Roll src/third_party/WebKit d9c6159:8139f33 (svn 201974:201975)
[chromium-blink-merge.git] / chrome / common / extensions / permissions / permission_set_unittest.cc
blob12e4c65c239c201fee2294c8818ebc23ed0c2dc0
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "base/command_line.h"
6 #include "base/json/json_file_value_serializer.h"
7 #include "base/logging.h"
8 #include "base/strings/string_number_conversions.h"
9 #include "base/strings/stringprintf.h"
10 #include "base/strings/utf_string_conversions.h"
11 #include "chrome/common/chrome_paths.h"
12 #include "chrome/common/chrome_switches.h"
13 #include "chrome/common/extensions/extension_test_util.h"
14 #include "chrome/common/extensions/features/feature_channel.h"
15 #include "chrome/common/extensions/permissions/chrome_permission_message_provider.h"
16 #include "chrome/grit/generated_resources.h"
17 #include "components/version_info/version_info.h"
18 #include "extensions/common/error_utils.h"
19 #include "extensions/common/extension.h"
20 #include "extensions/common/extension_builder.h"
21 #include "extensions/common/permissions/permission_message_provider.h"
22 #include "extensions/common/permissions/permission_message_test_util.h"
23 #include "extensions/common/permissions/permission_message_util.h"
24 #include "extensions/common/permissions/permission_set.h"
25 #include "extensions/common/permissions/permissions_data.h"
26 #include "extensions/common/permissions/permissions_info.h"
27 #include "extensions/common/permissions/socket_permission.h"
28 #include "extensions/common/value_builder.h"
29 #include "extensions/strings/grit/extensions_strings.h"
30 #include "testing/gtest/include/gtest/gtest.h"
31 #include "ui/base/l10n/l10n_util.h"
33 using extension_test_util::LoadManifest;
35 namespace extensions {
37 namespace {
39 static void AddPattern(URLPatternSet* extent, const std::string& pattern) {
40 int schemes = URLPattern::SCHEME_ALL;
41 extent->AddPattern(URLPattern(schemes, pattern));
44 size_t IndexOf(const PermissionMessages& warnings, const std::string& warning) {
45 size_t i = 0;
46 for (const PermissionMessage& msg : warnings) {
47 if (msg.message() == base::ASCIIToUTF16(warning))
48 return i;
49 ++i;
52 return warnings.size();
55 PermissionIDSet MakePermissionIDSet(APIPermission::ID id) {
56 PermissionIDSet set;
57 set.insert(id);
58 return set;
61 PermissionIDSet MakePermissionIDSet(APIPermission::ID id1,
62 APIPermission::ID id2) {
63 PermissionIDSet set;
64 set.insert(id1);
65 set.insert(id2);
66 return set;
69 PermissionIDSet MakePermissionIDSet(const APIPermissionSet& permissions) {
70 PermissionIDSet set;
71 for (const APIPermission* permission : permissions)
72 set.insert(permission->id());
73 return set;
76 std::string PermissionIDsToString(const PermissionIDSet& ids) {
77 std::vector<std::string> strs;
78 for (const PermissionID& id : ids)
79 strs.push_back(base::IntToString(id.id()));
80 return base::StringPrintf("[ %s ]", base::JoinString(strs, ", ").c_str());
83 std::string CoalescedPermissionIDsToString(const PermissionMessages& msgs) {
84 std::vector<std::string> strs;
85 for (const PermissionMessage& msg : msgs)
86 strs.push_back(PermissionIDsToString(msg.permissions()));
87 return base::JoinString(strs, " ");
90 // Check that the given |permissions| produce a single warning message,
91 // identified by the set of |expected_ids|.
92 testing::AssertionResult PermissionSetProducesMessage(
93 const PermissionSet* permissions,
94 Manifest::Type extension_type,
95 const PermissionIDSet& expected_ids) {
96 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
98 PermissionMessages msgs = provider->GetPermissionMessages(
99 provider->GetAllPermissionIDs(permissions, extension_type));
100 if (msgs.size() != 1) {
101 return testing::AssertionFailure()
102 << "Expected single permission message with IDs "
103 << PermissionIDsToString(expected_ids) << " but got " << msgs.size()
104 << " messages: " << CoalescedPermissionIDsToString(msgs);
106 if (!msgs.front().permissions().Equals(expected_ids)) {
107 return testing::AssertionFailure()
108 << "Expected permission IDs " << PermissionIDsToString(expected_ids)
109 << " but got " << PermissionIDsToString(msgs.front().permissions());
112 return testing::AssertionSuccess();
115 } // namespace
117 // Tests GetByID.
118 TEST(PermissionsTest, GetByID) {
119 PermissionsInfo* info = PermissionsInfo::GetInstance();
120 APIPermissionSet apis = info->GetAll();
121 for (APIPermissionSet::const_iterator i = apis.begin();
122 i != apis.end(); ++i) {
123 EXPECT_EQ(i->id(), i->info()->id());
127 // Tests that GetByName works with normal permission names and aliases.
128 TEST(PermissionsTest, GetByName) {
129 PermissionsInfo* info = PermissionsInfo::GetInstance();
130 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
131 EXPECT_EQ(APIPermission::kManagement,
132 info->GetByName("management")->id());
133 EXPECT_FALSE(info->GetByName("alsdkfjasldkfj"));
136 TEST(PermissionsTest, GetAll) {
137 size_t count = 0;
138 PermissionsInfo* info = PermissionsInfo::GetInstance();
139 APIPermissionSet apis = info->GetAll();
140 for (APIPermissionSet::const_iterator api = apis.begin();
141 api != apis.end(); ++api) {
142 // Make sure only the valid permission IDs get returned.
143 EXPECT_NE(APIPermission::kInvalid, api->id());
144 EXPECT_NE(APIPermission::kUnknown, api->id());
145 count++;
147 EXPECT_EQ(count, info->get_permission_count());
150 TEST(PermissionsTest, GetAllByName) {
151 std::set<std::string> names;
152 names.insert("background");
153 names.insert("management");
155 // This is an alias of kTab
156 names.insert("windows");
158 // This unknown name should get dropped.
159 names.insert("sdlkfjasdlkfj");
161 APIPermissionSet expected;
162 expected.insert(APIPermission::kBackground);
163 expected.insert(APIPermission::kManagement);
164 expected.insert(APIPermission::kTab);
166 EXPECT_EQ(expected,
167 PermissionsInfo::GetInstance()->GetAllByName(names));
170 // Tests that the aliases are properly mapped.
171 TEST(PermissionsTest, Aliases) {
172 PermissionsInfo* info = PermissionsInfo::GetInstance();
173 // tabs: tabs, windows
174 std::string tabs_name = "tabs";
175 EXPECT_EQ(tabs_name, info->GetByID(APIPermission::kTab)->name());
176 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
177 EXPECT_EQ(APIPermission::kTab, info->GetByName("windows")->id());
179 // unlimitedStorage: unlimitedStorage, unlimited_storage
180 std::string storage_name = "unlimitedStorage";
181 EXPECT_EQ(storage_name, info->GetByID(
182 APIPermission::kUnlimitedStorage)->name());
183 EXPECT_EQ(APIPermission::kUnlimitedStorage,
184 info->GetByName("unlimitedStorage")->id());
185 EXPECT_EQ(APIPermission::kUnlimitedStorage,
186 info->GetByName("unlimited_storage")->id());
189 TEST(PermissionsTest, EffectiveHostPermissions) {
190 scoped_refptr<Extension> extension;
191 scoped_refptr<const PermissionSet> permissions;
193 extension = LoadManifest("effective_host_permissions", "empty.json");
194 permissions = extension->permissions_data()->active_permissions();
195 EXPECT_EQ(0u,
196 extension->permissions_data()
197 ->GetEffectiveHostPermissions()
198 .patterns()
199 .size());
200 EXPECT_FALSE(
201 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
202 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
204 extension = LoadManifest("effective_host_permissions", "one_host.json");
205 permissions = extension->permissions_data()->active_permissions();
206 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
207 GURL("http://www.google.com")));
208 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(
209 GURL("https://www.google.com")));
210 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
212 extension = LoadManifest("effective_host_permissions",
213 "one_host_wildcard.json");
214 permissions = extension->permissions_data()->active_permissions();
215 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
216 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
217 GURL("http://foo.google.com")));
218 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
220 extension = LoadManifest("effective_host_permissions", "two_hosts.json");
221 permissions = extension->permissions_data()->active_permissions();
222 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
223 GURL("http://www.google.com")));
224 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
225 GURL("http://www.reddit.com")));
226 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
228 extension = LoadManifest("effective_host_permissions",
229 "https_not_considered.json");
230 permissions = extension->permissions_data()->active_permissions();
231 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
232 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://google.com")));
233 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
235 extension = LoadManifest("effective_host_permissions",
236 "two_content_scripts.json");
237 permissions = extension->permissions_data()->active_permissions();
238 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
239 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
240 GURL("http://www.reddit.com")));
241 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
242 GURL("http://news.ycombinator.com")));
243 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
245 extension = LoadManifest("effective_host_permissions", "all_hosts.json");
246 permissions = extension->permissions_data()->active_permissions();
247 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
248 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
249 EXPECT_TRUE(
250 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
251 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
253 extension = LoadManifest("effective_host_permissions", "all_hosts2.json");
254 permissions = extension->permissions_data()->active_permissions();
255 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
256 EXPECT_TRUE(
257 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
258 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
260 extension = LoadManifest("effective_host_permissions", "all_hosts3.json");
261 permissions = extension->permissions_data()->active_permissions();
262 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
263 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
264 EXPECT_TRUE(
265 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
266 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
269 TEST(PermissionsTest, ExplicitAccessToOrigin) {
270 APIPermissionSet apis;
271 ManifestPermissionSet manifest_permissions;
272 URLPatternSet explicit_hosts;
273 URLPatternSet scriptable_hosts;
275 AddPattern(&explicit_hosts, "http://*.google.com/*");
276 // The explicit host paths should get set to /*.
277 AddPattern(&explicit_hosts, "http://www.example.com/a/particular/path/*");
279 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
280 apis, manifest_permissions, explicit_hosts, scriptable_hosts);
281 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
282 GURL("http://www.google.com/")));
283 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
284 GURL("http://test.google.com/")));
285 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
286 GURL("http://www.example.com")));
287 ASSERT_TRUE(perm_set->HasEffectiveAccessToURL(
288 GURL("http://www.example.com")));
289 ASSERT_FALSE(perm_set->HasExplicitAccessToOrigin(
290 GURL("http://test.example.com")));
293 TEST(PermissionsTest, CreateUnion) {
294 APIPermission* permission = NULL;
296 ManifestPermissionSet manifest_permissions;
297 APIPermissionSet apis1;
298 APIPermissionSet apis2;
299 APIPermissionSet expected_apis;
301 URLPatternSet explicit_hosts1;
302 URLPatternSet explicit_hosts2;
303 URLPatternSet expected_explicit_hosts;
305 URLPatternSet scriptable_hosts1;
306 URLPatternSet scriptable_hosts2;
307 URLPatternSet expected_scriptable_hosts;
309 URLPatternSet effective_hosts;
311 scoped_refptr<PermissionSet> set1;
312 scoped_refptr<PermissionSet> set2;
313 scoped_refptr<PermissionSet> union_set;
315 const APIPermissionInfo* permission_info =
316 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
317 permission = permission_info->CreateAPIPermission();
319 scoped_ptr<base::ListValue> value(new base::ListValue());
320 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
321 value->Append(new base::StringValue("udp-bind::8080"));
322 value->Append(new base::StringValue("udp-send-to::8888"));
323 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
326 // Union with an empty set.
327 apis1.insert(APIPermission::kTab);
328 apis1.insert(APIPermission::kBackground);
329 apis1.insert(permission->Clone());
330 expected_apis.insert(APIPermission::kTab);
331 expected_apis.insert(APIPermission::kBackground);
332 expected_apis.insert(permission);
334 AddPattern(&explicit_hosts1, "http://*.google.com/*");
335 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
336 AddPattern(&effective_hosts, "http://*.google.com/*");
338 set1 = new PermissionSet(apis1, manifest_permissions,
339 explicit_hosts1, scriptable_hosts1);
340 set2 = new PermissionSet(apis2, manifest_permissions,
341 explicit_hosts2, scriptable_hosts2);
342 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
343 EXPECT_TRUE(set1->Contains(*set2.get()));
344 EXPECT_TRUE(set1->Contains(*union_set.get()));
345 EXPECT_FALSE(set2->Contains(*set1.get()));
346 EXPECT_FALSE(set2->Contains(*union_set.get()));
347 EXPECT_TRUE(union_set->Contains(*set1.get()));
348 EXPECT_TRUE(union_set->Contains(*set2.get()));
350 EXPECT_FALSE(union_set->HasEffectiveFullAccess());
351 EXPECT_EQ(expected_apis, union_set->apis());
352 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
353 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
354 EXPECT_EQ(expected_explicit_hosts, union_set->effective_hosts());
356 // Now use a real second set.
357 apis2.insert(APIPermission::kTab);
358 apis2.insert(APIPermission::kProxy);
359 apis2.insert(APIPermission::kClipboardWrite);
360 apis2.insert(APIPermission::kPlugin);
362 permission = permission_info->CreateAPIPermission();
364 scoped_ptr<base::ListValue> value(new base::ListValue());
365 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
366 value->Append(new base::StringValue("udp-send-to::8899"));
367 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
369 apis2.insert(permission);
371 expected_apis.insert(APIPermission::kTab);
372 expected_apis.insert(APIPermission::kProxy);
373 expected_apis.insert(APIPermission::kClipboardWrite);
374 expected_apis.insert(APIPermission::kPlugin);
376 permission = permission_info->CreateAPIPermission();
378 scoped_ptr<base::ListValue> value(new base::ListValue());
379 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
380 value->Append(new base::StringValue("udp-bind::8080"));
381 value->Append(new base::StringValue("udp-send-to::8888"));
382 value->Append(new base::StringValue("udp-send-to::8899"));
383 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
385 // Insert a new permission socket permisssion which will replace the old one.
386 expected_apis.insert(permission);
388 AddPattern(&explicit_hosts2, "http://*.example.com/*");
389 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
390 AddPattern(&expected_explicit_hosts, "http://*.example.com/*");
391 AddPattern(&expected_scriptable_hosts, "http://*.google.com/*");
393 URLPatternSet::CreateUnion(
394 explicit_hosts2, scriptable_hosts2, &effective_hosts);
396 set2 = new PermissionSet(apis2, manifest_permissions,
397 explicit_hosts2, scriptable_hosts2);
398 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
400 EXPECT_FALSE(set1->Contains(*set2.get()));
401 EXPECT_FALSE(set1->Contains(*union_set.get()));
402 EXPECT_FALSE(set2->Contains(*set1.get()));
403 EXPECT_FALSE(set2->Contains(*union_set.get()));
404 EXPECT_TRUE(union_set->Contains(*set1.get()));
405 EXPECT_TRUE(union_set->Contains(*set2.get()));
407 EXPECT_TRUE(union_set->HasEffectiveFullAccess());
408 EXPECT_TRUE(union_set->HasEffectiveAccessToAllHosts());
409 EXPECT_EQ(expected_apis, union_set->apis());
410 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
411 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
412 EXPECT_EQ(effective_hosts, union_set->effective_hosts());
415 TEST(PermissionsTest, CreateIntersection) {
416 APIPermission* permission = NULL;
418 ManifestPermissionSet manifest_permissions;
419 APIPermissionSet apis1;
420 APIPermissionSet apis2;
421 APIPermissionSet expected_apis;
423 URLPatternSet explicit_hosts1;
424 URLPatternSet explicit_hosts2;
425 URLPatternSet expected_explicit_hosts;
427 URLPatternSet scriptable_hosts1;
428 URLPatternSet scriptable_hosts2;
429 URLPatternSet expected_scriptable_hosts;
431 URLPatternSet effective_hosts;
433 scoped_refptr<PermissionSet> set1;
434 scoped_refptr<PermissionSet> set2;
435 scoped_refptr<PermissionSet> new_set;
437 const APIPermissionInfo* permission_info =
438 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
440 // Intersection with an empty set.
441 apis1.insert(APIPermission::kTab);
442 apis1.insert(APIPermission::kBackground);
443 permission = permission_info->CreateAPIPermission();
445 scoped_ptr<base::ListValue> value(new base::ListValue());
446 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
447 value->Append(new base::StringValue("udp-bind::8080"));
448 value->Append(new base::StringValue("udp-send-to::8888"));
449 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
451 apis1.insert(permission);
453 AddPattern(&explicit_hosts1, "http://*.google.com/*");
454 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
456 set1 = new PermissionSet(apis1, manifest_permissions,
457 explicit_hosts1, scriptable_hosts1);
458 set2 = new PermissionSet(apis2, manifest_permissions,
459 explicit_hosts2, scriptable_hosts2);
460 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
461 EXPECT_TRUE(set1->Contains(*new_set.get()));
462 EXPECT_TRUE(set2->Contains(*new_set.get()));
463 EXPECT_TRUE(set1->Contains(*set2.get()));
464 EXPECT_FALSE(set2->Contains(*set1.get()));
465 EXPECT_FALSE(new_set->Contains(*set1.get()));
466 EXPECT_TRUE(new_set->Contains(*set2.get()));
468 EXPECT_TRUE(new_set->IsEmpty());
469 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
470 EXPECT_EQ(expected_apis, new_set->apis());
471 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
472 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
473 EXPECT_EQ(expected_explicit_hosts, new_set->effective_hosts());
475 // Now use a real second set.
476 apis2.insert(APIPermission::kTab);
477 apis2.insert(APIPermission::kProxy);
478 apis2.insert(APIPermission::kClipboardWrite);
479 apis2.insert(APIPermission::kPlugin);
480 permission = permission_info->CreateAPIPermission();
482 scoped_ptr<base::ListValue> value(new base::ListValue());
483 value->Append(new base::StringValue("udp-bind::8080"));
484 value->Append(new base::StringValue("udp-send-to::8888"));
485 value->Append(new base::StringValue("udp-send-to::8899"));
486 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
488 apis2.insert(permission);
490 expected_apis.insert(APIPermission::kTab);
491 permission = permission_info->CreateAPIPermission();
493 scoped_ptr<base::ListValue> value(new base::ListValue());
494 value->Append(new base::StringValue("udp-bind::8080"));
495 value->Append(new base::StringValue("udp-send-to::8888"));
496 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
498 expected_apis.insert(permission);
500 AddPattern(&explicit_hosts2, "http://*.example.com/*");
501 AddPattern(&explicit_hosts2, "http://*.google.com/*");
502 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
503 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
505 effective_hosts.ClearPatterns();
506 AddPattern(&effective_hosts, "http://*.google.com/*");
508 set2 = new PermissionSet(apis2, manifest_permissions,
509 explicit_hosts2, scriptable_hosts2);
510 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
512 EXPECT_TRUE(set1->Contains(*new_set.get()));
513 EXPECT_TRUE(set2->Contains(*new_set.get()));
514 EXPECT_FALSE(set1->Contains(*set2.get()));
515 EXPECT_FALSE(set2->Contains(*set1.get()));
516 EXPECT_FALSE(new_set->Contains(*set1.get()));
517 EXPECT_FALSE(new_set->Contains(*set2.get()));
519 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
520 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
521 EXPECT_EQ(expected_apis, new_set->apis());
522 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
523 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
524 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
527 TEST(PermissionsTest, CreateDifference) {
528 APIPermission* permission = NULL;
530 ManifestPermissionSet manifest_permissions;
531 APIPermissionSet apis1;
532 APIPermissionSet apis2;
533 APIPermissionSet expected_apis;
535 URLPatternSet explicit_hosts1;
536 URLPatternSet explicit_hosts2;
537 URLPatternSet expected_explicit_hosts;
539 URLPatternSet scriptable_hosts1;
540 URLPatternSet scriptable_hosts2;
541 URLPatternSet expected_scriptable_hosts;
543 URLPatternSet effective_hosts;
545 scoped_refptr<PermissionSet> set1;
546 scoped_refptr<PermissionSet> set2;
547 scoped_refptr<PermissionSet> new_set;
549 const APIPermissionInfo* permission_info =
550 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
552 // Difference with an empty set.
553 apis1.insert(APIPermission::kTab);
554 apis1.insert(APIPermission::kBackground);
555 permission = permission_info->CreateAPIPermission();
557 scoped_ptr<base::ListValue> value(new base::ListValue());
558 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
559 value->Append(new base::StringValue("udp-bind::8080"));
560 value->Append(new base::StringValue("udp-send-to::8888"));
561 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
563 apis1.insert(permission);
565 AddPattern(&explicit_hosts1, "http://*.google.com/*");
566 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
568 set1 = new PermissionSet(apis1, manifest_permissions,
569 explicit_hosts1, scriptable_hosts1);
570 set2 = new PermissionSet(apis2, manifest_permissions,
571 explicit_hosts2, scriptable_hosts2);
572 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
573 EXPECT_EQ(*set1.get(), *new_set.get());
575 // Now use a real second set.
576 apis2.insert(APIPermission::kTab);
577 apis2.insert(APIPermission::kProxy);
578 apis2.insert(APIPermission::kClipboardWrite);
579 apis2.insert(APIPermission::kPlugin);
580 permission = permission_info->CreateAPIPermission();
582 scoped_ptr<base::ListValue> value(new base::ListValue());
583 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
584 value->Append(new base::StringValue("udp-send-to::8899"));
585 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
587 apis2.insert(permission);
589 expected_apis.insert(APIPermission::kBackground);
590 permission = permission_info->CreateAPIPermission();
592 scoped_ptr<base::ListValue> value(new base::ListValue());
593 value->Append(new base::StringValue("udp-bind::8080"));
594 value->Append(new base::StringValue("udp-send-to::8888"));
595 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
597 expected_apis.insert(permission);
599 AddPattern(&explicit_hosts2, "http://*.example.com/*");
600 AddPattern(&explicit_hosts2, "http://*.google.com/*");
601 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
602 AddPattern(&expected_scriptable_hosts, "http://www.reddit.com/*");
604 effective_hosts.ClearPatterns();
605 AddPattern(&effective_hosts, "http://www.reddit.com/*");
607 set2 = new PermissionSet(apis2, manifest_permissions,
608 explicit_hosts2, scriptable_hosts2);
609 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
611 EXPECT_TRUE(set1->Contains(*new_set.get()));
612 EXPECT_FALSE(set2->Contains(*new_set.get()));
614 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
615 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
616 EXPECT_EQ(expected_apis, new_set->apis());
617 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
618 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
619 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
621 // |set3| = |set1| - |set2| --> |set3| intersect |set2| == empty_set
622 set1 = PermissionSet::CreateIntersection(new_set.get(), set2.get());
623 EXPECT_TRUE(set1->IsEmpty());
626 TEST(PermissionsTest, IsPrivilegeIncrease) {
627 const struct {
628 const char* base_name;
629 bool expect_increase;
630 } kTests[] = {
631 { "allhosts1", false }, // all -> all
632 { "allhosts2", false }, // all -> one
633 { "allhosts3", true }, // one -> all
634 { "hosts1", false }, // http://a,http://b -> http://a,http://b
635 { "hosts2", true }, // http://a,http://b -> https://a,http://*.b
636 { "hosts3", false }, // http://a,http://b -> http://a
637 { "hosts4", true }, // http://a -> http://a,http://b
638 { "hosts5", false }, // http://a,b,c -> http://a,b,c + https://a,b,c
639 { "hosts6", false }, // http://a.com -> http://a.com + http://a.co.uk
640 { "permissions1", false }, // tabs -> tabs
641 { "permissions2", true }, // tabs -> tabs,bookmarks
642 // TODO(treib): This is wrong, kAllHosts implies kTabs. crbug.com/512344
643 { "permissions3", true }, // http://*/* -> http://*/*,tabs
644 { "permissions5", true }, // bookmarks -> bookmarks,history
645 { "equivalent_warnings", false }, // tabs --> tabs, webNavigation
646 #if !defined(OS_CHROMEOS) // plugins aren't allowed in ChromeOS
647 { "permissions4", false }, // plugin -> plugin,tabs
648 { "plugin1", false }, // plugin -> plugin
649 { "plugin2", false }, // plugin -> none
650 { "plugin3", true }, // none -> plugin
651 #endif
652 { "storage", false }, // none -> storage
653 { "notifications", false }, // none -> notifications
654 { "platformapp1", false }, // host permissions for platform apps
655 { "platformapp2", true }, // API permissions for platform apps
656 { "media_galleries1", true }, // all -> read|all
657 { "media_galleries2", true }, // read|all -> read|delete|copyTo|all
658 { "media_galleries3", true }, // all -> read|delete|all
659 { "media_galleries4", false }, // read|all -> all
660 { "media_galleries5", false }, // read|copyTo|delete|all -> read|all
661 { "media_galleries6", false }, // read|all -> read|all
662 { "media_galleries7", true }, // read|delete|all -> read|copyTo|delete|all
663 { "sockets1", true }, // none -> tcp:*:*
664 { "sockets2", false }, // tcp:*:* -> tcp:*:*
665 { "sockets3", true }, // tcp:a.com:80 -> tcp:*:*
668 for (size_t i = 0; i < arraysize(kTests); ++i) {
669 scoped_refptr<Extension> old_extension(
670 LoadManifest("allow_silent_upgrade",
671 std::string(kTests[i].base_name) + "_old.json"));
672 scoped_refptr<Extension> new_extension(
673 LoadManifest("allow_silent_upgrade",
674 std::string(kTests[i].base_name) + "_new.json"));
676 EXPECT_TRUE(new_extension.get()) << kTests[i].base_name << "_new.json";
677 if (!new_extension.get())
678 continue;
680 scoped_refptr<const PermissionSet> old_p(
681 old_extension->permissions_data()->active_permissions());
682 scoped_refptr<const PermissionSet> new_p(
683 new_extension->permissions_data()->active_permissions());
684 Manifest::Type extension_type = old_extension->GetType();
686 bool increased = PermissionMessageProvider::Get()->IsPrivilegeIncrease(
687 old_p.get(), new_p.get(), extension_type);
688 EXPECT_EQ(kTests[i].expect_increase, increased) << kTests[i].base_name;
692 TEST(PermissionsTest, PermissionMessages) {
693 // Ensure that all permissions that needs to show install UI actually have
694 // strings associated with them.
695 APIPermissionSet skip;
697 // These are considered "nuisance" or "trivial" permissions that don't need
698 // a prompt.
699 skip.insert(APIPermission::kActiveTab);
700 skip.insert(APIPermission::kAlarms);
701 skip.insert(APIPermission::kAlphaEnabled);
702 skip.insert(APIPermission::kAlwaysOnTopWindows);
703 skip.insert(APIPermission::kAppView);
704 skip.insert(APIPermission::kAudio);
705 skip.insert(APIPermission::kAudioModem);
706 skip.insert(APIPermission::kBrowsingData);
707 skip.insert(APIPermission::kCastStreaming);
708 skip.insert(APIPermission::kCommandsAccessibility);
709 skip.insert(APIPermission::kContextMenus);
710 skip.insert(APIPermission::kCryptotokenPrivate);
711 skip.insert(APIPermission::kCopresencePrivate);
712 skip.insert(APIPermission::kDesktopCapturePrivate);
713 skip.insert(APIPermission::kDiagnostics);
714 skip.insert(APIPermission::kDns);
715 skip.insert(APIPermission::kDownloadsShelf);
716 skip.insert(APIPermission::kEmbeddedExtensionOptions);
717 skip.insert(APIPermission::kExtensionView);
718 skip.insert(APIPermission::kFontSettings);
719 skip.insert(APIPermission::kFullscreen);
720 skip.insert(APIPermission::kGcm);
721 skip.insert(APIPermission::kIdle);
722 skip.insert(APIPermission::kImeWindowEnabled);
723 skip.insert(APIPermission::kInlineInstallPrivate);
724 skip.insert(APIPermission::kIdltest);
725 skip.insert(APIPermission::kLogPrivate);
726 skip.insert(APIPermission::kNotifications);
727 skip.insert(APIPermission::kNotificationProvider);
728 skip.insert(APIPermission::kOverrideEscFullscreen);
729 skip.insert(APIPermission::kPointerLock);
730 skip.insert(APIPermission::kPower);
731 skip.insert(APIPermission::kPrinterProvider);
732 skip.insert(APIPermission::kSessions);
733 skip.insert(APIPermission::kStorage);
734 skip.insert(APIPermission::kSystemCpu);
735 skip.insert(APIPermission::kSystemDisplay);
736 skip.insert(APIPermission::kSystemMemory);
737 skip.insert(APIPermission::kSystemNetwork);
738 skip.insert(APIPermission::kSystemStorage);
739 skip.insert(APIPermission::kTts);
740 skip.insert(APIPermission::kUnlimitedStorage);
741 skip.insert(APIPermission::kWebcamPrivate);
742 skip.insert(APIPermission::kWebView);
743 skip.insert(APIPermission::kWindowShape);
745 // These permissions are restricted to extensions force-installed by policy
746 // and don't require a prompt, i.e. they're restricted to location 'policy'.
747 skip.insert(APIPermission::kEnterprisePlatformKeys);
748 skip.insert(APIPermission::kEnterpriseDeviceAttributes);
750 // TODO(erikkay) add a string for this permission.
751 skip.insert(APIPermission::kBackground);
753 skip.insert(APIPermission::kClipboardWrite);
755 // The cookie permission does nothing unless you have associated host
756 // permissions.
757 skip.insert(APIPermission::kCookie);
759 // These are warned as part of host permission checks.
760 skip.insert(APIPermission::kDataReductionProxy);
761 skip.insert(APIPermission::kDeclarativeContent);
762 skip.insert(APIPermission::kPageCapture);
763 skip.insert(APIPermission::kProxy);
764 skip.insert(APIPermission::kTabCapture);
765 skip.insert(APIPermission::kWebRequest);
766 skip.insert(APIPermission::kWebRequestBlocking);
768 // This permission requires explicit user action (context menu handler)
769 // so we won't prompt for it for now.
770 skip.insert(APIPermission::kFileBrowserHandler);
772 // These permissions require explicit user action (configuration dialog)
773 // so we don't prompt for them at install time.
774 skip.insert(APIPermission::kMediaGalleries);
776 // If you've turned on the experimental command-line flag, we don't need
777 // to warn you further.
778 skip.insert(APIPermission::kExperimental);
780 // The Identity API has its own server-driven permission prompts.
781 skip.insert(APIPermission::kIdentity);
783 // These are private.
784 skip.insert(APIPermission::kAccessibilityPrivate);
785 skip.insert(APIPermission::kAutoTestPrivate);
786 skip.insert(APIPermission::kBookmarkManagerPrivate);
787 skip.insert(APIPermission::kBrailleDisplayPrivate);
788 skip.insert(APIPermission::kCast);
789 skip.insert(APIPermission::kCastStreaming);
790 skip.insert(APIPermission::kChromeosInfoPrivate);
791 skip.insert(APIPermission::kCloudPrintPrivate);
792 skip.insert(APIPermission::kCommandLinePrivate);
793 skip.insert(APIPermission::kDeveloperPrivate);
794 skip.insert(APIPermission::kDial);
795 skip.insert(APIPermission::kDownloadsInternal);
796 skip.insert(APIPermission::kEasyUnlockPrivate);
797 skip.insert(APIPermission::kEchoPrivate);
798 skip.insert(APIPermission::kEnterprisePlatformKeysPrivate);
799 skip.insert(APIPermission::kFeedbackPrivate);
800 skip.insert(APIPermission::kFileBrowserHandlerInternal);
801 skip.insert(APIPermission::kFileManagerPrivate);
802 skip.insert(APIPermission::kFirstRunPrivate);
803 skip.insert(APIPermission::kGcdPrivate);
804 skip.insert(APIPermission::kHotwordPrivate);
805 skip.insert(APIPermission::kIdentityPrivate);
806 skip.insert(APIPermission::kInputMethodPrivate);
807 skip.insert(APIPermission::kLanguageSettingsPrivate);
808 skip.insert(APIPermission::kMediaPlayerPrivate);
809 skip.insert(APIPermission::kMediaRouterPrivate);
810 skip.insert(APIPermission::kMetricsPrivate);
811 skip.insert(APIPermission::kPreferencesPrivate);
812 skip.insert(APIPermission::kPrincipalsPrivate);
813 skip.insert(APIPermission::kImageWriterPrivate);
814 skip.insert(APIPermission::kReadingListPrivate);
815 skip.insert(APIPermission::kRtcPrivate);
816 skip.insert(APIPermission::kStreamsPrivate);
817 skip.insert(APIPermission::kSystemPrivate);
818 skip.insert(APIPermission::kTabCaptureForTab);
819 skip.insert(APIPermission::kTerminalPrivate);
820 skip.insert(APIPermission::kVirtualKeyboardPrivate);
821 skip.insert(APIPermission::kWallpaperPrivate);
822 skip.insert(APIPermission::kWebrtcAudioPrivate);
823 skip.insert(APIPermission::kWebrtcDesktopCapturePrivate);
824 skip.insert(APIPermission::kWebrtcLoggingPrivate);
825 skip.insert(APIPermission::kWebstorePrivate);
826 skip.insert(APIPermission::kWebstoreWidgetPrivate);
828 // Warned as part of host permissions.
829 skip.insert(APIPermission::kDevtools);
831 // Platform apps.
832 skip.insert(APIPermission::kBrowser);
833 skip.insert(APIPermission::kHid);
834 skip.insert(APIPermission::kFileSystem);
835 skip.insert(APIPermission::kFileSystemProvider);
836 skip.insert(APIPermission::kFileSystemRequestFileSystem);
837 skip.insert(APIPermission::kFileSystemRetainEntries);
838 skip.insert(APIPermission::kFileSystemWrite);
839 skip.insert(APIPermission::kSocket);
840 skip.insert(APIPermission::kUsb);
841 skip.insert(APIPermission::kLauncherSearchProvider);
843 // We already have a generic message for declaring externally_connectable.
844 skip.insert(APIPermission::kExternallyConnectableAllUrls);
846 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
847 PermissionsInfo* info = PermissionsInfo::GetInstance();
848 APIPermissionSet permissions = info->GetAll();
849 for (APIPermissionSet::const_iterator i = permissions.begin();
850 i != permissions.end(); ++i) {
851 const APIPermissionInfo* permission_info = i->info();
852 EXPECT_TRUE(permission_info != NULL);
854 PermissionIDSet id;
855 id.insert(permission_info->id());
856 bool has_message = !provider->GetPermissionMessages(id).empty();
857 bool should_have_message = !skip.count(i->id());
858 EXPECT_EQ(should_have_message, has_message) << permission_info->name();
862 TEST(PermissionsTest, FileSystemPermissionMessages) {
863 APIPermissionSet api_permissions;
864 api_permissions.insert(APIPermission::kFileSystemWrite);
865 api_permissions.insert(APIPermission::kFileSystemDirectory);
866 scoped_refptr<PermissionSet> permissions(
867 new PermissionSet(api_permissions, ManifestPermissionSet(),
868 URLPatternSet(), URLPatternSet()));
869 EXPECT_TRUE(PermissionSetProducesMessage(
870 permissions.get(), Manifest::TYPE_PLATFORM_APP,
871 MakePermissionIDSet(api_permissions)));
874 TEST(PermissionsTest, HiddenFileSystemPermissionMessages) {
875 APIPermissionSet api_permissions;
876 api_permissions.insert(APIPermission::kFileSystemWrite);
877 api_permissions.insert(APIPermission::kFileSystemDirectory);
878 scoped_refptr<PermissionSet> permissions(
879 new PermissionSet(api_permissions, ManifestPermissionSet(),
880 URLPatternSet(), URLPatternSet()));
881 EXPECT_TRUE(PermissionSetProducesMessage(
882 permissions.get(), Manifest::TYPE_PLATFORM_APP,
883 MakePermissionIDSet(api_permissions)));
886 TEST(PermissionsTest, SuppressedPermissionMessages) {
888 // Tabs warning suppresses favicon warning.
889 APIPermissionSet api_permissions;
890 api_permissions.insert(APIPermission::kTab);
891 URLPatternSet hosts;
892 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
893 "chrome://favicon/"));
894 scoped_refptr<PermissionSet> permissions(
895 new PermissionSet(api_permissions, ManifestPermissionSet(),
896 hosts, URLPatternSet()));
897 EXPECT_TRUE(PermissionSetProducesMessage(
898 permissions.get(), Manifest::TYPE_EXTENSION,
899 MakePermissionIDSet(APIPermission::kTab, APIPermission::kFavicon)));
902 // History warning suppresses favicon warning.
903 APIPermissionSet api_permissions;
904 api_permissions.insert(APIPermission::kHistory);
905 URLPatternSet hosts;
906 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
907 "chrome://favicon/"));
908 scoped_refptr<PermissionSet> permissions(
909 new PermissionSet(api_permissions, ManifestPermissionSet(),
910 hosts, URLPatternSet()));
911 EXPECT_TRUE(PermissionSetProducesMessage(
912 permissions.get(), Manifest::TYPE_EXTENSION,
913 MakePermissionIDSet(APIPermission::kHistory, APIPermission::kFavicon)));
916 // All sites warning suppresses tabs warning.
917 APIPermissionSet api_permissions;
918 api_permissions.insert(APIPermission::kTab);
919 URLPatternSet hosts;
920 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
921 scoped_refptr<PermissionSet> permissions(new PermissionSet(
922 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
923 EXPECT_TRUE(PermissionSetProducesMessage(
924 permissions.get(), Manifest::TYPE_EXTENSION,
925 MakePermissionIDSet(APIPermission::kHostsAll, APIPermission::kTab)));
928 // All sites warning suppresses topSites warning.
929 APIPermissionSet api_permissions;
930 api_permissions.insert(APIPermission::kTopSites);
931 URLPatternSet hosts;
932 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
933 scoped_refptr<PermissionSet> permissions(new PermissionSet(
934 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
935 EXPECT_TRUE(PermissionSetProducesMessage(
936 permissions.get(), Manifest::TYPE_EXTENSION,
937 MakePermissionIDSet(APIPermission::kHostsAll,
938 APIPermission::kTopSites)));
941 // All sites warning suppresses declarativeWebRequest warning.
942 APIPermissionSet api_permissions;
943 api_permissions.insert(APIPermission::kDeclarativeWebRequest);
944 URLPatternSet hosts;
945 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
946 scoped_refptr<PermissionSet> permissions(new PermissionSet(
947 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
948 EXPECT_TRUE(PermissionSetProducesMessage(
949 permissions.get(), Manifest::TYPE_EXTENSION,
950 MakePermissionIDSet(APIPermission::kHostsAll)));
953 // BrowsingHistory warning suppresses all history read/write warnings.
954 APIPermissionSet api_permissions;
955 api_permissions.insert(APIPermission::kHistory);
956 api_permissions.insert(APIPermission::kTab);
957 api_permissions.insert(APIPermission::kTopSites);
958 api_permissions.insert(APIPermission::kProcesses);
959 api_permissions.insert(APIPermission::kWebNavigation);
960 scoped_refptr<PermissionSet> permissions(
961 new PermissionSet(api_permissions, ManifestPermissionSet(),
962 URLPatternSet(), URLPatternSet()));
963 EXPECT_TRUE(PermissionSetProducesMessage(
964 permissions.get(), Manifest::TYPE_EXTENSION,
965 MakePermissionIDSet(api_permissions)));
968 // Tabs warning suppresses all read-only history warnings.
969 APIPermissionSet api_permissions;
970 api_permissions.insert(APIPermission::kTab);
971 api_permissions.insert(APIPermission::kTopSites);
972 api_permissions.insert(APIPermission::kProcesses);
973 api_permissions.insert(APIPermission::kWebNavigation);
974 scoped_refptr<PermissionSet> permissions(
975 new PermissionSet(api_permissions, ManifestPermissionSet(),
976 URLPatternSet(), URLPatternSet()));
977 EXPECT_TRUE(PermissionSetProducesMessage(
978 permissions.get(), Manifest::TYPE_EXTENSION,
979 MakePermissionIDSet(api_permissions)));
983 TEST(PermissionsTest, AccessToDevicesMessages) {
985 APIPermissionSet api_permissions;
986 api_permissions.insert(APIPermission::kSerial);
987 scoped_refptr<PermissionSet> permissions(
988 new PermissionSet(api_permissions,
989 ManifestPermissionSet(),
990 URLPatternSet(),
991 URLPatternSet()));
992 VerifyOnePermissionMessage(
993 permissions.get(), Manifest::TYPE_EXTENSION,
994 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
997 // Testing that multiple permissions will show the one message.
998 APIPermissionSet api_permissions;
999 api_permissions.insert(APIPermission::kSerial);
1000 api_permissions.insert(APIPermission::kSerial);
1001 scoped_refptr<PermissionSet> permissions(
1002 new PermissionSet(api_permissions,
1003 ManifestPermissionSet(),
1004 URLPatternSet(),
1005 URLPatternSet()));
1006 VerifyOnePermissionMessage(
1007 permissions.get(), Manifest::TYPE_EXTENSION,
1008 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1011 scoped_refptr<Extension> extension =
1012 LoadManifest("permissions", "access_to_devices_bluetooth.json");
1013 PermissionSet* set = const_cast<PermissionSet*>(
1014 extension->permissions_data()->active_permissions().get());
1015 VerifyOnePermissionMessage(
1016 set, extension->GetType(),
1017 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH));
1019 // Test Bluetooth and Serial
1020 set->apis_.insert(APIPermission::kSerial);
1021 VerifyOnePermissionMessage(
1022 set, extension->GetType(),
1023 l10n_util::GetStringUTF16(
1024 IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH_SERIAL));
1028 TEST(PermissionsTest, MergedFileSystemPermissionComparison) {
1029 APIPermissionSet write_api_permissions;
1030 write_api_permissions.insert(APIPermission::kFileSystemWrite);
1031 scoped_refptr<PermissionSet> write_permissions(
1032 new PermissionSet(write_api_permissions, ManifestPermissionSet(),
1033 URLPatternSet(), URLPatternSet()));
1035 APIPermissionSet directory_api_permissions;
1036 directory_api_permissions.insert(APIPermission::kFileSystemDirectory);
1037 scoped_refptr<PermissionSet> directory_permissions(
1038 new PermissionSet(directory_api_permissions, ManifestPermissionSet(),
1039 URLPatternSet(), URLPatternSet()));
1041 APIPermissionSet write_directory_api_permissions;
1042 write_directory_api_permissions.insert(APIPermission::kFileSystemWrite);
1043 write_directory_api_permissions.insert(APIPermission::kFileSystemDirectory);
1044 scoped_refptr<PermissionSet> write_directory_permissions(
1045 new PermissionSet(write_directory_api_permissions,
1046 ManifestPermissionSet(),
1047 URLPatternSet(),
1048 URLPatternSet()));
1050 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1051 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1052 write_permissions.get(),
1053 Manifest::TYPE_PLATFORM_APP));
1054 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1055 directory_permissions.get(),
1056 Manifest::TYPE_PLATFORM_APP));
1057 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1058 directory_permissions.get(),
1059 Manifest::TYPE_PLATFORM_APP));
1060 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1061 write_directory_permissions.get(),
1062 Manifest::TYPE_PLATFORM_APP));
1063 EXPECT_FALSE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1064 write_permissions.get(),
1065 Manifest::TYPE_PLATFORM_APP));
1066 EXPECT_TRUE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1067 write_directory_permissions.get(),
1068 Manifest::TYPE_PLATFORM_APP));
1071 TEST(PermissionsTest, GetWarningMessages_ManyHosts) {
1072 scoped_refptr<Extension> extension;
1073 extension = LoadManifest("permissions", "many-hosts.json");
1074 EXPECT_TRUE(VerifyOnePermissionMessage(
1075 extension->permissions_data(),
1076 "Read and change your data on encrypted.google.com and www.google.com"));
1079 TEST(PermissionsTest, GetWarningMessages_Plugins) {
1080 scoped_refptr<Extension> extension;
1081 extension = LoadManifest("permissions", "plugins.json");
1082 // We don't parse the plugins key on Chrome OS, so it should not ask for any
1083 // permissions.
1084 #if defined(OS_CHROMEOS)
1085 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1086 #else
1087 EXPECT_TRUE(VerifyOnePermissionMessage(
1088 extension->permissions_data(),
1089 "Read and change all your data on your computer and the websites you "
1090 "visit"));
1091 #endif
1094 TEST(PermissionsTest, GetWarningMessages_AudioVideo) {
1095 const std::string kAudio("Use your microphone");
1096 const std::string kVideo("Use your camera");
1097 const std::string kBoth("Use your microphone and camera");
1099 // Both audio and video present.
1100 scoped_refptr<Extension> extension =
1101 LoadManifest("permissions", "audio-video.json");
1102 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1103 PermissionSet* set = const_cast<PermissionSet*>(
1104 extension->permissions_data()->active_permissions().get());
1105 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1106 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1107 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1108 PermissionMessages warnings = provider->GetPermissionMessages(
1109 provider->GetAllPermissionIDs(set, extension->GetType()));
1110 size_t combined_index = IndexOf(warnings, kBoth);
1111 size_t combined_size = warnings.size();
1113 // Just audio present.
1114 set->apis_.erase(APIPermission::kVideoCapture);
1115 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1116 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1117 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1118 PermissionMessages warnings2 = provider->GetPermissionMessages(
1119 provider->GetAllPermissionIDs(set, extension->GetType()));
1120 EXPECT_EQ(combined_size, warnings2.size());
1121 EXPECT_EQ(combined_index, IndexOf(warnings2, kAudio));
1123 // Just video present.
1124 set->apis_.erase(APIPermission::kAudioCapture);
1125 set->apis_.insert(APIPermission::kVideoCapture);
1126 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kAudio));
1127 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(), kVideo));
1128 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(), kBoth));
1129 PermissionMessages warnings3 = provider->GetPermissionMessages(
1130 provider->GetAllPermissionIDs(set, extension->GetType()));
1131 EXPECT_EQ(combined_size, warnings3.size());
1132 EXPECT_EQ(combined_index, IndexOf(warnings3, kVideo));
1135 TEST(PermissionsTest, GetWarningMessages_CombinedSessions) {
1137 APIPermissionSet api_permissions;
1138 api_permissions.insert(APIPermission::kTab);
1139 api_permissions.insert(APIPermission::kTopSites);
1140 api_permissions.insert(APIPermission::kProcesses);
1141 api_permissions.insert(APIPermission::kWebNavigation);
1142 api_permissions.insert(APIPermission::kSessions);
1143 scoped_refptr<PermissionSet> permissions(
1144 new PermissionSet(api_permissions, ManifestPermissionSet(),
1145 URLPatternSet(), URLPatternSet()));
1146 EXPECT_TRUE(VerifyOnePermissionMessage(
1147 permissions.get(), Manifest::TYPE_EXTENSION,
1148 l10n_util::GetStringUTF16(
1149 IDS_EXTENSION_PROMPT_WARNING_HISTORY_READ_AND_SESSIONS)));
1152 APIPermissionSet api_permissions;
1153 api_permissions.insert(APIPermission::kHistory);
1154 api_permissions.insert(APIPermission::kTab);
1155 api_permissions.insert(APIPermission::kTopSites);
1156 api_permissions.insert(APIPermission::kProcesses);
1157 api_permissions.insert(APIPermission::kWebNavigation);
1158 api_permissions.insert(APIPermission::kSessions);
1159 scoped_refptr<PermissionSet> permissions(
1160 new PermissionSet(api_permissions, ManifestPermissionSet(),
1161 URLPatternSet(), URLPatternSet()));
1162 EXPECT_TRUE(VerifyOnePermissionMessage(
1163 permissions.get(), Manifest::TYPE_EXTENSION,
1164 l10n_util::GetStringUTF16(
1165 IDS_EXTENSION_PROMPT_WARNING_HISTORY_WRITE_AND_SESSIONS)));
1169 TEST(PermissionsTest, GetWarningMessages_DeclarativeWebRequest) {
1170 // Test that if the declarativeWebRequest permission is present
1171 // in combination with all hosts permission, then only the warning
1172 // for host permissions is shown, because that covers the use of
1173 // declarativeWebRequest.
1175 // Until Declarative Web Request is in stable, let's make sure it is enabled
1176 // on the current channel.
1177 ScopedCurrentChannel sc(version_info::Channel::CANARY);
1179 // First verify that declarativeWebRequest produces a message when host
1180 // permissions do not cover all hosts.
1181 scoped_refptr<Extension> extension =
1182 LoadManifest("permissions", "web_request_not_all_host_permissions.json");
1183 const PermissionSet* set =
1184 extension->permissions_data()->active_permissions().get();
1185 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(),
1186 "Block parts of web pages"));
1187 EXPECT_FALSE(VerifyHasPermissionMessage(
1188 set, extension->GetType(),
1189 "Read and change all your data on the websites you visit"));
1191 // Now verify that declarativeWebRequest does not produce a message when host
1192 // permissions do cover all hosts.
1193 extension =
1194 LoadManifest("permissions", "web_request_all_host_permissions.json");
1195 set = extension->permissions_data()->active_permissions().get();
1196 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1197 "Block parts of web pages"));
1198 EXPECT_TRUE(VerifyHasPermissionMessage(
1199 set, extension->GetType(),
1200 "Read and change all your data on the websites you visit"));
1203 TEST(PermissionsTest, GetWarningMessages_Serial) {
1204 scoped_refptr<Extension> extension =
1205 LoadManifest("permissions", "serial.json");
1207 EXPECT_TRUE(extension->is_platform_app());
1208 EXPECT_TRUE(
1209 extension->permissions_data()->HasAPIPermission(APIPermission::kSerial));
1210 EXPECT_TRUE(VerifyOnePermissionMessage(extension->permissions_data(),
1211 "Access your serial devices"));
1214 TEST(PermissionsTest, GetWarningMessages_Socket_AnyHost) {
1215 ScopedCurrentChannel channel(version_info::Channel::DEV);
1217 scoped_refptr<Extension> extension =
1218 LoadManifest("permissions", "socket_any_host.json");
1219 EXPECT_TRUE(extension->is_platform_app());
1220 EXPECT_TRUE(
1221 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1222 EXPECT_TRUE(VerifyOnePermissionMessage(
1223 extension->permissions_data(),
1224 "Exchange data with any device on the local network or internet"));
1227 TEST(PermissionsTest, GetWarningMessages_Socket_OneDomainTwoHostnames) {
1228 ScopedCurrentChannel channel(version_info::Channel::DEV);
1230 scoped_refptr<Extension> extension =
1231 LoadManifest("permissions", "socket_one_domain_two_hostnames.json");
1232 EXPECT_TRUE(extension->is_platform_app());
1233 EXPECT_TRUE(
1234 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1236 // Verify the warnings, including support for unicode characters, the fact
1237 // that domain host warnings come before specific host warnings, and the fact
1238 // that domains and hostnames are in alphabetical order regardless of the
1239 // order in the manifest file.
1240 EXPECT_TRUE(VerifyTwoPermissionMessages(
1241 extension->permissions_data(),
1242 "Exchange data with any device in the domain example.org",
1243 "Exchange data with the devices named: "
1244 "b\xC3\xA5r.example.com foo.example.com",
1245 // "\xC3\xA5" = UTF-8 for lowercase A with ring above
1246 true));
1249 TEST(PermissionsTest, GetWarningMessages_Socket_TwoDomainsOneHostname) {
1250 ScopedCurrentChannel channel(version_info::Channel::DEV);
1252 scoped_refptr<Extension> extension =
1253 LoadManifest("permissions", "socket_two_domains_one_hostname.json");
1254 EXPECT_TRUE(extension->is_platform_app());
1255 EXPECT_TRUE(
1256 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1258 // Verify the warnings, including the fact that domain host warnings come
1259 // before specific host warnings and the fact that domains and hostnames are
1260 // in alphabetical order regardless of the order in the manifest file.
1261 EXPECT_TRUE(VerifyTwoPermissionMessages(
1262 extension->permissions_data(),
1263 "Exchange data with any device in the domains: "
1264 "example.com foo.example.org",
1265 "Exchange data with the device named bar.example.org", true));
1268 // Since platform apps always use isolated storage, they can't (silently)
1269 // access user data on other domains, so there's no need to prompt about host
1270 // permissions. See crbug.com/255229.
1271 TEST(PermissionsTest, GetWarningMessages_PlatformAppHosts) {
1272 scoped_refptr<Extension> extension;
1274 extension = LoadManifest("permissions", "platform_app_hosts.json");
1275 EXPECT_TRUE(extension->is_platform_app());
1276 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1278 extension = LoadManifest("permissions", "platform_app_all_urls.json");
1279 EXPECT_TRUE(extension->is_platform_app());
1280 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1283 testing::AssertionResult ShowsAllHostsWarning(const std::string& pattern) {
1284 scoped_refptr<Extension> extension =
1285 ExtensionBuilder()
1286 .SetManifest(DictionaryBuilder()
1287 .Set("name", "TLDWildCardTest")
1288 .Set("version", "0.1.0")
1289 .Set("permissions", ListBuilder().Append(pattern))
1290 .Build())
1291 .Build();
1293 return VerifyHasPermissionMessage(
1294 extension->permissions_data(),
1295 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_ALL_HOSTS));
1298 TEST(PermissionsTest, GetWarningMessages_TLDWildcardTreatedAsAllHosts) {
1299 EXPECT_TRUE(ShowsAllHostsWarning("http://*.com/*")); // most popular.
1300 EXPECT_TRUE(ShowsAllHostsWarning("http://*.org/*")); // sanity check.
1301 EXPECT_TRUE(ShowsAllHostsWarning("http://*.co.uk/*")); // eTLD.
1302 EXPECT_TRUE(ShowsAllHostsWarning("http://*.de/*")); // foreign country tld.
1304 // We should still show the normal permissions (i.e., "Can access your data on
1305 // *.rdcronin.com") for things that are not TLDs.
1306 EXPECT_FALSE(ShowsAllHostsWarning("http://*.rdcronin.com/*"));
1308 // Pseudo-TLDs, like appspot.com, should not show all hosts.
1309 EXPECT_FALSE(ShowsAllHostsWarning("http://*.appspot.com/*"));
1311 // Non-TLDs should be likewise exempt.
1312 EXPECT_FALSE(ShowsAllHostsWarning("http://*.notarealtld/*"));
1314 // Our internal checks use "foo", so let's make sure we're not messing
1315 // something up with it.
1316 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo.com"));
1317 EXPECT_FALSE(ShowsAllHostsWarning("http://foo.com"));
1318 // This will fail if foo becomes a recognized TLD. Which could be soon.
1319 // Update as needed.
1320 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo"));
1323 TEST(PermissionsTest, GetDistinctHosts) {
1324 URLPatternSet explicit_hosts;
1325 std::set<std::string> expected;
1326 expected.insert("www.foo.com");
1327 expected.insert("www.bar.com");
1328 expected.insert("www.baz.com");
1331 SCOPED_TRACE("no dupes");
1333 // Simple list with no dupes.
1334 explicit_hosts.AddPattern(
1335 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1336 explicit_hosts.AddPattern(
1337 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/path"));
1338 explicit_hosts.AddPattern(
1339 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1340 EXPECT_EQ(expected,
1341 permission_message_util::GetDistinctHosts(
1342 explicit_hosts, true, true));
1346 SCOPED_TRACE("two dupes");
1348 // Add some dupes.
1349 explicit_hosts.AddPattern(
1350 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1351 explicit_hosts.AddPattern(
1352 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1353 EXPECT_EQ(expected,
1354 permission_message_util::GetDistinctHosts(
1355 explicit_hosts, true, true));
1359 SCOPED_TRACE("schemes differ");
1361 // Add a pattern that differs only by scheme. This should be filtered out.
1362 explicit_hosts.AddPattern(
1363 URLPattern(URLPattern::SCHEME_HTTPS, "https://www.bar.com/path"));
1364 EXPECT_EQ(expected,
1365 permission_message_util::GetDistinctHosts(
1366 explicit_hosts, true, true));
1370 SCOPED_TRACE("paths differ");
1372 // Add some dupes by path.
1373 explicit_hosts.AddPattern(
1374 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/pathypath"));
1375 EXPECT_EQ(expected,
1376 permission_message_util::GetDistinctHosts(
1377 explicit_hosts, true, true));
1381 SCOPED_TRACE("subdomains differ");
1383 // We don't do anything special for subdomains.
1384 explicit_hosts.AddPattern(
1385 URLPattern(URLPattern::SCHEME_HTTP, "http://monkey.www.bar.com/path"));
1386 explicit_hosts.AddPattern(
1387 URLPattern(URLPattern::SCHEME_HTTP, "http://bar.com/path"));
1389 expected.insert("monkey.www.bar.com");
1390 expected.insert("bar.com");
1392 EXPECT_EQ(expected,
1393 permission_message_util::GetDistinctHosts(
1394 explicit_hosts, true, true));
1398 SCOPED_TRACE("RCDs differ");
1400 // Now test for RCD uniquing.
1401 explicit_hosts.AddPattern(
1402 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1403 explicit_hosts.AddPattern(
1404 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1405 explicit_hosts.AddPattern(
1406 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.de/path"));
1407 explicit_hosts.AddPattern(
1408 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca.us/path"));
1409 explicit_hosts.AddPattern(
1410 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1411 explicit_hosts.AddPattern(
1412 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com.my/path"));
1414 // This is an unknown RCD, which shouldn't be uniqued out.
1415 explicit_hosts.AddPattern(
1416 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1417 // But it should only occur once.
1418 explicit_hosts.AddPattern(
1419 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1421 expected.insert("www.foo.xyzzy");
1423 EXPECT_EQ(expected,
1424 permission_message_util::GetDistinctHosts(
1425 explicit_hosts, true, true));
1429 SCOPED_TRACE("wildcards");
1431 explicit_hosts.AddPattern(
1432 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1434 expected.insert("*.google.com");
1436 EXPECT_EQ(expected,
1437 permission_message_util::GetDistinctHosts(
1438 explicit_hosts, true, true));
1442 SCOPED_TRACE("scriptable hosts");
1444 APIPermissionSet empty_perms;
1445 explicit_hosts.ClearPatterns();
1446 URLPatternSet scriptable_hosts;
1447 expected.clear();
1449 explicit_hosts.AddPattern(
1450 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1451 scriptable_hosts.AddPattern(
1452 URLPattern(URLPattern::SCHEME_HTTP, "http://*.example.com/*"));
1454 expected.insert("*.google.com");
1455 expected.insert("*.example.com");
1457 scoped_refptr<PermissionSet> perm_set(new PermissionSet(
1458 empty_perms, ManifestPermissionSet(),
1459 explicit_hosts, scriptable_hosts));
1460 EXPECT_EQ(expected,
1461 permission_message_util::GetDistinctHosts(
1462 perm_set->effective_hosts(), true, true));
1466 // We don't display warnings for file URLs because they are off by default.
1467 SCOPED_TRACE("file urls");
1469 explicit_hosts.ClearPatterns();
1470 expected.clear();
1472 explicit_hosts.AddPattern(
1473 URLPattern(URLPattern::SCHEME_FILE, "file:///*"));
1475 EXPECT_EQ(expected,
1476 permission_message_util::GetDistinctHosts(
1477 explicit_hosts, true, true));
1481 TEST(PermissionsTest, GetDistinctHosts_ComIsBestRcd) {
1482 URLPatternSet explicit_hosts;
1483 explicit_hosts.AddPattern(
1484 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1485 explicit_hosts.AddPattern(
1486 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1487 explicit_hosts.AddPattern(
1488 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1489 explicit_hosts.AddPattern(
1490 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1491 explicit_hosts.AddPattern(
1492 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1493 explicit_hosts.AddPattern(
1494 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1496 std::set<std::string> expected;
1497 expected.insert("www.foo.com");
1498 EXPECT_EQ(expected,
1499 permission_message_util::GetDistinctHosts(
1500 explicit_hosts, true, true));
1503 TEST(PermissionsTest, GetDistinctHosts_NetIs2ndBestRcd) {
1504 URLPatternSet explicit_hosts;
1505 explicit_hosts.AddPattern(
1506 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1507 explicit_hosts.AddPattern(
1508 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1509 explicit_hosts.AddPattern(
1510 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1511 explicit_hosts.AddPattern(
1512 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1513 explicit_hosts.AddPattern(
1514 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1515 // No http://www.foo.com/path
1517 std::set<std::string> expected;
1518 expected.insert("www.foo.net");
1519 EXPECT_EQ(expected,
1520 permission_message_util::GetDistinctHosts(
1521 explicit_hosts, true, true));
1524 TEST(PermissionsTest, GetDistinctHosts_OrgIs3rdBestRcd) {
1525 URLPatternSet explicit_hosts;
1526 explicit_hosts.AddPattern(
1527 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1528 explicit_hosts.AddPattern(
1529 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1530 explicit_hosts.AddPattern(
1531 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1532 // No http://www.foo.net/path
1533 explicit_hosts.AddPattern(
1534 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1535 // No http://www.foo.com/path
1537 std::set<std::string> expected;
1538 expected.insert("www.foo.org");
1539 EXPECT_EQ(expected,
1540 permission_message_util::GetDistinctHosts(
1541 explicit_hosts, true, true));
1544 TEST(PermissionsTest, GetDistinctHosts_FirstInListIs4thBestRcd) {
1545 URLPatternSet explicit_hosts;
1546 explicit_hosts.AddPattern(
1547 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1548 // No http://www.foo.org/path
1549 explicit_hosts.AddPattern(
1550 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1551 // No http://www.foo.net/path
1552 explicit_hosts.AddPattern(
1553 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1554 // No http://www.foo.com/path
1556 std::set<std::string> expected;
1557 expected.insert("www.foo.ca");
1558 EXPECT_EQ(expected,
1559 permission_message_util::GetDistinctHosts(
1560 explicit_hosts, true, true));
1563 TEST(PermissionsTest, IsHostPrivilegeIncrease) {
1564 Manifest::Type type = Manifest::TYPE_EXTENSION;
1565 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1566 ManifestPermissionSet empty_manifest_permissions;
1567 URLPatternSet elist1;
1568 URLPatternSet elist2;
1569 URLPatternSet slist1;
1570 URLPatternSet slist2;
1571 scoped_refptr<PermissionSet> set1;
1572 scoped_refptr<PermissionSet> set2;
1573 APIPermissionSet empty_perms;
1574 elist1.AddPattern(
1575 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1576 elist1.AddPattern(
1577 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1579 // Test that the host order does not matter.
1580 elist2.AddPattern(
1581 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1582 elist2.AddPattern(
1583 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1585 set1 = new PermissionSet(empty_perms, empty_manifest_permissions,
1586 elist1, slist1);
1587 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1588 elist2, slist2);
1590 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1591 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1593 // Test that paths are ignored.
1594 elist2.ClearPatterns();
1595 elist2.AddPattern(
1596 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/*"));
1597 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1598 elist2, slist2);
1599 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1600 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1602 // Test that RCDs are ignored.
1603 elist2.ClearPatterns();
1604 elist2.AddPattern(
1605 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/*"));
1606 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1607 elist2, slist2);
1608 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1609 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1611 // Test that subdomain wildcards are handled properly.
1612 elist2.ClearPatterns();
1613 elist2.AddPattern(
1614 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com.hk/*"));
1615 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1616 elist2, slist2);
1617 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1618 // TODO(jstritar): Does not match subdomains properly. http://crbug.com/65337
1619 // EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
1621 // Test that different domains count as different hosts.
1622 elist2.ClearPatterns();
1623 elist2.AddPattern(
1624 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1625 elist2.AddPattern(
1626 URLPattern(URLPattern::SCHEME_HTTP, "http://www.example.org/path"));
1627 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1628 elist2, slist2);
1629 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1630 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1632 // Test that different subdomains count as different hosts.
1633 elist2.ClearPatterns();
1634 elist2.AddPattern(
1635 URLPattern(URLPattern::SCHEME_HTTP, "http://mail.google.com/*"));
1636 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1637 elist2, slist2);
1638 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1639 EXPECT_TRUE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1641 // Test that platform apps do not have host permissions increases.
1642 type = Manifest::TYPE_PLATFORM_APP;
1643 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1644 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1647 TEST(PermissionsTest, GetAPIsAsStrings) {
1648 APIPermissionSet apis;
1649 URLPatternSet empty_set;
1651 apis.insert(APIPermission::kProxy);
1652 apis.insert(APIPermission::kBackground);
1653 apis.insert(APIPermission::kNotifications);
1654 apis.insert(APIPermission::kTab);
1656 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
1657 apis, ManifestPermissionSet(), empty_set, empty_set);
1658 std::set<std::string> api_names = perm_set->GetAPIsAsStrings();
1660 // The result is correct if it has the same number of elements
1661 // and we can convert it back to the id set.
1662 EXPECT_EQ(4u, api_names.size());
1663 EXPECT_EQ(apis,
1664 PermissionsInfo::GetInstance()->GetAllByName(api_names));
1667 TEST(PermissionsTest, IsEmpty) {
1668 APIPermissionSet empty_apis;
1669 URLPatternSet empty_extent;
1671 scoped_refptr<PermissionSet> empty = new PermissionSet();
1672 EXPECT_TRUE(empty->IsEmpty());
1673 scoped_refptr<PermissionSet> perm_set;
1675 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1676 empty_extent, empty_extent);
1677 EXPECT_TRUE(perm_set->IsEmpty());
1679 APIPermissionSet non_empty_apis;
1680 non_empty_apis.insert(APIPermission::kBackground);
1681 perm_set = new PermissionSet(non_empty_apis, ManifestPermissionSet(),
1682 empty_extent, empty_extent);
1683 EXPECT_FALSE(perm_set->IsEmpty());
1685 // Try non standard host
1686 URLPatternSet non_empty_extent;
1687 AddPattern(&non_empty_extent, "http://www.google.com/*");
1689 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1690 non_empty_extent, empty_extent);
1691 EXPECT_FALSE(perm_set->IsEmpty());
1693 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1694 empty_extent, non_empty_extent);
1695 EXPECT_FALSE(perm_set->IsEmpty());
1698 TEST(PermissionsTest, ImpliedPermissions) {
1699 URLPatternSet empty_extent;
1700 APIPermissionSet apis;
1701 apis.insert(APIPermission::kFileBrowserHandler);
1702 EXPECT_EQ(1U, apis.size());
1704 scoped_refptr<PermissionSet> perm_set;
1705 perm_set = new PermissionSet(apis, ManifestPermissionSet(),
1706 empty_extent, empty_extent);
1707 EXPECT_EQ(2U, perm_set->apis().size());
1710 TEST(PermissionsTest, SyncFileSystemPermission) {
1711 scoped_refptr<Extension> extension = LoadManifest(
1712 "permissions", "sync_file_system.json");
1713 APIPermissionSet apis;
1714 apis.insert(APIPermission::kSyncFileSystem);
1715 EXPECT_TRUE(extension->is_platform_app());
1716 EXPECT_TRUE(extension->permissions_data()->HasAPIPermission(
1717 APIPermission::kSyncFileSystem));
1718 EXPECT_TRUE(
1719 VerifyOnePermissionMessage(extension->permissions_data(),
1720 "Store data in your Google Drive account"));
1723 // Make sure that we don't crash when we're trying to show the permissions
1724 // even though chrome://thumb (and everything that's not chrome://favicon with
1725 // a chrome:// scheme) is not a valid permission.
1726 // More details here: crbug/246314.
1727 TEST(PermissionsTest, ChromeURLs) {
1728 URLPatternSet allowed_hosts;
1729 allowed_hosts.AddPattern(
1730 URLPattern(URLPattern::SCHEME_ALL, "http://www.google.com/"));
1731 allowed_hosts.AddPattern(
1732 URLPattern(URLPattern::SCHEME_ALL, "chrome://favicon/"));
1733 allowed_hosts.AddPattern(
1734 URLPattern(URLPattern::SCHEME_ALL, "chrome://thumb/"));
1735 scoped_refptr<PermissionSet> permissions(
1736 new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
1737 allowed_hosts, URLPatternSet()));
1738 PermissionMessageProvider::Get()->GetPermissionMessages(
1739 PermissionMessageProvider::Get()->GetAllPermissionIDs(
1740 permissions.get(), Manifest::TYPE_EXTENSION));
1743 TEST(PermissionsTest, IsPrivilegeIncrease_DeclarativeWebRequest) {
1744 scoped_refptr<Extension> extension(
1745 LoadManifest("permissions", "permissions_all_urls.json"));
1746 scoped_refptr<const PermissionSet> permissions(
1747 extension->permissions_data()->active_permissions());
1749 scoped_refptr<Extension> extension_dwr(
1750 LoadManifest("permissions", "web_request_all_host_permissions.json"));
1751 scoped_refptr<const PermissionSet> permissions_dwr(
1752 extension_dwr->permissions_data()->active_permissions());
1754 EXPECT_FALSE(PermissionMessageProvider::Get()->
1755 IsPrivilegeIncrease(permissions.get(),
1756 permissions_dwr.get(),
1757 extension->GetType()));
1760 } // namespace extensions