search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Extensions: Remove the intermediate PermissionMessageStrings interface
[chromium-blink-merge.git] / chrome / common / extensions / permissions / permission_set_unittest.cc
blob75002cb7bd9c8ae84cd3b3acf88117ce24a4ad5f
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/command_line.h"
6 #include "base/json/json_file_value_serializer.h"
7 #include "base/logging.h"
8 #include "base/strings/string_number_conversions.h"
9 #include "base/strings/stringprintf.h"
10 #include "base/strings/utf_string_conversions.h"
11 #include "chrome/common/chrome_paths.h"
12 #include "chrome/common/chrome_switches.h"
13 #include "chrome/common/extensions/extension_test_util.h"
14 #include "chrome/common/extensions/features/feature_channel.h"
15 #include "chrome/common/extensions/permissions/chrome_permission_message_provider.h"
16 #include "chrome/grit/generated_resources.h"
17 #include "components/version_info/version_info.h"
18 #include "extensions/common/error_utils.h"
19 #include "extensions/common/extension.h"
20 #include "extensions/common/extension_builder.h"
21 #include "extensions/common/permissions/permission_message_provider.h"
22 #include "extensions/common/permissions/permission_message_test_util.h"
23 #include "extensions/common/permissions/permission_message_util.h"
24 #include "extensions/common/permissions/permission_set.h"
25 #include "extensions/common/permissions/permissions_data.h"
26 #include "extensions/common/permissions/permissions_info.h"
27 #include "extensions/common/permissions/socket_permission.h"
28 #include "extensions/common/value_builder.h"
29 #include "extensions/strings/grit/extensions_strings.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31 #include "ui/base/l10n/l10n_util.h"
32
33 using extension_test_util::LoadManifest;
34
35 namespace extensions {
36
37 namespace {
38
39 static void AddPattern(URLPatternSet* extent, const std::string& pattern) {
40 int schemes = URLPattern::SCHEME_ALL;
41 extent->AddPattern(URLPattern(schemes, pattern));
42 }
43
44 size_t IndexOf(const CoalescedPermissionMessages& warnings,
45 const std::string& warning) {
46 size_t i = 0;
47 for (const CoalescedPermissionMessage& msg : warnings) {
48 if (msg.message() == base::ASCIIToUTF16(warning))
49 return i;
50 ++i;
51 }
52
53 return warnings.size();
54 }
55
56 PermissionIDSet MakePermissionIDSet(APIPermission::ID id1,
57 APIPermission::ID id2) {
58 PermissionIDSet set;
59 set.insert(id1);
60 set.insert(id2);
61 return set;
62 }
63
64 PermissionIDSet MakePermissionIDSet(const APIPermissionSet& permissions) {
65 PermissionIDSet set;
66 for (const APIPermission* permission : permissions)
67 set.insert(permission->id());
68 return set;
69 }
70
71 std::string PermissionIDsToString(const PermissionIDSet& ids) {
72 std::vector<std::string> strs;
73 for (const PermissionID& id : ids)
74 strs.push_back(base::IntToString(id.id()));
75 return base::StringPrintf("[ %s ]", base::JoinString(strs, ", ").c_str());
76 }
77
78 std::string CoalescedPermissionIDsToString(
79 const CoalescedPermissionMessages& msgs) {
80 std::vector<std::string> strs;
81 for (const CoalescedPermissionMessage& msg : msgs)
82 strs.push_back(PermissionIDsToString(msg.permissions()));
83 return base::JoinString(strs, " ");
84 }
85
86 // Check that the given |permissions| produce a single warning message,
87 // identified by the set of |expected_ids|.
88 testing::AssertionResult PermissionSetProducesMessage(
89 const PermissionSet* permissions,
90 Manifest::Type extension_type,
91 const PermissionIDSet& expected_ids) {
92 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
93
94 CoalescedPermissionMessages msgs = provider->GetPermissionMessages(
95 provider->GetAllPermissionIDs(permissions, extension_type));
96 if (msgs.size() != 1) {
97 return testing::AssertionFailure()
98 << "Expected single permission message with IDs "
99 << PermissionIDsToString(expected_ids) << " but got " << msgs.size()
100 << " messages: " << CoalescedPermissionIDsToString(msgs);
101 }
102 if (!msgs.front().permissions().Equals(expected_ids)) {
103 return testing::AssertionFailure()
104 << "Expected permission IDs " << PermissionIDsToString(expected_ids)
105 << " but got " << PermissionIDsToString(msgs.front().permissions());
106 }
107
108 return testing::AssertionSuccess();
109 }
110
111 } // namespace
112
113 // Tests GetByID.
114 TEST(PermissionsTest, GetByID) {
115 PermissionsInfo* info = PermissionsInfo::GetInstance();
116 APIPermissionSet apis = info->GetAll();
117 for (APIPermissionSet::const_iterator i = apis.begin();
118 i != apis.end(); ++i) {
119 EXPECT_EQ(i->id(), i->info()->id());
120 }
121 }
122
123 // Tests that GetByName works with normal permission names and aliases.
124 TEST(PermissionsTest, GetByName) {
125 PermissionsInfo* info = PermissionsInfo::GetInstance();
126 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
127 EXPECT_EQ(APIPermission::kManagement,
128 info->GetByName("management")->id());
129 EXPECT_FALSE(info->GetByName("alsdkfjasldkfj"));
130 }
131
132 TEST(PermissionsTest, GetAll) {
133 size_t count = 0;
134 PermissionsInfo* info = PermissionsInfo::GetInstance();
135 APIPermissionSet apis = info->GetAll();
136 for (APIPermissionSet::const_iterator api = apis.begin();
137 api != apis.end(); ++api) {
138 // Make sure only the valid permission IDs get returned.
139 EXPECT_NE(APIPermission::kInvalid, api->id());
140 EXPECT_NE(APIPermission::kUnknown, api->id());
141 count++;
142 }
143 EXPECT_EQ(count, info->get_permission_count());
144 }
145
146 TEST(PermissionsTest, GetAllByName) {
147 std::set<std::string> names;
148 names.insert("background");
149 names.insert("management");
150
151 // This is an alias of kTab
152 names.insert("windows");
153
154 // This unknown name should get dropped.
155 names.insert("sdlkfjasdlkfj");
156
157 APIPermissionSet expected;
158 expected.insert(APIPermission::kBackground);
159 expected.insert(APIPermission::kManagement);
160 expected.insert(APIPermission::kTab);
161
162 EXPECT_EQ(expected,
163 PermissionsInfo::GetInstance()->GetAllByName(names));
164 }
165
166 // Tests that the aliases are properly mapped.
167 TEST(PermissionsTest, Aliases) {
168 PermissionsInfo* info = PermissionsInfo::GetInstance();
169 // tabs: tabs, windows
170 std::string tabs_name = "tabs";
171 EXPECT_EQ(tabs_name, info->GetByID(APIPermission::kTab)->name());
172 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
173 EXPECT_EQ(APIPermission::kTab, info->GetByName("windows")->id());
174
175 // unlimitedStorage: unlimitedStorage, unlimited_storage
176 std::string storage_name = "unlimitedStorage";
177 EXPECT_EQ(storage_name, info->GetByID(
178 APIPermission::kUnlimitedStorage)->name());
179 EXPECT_EQ(APIPermission::kUnlimitedStorage,
180 info->GetByName("unlimitedStorage")->id());
181 EXPECT_EQ(APIPermission::kUnlimitedStorage,
182 info->GetByName("unlimited_storage")->id());
183 }
184
185 TEST(PermissionsTest, EffectiveHostPermissions) {
186 scoped_refptr<Extension> extension;
187 scoped_refptr<const PermissionSet> permissions;
188
189 extension = LoadManifest("effective_host_permissions", "empty.json");
190 permissions = extension->permissions_data()->active_permissions();
191 EXPECT_EQ(0u,
192 extension->permissions_data()
193 ->GetEffectiveHostPermissions()
194 .patterns()
195 .size());
196 EXPECT_FALSE(
197 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
198 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
199
200 extension = LoadManifest("effective_host_permissions", "one_host.json");
201 permissions = extension->permissions_data()->active_permissions();
202 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
203 GURL("http://www.google.com")));
204 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(
205 GURL("https://www.google.com")));
206 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
207
208 extension = LoadManifest("effective_host_permissions",
209 "one_host_wildcard.json");
210 permissions = extension->permissions_data()->active_permissions();
211 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
212 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
213 GURL("http://foo.google.com")));
214 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
215
216 extension = LoadManifest("effective_host_permissions", "two_hosts.json");
217 permissions = extension->permissions_data()->active_permissions();
218 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
219 GURL("http://www.google.com")));
220 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
221 GURL("http://www.reddit.com")));
222 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
223
224 extension = LoadManifest("effective_host_permissions",
225 "https_not_considered.json");
226 permissions = extension->permissions_data()->active_permissions();
227 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
228 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://google.com")));
229 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
230
231 extension = LoadManifest("effective_host_permissions",
232 "two_content_scripts.json");
233 permissions = extension->permissions_data()->active_permissions();
234 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
235 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
236 GURL("http://www.reddit.com")));
237 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
238 GURL("http://news.ycombinator.com")));
239 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
240
241 extension = LoadManifest("effective_host_permissions", "all_hosts.json");
242 permissions = extension->permissions_data()->active_permissions();
243 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
244 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
245 EXPECT_TRUE(
246 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
247 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
248
249 extension = LoadManifest("effective_host_permissions", "all_hosts2.json");
250 permissions = extension->permissions_data()->active_permissions();
251 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
252 EXPECT_TRUE(
253 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
254 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
255
256 extension = LoadManifest("effective_host_permissions", "all_hosts3.json");
257 permissions = extension->permissions_data()->active_permissions();
258 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
259 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
260 EXPECT_TRUE(
261 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
262 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
263 }
264
265 TEST(PermissionsTest, ExplicitAccessToOrigin) {
266 APIPermissionSet apis;
267 ManifestPermissionSet manifest_permissions;
268 URLPatternSet explicit_hosts;
269 URLPatternSet scriptable_hosts;
270
271 AddPattern(&explicit_hosts, "http://*.google.com/*");
272 // The explicit host paths should get set to /*.
273 AddPattern(&explicit_hosts, "http://www.example.com/a/particular/path/*");
274
275 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
276 apis, manifest_permissions, explicit_hosts, scriptable_hosts);
277 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
278 GURL("http://www.google.com/")));
279 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
280 GURL("http://test.google.com/")));
281 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
282 GURL("http://www.example.com")));
283 ASSERT_TRUE(perm_set->HasEffectiveAccessToURL(
284 GURL("http://www.example.com")));
285 ASSERT_FALSE(perm_set->HasExplicitAccessToOrigin(
286 GURL("http://test.example.com")));
287 }
288
289 TEST(PermissionsTest, CreateUnion) {
290 APIPermission* permission = NULL;
291
292 ManifestPermissionSet manifest_permissions;
293 APIPermissionSet apis1;
294 APIPermissionSet apis2;
295 APIPermissionSet expected_apis;
296
297 URLPatternSet explicit_hosts1;
298 URLPatternSet explicit_hosts2;
299 URLPatternSet expected_explicit_hosts;
300
301 URLPatternSet scriptable_hosts1;
302 URLPatternSet scriptable_hosts2;
303 URLPatternSet expected_scriptable_hosts;
304
305 URLPatternSet effective_hosts;
306
307 scoped_refptr<PermissionSet> set1;
308 scoped_refptr<PermissionSet> set2;
309 scoped_refptr<PermissionSet> union_set;
310
311 const APIPermissionInfo* permission_info =
312 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
313 permission = permission_info->CreateAPIPermission();
314 {
315 scoped_ptr<base::ListValue> value(new base::ListValue());
316 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
317 value->Append(new base::StringValue("udp-bind::8080"));
318 value->Append(new base::StringValue("udp-send-to::8888"));
319 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
320 }
321
322 // Union with an empty set.
323 apis1.insert(APIPermission::kTab);
324 apis1.insert(APIPermission::kBackground);
325 apis1.insert(permission->Clone());
326 expected_apis.insert(APIPermission::kTab);
327 expected_apis.insert(APIPermission::kBackground);
328 expected_apis.insert(permission);
329
330 AddPattern(&explicit_hosts1, "http://*.google.com/*");
331 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
332 AddPattern(&effective_hosts, "http://*.google.com/*");
333
334 set1 = new PermissionSet(apis1, manifest_permissions,
335 explicit_hosts1, scriptable_hosts1);
336 set2 = new PermissionSet(apis2, manifest_permissions,
337 explicit_hosts2, scriptable_hosts2);
338 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
339 EXPECT_TRUE(set1->Contains(*set2.get()));
340 EXPECT_TRUE(set1->Contains(*union_set.get()));
341 EXPECT_FALSE(set2->Contains(*set1.get()));
342 EXPECT_FALSE(set2->Contains(*union_set.get()));
343 EXPECT_TRUE(union_set->Contains(*set1.get()));
344 EXPECT_TRUE(union_set->Contains(*set2.get()));
345
346 EXPECT_FALSE(union_set->HasEffectiveFullAccess());
347 EXPECT_EQ(expected_apis, union_set->apis());
348 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
349 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
350 EXPECT_EQ(expected_explicit_hosts, union_set->effective_hosts());
351
352 // Now use a real second set.
353 apis2.insert(APIPermission::kTab);
354 apis2.insert(APIPermission::kProxy);
355 apis2.insert(APIPermission::kClipboardWrite);
356 apis2.insert(APIPermission::kPlugin);
357
358 permission = permission_info->CreateAPIPermission();
359 {
360 scoped_ptr<base::ListValue> value(new base::ListValue());
361 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
362 value->Append(new base::StringValue("udp-send-to::8899"));
363 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
364 }
365 apis2.insert(permission);
366
367 expected_apis.insert(APIPermission::kTab);
368 expected_apis.insert(APIPermission::kProxy);
369 expected_apis.insert(APIPermission::kClipboardWrite);
370 expected_apis.insert(APIPermission::kPlugin);
371
372 permission = permission_info->CreateAPIPermission();
373 {
374 scoped_ptr<base::ListValue> value(new base::ListValue());
375 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
376 value->Append(new base::StringValue("udp-bind::8080"));
377 value->Append(new base::StringValue("udp-send-to::8888"));
378 value->Append(new base::StringValue("udp-send-to::8899"));
379 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
380 }
381 // Insert a new permission socket permisssion which will replace the old one.
382 expected_apis.insert(permission);
383
384 AddPattern(&explicit_hosts2, "http://*.example.com/*");
385 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
386 AddPattern(&expected_explicit_hosts, "http://*.example.com/*");
387 AddPattern(&expected_scriptable_hosts, "http://*.google.com/*");
388
389 URLPatternSet::CreateUnion(
390 explicit_hosts2, scriptable_hosts2, &effective_hosts);
391
392 set2 = new PermissionSet(apis2, manifest_permissions,
393 explicit_hosts2, scriptable_hosts2);
394 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
395
396 EXPECT_FALSE(set1->Contains(*set2.get()));
397 EXPECT_FALSE(set1->Contains(*union_set.get()));
398 EXPECT_FALSE(set2->Contains(*set1.get()));
399 EXPECT_FALSE(set2->Contains(*union_set.get()));
400 EXPECT_TRUE(union_set->Contains(*set1.get()));
401 EXPECT_TRUE(union_set->Contains(*set2.get()));
402
403 EXPECT_TRUE(union_set->HasEffectiveFullAccess());
404 EXPECT_TRUE(union_set->HasEffectiveAccessToAllHosts());
405 EXPECT_EQ(expected_apis, union_set->apis());
406 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
407 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
408 EXPECT_EQ(effective_hosts, union_set->effective_hosts());
409 }
410
411 TEST(PermissionsTest, CreateIntersection) {
412 APIPermission* permission = NULL;
413
414 ManifestPermissionSet manifest_permissions;
415 APIPermissionSet apis1;
416 APIPermissionSet apis2;
417 APIPermissionSet expected_apis;
418
419 URLPatternSet explicit_hosts1;
420 URLPatternSet explicit_hosts2;
421 URLPatternSet expected_explicit_hosts;
422
423 URLPatternSet scriptable_hosts1;
424 URLPatternSet scriptable_hosts2;
425 URLPatternSet expected_scriptable_hosts;
426
427 URLPatternSet effective_hosts;
428
429 scoped_refptr<PermissionSet> set1;
430 scoped_refptr<PermissionSet> set2;
431 scoped_refptr<PermissionSet> new_set;
432
433 const APIPermissionInfo* permission_info =
434 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
435
436 // Intersection with an empty set.
437 apis1.insert(APIPermission::kTab);
438 apis1.insert(APIPermission::kBackground);
439 permission = permission_info->CreateAPIPermission();
440 {
441 scoped_ptr<base::ListValue> value(new base::ListValue());
442 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
443 value->Append(new base::StringValue("udp-bind::8080"));
444 value->Append(new base::StringValue("udp-send-to::8888"));
445 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
446 }
447 apis1.insert(permission);
448
449 AddPattern(&explicit_hosts1, "http://*.google.com/*");
450 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
451
452 set1 = new PermissionSet(apis1, manifest_permissions,
453 explicit_hosts1, scriptable_hosts1);
454 set2 = new PermissionSet(apis2, manifest_permissions,
455 explicit_hosts2, scriptable_hosts2);
456 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
457 EXPECT_TRUE(set1->Contains(*new_set.get()));
458 EXPECT_TRUE(set2->Contains(*new_set.get()));
459 EXPECT_TRUE(set1->Contains(*set2.get()));
460 EXPECT_FALSE(set2->Contains(*set1.get()));
461 EXPECT_FALSE(new_set->Contains(*set1.get()));
462 EXPECT_TRUE(new_set->Contains(*set2.get()));
463
464 EXPECT_TRUE(new_set->IsEmpty());
465 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
466 EXPECT_EQ(expected_apis, new_set->apis());
467 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
468 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
469 EXPECT_EQ(expected_explicit_hosts, new_set->effective_hosts());
470
471 // Now use a real second set.
472 apis2.insert(APIPermission::kTab);
473 apis2.insert(APIPermission::kProxy);
474 apis2.insert(APIPermission::kClipboardWrite);
475 apis2.insert(APIPermission::kPlugin);
476 permission = permission_info->CreateAPIPermission();
477 {
478 scoped_ptr<base::ListValue> value(new base::ListValue());
479 value->Append(new base::StringValue("udp-bind::8080"));
480 value->Append(new base::StringValue("udp-send-to::8888"));
481 value->Append(new base::StringValue("udp-send-to::8899"));
482 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
483 }
484 apis2.insert(permission);
485
486 expected_apis.insert(APIPermission::kTab);
487 permission = permission_info->CreateAPIPermission();
488 {
489 scoped_ptr<base::ListValue> value(new base::ListValue());
490 value->Append(new base::StringValue("udp-bind::8080"));
491 value->Append(new base::StringValue("udp-send-to::8888"));
492 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
493 }
494 expected_apis.insert(permission);
495
496 AddPattern(&explicit_hosts2, "http://*.example.com/*");
497 AddPattern(&explicit_hosts2, "http://*.google.com/*");
498 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
499 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
500
501 effective_hosts.ClearPatterns();
502 AddPattern(&effective_hosts, "http://*.google.com/*");
503
504 set2 = new PermissionSet(apis2, manifest_permissions,
505 explicit_hosts2, scriptable_hosts2);
506 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
507
508 EXPECT_TRUE(set1->Contains(*new_set.get()));
509 EXPECT_TRUE(set2->Contains(*new_set.get()));
510 EXPECT_FALSE(set1->Contains(*set2.get()));
511 EXPECT_FALSE(set2->Contains(*set1.get()));
512 EXPECT_FALSE(new_set->Contains(*set1.get()));
513 EXPECT_FALSE(new_set->Contains(*set2.get()));
514
515 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
516 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
517 EXPECT_EQ(expected_apis, new_set->apis());
518 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
519 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
520 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
521 }
522
523 TEST(PermissionsTest, CreateDifference) {
524 APIPermission* permission = NULL;
525
526 ManifestPermissionSet manifest_permissions;
527 APIPermissionSet apis1;
528 APIPermissionSet apis2;
529 APIPermissionSet expected_apis;
530
531 URLPatternSet explicit_hosts1;
532 URLPatternSet explicit_hosts2;
533 URLPatternSet expected_explicit_hosts;
534
535 URLPatternSet scriptable_hosts1;
536 URLPatternSet scriptable_hosts2;
537 URLPatternSet expected_scriptable_hosts;
538
539 URLPatternSet effective_hosts;
540
541 scoped_refptr<PermissionSet> set1;
542 scoped_refptr<PermissionSet> set2;
543 scoped_refptr<PermissionSet> new_set;
544
545 const APIPermissionInfo* permission_info =
546 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
547
548 // Difference with an empty set.
549 apis1.insert(APIPermission::kTab);
550 apis1.insert(APIPermission::kBackground);
551 permission = permission_info->CreateAPIPermission();
552 {
553 scoped_ptr<base::ListValue> value(new base::ListValue());
554 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
555 value->Append(new base::StringValue("udp-bind::8080"));
556 value->Append(new base::StringValue("udp-send-to::8888"));
557 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
558 }
559 apis1.insert(permission);
560
561 AddPattern(&explicit_hosts1, "http://*.google.com/*");
562 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
563
564 set1 = new PermissionSet(apis1, manifest_permissions,
565 explicit_hosts1, scriptable_hosts1);
566 set2 = new PermissionSet(apis2, manifest_permissions,
567 explicit_hosts2, scriptable_hosts2);
568 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
569 EXPECT_EQ(*set1.get(), *new_set.get());
570
571 // Now use a real second set.
572 apis2.insert(APIPermission::kTab);
573 apis2.insert(APIPermission::kProxy);
574 apis2.insert(APIPermission::kClipboardWrite);
575 apis2.insert(APIPermission::kPlugin);
576 permission = permission_info->CreateAPIPermission();
577 {
578 scoped_ptr<base::ListValue> value(new base::ListValue());
579 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
580 value->Append(new base::StringValue("udp-send-to::8899"));
581 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
582 }
583 apis2.insert(permission);
584
585 expected_apis.insert(APIPermission::kBackground);
586 permission = permission_info->CreateAPIPermission();
587 {
588 scoped_ptr<base::ListValue> value(new base::ListValue());
589 value->Append(new base::StringValue("udp-bind::8080"));
590 value->Append(new base::StringValue("udp-send-to::8888"));
591 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
592 }
593 expected_apis.insert(permission);
594
595 AddPattern(&explicit_hosts2, "http://*.example.com/*");
596 AddPattern(&explicit_hosts2, "http://*.google.com/*");
597 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
598 AddPattern(&expected_scriptable_hosts, "http://www.reddit.com/*");
599
600 effective_hosts.ClearPatterns();
601 AddPattern(&effective_hosts, "http://www.reddit.com/*");
602
603 set2 = new PermissionSet(apis2, manifest_permissions,
604 explicit_hosts2, scriptable_hosts2);
605 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
606
607 EXPECT_TRUE(set1->Contains(*new_set.get()));
608 EXPECT_FALSE(set2->Contains(*new_set.get()));
609
610 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
611 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
612 EXPECT_EQ(expected_apis, new_set->apis());
613 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
614 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
615 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
616
617 // |set3| = |set1| - |set2| --> |set3| intersect |set2| == empty_set
618 set1 = PermissionSet::CreateIntersection(new_set.get(), set2.get());
619 EXPECT_TRUE(set1->IsEmpty());
620 }
621
622 TEST(PermissionsTest, IsPrivilegeIncrease) {
623 const struct {
624 const char* base_name;
625 bool expect_increase;
626 } kTests[] = {
627 { "allhosts1", false }, // all -> all
628 { "allhosts2", false }, // all -> one
629 { "allhosts3", true }, // one -> all
630 { "hosts1", false }, // http://a,http://b -> http://a,http://b
631 { "hosts2", true }, // http://a,http://b -> https://a,http://*.b
632 { "hosts3", false }, // http://a,http://b -> http://a
633 { "hosts4", true }, // http://a -> http://a,http://b
634 { "hosts5", false }, // http://a,b,c -> http://a,b,c + https://a,b,c
635 { "hosts6", false }, // http://a.com -> http://a.com + http://a.co.uk
636 { "permissions1", false }, // tabs -> tabs
637 { "permissions2", true }, // tabs -> tabs,bookmarks
638 { "permissions3", true }, // http://a -> http://a,tabs
639 { "permissions5", true }, // bookmarks -> bookmarks,history
640 { "equivalent_warnings", false }, // tabs --> tabs, webNavigation
641 #if !defined(OS_CHROMEOS) // plugins aren't allowed in ChromeOS
642 { "permissions4", false }, // plugin -> plugin,tabs
643 { "plugin1", false }, // plugin -> plugin
644 { "plugin2", false }, // plugin -> none
645 { "plugin3", true }, // none -> plugin
646 #endif
647 { "storage", false }, // none -> storage
648 { "notifications", false }, // none -> notifications
649 { "platformapp1", false }, // host permissions for platform apps
650 { "platformapp2", true }, // API permissions for platform apps
651 { "media_galleries1", true }, // all -> read|all
652 { "media_galleries2", true }, // read|all -> read|delete|copyTo|all
653 { "media_galleries3", true }, // all -> read|delete|all
654 { "media_galleries4", false }, // read|all -> all
655 { "media_galleries5", false }, // read|copyTo|delete|all -> read|all
656 { "media_galleries6", false }, // read|all -> read|all
657 { "media_galleries7", true }, // read|delete|all -> read|copyTo|delete|all
658 { "sockets1", true }, // none -> tcp:*:*
659 { "sockets2", false }, // tcp:*:* -> tcp:*:*
660 { "sockets3", true }, // tcp:a.com:80 -> tcp:*:*
661 };
662
663 for (size_t i = 0; i < arraysize(kTests); ++i) {
664 scoped_refptr<Extension> old_extension(
665 LoadManifest("allow_silent_upgrade",
666 std::string(kTests[i].base_name) + "_old.json"));
667 scoped_refptr<Extension> new_extension(
668 LoadManifest("allow_silent_upgrade",
669 std::string(kTests[i].base_name) + "_new.json"));
670
671 EXPECT_TRUE(new_extension.get()) << kTests[i].base_name << "_new.json";
672 if (!new_extension.get())
673 continue;
674
675 scoped_refptr<const PermissionSet> old_p(
676 old_extension->permissions_data()->active_permissions());
677 scoped_refptr<const PermissionSet> new_p(
678 new_extension->permissions_data()->active_permissions());
679 Manifest::Type extension_type = old_extension->GetType();
680
681 bool increased = PermissionMessageProvider::Get()->IsPrivilegeIncrease(
682 old_p.get(), new_p.get(), extension_type);
683 EXPECT_EQ(kTests[i].expect_increase, increased) << kTests[i].base_name;
684 }
685 }
686
687 TEST(PermissionsTest, PermissionMessages) {
688 // Ensure that all permissions that needs to show install UI actually have
689 // strings associated with them.
690 APIPermissionSet skip;
691
692 // These are considered "nuisance" or "trivial" permissions that don't need
693 // a prompt.
694 skip.insert(APIPermission::kActiveTab);
695 skip.insert(APIPermission::kAlarms);
696 skip.insert(APIPermission::kAlphaEnabled);
697 skip.insert(APIPermission::kAlwaysOnTopWindows);
698 skip.insert(APIPermission::kAppView);
699 skip.insert(APIPermission::kAudio);
700 skip.insert(APIPermission::kAudioModem);
701 skip.insert(APIPermission::kBrowsingData);
702 skip.insert(APIPermission::kCastStreaming);
703 skip.insert(APIPermission::kCommandsAccessibility);
704 skip.insert(APIPermission::kContextMenus);
705 skip.insert(APIPermission::kCryptotokenPrivate);
706 skip.insert(APIPermission::kCopresencePrivate);
707 skip.insert(APIPermission::kDesktopCapturePrivate);
708 skip.insert(APIPermission::kDiagnostics);
709 skip.insert(APIPermission::kDns);
710 skip.insert(APIPermission::kDownloadsShelf);
711 skip.insert(APIPermission::kEmbeddedExtensionOptions);
712 skip.insert(APIPermission::kExtensionView);
713 skip.insert(APIPermission::kFontSettings);
714 skip.insert(APIPermission::kFullscreen);
715 skip.insert(APIPermission::kGcm);
716 skip.insert(APIPermission::kIdle);
717 skip.insert(APIPermission::kImeWindowEnabled);
718 skip.insert(APIPermission::kInlineInstallPrivate);
719 skip.insert(APIPermission::kIdltest);
720 skip.insert(APIPermission::kLogPrivate);
721 skip.insert(APIPermission::kNotifications);
722 skip.insert(APIPermission::kNotificationProvider);
723 skip.insert(APIPermission::kOverrideEscFullscreen);
724 skip.insert(APIPermission::kPointerLock);
725 skip.insert(APIPermission::kPower);
726 skip.insert(APIPermission::kPrinterProvider);
727 skip.insert(APIPermission::kSessions);
728 skip.insert(APIPermission::kStorage);
729 skip.insert(APIPermission::kSystemCpu);
730 skip.insert(APIPermission::kSystemDisplay);
731 skip.insert(APIPermission::kSystemMemory);
732 skip.insert(APIPermission::kSystemNetwork);
733 skip.insert(APIPermission::kSystemStorage);
734 skip.insert(APIPermission::kTts);
735 skip.insert(APIPermission::kUnlimitedStorage);
736 skip.insert(APIPermission::kWebcamPrivate);
737 skip.insert(APIPermission::kWebView);
738 skip.insert(APIPermission::kWindowShape);
739
740 // These permissions are restricted to extensions force-installed by policy
741 // and don't require a prompt, i.e. they're restricted to location 'policy'.
742 skip.insert(APIPermission::kEnterprisePlatformKeys);
743
744 // TODO(erikkay) add a string for this permission.
745 skip.insert(APIPermission::kBackground);
746
747 skip.insert(APIPermission::kClipboardWrite);
748
749 // The cookie permission does nothing unless you have associated host
750 // permissions.
751 skip.insert(APIPermission::kCookie);
752
753 // These are warned as part of host permission checks.
754 skip.insert(APIPermission::kDataReductionProxy);
755 skip.insert(APIPermission::kDeclarativeContent);
756 skip.insert(APIPermission::kPageCapture);
757 skip.insert(APIPermission::kProxy);
758 skip.insert(APIPermission::kTabCapture);
759 skip.insert(APIPermission::kWebRequest);
760 skip.insert(APIPermission::kWebRequestBlocking);
761
762 // This permission requires explicit user action (context menu handler)
763 // so we won't prompt for it for now.
764 skip.insert(APIPermission::kFileBrowserHandler);
765
766 // These permissions require explicit user action (configuration dialog)
767 // so we don't prompt for them at install time.
768 skip.insert(APIPermission::kMediaGalleries);
769
770 // If you've turned on the experimental command-line flag, we don't need
771 // to warn you further.
772 skip.insert(APIPermission::kExperimental);
773
774 // The Identity API has its own server-driven permission prompts.
775 skip.insert(APIPermission::kIdentity);
776
777 // These are private.
778 skip.insert(APIPermission::kAccessibilityPrivate);
779 skip.insert(APIPermission::kAutoTestPrivate);
780 skip.insert(APIPermission::kBookmarkManagerPrivate);
781 skip.insert(APIPermission::kBrailleDisplayPrivate);
782 skip.insert(APIPermission::kCast);
783 skip.insert(APIPermission::kCastStreaming);
784 skip.insert(APIPermission::kChromeosInfoPrivate);
785 skip.insert(APIPermission::kCloudPrintPrivate);
786 skip.insert(APIPermission::kCommandLinePrivate);
787 skip.insert(APIPermission::kDeveloperPrivate);
788 skip.insert(APIPermission::kDial);
789 skip.insert(APIPermission::kDownloadsInternal);
790 skip.insert(APIPermission::kEasyUnlockPrivate);
791 skip.insert(APIPermission::kEchoPrivate);
792 skip.insert(APIPermission::kEnterprisePlatformKeysPrivate);
793 skip.insert(APIPermission::kFeedbackPrivate);
794 skip.insert(APIPermission::kFileBrowserHandlerInternal);
795 skip.insert(APIPermission::kFileManagerPrivate);
796 skip.insert(APIPermission::kFirstRunPrivate);
797 skip.insert(APIPermission::kGcdPrivate);
798 skip.insert(APIPermission::kHotwordPrivate);
799 skip.insert(APIPermission::kIdentityPrivate);
800 skip.insert(APIPermission::kInputMethodPrivate);
801 skip.insert(APIPermission::kLanguageSettingsPrivate);
802 skip.insert(APIPermission::kMediaPlayerPrivate);
803 skip.insert(APIPermission::kMediaRouterPrivate);
804 skip.insert(APIPermission::kMetricsPrivate);
805 skip.insert(APIPermission::kPreferencesPrivate);
806 skip.insert(APIPermission::kPrincipalsPrivate);
807 skip.insert(APIPermission::kImageWriterPrivate);
808 skip.insert(APIPermission::kReadingListPrivate);
809 skip.insert(APIPermission::kRtcPrivate);
810 skip.insert(APIPermission::kStreamsPrivate);
811 skip.insert(APIPermission::kSystemPrivate);
812 skip.insert(APIPermission::kTabCaptureForTab);
813 skip.insert(APIPermission::kTerminalPrivate);
814 skip.insert(APIPermission::kVirtualKeyboardPrivate);
815 skip.insert(APIPermission::kWallpaperPrivate);
816 skip.insert(APIPermission::kWebrtcAudioPrivate);
817 skip.insert(APIPermission::kWebrtcDesktopCapturePrivate);
818 skip.insert(APIPermission::kWebrtcLoggingPrivate);
819 skip.insert(APIPermission::kWebstorePrivate);
820 skip.insert(APIPermission::kWebstoreWidgetPrivate);
821
822 // Warned as part of host permissions.
823 skip.insert(APIPermission::kDevtools);
824
825 // Platform apps.
826 skip.insert(APIPermission::kBrowser);
827 skip.insert(APIPermission::kHid);
828 skip.insert(APIPermission::kFileSystem);
829 skip.insert(APIPermission::kFileSystemProvider);
830 skip.insert(APIPermission::kFileSystemRequestFileSystem);
831 skip.insert(APIPermission::kFileSystemRetainEntries);
832 skip.insert(APIPermission::kFileSystemWrite);
833 skip.insert(APIPermission::kSocket);
834 skip.insert(APIPermission::kUsb);
835 skip.insert(APIPermission::kUsbDevice);
836 skip.insert(APIPermission::kLauncherSearchProvider);
837
838 // We already have a generic message for declaring externally_connectable.
839 skip.insert(APIPermission::kExternallyConnectableAllUrls);
840
841 PermissionsInfo* info = PermissionsInfo::GetInstance();
842 APIPermissionSet permissions = info->GetAll();
843 for (APIPermissionSet::const_iterator i = permissions.begin();
844 i != permissions.end(); ++i) {
845 const APIPermissionInfo* permission_info = i->info();
846 EXPECT_TRUE(permission_info != NULL);
847
848 if (skip.count(i->id())) {
849 EXPECT_EQ(PermissionMessage::kNone, permission_info->message_id())
850 << "unexpected message_id for " << permission_info->name();
851 } else {
852 EXPECT_NE(PermissionMessage::kNone, permission_info->message_id())
853 << "missing message_id for " << permission_info->name();
854 }
855 }
856 }
857
858 TEST(PermissionsTest, FileSystemPermissionMessages) {
859 APIPermissionSet api_permissions;
860 api_permissions.insert(APIPermission::kFileSystemWrite);
861 api_permissions.insert(APIPermission::kFileSystemDirectory);
862 scoped_refptr<PermissionSet> permissions(
863 new PermissionSet(api_permissions, ManifestPermissionSet(),
864 URLPatternSet(), URLPatternSet()));
865 EXPECT_TRUE(PermissionSetProducesMessage(
866 permissions.get(), Manifest::TYPE_PLATFORM_APP,
867 MakePermissionIDSet(api_permissions)));
868 }
869
870 // The file system permissions have a special-case hack to show a warning for
871 // write and directory at the same time.
872 // TODO(sammc): Remove this. See http://crbug.com/284849.
873 TEST(PermissionsTest, FileSystemImplicitPermissions) {
874 APIPermissionSet apis;
875 apis.insert(APIPermission::kFileSystemWrite);
876 apis.AddImpliedPermissions();
877
878 EXPECT_EQ(apis.find(APIPermission::kFileSystemWrite)->id(),
879 APIPermission::kFileSystemWrite);
880 EXPECT_EQ(apis.size(), 1u);
881
882 apis.erase(APIPermission::kFileSystemWrite);
883 apis.insert(APIPermission::kFileSystemDirectory);
884 apis.AddImpliedPermissions();
885
886 EXPECT_EQ(apis.find(APIPermission::kFileSystemDirectory)->id(),
887 APIPermission::kFileSystemDirectory);
888 EXPECT_EQ(apis.size(), 1u);
889
890 apis.insert(APIPermission::kFileSystemWrite);
891 apis.AddImpliedPermissions();
892
893 EXPECT_EQ(apis.find(APIPermission::kFileSystemWrite)->id(),
894 APIPermission::kFileSystemWrite);
895 EXPECT_EQ(apis.find(APIPermission::kFileSystemDirectory)->id(),
896 APIPermission::kFileSystemDirectory);
897 EXPECT_EQ(apis.find(APIPermission::kFileSystemWriteDirectory)->id(),
898 APIPermission::kFileSystemWriteDirectory);
899 EXPECT_EQ(apis.size(), 3u);
900 }
901
902 TEST(PermissionsTest, HiddenFileSystemPermissionMessages) {
903 APIPermissionSet api_permissions;
904 api_permissions.insert(APIPermission::kFileSystemWrite);
905 api_permissions.insert(APIPermission::kFileSystemDirectory);
906 api_permissions.insert(APIPermission::kFileSystemWriteDirectory);
907 scoped_refptr<PermissionSet> permissions(
908 new PermissionSet(api_permissions, ManifestPermissionSet(),
909 URLPatternSet(), URLPatternSet()));
910 EXPECT_TRUE(PermissionSetProducesMessage(
911 permissions.get(), Manifest::TYPE_PLATFORM_APP,
912 MakePermissionIDSet(api_permissions)));
913 }
914
915 TEST(PermissionsTest, SuppressedPermissionMessages) {
916 {
917 // Tabs warning suppresses favicon warning.
918 APIPermissionSet api_permissions;
919 api_permissions.insert(APIPermission::kTab);
920 URLPatternSet hosts;
921 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
922 "chrome://favicon/"));
923 scoped_refptr<PermissionSet> permissions(
924 new PermissionSet(api_permissions, ManifestPermissionSet(),
925 hosts, URLPatternSet()));
926 EXPECT_TRUE(PermissionSetProducesMessage(
927 permissions.get(), Manifest::TYPE_EXTENSION,
928 MakePermissionIDSet(APIPermission::kTab, APIPermission::kFavicon)));
929 }
930 {
931 // History warning suppresses favicon warning.
932 APIPermissionSet api_permissions;
933 api_permissions.insert(APIPermission::kHistory);
934 URLPatternSet hosts;
935 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
936 "chrome://favicon/"));
937 scoped_refptr<PermissionSet> permissions(
938 new PermissionSet(api_permissions, ManifestPermissionSet(),
939 hosts, URLPatternSet()));
940 EXPECT_TRUE(PermissionSetProducesMessage(
941 permissions.get(), Manifest::TYPE_EXTENSION,
942 MakePermissionIDSet(APIPermission::kHistory, APIPermission::kFavicon)));
943 }
944 {
945 // All sites warning suppresses tabs warning.
946 APIPermissionSet api_permissions;
947 api_permissions.insert(APIPermission::kTab);
948 URLPatternSet hosts;
949 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
950 scoped_refptr<PermissionSet> permissions(new PermissionSet(
951 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
952 EXPECT_TRUE(PermissionSetProducesMessage(
953 permissions.get(), Manifest::TYPE_EXTENSION,
954 MakePermissionIDSet(APIPermission::kHostsAll, APIPermission::kTab)));
955 }
956 {
957 // All sites warning suppresses topSites warning.
958 APIPermissionSet api_permissions;
959 api_permissions.insert(APIPermission::kTopSites);
960 URLPatternSet hosts;
961 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
962 scoped_refptr<PermissionSet> permissions(new PermissionSet(
963 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
964 EXPECT_TRUE(PermissionSetProducesMessage(
965 permissions.get(), Manifest::TYPE_EXTENSION,
966 MakePermissionIDSet(APIPermission::kHostsAll,
967 APIPermission::kTopSites)));
968 }
969 {
970 // All sites warning suppresses declarativeWebRequest warning.
971 APIPermissionSet api_permissions;
972 api_permissions.insert(APIPermission::kDeclarativeWebRequest);
973 URLPatternSet hosts;
974 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
975 scoped_refptr<PermissionSet> permissions(new PermissionSet(
976 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
977 EXPECT_TRUE(PermissionSetProducesMessage(
978 permissions.get(), Manifest::TYPE_EXTENSION,
979 MakePermissionIDSet(APIPermission::kHostsAll,
980 APIPermission::kDeclarativeWebRequest)));
981 }
982 {
983 // BrowsingHistory warning suppresses all history read/write warnings.
984 APIPermissionSet api_permissions;
985 api_permissions.insert(APIPermission::kHistory);
986 api_permissions.insert(APIPermission::kTab);
987 api_permissions.insert(APIPermission::kTopSites);
988 api_permissions.insert(APIPermission::kProcesses);
989 api_permissions.insert(APIPermission::kWebNavigation);
990 scoped_refptr<PermissionSet> permissions(
991 new PermissionSet(api_permissions, ManifestPermissionSet(),
992 URLPatternSet(), URLPatternSet()));
993 EXPECT_TRUE(PermissionSetProducesMessage(
994 permissions.get(), Manifest::TYPE_EXTENSION,
995 MakePermissionIDSet(api_permissions)));
996 }
997 {
998 // Tabs warning suppresses all read-only history warnings.
999 APIPermissionSet api_permissions;
1000 api_permissions.insert(APIPermission::kTab);
1001 api_permissions.insert(APIPermission::kTopSites);
1002 api_permissions.insert(APIPermission::kProcesses);
1003 api_permissions.insert(APIPermission::kWebNavigation);
1004 scoped_refptr<PermissionSet> permissions(
1005 new PermissionSet(api_permissions, ManifestPermissionSet(),
1006 URLPatternSet(), URLPatternSet()));
1007 EXPECT_TRUE(PermissionSetProducesMessage(
1008 permissions.get(), Manifest::TYPE_EXTENSION,
1009 MakePermissionIDSet(api_permissions)));
1010 }
1011 }
1012
1013 TEST(PermissionsTest, AccessToDevicesMessages) {
1014 {
1015 APIPermissionSet api_permissions;
1016 api_permissions.insert(APIPermission::kSerial);
1017 scoped_refptr<PermissionSet> permissions(
1018 new PermissionSet(api_permissions,
1019 ManifestPermissionSet(),
1020 URLPatternSet(),
1021 URLPatternSet()));
1022 VerifyOnePermissionMessage(
1023 permissions.get(), Manifest::TYPE_EXTENSION,
1024 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1025 }
1026 {
1027 // Testing that multiple permissions will show the one message.
1028 APIPermissionSet api_permissions;
1029 api_permissions.insert(APIPermission::kSerial);
1030 api_permissions.insert(APIPermission::kSerial);
1031 scoped_refptr<PermissionSet> permissions(
1032 new PermissionSet(api_permissions,
1033 ManifestPermissionSet(),
1034 URLPatternSet(),
1035 URLPatternSet()));
1036 VerifyOnePermissionMessage(
1037 permissions.get(), Manifest::TYPE_EXTENSION,
1038 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1039 }
1040 {
1041 scoped_refptr<Extension> extension =
1042 LoadManifest("permissions", "access_to_devices_bluetooth.json");
1043 PermissionSet* set = const_cast<PermissionSet*>(
1044 extension->permissions_data()->active_permissions().get());
1045 VerifyOnePermissionMessage(
1046 set, extension->GetType(),
1047 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH));
1048
1049 // Test Bluetooth and Serial
1050 set->apis_.insert(APIPermission::kSerial);
1051 VerifyOnePermissionMessage(
1052 set, extension->GetType(),
1053 l10n_util::GetStringUTF16(
1054 IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH_SERIAL));
1055 }
1056 }
1057
1058 TEST(PermissionsTest, MergedFileSystemPermissionComparison) {
1059 APIPermissionSet write_api_permissions;
1060 write_api_permissions.insert(APIPermission::kFileSystemWrite);
1061 scoped_refptr<PermissionSet> write_permissions(
1062 new PermissionSet(write_api_permissions, ManifestPermissionSet(),
1063 URLPatternSet(), URLPatternSet()));
1064
1065 APIPermissionSet directory_api_permissions;
1066 directory_api_permissions.insert(APIPermission::kFileSystemDirectory);
1067 scoped_refptr<PermissionSet> directory_permissions(
1068 new PermissionSet(directory_api_permissions, ManifestPermissionSet(),
1069 URLPatternSet(), URLPatternSet()));
1070
1071 APIPermissionSet write_directory_api_permissions;
1072 write_directory_api_permissions.insert(
1073 APIPermission::kFileSystemWriteDirectory);
1074 scoped_refptr<PermissionSet> write_directory_permissions(
1075 new PermissionSet(write_directory_api_permissions,
1076 ManifestPermissionSet(),
1077 URLPatternSet(),
1078 URLPatternSet()));
1079
1080 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1081 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1082 write_permissions.get(),
1083 Manifest::TYPE_PLATFORM_APP));
1084 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1085 directory_permissions.get(),
1086 Manifest::TYPE_PLATFORM_APP));
1087 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1088 directory_permissions.get(),
1089 Manifest::TYPE_PLATFORM_APP));
1090 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1091 write_directory_permissions.get(),
1092 Manifest::TYPE_PLATFORM_APP));
1093 EXPECT_FALSE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1094 write_permissions.get(),
1095 Manifest::TYPE_PLATFORM_APP));
1096 EXPECT_TRUE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1097 write_directory_permissions.get(),
1098 Manifest::TYPE_PLATFORM_APP));
1099 }
1100
1101 TEST(PermissionsTest, GetWarningMessages_ManyHosts) {
1102 scoped_refptr<Extension> extension;
1103 extension = LoadManifest("permissions", "many-hosts.json");
1104 EXPECT_TRUE(VerifyOnePermissionMessage(
1105 extension->permissions_data(),
1106 "Read and change your data on encrypted.google.com and www.google.com"));
1107 }
1108
1109 TEST(PermissionsTest, GetWarningMessages_Plugins) {
1110 scoped_refptr<Extension> extension;
1111 extension = LoadManifest("permissions", "plugins.json");
1112 // We don't parse the plugins key on Chrome OS, so it should not ask for any
1113 // permissions.
1114 #if defined(OS_CHROMEOS)
1115 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1116 #else
1117 EXPECT_TRUE(VerifyOnePermissionMessage(
1118 extension->permissions_data(),
1119 "Read and change all your data on your computer and the websites you "
1120 "visit"));
1121 #endif
1122 }
1123
1124 TEST(PermissionsTest, GetWarningMessages_AudioVideo) {
1125 const std::string kAudio("Use your microphone");
1126 const std::string kVideo("Use your camera");
1127 const std::string kBoth("Use your microphone and camera");
1128
1129 // Both audio and video present.
1130 scoped_refptr<Extension> extension =
1131 LoadManifest("permissions", "audio-video.json");
1132 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1133 PermissionSet* set = const_cast<PermissionSet*>(
1134 extension->permissions_data()->active_permissions().get());
1135 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1136 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1137 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1138 CoalescedPermissionMessages warnings = provider->GetPermissionMessages(
1139 provider->GetAllPermissionIDs(set, extension->GetType()));
1140 size_t combined_index = IndexOf(warnings, kBoth);
1141 size_t combined_size = warnings.size();
1142
1143 // Just audio present.
1144 set->apis_.erase(APIPermission::kVideoCapture);
1145 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1146 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1147 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1148 CoalescedPermissionMessages warnings2 = provider->GetPermissionMessages(
1149 provider->GetAllPermissionIDs(set, extension->GetType()));
1150 EXPECT_EQ(combined_size, warnings2.size());
1151 EXPECT_EQ(combined_index, IndexOf(warnings2, kAudio));
1152
1153 // Just video present.
1154 set->apis_.erase(APIPermission::kAudioCapture);
1155 set->apis_.insert(APIPermission::kVideoCapture);
1156 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1157 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1158 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1159 CoalescedPermissionMessages warnings3 = provider->GetPermissionMessages(
1160 provider->GetAllPermissionIDs(set, extension->GetType()));
1161 EXPECT_EQ(combined_size, warnings3.size());
1162 EXPECT_EQ(combined_index, IndexOf(warnings3, kVideo));
1163 }
1164
1165 TEST(PermissionsTest, GetWarningMessages_CombinedSessions) {
1166 {
1167 APIPermissionSet api_permissions;
1168 api_permissions.insert(APIPermission::kTab);
1169 api_permissions.insert(APIPermission::kTopSites);
1170 api_permissions.insert(APIPermission::kProcesses);
1171 api_permissions.insert(APIPermission::kWebNavigation);
1172 api_permissions.insert(APIPermission::kSessions);
1173 scoped_refptr<PermissionSet> permissions(
1174 new PermissionSet(api_permissions, ManifestPermissionSet(),
1175 URLPatternSet(), URLPatternSet()));
1176 EXPECT_TRUE(VerifyOnePermissionMessage(
1177 permissions.get(), Manifest::TYPE_EXTENSION,
1178 l10n_util::GetStringUTF16(
1179 IDS_EXTENSION_PROMPT_WARNING_HISTORY_READ_AND_SESSIONS)));
1180 }
1181 {
1182 APIPermissionSet api_permissions;
1183 api_permissions.insert(APIPermission::kHistory);
1184 api_permissions.insert(APIPermission::kTab);
1185 api_permissions.insert(APIPermission::kTopSites);
1186 api_permissions.insert(APIPermission::kProcesses);
1187 api_permissions.insert(APIPermission::kWebNavigation);
1188 api_permissions.insert(APIPermission::kSessions);
1189 scoped_refptr<PermissionSet> permissions(
1190 new PermissionSet(api_permissions, ManifestPermissionSet(),
1191 URLPatternSet(), URLPatternSet()));
1192 EXPECT_TRUE(VerifyOnePermissionMessage(
1193 permissions.get(), Manifest::TYPE_EXTENSION,
1194 l10n_util::GetStringUTF16(
1195 IDS_EXTENSION_PROMPT_WARNING_HISTORY_WRITE_AND_SESSIONS)));
1196 }
1197 }
1198
1199 TEST(PermissionsTest, GetWarningMessages_DeclarativeWebRequest) {
1200 // Test that if the declarativeWebRequest permission is present
1201 // in combination with all hosts permission, then only the warning
1202 // for host permissions is shown, because that covers the use of
1203 // declarativeWebRequest.
1204
1205 // Until Declarative Web Request is in stable, let's make sure it is enabled
1206 // on the current channel.
1207 ScopedCurrentChannel sc(version_info::Channel::CANARY);
1208
1209 // First verify that declarativeWebRequest produces a message when host
1210 // permissions do not cover all hosts.
1211 scoped_refptr<Extension> extension =
1212 LoadManifest("permissions", "web_request_not_all_host_permissions.json");
1213 const PermissionSet* set =
1214 extension->permissions_data()->active_permissions().get();
1215 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(),
1216 "Block parts of web pages"));
1217 EXPECT_FALSE(VerifyHasPermissionMessage(
1218 set, extension->GetType(),
1219 "Read and change all your data on the websites you visit"));
1220
1221 // Now verify that declarativeWebRequest does not produce a message when host
1222 // permissions do cover all hosts.
1223 extension =
1224 LoadManifest("permissions", "web_request_all_host_permissions.json");
1225 set = extension->permissions_data()->active_permissions().get();
1226 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1227 "Block parts of web pages"));
1228 EXPECT_TRUE(VerifyHasPermissionMessage(
1229 set, extension->GetType(),
1230 "Read and change all your data on the websites you visit"));
1231 }
1232
1233 TEST(PermissionsTest, GetWarningMessages_Serial) {
1234 scoped_refptr<Extension> extension =
1235 LoadManifest("permissions", "serial.json");
1236
1237 EXPECT_TRUE(extension->is_platform_app());
1238 EXPECT_TRUE(
1239 extension->permissions_data()->HasAPIPermission(APIPermission::kSerial));
1240 EXPECT_TRUE(VerifyOnePermissionMessage(extension->permissions_data(),
1241 "Access your serial devices"));
1242 }
1243
1244 TEST(PermissionsTest, GetWarningMessages_Socket_AnyHost) {
1245 ScopedCurrentChannel channel(version_info::Channel::DEV);
1246
1247 scoped_refptr<Extension> extension =
1248 LoadManifest("permissions", "socket_any_host.json");
1249 EXPECT_TRUE(extension->is_platform_app());
1250 EXPECT_TRUE(
1251 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1252 EXPECT_TRUE(VerifyOnePermissionMessage(
1253 extension->permissions_data(),
1254 "Exchange data with any device on the local network or internet"));
1255 }
1256
1257 TEST(PermissionsTest, GetWarningMessages_Socket_OneDomainTwoHostnames) {
1258 ScopedCurrentChannel channel(version_info::Channel::DEV);
1259
1260 scoped_refptr<Extension> extension =
1261 LoadManifest("permissions", "socket_one_domain_two_hostnames.json");
1262 EXPECT_TRUE(extension->is_platform_app());
1263 EXPECT_TRUE(
1264 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1265
1266 // Verify the warnings, including support for unicode characters, the fact
1267 // that domain host warnings come before specific host warnings, and the fact
1268 // that domains and hostnames are in alphabetical order regardless of the
1269 // order in the manifest file.
1270 EXPECT_TRUE(VerifyTwoPermissionMessages(
1271 extension->permissions_data(),
1272 "Exchange data with any device in the domain example.org",
1273 "Exchange data with the devices named: "
1274 "b\xC3\xA5r.example.com foo.example.com",
1275 // "\xC3\xA5" = UTF-8 for lowercase A with ring above
1276 true));
1277 }
1278
1279 TEST(PermissionsTest, GetWarningMessages_Socket_TwoDomainsOneHostname) {
1280 ScopedCurrentChannel channel(version_info::Channel::DEV);
1281
1282 scoped_refptr<Extension> extension =
1283 LoadManifest("permissions", "socket_two_domains_one_hostname.json");
1284 EXPECT_TRUE(extension->is_platform_app());
1285 EXPECT_TRUE(
1286 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1287
1288 // Verify the warnings, including the fact that domain host warnings come
1289 // before specific host warnings and the fact that domains and hostnames are
1290 // in alphabetical order regardless of the order in the manifest file.
1291 EXPECT_TRUE(VerifyTwoPermissionMessages(
1292 extension->permissions_data(),
1293 "Exchange data with any device in the domains: "
1294 "example.com foo.example.org",
1295 "Exchange data with the device named bar.example.org", true));
1296 }
1297
1298 // Since platform apps always use isolated storage, they can't (silently)
1299 // access user data on other domains, so there's no need to prompt about host
1300 // permissions. See crbug.com/255229.
1301 TEST(PermissionsTest, GetWarningMessages_PlatformAppHosts) {
1302 scoped_refptr<Extension> extension;
1303
1304 extension = LoadManifest("permissions", "platform_app_hosts.json");
1305 EXPECT_TRUE(extension->is_platform_app());
1306 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1307
1308 extension = LoadManifest("permissions", "platform_app_all_urls.json");
1309 EXPECT_TRUE(extension->is_platform_app());
1310 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1311 }
1312
1313 testing::AssertionResult ShowsAllHostsWarning(const std::string& pattern) {
1314 scoped_refptr<Extension> extension =
1315 ExtensionBuilder()
1316 .SetManifest(DictionaryBuilder()
1317 .Set("name", "TLDWildCardTest")
1318 .Set("version", "0.1.0")
1319 .Set("permissions", ListBuilder().Append(pattern))
1320 .Build())
1321 .Build();
1322
1323 return VerifyHasPermissionMessage(
1324 extension->permissions_data(),
1325 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_ALL_HOSTS));
1326 }
1327
1328 TEST(PermissionsTest, GetWarningMessages_TLDWildcardTreatedAsAllHosts) {
1329 EXPECT_TRUE(ShowsAllHostsWarning("http://*.com/*")); // most popular.
1330 EXPECT_TRUE(ShowsAllHostsWarning("http://*.org/*")); // sanity check.
1331 EXPECT_TRUE(ShowsAllHostsWarning("http://*.co.uk/*")); // eTLD.
1332 EXPECT_TRUE(ShowsAllHostsWarning("http://*.de/*")); // foreign country tld.
1333
1334 // We should still show the normal permissions (i.e., "Can access your data on
1335 // *.rdcronin.com") for things that are not TLDs.
1336 EXPECT_FALSE(ShowsAllHostsWarning("http://*.rdcronin.com/*"));
1337
1338 // Pseudo-TLDs, like appspot.com, should not show all hosts.
1339 EXPECT_FALSE(ShowsAllHostsWarning("http://*.appspot.com/*"));
1340
1341 // Non-TLDs should be likewise exempt.
1342 EXPECT_FALSE(ShowsAllHostsWarning("http://*.notarealtld/*"));
1343
1344 // Our internal checks use "foo", so let's make sure we're not messing
1345 // something up with it.
1346 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo.com"));
1347 EXPECT_FALSE(ShowsAllHostsWarning("http://foo.com"));
1348 // This will fail if foo becomes a recognized TLD. Which could be soon.
1349 // Update as needed.
1350 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo"));
1351 }
1352
1353 TEST(PermissionsTest, GetDistinctHosts) {
1354 URLPatternSet explicit_hosts;
1355 std::set<std::string> expected;
1356 expected.insert("www.foo.com");
1357 expected.insert("www.bar.com");
1358 expected.insert("www.baz.com");
1359
1360 {
1361 SCOPED_TRACE("no dupes");
1362
1363 // Simple list with no dupes.
1364 explicit_hosts.AddPattern(
1365 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1366 explicit_hosts.AddPattern(
1367 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/path"));
1368 explicit_hosts.AddPattern(
1369 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1370 EXPECT_EQ(expected,
1371 permission_message_util::GetDistinctHosts(
1372 explicit_hosts, true, true));
1373 }
1374
1375 {
1376 SCOPED_TRACE("two dupes");
1377
1378 // Add some dupes.
1379 explicit_hosts.AddPattern(
1380 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1381 explicit_hosts.AddPattern(
1382 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1383 EXPECT_EQ(expected,
1384 permission_message_util::GetDistinctHosts(
1385 explicit_hosts, true, true));
1386 }
1387
1388 {
1389 SCOPED_TRACE("schemes differ");
1390
1391 // Add a pattern that differs only by scheme. This should be filtered out.
1392 explicit_hosts.AddPattern(
1393 URLPattern(URLPattern::SCHEME_HTTPS, "https://www.bar.com/path"));
1394 EXPECT_EQ(expected,
1395 permission_message_util::GetDistinctHosts(
1396 explicit_hosts, true, true));
1397 }
1398
1399 {
1400 SCOPED_TRACE("paths differ");
1401
1402 // Add some dupes by path.
1403 explicit_hosts.AddPattern(
1404 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/pathypath"));
1405 EXPECT_EQ(expected,
1406 permission_message_util::GetDistinctHosts(
1407 explicit_hosts, true, true));
1408 }
1409
1410 {
1411 SCOPED_TRACE("subdomains differ");
1412
1413 // We don't do anything special for subdomains.
1414 explicit_hosts.AddPattern(
1415 URLPattern(URLPattern::SCHEME_HTTP, "http://monkey.www.bar.com/path"));
1416 explicit_hosts.AddPattern(
1417 URLPattern(URLPattern::SCHEME_HTTP, "http://bar.com/path"));
1418
1419 expected.insert("monkey.www.bar.com");
1420 expected.insert("bar.com");
1421
1422 EXPECT_EQ(expected,
1423 permission_message_util::GetDistinctHosts(
1424 explicit_hosts, true, true));
1425 }
1426
1427 {
1428 SCOPED_TRACE("RCDs differ");
1429
1430 // Now test for RCD uniquing.
1431 explicit_hosts.AddPattern(
1432 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1433 explicit_hosts.AddPattern(
1434 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1435 explicit_hosts.AddPattern(
1436 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.de/path"));
1437 explicit_hosts.AddPattern(
1438 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca.us/path"));
1439 explicit_hosts.AddPattern(
1440 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1441 explicit_hosts.AddPattern(
1442 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com.my/path"));
1443
1444 // This is an unknown RCD, which shouldn't be uniqued out.
1445 explicit_hosts.AddPattern(
1446 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1447 // But it should only occur once.
1448 explicit_hosts.AddPattern(
1449 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1450
1451 expected.insert("www.foo.xyzzy");
1452
1453 EXPECT_EQ(expected,
1454 permission_message_util::GetDistinctHosts(
1455 explicit_hosts, true, true));
1456 }
1457
1458 {
1459 SCOPED_TRACE("wildcards");
1460
1461 explicit_hosts.AddPattern(
1462 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1463
1464 expected.insert("*.google.com");
1465
1466 EXPECT_EQ(expected,
1467 permission_message_util::GetDistinctHosts(
1468 explicit_hosts, true, true));
1469 }
1470
1471 {
1472 SCOPED_TRACE("scriptable hosts");
1473
1474 APIPermissionSet empty_perms;
1475 explicit_hosts.ClearPatterns();
1476 URLPatternSet scriptable_hosts;
1477 expected.clear();
1478
1479 explicit_hosts.AddPattern(
1480 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1481 scriptable_hosts.AddPattern(
1482 URLPattern(URLPattern::SCHEME_HTTP, "http://*.example.com/*"));
1483
1484 expected.insert("*.google.com");
1485 expected.insert("*.example.com");
1486
1487 scoped_refptr<PermissionSet> perm_set(new PermissionSet(
1488 empty_perms, ManifestPermissionSet(),
1489 explicit_hosts, scriptable_hosts));
1490 EXPECT_EQ(expected,
1491 permission_message_util::GetDistinctHosts(
1492 perm_set->effective_hosts(), true, true));
1493 }
1494
1495 {
1496 // We don't display warnings for file URLs because they are off by default.
1497 SCOPED_TRACE("file urls");
1498
1499 explicit_hosts.ClearPatterns();
1500 expected.clear();
1501
1502 explicit_hosts.AddPattern(
1503 URLPattern(URLPattern::SCHEME_FILE, "file:///*"));
1504
1505 EXPECT_EQ(expected,
1506 permission_message_util::GetDistinctHosts(
1507 explicit_hosts, true, true));
1508 }
1509 }
1510
1511 TEST(PermissionsTest, GetDistinctHosts_ComIsBestRcd) {
1512 URLPatternSet explicit_hosts;
1513 explicit_hosts.AddPattern(
1514 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1515 explicit_hosts.AddPattern(
1516 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1517 explicit_hosts.AddPattern(
1518 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1519 explicit_hosts.AddPattern(
1520 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1521 explicit_hosts.AddPattern(
1522 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1523 explicit_hosts.AddPattern(
1524 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1525
1526 std::set<std::string> expected;
1527 expected.insert("www.foo.com");
1528 EXPECT_EQ(expected,
1529 permission_message_util::GetDistinctHosts(
1530 explicit_hosts, true, true));
1531 }
1532
1533 TEST(PermissionsTest, GetDistinctHosts_NetIs2ndBestRcd) {
1534 URLPatternSet explicit_hosts;
1535 explicit_hosts.AddPattern(
1536 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1537 explicit_hosts.AddPattern(
1538 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1539 explicit_hosts.AddPattern(
1540 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1541 explicit_hosts.AddPattern(
1542 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1543 explicit_hosts.AddPattern(
1544 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1545 // No http://www.foo.com/path
1546
1547 std::set<std::string> expected;
1548 expected.insert("www.foo.net");
1549 EXPECT_EQ(expected,
1550 permission_message_util::GetDistinctHosts(
1551 explicit_hosts, true, true));
1552 }
1553
1554 TEST(PermissionsTest, GetDistinctHosts_OrgIs3rdBestRcd) {
1555 URLPatternSet explicit_hosts;
1556 explicit_hosts.AddPattern(
1557 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1558 explicit_hosts.AddPattern(
1559 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1560 explicit_hosts.AddPattern(
1561 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1562 // No http://www.foo.net/path
1563 explicit_hosts.AddPattern(
1564 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1565 // No http://www.foo.com/path
1566
1567 std::set<std::string> expected;
1568 expected.insert("www.foo.org");
1569 EXPECT_EQ(expected,
1570 permission_message_util::GetDistinctHosts(
1571 explicit_hosts, true, true));
1572 }
1573
1574 TEST(PermissionsTest, GetDistinctHosts_FirstInListIs4thBestRcd) {
1575 URLPatternSet explicit_hosts;
1576 explicit_hosts.AddPattern(
1577 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1578 // No http://www.foo.org/path
1579 explicit_hosts.AddPattern(
1580 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1581 // No http://www.foo.net/path
1582 explicit_hosts.AddPattern(
1583 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1584 // No http://www.foo.com/path
1585
1586 std::set<std::string> expected;
1587 expected.insert("www.foo.ca");
1588 EXPECT_EQ(expected,
1589 permission_message_util::GetDistinctHosts(
1590 explicit_hosts, true, true));
1591 }
1592
1593 TEST(PermissionsTest, IsHostPrivilegeIncrease) {
1594 Manifest::Type type = Manifest::TYPE_EXTENSION;
1595 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1596 ManifestPermissionSet empty_manifest_permissions;
1597 URLPatternSet elist1;
1598 URLPatternSet elist2;
1599 URLPatternSet slist1;
1600 URLPatternSet slist2;
1601 scoped_refptr<PermissionSet> set1;
1602 scoped_refptr<PermissionSet> set2;
1603 APIPermissionSet empty_perms;
1604 elist1.AddPattern(
1605 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1606 elist1.AddPattern(
1607 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1608
1609 // Test that the host order does not matter.
1610 elist2.AddPattern(
1611 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1612 elist2.AddPattern(
1613 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1614
1615 set1 = new PermissionSet(empty_perms, empty_manifest_permissions,
1616 elist1, slist1);
1617 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1618 elist2, slist2);
1619
1620 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1621 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1622
1623 // Test that paths are ignored.
1624 elist2.ClearPatterns();
1625 elist2.AddPattern(
1626 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/*"));
1627 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1628 elist2, slist2);
1629 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1630 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1631
1632 // Test that RCDs are ignored.
1633 elist2.ClearPatterns();
1634 elist2.AddPattern(
1635 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/*"));
1636 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1637 elist2, slist2);
1638 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1639 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1640
1641 // Test that subdomain wildcards are handled properly.
1642 elist2.ClearPatterns();
1643 elist2.AddPattern(
1644 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com.hk/*"));
1645 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1646 elist2, slist2);
1647 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1648 // TODO(jstritar): Does not match subdomains properly. http://crbug.com/65337
1649 // EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
1650
1651 // Test that different domains count as different hosts.
1652 elist2.ClearPatterns();
1653 elist2.AddPattern(
1654 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1655 elist2.AddPattern(
1656 URLPattern(URLPattern::SCHEME_HTTP, "http://www.example.org/path"));
1657 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1658 elist2, slist2);
1659 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1660 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1661
1662 // Test that different subdomains count as different hosts.
1663 elist2.ClearPatterns();
1664 elist2.AddPattern(
1665 URLPattern(URLPattern::SCHEME_HTTP, "http://mail.google.com/*"));
1666 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1667 elist2, slist2);
1668 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1669 EXPECT_TRUE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1670
1671 // Test that platform apps do not have host permissions increases.
1672 type = Manifest::TYPE_PLATFORM_APP;
1673 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1674 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1675 }
1676
1677 TEST(PermissionsTest, GetAPIsAsStrings) {
1678 APIPermissionSet apis;
1679 URLPatternSet empty_set;
1680
1681 apis.insert(APIPermission::kProxy);
1682 apis.insert(APIPermission::kBackground);
1683 apis.insert(APIPermission::kNotifications);
1684 apis.insert(APIPermission::kTab);
1685
1686 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
1687 apis, ManifestPermissionSet(), empty_set, empty_set);
1688 std::set<std::string> api_names = perm_set->GetAPIsAsStrings();
1689
1690 // The result is correct if it has the same number of elements
1691 // and we can convert it back to the id set.
1692 EXPECT_EQ(4u, api_names.size());
1693 EXPECT_EQ(apis,
1694 PermissionsInfo::GetInstance()->GetAllByName(api_names));
1695 }
1696
1697 TEST(PermissionsTest, IsEmpty) {
1698 APIPermissionSet empty_apis;
1699 URLPatternSet empty_extent;
1700
1701 scoped_refptr<PermissionSet> empty = new PermissionSet();
1702 EXPECT_TRUE(empty->IsEmpty());
1703 scoped_refptr<PermissionSet> perm_set;
1704
1705 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1706 empty_extent, empty_extent);
1707 EXPECT_TRUE(perm_set->IsEmpty());
1708
1709 APIPermissionSet non_empty_apis;
1710 non_empty_apis.insert(APIPermission::kBackground);
1711 perm_set = new PermissionSet(non_empty_apis, ManifestPermissionSet(),
1712 empty_extent, empty_extent);
1713 EXPECT_FALSE(perm_set->IsEmpty());
1714
1715 // Try non standard host
1716 URLPatternSet non_empty_extent;
1717 AddPattern(&non_empty_extent, "http://www.google.com/*");
1718
1719 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1720 non_empty_extent, empty_extent);
1721 EXPECT_FALSE(perm_set->IsEmpty());
1722
1723 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1724 empty_extent, non_empty_extent);
1725 EXPECT_FALSE(perm_set->IsEmpty());
1726 }
1727
1728 TEST(PermissionsTest, ImpliedPermissions) {
1729 URLPatternSet empty_extent;
1730 APIPermissionSet apis;
1731 apis.insert(APIPermission::kFileBrowserHandler);
1732 EXPECT_EQ(1U, apis.size());
1733
1734 scoped_refptr<PermissionSet> perm_set;
1735 perm_set = new PermissionSet(apis, ManifestPermissionSet(),
1736 empty_extent, empty_extent);
1737 EXPECT_EQ(2U, perm_set->apis().size());
1738 }
1739
1740 TEST(PermissionsTest, SyncFileSystemPermission) {
1741 scoped_refptr<Extension> extension = LoadManifest(
1742 "permissions", "sync_file_system.json");
1743 APIPermissionSet apis;
1744 apis.insert(APIPermission::kSyncFileSystem);
1745 EXPECT_TRUE(extension->is_platform_app());
1746 EXPECT_TRUE(extension->permissions_data()->HasAPIPermission(
1747 APIPermission::kSyncFileSystem));
1748 EXPECT_TRUE(
1749 VerifyOnePermissionMessage(extension->permissions_data(),
1750 "Store data in your Google Drive account"));
1751 }
1752
1753 // Make sure that we don't crash when we're trying to show the permissions
1754 // even though chrome://thumb (and everything that's not chrome://favicon with
1755 // a chrome:// scheme) is not a valid permission.
1756 // More details here: crbug/246314.
1757 TEST(PermissionsTest, ChromeURLs) {
1758 URLPatternSet allowed_hosts;
1759 allowed_hosts.AddPattern(
1760 URLPattern(URLPattern::SCHEME_ALL, "http://www.google.com/"));
1761 allowed_hosts.AddPattern(
1762 URLPattern(URLPattern::SCHEME_ALL, "chrome://favicon/"));
1763 allowed_hosts.AddPattern(
1764 URLPattern(URLPattern::SCHEME_ALL, "chrome://thumb/"));
1765 scoped_refptr<PermissionSet> permissions(
1766 new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
1767 allowed_hosts, URLPatternSet()));
1768 PermissionMessageProvider::Get()->GetPermissionMessages(
1769 PermissionMessageProvider::Get()->GetAllPermissionIDs(
1770 permissions.get(), Manifest::TYPE_EXTENSION));
1771 }
1772
1773 TEST(PermissionsTest, IsPrivilegeIncrease_DeclarativeWebRequest) {
1774 scoped_refptr<Extension> extension(
1775 LoadManifest("permissions", "permissions_all_urls.json"));
1776 scoped_refptr<const PermissionSet> permissions(
1777 extension->permissions_data()->active_permissions());
1778
1779 scoped_refptr<Extension> extension_dwr(
1780 LoadManifest("permissions", "web_request_all_host_permissions.json"));
1781 scoped_refptr<const PermissionSet> permissions_dwr(
1782 extension_dwr->permissions_data()->active_permissions());
1783
1784 EXPECT_FALSE(PermissionMessageProvider::Get()->
1785 IsPrivilegeIncrease(permissions.get(),
1786 permissions_dwr.get(),
1787 extension->GetType()));
1788 }
1789
1790 } // namespace extensions