search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add ENABLE_MEDIA_ROUTER define to builds other than Android and iOS.
[chromium-blink-merge.git] / chrome / common / extensions / permissions / permission_set_unittest.cc
blob581855cba6be733f45a32bab6b7130f3e2287c95
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "base/command_line.h"
6 #include "base/json/json_file_value_serializer.h"
7 #include "base/logging.h"
8 #include "base/strings/string_number_conversions.h"
9 #include "base/strings/stringprintf.h"
10 #include "base/strings/utf_string_conversions.h"
11 #include "chrome/common/chrome_paths.h"
12 #include "chrome/common/chrome_switches.h"
13 #include "chrome/common/extensions/extension_test_util.h"
14 #include "chrome/common/extensions/features/feature_channel.h"
15 #include "chrome/common/extensions/permissions/chrome_permission_message_provider.h"
16 #include "chrome/grit/generated_resources.h"
17 #include "extensions/common/error_utils.h"
18 #include "extensions/common/extension.h"
19 #include "extensions/common/extension_builder.h"
20 #include "extensions/common/permissions/permission_message_provider.h"
21 #include "extensions/common/permissions/permission_message_test_util.h"
22 #include "extensions/common/permissions/permission_message_util.h"
23 #include "extensions/common/permissions/permission_set.h"
24 #include "extensions/common/permissions/permissions_data.h"
25 #include "extensions/common/permissions/permissions_info.h"
26 #include "extensions/common/permissions/socket_permission.h"
27 #include "extensions/common/value_builder.h"
28 #include "extensions/strings/grit/extensions_strings.h"
29 #include "testing/gtest/include/gtest/gtest.h"
30 #include "ui/base/l10n/l10n_util.h"
31
32 using extension_test_util::LoadManifest;
33
34 namespace extensions {
35
36 namespace {
37
38 static void AddPattern(URLPatternSet* extent, const std::string& pattern) {
39 int schemes = URLPattern::SCHEME_ALL;
40 extent->AddPattern(URLPattern(schemes, pattern));
41 }
42
43 size_t IndexOf(const PermissionMessageStrings& warnings,
44 const std::string& warning) {
45 for (size_t i = 0; i < warnings.size(); ++i) {
46 if (warnings[i].message == base::ASCIIToUTF16(warning))
47 return i;
48 }
49
50 return warnings.size();
51 }
52
53 PermissionIDSet MakePermissionIDSet(APIPermission::ID id1,
54 APIPermission::ID id2) {
55 PermissionIDSet set;
56 set.insert(id1);
57 set.insert(id2);
58 return set;
59 }
60
61 PermissionIDSet MakePermissionIDSet(const APIPermissionSet& permissions) {
62 PermissionIDSet set;
63 for (const APIPermission* permission : permissions)
64 set.insert(permission->id());
65 return set;
66 }
67
68 std::string LegacyPermissionIDsToString(const PermissionMessageIDs& ids) {
69 std::vector<std::string> strs;
70 for (const PermissionMessage::ID& id : ids)
71 strs.push_back(base::IntToString(id));
72 return base::StringPrintf("[ %s ]", JoinString(strs, ", ").c_str());
73 }
74
75 std::string PermissionIDsToString(const PermissionIDSet& ids) {
76 std::vector<std::string> strs;
77 for (const PermissionID& id : ids)
78 strs.push_back(base::IntToString(id.id()));
79 return base::StringPrintf("[ %s ]", JoinString(strs, ", ").c_str());
80 }
81
82 std::string CoalescedPermissionIDsToString(
83 const CoalescedPermissionMessages& msgs) {
84 std::vector<std::string> strs;
85 for (const CoalescedPermissionMessage& msg : msgs)
86 strs.push_back(PermissionIDsToString(msg.permissions()));
87 return JoinString(strs, " ");
88 }
89
90 // Check that the given |permissions| produce a single warning message,
91 // identified by |expected_legacy_id| in the old system, and by the set of
92 // |expected_ids| in the new system.
93 testing::AssertionResult PermissionSetProducesMessage(
94 const PermissionSet* permissions,
95 Manifest::Type extension_type,
96 PermissionMessage::ID expected_legacy_id,
97 const PermissionIDSet& expected_ids) {
98 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
99 PermissionMessageIDs legacy_ids =
100 provider->GetLegacyPermissionMessageIDs(permissions, extension_type);
101 if (legacy_ids.size() != 1 || expected_legacy_id != legacy_ids[0]) {
102 return testing::AssertionFailure()
103 << "Expected single legacy permission ID " << expected_legacy_id
104 << " but got " << LegacyPermissionIDsToString(legacy_ids);
105 }
106
107 CoalescedPermissionMessages msgs = provider->GetCoalescedPermissionMessages(
108 provider->GetAllPermissionIDs(permissions, extension_type));
109 if (msgs.size() != 1) {
110 return testing::AssertionFailure()
111 << "Expected single permission message with IDs "
112 << PermissionIDsToString(expected_ids) << " but got " << msgs.size()
113 << " messages: " << CoalescedPermissionIDsToString(msgs);
114 }
115 if (!msgs.front().permissions().Equals(expected_ids)) {
116 return testing::AssertionFailure()
117 << "Expected permission IDs " << PermissionIDsToString(expected_ids)
118 << " but got " << PermissionIDsToString(msgs.front().permissions());
119 }
120
121 return testing::AssertionSuccess();
122 }
123
124 } // namespace
125
126 // Tests GetByID.
127 TEST(PermissionsTest, GetByID) {
128 PermissionsInfo* info = PermissionsInfo::GetInstance();
129 APIPermissionSet apis = info->GetAll();
130 for (APIPermissionSet::const_iterator i = apis.begin();
131 i != apis.end(); ++i) {
132 EXPECT_EQ(i->id(), i->info()->id());
133 }
134 }
135
136 // Tests that GetByName works with normal permission names and aliases.
137 TEST(PermissionsTest, GetByName) {
138 PermissionsInfo* info = PermissionsInfo::GetInstance();
139 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
140 EXPECT_EQ(APIPermission::kManagement,
141 info->GetByName("management")->id());
142 EXPECT_FALSE(info->GetByName("alsdkfjasldkfj"));
143 }
144
145 TEST(PermissionsTest, GetAll) {
146 size_t count = 0;
147 PermissionsInfo* info = PermissionsInfo::GetInstance();
148 APIPermissionSet apis = info->GetAll();
149 for (APIPermissionSet::const_iterator api = apis.begin();
150 api != apis.end(); ++api) {
151 // Make sure only the valid permission IDs get returned.
152 EXPECT_NE(APIPermission::kInvalid, api->id());
153 EXPECT_NE(APIPermission::kUnknown, api->id());
154 count++;
155 }
156 EXPECT_EQ(count, info->get_permission_count());
157 }
158
159 TEST(PermissionsTest, GetAllByName) {
160 std::set<std::string> names;
161 names.insert("background");
162 names.insert("management");
163
164 // This is an alias of kTab
165 names.insert("windows");
166
167 // This unknown name should get dropped.
168 names.insert("sdlkfjasdlkfj");
169
170 APIPermissionSet expected;
171 expected.insert(APIPermission::kBackground);
172 expected.insert(APIPermission::kManagement);
173 expected.insert(APIPermission::kTab);
174
175 EXPECT_EQ(expected,
176 PermissionsInfo::GetInstance()->GetAllByName(names));
177 }
178
179 // Tests that the aliases are properly mapped.
180 TEST(PermissionsTest, Aliases) {
181 PermissionsInfo* info = PermissionsInfo::GetInstance();
182 // tabs: tabs, windows
183 std::string tabs_name = "tabs";
184 EXPECT_EQ(tabs_name, info->GetByID(APIPermission::kTab)->name());
185 EXPECT_EQ(APIPermission::kTab, info->GetByName("tabs")->id());
186 EXPECT_EQ(APIPermission::kTab, info->GetByName("windows")->id());
187
188 // unlimitedStorage: unlimitedStorage, unlimited_storage
189 std::string storage_name = "unlimitedStorage";
190 EXPECT_EQ(storage_name, info->GetByID(
191 APIPermission::kUnlimitedStorage)->name());
192 EXPECT_EQ(APIPermission::kUnlimitedStorage,
193 info->GetByName("unlimitedStorage")->id());
194 EXPECT_EQ(APIPermission::kUnlimitedStorage,
195 info->GetByName("unlimited_storage")->id());
196 }
197
198 TEST(PermissionsTest, EffectiveHostPermissions) {
199 scoped_refptr<Extension> extension;
200 scoped_refptr<const PermissionSet> permissions;
201
202 extension = LoadManifest("effective_host_permissions", "empty.json");
203 permissions = extension->permissions_data()->active_permissions();
204 EXPECT_EQ(0u,
205 extension->permissions_data()
206 ->GetEffectiveHostPermissions()
207 .patterns()
208 .size());
209 EXPECT_FALSE(
210 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
211 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
212
213 extension = LoadManifest("effective_host_permissions", "one_host.json");
214 permissions = extension->permissions_data()->active_permissions();
215 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
216 GURL("http://www.google.com")));
217 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(
218 GURL("https://www.google.com")));
219 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
220
221 extension = LoadManifest("effective_host_permissions",
222 "one_host_wildcard.json");
223 permissions = extension->permissions_data()->active_permissions();
224 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
225 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
226 GURL("http://foo.google.com")));
227 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
228
229 extension = LoadManifest("effective_host_permissions", "two_hosts.json");
230 permissions = extension->permissions_data()->active_permissions();
231 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
232 GURL("http://www.google.com")));
233 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
234 GURL("http://www.reddit.com")));
235 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
236
237 extension = LoadManifest("effective_host_permissions",
238 "https_not_considered.json");
239 permissions = extension->permissions_data()->active_permissions();
240 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
241 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://google.com")));
242 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
243
244 extension = LoadManifest("effective_host_permissions",
245 "two_content_scripts.json");
246 permissions = extension->permissions_data()->active_permissions();
247 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://google.com")));
248 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
249 GURL("http://www.reddit.com")));
250 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(
251 GURL("http://news.ycombinator.com")));
252 EXPECT_FALSE(permissions->HasEffectiveAccessToAllHosts());
253
254 extension = LoadManifest("effective_host_permissions", "all_hosts.json");
255 permissions = extension->permissions_data()->active_permissions();
256 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
257 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
258 EXPECT_TRUE(
259 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
260 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
261
262 extension = LoadManifest("effective_host_permissions", "all_hosts2.json");
263 permissions = extension->permissions_data()->active_permissions();
264 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
265 EXPECT_TRUE(
266 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
267 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
268
269 extension = LoadManifest("effective_host_permissions", "all_hosts3.json");
270 permissions = extension->permissions_data()->active_permissions();
271 EXPECT_FALSE(permissions->HasEffectiveAccessToURL(GURL("http://test/")));
272 EXPECT_TRUE(permissions->HasEffectiveAccessToURL(GURL("https://test/")));
273 EXPECT_TRUE(
274 permissions->HasEffectiveAccessToURL(GURL("http://www.google.com")));
275 EXPECT_TRUE(permissions->HasEffectiveAccessToAllHosts());
276 }
277
278 TEST(PermissionsTest, ExplicitAccessToOrigin) {
279 APIPermissionSet apis;
280 ManifestPermissionSet manifest_permissions;
281 URLPatternSet explicit_hosts;
282 URLPatternSet scriptable_hosts;
283
284 AddPattern(&explicit_hosts, "http://*.google.com/*");
285 // The explicit host paths should get set to /*.
286 AddPattern(&explicit_hosts, "http://www.example.com/a/particular/path/*");
287
288 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
289 apis, manifest_permissions, explicit_hosts, scriptable_hosts);
290 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
291 GURL("http://www.google.com/")));
292 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
293 GURL("http://test.google.com/")));
294 ASSERT_TRUE(perm_set->HasExplicitAccessToOrigin(
295 GURL("http://www.example.com")));
296 ASSERT_TRUE(perm_set->HasEffectiveAccessToURL(
297 GURL("http://www.example.com")));
298 ASSERT_FALSE(perm_set->HasExplicitAccessToOrigin(
299 GURL("http://test.example.com")));
300 }
301
302 TEST(PermissionsTest, CreateUnion) {
303 APIPermission* permission = NULL;
304
305 ManifestPermissionSet manifest_permissions;
306 APIPermissionSet apis1;
307 APIPermissionSet apis2;
308 APIPermissionSet expected_apis;
309
310 URLPatternSet explicit_hosts1;
311 URLPatternSet explicit_hosts2;
312 URLPatternSet expected_explicit_hosts;
313
314 URLPatternSet scriptable_hosts1;
315 URLPatternSet scriptable_hosts2;
316 URLPatternSet expected_scriptable_hosts;
317
318 URLPatternSet effective_hosts;
319
320 scoped_refptr<PermissionSet> set1;
321 scoped_refptr<PermissionSet> set2;
322 scoped_refptr<PermissionSet> union_set;
323
324 const APIPermissionInfo* permission_info =
325 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
326 permission = permission_info->CreateAPIPermission();
327 {
328 scoped_ptr<base::ListValue> value(new base::ListValue());
329 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
330 value->Append(new base::StringValue("udp-bind::8080"));
331 value->Append(new base::StringValue("udp-send-to::8888"));
332 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
333 }
334
335 // Union with an empty set.
336 apis1.insert(APIPermission::kTab);
337 apis1.insert(APIPermission::kBackground);
338 apis1.insert(permission->Clone());
339 expected_apis.insert(APIPermission::kTab);
340 expected_apis.insert(APIPermission::kBackground);
341 expected_apis.insert(permission);
342
343 AddPattern(&explicit_hosts1, "http://*.google.com/*");
344 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
345 AddPattern(&effective_hosts, "http://*.google.com/*");
346
347 set1 = new PermissionSet(apis1, manifest_permissions,
348 explicit_hosts1, scriptable_hosts1);
349 set2 = new PermissionSet(apis2, manifest_permissions,
350 explicit_hosts2, scriptable_hosts2);
351 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
352 EXPECT_TRUE(set1->Contains(*set2.get()));
353 EXPECT_TRUE(set1->Contains(*union_set.get()));
354 EXPECT_FALSE(set2->Contains(*set1.get()));
355 EXPECT_FALSE(set2->Contains(*union_set.get()));
356 EXPECT_TRUE(union_set->Contains(*set1.get()));
357 EXPECT_TRUE(union_set->Contains(*set2.get()));
358
359 EXPECT_FALSE(union_set->HasEffectiveFullAccess());
360 EXPECT_EQ(expected_apis, union_set->apis());
361 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
362 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
363 EXPECT_EQ(expected_explicit_hosts, union_set->effective_hosts());
364
365 // Now use a real second set.
366 apis2.insert(APIPermission::kTab);
367 apis2.insert(APIPermission::kProxy);
368 apis2.insert(APIPermission::kClipboardWrite);
369 apis2.insert(APIPermission::kPlugin);
370
371 permission = permission_info->CreateAPIPermission();
372 {
373 scoped_ptr<base::ListValue> value(new base::ListValue());
374 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
375 value->Append(new base::StringValue("udp-send-to::8899"));
376 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
377 }
378 apis2.insert(permission);
379
380 expected_apis.insert(APIPermission::kTab);
381 expected_apis.insert(APIPermission::kProxy);
382 expected_apis.insert(APIPermission::kClipboardWrite);
383 expected_apis.insert(APIPermission::kPlugin);
384
385 permission = permission_info->CreateAPIPermission();
386 {
387 scoped_ptr<base::ListValue> value(new base::ListValue());
388 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
389 value->Append(new base::StringValue("udp-bind::8080"));
390 value->Append(new base::StringValue("udp-send-to::8888"));
391 value->Append(new base::StringValue("udp-send-to::8899"));
392 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
393 }
394 // Insert a new permission socket permisssion which will replace the old one.
395 expected_apis.insert(permission);
396
397 AddPattern(&explicit_hosts2, "http://*.example.com/*");
398 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
399 AddPattern(&expected_explicit_hosts, "http://*.example.com/*");
400 AddPattern(&expected_scriptable_hosts, "http://*.google.com/*");
401
402 URLPatternSet::CreateUnion(
403 explicit_hosts2, scriptable_hosts2, &effective_hosts);
404
405 set2 = new PermissionSet(apis2, manifest_permissions,
406 explicit_hosts2, scriptable_hosts2);
407 union_set = PermissionSet::CreateUnion(set1.get(), set2.get());
408
409 EXPECT_FALSE(set1->Contains(*set2.get()));
410 EXPECT_FALSE(set1->Contains(*union_set.get()));
411 EXPECT_FALSE(set2->Contains(*set1.get()));
412 EXPECT_FALSE(set2->Contains(*union_set.get()));
413 EXPECT_TRUE(union_set->Contains(*set1.get()));
414 EXPECT_TRUE(union_set->Contains(*set2.get()));
415
416 EXPECT_TRUE(union_set->HasEffectiveFullAccess());
417 EXPECT_TRUE(union_set->HasEffectiveAccessToAllHosts());
418 EXPECT_EQ(expected_apis, union_set->apis());
419 EXPECT_EQ(expected_explicit_hosts, union_set->explicit_hosts());
420 EXPECT_EQ(expected_scriptable_hosts, union_set->scriptable_hosts());
421 EXPECT_EQ(effective_hosts, union_set->effective_hosts());
422 }
423
424 TEST(PermissionsTest, CreateIntersection) {
425 APIPermission* permission = NULL;
426
427 ManifestPermissionSet manifest_permissions;
428 APIPermissionSet apis1;
429 APIPermissionSet apis2;
430 APIPermissionSet expected_apis;
431
432 URLPatternSet explicit_hosts1;
433 URLPatternSet explicit_hosts2;
434 URLPatternSet expected_explicit_hosts;
435
436 URLPatternSet scriptable_hosts1;
437 URLPatternSet scriptable_hosts2;
438 URLPatternSet expected_scriptable_hosts;
439
440 URLPatternSet effective_hosts;
441
442 scoped_refptr<PermissionSet> set1;
443 scoped_refptr<PermissionSet> set2;
444 scoped_refptr<PermissionSet> new_set;
445
446 const APIPermissionInfo* permission_info =
447 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
448
449 // Intersection with an empty set.
450 apis1.insert(APIPermission::kTab);
451 apis1.insert(APIPermission::kBackground);
452 permission = permission_info->CreateAPIPermission();
453 {
454 scoped_ptr<base::ListValue> value(new base::ListValue());
455 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
456 value->Append(new base::StringValue("udp-bind::8080"));
457 value->Append(new base::StringValue("udp-send-to::8888"));
458 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
459 }
460 apis1.insert(permission);
461
462 AddPattern(&explicit_hosts1, "http://*.google.com/*");
463 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
464
465 set1 = new PermissionSet(apis1, manifest_permissions,
466 explicit_hosts1, scriptable_hosts1);
467 set2 = new PermissionSet(apis2, manifest_permissions,
468 explicit_hosts2, scriptable_hosts2);
469 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
470 EXPECT_TRUE(set1->Contains(*new_set.get()));
471 EXPECT_TRUE(set2->Contains(*new_set.get()));
472 EXPECT_TRUE(set1->Contains(*set2.get()));
473 EXPECT_FALSE(set2->Contains(*set1.get()));
474 EXPECT_FALSE(new_set->Contains(*set1.get()));
475 EXPECT_TRUE(new_set->Contains(*set2.get()));
476
477 EXPECT_TRUE(new_set->IsEmpty());
478 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
479 EXPECT_EQ(expected_apis, new_set->apis());
480 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
481 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
482 EXPECT_EQ(expected_explicit_hosts, new_set->effective_hosts());
483
484 // Now use a real second set.
485 apis2.insert(APIPermission::kTab);
486 apis2.insert(APIPermission::kProxy);
487 apis2.insert(APIPermission::kClipboardWrite);
488 apis2.insert(APIPermission::kPlugin);
489 permission = permission_info->CreateAPIPermission();
490 {
491 scoped_ptr<base::ListValue> value(new base::ListValue());
492 value->Append(new base::StringValue("udp-bind::8080"));
493 value->Append(new base::StringValue("udp-send-to::8888"));
494 value->Append(new base::StringValue("udp-send-to::8899"));
495 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
496 }
497 apis2.insert(permission);
498
499 expected_apis.insert(APIPermission::kTab);
500 permission = permission_info->CreateAPIPermission();
501 {
502 scoped_ptr<base::ListValue> value(new base::ListValue());
503 value->Append(new base::StringValue("udp-bind::8080"));
504 value->Append(new base::StringValue("udp-send-to::8888"));
505 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
506 }
507 expected_apis.insert(permission);
508
509 AddPattern(&explicit_hosts2, "http://*.example.com/*");
510 AddPattern(&explicit_hosts2, "http://*.google.com/*");
511 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
512 AddPattern(&expected_explicit_hosts, "http://*.google.com/*");
513
514 effective_hosts.ClearPatterns();
515 AddPattern(&effective_hosts, "http://*.google.com/*");
516
517 set2 = new PermissionSet(apis2, manifest_permissions,
518 explicit_hosts2, scriptable_hosts2);
519 new_set = PermissionSet::CreateIntersection(set1.get(), set2.get());
520
521 EXPECT_TRUE(set1->Contains(*new_set.get()));
522 EXPECT_TRUE(set2->Contains(*new_set.get()));
523 EXPECT_FALSE(set1->Contains(*set2.get()));
524 EXPECT_FALSE(set2->Contains(*set1.get()));
525 EXPECT_FALSE(new_set->Contains(*set1.get()));
526 EXPECT_FALSE(new_set->Contains(*set2.get()));
527
528 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
529 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
530 EXPECT_EQ(expected_apis, new_set->apis());
531 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
532 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
533 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
534 }
535
536 TEST(PermissionsTest, CreateDifference) {
537 APIPermission* permission = NULL;
538
539 ManifestPermissionSet manifest_permissions;
540 APIPermissionSet apis1;
541 APIPermissionSet apis2;
542 APIPermissionSet expected_apis;
543
544 URLPatternSet explicit_hosts1;
545 URLPatternSet explicit_hosts2;
546 URLPatternSet expected_explicit_hosts;
547
548 URLPatternSet scriptable_hosts1;
549 URLPatternSet scriptable_hosts2;
550 URLPatternSet expected_scriptable_hosts;
551
552 URLPatternSet effective_hosts;
553
554 scoped_refptr<PermissionSet> set1;
555 scoped_refptr<PermissionSet> set2;
556 scoped_refptr<PermissionSet> new_set;
557
558 const APIPermissionInfo* permission_info =
559 PermissionsInfo::GetInstance()->GetByID(APIPermission::kSocket);
560
561 // Difference with an empty set.
562 apis1.insert(APIPermission::kTab);
563 apis1.insert(APIPermission::kBackground);
564 permission = permission_info->CreateAPIPermission();
565 {
566 scoped_ptr<base::ListValue> value(new base::ListValue());
567 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
568 value->Append(new base::StringValue("udp-bind::8080"));
569 value->Append(new base::StringValue("udp-send-to::8888"));
570 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
571 }
572 apis1.insert(permission);
573
574 AddPattern(&explicit_hosts1, "http://*.google.com/*");
575 AddPattern(&scriptable_hosts1, "http://www.reddit.com/*");
576
577 set1 = new PermissionSet(apis1, manifest_permissions,
578 explicit_hosts1, scriptable_hosts1);
579 set2 = new PermissionSet(apis2, manifest_permissions,
580 explicit_hosts2, scriptable_hosts2);
581 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
582 EXPECT_EQ(*set1.get(), *new_set.get());
583
584 // Now use a real second set.
585 apis2.insert(APIPermission::kTab);
586 apis2.insert(APIPermission::kProxy);
587 apis2.insert(APIPermission::kClipboardWrite);
588 apis2.insert(APIPermission::kPlugin);
589 permission = permission_info->CreateAPIPermission();
590 {
591 scoped_ptr<base::ListValue> value(new base::ListValue());
592 value->Append(new base::StringValue("tcp-connect:*.example.com:80"));
593 value->Append(new base::StringValue("udp-send-to::8899"));
594 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
595 }
596 apis2.insert(permission);
597
598 expected_apis.insert(APIPermission::kBackground);
599 permission = permission_info->CreateAPIPermission();
600 {
601 scoped_ptr<base::ListValue> value(new base::ListValue());
602 value->Append(new base::StringValue("udp-bind::8080"));
603 value->Append(new base::StringValue("udp-send-to::8888"));
604 ASSERT_TRUE(permission->FromValue(value.get(), NULL, NULL));
605 }
606 expected_apis.insert(permission);
607
608 AddPattern(&explicit_hosts2, "http://*.example.com/*");
609 AddPattern(&explicit_hosts2, "http://*.google.com/*");
610 AddPattern(&scriptable_hosts2, "http://*.google.com/*");
611 AddPattern(&expected_scriptable_hosts, "http://www.reddit.com/*");
612
613 effective_hosts.ClearPatterns();
614 AddPattern(&effective_hosts, "http://www.reddit.com/*");
615
616 set2 = new PermissionSet(apis2, manifest_permissions,
617 explicit_hosts2, scriptable_hosts2);
618 new_set = PermissionSet::CreateDifference(set1.get(), set2.get());
619
620 EXPECT_TRUE(set1->Contains(*new_set.get()));
621 EXPECT_FALSE(set2->Contains(*new_set.get()));
622
623 EXPECT_FALSE(new_set->HasEffectiveFullAccess());
624 EXPECT_FALSE(new_set->HasEffectiveAccessToAllHosts());
625 EXPECT_EQ(expected_apis, new_set->apis());
626 EXPECT_EQ(expected_explicit_hosts, new_set->explicit_hosts());
627 EXPECT_EQ(expected_scriptable_hosts, new_set->scriptable_hosts());
628 EXPECT_EQ(effective_hosts, new_set->effective_hosts());
629
630 // |set3| = |set1| - |set2| --> |set3| intersect |set2| == empty_set
631 set1 = PermissionSet::CreateIntersection(new_set.get(), set2.get());
632 EXPECT_TRUE(set1->IsEmpty());
633 }
634
635 TEST(PermissionsTest, IsPrivilegeIncrease) {
636 const struct {
637 const char* base_name;
638 bool expect_increase;
639 } kTests[] = {
640 { "allhosts1", false }, // all -> all
641 { "allhosts2", false }, // all -> one
642 { "allhosts3", true }, // one -> all
643 { "hosts1", false }, // http://a,http://b -> http://a,http://b
644 { "hosts2", true }, // http://a,http://b -> https://a,http://*.b
645 { "hosts3", false }, // http://a,http://b -> http://a
646 { "hosts4", true }, // http://a -> http://a,http://b
647 { "hosts5", false }, // http://a,b,c -> http://a,b,c + https://a,b,c
648 { "hosts6", false }, // http://a.com -> http://a.com + http://a.co.uk
649 { "permissions1", false }, // tabs -> tabs
650 { "permissions2", true }, // tabs -> tabs,bookmarks
651 { "permissions3", true }, // http://a -> http://a,tabs
652 { "permissions5", true }, // bookmarks -> bookmarks,history
653 { "equivalent_warnings", false }, // tabs --> tabs, webNavigation
654 #if !defined(OS_CHROMEOS) // plugins aren't allowed in ChromeOS
655 { "permissions4", false }, // plugin -> plugin,tabs
656 { "plugin1", false }, // plugin -> plugin
657 { "plugin2", false }, // plugin -> none
658 { "plugin3", true }, // none -> plugin
659 #endif
660 { "storage", false }, // none -> storage
661 { "notifications", false }, // none -> notifications
662 { "platformapp1", false }, // host permissions for platform apps
663 { "platformapp2", true }, // API permissions for platform apps
664 { "media_galleries1", true }, // all -> read|all
665 { "media_galleries2", true }, // read|all -> read|delete|copyTo|all
666 { "media_galleries3", true }, // all -> read|delete|all
667 { "media_galleries4", false }, // read|all -> all
668 { "media_galleries5", false }, // read|copyTo|delete|all -> read|all
669 { "media_galleries6", false }, // read|all -> read|all
670 { "media_galleries7", true }, // read|delete|all -> read|copyTo|delete|all
671 { "sockets1", true }, // none -> tcp:*:*
672 { "sockets2", false }, // tcp:*:* -> tcp:*:*
673 { "sockets3", true }, // tcp:a.com:80 -> tcp:*:*
674 };
675
676 for (size_t i = 0; i < arraysize(kTests); ++i) {
677 scoped_refptr<Extension> old_extension(
678 LoadManifest("allow_silent_upgrade",
679 std::string(kTests[i].base_name) + "_old.json"));
680 scoped_refptr<Extension> new_extension(
681 LoadManifest("allow_silent_upgrade",
682 std::string(kTests[i].base_name) + "_new.json"));
683
684 EXPECT_TRUE(new_extension.get()) << kTests[i].base_name << "_new.json";
685 if (!new_extension.get())
686 continue;
687
688 scoped_refptr<const PermissionSet> old_p(
689 old_extension->permissions_data()->active_permissions());
690 scoped_refptr<const PermissionSet> new_p(
691 new_extension->permissions_data()->active_permissions());
692 Manifest::Type extension_type = old_extension->GetType();
693
694 bool increased = PermissionMessageProvider::Get()->IsPrivilegeIncrease(
695 old_p.get(), new_p.get(), extension_type);
696 EXPECT_EQ(kTests[i].expect_increase, increased) << kTests[i].base_name;
697 }
698 }
699
700 TEST(PermissionsTest, PermissionMessages) {
701 // Ensure that all permissions that needs to show install UI actually have
702 // strings associated with them.
703 APIPermissionSet skip;
704
705 // These are considered "nuisance" or "trivial" permissions that don't need
706 // a prompt.
707 skip.insert(APIPermission::kActiveTab);
708 skip.insert(APIPermission::kAlarms);
709 skip.insert(APIPermission::kAlphaEnabled);
710 skip.insert(APIPermission::kAlwaysOnTopWindows);
711 skip.insert(APIPermission::kAppView);
712 skip.insert(APIPermission::kAudio);
713 skip.insert(APIPermission::kAudioModem);
714 skip.insert(APIPermission::kBrowsingData);
715 skip.insert(APIPermission::kCastStreaming);
716 skip.insert(APIPermission::kCommandsAccessibility);
717 skip.insert(APIPermission::kContextMenus);
718 skip.insert(APIPermission::kCryptotokenPrivate);
719 skip.insert(APIPermission::kCopresencePrivate);
720 skip.insert(APIPermission::kDesktopCapturePrivate);
721 skip.insert(APIPermission::kDiagnostics);
722 skip.insert(APIPermission::kDns);
723 skip.insert(APIPermission::kDownloadsShelf);
724 skip.insert(APIPermission::kEmbeddedExtensionOptions);
725 skip.insert(APIPermission::kExtensionView);
726 skip.insert(APIPermission::kFontSettings);
727 skip.insert(APIPermission::kFullscreen);
728 skip.insert(APIPermission::kGcm);
729 skip.insert(APIPermission::kIdle);
730 skip.insert(APIPermission::kImeWindowEnabled);
731 skip.insert(APIPermission::kInlineInstallPrivate);
732 skip.insert(APIPermission::kIdltest);
733 skip.insert(APIPermission::kLogPrivate);
734 skip.insert(APIPermission::kNotifications);
735 skip.insert(APIPermission::kNotificationProvider);
736 skip.insert(APIPermission::kOverrideEscFullscreen);
737 skip.insert(APIPermission::kPointerLock);
738 skip.insert(APIPermission::kPower);
739 skip.insert(APIPermission::kPrinterProvider);
740 skip.insert(APIPermission::kSessions);
741 skip.insert(APIPermission::kStorage);
742 skip.insert(APIPermission::kSystemCpu);
743 skip.insert(APIPermission::kSystemDisplay);
744 skip.insert(APIPermission::kSystemMemory);
745 skip.insert(APIPermission::kSystemNetwork);
746 skip.insert(APIPermission::kSystemStorage);
747 skip.insert(APIPermission::kTts);
748 skip.insert(APIPermission::kUnlimitedStorage);
749 skip.insert(APIPermission::kWebcamPrivate);
750 skip.insert(APIPermission::kWebView);
751 skip.insert(APIPermission::kWindowShape);
752
753 // These permissions are restricted to extensions force-installed by policy
754 // and don't require a prompt, i.e. they're restricted to location 'policy'.
755 skip.insert(APIPermission::kEnterprisePlatformKeys);
756
757 // TODO(erikkay) add a string for this permission.
758 skip.insert(APIPermission::kBackground);
759
760 skip.insert(APIPermission::kClipboardWrite);
761
762 // The cookie permission does nothing unless you have associated host
763 // permissions.
764 skip.insert(APIPermission::kCookie);
765
766 // These are warned as part of host permission checks.
767 skip.insert(APIPermission::kDataReductionProxy);
768 skip.insert(APIPermission::kDeclarativeContent);
769 skip.insert(APIPermission::kPageCapture);
770 skip.insert(APIPermission::kProxy);
771 skip.insert(APIPermission::kTabCapture);
772 skip.insert(APIPermission::kWebRequest);
773 skip.insert(APIPermission::kWebRequestBlocking);
774
775 // This permission requires explicit user action (context menu handler)
776 // so we won't prompt for it for now.
777 skip.insert(APIPermission::kFileBrowserHandler);
778
779 // These permissions require explicit user action (configuration dialog)
780 // so we don't prompt for them at install time.
781 skip.insert(APIPermission::kMediaGalleries);
782
783 // If you've turned on the experimental command-line flag, we don't need
784 // to warn you further.
785 skip.insert(APIPermission::kExperimental);
786
787 // The Identity API has its own server-driven permission prompts.
788 skip.insert(APIPermission::kIdentity);
789
790 // These are private.
791 skip.insert(APIPermission::kAccessibilityPrivate);
792 skip.insert(APIPermission::kAutoTestPrivate);
793 skip.insert(APIPermission::kBookmarkManagerPrivate);
794 skip.insert(APIPermission::kBrailleDisplayPrivate);
795 skip.insert(APIPermission::kCast);
796 skip.insert(APIPermission::kCastStreaming);
797 skip.insert(APIPermission::kChromeosInfoPrivate);
798 skip.insert(APIPermission::kCloudPrintPrivate);
799 skip.insert(APIPermission::kCommandLinePrivate);
800 skip.insert(APIPermission::kDeveloperPrivate);
801 skip.insert(APIPermission::kDial);
802 skip.insert(APIPermission::kDownloadsInternal);
803 skip.insert(APIPermission::kEasyUnlockPrivate);
804 skip.insert(APIPermission::kEchoPrivate);
805 skip.insert(APIPermission::kEnterprisePlatformKeysPrivate);
806 skip.insert(APIPermission::kFeedbackPrivate);
807 skip.insert(APIPermission::kFileBrowserHandlerInternal);
808 skip.insert(APIPermission::kFileManagerPrivate);
809 skip.insert(APIPermission::kFirstRunPrivate);
810 skip.insert(APIPermission::kGcdPrivate);
811 skip.insert(APIPermission::kHotwordPrivate);
812 skip.insert(APIPermission::kIdentityPrivate);
813 skip.insert(APIPermission::kInputMethodPrivate);
814 skip.insert(APIPermission::kMediaPlayerPrivate);
815 skip.insert(APIPermission::kMediaRouterPrivate);
816 skip.insert(APIPermission::kMetricsPrivate);
817 skip.insert(APIPermission::kPreferencesPrivate);
818 skip.insert(APIPermission::kPrincipalsPrivate);
819 skip.insert(APIPermission::kImageWriterPrivate);
820 skip.insert(APIPermission::kReadingListPrivate);
821 skip.insert(APIPermission::kRtcPrivate);
822 skip.insert(APIPermission::kStreamsPrivate);
823 skip.insert(APIPermission::kSystemPrivate);
824 skip.insert(APIPermission::kTabCaptureForTab);
825 skip.insert(APIPermission::kTerminalPrivate);
826 skip.insert(APIPermission::kVirtualKeyboardPrivate);
827 skip.insert(APIPermission::kWallpaperPrivate);
828 skip.insert(APIPermission::kWebrtcAudioPrivate);
829 skip.insert(APIPermission::kWebrtcLoggingPrivate);
830 skip.insert(APIPermission::kWebstorePrivate);
831
832 // Warned as part of host permissions.
833 skip.insert(APIPermission::kDevtools);
834
835 // Platform apps.
836 skip.insert(APIPermission::kBrowser);
837 skip.insert(APIPermission::kHid);
838 skip.insert(APIPermission::kFileSystem);
839 skip.insert(APIPermission::kFileSystemProvider);
840 skip.insert(APIPermission::kFileSystemRequestFileSystem);
841 skip.insert(APIPermission::kFileSystemRetainEntries);
842 skip.insert(APIPermission::kFileSystemWrite);
843 skip.insert(APIPermission::kSocket);
844 skip.insert(APIPermission::kUsb);
845 skip.insert(APIPermission::kUsbDevice);
846 skip.insert(APIPermission::kLauncherSearchProvider);
847
848 // We already have a generic message for declaring externally_connectable.
849 skip.insert(APIPermission::kExternallyConnectableAllUrls);
850
851 PermissionsInfo* info = PermissionsInfo::GetInstance();
852 APIPermissionSet permissions = info->GetAll();
853 for (APIPermissionSet::const_iterator i = permissions.begin();
854 i != permissions.end(); ++i) {
855 const APIPermissionInfo* permission_info = i->info();
856 EXPECT_TRUE(permission_info != NULL);
857
858 if (skip.count(i->id())) {
859 EXPECT_EQ(PermissionMessage::kNone, permission_info->message_id())
860 << "unexpected message_id for " << permission_info->name();
861 } else {
862 EXPECT_NE(PermissionMessage::kNone, permission_info->message_id())
863 << "missing message_id for " << permission_info->name();
864 }
865 }
866 }
867
868 TEST(PermissionsTest, FileSystemPermissionMessages) {
869 APIPermissionSet api_permissions;
870 api_permissions.insert(APIPermission::kFileSystemWrite);
871 api_permissions.insert(APIPermission::kFileSystemDirectory);
872 scoped_refptr<PermissionSet> permissions(
873 new PermissionSet(api_permissions, ManifestPermissionSet(),
874 URLPatternSet(), URLPatternSet()));
875 EXPECT_TRUE(PermissionSetProducesMessage(
876 permissions.get(), Manifest::TYPE_PLATFORM_APP,
877 PermissionMessage::kFileSystemDirectory,
878 MakePermissionIDSet(api_permissions)));
879 }
880
881 // The file system permissions have a special-case hack to show a warning for
882 // write and directory at the same time.
883 // TODO(sammc): Remove this. See http://crbug.com/284849.
884 TEST(PermissionsTest, FileSystemImplicitPermissions) {
885 APIPermissionSet apis;
886 apis.insert(APIPermission::kFileSystemWrite);
887 apis.AddImpliedPermissions();
888
889 EXPECT_EQ(apis.find(APIPermission::kFileSystemWrite)->id(),
890 APIPermission::kFileSystemWrite);
891 EXPECT_EQ(apis.size(), 1u);
892
893 apis.erase(APIPermission::kFileSystemWrite);
894 apis.insert(APIPermission::kFileSystemDirectory);
895 apis.AddImpliedPermissions();
896
897 EXPECT_EQ(apis.find(APIPermission::kFileSystemDirectory)->id(),
898 APIPermission::kFileSystemDirectory);
899 EXPECT_EQ(apis.size(), 1u);
900
901 apis.insert(APIPermission::kFileSystemWrite);
902 apis.AddImpliedPermissions();
903
904 EXPECT_EQ(apis.find(APIPermission::kFileSystemWrite)->id(),
905 APIPermission::kFileSystemWrite);
906 EXPECT_EQ(apis.find(APIPermission::kFileSystemDirectory)->id(),
907 APIPermission::kFileSystemDirectory);
908 EXPECT_EQ(apis.find(APIPermission::kFileSystemWriteDirectory)->id(),
909 APIPermission::kFileSystemWriteDirectory);
910 EXPECT_EQ(apis.size(), 3u);
911 }
912
913 TEST(PermissionsTest, HiddenFileSystemPermissionMessages) {
914 APIPermissionSet api_permissions;
915 api_permissions.insert(APIPermission::kFileSystemWrite);
916 api_permissions.insert(APIPermission::kFileSystemDirectory);
917 api_permissions.insert(APIPermission::kFileSystemWriteDirectory);
918 scoped_refptr<PermissionSet> permissions(
919 new PermissionSet(api_permissions, ManifestPermissionSet(),
920 URLPatternSet(), URLPatternSet()));
921 EXPECT_TRUE(PermissionSetProducesMessage(
922 permissions.get(), Manifest::TYPE_PLATFORM_APP,
923 PermissionMessage::kFileSystemWriteDirectory,
924 MakePermissionIDSet(api_permissions)));
925 }
926
927 TEST(PermissionsTest, SuppressedPermissionMessages) {
928 {
929 // Tabs warning suppresses favicon warning.
930 APIPermissionSet api_permissions;
931 api_permissions.insert(APIPermission::kTab);
932 URLPatternSet hosts;
933 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
934 "chrome://favicon/"));
935 scoped_refptr<PermissionSet> permissions(
936 new PermissionSet(api_permissions, ManifestPermissionSet(),
937 hosts, URLPatternSet()));
938 EXPECT_TRUE(PermissionSetProducesMessage(
939 permissions.get(), Manifest::TYPE_EXTENSION, PermissionMessage::kTabs,
940 MakePermissionIDSet(APIPermission::kTab, APIPermission::kFavicon)));
941 }
942 {
943 // History warning suppresses favicon warning.
944 APIPermissionSet api_permissions;
945 api_permissions.insert(APIPermission::kHistory);
946 URLPatternSet hosts;
947 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI,
948 "chrome://favicon/"));
949 scoped_refptr<PermissionSet> permissions(
950 new PermissionSet(api_permissions, ManifestPermissionSet(),
951 hosts, URLPatternSet()));
952 EXPECT_TRUE(PermissionSetProducesMessage(
953 permissions.get(), Manifest::TYPE_EXTENSION,
954 PermissionMessage::kBrowsingHistory,
955 MakePermissionIDSet(APIPermission::kHistory, APIPermission::kFavicon)));
956 }
957 {
958 // All sites warning suppresses tabs warning.
959 APIPermissionSet api_permissions;
960 api_permissions.insert(APIPermission::kTab);
961 URLPatternSet hosts;
962 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
963 scoped_refptr<PermissionSet> permissions(new PermissionSet(
964 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
965 EXPECT_TRUE(PermissionSetProducesMessage(
966 permissions.get(), Manifest::TYPE_EXTENSION,
967 PermissionMessage::kHostsAll,
968 MakePermissionIDSet(APIPermission::kHostsAll, APIPermission::kTab)));
969 }
970 {
971 // All sites warning suppresses topSites warning.
972 APIPermissionSet api_permissions;
973 api_permissions.insert(APIPermission::kTopSites);
974 URLPatternSet hosts;
975 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
976 scoped_refptr<PermissionSet> permissions(new PermissionSet(
977 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
978 EXPECT_TRUE(PermissionSetProducesMessage(
979 permissions.get(), Manifest::TYPE_EXTENSION,
980 PermissionMessage::kHostsAll,
981 MakePermissionIDSet(APIPermission::kHostsAll,
982 APIPermission::kTopSites)));
983 }
984 {
985 // All sites warning suppresses declarativeWebRequest warning.
986 APIPermissionSet api_permissions;
987 api_permissions.insert(APIPermission::kDeclarativeWebRequest);
988 URLPatternSet hosts;
989 hosts.AddPattern(URLPattern(URLPattern::SCHEME_CHROMEUI, "*://*/*"));
990 scoped_refptr<PermissionSet> permissions(new PermissionSet(
991 api_permissions, ManifestPermissionSet(), hosts, URLPatternSet()));
992 EXPECT_TRUE(PermissionSetProducesMessage(
993 permissions.get(), Manifest::TYPE_EXTENSION,
994 PermissionMessage::kHostsAll,
995 MakePermissionIDSet(APIPermission::kHostsAll,
996 APIPermission::kDeclarativeWebRequest)));
997 }
998 {
999 // BrowsingHistory warning suppresses all history read/write warnings.
1000 APIPermissionSet api_permissions;
1001 api_permissions.insert(APIPermission::kHistory);
1002 api_permissions.insert(APIPermission::kTab);
1003 api_permissions.insert(APIPermission::kTopSites);
1004 api_permissions.insert(APIPermission::kProcesses);
1005 api_permissions.insert(APIPermission::kWebNavigation);
1006 scoped_refptr<PermissionSet> permissions(
1007 new PermissionSet(api_permissions, ManifestPermissionSet(),
1008 URLPatternSet(), URLPatternSet()));
1009 EXPECT_TRUE(PermissionSetProducesMessage(
1010 permissions.get(), Manifest::TYPE_EXTENSION,
1011 PermissionMessage::kBrowsingHistory,
1012 MakePermissionIDSet(api_permissions)));
1013 }
1014 {
1015 // Tabs warning suppresses all read-only history warnings.
1016 APIPermissionSet api_permissions;
1017 api_permissions.insert(APIPermission::kTab);
1018 api_permissions.insert(APIPermission::kTopSites);
1019 api_permissions.insert(APIPermission::kProcesses);
1020 api_permissions.insert(APIPermission::kWebNavigation);
1021 scoped_refptr<PermissionSet> permissions(
1022 new PermissionSet(api_permissions, ManifestPermissionSet(),
1023 URLPatternSet(), URLPatternSet()));
1024 EXPECT_TRUE(PermissionSetProducesMessage(
1025 permissions.get(), Manifest::TYPE_EXTENSION, PermissionMessage::kTabs,
1026 MakePermissionIDSet(api_permissions)));
1027 }
1028 }
1029
1030 TEST(PermissionsTest, AccessToDevicesMessages) {
1031 {
1032 APIPermissionSet api_permissions;
1033 api_permissions.insert(APIPermission::kSerial);
1034 scoped_refptr<PermissionSet> permissions(
1035 new PermissionSet(api_permissions,
1036 ManifestPermissionSet(),
1037 URLPatternSet(),
1038 URLPatternSet()));
1039 VerifyOnePermissionMessage(
1040 permissions.get(), Manifest::TYPE_EXTENSION,
1041 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1042 }
1043 {
1044 // Testing that multiple permissions will show the one message.
1045 APIPermissionSet api_permissions;
1046 api_permissions.insert(APIPermission::kSerial);
1047 api_permissions.insert(APIPermission::kSerial);
1048 scoped_refptr<PermissionSet> permissions(
1049 new PermissionSet(api_permissions,
1050 ManifestPermissionSet(),
1051 URLPatternSet(),
1052 URLPatternSet()));
1053 VerifyOnePermissionMessage(
1054 permissions.get(), Manifest::TYPE_EXTENSION,
1055 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_SERIAL));
1056 }
1057 {
1058 scoped_refptr<Extension> extension =
1059 LoadManifest("permissions", "access_to_devices_bluetooth.json");
1060 PermissionSet* set = const_cast<PermissionSet*>(
1061 extension->permissions_data()->active_permissions().get());
1062 VerifyOnePermissionMessage(
1063 set, extension->GetType(),
1064 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH));
1065
1066 // Test Bluetooth and Serial
1067 set->apis_.insert(APIPermission::kSerial);
1068 VerifyOnePermissionMessage(
1069 set, extension->GetType(),
1070 l10n_util::GetStringUTF16(
1071 IDS_EXTENSION_PROMPT_WARNING_BLUETOOTH_SERIAL));
1072 }
1073 }
1074
1075 TEST(PermissionsTest, MergedFileSystemPermissionComparison) {
1076 APIPermissionSet write_api_permissions;
1077 write_api_permissions.insert(APIPermission::kFileSystemWrite);
1078 scoped_refptr<PermissionSet> write_permissions(
1079 new PermissionSet(write_api_permissions, ManifestPermissionSet(),
1080 URLPatternSet(), URLPatternSet()));
1081
1082 APIPermissionSet directory_api_permissions;
1083 directory_api_permissions.insert(APIPermission::kFileSystemDirectory);
1084 scoped_refptr<PermissionSet> directory_permissions(
1085 new PermissionSet(directory_api_permissions, ManifestPermissionSet(),
1086 URLPatternSet(), URLPatternSet()));
1087
1088 APIPermissionSet write_directory_api_permissions;
1089 write_directory_api_permissions.insert(
1090 APIPermission::kFileSystemWriteDirectory);
1091 scoped_refptr<PermissionSet> write_directory_permissions(
1092 new PermissionSet(write_directory_api_permissions,
1093 ManifestPermissionSet(),
1094 URLPatternSet(),
1095 URLPatternSet()));
1096
1097 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1098 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1099 write_permissions.get(),
1100 Manifest::TYPE_PLATFORM_APP));
1101 EXPECT_FALSE(provider->IsPrivilegeIncrease(write_directory_permissions.get(),
1102 directory_permissions.get(),
1103 Manifest::TYPE_PLATFORM_APP));
1104 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1105 directory_permissions.get(),
1106 Manifest::TYPE_PLATFORM_APP));
1107 EXPECT_TRUE(provider->IsPrivilegeIncrease(write_permissions.get(),
1108 write_directory_permissions.get(),
1109 Manifest::TYPE_PLATFORM_APP));
1110 EXPECT_FALSE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1111 write_permissions.get(),
1112 Manifest::TYPE_PLATFORM_APP));
1113 EXPECT_TRUE(provider->IsPrivilegeIncrease(directory_permissions.get(),
1114 write_directory_permissions.get(),
1115 Manifest::TYPE_PLATFORM_APP));
1116 }
1117
1118 TEST(PermissionsTest, GetWarningMessages_ManyHosts) {
1119 scoped_refptr<Extension> extension;
1120 extension = LoadManifest("permissions", "many-hosts.json");
1121 EXPECT_TRUE(VerifyOnePermissionMessage(
1122 extension->permissions_data(),
1123 "Read and change your data on encrypted.google.com and www.google.com"));
1124 }
1125
1126 TEST(PermissionsTest, GetWarningMessages_Plugins) {
1127 scoped_refptr<Extension> extension;
1128 extension = LoadManifest("permissions", "plugins.json");
1129 // We don't parse the plugins key on Chrome OS, so it should not ask for any
1130 // permissions.
1131 #if defined(OS_CHROMEOS)
1132 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1133 #else
1134 EXPECT_TRUE(VerifyOnePermissionMessage(
1135 extension->permissions_data(),
1136 "Read and change all your data on your computer and the websites you "
1137 "visit"));
1138 #endif
1139 }
1140
1141 TEST(PermissionsTest, GetWarningMessages_AudioVideo) {
1142 // Both audio and video present.
1143 scoped_refptr<Extension> extension =
1144 LoadManifest("permissions", "audio-video.json");
1145 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1146 PermissionSet* set = const_cast<PermissionSet*>(
1147 extension->permissions_data()->active_permissions().get());
1148 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1149 "Use your microphone"));
1150 EXPECT_FALSE(
1151 VerifyHasPermissionMessage(set, extension->GetType(), "Use your camera"));
1152 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(),
1153 "Use your microphone and camera"));
1154 PermissionMessageStrings warnings =
1155 provider->GetPermissionMessageStrings(set, extension->GetType());
1156 size_t combined_index = IndexOf(warnings, "Use your microphone and camera");
1157 size_t combined_size = warnings.size();
1158
1159 // Just audio present.
1160 set->apis_.erase(APIPermission::kVideoCapture);
1161 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(),
1162 "Use your microphone"));
1163 EXPECT_FALSE(
1164 VerifyHasPermissionMessage(set, extension->GetType(), "Use your camera"));
1165 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1166 "Use your microphone and camera"));
1167 warnings = provider->GetPermissionMessageStrings(set, extension->GetType());
1168 EXPECT_EQ(combined_size, warnings.size());
1169 EXPECT_EQ(combined_index, IndexOf(warnings, "Use your microphone"));
1170
1171 // Just video present.
1172 set->apis_.erase(APIPermission::kAudioCapture);
1173 set->apis_.insert(APIPermission::kVideoCapture);
1174 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1175 "Use your microphone"));
1176 EXPECT_TRUE(
1177 VerifyHasPermissionMessage(set, extension->GetType(), "Use your camera"));
1178 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1179 "Use your microphone and camera"));
1180 warnings = provider->GetPermissionMessageStrings(set, extension->GetType());
1181 EXPECT_EQ(combined_size, warnings.size());
1182 }
1183
1184 TEST(PermissionsTest, GetWarningMessages_CombinedSessions) {
1185 {
1186 APIPermissionSet api_permissions;
1187 api_permissions.insert(APIPermission::kTab);
1188 api_permissions.insert(APIPermission::kTopSites);
1189 api_permissions.insert(APIPermission::kProcesses);
1190 api_permissions.insert(APIPermission::kWebNavigation);
1191 api_permissions.insert(APIPermission::kSessions);
1192 scoped_refptr<PermissionSet> permissions(
1193 new PermissionSet(api_permissions, ManifestPermissionSet(),
1194 URLPatternSet(), URLPatternSet()));
1195 EXPECT_TRUE(VerifyOnePermissionMessage(
1196 permissions.get(), Manifest::TYPE_EXTENSION,
1197 l10n_util::GetStringUTF16(
1198 IDS_EXTENSION_PROMPT_WARNING_HISTORY_READ_AND_SESSIONS)));
1199 }
1200 {
1201 APIPermissionSet api_permissions;
1202 api_permissions.insert(APIPermission::kHistory);
1203 api_permissions.insert(APIPermission::kTab);
1204 api_permissions.insert(APIPermission::kTopSites);
1205 api_permissions.insert(APIPermission::kProcesses);
1206 api_permissions.insert(APIPermission::kWebNavigation);
1207 api_permissions.insert(APIPermission::kSessions);
1208 scoped_refptr<PermissionSet> permissions(
1209 new PermissionSet(api_permissions, ManifestPermissionSet(),
1210 URLPatternSet(), URLPatternSet()));
1211 EXPECT_TRUE(VerifyOnePermissionMessage(
1212 permissions.get(), Manifest::TYPE_EXTENSION,
1213 l10n_util::GetStringUTF16(
1214 IDS_EXTENSION_PROMPT_WARNING_HISTORY_WRITE_AND_SESSIONS)));
1215 }
1216 }
1217
1218 TEST(PermissionsTest, GetWarningMessages_DeclarativeWebRequest) {
1219 // Test that if the declarativeWebRequest permission is present
1220 // in combination with all hosts permission, then only the warning
1221 // for host permissions is shown, because that covers the use of
1222 // declarativeWebRequest.
1223
1224 // Until Declarative Web Request is in stable, let's make sure it is enabled
1225 // on the current channel.
1226 ScopedCurrentChannel sc(chrome::VersionInfo::CHANNEL_CANARY);
1227
1228 // First verify that declarativeWebRequest produces a message when host
1229 // permissions do not cover all hosts.
1230 scoped_refptr<Extension> extension =
1231 LoadManifest("permissions", "web_request_not_all_host_permissions.json");
1232 const PermissionSet* set =
1233 extension->permissions_data()->active_permissions().get();
1234 EXPECT_TRUE(VerifyHasPermissionMessage(set, extension->GetType(),
1235 "Block parts of web pages"));
1236 EXPECT_FALSE(VerifyHasPermissionMessage(
1237 set, extension->GetType(),
1238 "Read and change all your data on the websites you visit"));
1239
1240 // Now verify that declarativeWebRequest does not produce a message when host
1241 // permissions do cover all hosts.
1242 extension =
1243 LoadManifest("permissions", "web_request_all_host_permissions.json");
1244 set = extension->permissions_data()->active_permissions().get();
1245 EXPECT_FALSE(VerifyHasPermissionMessage(set, extension->GetType(),
1246 "Block parts of web pages"));
1247 EXPECT_TRUE(VerifyHasPermissionMessage(
1248 set, extension->GetType(),
1249 "Read and change all your data on the websites you visit"));
1250 }
1251
1252 TEST(PermissionsTest, GetWarningMessages_Serial) {
1253 scoped_refptr<Extension> extension =
1254 LoadManifest("permissions", "serial.json");
1255
1256 EXPECT_TRUE(extension->is_platform_app());
1257 EXPECT_TRUE(
1258 extension->permissions_data()->HasAPIPermission(APIPermission::kSerial));
1259 EXPECT_TRUE(VerifyOnePermissionMessage(extension->permissions_data(),
1260 "Access your serial devices"));
1261 }
1262
1263 TEST(PermissionsTest, GetWarningMessages_Socket_AnyHost) {
1264 ScopedCurrentChannel channel(chrome::VersionInfo::CHANNEL_DEV);
1265
1266 scoped_refptr<Extension> extension =
1267 LoadManifest("permissions", "socket_any_host.json");
1268 EXPECT_TRUE(extension->is_platform_app());
1269 EXPECT_TRUE(
1270 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1271 EXPECT_TRUE(VerifyOnePermissionMessage(
1272 extension->permissions_data(),
1273 "Exchange data with any computer on the local network or internet"));
1274 }
1275
1276 TEST(PermissionsTest, GetWarningMessages_Socket_OneDomainTwoHostnames) {
1277 ScopedCurrentChannel channel(chrome::VersionInfo::CHANNEL_DEV);
1278
1279 scoped_refptr<Extension> extension =
1280 LoadManifest("permissions", "socket_one_domain_two_hostnames.json");
1281 EXPECT_TRUE(extension->is_platform_app());
1282 EXPECT_TRUE(
1283 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1284
1285 // Verify the warnings, including support for unicode characters, the fact
1286 // that domain host warnings come before specific host warnings, and the fact
1287 // that domains and hostnames are in alphabetical order regardless of the
1288 // order in the manifest file.
1289 EXPECT_TRUE(VerifyTwoPermissionMessages(
1290 extension->permissions_data(),
1291 "Exchange data with any computer in the domain example.org",
1292 "Exchange data with the computers named: "
1293 "b\xC3\xA5r.example.com foo.example.com",
1294 // "\xC3\xA5" = UTF-8 for lowercase A with ring above
1295 true));
1296 }
1297
1298 TEST(PermissionsTest, GetWarningMessages_Socket_TwoDomainsOneHostname) {
1299 ScopedCurrentChannel channel(chrome::VersionInfo::CHANNEL_DEV);
1300
1301 scoped_refptr<Extension> extension =
1302 LoadManifest("permissions", "socket_two_domains_one_hostname.json");
1303 EXPECT_TRUE(extension->is_platform_app());
1304 EXPECT_TRUE(
1305 extension->permissions_data()->HasAPIPermission(APIPermission::kSocket));
1306
1307 // Verify the warnings, including the fact that domain host warnings come
1308 // before specific host warnings and the fact that domains and hostnames are
1309 // in alphabetical order regardless of the order in the manifest file.
1310 EXPECT_TRUE(VerifyTwoPermissionMessages(
1311 extension->permissions_data(),
1312 "Exchange data with any computer in the domains: "
1313 "example.com foo.example.org",
1314 "Exchange data with the computer named bar.example.org", true));
1315 }
1316
1317 // Since platform apps always use isolated storage, they can't (silently)
1318 // access user data on other domains, so there's no need to prompt about host
1319 // permissions. See crbug.com/255229.
1320 TEST(PermissionsTest, GetWarningMessages_PlatformAppHosts) {
1321 scoped_refptr<Extension> extension;
1322
1323 extension = LoadManifest("permissions", "platform_app_hosts.json");
1324 EXPECT_TRUE(extension->is_platform_app());
1325 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1326
1327 extension = LoadManifest("permissions", "platform_app_all_urls.json");
1328 EXPECT_TRUE(extension->is_platform_app());
1329 EXPECT_TRUE(VerifyNoPermissionMessages(extension->permissions_data()));
1330 }
1331
1332 testing::AssertionResult ShowsAllHostsWarning(const std::string& pattern) {
1333 scoped_refptr<Extension> extension =
1334 ExtensionBuilder()
1335 .SetManifest(DictionaryBuilder()
1336 .Set("name", "TLDWildCardTest")
1337 .Set("version", "0.1.0")
1338 .Set("permissions", ListBuilder().Append(pattern))
1339 .Build())
1340 .Build();
1341
1342 return VerifyHasPermissionMessage(
1343 extension->permissions_data(),
1344 l10n_util::GetStringUTF16(IDS_EXTENSION_PROMPT_WARNING_ALL_HOSTS));
1345 }
1346
1347 TEST(PermissionsTest, GetWarningMessages_TLDWildcardTreatedAsAllHosts) {
1348 EXPECT_TRUE(ShowsAllHostsWarning("http://*.com/*")); // most popular.
1349 EXPECT_TRUE(ShowsAllHostsWarning("http://*.org/*")); // sanity check.
1350 EXPECT_TRUE(ShowsAllHostsWarning("http://*.co.uk/*")); // eTLD.
1351 EXPECT_TRUE(ShowsAllHostsWarning("http://*.de/*")); // foreign country tld.
1352
1353 // We should still show the normal permissions (i.e., "Can access your data on
1354 // *.rdcronin.com") for things that are not TLDs.
1355 EXPECT_FALSE(ShowsAllHostsWarning("http://*.rdcronin.com/*"));
1356
1357 // Pseudo-TLDs, like appspot.com, should not show all hosts.
1358 EXPECT_FALSE(ShowsAllHostsWarning("http://*.appspot.com/*"));
1359
1360 // Non-TLDs should be likewise exempt.
1361 EXPECT_FALSE(ShowsAllHostsWarning("http://*.notarealtld/*"));
1362
1363 // Our internal checks use "foo", so let's make sure we're not messing
1364 // something up with it.
1365 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo.com"));
1366 EXPECT_FALSE(ShowsAllHostsWarning("http://foo.com"));
1367 // This will fail if foo becomes a recognized TLD. Which could be soon.
1368 // Update as needed.
1369 EXPECT_FALSE(ShowsAllHostsWarning("http://*.foo"));
1370 }
1371
1372 TEST(PermissionsTest, GetDistinctHosts) {
1373 URLPatternSet explicit_hosts;
1374 std::set<std::string> expected;
1375 expected.insert("www.foo.com");
1376 expected.insert("www.bar.com");
1377 expected.insert("www.baz.com");
1378
1379 {
1380 SCOPED_TRACE("no dupes");
1381
1382 // Simple list with no dupes.
1383 explicit_hosts.AddPattern(
1384 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1385 explicit_hosts.AddPattern(
1386 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/path"));
1387 explicit_hosts.AddPattern(
1388 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1389 EXPECT_EQ(expected,
1390 permission_message_util::GetDistinctHosts(
1391 explicit_hosts, true, true));
1392 }
1393
1394 {
1395 SCOPED_TRACE("two dupes");
1396
1397 // Add some dupes.
1398 explicit_hosts.AddPattern(
1399 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1400 explicit_hosts.AddPattern(
1401 URLPattern(URLPattern::SCHEME_HTTP, "http://www.baz.com/path"));
1402 EXPECT_EQ(expected,
1403 permission_message_util::GetDistinctHosts(
1404 explicit_hosts, true, true));
1405 }
1406
1407 {
1408 SCOPED_TRACE("schemes differ");
1409
1410 // Add a pattern that differs only by scheme. This should be filtered out.
1411 explicit_hosts.AddPattern(
1412 URLPattern(URLPattern::SCHEME_HTTPS, "https://www.bar.com/path"));
1413 EXPECT_EQ(expected,
1414 permission_message_util::GetDistinctHosts(
1415 explicit_hosts, true, true));
1416 }
1417
1418 {
1419 SCOPED_TRACE("paths differ");
1420
1421 // Add some dupes by path.
1422 explicit_hosts.AddPattern(
1423 URLPattern(URLPattern::SCHEME_HTTP, "http://www.bar.com/pathypath"));
1424 EXPECT_EQ(expected,
1425 permission_message_util::GetDistinctHosts(
1426 explicit_hosts, true, true));
1427 }
1428
1429 {
1430 SCOPED_TRACE("subdomains differ");
1431
1432 // We don't do anything special for subdomains.
1433 explicit_hosts.AddPattern(
1434 URLPattern(URLPattern::SCHEME_HTTP, "http://monkey.www.bar.com/path"));
1435 explicit_hosts.AddPattern(
1436 URLPattern(URLPattern::SCHEME_HTTP, "http://bar.com/path"));
1437
1438 expected.insert("monkey.www.bar.com");
1439 expected.insert("bar.com");
1440
1441 EXPECT_EQ(expected,
1442 permission_message_util::GetDistinctHosts(
1443 explicit_hosts, true, true));
1444 }
1445
1446 {
1447 SCOPED_TRACE("RCDs differ");
1448
1449 // Now test for RCD uniquing.
1450 explicit_hosts.AddPattern(
1451 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1452 explicit_hosts.AddPattern(
1453 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1454 explicit_hosts.AddPattern(
1455 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.de/path"));
1456 explicit_hosts.AddPattern(
1457 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca.us/path"));
1458 explicit_hosts.AddPattern(
1459 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1460 explicit_hosts.AddPattern(
1461 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com.my/path"));
1462
1463 // This is an unknown RCD, which shouldn't be uniqued out.
1464 explicit_hosts.AddPattern(
1465 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1466 // But it should only occur once.
1467 explicit_hosts.AddPattern(
1468 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.xyzzy/path"));
1469
1470 expected.insert("www.foo.xyzzy");
1471
1472 EXPECT_EQ(expected,
1473 permission_message_util::GetDistinctHosts(
1474 explicit_hosts, true, true));
1475 }
1476
1477 {
1478 SCOPED_TRACE("wildcards");
1479
1480 explicit_hosts.AddPattern(
1481 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1482
1483 expected.insert("*.google.com");
1484
1485 EXPECT_EQ(expected,
1486 permission_message_util::GetDistinctHosts(
1487 explicit_hosts, true, true));
1488 }
1489
1490 {
1491 SCOPED_TRACE("scriptable hosts");
1492
1493 APIPermissionSet empty_perms;
1494 explicit_hosts.ClearPatterns();
1495 URLPatternSet scriptable_hosts;
1496 expected.clear();
1497
1498 explicit_hosts.AddPattern(
1499 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com/*"));
1500 scriptable_hosts.AddPattern(
1501 URLPattern(URLPattern::SCHEME_HTTP, "http://*.example.com/*"));
1502
1503 expected.insert("*.google.com");
1504 expected.insert("*.example.com");
1505
1506 scoped_refptr<PermissionSet> perm_set(new PermissionSet(
1507 empty_perms, ManifestPermissionSet(),
1508 explicit_hosts, scriptable_hosts));
1509 EXPECT_EQ(expected,
1510 permission_message_util::GetDistinctHosts(
1511 perm_set->effective_hosts(), true, true));
1512 }
1513
1514 {
1515 // We don't display warnings for file URLs because they are off by default.
1516 SCOPED_TRACE("file urls");
1517
1518 explicit_hosts.ClearPatterns();
1519 expected.clear();
1520
1521 explicit_hosts.AddPattern(
1522 URLPattern(URLPattern::SCHEME_FILE, "file:///*"));
1523
1524 EXPECT_EQ(expected,
1525 permission_message_util::GetDistinctHosts(
1526 explicit_hosts, true, true));
1527 }
1528 }
1529
1530 TEST(PermissionsTest, GetDistinctHosts_ComIsBestRcd) {
1531 URLPatternSet explicit_hosts;
1532 explicit_hosts.AddPattern(
1533 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1534 explicit_hosts.AddPattern(
1535 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1536 explicit_hosts.AddPattern(
1537 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1538 explicit_hosts.AddPattern(
1539 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1540 explicit_hosts.AddPattern(
1541 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1542 explicit_hosts.AddPattern(
1543 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.com/path"));
1544
1545 std::set<std::string> expected;
1546 expected.insert("www.foo.com");
1547 EXPECT_EQ(expected,
1548 permission_message_util::GetDistinctHosts(
1549 explicit_hosts, true, true));
1550 }
1551
1552 TEST(PermissionsTest, GetDistinctHosts_NetIs2ndBestRcd) {
1553 URLPatternSet explicit_hosts;
1554 explicit_hosts.AddPattern(
1555 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1556 explicit_hosts.AddPattern(
1557 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1558 explicit_hosts.AddPattern(
1559 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1560 explicit_hosts.AddPattern(
1561 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.net/path"));
1562 explicit_hosts.AddPattern(
1563 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1564 // No http://www.foo.com/path
1565
1566 std::set<std::string> expected;
1567 expected.insert("www.foo.net");
1568 EXPECT_EQ(expected,
1569 permission_message_util::GetDistinctHosts(
1570 explicit_hosts, true, true));
1571 }
1572
1573 TEST(PermissionsTest, GetDistinctHosts_OrgIs3rdBestRcd) {
1574 URLPatternSet explicit_hosts;
1575 explicit_hosts.AddPattern(
1576 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1577 explicit_hosts.AddPattern(
1578 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.org/path"));
1579 explicit_hosts.AddPattern(
1580 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1581 // No http://www.foo.net/path
1582 explicit_hosts.AddPattern(
1583 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1584 // No http://www.foo.com/path
1585
1586 std::set<std::string> expected;
1587 expected.insert("www.foo.org");
1588 EXPECT_EQ(expected,
1589 permission_message_util::GetDistinctHosts(
1590 explicit_hosts, true, true));
1591 }
1592
1593 TEST(PermissionsTest, GetDistinctHosts_FirstInListIs4thBestRcd) {
1594 URLPatternSet explicit_hosts;
1595 explicit_hosts.AddPattern(
1596 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.ca/path"));
1597 // No http://www.foo.org/path
1598 explicit_hosts.AddPattern(
1599 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.co.uk/path"));
1600 // No http://www.foo.net/path
1601 explicit_hosts.AddPattern(
1602 URLPattern(URLPattern::SCHEME_HTTP, "http://www.foo.jp/path"));
1603 // No http://www.foo.com/path
1604
1605 std::set<std::string> expected;
1606 expected.insert("www.foo.ca");
1607 EXPECT_EQ(expected,
1608 permission_message_util::GetDistinctHosts(
1609 explicit_hosts, true, true));
1610 }
1611
1612 TEST(PermissionsTest, IsHostPrivilegeIncrease) {
1613 Manifest::Type type = Manifest::TYPE_EXTENSION;
1614 const PermissionMessageProvider* provider = PermissionMessageProvider::Get();
1615 ManifestPermissionSet empty_manifest_permissions;
1616 URLPatternSet elist1;
1617 URLPatternSet elist2;
1618 URLPatternSet slist1;
1619 URLPatternSet slist2;
1620 scoped_refptr<PermissionSet> set1;
1621 scoped_refptr<PermissionSet> set2;
1622 APIPermissionSet empty_perms;
1623 elist1.AddPattern(
1624 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1625 elist1.AddPattern(
1626 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1627
1628 // Test that the host order does not matter.
1629 elist2.AddPattern(
1630 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1631 elist2.AddPattern(
1632 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/path"));
1633
1634 set1 = new PermissionSet(empty_perms, empty_manifest_permissions,
1635 elist1, slist1);
1636 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1637 elist2, slist2);
1638
1639 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1640 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1641
1642 // Test that paths are ignored.
1643 elist2.ClearPatterns();
1644 elist2.AddPattern(
1645 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/*"));
1646 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1647 elist2, slist2);
1648 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1649 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1650
1651 // Test that RCDs are ignored.
1652 elist2.ClearPatterns();
1653 elist2.AddPattern(
1654 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com.hk/*"));
1655 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1656 elist2, slist2);
1657 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1658 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1659
1660 // Test that subdomain wildcards are handled properly.
1661 elist2.ClearPatterns();
1662 elist2.AddPattern(
1663 URLPattern(URLPattern::SCHEME_HTTP, "http://*.google.com.hk/*"));
1664 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1665 elist2, slist2);
1666 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1667 // TODO(jstritar): Does not match subdomains properly. http://crbug.com/65337
1668 // EXPECT_FALSE(provider->IsPrivilegeIncrease(set2, set1, type));
1669
1670 // Test that different domains count as different hosts.
1671 elist2.ClearPatterns();
1672 elist2.AddPattern(
1673 URLPattern(URLPattern::SCHEME_HTTP, "http://www.google.com/path"));
1674 elist2.AddPattern(
1675 URLPattern(URLPattern::SCHEME_HTTP, "http://www.example.org/path"));
1676 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1677 elist2, slist2);
1678 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1679 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1680
1681 // Test that different subdomains count as different hosts.
1682 elist2.ClearPatterns();
1683 elist2.AddPattern(
1684 URLPattern(URLPattern::SCHEME_HTTP, "http://mail.google.com/*"));
1685 set2 = new PermissionSet(empty_perms, empty_manifest_permissions,
1686 elist2, slist2);
1687 EXPECT_TRUE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1688 EXPECT_TRUE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1689
1690 // Test that platform apps do not have host permissions increases.
1691 type = Manifest::TYPE_PLATFORM_APP;
1692 EXPECT_FALSE(provider->IsPrivilegeIncrease(set1.get(), set2.get(), type));
1693 EXPECT_FALSE(provider->IsPrivilegeIncrease(set2.get(), set1.get(), type));
1694 }
1695
1696 TEST(PermissionsTest, GetAPIsAsStrings) {
1697 APIPermissionSet apis;
1698 URLPatternSet empty_set;
1699
1700 apis.insert(APIPermission::kProxy);
1701 apis.insert(APIPermission::kBackground);
1702 apis.insert(APIPermission::kNotifications);
1703 apis.insert(APIPermission::kTab);
1704
1705 scoped_refptr<PermissionSet> perm_set = new PermissionSet(
1706 apis, ManifestPermissionSet(), empty_set, empty_set);
1707 std::set<std::string> api_names = perm_set->GetAPIsAsStrings();
1708
1709 // The result is correct if it has the same number of elements
1710 // and we can convert it back to the id set.
1711 EXPECT_EQ(4u, api_names.size());
1712 EXPECT_EQ(apis,
1713 PermissionsInfo::GetInstance()->GetAllByName(api_names));
1714 }
1715
1716 TEST(PermissionsTest, IsEmpty) {
1717 APIPermissionSet empty_apis;
1718 URLPatternSet empty_extent;
1719
1720 scoped_refptr<PermissionSet> empty = new PermissionSet();
1721 EXPECT_TRUE(empty->IsEmpty());
1722 scoped_refptr<PermissionSet> perm_set;
1723
1724 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1725 empty_extent, empty_extent);
1726 EXPECT_TRUE(perm_set->IsEmpty());
1727
1728 APIPermissionSet non_empty_apis;
1729 non_empty_apis.insert(APIPermission::kBackground);
1730 perm_set = new PermissionSet(non_empty_apis, ManifestPermissionSet(),
1731 empty_extent, empty_extent);
1732 EXPECT_FALSE(perm_set->IsEmpty());
1733
1734 // Try non standard host
1735 URLPatternSet non_empty_extent;
1736 AddPattern(&non_empty_extent, "http://www.google.com/*");
1737
1738 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1739 non_empty_extent, empty_extent);
1740 EXPECT_FALSE(perm_set->IsEmpty());
1741
1742 perm_set = new PermissionSet(empty_apis, ManifestPermissionSet(),
1743 empty_extent, non_empty_extent);
1744 EXPECT_FALSE(perm_set->IsEmpty());
1745 }
1746
1747 TEST(PermissionsTest, ImpliedPermissions) {
1748 URLPatternSet empty_extent;
1749 APIPermissionSet apis;
1750 apis.insert(APIPermission::kFileBrowserHandler);
1751 EXPECT_EQ(1U, apis.size());
1752
1753 scoped_refptr<PermissionSet> perm_set;
1754 perm_set = new PermissionSet(apis, ManifestPermissionSet(),
1755 empty_extent, empty_extent);
1756 EXPECT_EQ(2U, perm_set->apis().size());
1757 }
1758
1759 TEST(PermissionsTest, SyncFileSystemPermission) {
1760 scoped_refptr<Extension> extension = LoadManifest(
1761 "permissions", "sync_file_system.json");
1762 APIPermissionSet apis;
1763 apis.insert(APIPermission::kSyncFileSystem);
1764 EXPECT_TRUE(extension->is_platform_app());
1765 EXPECT_TRUE(extension->permissions_data()->HasAPIPermission(
1766 APIPermission::kSyncFileSystem));
1767 EXPECT_TRUE(
1768 VerifyOnePermissionMessage(extension->permissions_data(),
1769 "Store data in your Google Drive account"));
1770 }
1771
1772 // Make sure that we don't crash when we're trying to show the permissions
1773 // even though chrome://thumb (and everything that's not chrome://favicon with
1774 // a chrome:// scheme) is not a valid permission.
1775 // More details here: crbug/246314.
1776 TEST(PermissionsTest, ChromeURLs) {
1777 URLPatternSet allowed_hosts;
1778 allowed_hosts.AddPattern(
1779 URLPattern(URLPattern::SCHEME_ALL, "http://www.google.com/"));
1780 allowed_hosts.AddPattern(
1781 URLPattern(URLPattern::SCHEME_ALL, "chrome://favicon/"));
1782 allowed_hosts.AddPattern(
1783 URLPattern(URLPattern::SCHEME_ALL, "chrome://thumb/"));
1784 scoped_refptr<PermissionSet> permissions(
1785 new PermissionSet(APIPermissionSet(), ManifestPermissionSet(),
1786 allowed_hosts, URLPatternSet()));
1787 PermissionMessageProvider::Get()->GetLegacyPermissionMessageIDs(
1788 permissions.get(), Manifest::TYPE_EXTENSION);
1789 PermissionMessageProvider::Get()->GetCoalescedPermissionMessages(
1790 PermissionMessageProvider::Get()->GetAllPermissionIDs(
1791 permissions.get(), Manifest::TYPE_EXTENSION));
1792 }
1793
1794 TEST(PermissionsTest, IsPrivilegeIncrease_DeclarativeWebRequest) {
1795 scoped_refptr<Extension> extension(
1796 LoadManifest("permissions", "permissions_all_urls.json"));
1797 scoped_refptr<const PermissionSet> permissions(
1798 extension->permissions_data()->active_permissions());
1799
1800 scoped_refptr<Extension> extension_dwr(
1801 LoadManifest("permissions", "web_request_all_host_permissions.json"));
1802 scoped_refptr<const PermissionSet> permissions_dwr(
1803 extension_dwr->permissions_data()->active_permissions());
1804
1805 EXPECT_FALSE(PermissionMessageProvider::Get()->
1806 IsPrivilegeIncrease(permissions.get(),
1807 permissions_dwr.get(),
1808 extension->GetType()));
1809 }
1810
1811 } // namespace extensions