id,
 246                           int process_id,
 247                           const URLPatternSet& permitted_url_patterns,
 248                           const URLPatternSet& withheld_url_patterns,
 249                           std::string* error) const;
 250
 251   // The associated extension's id.
 252   std::string extension_id_;
 253
 254   // The associated extension's manifest type.
 255   Manifest::Type manifest_type_;
 256
 257   mutable base::Lock runtime_lock_;
 258
 259   // The permission's which are currently active on the extension during
 260   // runtime.
 261   // Unsafe indicates that we must lock anytime this is directly accessed.
 262   // Unless you need to change |active_permissions_unsafe_|, use the (safe)
 263   // active_permissions() accessor.
 264   mutable scoped_refptr<const PermissionSet> active_permissions_unsafe_;
 265
 266   // The permissions the extension requested, but was not granted due because
 267   // they are too powerful. This includes things like all_hosts.
 268   // Unsafe indicates that we must lock anytime this is directly accessed.
 269   // Unless you need to change |withheld_permissions_unsafe_|, use the (safe)
 270   // withheld_permissions() accessor.
 271   mutable scoped_refptr<const PermissionSet> withheld_permissions_unsafe_;
 272
 273   mutable TabPermissionsMap tab_specific_permissions_;
 274
 275   DISALLOW_COPY_AND_ASSIGN(PermissionsData);
 276 };
 277
 278 }  // namespace extensions
 279
 280 #endif  // EXTENSIONS_COMMON_PERMISSIONS_PERMISSIONS_DATA_H_